Advanced Networking Devices Flashcards
Multilayer switches
• A switch (Layer 2) and router (Layer 3) in the same physical device
• Layer 2 router?
• Switching still operates at OSI Layer 2, routing still operates at OSI Layer 3
• There’s nothing new or special happening here
Wireless networks everywhere
• Wireless networking is pervasive
• And you probably don’t just have a single access point
• Your access points may not even be in the same building
• One (or more) at every remote site
- Configurations may change at any moment
- Access policy, security policies, AP configs
- The network should be invisible to your users
- Seamless network access, regardless of role
Wireless LAN controllers
- Centralized management of WAPs
- A single “pane of glass”
- Deploy new access points
- Performance and security monitoring
- Configure and deploy changes to all sites
- Report on access point use
- Usually a proprietary system
- Wireless controller is paired with the access points
Balancing the load
- Distribute the load
- Multiple servers
- Invisible to the end-user
- Large-scale implementations
- Web server farms, database farms
- Fault tolerance
- Server outages have no effect
- Very fast convergence
Load balancer
- Configurable load
- Manage across servers
- TCP offload
- Protocol overhead
- SSL offload
- Encryption/Decryption
- Caching
- Fast response
- Prioritization
- QoS
- Content switching
- Application-centric balancing
IDS and IPS
• Intrusion Detection System / Intrusion Prevention System
• Watch network traffic
• Intrusions
• Exploits against operating systems, applications, etc.
• Buffer overflows, cross-site scripting, other vulnerabilities
- Detection vs. Prevention
- Detection – Alarm or alert
- Prevention – Stop it before it gets into the network
Identification technologies
- Signature-based
- Look for a perfect match
- Anomaly-based
- Build a baseline of what’s “normal”
- Behavior-based
- Observe and report
- Heuristics
- Use artificial intelligence to identify
Proxies
• Sits between the users and the external network
• Receives the user requests and sends the request on their behalf (the proxy)
• Useful for caching information, access control, URL filtering, content scanning
• Applications may need to know how to use the proxy (explicit)
• Some proxies are invisible (transparent)
Application proxies
- Most proxies in use are application proxies
- The proxy understands the way the application works
- A proxy may only know one application, e.g., HTTP
- Many proxies are multipurpose proxies
- HTTP, HTTPS, FTP, etc.
VPN concentrator
- Virtual Private Network
- Encrypted (private) data traversing a public network
- Concentrator
- Encryption/decryption access device
- Often integrated into a firewall
- Many deployment options
- Specialized cryptographic hardware
- Software-based options available
- Used with client software
- Sometimes built into the OS
Remote access VPN
- On-demand access from a remote device
- Software connects to a VPN concentrator
- Some software can be configured as always-on
AAA framework
- Identification - This is who you claim to be
- Usually your username
- Authentication - Prove you are who you say you are
- Password and other authentication factors
• Authorization
• Based on your identification and authentication, what access do you have?
• Accounting
• Resources used: Login time, data sent and received, logout time
RADIUS (Remote Authentication Dial-in User Service)
• One of the more common AAA protocols
• Supported on a wide variety of platforms and devices
- Centralize authentication for users
- Routers, switches, firewalls
- Server authentication
- Remote VPN access
- 802.1X network access
• RADIUS services available on almost any server operating system
UTM / All-in-one security appliance
• Unified Threat Management (UTM) / Web security gateway
• URL filter / Content inspection
• Malware inspection
• Spam filter
• CSU/DSU
• Router, Switch
• Firewall
• IDS/IPS
• Bandwidth shaper
• VPN endpoint
Next-generation Firewalls (NGFW)
- The OSI Application Layer
- Layer 7 firewall
- Can be called different names
- Application layer gateway
- Stateful multilayer inspection
- Deep packet inspection
• Requires some advanced decodes
• Every packet must be analyzed, categorized, and a security decision determined