Router
- Routers are “network traffic management devices used to connect different network segments together.”
- Routers are located at gateways where two or more networks connect. They look at each packet and its destination address, and then determine optimal paths across a network.
Switch
- Routers operate at the network layer (layer 3) of the OSI model. Switches operate at the data link layer (layer 2). Switches connect together devices on a network.
Note: They pose a security risk because access means that an attacker can eavesdrop on all communications. Similar to routers, switches also have insecure methods of access (notably Telnet or older versions of SNMP, use SNMPv3 instead).
Access Control lists (ACL)
Routers use access control lists (ACL) to determine if a packet should be allowed to enter a network, based on its source address.
Anti-Spoofing
Routers have insight into expected source IP addresses, so they can check the stated source IP address, which might be spoofed.
Port Security
- As switches move packets from inbound connections to outbound connections, it’s possible for them to inspect the packet headers.
- Port security means that switches can control which devices connect on each port via allowed MAC addresses (still, they can be spoofed).
Loop Prevention
Switches use Open Shortest Path First (OSPF) to route traffic and the Spanning Tree Protocol (STP) to avoid loops.
Flood Guard
Switches also commonly have flood guards to protect against flooding attacks.
Proxy
Proxy servers are a way of filtering traffic and can be used to further the security goals of an organization. A proxy intercepts requests from a client and either forwards them to their intended destination.
Forward and reverse proxy
- Proxies can be forward, meaning that they intercept a request and then forward them to the destination.
- They can be reverse, meaning that they’re installed on the server-side of a connection and intercept incoming requests.
Anonymizing Proxies
Anonymizing proxies hide information about the client making the request.
Load Balancer
Load balancers move loads across several resources. This helps to avoid overloading a server and helps increase fault tolerance. Load balancing is easiest in stateless systems.
Affinity Based Load Balancer
This means a host connects to the same server across a given session.
Round-robin Load Balancer
This means that each new request goes to a new server in rotation.
Active-passive Load Balancer
Load balancers can be active-passive, meaning that one system is balancing everything.
Access Point (AP)
Wireless access points (APs) are “the point of entry and exit for radio-based network signals into and out of a network.”
Active-active Load Balancer
Active-active means that all the load balancers are active at once.
SSID
- An SSID is a service set identifier. This is a unique identifier for a network, at most 32 characters.
- When a client wants to join the network, they have to perform a handshake to associate with an AP.
MAC Filtering
AP:s can use MAC filtering for handshake.
Signal Strength
The transmitting power of the AP, as well as the physical environment can play a role in signal strength.
Band Selection/Width
Capacity of the AP.
Fat/Thin Access Point
- Access points can be “fat” (standalone) or “thin” (controller-based).
- Standalone often includes encryption, authentication and channel management capabilities. Controller-based makes it easier to have centralized management.
Border Gateway Protocol (BGP)
BGP makes the internet work. This routing protocol controls how packets pass through routers in an autonomous system (AS) – one or multiple networks run by a single organization or provider – and connect to different networks.
Adress Resolution Protocol (ARP)
ARP translates IP addresses to MAC addresses and vice versa so LAN endpoints can communicate with one another.
Domain name system (DNS)
DNS is a database that includes a website’s domain name and its corresponding IP addresses.
