Network Components

Install and configure network components, both hardware- and software-based, to support organizational security

  • Router
  • Switch
  • Bridge
  • Proxy
  • Load Balancer
  • Firewall
  • NIDS / NIPS
  • VPN Concentrator
  • Wireless Access Points
  • SIEM
  • DLP
  • NAC
  • SSL / TLS accelerators
  • Mail / Media Gateway
  • Hardware Security Modules (HSMs)

Router

  • Connects computer networks
  • Operates at Layer 3 (the network layer)
  • Stores information about network destinations in a routing table
  • Border router: connects the outside of a LAN to a WAN

Router Security

  • Access Control Lists (ACLs): Filtering packets by source address, destination address, protocol, or port
  • Zones: Segmenting networks based on functionality or security
  • Antispoofing: Access lists that deny packets arriving from the Internet whose source address falls in private IP or localhost (loopback) ranges, since such addresses can only be spoofed
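The ACL filtering and antispoofing entries above, as an added example that is not part of the original notes: a small Python model of a first-match access list applied inbound on a border router's Internet-facing interface. The addresses are constructed (203.0.113.0/24 stands in for the organization's own public range and 203.0.113.10 for its published web server); the `Packet` and `Rule` types are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str                     # source IP as a dotted quad
    dst: str                     # destination IP
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None for icmp

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

ANY = ipaddress.ip_network("0.0.0.0/0")

# Source ranges that can never legitimately arrive from the Internet: RFC 1918
# private space, loopback, link-local and "this network". A packet carrying one
# of these as its source on the outside interface is spoofed by definition.
BOGON_SOURCES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8"]

def build_wan_inbound_acl(own_public_net: str, web_server: str) -> List[Rule]:
    """ACL applied inbound on the border router's Internet-facing interface.
    own_public_net and web_server are constructed example values."""
    acl = [Rule("deny", ipaddress.ip_network(n), ANY) for n in BOGON_SOURCES]
    # Antispoofing: nothing from the Internet may claim our own address space.
    acl.append(Rule("deny", ipaddress.ip_network(own_public_net), ANY))
    # Permit only HTTPS to the published web server; everything else is denied.
    acl.append(Rule("permit", ANY, ipaddress.ip_network(web_server + "/32"), "tcp", 443))
    acl.append(Rule("deny", ANY, ANY))  # explicit form of the implicit deny
    return acl

def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, as on router ACLs; no match means deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"
```

Ordering matters: the bogon and antispoofing denies sit before the permit so a spoofed packet never reaches the HTTPS rule.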

Switch

  • Connects devices within a computer network, using packet switching to receive, process, and forward data to the destination device
  • Operates at either Layer 2 (the data link layer) or Layer 3 (the network layer)
    • At Layer 2, forwarding decisions are based on Media Access Control (MAC) addresses

Switch Security

  • Virtual LANs (VLANs): Segment networks and limit broadcast traffic
  • Port security: Layer 2 feature
    • Enables/disables individual switch ports based on MAC address
    • Can take one of the following actions when it detects a violation
      o Shutdown mode (the default)
      o Protect mode
      o Restrict mode
    • Port security is vulnerable to MAC address spoofing
  • Loop prevention
    • A loop exists when frames can travel from one LAN segment to another through more than one path (can happen on switches or bridges)
    • Solution: Spanning Tree Protocol (STP), a link-management protocol that provides path redundancy while preventing undesirable loops in the network
  • Flood guard: Detects and blocks traffic floods, normally associated with DoS attacks

Bridge

  • Connects two different physical networks
  • Layer 2 (data link)
  • Replaced by switches
  • Bridge loops (like switch loops)

Network Address Translation (NAT)

A common problem is running out of IPv4 addresses; NAT is the solution.

A method of remapping one IP address space into another by modifying the network address information in the IP header of packets while they are in transit across a traffic-routing device.

Also provides some security by hiding internal IP addresses from external access.

Proxy

  • Boundary device between internal and external networks
  • Any device that acts on behalf of others; provides security, logging, and caching
  • Proxy server: Blocks known malicious websites
  • Forward proxy: Retrieves data on behalf of a client
  • Reverse proxy: Protects access to a server on the internal network
  • Transparent proxy (aka intercepting, inline, or forced proxy): A caching server that redirects client requests without modifying them, to reduce bandwidth usage

Load Balancer

Shifts load from one device to another.

Benefits:
  • Reduces response time
  • Maximizes throughput
  • Allows better allocation of resources

Scheduling (how load is distributed):
  • Round-robin: servers take turns in a circular pattern
  • Affinity (aka sticky session): requests from a given client are always sent to the same server
  • Least connections: the request goes to the server with the fewest active connections
  • Random

Active/active: all servers handle traffic together
Active/passive: all traffic is sent to the active server, with the passive server on standby
Virtual IPs (VIPs): at least one physical server is assigned, but more than one virtual IP address

Access Points

  • Typically wireless (WAP)
  • Layer 2 (the data link layer) of the OSI model
  • Can operate as a bridge connecting a standard wired network to wireless devices, or as a router passing data transmissions from one access point to another
  • Consists of a transmitter and receiver (transceiver) used to create a wireless LAN (WLAN)
  • A centralized access controller (AC) is capable of providing management, configuration, encryption, and policy settings for WLAN access points.

Access Controllers

  • Fat: intelligent access points
  • Fit: scaled-down fat APs
  • Thin: intelligent antennas (only transmit/receive)
  • Controller-based vs. standalone

AP Wireless Management Security

  • SSID (Service Set Identifier)
    • Broadcast
    • Cloaked
  • MAC filtering
  • Signal strength
  • Band selection/width
  • Antenna types and placement
    • Omnidirectional
    • Directional
