Concept
For a web app deployed in the cloud, we want defense in depth: multiple safeguards at different layers, so that an attacker who gets past one still has to navigate a labyrinth of further defenses.
OSI model
To model the function of a computing or telecom system, there are 7 layers to consider:
- Application - The user layer. It manages protocols like HTTP/HTTPS, DNS and FTP.
- Attack: SQL injection, Cross-Site Scripting (XSS)
- Defense: Web Application Firewall (WAF)
- Presentation
This layer handles data encryption, compression and formatting so the application can understand the data.
- Attack: SSL stripping, decryption attacks
- Defense: SSL/TLS encryption, peer certificates (mutual TLS / mTLS)
- Session
This layer establishes, manages, and terminates connections (sessions) between local and remote applications.
- Attack: Session Hijacking (stealing a cookie to impersonate a user)
- Defense: Secure Session IDs and IAM policies
- Transport
This layer handles logistics of moving data. TCP and UDP live here.
- Attack: SYN Floods (DDoS attacks)
- Defense: Load Balancer DDoS protection and Rate Limiting
- Network
This layer is the GPS of the internet: IP addresses, and working out the route to the desired address.
- Attack: IP spoofing or ping floods
- Defense: Network Security Groups and Zero Trust Packet Routing (ZPR)
- Data Link
This layer handles data transfer between adjacent nodes. MAC addresses and switches live here.
- Attack: ARP Spoofing or VLAN hopping
- Defense: VCN isolation
- Physical
The physical material itself and its configurations.
- Attack: Physical theft or cutting cable
- Defense: biometrics and guards
Defense Concepts
Identity is one of the primary tools.
IAM
Compartments - You want some organization in your cloud setup. The root compartment has super access, with everything at its disposal.
Paired with identity, policies can provide least privilege to ensure that identities can only access what they need.
DDoS Protection
Consider volumetric attacks, where an attacker sends a huge number of packets at your cloud setup. The packets first hit the edge infrastructure (the range of cloud IP addresses, nodes and switches). Typically the edge has its own volumetric analysis, detects the attack and drops the packets. If the attack still persists (i.e. high volume, but not high enough to trip the edge), the packets get routed to the Internet Gateway of your virtual cloud network. The security lists and network security groups act here to decide which packets get dropped. Then the traffic hits the Network Load Balancer (NLB), which is a fast checker because it ONLY looks at the 5-tuple (source IP, destination IP, protocol, source port, destination port). In effect the NLB is primarily the sorter; the load balancer itself is the smart router.
Related defenses: network security groups, zero trust routing, SSL, network topology layout, IAM.
Packet Walkthrough
A packet is spawned by the user’s browser to access some web app on the cloud.
- It hits the OCI Edge Node, since the end server sits inside the OCI network fabric; the packet has to pass the OCI Edge to reach the web app at all.
Edge nodes will run some protections:
- to guard against volumetric attacks.
- human interaction challenge, where a small script is sent back and the browser has to prove it is a human rather than a bot
- threat intelligence (‘naughty list’)
These protections can run on the edge nodes (the compute happens there) OR, by default, in the regional WAF, where the compute is done on the load balancer.
- The packet is further subjected to the WAF policy enforced by the load balancer.
This is where the access control rules, the protection rules, and the rate limiting are validated.
- NSG, ZTR
- Network layout, with additional network guards on who can access what.
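As an added example (not from these notes, and not OCI code), here is a small Python model of the packet path described under DDoS Protection and in the Packet Walkthrough: an edge volumetric budget, then a security list / NSG allow list, then an NLB that chooses a backend from the 5-tuple alone. The packets, ingress rules, backend set and threshold are all constructed assumptions.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed sample packets as 5-tuples (src, dst, proto, sport, dport); not real traffic.
PACKETS = (
    [("203.0.113.7", "10.0.1.10", "tcp", 51000 + i, 443) for i in range(5)]  # flood source
    + [("198.51.100.4", "10.0.1.10", "tcp", 40001, 443)]  # normal HTTPS client
    + [("198.51.100.4", "10.0.1.10", "tcp", 40002, 22)]  # SSH attempt from the internet
    + [("10.0.2.9", "10.0.1.10", "tcp", 40003, 22)]  # SSH from inside the VCN
)
# Assumed ingress rules in the spirit of a security list / NSG: an allow list keyed on
# (source CIDR, protocol, destination port). Connection state is not tracked in this model.
INGRESS_RULES = [("0.0.0.0/0", "tcp", 443), ("10.0.0.0/16", "tcp", 22)]
BACKENDS = ["10.0.1.10", "10.0.1.11"]  # assumed backend set behind the NLB
EDGE_THRESHOLD = 3  # assumed per-source packet budget before the edge calls it volumetric

def edge_allows(pkt, seen):
    """Edge volumetric check: once a source exceeds its budget, its further packets are dropped."""
    seen[pkt[0]] += 1
    return seen[pkt[0]] <= EDGE_THRESHOLD

def ingress_allows(pkt, rules=INGRESS_RULES):
    """Security list / NSG check: source address, protocol and destination port must match a rule."""
    src, _dst, proto, _sport, dport = pkt
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(cidr) and proto == rp and dport == rport
               for cidr, rp, rport in rules)

def nlb_backend(pkt, backends=BACKENDS):
    """NLB: looks only at the 5-tuple, hashing it so one flow always lands on the same backend."""
    digest = hashlib.sha256("|".join(map(str, pkt)).encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]

def walk(packets):
    """Push each packet through edge -> security list/NSG -> NLB; report where each one stopped."""
    seen, outcome, flows = Counter(), Counter(), {}
    for pkt in packets:
        if not edge_allows(pkt, seen):
            outcome["dropped_at_edge"] += 1
        elif not ingress_allows(pkt):
            outcome["dropped_at_nsg"] += 1
        else:
            flows[pkt] = nlb_backend(pkt)  # the sorter: choose a backend for this flow
            outcome["forwarded"] += 1
    return dict(outcome), flows

if __name__ == "__main__":
    outcome, flows = walk(PACKETS)
    print(outcome, flows)
```

With these inputs the flood source loses its last two packets at the edge, the internet-sourced SSH attempt is dropped by the allow list, and the remaining five packets are forwarded, each pinned to one backend by its 5-tuple.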