CertiGuide to Security+
Chapter 3: Infrastructure Security (Domain 3.0; 20%)

3.6  Summary
(Page 4 of 10)

Network Security Topologies

You also explored network security topologies, which describe the organization of devices on a network from a security perspective. You first looked at how a network can be partitioned into multiple zones of security including:

  • DMZ, or De-Militarized Zone: a no-man’s-land between external networks such as the Internet and your protected internal network, usually sitting outside the firewall that separates the wild world from your internal network. It is a neutral zone that keeps internal and external users apart and minimizes the opportunities for unauthorized actions by either side, such as break-ins by external users or use of Internet music-sharing services by internal users. The DMZ is where you generally run services that must accept connections from outside, such as email and web services; non-essential services should be kept to a minimum, since each one adds vulnerabilities, and internal-only services should never be run in the DMZ.

  • Intranet: the internal network used by the organization’s insiders. Proprietary data is generally stored on, and transported around, a company’s intranet; if a logical intranet connection is carried over the Internet, protect it with an encrypted channel such as a VPN or an SSL-encrypted web connection. The intranet holds your network’s crown jewels, its most valuable data, and while the threat of access by outsiders may be lower, there is still the possibility of compromise by insiders, so suitable security should be deployed.

  • Extranet: the extension of parts of an organization’s network to its business partners, such as suppliers and customers, on a need-to-know basis. Access is normally provided via VPN or SSL-encrypted web connections; because more people have access to these areas of your network than to your intranet, extra monitoring may be advisable.
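
As an added illustration, not part of the CertiGuide text: a small Python model of the zone separation the three bullets above describe. The hosts, addresses, published DMZ ports and the blocked outbound port are constructed assumptions, and the rules are a simplified reading of the summary (outsiders reach only the published DMZ services, nothing initiates into the intranet from outside or from the DMZ, insiders may reach the DMZ and the Internet except for a blocked file-sharing port).

```python
from dataclasses import dataclass

# Security zones from the summary; the zone names are assumptions for this example.
INTERNET, DMZ, INTRANET = "internet", "dmz", "intranet"

# Constructed host inventory (RFC 5737 documentation addresses and RFC 1918 private space).
ZONE_OF = {
    "192.0.2.10": DMZ,       # public web server
    "192.0.2.25": DMZ,       # mail relay
    "10.0.0.5": INTRANET,    # internal file server
    "10.0.0.99": INTRANET,   # employee workstation
}

# Services the DMZ is allowed to accept from the outside: web and email, as the text says.
DMZ_PUBLIC_PORTS = {25, 80, 443}

# Constructed example of an outbound port a site blocks (Internet file-sharing).
BLOCKED_OUTBOUND_PORTS = {6881}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP of the host opening the connection
    dst: str    # destination IP
    dport: int  # destination TCP port


def zone_of(ip: str) -> str:
    """Anything not in the inventory is treated as untrusted Internet."""
    return ZONE_OF.get(ip, INTERNET)


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a new connection crossing a zone boundary."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow"      # traffic inside one zone never crosses the firewall
    if dst_zone == INTRANET:
        return "deny"       # neither the Internet nor the DMZ may initiate into the intranet
    if dst_zone == DMZ:
        if src_zone == INTRANET:
            return "allow"  # insiders may administer and use any DMZ service
        return "allow" if flow.dport in DMZ_PUBLIC_PORTS else "deny"
    # dst_zone == INTERNET
    if src_zone == INTRANET and flow.dport in BLOCKED_OUTBOUND_PORTS:
        return "deny"       # e.g. the music-sharing services the summary mentions
    return "allow"          # DMZ hosts (the mail relay) and insiders may reach the Internet
```
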

VLANs, NAT and Tunneling

You discovered that a VLAN (Virtual LAN) is a logical LAN created through the configuration of switches; it provides the benefits of a subnet without requiring that the devices be on the same physical network or connected with the same physical technology. Because some VLAN partitioning can be compromised, VLANs do not provide the same level of security as true physical subnets behind separate router ports.

You learned that NAT (Network Address Translation) is used to connect a private network to a public network using one or more externally visible public IP addresses. It allows devices on private networks to communicate with the Internet and other public networks. When combining NAT and IPSec, the NAT address translation should be applied BEFORE the IPSec encapsulation is performed. (If you are using ESP in tunnel mode, you MAY be able to get away with doing NAT translation after IPSec encapsulation, since that configuration doesn’t protect the outer IP header’s addresses from modification.)

Static NAT involves a permanent mapping of a private address to a public address, generally one private address to one public address. Dynamic NAT maps private addresses to public addresses as needed, which means you can get away with fewer public addresses. PAT, or Port Address Translation, directs requests arriving on a particular port of a public Internet address to the machine that the PAT device designates as the handler for that service; for example, you might designate one machine as the destination for the web server port and another as the destination for the email server port. NAT is used for increased security, for simplified administration, and to accommodate more internal addresses than the organization’s Internet connection permits.
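An added example, not from the CertiGuide text: a toy NAT device in Python that models the three mechanisms just summarized (static one-to-one mapping, dynamic assignment from a pool that can run out, and PAT port forwarding on a single public address). The addresses, pool size and port-to-host assignments are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NatBox:
    """Toy NAT device modelling static NAT, dynamic NAT and PAT (constructed example)."""
    static: Dict[str, str]        # private IP -> public IP, permanent one-to-one (static NAT)
    pool: List[str]               # public IPs handed out on demand (dynamic NAT)
    pat_address: str              # the one public IP whose ports are forwarded (PAT)
    port_forward: Dict[int, str]  # public port -> private machine designated for that service
    dynamic: Dict[str, str] = field(default_factory=dict)  # live dynamic assignments

    def outbound(self, private_ip: str) -> Optional[str]:
        """Public source address for a packet leaving the private network, or None to drop it."""
        if private_ip in self.static:
            return self.static[private_ip]
        if private_ip not in self.dynamic:
            if not self.pool:
                return None  # dynamic NAT exhausted: more private hosts than public addresses
            self.dynamic[private_ip] = self.pool.pop(0)
        return self.dynamic[private_ip]

    def release(self, private_ip: str) -> None:
        """A finished dynamic session returns its public address to the pool."""
        public_ip = self.dynamic.pop(private_ip, None)
        if public_ip is not None:
            self.pool.append(public_ip)

    def inbound(self, public_ip: str, dport: int) -> Optional[str]:
        """Private destination for a packet arriving from the public side, or None to drop it."""
        if public_ip == self.pat_address:
            return self.port_forward.get(dport)  # PAT: only published ports lead anywhere
        for private_ip, mapped in list(self.static.items()) + list(self.dynamic.items()):
            if mapped == public_ip:
                return private_ip  # one-to-one mappings are reachable from outside
        return None  # no mapping behind this public address


def example_box() -> NatBox:
    """Constructed site: one static mapping, a two-address dynamic pool, PAT for web and mail."""
    return NatBox(
        static={"10.0.0.5": "198.51.100.5"},
        pool=["198.51.100.20", "198.51.100.21"],
        pat_address="198.51.100.1",
        port_forward={80: "10.0.0.80", 443: "10.0.0.80", 25: "10.0.0.25"},
    )
```

Note that an inbound packet to the PAT address on an unpublished port is dropped, which is the practical reason PAT also counts as a security measure in the summary.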

You discovered that tunneling, the encapsulation of packets to create a virtual point-to-point connection, can provide an authenticated, encrypted, tamper-resistant channel between two points over the Internet. It can exist at Layer 2 (PPTP, L2TP, L2F), Layer 3 (IPSec) or higher layers (via SSH or SSL).

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.