(Page 4 of 10)
Network Security Topologies
You also explored network security topologies, which describe the organization of devices on a network from a security perspective. You first looked at how a network can be partitioned into multiple zones of security including:
You discovered that a VLAN (Virtual LAN) is a logical LAN created through configuration of switches; it provides the benefits of a subnet without requiring that the devices be on the same physical network, or connected with the same physical technology. Because some VLAN partitioning can be compromised, VLANs do not provide the same level of security as true physical subnets behind separate router ports.
You learned that NAT (or Network Address Translation) is used to connect a private network to a public network, using one or more externally-visible public network IP addresses. It allows devices on private networks to communicate with the Internet and other public networks. When combining NAT and IPSec, the NAT address translation should be applied BEFORE the IPSec encapsulation is performed. (If you are using ESP in tunnel mode, you MAY be able to get away with doing NAT translation after IPSec encapsulation since that configuration doesnt protect the headers addresses from modification.)
Static NAT involves a permanent mapping of a private address to a public address, generally one private to one public address. Dynamic NAT maps private addresses to public addresses as needed, which means that you can get away with fewer public addresses. PAT, or Port Address Translation, directs requests to a particular port on a public internet address, to the machine designated at the PAT box, as the machine that handles that service; for example, you might designate one machine as your web server port destination and one as your email server port destination. NAT is used for increased security, simplified administration, and the need for more internal addresses than permitted by the organizations Internet connection.
You discovered that tunneling, the encapsulation of packets to create a virtual point-to-point connection can provide an authenticated, encrypted, tamper-resistant channel between two points, over the Internet. It can exist at Layer 2 (PPTP, L2TP, L2F), Layer 3 (IPSec) or higher layers (via ssh or SSL).
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.