Chapter 5. Networking Security
In Chapter 1, I briefly discussed how some controls are blunt in that they aim to unilaterally block all requests that come their way without attempting to identify the requestor or the context under which the request is made. An example of a blunt security control is a network control. This chapter is devoted to discussing the various network controls that you can add on AWS.
A network control is any security control that may be added at the network layer of the infrastructure, as identified by the Open Systems Interconnection (OSI) networking model. For the purposes of this chapter, I will assume that you have a basic understanding of computer networks. You can learn more about computer networks by reading Computer Networks by Andrew Tanenbaum and David Wetherall (Pearson).
The network layer security infrastructure does not read or understand application layer semantics. Rather than seeing applications (that run business logic) interacting with one another, the security infrastructure sees network interfaces that interact with one another, making it difficult to apply controls that can incorporate business logic. In general, network security is like an axe: solid, powerful, but occasionally blunt and inaccurate. In no way am I discrediting the importance of network security but merely pointing out that it requires refinement to accommodate any nuance in applying security rules.
If you list every service in your application, you can roughly divide ...