Hub
• “Multi-port repeater” • Traffic going in one port is repeated to every other port • OSI Layer 1 • Everything is half-duplex • Becomes less efficient as network speeds increase • 10 megabit / 100 megabit • Difficult to find today
Bridge
• Imagine a switch with two to four ports
• Makes forwarding decisions in software
• Connects different physical networks
• Can connect different topologies
• Gets around physical network
size limitations / collisions
• OSI Layer 2 device
• Distributes traffic based on MAC address
• Most bridges these days are wireless access points
• Bridges wired Ethernet to wireless
Switch
- Bridging done in hardware
- Application-specific integrated circuit (ASIC)
- An OSI layer 2 device
- Forwards traffic based on data link address
- Many ports and features
- The core of an enterprise network
- May provide Power over Ethernet (PoE)
- Multilayer switch
- Includes Layer 3 (routing) functionality
Router
• Routes traffic between IP subnets • OSI layer 3 device • Routers inside of switches sometimes called “layer 3 switches” • Layer 2 = Switch • Layer 3 = Router • Often connects diverse network types • LAN, WAN, copper, fiber
Firewall
- Filters traffic by port number
- OSI layer 4 (TCP/UDP)
- Some firewalls can filter through OSI layer 7
- Can encrypt traffic into/out of the network
- Protect your traffic between sites
- Can proxy traffic
- A common security technique
- Most firewalls can be layer 3 devices (routers)
- Usually sits on the ingress/egress of the network
Wireless access point (WAP)
• Not a wireless router • A wireless router is a router and a WAP in a single device • WAP is a bridge • Extends the wired network onto the wireless network • WAP is an OSI layer 2 device
Converting media
- OSI Layer 1
- Physical layer signal conversion
- Extend a copper wire over a long distance
- Convert it to fiber, and back again
- You have fiber
- The switch only has copper ports
- Almost always powered
- Especially fiber to copper
Wireless range extender
• Wireless never seems to stretch far enough • We can’t always choose where to install an access point • Extend the reach of a wireless network • A wireless repeater
VoIP endpoint
• Some people still communicate using voice
• We now send this using VoIP
• The device can now be anything
• Traditional phone handset, desktop application,
mobile device app
Multilayer switches
• A switch (Layer 2) and router (Layer 3) in the same
physical device
• Layer 2 router?
• Switching still operates at OSI Layer 2, routing still
operates at OSI Layer 3
• There’s nothing new or special happening here
Wireless networks everywhere
- Wireless networking is pervasive
- And you probably don’t just have a single access point
- Your access points may not even be in the same building
- One (or more) at every remote site
- Configurations may change at any moment
- Access policy, security policies, AP configs
- The network should be invisible to your users
- Seamless network access, regardless of role
Wireless LAN controllers
- Centralized management of WAPs
- A single “pane of glass”
- Deploy new access points
- Performance and security monitoring
- Configure and deploy changes to all sites
- Report on access point use
- Usually a proprietary system
- Wireless controller is paired with the access points
Balancing the load
- Distribute the load
- Multiple servers
- Invisible to the end-user
- Large-scale implementations
- Web server farms, database farms
- Fault tolerance
- Server outages have no effect
- Very fast convergence
Load balancer
- Configurable load
- Manage across servers
- TCP offload
- Protocol overhead
- SSL offload
- Encryption/Decryption
- Caching
- Fast response
- Prioritization
- QoS
- Content switching
- Application-centric balancing
IDS and IPS
• Intrusion Detection System / Intrusion Prevention
System
• Watch network traffic
• Intrusions
• Exploits against operating systems, applications, etc.
• Buffer overflows, cross-site scripting, other
vulnerabilities
• Detection vs. Prevention
• Detection – Alarm or alert
• Prevention – Stop it before it gets into the network
Identification technologies
- Signature-based
- Look for a perfect match
- Anomaly-based
- Build a baseline of what’s “normal”
- Behavior-based
- Observe and report
- Heuristics
- Use artificial intelligence to identify
Proxies
• Sits between the users and the external network
• Receives the user requests and sends the request
on their behalf (the proxy)
• Useful for caching information, access control,
URL filtering, content scanning
• Applications may need to know how to
use the proxy (explicit)
• Some proxies are invisible (transparent)
Application proxies
• Most proxies in use are application proxies
• The proxy understands the way the application works
• A proxy may only know one application, i.e., HTTP
• Many proxies are multipurpose proxies
• HTTP, HTTPS, FTP, etc.
VPN concentrator
- Virtual Private Network
- Encrypted (private) data traversing a public network
- Concentrator
- Encryption/decryption access device
- Often integrated into a firewall
- Many deployment options
- Specialized cryptographic hardware
- Software-based options available
- Used with client software
- Sometimes built into the OS
Remote access VPN
- On-demand access from a remote device
- Software connects to a VPN concentrator
- Some software can be configured as always-on
AAA framework
• Identification - This is who you claim to be
• Usually your username
• Authentication - Prove you are who you say you are
• Password and other authentication factors
• Authorization
• Based on your identification and authentication,
what access do you have?
• Accounting
• Resources used: Login time, data sent and received,
logout time
RADIUS (Remote Authentication Dial-in User Service)
• One of the more common AAA protocols • Supported on a wide variety of platforms and devices • Centralize authentication for users • Routers, switches, firewalls • Server authentication • Remote VPN access • 802.1X network access • RADIUS services available on almost any server operating system
UTM / All-in-one security appliance
• Unified Threat Management (UTM) / Web security gateway • URL filter / Content inspection • Malware inspection • Spam filter • CSU/DSU • Router, Switch • Firewall • IDS/IPS • Bandwidth shaper • VPN endpoint
Next-generation Firewalls (NGFW)
• The OSI Application Layer • Layer 7 firewall • Can be called different names • Application layer gateway • Stateful multilayer inspection • Deep packet inspection • Requires some advanced decodes • Every packet must be analyzed, categorized, and a security decision determined
VoIP technologies
• PBX (Private Branch Exchange) • The “phone switch” • Connects to phone provider network • Analog telephone lines to each desk • VoIP PBX • Integrate VoIP devices with a corporate phone switch • VoIP Gateway • Convert between VoIP protocols and traditional PSTN protocols • Often built-in to the VoIP PBX
