Notes Class 7

The document provides an overview of network infrastructure, focusing on communication devices such as end devices, routers, and switches. It explains the functions of routers in packet forwarding, the role of VLANs in network segmentation, and the importance of protocols like STP for maintaining network reliability. Additionally, it contrasts wired and wireless LANs, highlighting the differences in connectivity and device management.

Uploaded by Chinonyerem Ugwu

Notes

Class 7 – Network Infrastructure

Network Communication Devices


The network infrastructure defines the way in which devices are connected together to
achieve end-to-end communications. Just as there are many sizes of networks, there are
also many ways to build an infrastructure. However, there are some standard designs
that the network industry recommends to achieve networks that are available and secure.
This module covers the basic operation of network infrastructures, including wired and
wireless networks.

Network Communication Devices

End Devices

The network devices that people are most familiar with are end devices. To
distinguish one end device from another, each end device on a network has an
address. When an end device initiates communication, it uses the address of the
destination end device to specify where to deliver the message.

An end device is either the source or destination of a message transmitted over
the network.

Check the video in the PPT file to see an animation of data flowing through a
network.

Watch the video in the PPT file to learn more about end devices.

Routers

Routers are devices that operate at the OSI network layer (Layer 3). Routers are
used to interconnect remote sites. They use the process of routing to forward data
packets between networks. The routing process uses network routing tables,
protocols, and algorithms to determine the most efficient path for forwarding an IP
packet. Routers gather routing information and update other routers about
changes in the network. Routers increase the scalability of networks by
segmenting broadcast domains.

Routers have two primary functions: path determination and packet forwarding. To
perform path determination, each router builds and maintains a routing table which
is a database of known networks and how to reach them. The routing table can be
built manually and contain static routes or can be built using a dynamic routing
protocol.

Canadian College of Technology & Business (CCTB) www.canadianctb.ca

Packet forwarding is accomplished by using a switching function. Switching is the
process used by a router to accept a packet on one interface and forward it out of
another interface. A primary responsibility of the switching function is to
encapsulate packets in the appropriate data link frame type for the outgoing data
link.

Check the video in the PPT file to see an animation of routers R1 and R2 receiving
a packet from one network and forwarding the packet toward the destination
network.

After the router has determined the exit interface using the path determination
function, the router must encapsulate the packet into the data link frame of the
outgoing interface.

What does a router do with a packet received from one network and destined for
another network? The router performs the following three major steps:

1. It de-encapsulates the Layer 2 frame header and trailer to expose the
Layer 3 packet.
2. It examines the destination IP address of the IP packet to find the best
path in the routing table.
3. If the router finds a path to the destination, it encapsulates the Layer 3
packet into a new Layer 2 frame and forwards that frame out the exit
interface.

Packet Forwarding Decision Process

Now that the router has determined the best path for a packet based on the longest
match, it must determine how to encapsulate the packet and forward it out the
correct egress interface.

Check the image in the PPT file to see how a router determines the best path
to use to forward a packet.

The following steps describe the packet forwarding process shown in the
mentioned image:



1. The data link frame with an encapsulated IP packet arrives on the ingress
interface.
2. The router examines the destination IP address in the packet header and
consults its IP routing table.
3. The router finds the longest matching prefix in the routing table.
4. The router encapsulates the packet in a data link frame and forwards it out
the egress interface. The destination could be a device connected to the
network or a next-hop router.
5. However, if there is no matching route entry the packet is dropped.
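As an added illustration (not part of the notes), the following Python implements the longest-match lookup and forwarding decision from the five steps above over a constructed routing table; the prefixes, next hops and interface names are made up for the example, and the same code works unchanged for IPv6 prefixes.

```python
import ipaddress

# Constructed routing table for this example (not from the notes).
# Each row: (destination prefix, next hop or None when directly connected, exit interface)
ROUTING_TABLE = [
    ("10.0.0.0/8",     "10.1.1.2", "Gi0/1"),   # remote network learned via a routing protocol
    ("10.20.0.0/16",   "10.1.1.3", "Gi0/1"),   # more specific remote network
    ("10.20.30.0/24",  None,       "Gi0/2"),   # directly connected
    ("192.168.5.0/24", None,       "Gi0/3"),   # directly connected
]
DEFAULT_ROUTE = ("0.0.0.0/0", "203.0.113.1", "Gi0/0")   # constructed ISP-facing default route


def parse_table(rows):
    """Turn the text rows into ip_network objects so containment checks are cheap."""
    return [(ipaddress.ip_network(prefix), next_hop, iface) for prefix, next_hop, iface in rows]


def lookup(table, dst):
    """Step 3 of the notes: return the entry with the longest prefix that contains dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in table:
        if net.version != dst.version or dst not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, next_hop, iface)
    return best


def forward(table, dst):
    """Steps 2 to 5: decide the egress interface and next hop, or drop the packet."""
    match = lookup(table, dst)
    if match is None:
        return {"action": "drop", "reason": "no matching route"}
    net, next_hop, iface = match
    # On a directly connected network the Layer 2 frame is addressed to the destination
    # host itself; otherwise it goes to the next-hop router out the egress interface.
    return {
        "action": "forward",
        "route": str(net),
        "egress": iface,
        "next_hop": dst if next_hop is None else next_hop,
    }


if __name__ == "__main__":
    table = parse_table(ROUTING_TABLE)
    for dst in ("10.20.30.7", "10.20.99.1", "10.5.5.5", "172.16.0.1"):
        print(dst, forward(table, dst))
    # Adding a default route turns the drop into a forward toward the ISP
    print("172.16.0.1", forward(parse_table(ROUTING_TABLE + [DEFAULT_ROUTE]), "172.16.0.1"))
```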

Routing Information

The routing table of a router stores the following information:

• Directly connected routes - These routes come from the active router
interfaces. Routers add a directly connected route when an interface is
configured with an IP address and is activated.
• Remote routes - These are remote networks connected to other routers.
Routes to these networks can either be statically configured or dynamically
learned through dynamic routing protocols.

Specifically, a routing table is a data file in RAM that is used to store route
information about directly connected and remote networks. The routing table
contains network or next hop associations. These associations tell a router that a
particular destination can be optimally reached by sending the packet to a specific
router that represents the next hop on the way to the final destination. The next
hop association can also be the outgoing or exit interface to the next destination.

The destination network entries in the routing table can be added in several ways:

• Local Route interfaces – These are added when an interface is configured
and active. This entry is only displayed in IOS 15 or newer for IPv4 routes,
and all IOS releases for IPv6 routes.
• Directly connected interfaces – These are added to the routing table
when an interface is configured and active.
• Static routes – These are added when a route is manually configured and
the exit interface is active.
• Dynamic routing protocol – This is added when routing protocols that
dynamically learn about the network, such as EIGRP or OSPF, are
implemented and networks are identified.

Dynamic routing protocols exchange network reachability information between
routers and dynamically adapt to network changes. Each routing protocol uses
routing algorithms to determine the best paths between different segments in the
network, and updates routing tables with these paths.

Dynamic routing protocols have been used in networks since the late 1980s. One
of the first routing protocols was RIP. RIPv1 was released in 1988. As networks
evolved and became more complex, new routing protocols emerged. The RIP
protocol was updated to RIPv2 to accommodate growth in the network
environment. However, RIPv2 still does not scale to the larger network
implementations of today. To address the needs of larger networks, two advanced
routing protocols were developed: Open Shortest Path First (OSPF) and
Intermediate System-to-Intermediate System (IS-IS). Cisco developed the Interior
Gateway Routing Protocol (IGRP) and Enhanced IGRP (EIGRP), which also
scales well in larger network implementations.

Additionally, there was the need to connect different internetworks and provide
routing between them. The Border Gateway Protocol (BGP) is now used between
Internet Service Providers (ISPs). BGP is also used between ISPs and their larger
private clients to exchange routing information.

Table 1 classifies the protocols. Routers configured with these protocols will
periodically send messages to other routers. As a cybersecurity analyst, you will
see these messages in various logs and packet captures.

Protocol   Interior Gateway Protocols                            Exterior Gateway Protocols
           Distance Vector          Link State                   Path Vector
IPv4       RIPv2    EIGRP           OSPFv2    IS-IS              BGP-4
IPv6       RIPng    EIGRP for IPv6  OSPFv3    IS-IS for IPv6     BGP-MP

Table 1: Routing protocols

Watch the video in the PPT file to learn about static and dynamic routing.

Hubs, Bridges, LAN Switches

An Ethernet hub acts as a multiport repeater that receives an incoming electrical
signal (data) on a port. It then immediately forwards a regenerated signal out all
other ports. Hubs use physical layer processing to forward data. They do not look
at the source and destination MAC address of the Ethernet frame. Hubs connect
the network into a star topology with the hub as the central connection point. When
two or more end devices connected to a hub send data at the same time, an
electrical collision takes place, corrupting the signals. All devices connected to a
hub belong to the same collision domain. Only one device can transmit traffic at
any given time on a collision domain. If a collision does occur, end devices use
CSMA/CD logic to avoid transmission until the network is clear of traffic. Due to
the low cost and superiority of Ethernet switching, hubs are seldom used today.

Bridges have two interfaces and are connected between hubs to divide the network
into multiple collision domains. Each collision domain can have only one sender at
a time. Collisions are isolated by the bridge to a single segment and do not impact
devices on other segments. Just like a switch, a bridge makes forwarding decisions
based on Ethernet MAC addresses. Bridges are seldom used in modern networks.

LAN switches are essentially multiport bridges that connect devices into a star
topology. Like bridges, switches segment a LAN into separate collision domains,
one for each switch port. A switch makes forwarding decisions based on Ethernet
MAC addresses. The figure shows the Cisco series of 2960-X switches that are
commonly used to connect end devices on a LAN.

Switching Operation

Switches use MAC addresses to direct network communications through the
switch, to the appropriate port, and toward the destination. A switch is made up of
integrated circuits and the accompanying software that controls the data paths
through the switch. For a switch to know which port to use to transmit a frame, it
must first learn which devices exist on each port. As the switch learns the
relationship of ports to devices, it builds a table called a MAC address table, or
content addressable memory (CAM) table. CAM is a special type of memory used
in high-speed searching applications.

LAN switches determine how to handle incoming data frames by maintaining the
MAC address table. A switch builds its MAC address table by recording the MAC
address of each device that is connected to each of its ports. The switch uses the
information in the MAC address table to send frames destined for a specific device
out of the port to which the device is connected.

The following two-step process is performed on every Ethernet frame that enters
a switch.

1. Learn – Examining the Source MAC Address

Every frame that enters a switch is checked for new MAC address information that
may need to be learned. It does this by examining the frame’s source MAC address
and the port number where the frame entered the switch. If the source MAC
address is not in the table, it is added to the MAC address table along with the
incoming port number, as shown in the figure. If the source MAC address does
exist in the table, the switch updates the refresh timer for that entry. By default,
most Ethernet switches keep an entry in the table for five minutes.

2. Forward – Examining the Destination MAC Address

If the destination MAC address is a unicast address, the switch will look for a match
between the destination MAC address of the frame and an entry in its MAC
address table. If the destination MAC address is in the table, it will forward the
frame out the specified port. If the destination MAC address is not in the table, the
switch will forward the frame out all ports except the incoming port, as shown in
the figure. This is called an unknown unicast.

A switch can have multiple MAC addresses associated with a single port. This is
common when the switch is connected to another switch. The switch will have a
separate MAC address table entry for each frame received with a different source
MAC address.

Watch the video in the PPT file to see a demonstration of how two connected
switches build their MAC address tables.

VLANs

Within a switched internetwork, VLANs provide segmentation and organizational
flexibility. VLANs provide a way to group devices within a LAN. A group of devices
within a VLAN communicate as if they were connected to the same network
segment. VLANs are based on logical connections, instead of physical
connections.

VLANs allow an administrator to segment networks based on factors such as
function, project team, or application, without regard for the physical location of the
user or device. Devices within a VLAN act as if they are in their own independent
network, even if they share a common infrastructure with other VLANs. Any switch
port can belong to a VLAN. Unicast, broadcast, and multicast packets are
forwarded and flooded only to end devices within the VLAN where the packets are
sourced. Each VLAN is considered a separate logical network. Packets destined
for devices that do not belong to the VLAN must be forwarded through a device
that supports routing.



A VLAN creates a logical broadcast domain that can span multiple physical LAN
segments. VLANs improve network performance by separating large broadcast
domains into smaller ones. If a device in one VLAN sends a broadcast Ethernet
frame, all devices in the VLAN receive the frame, but devices in other VLANs do
not.

VLANs also prevent users on different VLANs from snooping on each other’s
traffic. For example, even though HR and Sales are connected to the same switch
in the figure, the switch will not forward traffic between the HR and Sales VLANs.
This allows a router or another device to use access control lists to permit or deny
the traffic. Access lists are discussed in more detail later in the chapter. For now,
just remember that VLANs can help limit the amount of data visibility on your LANs.
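The learn/forward process from the Switching Operation section and the VLAN separation described here, combined in one added Python simulation that is not from the notes: a switch with constructed access-port VLAN assignments keeps its MAC table per VLAN, floods unknown unicast and broadcast frames only within the ingress VLAN, and ages entries out after the five-minute default. Port names and MAC addresses are made up.

```python
import time

AGING_SECONDS = 300          # the notes' default of five minutes per MAC table entry
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac):
    """Group bit (least significant bit of the first octet) set -> multicast or broadcast."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Switch:
    def __init__(self, access_ports):
        # access_ports: {port name: VLAN id} - constructed configuration
        self.ports = access_ports
        # MAC address (CAM) table: (vlan, mac) -> (port, last seen timestamp)
        self.mac_table = {}

    def _age_out(self, now):
        stale = [key for key, (_, seen) in self.mac_table.items() if now - seen > AGING_SECONDS]
        for key in stale:
            del self.mac_table[key]

    def _flood(self, vlan, in_port):
        # Flood only to ports in the same VLAN, never back out the ingress port
        return sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)

    def receive(self, in_port, src, dst, now=None):
        """Return the list of egress ports for a frame entering on in_port."""
        now = time.time() if now is None else now
        vlan = self.ports[in_port]
        self._age_out(now)
        # 1. Learn: record (or refresh) the source MAC against the ingress port
        self.mac_table[(vlan, src)] = (in_port, now)
        # 2. Forward: broadcast/multicast and unknown unicast are flooded within the VLAN
        if is_multicast(dst):
            return self._flood(vlan, in_port)
        entry = self.mac_table.get((vlan, dst))
        if entry is None:
            return self._flood(vlan, in_port)            # unknown unicast
        out_port, _ = entry
        return [] if out_port == in_port else [out_port]  # same port: nothing to forward


def demo():
    """HR on VLAN 10 (Fa0/1, Fa0/2, Fa0/5) and Sales on VLAN 20 (Fa0/3, Fa0/4)."""
    sw = Switch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/5": 10, "Fa0/3": 20, "Fa0/4": 20})
    hr_a, hr_b, sales_c = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    t = 1_000.0
    return {
        # A -> B before B is learned: unknown unicast, flooded to the other HR ports only
        "unknown_unicast": sw.receive("Fa0/1", hr_a, hr_b, t),
        # B replies: A is known, so the frame goes out Fa0/1 only
        "known_unicast": sw.receive("Fa0/2", hr_b, hr_a, t + 1),
        # A Sales broadcast never reaches the HR VLAN
        "sales_broadcast": sw.receive("Fa0/3", sales_c, BROADCAST, t + 2),
        # After A's entry ages out, B's next frame to A is flooded again
        "after_aging": sw.receive("Fa0/2", hr_b, hr_a, t + 1 + AGING_SECONDS + 1),
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: {ports}")
```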

STP

Network redundancy is a key to maintaining network reliability. Multiple physical
links between devices provide redundant paths. The network can then continue to
operate when a single link or port has failed. Redundant links can also share the
traffic load and increase capacity.

Multiple paths need to be managed so that Layer 2 loops are not created. The best
paths are chosen, and an alternate path is immediately available should a primary
path fail. The Spanning Tree Protocol is used to maintain one loop-free path in the
Layer 2 network, at any time.

Redundancy increases the availability of the network topology by protecting the
network from a single point of failure, such as a failed network cable or switch.
When physical redundancy is introduced into a design, loops and duplicate frames
occur. Loops and duplicate frames have severe consequences for a switched
network. STP was developed to address these issues.

STP ensures that there is only one logical path between all destinations on the
network by intentionally blocking redundant paths that could cause a loop. A port
is considered blocked when user data is prevented from entering or leaving that
port. This does not include bridge protocol data unit (BPDU) frames that are used
by STP to prevent loops. Blocking the redundant paths is critical to preventing
loops on the network. The physical paths still exist to provide redundancy, but
these paths are disabled to prevent the loops from occurring. If the path is ever
needed to compensate for a network cable or switch failure, STP recalculates the
paths and unblocks the necessary ports to allow the redundant path to become
active.
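An added example (not from the notes) of the port-role calculation STP performs on a constructed four-switch topology with redundant links: the lowest bridge ID becomes root, each other switch picks the cheapest port toward the root, each link keeps one designated port, and every remaining port is blocked. Bridge IDs, port names and costs are assumptions.

```python
import heapq

# Constructed topology (not from the notes). Bridge ID = (priority, MAC); the lowest wins.
BRIDGES = {
    "S1": (4096, "00:00:00:00:00:01"),    # lowest priority, so S1 becomes the root bridge
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (32768, "00:00:00:00:00:03"),
    "S4": (32768, "00:00:00:00:00:04"),
}
# Links: (bridge A, port on A, bridge B, port on B, port cost). S1-S2-S3 form a triangle and
# S4 hangs off both S2 and S3, so the physical topology contains loops.
LINKS = [
    ("S1", "Gi0/1", "S2", "Gi0/1", 4),
    ("S1", "Gi0/2", "S3", "Gi0/1", 4),
    ("S2", "Gi0/2", "S3", "Gi0/2", 4),
    ("S2", "Gi0/3", "S4", "Gi0/1", 19),
    ("S3", "Gi0/3", "S4", "Gi0/2", 19),
]


def adjacency(links):
    """bridge -> [(neighbor, own port, neighbor's port, cost)]"""
    adj = {}
    for a, pa, b, pb, cost in links:
        adj.setdefault(a, []).append((b, pa, pb, cost))
        adj.setdefault(b, []).append((a, pb, pa, cost))
    return adj


def root_path_costs(root, adj):
    """Dijkstra from the root: the cheapest total port cost from each bridge back to the root."""
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        c, bridge = heapq.heappop(heap)
        if c > cost[bridge]:
            continue
        for neighbor, _, _, link_cost in adj.get(bridge, []):
            if c + link_cost < cost.get(neighbor, float("inf")):
                cost[neighbor] = c + link_cost
                heapq.heappush(heap, (c + link_cost, neighbor))
    return cost


def spanning_tree(bridges, links):
    """Return (root bridge, {(bridge, port): 'root' | 'designated' | 'blocked'})."""
    adj = adjacency(links)
    root = min(bridges, key=bridges.get)            # root bridge election: lowest bridge ID
    cost = root_path_costs(root, adj)
    roles = {}
    # Root port: on every non-root bridge, the port with the lowest root path cost;
    # ties go to the neighbor with the lower bridge ID, then its lower port ID
    for bridge in bridges:
        if bridge == root:
            continue
        neighbor, own_port, _, _ = min(
            adj[bridge], key=lambda e: (cost[e[0]] + e[3], bridges[e[0]], e[2]))
        roles[(bridge, own_port)] = "root"
    # Designated port: on every link, the end whose bridge has the lower (root path cost,
    # bridge ID). The other end is blocked unless it is already that bridge's root port.
    for a, pa, b, pb, _ in links:
        winner = min((a, pa), (b, pb), key=lambda e: (cost[e[0]], bridges[e[0]]))
        loser = (b, pb) if winner == (a, pa) else (a, pa)
        roles.setdefault(winner, "designated")
        roles.setdefault(loser, "blocked")
    return root, roles


def active_links(links, roles):
    """Links on which neither end is blocked: these form the single loop-free tree."""
    return [l for l in links if "blocked" not in (roles[(l[0], l[1])], roles[(l[2], l[3])])]


if __name__ == "__main__":
    root, roles = spanning_tree(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
    print("active links:", len(active_links(LINKS, roles)), "of", len(LINKS))
```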

Wireless Communications

Watch the video in the PPT file to learn about Wireless LAN (WLAN) operation.



Wireless versus Wired LANs

WLANs use Radio Frequencies (RF) instead of cables at the physical layer and
MAC sublayer of the data link layer. WLANs share a similar origin with Ethernet
LANs. The IEEE has adopted the 802 LAN/MAN portfolio of computer network
architecture standards. The two dominant 802 working groups are 802.3 Ethernet,
which defined Ethernet for wired LANs, and 802.11 which defined Ethernet for
WLANs. There are important differences between the two.

WLANs also differ from wired LANs as follows:

• WLANs connect clients to the network through a wireless access point (AP)
or wireless router, instead of an Ethernet switch.
• WLANs connect mobile devices that are often battery powered, as opposed
to plugged-in LAN devices. Wireless NICs tend to reduce the battery life of
a mobile device.
• WLANs support hosts that contend for access on the RF media (frequency
bands). 802.11 prescribes collision-avoidance (CSMA/CA) instead of
collision-detection (CSMA/CD) for media access to proactively avoid
collisions within the media.
• WLANs use a different frame format than wired Ethernet LANs. WLANs
require additional information in the Layer 2 header of the frame.
• WLANs raise more privacy issues because radio frequencies can reach
outside the facility.

Frame Structure

The 802.11 frame format is similar to the Ethernet frame format, except that it
contains more fields.

All 802.11 wireless frames contain the following fields:

• Frame Control - This identifies the type of wireless frame and contains
subfields for protocol version, frame type, address type, power
management, and security settings.
• Duration - This is typically used to indicate the remaining duration needed
to receive the next frame transmission.
• Address1 - This usually contains the MAC address of the receiving wireless
device or AP.



• Address2 - This usually contains the MAC address of the transmitting
wireless device or AP.
• Address3 - This sometimes contains the MAC address of the destination,
such as the router interface (default gateway) to which the AP is attached.
• Sequence Control - This contains information to control sequencing and
fragmented frames.
• Address4 - This is usually missing because it is used only in ad hoc mode.
• Payload - This contains the data for transmission.
• FCS - This is used for Layer 2 error control.
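An added Python parser (not from the notes) for the header fields listed above, run on constructed frames rather than captured traffic; the MAC addresses are made up. It also makes explicit two details the list leaves implicit: Address4 is only carried when both the To DS and From DS bits of Frame Control are set, and the FCS is a CRC-32 that a receiver can verify.

```python
import struct
import zlib

FRAME_TYPES = {0: "management", 1: "control", 2: "data"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_80211(frame):
    """Parse the MAC header fields listed in the notes and verify the trailing FCS."""
    fc, duration = struct.unpack_from("<HH", frame, 0)   # 802.11 fields are little-endian
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    hdr = {
        "protocol_version": fc & 0x3,
        "type": FRAME_TYPES.get(ftype, "reserved"),
        "subtype": subtype,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "power_mgmt": bool(fc & 0x1000),
        "protected": bool(fc & 0x4000),      # the "security settings" bit: payload is encrypted
        "duration": duration,
    }
    off = 4
    for name in ("address1", "address2", "address3"):
        hdr[name] = mac_str(frame[off:off + 6])
        off += 6
    seq_ctrl = struct.unpack_from("<H", frame, off)[0]
    off += 2
    hdr["fragment"], hdr["sequence"] = seq_ctrl & 0xF, seq_ctrl >> 4
    # Address 4 exists only in 4-address frames (To DS and From DS both set)
    hdr["address4"] = None
    if to_ds and from_ds:
        hdr["address4"] = mac_str(frame[off:off + 6])
        off += 6
    # QoS data subtypes (high bit of the subtype field) carry a 2-byte QoS Control field
    if ftype == 2 and subtype & 0x8:
        hdr["qos_control"] = struct.unpack_from("<H", frame, off)[0]
        off += 2
    hdr["payload"] = frame[off:-4]
    # FCS is CRC-32 over header and payload, transmitted least significant byte first
    hdr["fcs_ok"] = zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")
    return hdr


def build_frame(fc, duration, addresses, seq_ctrl, payload):
    """Construct a sample 802.11 frame with a valid FCS (test input, not captured traffic)."""
    body = struct.pack("<HH", fc, duration) + b"".join(mac_bytes(a) for a in addresses[:3])
    body += struct.pack("<H", seq_ctrl)
    if len(addresses) == 4:
        body += mac_bytes(addresses[3])
    body += payload
    return body + zlib.crc32(body).to_bytes(4, "little")


# Constructed addresses for the examples
CLIENT, AP = "02:00:00:00:00:01", "02:00:00:00:00:aa"
GATEWAY, PEER_AP = "02:00:00:00:00:fe", "02:00:00:00:00:bb"
# A client sending a data frame toward the AP (type=data, To DS=1): FC = 0x0108
SAMPLE_DATA = build_frame(0x0108, 44, [AP, CLIENT, GATEWAY], 5 << 4, b"hello")
# A 4-address frame between two APs (To DS=1 and From DS=1): FC = 0x0308
SAMPLE_WDS = build_frame(0x0308, 44, [PEER_AP, AP, GATEWAY, CLIENT], 6 << 4, b"bridge")

if __name__ == "__main__":
    for frame in (SAMPLE_DATA, SAMPLE_WDS):
        print(parse_80211(frame))
```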

CSMA/CA

WLANs are half-duplex, shared media configurations. Half-duplex means that only
one client can transmit or receive at any given moment. Shared media means that
wireless clients can all transmit and receive on the same radio channel. This creates
a problem because a wireless client cannot hear while it is sending, which makes it
impossible to detect a collision.

To resolve this problem, WLANs use carrier sense multiple access with collision
avoidance (CSMA/CA) as the method to determine how and when to send data on the
network. A wireless client does the following:

1. Listens to the channel to see if it is idle, which means that it senses no other
traffic is currently on the channel. The channel is also called the carrier.
2. Sends a ready to send (RTS) message to the AP to request dedicated access
to the network.
3. Receives a clear to send (CTS) message from the AP granting access to send.
4. If the wireless client does not receive a CTS message, it waits a random
amount of time before restarting the process.
5. After it receives the CTS, it transmits the data.
6. All transmissions are acknowledged. If a wireless client does not receive an
acknowledgment, it assumes a collision occurred and restarts the process.

Wireless Client and AP Association

For wireless devices to communicate over a network, they must first associate with an
AP or wireless router. An important part of the 802.11 process is discovering a WLAN
and subsequently connecting to it. Wireless devices complete the following three
stage process.

• Discover a wireless AP
• Authenticate with AP
• Associate with AP



In order to have a successful association, a wireless client and an AP must agree on
specific parameters. Parameters must then be configured on the AP and subsequently
on the client to enable the negotiation of a successful association.

• SSID - The SSID name appears in the list of available wireless networks on a
client. In larger organizations that use multiple VLANs to segment traffic, each
SSID is mapped to one VLAN. Depending on the network configuration, several
APs on a network can share a common SSID.
• Password - This is required from the wireless client to authenticate to the AP.
• Network mode - This refers to the 802.11a/b/g/n/ac/ad WLAN standards. APs
and wireless routers can operate in a Mixed mode meaning that they can
simultaneously support clients connecting via multiple standards.
• Security mode - This refers to the security parameter settings, such as WEP,
WPA, or WPA2. Always enable the highest security level supported.
• Channel settings - This refers to the frequency bands used to transmit
wireless data. Wireless routers and APs can scan the radio frequency channels
and automatically select an appropriate channel setting. The channel can also
be set manually if there is interference with another AP or wireless device.

Passive and Active Discovery Mode

Wireless devices must discover and connect to an AP or wireless router. Wireless
clients connect to the AP using a scanning (probing) process. This process can be
passive or active.

In passive mode, the AP openly advertises its service by periodically sending
broadcast beacon frames containing the SSID, supported standards, and security
settings. The primary purpose of the beacon is to allow wireless clients to learn which
networks and APs are available in a given area. This allows the wireless clients to
choose which network and AP to use.

In active mode, wireless clients must know the name of the SSID. The wireless client
initiates the process by broadcasting a probe request frame on multiple channels.
The probe request includes the SSID name and standards supported. APs
configured with the SSID will send a probe response that includes the SSID,
supported standards, and security settings. Active mode may be required if an AP or
wireless router is configured to not broadcast beacon frames.

A wireless client could also send a probe request without a SSID name to discover
nearby WLAN networks. APs configured to broadcast beacon frames would respond
to the wireless client with a probe response and provide the SSID name. APs with
the broadcast SSID feature disabled do not respond.

Wireless Devices - AP, LWAP, and WLC



A common wireless data implementation is enabling devices to connect wirelessly via
a LAN. In general, a wireless LAN requires wireless access points and clients that
have wireless NICs. Home and small business wireless routers integrate the functions
of a router, switch, and access point into one device. Note that in small networks, the
wireless router may be the only AP because only a small area requires wireless
coverage. In larger networks, there can be many APs.

All of the control and management functions of the APs on a network can be
centralized into a Wireless LAN Controller (WLC). When using a WLC, the APs no
longer act autonomously, but instead act as lightweight APs (LWAPs). LWAPs only
forward data between the wireless LAN and the WLC. All management functions, such
as defining SSIDs and authentication are conducted on the centralized WLC rather
than on each individual AP. A major benefit of centralizing the AP management
functions in the WLC is simplified configuration and monitoring of numerous access
points, among many other benefits.

Network Representations

Network Representations

Network architects and administrators must be able to show what their networks
will look like. They need to be able to easily see which components connect to
other components, where they will be located, and how they will be connected.
Diagrams of networks often use symbols to represent the different devices and
connections that make up a network.

Image shows symbols used in network diagrams. At the top are the following end
devices: desktop computer, laptop, printer, IP phone, wireless tablet, and
TelePresence endpoint. In the middle are the following intermediary devices:
wireless router, LAN switch, router, multilayer switch, and firewall appliance. At the
bottom are the following network media: blue waves depicting wireless media, a
solid black line depicting LAN media, and a red lighting bolt depicting WAN media.

A diagram provides an easy way to understand how devices connect in a large
network. This type of “picture” of a network is known as a topology diagram. The
ability to recognize the logical representations of the physical networking
components is critical to being able to visualize the organization and operation of
a network.

In addition to these representations, specialized terminology is used to describe
how each of these devices and media connect to each other:

• Network Interface Card (NIC) - A NIC physically connects the end device
to the network.



• Physical Port - A connector or outlet on a networking device where the
media connects to an end device or another networking device.
• Interface - Specialized ports on a networking device that connect to
individual networks. Because routers connect networks, the ports on a
router are referred to as network interfaces.

Note: The terms port and interface are often used interchangeably.

Topology Diagrams

Topology diagrams are mandatory documentation for anyone working with a
network. They provide a visual map of how the network is connected. There are
two types of topology diagrams: physical and logical.

Physical Topology Diagrams

Physical topology diagrams illustrate the physical location of intermediary
devices and cable installation. You can see that the rooms in which these
devices are located are labeled in this physical topology.

Logical Topology Diagrams

Logical topology diagrams illustrate devices, ports, and the addressing
scheme of the network. You can see which end devices are connected to
which intermediary devices and what media is being used.

The topologies shown in the physical and logical diagrams are appropriate for your
level of understanding at this point in the course. Search the internet for “network
topology diagrams” to see some more complex examples.

LANs and WANs

Network infrastructures vary greatly in terms of:

• Size of the area covered
• Number of users connected
• Number and types of services available
• Area of responsibility

The two most common types of network infrastructures are Local Area Networks
(LANs), and Wide Area Networks (WANs). A LAN is a network infrastructure that
provides access to users and end devices in a small geographical area. A LAN is
typically used in a department within an enterprise, a home, or a small business
network. A WAN is a network infrastructure that provides access to other networks



over a wide geographical area, which is typically owned and managed by a larger
corporation or a telecommunications service provider.

LANs

A LAN is a network infrastructure that spans a small geographical area. LANs have
specific characteristics:

• LANs interconnect end devices in a limited area such as a home, school,
office building, or campus.
• A LAN is usually administered by a single organization or individual.
Administrative control is enforced at the network level and governs the
security and access control policies.
• LANs provide high-speed bandwidth to internal end devices and
intermediary devices.

WANs

A WAN is a network infrastructure that spans a wide geographical area. WANs are
typically managed by service providers (SPs) or Internet Service Providers (ISPs).

WANs have specific characteristics:

• WANs interconnect LANs over wide geographical areas such as between cities,
states, provinces, countries, or continents.
• WANs are usually administered by multiple service providers.
• WANs typically provide slower speed links between LANs.

The Three-Layer Network Design Model

The campus wired LAN uses a hierarchical design model to separate the network
topology into modular groups or layers. Separating the design into layers allows
each layer to implement specific functions, which simplifies the network design.
This also simplifies the deployment and management of the network.

The campus wired LAN enables communications between devices in a building or
group of buildings, as well as interconnection to the WAN and Internet edge at the
network core.

Each layer is designed to meet specific functions.



The access layer provides endpoints and users direct access to the network. The
distribution layer aggregates access layers and provides connectivity to services.
Finally, the core layer provides connectivity between distribution layers for large
LAN environments. User traffic is initiated at the access layer and passes through
the other layers if the functionality of those layers is required.

Even though the hierarchical model has three layers, some smaller enterprise
networks may implement a two-tier hierarchical design. In a two-tier hierarchical
design, the core and distribution layers are collapsed into one layer, reducing cost
and complexity.

In flat or meshed network architectures, changes tend to affect a large number of
systems. Hierarchical design helps constrain operational changes to a subset of
the network, which makes it easy to manage as well as improve resiliency. Modular
structuring of the network into small, easy-to-understand elements also facilitates
resiliency through improved fault isolation.

Common Security Architectures

Firewall design is primarily about device interfaces permitting or denying traffic
based on the source, the destination, and the type of traffic. Some designs are as
simple as designating an outside network and inside network, which are
determined by two interfaces on a firewall.

Here are three common firewall designs.

The public network (or outside network) is untrusted, and the private network (or
inside network) is trusted.

Typically, a firewall with two interfaces is configured as follows:

• Traffic originating from the private network is permitted and inspected as it
travels toward the public network. Inspected traffic returning from the public
network and associated with traffic that originated from the private network
is permitted.
• Traffic originating from the public network and traveling to the private
network is generally blocked.

A demilitarized zone (DMZ) is a firewall design where there is typically one inside
interface connected to the private network, one outside interface connected to the
public network, and one DMZ interface.

• Traffic originating from the private network is inspected as it travels toward
the public or DMZ network. This traffic is permitted with little or no restriction.
Inspected traffic returning from the DMZ or public network to the private
network is permitted.
• Traffic originating from the DMZ network and traveling to the private network
is usually blocked.
• Traffic originating from the DMZ network and traveling to the public network
is selectively permitted based on service requirements.
• Traffic originating from the public network and traveling toward the DMZ is
selectively permitted and inspected. This type of traffic is typically email,
DNS, HTTP, or HTTPS traffic. Return traffic from the DMZ to the public
network is dynamically permitted.
• Traffic originating from the public network and traveling to the private
network is blocked.

Zone-based policy firewalls (ZPFs) use the concept of zones to provide
additional flexibility. A zone is a group of one or more interfaces that have similar
functions or features. Zones help you specify where a Cisco IOS firewall rule or
policy should be applied.
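The following is an added worked example, not code from the course notes or from any vendor product. It models the three-interface DMZ design above as a zone-pair policy with a stateful session table: a new session is decided by its source and destination zone, and return traffic is permitted only when it reverses a session the firewall already inspected. The zone names, the two service lists, the addresses and the default-deny for zone pairs not listed are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str   # zone of the ingress interface: "inside", "dmz" or "outside"
    dst_zone: str   # zone of the egress interface
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"

# Hypothetical service lists; a real policy derives these from what the DMZ hosts.
DMZ_PUBLIC_SERVICES = {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)}
DMZ_TO_OUTSIDE_SERVICES = {("tcp", 25), ("udp", 53)}

def _service_allowed(p, allowed):
    return (p.proto, p.dst_port) in allowed

# Zone-pair policy following the DMZ design: each rule says whether a packet may
# open a NEW session from the source zone to the destination zone. Pairs not
# listed (for example traffic within one zone) are denied, an assumption of this
# example rather than a statement from the notes.
ZONE_PAIR_POLICY = {
    ("inside", "outside"): lambda p: True,                                          # permitted, inspected
    ("inside", "dmz"):     lambda p: True,                                          # permitted, inspected
    ("dmz", "inside"):     lambda p: False,                                         # usually blocked
    ("dmz", "outside"):    lambda p: _service_allowed(p, DMZ_TO_OUTSIDE_SERVICES),  # selective
    ("outside", "dmz"):    lambda p: _service_allowed(p, DMZ_PUBLIC_SERVICES),      # selective, inspected
    ("outside", "inside"): lambda p: False,                                         # blocked
}

class ZoneFirewall:
    """Stateful three-interface firewall: inspected sessions are remembered so that
    their return traffic is permitted without needing a matching forward rule."""

    def __init__(self):
        self.sessions = set()   # 5-tuples (src_ip, src_port, dst_ip, dst_port, proto)

    def evaluate(self, p):
        # 1. Return traffic: the reverse 5-tuple of an inspected session is dynamically permitted.
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if reverse in self.sessions:
            return "permit-return"
        # 2. New session: the zone-pair policy decides; unknown pairs are denied.
        rule = ZONE_PAIR_POLICY.get((p.src_zone, p.dst_zone), lambda _p: False)
        if rule(p):
            self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
            return "permit"
        return "deny"

def run_demo():
    """Constructed traffic (private and documentation addresses) walked through the policy."""
    fw = ZoneFirewall()
    flows = [
        ("inside user browses the internet",
         Packet("inside", "outside", "10.1.1.5", 40000, "203.0.113.10", 443, "tcp")),
        ("reply to that session",
         Packet("outside", "inside", "203.0.113.10", 443, "10.1.1.5", 40000, "tcp")),
        ("unsolicited outside->inside",
         Packet("outside", "inside", "203.0.113.10", 443, "10.1.1.5", 40001, "tcp")),
        ("public client to DMZ web server",
         Packet("outside", "dmz", "198.51.100.7", 51000, "172.16.0.10", 80, "tcp")),
        ("public client to DMZ SSH",
         Packet("outside", "dmz", "198.51.100.7", 51001, "172.16.0.10", 22, "tcp")),
        ("DMZ host reaching into the private network",
         Packet("dmz", "inside", "172.16.0.10", 33000, "10.1.1.5", 445, "tcp")),
        ("DMZ mail relay sending outbound mail",
         Packet("dmz", "outside", "172.16.0.10", 33001, "203.0.113.25", 25, "tcp")),
    ]
    return [(label, fw.evaluate(pkt)) for label, pkt in flows]

if __name__ == "__main__":
    for label, decision in run_demo():
        print(f"{decision:14} {label}")
```

The session table is what makes the "dynamically permitted" return traffic in the design possible: the outside-to-inside reply is accepted only because the inside host opened the session first, while an otherwise identical packet to a different port is dropped.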

Network Security Infrastructure

Security Devices

Watch the video in the PPT file to learn more about security devices.

Firewall

A firewall is a system, or group of systems, that enforces an access control policy between
networks.

Watch the video in the PPT file to view a firewall in operation.

Properties

All firewalls share some common properties:

• Firewalls are resistant to network attacks.
• Firewalls are the only transit point between internal corporate
networks and external networks because all traffic flows through the
firewall.
• Firewalls enforce the access control policy.

Benefits

There are several benefits of using a firewall in a network:

• They prevent the exposure of sensitive hosts, resources, and
applications to untrusted users.
• They sanitize protocol flow, which prevents the exploitation of
protocol flaws.
• They block malicious data from servers and clients.
• They reduce security management complexity by off-loading most of
the network access control to a few firewalls in the network.

Limitations

Firewalls also have some limitations:

• A misconfigured firewall can have serious consequences for the
network, such as becoming a single point of failure.
• The data from many applications cannot be passed over firewalls
securely.
• Users might proactively search for ways around the firewall to
receive blocked material, which exposes the network to potential
attack.
• Network performance can slow down.
• Unauthorized traffic can be tunneled or hidden as legitimate traffic
through the firewall.

IDS & IPS

A networking architecture paradigm shift is required to defend against fast-moving
and evolving attacks. This must include cost-effective detection and prevention
systems, such as intrusion detection systems (IDS) or the more scalable intrusion
prevention systems (IPS). The network architecture integrates these solutions into
the entry and exit points of the network.

When implementing IDS or IPS, it is important to be familiar with the types of
systems available, host-based and network-based approaches, the placement of
these systems, the role of signature categories, and possible actions that a Cisco
IOS router can take when an attack is detected.

IDS and IPS technologies are both deployed as sensors. An IDS or IPS sensor
can be in the form of several different devices:

• A router configured with Cisco IOS IPS software
• A device specifically designed to provide dedicated IDS or IPS services
• A network module installed in an adaptive security appliance (ASA), switch,
or router

IDS and IPS technologies use signatures to detect patterns in network traffic. A
signature is a set of rules that an IDS or IPS uses to detect malicious activity.
Signatures can be used to detect severe breaches of security, to detect common
network attacks, and to gather information. IDS and IPS technologies can detect
atomic signature patterns (single-packet) or composite signature patterns (multi-
packet).
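An added example, not code from the notes or from any IDS/IPS product, showing the difference between atomic and composite signatures on constructed traffic: the two atomic signatures decide from one packet, while the composite signature keeps per-source state and fires only when several packets together form the pattern. Signature IDs, thresholds, the time window and the addresses are chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    flags: str = ""  # TCP flag letters, e.g. "S" (SYN), "SA" (SYN/ACK), "SF" (SYN+FIN)

@dataclass(frozen=True)
class Alert:
    sig_id: int
    name: str
    src: str

def _is_syn(p):
    return p.proto == "tcp" and "S" in p.flags and "A" not in p.flags

# Atomic signatures: each is decided from a single packet.
ATOMIC_SIGNATURES = [
    (1001, "TCP packet with both SYN and FIN set (invalid flag combination)",
     lambda p: p.proto == "tcp" and "S" in p.flags and "F" in p.flags),
    (1002, "Telnet connection attempt (cleartext protocol)",
     lambda p: _is_syn(p) and p.dst_port == 23),
]

class PortSweepSignature:
    """Composite signature: one source opening connections to THRESHOLD or more
    distinct destination ports within WINDOW seconds. State is kept per source
    and expired as time moves on, so the sensor does not grow without bound."""
    SIG_ID = 2001

    def __init__(self, threshold=5, window=2.0):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(list)   # src -> [(ts, dst_port), ...]
        self.fired = set()                  # sources already reported once

    def feed(self, p):
        if not _is_syn(p):
            return None
        recent = [(t, port) for t, port in self.history[p.src] if p.ts - t <= self.window]
        recent.append((p.ts, p.dst_port))
        self.history[p.src] = recent
        distinct_ports = {port for _, port in recent}
        if len(distinct_ports) >= self.threshold and p.src not in self.fired:
            self.fired.add(p.src)
            return Alert(self.SIG_ID, f"possible port sweep ({len(distinct_ports)} ports)", p.src)
        return None

class Sensor:
    def __init__(self):
        self.composites = [PortSweepSignature()]

    def inspect(self, p):
        """Run every signature over one packet; return the alerts it raised."""
        alerts = [Alert(sid, name, p.src) for sid, name, match in ATOMIC_SIGNATURES if match(p)]
        for sig in self.composites:
            alert = sig.feed(p)
            if alert is not None:
                alerts.append(alert)
        return alerts

def run_demo():
    """Constructed traffic: a normal HTTPS handshake, one malformed packet, then a sweep."""
    packets = [
        Packet(0.0, "10.0.0.5", "10.0.0.20", "tcp", 443, "S"),
        Packet(0.1, "10.0.0.20", "10.0.0.5", "tcp", 40000, "SA"),
        Packet(0.5, "198.51.100.7", "10.0.0.20", "tcp", 80, "SF"),
    ]
    packets += [Packet(1.0 + i * 0.1, "198.51.100.7", "10.0.0.20", "tcp", port, "S")
                for i, port in enumerate([21, 22, 23, 25, 110, 143])]
    sensor = Sensor()
    alerts = []
    for p in packets:
        alerts.extend(sensor.inspect(p))
    return alerts

if __name__ == "__main__":
    for a in run_demo():
        print(a.sig_id, a.src, a.name)
```

Note that the composite signature reports a source once and drops history outside its window; without both, a sensor on a busy link would alert repeatedly and hold state for every host it ever saw.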

Types of IPS

There are two primary kinds of IPS available: host-based IPS and network-
based IPS.

Host-based IPS

Host-based IPS (HIPS) is software installed on a host to monitor and
analyze suspicious activity. A significant advantage of HIPS is that it can
monitor and protect operating system and critical system processes that are
specific to that host. With detailed knowledge of the operating system, HIPS
can monitor abnormal activity and prevent the host from executing
commands that do not match typical behavior. This suspicious or malicious
behavior might include unauthorized registry updates, changes to the
system directory, executing installation programs, and activities that cause
buffer overflows. Network traffic can also be monitored to prevent the host
from participating in a denial-of-service (DoS) attack or being part of an illicit
FTP session.

HIPS can be thought of as a combination of antivirus software, antimalware
software, and a firewall. Combined with a network-based IPS, HIPS is an
effective tool in providing additional protection for the host.

A disadvantage of HIPS is that it operates only at a local level. It does not
have a complete view of the network, or coordinated events that might be
happening across the network. To be effective in a network, HIPS must be
installed on every host and have support for every operating system.

Network-based IPS

A network-based IPS can be implemented using a dedicated or non-
dedicated IPS device. Network-based IPS implementations are a critical
component of intrusion prevention. There are host-based IDS/IPS solutions,
but these must be integrated with a network-based IPS implementation to
ensure a robust security architecture.

Sensors detect malicious and unauthorized activity in real time and can take
action when required.

Security Devices

Watch the video in the PPT file to learn more about security services.

Traffic Control with ACLs

An Access Control List (ACL) is a series of commands that control whether a
device forwards or drops packets based on information found in the packet header.
When configured, ACLs perform the following tasks:

• They limit network traffic to increase network performance. For example, if
corporate policy does not allow video traffic on the network, ACLs that block
video traffic could be configured and applied. This would greatly reduce the
network load and increase network performance.
• They provide traffic flow control. ACLs can restrict the delivery of routing
updates to ensure that the updates are from a known source.
• They provide a basic level of security for network access. ACLs can allow
one host to access a part of the network and prevent another host from
accessing the same area. For example, access to the Human Resources
network can be restricted to authorized users.
• They filter traffic based on traffic type. For example, an ACL can permit
email traffic, but block all Telnet traffic.
• They screen hosts to permit or deny access to network services. ACLs can
permit or deny a user to access file types, such as FTP or HTTP.

In addition to either permitting or denying traffic, ACLs can be used for selecting
types of traffic to be analyzed, forwarded, or processed in other ways. For
example, ACLs can be used to classify traffic to enable priority processing. This
capability is similar to having a VIP pass at a concert or sporting event. The VIP
pass gives selected guests privileges not offered to general admission ticket
holders, such as priority entry or being able to enter a restricted area.
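An added example, not from the notes or from Cisco IOS itself, that parses a small subset of IOS extended ACL syntax (permit/deny, protocol, any/host/wildcard addresses, an eq destination port) and evaluates packets against it with the two properties that matter most in practice: the first matching entry wins, and an implicit deny applies when nothing matches. The policy lines and addresses are constructed for the example and mirror the cases in the list above (restricting the Human Resources network to an authorized host, permitting email, blocking Telnet).

```python
import ipaddress

def _parse_addr(tokens, i):
    """Consume an IOS address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
    Returns (network_int, mask_int, next_index). A wildcard bit of 1 means 'do not care',
    so the mask is the bitwise inverse of the wildcard."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = 0xFFFFFFFF ^ wildcard
    return addr & mask, mask, i + 2

def parse_ace(line):
    """Parse one access control entry: ACTION PROTO SRC DST [eq PORT].
    Only the destination-port 'eq' operator is handled (an assumption of this example)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src_net, src_mask, i = _parse_addr(tokens, 2)
    dst_net, dst_mask, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = int(tokens[i + 1])
    return {"action": action, "proto": proto, "src": (src_net, src_mask),
            "dst": (dst_net, dst_mask), "dport": dport, "text": line}

def parse_acl(lines):
    return [parse_ace(line) for line in lines]

def _addr_matches(ip, spec):
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == net

def evaluate_acl(acl, proto, src_ip, dst_ip, dst_port=None):
    """Walk the entries in order; the first match decides. If nothing matches, the
    implicit 'deny ip any any' at the end of every IOS ACL applies.
    Returns (action, 1-based entry number, or None for the implicit deny)."""
    for n, ace in enumerate(acl, start=1):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not _addr_matches(src_ip, ace["src"]) or not _addr_matches(dst_ip, ace["dst"]):
            continue
        if ace["dport"] is not None and ace["dport"] != dst_port:
            continue
        return ace["action"], n
    return "deny", None

# Constructed policy: one authorized host reaches the HR network (192.168.50.0/24) over
# HTTPS, nobody else reaches HR, email (TCP 25) is permitted, Telnet (TCP 23) is blocked,
# and everything else is allowed.
EXAMPLE_ACL = parse_acl([
    "permit tcp host 192.168.10.10 192.168.50.0 0.0.0.255 eq 443",
    "deny ip any 192.168.50.0 0.0.0.255",
    "permit tcp any any eq 25",
    "deny tcp any any eq 23",
    "permit ip any any",
])

if __name__ == "__main__":
    for pkt in [("tcp", "192.168.10.10", "192.168.50.7", 443),
                ("tcp", "192.168.10.11", "192.168.50.7", 443),
                ("tcp", "10.0.0.1", "203.0.113.5", 23)]:
        print(pkt, evaluate_acl(EXAMPLE_ACL, *pkt))
```

Entry order is the usual source of mistakes: placing "permit ip any any" first would match every packet and make the later deny entries unreachable, which is why the specific entries come before the general ones.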

SNMP

Simple Network Management Protocol (SNMP) allows administrators to manage
end devices such as servers, workstations, routers, switches, and security
appliances, on an IP network. It enables network administrators to monitor and
manage network performance, find and solve network problems, and plan for
network growth.

SNMP is an application layer protocol that provides a message format for
communication between managers and agents.

As shown in the figure, the SNMP system consists of two elements.

• SNMP manager that runs SNMP management software.
• SNMP agents which are the nodes being monitored and managed.

The Management Information Base (MIB) is a database on the agents that stores
data and operational statistics about the device.

To configure SNMP on a networking device, it is first necessary to define the
relationship between the manager and the agent.

The SNMP manager is part of a network management system (NMS). The SNMP
manager runs SNMP management software. The SNMP manager can collect
information from an SNMP agent by using the “get” action and can change
configurations on an agent by using the “set” action. In addition, SNMP agents can
forward information directly to a network manager by using “traps”.

NTP

It is important to synchronize the time across all devices on the network because
all aspects of managing, securing, troubleshooting, and planning networks require
accurate and consistent timestamping. When the time is not synchronized between
devices, it will be impossible to determine the order of the events that have
occurred in different parts of the network.

Typically, the date and time settings on a network device can be set using one of
two methods:

• Manual configuration of the date and time
• Configuring the Network Time Protocol (NTP)

As a network grows, it becomes difficult to ensure that all infrastructure devices
are operating with synchronized time. Even in a smaller network environment, the
manual method is not ideal. If a device reboots, how will it get an accurate date
and timestamp?

A better solution is to configure the NTP on the network. This protocol allows
routers on the network to synchronize their time settings with an NTP server. A
group of NTP clients that obtain time and date information from a single source
have more consistent time settings. When NTP is implemented in the network, it
can be set up to synchronize to a private primary clock or it can synchronize to a
publicly available NTP server on the Internet.

NTP networks use a hierarchical system of time sources. Each level in this
hierarchical system is called a stratum. The stratum level is defined as the number
of hop counts from the authoritative source. The synchronized time is distributed
across the network using NTP.

NTP servers are arranged in three levels known as strata:

• Stratum 0 - An NTP network gets the time from authoritative time sources.
These authoritative time sources, also referred to as stratum 0 devices, are
high-precision timekeeping devices assumed to be accurate and with little
or no delay associated with them.
• Stratum 1 - The stratum 1 devices are directly connected to the
authoritative time sources. They act as the primary network time standard.
• Stratum 2 and lower strata - The stratum 2 servers are connected to
stratum 1 devices through network connections. Stratum 2 devices, such as
NTP clients, synchronize their time using the NTP packets from stratum 1
servers. They could also act as servers for stratum 3 devices.

Smaller stratum numbers indicate that the server is closer to the authoritative time
source than larger stratum numbers. The larger the stratum number, the lower the
stratum level. The max hop count is 15. Stratum 16, the lowest stratum level,
indicates that a device is unsynchronized. Time servers on the same stratum level
can be configured to act as a peer with other time servers on the same stratum
level for backup or verification of time.
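An added example, not code from the notes or from any NTP implementation, that computes strata as hop counts from a stratum-0 reference over a constructed topology and reports stratum 16 for any device that is unreachable or more than 15 hops away. It also decodes the stratum field from a constructed NTP server reply (RFC 5905 header layout) so a client can tell whether the server is a usable source. Device names and the sample packet are constructed; peers at the same stratum are kept out of the synchronization edges because they do not lower each other's stratum.

```python
import struct
from collections import deque

MAX_STRATUM = 15          # deepest synchronized level (the 15-hop maximum)
UNSYNCHRONIZED = 16       # reported by a device with no valid time source

def assign_strata(reference_clocks, sync_edges):
    """Compute each device's stratum as its hop count from a stratum-0 reference clock.

    reference_clocks: names of stratum-0 devices (GPS or atomic clocks).
    sync_edges: dict server -> list of clients that take time from that server.
    A device that is never reached, or is more than MAX_STRATUM hops away, gets 16."""
    strata = {ref: 0 for ref in reference_clocks}
    queue = deque(reference_clocks)
    while queue:                       # breadth-first search: the shortest hop count wins
        server = queue.popleft()
        for client in sync_edges.get(server, []):
            if client not in strata:
                strata[client] = strata[server] + 1
                queue.append(client)
    devices = set(sync_edges) | {c for clients in sync_edges.values() for c in clients}
    for d in devices:
        if d not in strata or strata[d] > MAX_STRATUM:
            strata[d] = UNSYNCHRONIZED
    return strata

def unsynchronized_devices(strata):
    return sorted(d for d, s in strata.items() if s == UNSYNCHRONIZED)

def decode_ntp_header(data):
    """Decode the first four bytes of an NTP packet: byte 0 holds the leap indicator
    (2 bits), version (3 bits) and mode (3 bits); byte 1 is the server's stratum."""
    if len(data) < 48:
        raise ValueError("an NTP packet is at least 48 bytes")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBBb", data[:4])
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 0x7,
            "mode": li_vn_mode & 0x7, "stratum": stratum, "poll": poll, "precision": precision}

def client_stratum_from_reply(data):
    """Stratum a client would adopt after synchronizing to the server that sent this reply.
    On the wire, stratum 0 means 'unspecified' and 16 or more means the server itself is
    unsynchronized; neither is a usable source, so the client stays at 16."""
    server_stratum = decode_ntp_header(data)["stratum"]
    if server_stratum == 0 or server_stratum >= UNSYNCHRONIZED:
        return UNSYNCHRONIZED
    return min(server_stratum + 1, UNSYNCHRONIZED)

# Constructed stratum-2 server reply: LI=0, version 4, mode 4 (server), stratum 2,
# poll 6, precision -20, followed by 44 zero bytes for the timestamps.
SAMPLE_REPLY = bytes([0x24, 2, 6, 0xEC]) + bytes(44)

# Constructed campus topology: a GPS clock feeds one stratum-1 server, which feeds two
# stratum-2 servers that both serve the same client. "island" has no path to a reference.
SAMPLE_TOPOLOGY = {
    "gps-clock": ["ntp1"],
    "ntp1": ["ntp2a", "ntp2b"],
    "ntp2a": ["client1"],
    "ntp2b": ["client1"],
    "island": ["client2"],
}

if __name__ == "__main__":
    strata = assign_strata(["gps-clock"], SAMPLE_TOPOLOGY)
    print(strata, "unsynchronized:", unsynchronized_devices(strata))
    print(decode_ntp_header(SAMPLE_REPLY), "->", client_stratum_from_reply(SAMPLE_REPLY))
```

The two views agree with each other: a client that learns stratum 2 from its server's reply adopts stratum 3, exactly the hop count the topology computation assigns to client1.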

VPN

A VPN is a private network that is created over a public network, usually the
internet.

Instead of using a dedicated physical connection, a VPN uses virtual connections
that are routed through the internet from the organization to the remote site. The
first VPNs were strictly IP tunnels that did not include authentication or encryption
of the data. For example, Generic Routing Encapsulation (GRE) is a tunneling
protocol developed by Cisco that can encapsulate a wide variety of network layer
protocol packet types inside IP tunnels. This creates a virtual point-to-point link to
Cisco routers at remote points over an IP internetwork.
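An added example, not from the notes or from any Cisco code, that builds and unpacks the GRE encapsulation just described (RFC 2784 header, no checksum, version 0) and shows why a plain GRE tunnel is not private: the inner packet, including its addresses, is carried as-is between the tunnel endpoints. The inner and outer addresses are private and documentation ranges chosen for the example.

```python
import struct
import ipaddress

IPPROTO_GRE = 47          # outer IPv4 protocol number for GRE
GRE_PROTO_IPV4 = 0x0800   # GRE protocol-type field value for an IPv4 payload

def _checksum(data):
    """Internet checksum (RFC 1071) over a byte string; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header[:10] + struct.pack("!H", _checksum(header)) + header[12:]

def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Wrap a complete IPv4 packet in a 4-byte GRE header (C bit clear, version 0)
    and an outer IPv4 header addressed between the two tunnel endpoints."""
    gre_header = struct.pack("!HH", 0x0000, GRE_PROTO_IPV4)
    payload = gre_header + inner_packet
    return build_ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(payload)) + payload

def gre_decapsulate(outer_packet):
    """Strip the outer IPv4 and GRE headers and return the inner packet unchanged."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != IPPROTO_GRE:
        raise ValueError("outer packet does not carry GRE")
    flags_version, proto_type = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags_version & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    gre_len = 8 if flags_version & 0x8000 else 4   # checksum and reserved1 follow when C is set
    if proto_type != GRE_PROTO_IPV4:
        raise ValueError("unexpected inner protocol type 0x%04x" % proto_type)
    return outer_packet[ihl + gre_len:]

def inner_addresses(outer_packet):
    """Anyone on the path can read the inner header: GRE by itself gives no confidentiality."""
    inner = gre_decapsulate(outer_packet)
    src, dst = struct.unpack("!4s4s", inner[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

def run_demo():
    """Constructed UDP packet from a private host, tunneled between two public endpoints."""
    inner = build_ipv4_header("10.1.1.10", "10.2.2.20", 17, 5) + b"hello"
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    return inner, outer

if __name__ == "__main__":
    inner, outer = run_demo()
    print(len(inner), "->", len(outer), "bytes; inner addresses visible:", inner_addresses(outer))
```

The decapsulated packet is byte-for-byte the original, and the inner addresses are readable from the outer packet without any key. That is the gap IPsec closes when it adds authentication, integrity and confidentiality on top of the tunnel.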

A VPN is virtual in that it carries information within a private network, but that
information is actually transported over a public network. A VPN is private in that
the traffic is encrypted to keep the data confidential while it is transported across
the public network.

A VPN is a communications environment in which access is strictly controlled to
permit peer connections within a defined community of interest. Confidentiality is
achieved by encrypting the traffic within the VPN. Today, a secure implementation
of VPN with encryption is what is generally equated with the concept of virtual
private networking.

In the simplest sense, a VPN connects two endpoints, such as a remote office to
a central office, over a public network, to form a logical connection. The logical
connections can be made at either Layer 2 or Layer 3. Common examples of Layer
3 VPNs are GRE, Multiprotocol Label Switching (MPLS), and IPsec. Layer 3 VPNs
can be point-to-point site connections, such as GRE and IPsec, or they can
establish any-to-any connectivity to many sites using MPLS.

IPsec is a suite of protocols developed with the backing of the IETF to achieve
secure services over IP packet-switched networks.

IPsec services allow for authentication, integrity, access control, and
confidentiality. With IPsec, the information exchanged between remote sites can
be encrypted and verified. VPNs are commonly deployed in a site-to-site topology
to securely connect central sites with remote locations. They are also deployed in
a remote-access topology to provide secure remote access to external users
travelling or working from home. Both remote-access and site-to-site VPNs can be
deployed using IPsec.
