Install and configure network components,both hardware and software-based, to support organizational security
- Load Balancer
- NIDS / NIPS
- VPN Concentrator
- Wireless Access Points
- SSL / TLS accelerators
- Mail / Media Gateway
- Hardware Security Models
- Connects computer networks
- Operate at Layer 3 (Network Layer)
- Stores information about network destinations (routing table)
- Border Router. Outside connection of a LAN to a WAN
- Access Control Lists (ACLs): Filtering packets by source address, destination address, protocol, or port
- Zones: Segmenting networks based on functionality or security
- Antispoofing: Creating a set of access lists that deny access to private IP addresses and local host ranges from the Internet
- Connects devices with a computer network by using packet switching to receive, process, and forward data to the destination device.
- Either Layer 2 (the data link layer) or Layer 3 (the network layer)
Packet-forwarding decisions are based on Media Access Control (MAC) addresses
- Virtual LANs (VLANs): Segment networks & limit broadcast traffic
- Port security: Layer 2 feature
- Enable/disable individual switch ports based on MAC address
- Can take one of the following actions when detecting a violation
o Default shutdown mode
o Protect mode
o Restrict mode
Port security is vulnerable to MAC address spoofing
- Loop Prevention
- When data units can travel from a first LAN segment to a second LAN segment through more than one path. (Can happen on switches or bridges)
- Solution: Spanning Tree Protocol (STP), a link-management protocol that provides path redundancy while preventing undesirable loops in the network
- Flood Guard : Detect and prevent malicious traffic – normally associated with DOS attacks.
- Connect two different physical networks
- Layer 2 (data link)
- Replaced by switches
- Bridge Loops (like switch loops)
Network Address Translation(NAT)
Common problem that faced is running IPv4 addresses. The solution is NAT.
A method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device
Also provides a security for hiding internal IP addresses from external access.
- Boundary device between internal & external networks
- Any device that acts on behalf of other(s) Provide security, logging, and caching
- Proxy Server: Blocks known malicious websites
- Forward proxy: Retrieves data on behalf of a client
- Reverse proxy: Protects access to a server on the internal network
- Transparent proxy (aka intercepting, inline, or forced proxy): A caching server that redirects client requests without modifying them to reduce bandwidth usage.
Shifting burden from one device to another.
o Reduces the response time,
o Maximizes throughput and
o Allows better allocation of resource
Scheduling: distributing load
o Round-robin — taking turns using a circular pattern
o Affinity (aka sticky session) — Requests sent to a specific application
o Least connections
Active/active: Servers work together
Active/passive: all traffic is sent to the active server
Virtual IPs (VIPs): At least one physical server assigned, but more than one virtual IP address assigned
- Typically Wireless (WAP)
- Layer 2 (the data link layer) of the OSI model
- Can operate as a bridge connecting a standard wired network to wireless devices or as a router passing data transmissions from one access point to another.
- Consist of a transmitter and receiver (transceiver) device used to create a wireless LAN (WLAN).
- A centralized access controller (AC) is capable of providing management, configuration, encryption, and policy settings for WLAN access points.
- Fat — intelligent access points
- Fit — scaled fat
- Thin — intelligent antennas (only transmit/receive)
- Controller-based vs. standalone
AP- Wireless Management Security
- SSID (Service Set Identifier)
- MAC filtering
- Signal strength
- Band selection/width
- Antenna types and placement