Chapter 8 - Advanced network devices Flashcards
Multi Layer Switch
Operates at both layer 2 (Data Link) and layer 3 (Network)
Performs basic functions of both a switch and router
Uses an Application Specific Integrated Circuit (ASIC) to accomplish routing
Examines packets and uses the IP address to determine whether they need to be sent to a device on a different network.
If there are two networks, it can create segments within the same IP address range.
!segment addresses must not overlap!
!gives the option to configure two networks into one!
!assesses packet forwarding on IP and MAC address!
Multi Layer Switch Benefits
Easy to use
as it is auto-configurable and there is no need to learn new IP switching technology
Convergence
by responding to route failures and routing technology changes
!understands routing protocols!
Resilience
Supports Hot Standby Router Protocol (HSRP), which eliminates a single point of failure by allowing traffic to be sent to a standby device without disrupting services.
Access List Support
Can filter traffic based on access lists and prevent traffic crossing between subnets
Transparency
No new routing protocols implemented and supports DHCP
Standards Based
Internet Engineering Task Force (IETF) protocols like
Open Shortest Path First (OSPF)
Routing Information Protocol (RIP)
Simplified network design by retaining existing structure
Management
Analysis of Accounting and Traffic to generate reports
Wireless Controllers
A centralised management device that manages and can configure all access points
What can some WLAN Controllers enable?
VPN connectivity
Intrusion detection
Firewall settings
It’s simple to connect to a wireless controller to give access to all WAPs in the network
What does a Wireless Controller Offer?
1/ Centralised Authentication
You don’t need to create individual MAC address tables for each access point
Authentication performed by RADIUS, Active Directory and LDAP integration
2/ Interference Mitigation
Access points operate in non-overlapping channels
No loss of packets due to interference in a dense wireless network
3/ Load Balancing
Users shift to adjacent AP if load becomes unbalanced
This occurs when an AP has a higher number of users while a neighbouring WAP has fewer
4/ Radio Balancing
Enables clients to connect only to 802.11n AP
5/ Fail Over
Automatic Shift to a neighbour WAP during failure
Load Balancers
A physical network appliance used to distribute traffic across multiple servers.
It also won’t forward requests to a server which has failed.
!all servers have to perform the same task!
!at least one consistent service; servers can perform other tasks!
Load Balancer traffic routing
Based on
Availability
Resource utilisation
Number of connections to the server
Overall server performance
If server 1 is more robust than server 2, you’d use server 1 to handle more requests.
Load Balancer Benefits
Minimise probability of servers becoming overwhelmed by traffic
Optimise bandwidth to each computer or terminal
Minimise network downtime
Perform traffic prioritisation
Provide end to end application monitoring
Provide user authentication
Protect against malicious attacks like DoS
!Load balancers can be configured to reject non-legitimate requests! (Attacks)
IDS
Intrusion Detection System
Detects suspicious activity on a host or network
Analyses traffic patterns and tries to identify normal traffic
Anything other than normal traffic is considered an intrusion
Can mitigate detected activity using logs
!IDS doesn’t stop an attack! It only detects suspicious activity!
IPS
Detects and prevents attacks
Network firewall
Allows or denies traffic based on packet header fields for
IP Address
Protocol type
Port Number
IDS Types
1/Host Based
Web server or database server
2/Network Based
Must see all network traffic to identify suspect activity
3/Logs
Log suspicious activity to alert of the threat but doesn’t stop it.
IPS Types
1/Host Based
Runs on individual host on the network
2/Network Based
Must be able to see all network traffic to identify and prevent attacks
3/ Activity log
IPS activity logs alert of an occurrence and prevents the threat
Proxy Servers
Placed in a DMZ
Implemented to eliminate direct connectivity between
1/ Internal clients and the internet, and
2/ External clients and internal resources
- Protects host identity, as outgoing traffic appears to come from the proxy
- Uses a public IP address to collect requested internet data for clients
Reverse Proxy
Listens for connection requests for a given network service, like TCP port 80 for a website
Connection is then forwarded to internal host
Proxy Configuration
Must be configured to a specific application like HTTP or FTP protocols
Proxy Benefits
Retrieves internet content for clients
Content can be cached
Client identity is never revealed
Can examine packet header and payload to block certain content and at specific times
Can configure cache ageing timers to discard expired content (TTL value)
Can schedule pre-fetched content
VPN Concentrator
Network device that provides remote access for VPNs
Allowing for high throughput and encryption
It’s a dedicated device enabling servers to not be directly exposed to the internet
Point to Point VPN
When a single user wants to connect
Site to site VPN
Is when you want a persistent connection between HQ and branch offices
VPN concentrator typical use
Site to site architecture
Establishes tunnels
Authenticates users
Assigns IP addresses to users
Encrypts and decrypts data (offloads this work from internal resources)
Ensures data delivery
Encryption accomplished using
1/ Internet Protocol Security (IPSec) and
2/ Secure Socket Layer (SSL)
VPN concentrator Authentication
Uses
Active Directory
Kerberos (used to authenticate AD users)
Digital certificates
Remote Authentication Dial In User Service (RADIUS)
AAA services for remote access
Authentication (Kerberos)
Authorisation
Accounting which keeps track of users and what they have done while logged in.
RADIUS
Remote Authentication Dial In User Service
802.1X standard
Based on AAA protocol for remote connections
Controls authentication requests
A network access server forwards requests to the RADIUS server which handles authentication
Widely used for VPNs, Access Points, Remote Access
- RADIUS only encrypts passwords; the username is in clear text
- Only need to configure one policy to apply to all users
TACACS+
Terminal Access Controller Access Control System
Cisco-developed AAA protocol
Not only supported by Cisco products
Encrypts all information between clients and server
UTM
Unified Threat Management
All in one security device, designed to replace a typical firewall
Consolidates many security services into one device
UTM Provides
Network firewall
Intrusion detection
Antivirus and anti-spyware
VPN
Load balancing
Content filtering
Enterprise UTMs provide
Identity-based access control
QoS
SSL and SSH inspection
Network Intrusion prevention
UTM advantage and disadvantage
Reduces complexity
Becomes a single point of failure
NGFW
Next Generation Firewall
Can be hardware or software based
It detects and prevents network attacks through use of
- Security policy
- Ports and protocols
- operates through multiple OSI layers (up to application layer)
NGFW capabilities
1/ URL Filtering
Can categorise websites to allow or block
Enables filtering at specific times or days
Suitable as a proxy-server URL filter
2/ implement app visibility and control
Detects every app on the network in real time
Optimises bandwidth using app awareness to allow or restrict
3/Monitor App Performance
4/Improve Security
5/ Identity Awareness
Enforce policy for users and groups
6/Implementation
Can be hard coded into firewall and block malicious activity by monitoring the network
7/IPS integration
Monitors and blocks malicious activity and can employ prevention by
- Alerts and notification
- Drop malicious packets
- block source traffic
- reset connections
8/ Malware monitoring
Inspects incoming traffic and blocks outgoing communication.
VoIP Gateway
Uses internet to transmit voice
Converts voice calls between the Public Switched Telephone Network (PSTN) and the IP network
Gateway not required for internal calls
VoIP Gateway Characteristics
Voice and fax compression and decompression
Packetising for IP call routing
Control signalling
Billing system
Network management system
Content filter
Screens and excludes internet content
Implemented using character strings and preset thresholds which can be modified