Security without Obscurity: A Guide to Cryptographic Architectures by Jeff Stapleton

Author: Jeff Stapleton
Language: eng
Format: epub, pdf
Publisher: CRC Press
Published: 2018-07-10T23:00:00+00:00


Figure 6.9 Application architecture with crypto.

Figure 6.10 Network architecture for application VLAN.

Figure 6.10 shows the network architecture for the application VLAN with cryptography information added. The application VLAN in the DMZ restricts access to the Web and BP servers, and another application VLAN in the internal network limits access to the App and DB servers. As discussed for the DMZ application VLAN:

The Web servers have TLS keys, a private asymmetric key and a public key certificate, for the external HTTPS connection to web browsers.

The BP servers have TLS keys, a private asymmetric key and a public key certificate, for their external TLS connections.

As observed for the network application VLAN:

The App servers have TLS keys, a private asymmetric key and a public key certificate, for the internal TLS connections to the Web servers and the BP servers.

The Web servers and the BP servers reuse the same certificates for both their external and internal TLS connections, so a compromise of the externally exposed private key also exposes the internal connections to the App servers.

Modifying network diagrams with cryptography information is likewise helpful for understanding the cryptographic architecture. The network devices (who) are identified, the key types (what) and purposes (why) are implied by the protocols (HTTPS, TLS), the locations (where) are indicated, and the protocols (when) are provided. However, Figure 6.10 does not document all of the connections; for a more complete viewpoint, Figure 6.11 needs to be considered.

Figure 6.11 shows the network architecture for the administrative VLAN with cryptography information added. The admin VLAN in the DMZ limits access to the RAS, and a separate VLAN in the internal network restricts access to the SS and the AS. From a network perspective:

Outside the DMZ the Internet routers have IPsec keys, a private asymmetric key and a public key certificate, for cross-connecting the East and West datacenters.

Inside the DMZ the RAS has TLS keys, a private asymmetric key and a public key certificate, for VPN access.

Inside the network the routers have IPsec keys, a private asymmetric key and a public key certificate, for synchronizing the DB servers.

Inside the network the AS has TLS keys, a private asymmetric key and a public key certificate, for connecting to the RAS inside the DMZ.

Inside the network the AS has SSH keys, a private asymmetric key and the corresponding public key, for administering other servers and network devices. Unlike TLS and IPsec, SSH normally authenticates with bare public keys installed on each managed host rather than with public key certificates, which is why the servers it administers hold an SSH public key rather than a certificate chain.
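
The who/what/why/where/when questions above can be captured as a machine-readable inventory rather than only as diagram annotations, which makes the two checks a reviewer wants easy to automate. The following Python is an added example, not code from the book: its records are constructed from the devices and keys listed for the application VLAN and the administrative VLAN, the zone names and the cred_id values are placeholder labels standing in for certificate or SSH key fingerprints, and nothing in it is a real identifier. It flags the certificate reuse noted for the Web and BP servers, and it lists devices that appear in a VLAN description but have no key documented, which is the gap the text says the network diagrams alone leave.

```python
"""Crypto inventory built from network-diagram annotations (added example).

Each record answers the chapter's five questions for one credential:
who (device), what (key type), why (purpose), where (zone) and when
(protocol).  The sample inventory is constructed from the devices and keys
listed for the application and administrative VLANs; the cred_id values are
placeholder labels standing in for certificate or SSH key fingerprints.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRecord:
    device: str    # who: the server or network device holding the key
    zone: str      # where: "Internet", "DMZ" or "Network" (assumed zone names)
    protocol: str  # when: the protocol the key is used in (TLS, IPsec, SSH)
    key_type: str  # what: "cert" = private key + certificate, "pubkey" = bare key pair
    purpose: str   # why: the connection the key secures
    scope: str     # "external" (crosses the perimeter) or "internal"
    cred_id: str   # placeholder identifier for the credential (assumption)


# Constructed from the bullet lists for the application and admin VLANs.
INVENTORY = [
    KeyRecord("Web", "DMZ", "TLS", "cert", "HTTPS to browsers", "external", "web-cert"),
    KeyRecord("Web", "DMZ", "TLS", "cert", "TLS to App servers", "internal", "web-cert"),
    KeyRecord("BP", "DMZ", "TLS", "cert", "external TLS connections", "external", "bp-cert"),
    KeyRecord("BP", "DMZ", "TLS", "cert", "TLS to App servers", "internal", "bp-cert"),
    KeyRecord("App", "Network", "TLS", "cert", "TLS to Web and BP servers", "internal", "app-cert"),
    KeyRecord("RAS", "DMZ", "TLS", "cert", "VPN access", "external", "ras-cert"),
    KeyRecord("AS", "Network", "TLS", "cert", "TLS to RAS", "internal", "as-cert"),
    KeyRecord("AS", "Network", "SSH", "pubkey", "administration of servers and devices", "internal", "as-ssh"),
    KeyRecord("Internet routers", "Internet", "IPsec", "cert", "East/West datacenter cross-connect", "external", "rtr-ext-cert"),
    KeyRecord("Network routers", "Network", "IPsec", "cert", "DB server synchronization", "internal", "rtr-int-cert"),
]


def credentials_shared_across_scopes(records):
    """Return {cred_id: sorted scopes} for every credential used in more than
    one scope, e.g. one certificate serving both external and internal TLS.
    A compromise of the externally exposed key then also exposes internal traffic."""
    scopes = defaultdict(set)
    for r in records:
        scopes[r.cred_id].add(r.scope)
    return {cid: sorted(s) for cid, s in scopes.items() if len(s) > 1}


def uninventoried_devices(records, devices):
    """Devices named in the VLAN descriptions for which no key is documented:
    these are the connections the network diagrams alone do not show."""
    documented = {r.device for r in records}
    return set(devices) - documented


def keys_by_zone(records):
    """The 'where' view: unique (device, protocol) pairs per zone, sorted."""
    zones = defaultdict(set)
    for r in records:
        zones[r.zone].add((r.device, r.protocol))
    return {z: sorted(v) for z, v in zones.items()}


def annotation_lines(records):
    """One diagram label per record, in who/where/when/what/why order."""
    return [f"{r.device} [{r.zone}] {r.protocol} {r.key_type}: {r.purpose} ({r.scope})"
            for r in records]


if __name__ == "__main__":
    for line in annotation_lines(INVENTORY):
        print(line)
    print("shared credentials:", credentials_shared_across_scopes(INVENTORY))
    vlan_devices = {"Web", "BP", "App", "DB", "RAS", "SS", "AS"}
    print("no key documented:", uninventoried_devices(INVENTORY, vlan_devices))
```

Run as-is, it reports web-cert and bp-cert as serving both scopes, and DB and SS as devices that appear in a VLAN but have no key of their own documented (the DB synchronization keys sit on the routers). The same inventory, extended with the data-diagram entries, is the natural place to record which SSH public keys are authorized on which hosts.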

As mentioned, updating network diagrams with cryptography information is helpful in understanding the cryptographic architecture: the network devices (who) are identified, the key types (what) and purposes (why) are implied by the protocols (IPsec, TLS, SSH), the locations (where) are indicated, and the protocols (when) are provided. However, Figures 6.10 and 6.11 together still do not address all of the cryptography information. Another viewpoint is adding cryptography information to the data diagram, as shown in Figure 6.12:

The Web servers hold their TLS certificate chain and the corresponding TLS private key for external connections, along with an SSH public key for internal administration.

The BP servers hold their TLS certificate chain and the corresponding TLS private key for external connections, along with an SSH public key for internal administration.

The
