
Network Security Topologies

3,956 bytes added, 15:35, 26 February 2008
In this chapter of [[Security+ Essentials]] the topic of security as it pertains to network topologies will be explored. Topologies are created by dividing networks into ''security zones'', providing both a multi-layered defense strategy and different levels of security commensurate with the purpose of each specific zone (for example, less security is necessary for a web server than for an internal server containing sensitive customer information).

== DMZ ==

The acronym ''DMZ'' originates from the military term Demilitarized Zone, which refers to an area declared as a buffer between two sides in a war. In IT security the term DMZ is used to refer to what is essentially a buffer between the internet and the internal network. The DMZ is separated by an ''outer firewall'' on the internet-facing side of the DMZ and an ''inner firewall'' on the internal network side of the DMZ. Any devices placed within the DMZ are accessible from both the internet and the internal network. There is no communication, however, from the internet directly through the DMZ to the internal network.

Any systems placed in the DMZ must be configured to the highest level of security possible (with the caveat that they must still be able to perform the role for which they are intended). These systems should always be considered to be compromised and must never be given direct and unrestricted access to the inner network. Servers typically placed in the DMZ are web, FTP, email and remote access servers.
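A way to make the two-firewall policy above concrete, as an added example that is not part of the Security+ Essentials text: a small zone-based rule evaluator. The address plan (TEST-NET-1 standing in for the DMZ, 10.0.0.0/8 for the internal network), the published ports, and the single DMZ-to-internal database exception are all constructed assumptions for this illustration, not a recommended ruleset. The audit helper checks the one property the chapter insists on, that no rule opens a direct internet-to-internal path.

```python
"""Zone-based policy check for a two-firewall DMZ.

Added illustration, not from the Security+ Essentials chapter. The address
plan, hosts, ports and the rule table are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed address plan. Anything not in a listed prefix is "internet".
ZONE_PREFIXES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1 stands in for the DMZ
    "internal": ipaddress.ip_network("10.0.0.0/8"),  # private internal network
}


def zone_of(addr: str) -> str:
    """Map an address to its security zone; the internet is the catch-all."""
    ip = ipaddress.ip_address(addr)
    for zone, prefix in ZONE_PREFIXES.items():
        if ip in prefix:
            return zone
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: FrozenSet[int]  # empty means any destination port
    action: str                # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, dport: int) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and (not self.dst_ports or dport in self.dst_ports))


ANY: FrozenSet[int] = frozenset()

# Constructed rule table, evaluated first match wins.
RULES: List[Rule] = [
    # Outer firewall: the internet reaches only the services published in the DMZ.
    Rule("internet", "dmz", frozenset({25, 80, 443}), "allow"),
    # Inner firewall: nothing passes straight from the internet to the internal network.
    Rule("internet", "internal", ANY, "deny"),
    # DMZ hosts are assumed compromised: one narrow, hypothetical exception
    # (web tier to a database port), then everything else inward is denied.
    Rule("dmz", "internal", frozenset({3306}), "allow"),
    Rule("dmz", "internal", ANY, "deny"),
    # Internal users may manage DMZ hosts and browse the internet.
    Rule("internal", "dmz", ANY, "allow"),
    Rule("internal", "internet", ANY, "allow"),
]


def evaluate(src: str, dst: str, dport: int, rules: List[Rule] = RULES) -> str:
    """Decide a flow by zone pair and destination port; unmatched flows are denied."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic never crosses either firewall
    for rule in rules:
        if rule.matches(src_zone, dst_zone, dport):
            return rule.action
    return "deny"


def internet_to_internal_allows(rules: List[Rule]) -> List[Rule]:
    """Audit helper: rules that would open a direct internet-to-internal path.

    Honours first-match order: a catch-all deny for the pair shadows every
    later rule, so only allows listed before such a deny are reported.
    """
    offending: List[Rule] = []
    closed = False
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) != ("internet", "internal"):
            continue
        if rule.action == "deny" and not rule.dst_ports:
            closed = True
        elif rule.action == "allow" and not closed:
            offending.append(rule)
    return offending


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 (TEST-NET-3) plays an internet host.
    for src, dst, port in [("203.0.113.5", "192.0.2.10", 443),
                           ("203.0.113.5", "10.1.2.3", 443),
                           ("192.0.2.10", "10.1.2.3", 22)]:
        print(f"{src} -> {dst}:{port}  {zone_of(src)}->{zone_of(dst)}  {evaluate(src, dst, port)}")
    print("direct internet->internal allows:", internet_to_internal_allows(RULES))
```

Two design choices are worth noting. Unmatched zone pairs fall through to deny, so a DMZ host that needs to initiate outbound connections (for example to fetch updates) must be given an explicit rule rather than inheriting one. And the audit walks the table in match order, because on a real first-match firewall an allow that sits after a catch-all deny is dead, whereas one that sits before it is a hole.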

== Internet ==

The internet is the name given to the entire public network which provides the infrastructure for the transfer of data between remote points. Such data can take the form of email, web pages, files, multi-media and just about anything else that exists in digital form.

Whilst the internet seems like one giant network, it is in reality a mesh of interconnected networks held together by routers which control and direct the flow of data from point to point until it reaches its destination.

The internet is completely open and as such there is no way to control what takes place on it. Whilst much of the activity on the internet is harmless it is also a fertile breeding ground for those with malicious intentions. It is for this reason that any computers or networks with access to the internet must be protected by a firewall.

== Intranet ==

An intranet can be described as a mini-internet built within the safety of a secure networking environment. Intranets are typically used to provide internal corporate web sites for employee-only access. Because the intranet servers have internal, private IP addresses and reside behind firewalls they are generally not accessible to the outside world. If external access is needed to an intranet this is best achieved through the implementation of a Virtual Private Network (VPN).

== Extranet ==

An extranet is a portion of an intranet which is made accessible to external partners. Access to an extranet is typically controlled by strict levels of authentication and authorization through the use of VPNs, firewalls and security policies.

== Virtual Local Area Network (VLAN) ==

A local area network (LAN) is typically a collection of devices connected to a single switch. A virtual local area network (VLAN) typically involves grouping devices on a single switch into multiple broadcast domains and network segments. This provides a way to limit broadcast traffic on each segment of the network (improving overall performance) and increases security through the deployment of multiple isolated LANs on a single switch. A concept known as ''trunking'' can be used to create a VLAN which spans multiple switches. This enables users to be grouped on VLANs based on function rather than by physical location. For example, all members of the accounting department can be placed in the same VLAN regardless of the switches to which they are physically connected.
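To show what the VLAN isolation and trunking described above actually buy, here is an added example that is not part of the Security+ Essentials text: a small model of two switches with accounting in VLAN 10 and engineering in VLAN 20, joined by an 802.1Q trunk. Switch names, port names, VLAN numbers and the wiring are constructed assumptions. Flooding a broadcast from one access port delivers it only to ports in the same VLAN, including the one on the far switch, and never to the other department's ports on the same switch.

```python
"""Broadcast-domain isolation with VLANs and a trunk between two switches.

Added illustration, not from the Security+ Essentials chapter. Switch and
port names, VLAN numbers and the wiring are constructed for this example.
"""
from typing import Dict, List, Set, Tuple

PortId = Tuple[str, str]  # (switch name, port name)


class Switch:
    def __init__(self, name: str) -> None:
        self.name = name
        self.access: Dict[str, int] = {}     # port -> untagged access VLAN
        self.trunks: Dict[str, PortId] = {}  # port -> far end of the 802.1Q trunk

    def access_port(self, port: str, vlan: int) -> "Switch":
        self.access[port] = vlan
        return self

    def trunk_port(self, port: str, peer_switch: str, peer_port: str) -> "Switch":
        self.trunks[port] = (peer_switch, peer_port)
        return self


def build_fabric() -> Dict[str, Switch]:
    """Two switches, accounting in VLAN 10 and engineering in VLAN 20, joined by a trunk."""
    sw1 = (Switch("sw1")
           .access_port("Gi0/1", 10).access_port("Gi0/2", 20).access_port("Gi0/3", 10)
           .trunk_port("Gi0/24", "sw2", "Gi0/24"))
    sw2 = (Switch("sw2")
           .access_port("Gi0/1", 10).access_port("Gi0/2", 20)
           .trunk_port("Gi0/24", "sw1", "Gi0/24"))
    return {sw1.name: sw1, sw2.name: sw2}


def flood(fabric: Dict[str, Switch], src_switch: str, src_port: str) -> Set[PortId]:
    """Return every access port that receives a broadcast frame sent on src_port.

    The frame is flooded only to ports in the sender's VLAN. Over a trunk it
    travels tagged with that VLAN id, so the far switch floods it to the same
    VLAN and nothing else. The trunks modelled here carry all VLANs (no pruning).
    """
    vlan = fabric[src_switch].access[src_port]
    delivered: Set[PortId] = set()
    visited: Set[str] = set()
    pending: List[str] = [src_switch]
    while pending:
        name = pending.pop()
        if name in visited:
            continue  # the trunk is a loop in this model; visit each switch once
        visited.add(name)
        switch = fabric[name]
        for port, port_vlan in switch.access.items():
            if port_vlan == vlan and (name, port) != (src_switch, src_port):
                delivered.add((name, port))
        for peer_switch, _ in switch.trunks.values():
            pending.append(peer_switch)  # leaves the trunk tagged with VID = vlan
    return delivered


def broadcast_domains(fabric: Dict[str, Switch]) -> Dict[int, Set[PortId]]:
    """Group every access port in the fabric by VLAN, i.e. by broadcast domain."""
    domains: Dict[int, Set[PortId]] = {}
    for switch in fabric.values():
        for port, vlan in switch.access.items():
            domains.setdefault(vlan, set()).add((switch.name, port))
    return domains


if __name__ == "__main__":
    fabric = build_fabric()
    for vlan, ports in sorted(broadcast_domains(fabric).items()):
        print(f"VLAN {vlan}: {sorted(ports)}")
    print("broadcast from sw1 Gi0/1 reaches:", sorted(flood(fabric, "sw1", "Gi0/1")))
```

The model goes slightly beyond the text in listing the broadcast domains of the whole fabric, which is the quickest way to confirm that a port has ended up in the department it was meant to be in. It deliberately ignores VLAN pruning and the native VLAN on the trunk; both affect what crosses a real trunk and are the first things to check when two switches disagree about who belongs together.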

== Network Address Translation (NAT) ==