
Network Security Topologies

7 bytes added, 15:09, 17 July 2009
In this chapter of [[Security+ Essentials]] the topic of security as it pertains to network topologies will be explored. Topologies are created by dividing networks into ''security zones'', providing both a multi-layered defense strategy and different levels of security commensurate with the purpose of each zone (for example, a public web server does not require the same level of protection as an internal server containing sensitive customer information).
== DMZ ==
The acronym ''DMZ'' originates from the military term Demilitarized Zone, which refers to an area declared as a buffer between two sides in a war. In IT security the term DMZ is used to refer to what is essentially a buffer between the internet and the internal network. The DMZ is bounded by an ''outer firewall'' on the internet-facing side of the DMZ and an ''inner firewall'' on the internal network side of the DMZ. Any devices placed within the DMZ are accessible from both the internet and the internal network. There is, however, no communication from the internet directly through the DMZ to the internal network.
Any systems placed in the DMZ must be configured to the highest level of security possible (with the caveat that they must still be able to perform the role for which they are intended). These systems should always be assumed to be compromised and must never be given direct and unrestricted access to the inner network. Servers typically placed in the DMZ are web, FTP, email and remote access servers.
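The two-firewall arrangement described above can be modelled as a policy check. The following is an added example, not code from the Security+ Essentials text: it assigns constructed address blocks to the three zones, gives the outer firewall a short list of published DMZ services, gives the inner firewall a single tightly scoped DMZ-to-internal exception (a mail relay on one port, constructed for illustration), and shows that traffic from the internet never reaches the internal network even though the DMZ hosts are reachable from both sides.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple

# Constructed zone addressing (an assumption for this example, not from the chapter):
# the DMZ uses a small public block, the internal network uses private space,
# and any other address is treated as the internet.
ZONES = {
    "dmz": ip_network("203.0.113.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}

# Services that DMZ hosts are permitted to expose to the internet (constructed list).
DMZ_PUBLIC_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 21)}

# The only DMZ-to-internal flow the inner firewall accepts: a mail server in the DMZ
# relaying to one internal host on one port. This is a constructed example of
# "restricted" access; every other connection initiated from the DMZ is dropped.
INNER_EXCEPTIONS = {("203.0.113.25", "10.0.5.25", "tcp", 25)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to the security zone it belongs to."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def outer_firewall(pkt: Packet, src: str, dst: str) -> str:
    """Internet-facing firewall: inbound traffic may only reach published DMZ services."""
    if src == "internet":
        if dst == "dmz" and (pkt.proto, pkt.dport) in DMZ_PUBLIC_SERVICES:
            return "allow"
        return "deny: internet may only reach published DMZ services"
    return "allow"  # egress from the DMZ or the internal network toward the internet


def inner_firewall(pkt: Packet, src: str, dst: str) -> str:
    """Internal-side firewall: nothing initiated in the DMZ or on the internet enters unrestricted."""
    if src == "internal":
        return "allow"  # internal hosts may reach the DMZ and the internet
    if src == "dmz" and (pkt.src, pkt.dst, pkt.proto, pkt.dport) in INNER_EXCEPTIONS:
        return "allow"
    return f"deny: {src} has no unrestricted path into the internal network"


# Which firewalls a packet crosses on its way from one zone to another.
PATH = {
    ("internet", "dmz"): [outer_firewall],
    ("dmz", "internet"): [outer_firewall],
    ("dmz", "internal"): [inner_firewall],
    ("internal", "dmz"): [inner_firewall],
    ("internet", "internal"): [outer_firewall, inner_firewall],
    ("internal", "internet"): [inner_firewall, outer_firewall],
}


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return ('allow' or 'deny', reason) after the packet traverses every firewall on its path."""
    src, dst = zone_of(pkt.src), zone_of(pkt.dst)
    if src == dst:
        return ("allow", f"intra-zone traffic within {src}")
    for fw in PATH[(src, dst)]:
        verdict = fw(pkt, src, dst)
        if verdict != "allow":
            return ("deny", f"{fw.__name__}: {verdict}")
    return ("allow", f"{src} -> {dst} permitted by every firewall on the path")


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "203.0.113.80", 443),   # internet -> DMZ web server
              Packet("198.51.100.7", "203.0.113.80", 22),    # internet -> unpublished DMZ port
              Packet("198.51.100.7", "10.0.5.25", 443),      # internet -> internal host
              Packet("203.0.113.80", "10.0.5.25", 3306),     # DMZ web server -> internal database
              Packet("203.0.113.25", "10.0.5.25", 25),       # the one permitted mail relay
              Packet("10.0.1.5", "203.0.113.80", 443)):      # internal -> DMZ
        print(p, *decide(p))
```

The fourth packet is the case the chapter warns about: a web server in the DMZ, assumed compromised, trying to open a connection to an internal database. It is stopped by the inner firewall regardless of what the outer firewall permitted.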
== Internet ==
The internet is the name given to the entire public network which provides the infrastructure for the transfer of data between remote points. Such data can take the form of email, web pages, files, multi-media and just about anything else that exists in digital form.
Whilst the internet seems like one giant network, it is in reality a mesh of interconnected networks held together by routers which control and direct the flow of data from point to point until it reaches its destination.
The internet is completely open and, as such, there is no way to control what takes place on it. Whilst much of the activity on the internet is harmless, it is also a fertile breeding ground for those with malicious intentions. It is for this reason that any computers or networks with access to the internet must be protected by a firewall.
== Intranet ==
An intranet can be described as a mini-internet built within the safety of a secure networking environment. Intranets are typically used to provide internal corporate web sites for employee-only access. Because intranet servers have internal, private IP addresses and reside behind firewalls, they are generally not accessible to the outside world. If external access to an intranet is needed, this is best achieved through the implementation of a Virtual Private Network (VPN).
== Extranet ==
== Virtual Local Area Network (VLAN) ==
A local area network (LAN) is typically a collection of devices connected to a single switch. A virtual local area network (VLAN) typically involves grouping the devices on a single switch into multiple broadcast domains and network segments. This provides a way to limit broadcast traffic on each segment of the network (improving overall performance) and increases security through the deployment of multiple isolated LANs on a single switch. A concept known as ''trunking'' can be used to create a VLAN which spans multiple switches. This enables users to be grouped on VLANs based on function rather than by physical location. For example, all members of the accounting department can be placed in the same VLAN regardless of the switches to which they are physically connected.
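The broadcast-domain behaviour and the trunking described above can be shown with a small simulation. This is an added example rather than code from the chapter: two constructed switches each carry an accounting VLAN (10) and a sales VLAN (20), a trunk joins them, and flooding a broadcast frame from one access port shows that only ports in the same VLAN receive it, on either switch.

```python
from typing import Dict, Optional, Set


class Switch:
    """A switch whose access ports belong to VLANs and whose trunk ports carry tagged frames."""

    def __init__(self, name: str):
        self.name = name
        self.access_ports: Dict[str, int] = {}      # port name -> VLAN id
        self.trunk_ports: Dict[str, "Switch"] = {}  # port name -> neighbouring switch

    def add_access_port(self, port: str, vlan: int) -> None:
        self.access_ports[port] = vlan

    def connect_trunk(self, port: str, peer: "Switch", peer_port: str) -> None:
        """Join two switches with a trunk; both ends record the link."""
        self.trunk_ports[port] = peer
        peer.trunk_ports[peer_port] = self

    def broadcast(self, ingress_port: str) -> Set[str]:
        """Flood an untagged broadcast frame received on an access port.

        Returns the 'switch:port' names that receive a copy of the frame.
        """
        vlan = self.access_ports[ingress_port]  # the access port decides VLAN membership
        return self._flood(vlan, exclude_port=ingress_port, visited=set())

    def _flood(self, vlan: int, exclude_port: Optional[str], visited: Set[str]) -> Set[str]:
        visited.add(self.name)
        delivered: Set[str] = set()
        # Local delivery: only access ports in the same VLAN share the broadcast domain.
        for port, port_vlan in self.access_ports.items():
            if port != exclude_port and port_vlan == vlan:
                delivered.add(f"{self.name}:{port}")
        # Trunking: forward the frame, tagged with the VLAN id, to every neighbouring
        # switch not yet visited, so the VLAN spans the whole switched fabric.
        for port, peer in self.trunk_ports.items():
            if peer.name not in visited:
                delivered |= peer._flood(vlan, exclude_port=None, visited=visited)
        return delivered


def build_example_topology():
    """Two switches joined by a trunk; VLAN 10 (accounting) and VLAN 20 (sales) span both.

    The port layout is constructed for this example.
    """
    sw1, sw2 = Switch("sw1"), Switch("sw2")
    sw1.add_access_port("p1", 10)
    sw1.add_access_port("p2", 20)
    sw1.add_access_port("p3", 10)
    sw2.add_access_port("p1", 10)
    sw2.add_access_port("p2", 20)
    sw1.connect_trunk("t1", sw2, "t1")
    return sw1, sw2


if __name__ == "__main__":
    sw1, sw2 = build_example_topology()
    print("broadcast from sw1:p1 (VLAN 10) reaches", sorted(sw1.broadcast("p1")))
    print("broadcast from sw1:p2 (VLAN 20) reaches", sorted(sw1.broadcast("p2")))
```

A host on sw1 port p2 (sales) never sees the accounting broadcast even though it shares the physical switch, while the accounting host on sw2 does, because the trunk carries the VLAN tag across.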
== Network Address Translation (NAT) ==
Network Address Translation (NAT) provides a mechanism for using two sets of IP addresses for internal network devices, one set for internal use and another for external use. NAT was originally developed to address the problem that the supply of available IPv4 addresses is running out.
Translation typically takes place at a router or firewall and allows internal networks to assign so-called ''non-routable'' or ''private'' IP addresses to internal devices whilst using a single IP address for external communication across the internet.
Private IP addresses fall into specific ranges known as ''classes''. Each of the following classes is considered to be non-routable on the internet:
* '''Class A''' - 10.0.0.0 - 10.255.255.255. Valid IP addresses are from 10.0.0.1 to 10.255.255.254.
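The following added example (not part of the chapter) models the translation step a router or firewall performs. It checks whether a source address is private, allocates a public port for each new outbound flow so that many internal hosts share one public address, and rewrites replies back to the originating private host. The Class A range is the one listed above; the 172.16.0.0/12 and 192.168.0.0/16 ranges are the remaining RFC 1918 private ranges, included from the standard rather than from the page. The public address and port range are constructed values.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges: the chapter lists the Class A block; the other two are
# the remaining RFC 1918 ranges (from the standard, not from the page).
PRIVATE_RANGES = [
    ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
]

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def is_private(addr: str) -> bool:
    """True if the address is non-routable on the internet (RFC 1918)."""
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class Nat:
    """Port-based NAT: many private hosts share one public address (constructed model)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map: Dict[Tuple[str, int], int] = {}   # (private ip, port) -> public port
        self.inbound_map: Dict[int, Tuple[str, int]] = {}    # public port -> (private ip, port)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Rewrite a packet leaving the internal network; non-private sources pass unchanged."""
        if not is_private(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)
        key = (src_ip, src_port)
        if key not in self.outbound_map:          # allocate a public port for a new flow
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[public_port] = key
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Rewrite a reply arriving from the internet.

        A packet with no existing mapping was not solicited by an internal host,
        so there is nowhere to deliver it and it is dropped (returns None).
        """
        if dst_ip != self.public_ip or dst_port not in self.inbound_map:
            return None
        private_ip, private_port = self.inbound_map[dst_port]
        return (src_ip, src_port, private_ip, private_port)


if __name__ == "__main__":
    nat = Nat("203.0.113.1")
    out = nat.outbound("10.0.0.5", 51000, "198.51.100.7", 443)
    print("outbound rewritten to", out)
    print("reply delivered to", nat.inbound("198.51.100.7", 443, "203.0.113.1", out[1]))
    print("unsolicited packet:", nat.inbound("198.51.100.7", 443, "203.0.113.1", 40999))
```

Because an inbound packet is only forwarded when an internal host has already created the mapping, NAT incidentally hides the internal addressing and blocks unsolicited connections, which is why it is often mentioned alongside the firewall even though it was designed for address conservation.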
