CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)

3.5.3.9.2  Databases 1 2 3 4 5 6 7 8 9 10 3.7  Success Questions

Network Security Topologies

You also explored network security topologies, which describe the organization of devices on a network from a security perspective. You first looked at how a network can be partitioned into multiple zones of security including:

• DMZ, or De-Militarized Zone, a no-man’s-land between external networks like the Internet and your protected internal network, usually sitting outside the firewall separating the wild world from your internal network; it is a neutral zone which keeps internal and external users apart, and minimizes opportunities for unauthorized actions by each, such as break-ins by external users or uses of Internet music-sharing services by internal users; in the DMZ you generally run services which need to accept connections from outside, such as email and web services; non-essential services should be minimized since they increase vulnerabilities, and internal-only services should not be run in the DMZ.
  
  
• Intranet, the internal network used by the organization’s insiders; proprietary data is generally stored and transported around a company’s intranet; if implementing a logical intranet connection via the Internet, protect that connection with an encrypted channel like a VPN or SSL-encrypted web connection; the intranet contains your network’s crown jewels – its most valuable data – and while threat of access by outsiders may be lower, there is still possibility of compromise by insiders, so suitable security should be deployed.
  
  
• Extranet, the extension of parts of an organizations network to its business partners such as suppliers and customers on a need-to-know basis; access is normally provided via VPN or SSL-encrypted web connections; because more people have access to these areas of your network than to your intranet, extra monitoring may be advisable.

You discovered that a VLAN (Virtual LAN) is a logical LAN created through configuration of switches; it provides the benefits of a subnet without requiring that the devices be on the same physical network, or connected with the same physical technology. Because some VLAN partitioning can be compromised, VLAN’s do not provide the same level of security as true physical subnets behind separate router ports.

You learned that NAT (or Network Address Translation) is used to connect a private network to a public network, using one or more externally-visible public network IP addresses. It allows devices on private networks to communicate with the Internet and other public networks. When combining NAT and IPSec, the NAT address translation should be applied BEFORE the IPSec encapsulation is performed. (If you are using ESP in tunnel mode, you MAY be able to get away with doing NAT translation after IPSec encapsulation since that configuration doesn’t protect the header’s addresses from modification.)

Static NAT involves a permanent mapping of a private address to a public address, generally one private to one public address. Dynamic NAT maps private addresses to public addresses as needed, which means that you can get away with fewer public addresses. PAT, or Port Address Translation, directs requests to a particular port on a public internet address, to the machine designated at the PAT box, as the machine that handles that service; for example, you might designate one machine as your web server port destination and one as your email server port destination. NAT is used for increased security, simplified administration, and the need for more internal addresses than permitted by the organization’s Internet connection.

You discovered that tunneling, the encapsulation of packets to create a virtual point-to-point connection can provide an authenticated, encrypted, tamper-resistant channel between two points, over the Internet. It can exist at Layer 2 (PPTP, L2TP, L2F), Layer 3 (IPSec) or higher layers (via ssh or SSL).

3.5.3.9.2  Databases 1 2 3 4 5 6 7 8 9 10 3.7  Success Questions