ITPro.TV: CompTIA Security+ (SY0-601)
- author:: Nathan Acks
- date:: 2022-04-04
Virtualization
Type I hypervisors (bare metal) are most common in business applications. And Qubes. Cloud systems are obviously all based around Type I hypervisors.
Type II hypervisors are just specialized applications. VirtualBox, etc. Fine for individuals, but not as efficient… And certainly not scalable!
Virtual (guest) networking is accomplished using a switch virtualized within the hypervisor. Virtual networking can be fully isolated, VM-to-host, or VM-to-LAN (which obviously also includes the host).
Major cloud container providers:
- Docker Hub
- Oracle Cloud Infrastructure Compute
- Canonical LXD
- Amazon Elastic Container Service
Cloud Concepts
Cloud Computing: Delivery of computing services over the internet.
Cloud Service Provider: Organization providing cloud computing services.
Tenant: A single customer or multiple customers within a cloud provider’s network.
Elasticity: The ability of (additional) resources to be assigned (to a tenant) without service interruption.
Scaling Out: Adding more instances to service.
Scaling Up: Adding more resources (compute, RAM, etc.) to an instance.
(Confusingly, the opposite of both “scaling out” and “scaling up” tends to be called “scaling down”.)
Cloud Services
“Traditional” cloud services:
- Software as a Service (SaaS): Applications provided on cloud infrastructure.
- Platform as a Service (PaaS): Runtime environment provided on cloud infrastructure. (Glitch, but also Quickbase.)
- Infrastructure as a Service (IaaS): Organization providing cloud computing services.
“Anything as a Service” (XaaS):
- Containers as a Service (CaaS)
- Code as a Service (CaaS)
- Storage as a Service (STaaS)
- Desktop as a Service (DaaS)
- Security as a Service (SECaaS)
- Database as a Service (DBaaS)
Cloud Models
- Public: Azure, AWS, GCP, et al.
- Private: Cloud infrastructure that is used, managed, operated, and owned by a single organization. Basically on-prem++. Some times used to refer to (physical + logical) portions of public cloud infrastructure that are dedicated to a single customer.
- Community: Like a private cloud, but shared by multiple organizations within a single industry (i.e., more specialized / smaller customer base than a public cloud).
- Hybrid: Infrastructure that spans multiple cloud models (and/or on-prem).
“Transit gateways” provide inter-cloud and cloud-to-on-prem connections in hybrid situations.
Computing Types
Cloud vs. Edge vs. “Fog” computing.
(“Fog” computing is really about enabling edge-like computing for ultra-low power IoT devices. Such devices generally require some more powerful local system - the “IoT gateway” - to handle processing and data storage tasks. This system, in turn, may periodically communicate with either cloud-based systems or more distributed systems known as “fog nodes”.)
It’s really all about latency.
There’s also the matter of “human” cloud services - managed service providers (MSPs).
Security MSPs go by their own moniker - MSSPs (“managed security service providers”).
On a completely random note, ITPro.TV’s also going to cover software-defined networking (SDN). ITPro.TV seems to be defining software-defined networking as API-driven and abstracted network management. Three layers:
- Application Layer: Applications using, or providing management panes on to, the network.
- Control Layer: The “SDN controller”, which orchestrates the underlying infrastructure.
- Infrastructure Layer: This is what we normally work with.
Application/Controller communication is called the “northbound API”; this is less standardized but generally involves REST APIs.
Controller/Infrastructure communication is called the “southbound API”, and is generally implemented using OpenFlow.
Cloud Security Controls
Networking controls:
- Public Subnets: Think of these as DMZs. They are connected to the broader internet by way of “secure web gateways”, which provide firewall/proxy-like DNS filtering and IDS/IDP services (though low-level traffic filtering is handled by security groups).
- Private Subnets: Virtual networks for which public connections are not allowed. The VPC endpoint provides firewall/proxy-like controls between private and public subnets.
Other:
- Security Groups: Virtual firewalls, but only of the stateful sort. Sometimes protocol/application aware. Note that most next-gen firewall capabilities (IDS/IDP, etc.) really live within “secure web gateways” and “VPC endpoints”.