HACKER Q&A
📣 geewee

Best resources to understand enterprise networking and security?


Currently I'm working on a project on a consultancy basis for a large enterprise. There's a lot of talk about private clouds, private endpoints, virtual networks, security zones and a lot of things I've never really come into contact with as a regular application developer. I'd like to understand more of the problems we're facing so I can participate in the discussions.

What are some good resources for learning about enterprise networking and security?


  👤 nicolaslem Accepted Answer ✓
If you have a bit of cash to spare you could get yourself a router, managed switch and an access point. This would allow you to build a "homelab" and play with VLAN, NAT, VPN, firewall, DMZ... which are the basis of networking and probably required notions to approach bigger enterprise networks.

👤 grantlmiller
This podcast episode with the founder of ScaleFT goes into the history of enterprise networking so you can understand the reasons for why they are like they are: https://www.enterpriseready.io/podcast/paul-querna-scaleft/

👤 open-source-ux
This site has some guides on security that might be a helpful starting point:

The EnterpriseReady SaaS Feature Guides

https://www.enterpriseready.io


👤 dijit
These are all systems administration topics, might be worthwhile picking up some of the media from that realm.

'The Practice of Cloud System Administration'[0] by Limoncelli is a good jumping-off point. His works are often very good.

[0]: https://www.amazon.com/Practice-Cloud-System-Administration-...


👤 prosaic-hacker
I have the same info need. In spite of the fact that I have been in IT for decades as a developer and system admin, I have never been exposed to the day-to-day network needs of the enterprise. I am unsure of even the questions to ask, as I have unknown unknowns. I need case studies of businesses with sizes like 100, 500, 1000, 1000+ endpoints with their corresponding application and security needs.

👤 jasonv
You can also review PCI, SOC, and other compliance and audit practices to understand why enterprise production environments are built the way they tend to get built. Also, look at some reference architecture plans and then imagine how you’d host 3-4 orthogonal designs in one enterprise. The overlaps will yield insights into complexity.

I’m in enterprise architecture and cloud migrations for big, highly regulated institutions, and came from $B e-com. We build for security and resilience across everything. Business, dev, security and operations teams don’t always have alignment and equal input in these designs (as in, enterprise security affects everyone, inside and out). That creates a certain kind of baseline for what you’re researching.


👤 freehunter
I’m an information security consultant so I live in this world every day. I think a good starter would be CompTIA’s Security+ and Network+ study guides. You don’t need to sit for the exam, but they are both entry level certifications that were required by my college when I was attending (although I studied for them in school, I had the actual certification requirement waived so ymmv) so the education materials should be pretty accessible by anyone who works in IT. I think the Network+ is recommended before Security+ and you can find decent study material recommendations online.

👤 crypt1d
The term 'enterprise networking' is a bit ambiguous, as there is nothing inherently special about networks in enterprises - it's just a different layer of abstraction than what you are used to, probably packaged into hardware and software offerings you didn't have exposure to.

That said, you could learn a lot from resources that focus on networking certification. My favourites have always been the CCNA courses from CBT Nuggets done by Jeremy Cioara.


👤 sealthedeal
Check out cbtnuggets.com. Build your own home lab. Reddit has plenty of people that recommend the best routers and switches for you to play with. As you are a developer, there is no better way to learn than to do. Have fun! Also, worst case scenario your lab turns into a great white noise machine haha.

👤 kureikain
I found this list has some good self-studying for network:

https://siliconsprawl.com/2020/05/10/network-programming-sel...


👤 BinaryBuddha
We had a guest on the podcast recently recommend the free tool, Security Onion, which you might find useful for this purpose.

👤 BrandoElFollito
> I'd like to understand more of the problems we're facing so I can participate in the discussions.

There are two very different contexts for "discussions about security" in large enterprises.

1. discussing security with management / C-whatever

You need to discuss risk. You must show that there are some things which are important, and others less important. This is not an easy discussion because it requires experience and the ability to say "if this is hacked, never mind" and at the same time fight like your life depended on it to have the small XSS on your corporate site fixed. Not because it is insecure but because it does not look good in newspapers.

You also need to discuss awareness. First for them, then for the rest of the company. Because the weak link today is John in accounting who will open the enlarge your penis email and download the attached binary.

→ it is difficult to find good resources to learn about these things. Of course there are zillions of books about the subject, usually written by people who have never actually run the security of a company. At best they were "consultants" who had great ideas, which were unfortunately in another galaxy realism-wise.

I would say the best would be to have the opportunity to work with a good CISO and watch him or her belly dance to make their point with management. If they are good you will quickly understand what is important and what is not.

2. discussing with technical teams

You can expect a competency ratio of 1:4. That is 1 person who knows what they are talking about for 4 others who are either neck deep in technical problems and need to solve these problems, or the ones who learned security as part of their general systems/networking curriculum.

The best way to integrate such a team is to become a jack of all trades and a master of all trades as well. In technical teams, raw technical knowledge counts a lot - especially in technology companies. You get credibility points exponentially when you help to solve a hard technical issue. Best is to look around authentication, machine to machine traffic (and how to secure it) and application security.

→ best is to try it out yourself at home. You can run a docker server on a home server and start a few containers. Play with authentication, automated TLS, reverse proxies and filtering, logging.

Large enterprise security, technically speaking, is either the same as small enterprise security (multiplied by n servers and services), or really specific (peering, centralized authentication, ...). The first you learn at home, the second you learn by reading about that very specific subject on the Internet.