Some networking environments are highly specialized. In this video, you’ll learn about devices that provide unique solutions for today’s networks.
A multilayer switch provides multiple functions on a network. It can act as a switch, forwarding traffic based on MAC addresses, but it can also act as a router, making forwarding decisions based on the Layer 3 addresses passing through the device. These functions are often bundled and marketed together as a single device, commonly referred to as a Layer 3 switch.
In reality, these two functions work independently inside the same chassis. One part of the device performs switching, entirely at Layer 2, while a completely different part provides routing at Layer 3. We’ve effectively taken two different devices– a switch and a router– and simply combined them within the same chassis.
Almost every organization is going to have a wireless network, and it’s usually one that extends everywhere you might go inside a particular facility. There’s usually not a single access point; there are usually many access points deployed across the organization. These access points may extend to multiple buildings, and they may be located at sites very far from where you happen to be sitting. If you’re managing the wireless network, then you also know that changes are happening all the time: changes to access policies, security policies, and the configuration of the access points themselves.
This wireless network should also be seamless for your end users. They should be able to simply connect to the wireless network, use their normal credentials, and be able to communicate to all of the services they need on your network. These requirements for a large organization are much different than the wireless networks we have at home. That’s why, in these large companies, you might have a wireless LAN controller. This allows you to have centralized management of all of your wireless access points all from one single console. We often refer to this as a single pane of glass.
From this single console, you can deploy new access points. You can constantly monitor your wireless network and look for any security concerns that might be occurring. You can, of course, make changes to the configurations of all of your wireless access points, and then provide reports on how much these wireless access points are being used and by whom. These wireless LAN controllers are often proprietary. So they’re specific to the brand of access point that you’re using in your network.
If you’re providing some type of service to end users, then some of your biggest concerns are making sure that the service remains available and stays responsive when people try to use it. One way to provide both uptime and efficiency for the application is to implement some type of load balancing.
Load balancers are often used for large scale implementations of web servers, database servers, and other major services on the network. When we’re implementing these load balancers for fault tolerance, we’re usually putting multiple servers behind the load balancer. If one server happens to fail, all of the other servers are still available to provide that service to the end user.
This is how we might balance the load across multiple servers. We bring up server A, server B, server C, and server D, and we put them all behind a load balancer. Users coming in from other parts of the network simply connect to the load balancer, and the load balancer decides which particular server will handle each request.
The load balancer is often monitoring the responses it gets from these servers. If one server begins to slow down, it can rebalance the load across the remaining servers. The load balancer might also provide TCP offload. We know that if we’re communicating with a device over TCP, the normal three-way TCP handshake has to occur for every session.
The load balancer performs that TCP handshake with the end user, but for communication to the individual servers behind it, it uses a session that’s already up and running and will remain that way. That removes another level of overhead from the servers, and the load balancer manages all of the TCP handshake overhead.
SSL encryption also adds overhead on the server. So instead of performing the encryption and decryption process on the server, the load balancer manages SSL and acts as the endpoint for that SSL communication. Load balancers can also be configured to cache client requests. So if someone makes a request to any of these servers, the load balancer will cache that information as it provides the results to that user.
If another user asks for exactly the same information, the load balancer will simply pull that from the cache and send it back to the user without ever querying the servers that are behind it. Many load balancers will support multiple protocols. And it may prioritize certain protocols over others. It can also provide prioritization at the application level. So certain applications on these servers may have a higher priority than other applications running on exactly the same servers.
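The health-aware distribution and response caching described above, as an added example that is not part of the original video notes. The back-end pool, response times and request paths are constructed values; a server marked `None` models one that failed its health check, and one slower than the threshold is steered around.

```python
from collections import OrderedDict

# Constructed back-end pool: name -> last measured response time in seconds.
# None models a server that did not answer the load balancer's health probe.
BACKENDS = {"A": 0.05, "B": 0.05, "C": 0.40, "D": None}
SLOW_THRESHOLD = 0.25   # responses slower than this steer traffic elsewhere


class LoadBalancer:
    """Toy front end: health-aware round robin plus a bounded response cache."""

    def __init__(self, backends, cache_size=100):
        self.backends = dict(backends)
        self.cache = OrderedDict()   # request -> cached response, oldest first
        self.cache_size = cache_size
        self.cache_hits = 0
        self._rr = 0                 # round-robin position

    def healthy(self):
        """Servers that answered the last probe and are not too slow."""
        return [name for name, rtt in self.backends.items()
                if rtt is not None and rtt <= SLOW_THRESHOLD]

    def pick(self):
        """Choose the next healthy server; the pool shrinks as servers fail."""
        pool = self.healthy()
        if not pool:
            raise RuntimeError("no healthy back ends")
        server = pool[self._rr % len(pool)]
        self._rr += 1
        return server

    def handle(self, request):
        """Serve from cache when possible; otherwise forward to a server."""
        if request in self.cache:
            self.cache_hits += 1
            self.cache.move_to_end(request)
            return self.cache[request], "cache"
        server = self.pick()
        response = f"{request} served by {server}"
        self.cache[request] = response
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)   # evict the oldest entry
        return response, server
```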
An IDS or an IPS is an intrusion detection system or intrusion prevention system. These are devices that we put on our network to monitor all of the communication that’s going in and out of our network. These are specifically looking for security events. They’re looking to see if someone is trying to perform an exploit against an operating system or an application, or someone who might be trying to perform a buffer overflow or some type of data injection.
There are two different flavors of these devices. The intrusion detection system is designed to alert when these types of problems occur, but it doesn’t actively block any traffic from going through your network. An intrusion prevention system is designed not only to identify these security issues, but also to block them from entering your network. There are many different ways that an IDS or an IPS can identify these security anomalies. One way is through a signature-based match, which looks for a very specific signature. This happens to be a signature from an IPS that is looking for the configure worm. It’s looking for an exact match of this information, and if it finds the match, it will then perform the alerting or blocking function that you’ve configured in your IDS or IPS.
Many modern IDS or IPS devices will also monitor your network over time and determine what is normal on your network. If something happens that is outside the norm or is an anomaly, it will then give you the option to either allow or not allow that traffic through the network. These devices can also be configured to look for a certain type of behavior. If somebody accesses a file in a certain way, for example, it may decide to flag that and allow you to make a decision on whether that’s allowed or not.
And some of these devices use heuristics, which are a very broad description of malicious activity. Instead of having a specific signature, heuristics are able to use artificial intelligence to determine if a particular traffic flow seems to be malicious, and then can take action based on that.
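The signature-based and anomaly-based detection described above, and the IDS-versus-IPS difference in what is done with a match, as an added example that is not from the original video notes. The signature pattern, the flow records and the "normal" traffic sizes are constructed test data; the anomaly check flags a flow whose size is more than three standard deviations from the learned baseline.

```python
import statistics

# Constructed signature set: name -> exact byte pattern that must appear in the payload.
SIGNATURES = {"EXAMPLE-WORM-TEST": b"X-EXAMPLE-WORM-MARKER"}

# Constructed history of normal flow sizes (bytes) used to learn the baseline.
NORMAL_SIZES = [1200, 1350, 1100, 1280, 1400, 1250, 1320, 1180]


def signature_match(payload, signatures=SIGNATURES):
    """Return the name of the first signature found as an exact match, else None."""
    for name, pattern in signatures.items():
        if pattern in payload:
            return name
    return None


class Baseline:
    """Anomaly detection: learn what normal looks like, then flag outliers."""

    def __init__(self, sigma=3.0):
        self.sigma = sigma
        self.mean = None
        self.stdev = None

    def learn(self, samples):
        self.mean = statistics.mean(samples)
        self.stdev = statistics.pstdev(samples)

    def is_anomalous(self, value):
        if self.mean is None:          # nothing learned yet: never flag
            return False
        return abs(value - self.mean) > self.sigma * self.stdev


def inspect(flow, baseline, mode="ids"):
    """Verdict for one flow {"bytes": int, "payload": bytes}.

    An IDS only alerts; an IPS blocks the very same flows. Returns
    (action, reasons) where action is "allow", "alert" or "block".
    """
    reasons = []
    sig = signature_match(flow["payload"])
    if sig:
        reasons.append(f"signature:{sig}")
    if baseline.is_anomalous(flow["bytes"]):
        reasons.append(f"anomaly:bytes={flow['bytes']}")
    if not reasons:
        return "allow", []
    return ("block" if mode == "ips" else "alert"), reasons
```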
A proxy is a security device that sits in the middle of the communication between the users and the external network that they’re accessing. The proxy will receive the request that the users make and then make that request on their behalf to the service that’s on the outside of the network. It will then receive the response to that request, examine it, make sure there’s nothing malicious inside of it, and then send the response down to the users.
It’s common to use proxies for URL filtering and content scanning. A proxy can also cache information to improve the overall performance of network communication. If your organization is using an explicit proxy, then the applications have to know how to use that proxy to be able to communicate with the outside, and applications have to be specially written so that they’re able to take advantage of this proxy technology.
A more common proxy is a transparent proxy. With a transparent proxy, the applications don’t have to be written a certain way. And your users don’t even know the proxy is there. Your users will simply browse to the internet as usual, and the transparent proxy will intercept that communication. The proxy then makes the request on their behalf and receives the response. It examines the response, and if everything looks good, it provides the response to the end user.
As you can imagine, a proxy has to be specifically written to be able to understand how certain applications will operate. And it’s very common for these application-level proxies to be able to understand, perhaps, one application, such as HTTP. You may have to enable additional features or use additional proxies if you need to be able to proxy other types of applications, such as HTTPS, FTP, and any other type of app.
A VPN concentrator is a device we would install onto our network that would allow us to support VPNs, or Virtual Private Networks. This would allow someone on the outside of our network to communicate over the public internet, but send that communication in encrypted form. When it’s received by our VPN concentrator, it’s decrypted and then put onto our local internal network.
This VPN concentrator can be a standalone device. But we can also integrate this into most firewalls. So the firewall is providing not only the security gateway to your network, but it’s also acting as the endpoint for these VPN tunnels. For smaller implementations, you could even create a VPN concentrator using software on an individual server instead of using dedicated hardware. You would also need client software on the end station that’s able to communicate to these VPN concentrators. And often, operating systems will ship with certain types of VPN software built into the OS.
For a remote access VPN, we’d have a VPN concentrator at our main location. And inside our network, we have all of our corporate resources. The VPN concentrator is connected to the internet, which means you could be anywhere– perhaps at a coffee shop– needing access to the internal network. You would start up your VPN software on your laptop, and it would build an encrypted tunnel into the VPN concentrator. Anything sent over this VPN tunnel would all be encrypted between your laptop and the VPN concentrator. If anyone was listening in the middle, they wouldn’t be able to make any sense of this communication.
The VPN concentrator is in charge of decrypting that information and sending it into the local network. Any responses are also re-encrypted by the concentrator and sent back to the user on their laptop. It’s very common these days to configure VPN software to be always on. So if you’re outside the building, it recognizes that you’re on an external network, and if you are, it automatically builds this tunnel back to the VPN concentrator. So wherever you happen to be using this laptop, you will always be using a secure channel back to the central office.
Whenever we’re using resources on our network, we constantly need to identify ourselves. We need to identify ourselves when we sit down at our computer, when we connect to a wireless network, or when we try to access a resource across the network. To gain access to these resources, we need some way to validate that we really are who we say we are. In those cases, we would use an AAA (triple-A) framework to provide the authentication, the authorization, and the accounting that keeps track of exactly what you’ve accessed and when on the network.
The authentication process is one that we’re very familiar with. We provide a username, and then we provide something secret, like a password, to prove that we really are who we say we are. Based on that information, we’ll be authorized to use certain resources on the network according to the rights and permissions associated with our username. Accounting then keeps track of exactly when I logged on, when I logged off, and exactly what information was sent back and forth over the network.
This AAA framework commonly runs on an AAA server somewhere in our network. Say we are a client outside of the network trying to log in and gain access through a VPN tunnel. We hit the VPN concentrator and provide our username and password to gain access. That request is passed off to the AAA server, which checks whether the username and password are legitimate. If they are, the AAA server approves those credentials, and we have access to the resources on the inside of the network.
A very common protocol used for this AAA service is RADIUS, which stands for Remote Authentication Dial-in User Service. Although the name contains "dial-in," it is one of the most popular authentication protocols and is used for much more than just dial-in. The RADIUS protocol may be used to authenticate users to routers and switches. It may be used to provide access to servers. It may be the protocol used to gain access over your VPN tunnels, and it may be used on your wireless networks with 802.1X. RADIUS is one of the most popular authentication protocols, and you’ll see it used across a number of different services and operating systems.
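The exchange described above, with the VPN concentrator acting as the RADIUS client and the AAA server answering, as an added example that is not from the original video notes. It follows the RFC 2865 packet layout (User-Password hiding with MD5 and the shared secret, and the Response Authenticator the client checks before trusting an Access-Accept); the shared secret, user database and request authenticator values are constructed, and the concentrator's verification step is what stops a reply that was not produced with the shared secret from being trusted.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types from RFC 2865
SECRET = b"constructed-shared-secret"   # constructed; shared by concentrator and AAA server
USERS = {b"alice": b"correct horse"}     # constructed AAA user database

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def _xor_chain(data, secret, request_auth, chain_on_input):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        mixed = bytes(a ^ b for a, b in zip(block, key))
        out += mixed
        prev = block if chain_on_input else mixed   # ciphertext is the input when unhiding
    return out

def hide_password(pw, secret, request_auth):
    padded = pw.ljust((len(pw) + 15) // 16 * 16, b"\0")
    return _xor_chain(padded, secret, request_auth, chain_on_input=False)

def unhide_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, chain_on_input=True).rstrip(b"\0")

def access_request(user, pw, secret=SECRET, ident=1, request_auth=None):
    """Built by the RADIUS client (here the VPN concentrator) for the AAA server."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(pw, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def server_reply(request, secret=SECRET, users=USERS):
    """AAA server: recover the password, decide, and sign the reply with the secret."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, pos, fields = request[4:20], 20, {}
    while pos < length:                       # walk the type/length/value attributes
        kind, alen = request[pos], request[pos + 1]
        fields[kind] = request[pos + 2:pos + alen]
        pos += alen
    pw = unhide_password(fields[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(fields[USER_NAME]) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes in this example
    return header + hashlib.md5(header + request_auth + secret).digest()

def client_verdict(request, reply, secret=SECRET):
    """Concentrator checks identifier and Response Authenticator before trusting the verdict."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if reply[1] != request[1] or expected != resp_auth:
        return "unverified"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"
```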
So far, we’ve talked about many different components that you could have in your network. Routers, intrusion detection systems, firewalls, proxies, VPN concentrators, and more. But if your environment is relatively small, you may be able to combine all of these functions into a single security device. This is called a UTM, or Unified Threat Management device. Some people will refer to this as a web security gateway.
A UTM can be used for URL filtering or content inspection. It may be able to scan files that are downloaded for any type of malware that might be inside. It may also be able to identify spam in any emails that might be downloaded. If you’re connecting to a wide area network, some of the wide area network hardware, such as the CSU/DSU, may also be integrated into this same chassis. This could also provide Layer 3 routing and even Layer 2 switching on certain UTMs.
And, of course, from a security perspective, we need firewall functionality and IDS/IPS functionality in our UTM. You might also find UTMs that are able to provide bandwidth shaping. So you can prioritize certain applications that are communicating to the internet. And if you need a VPN concentrator, you can add that function and all of these other functions at the same time within the same chassis with a UTM.
These days, firewalls are much more than devices that can allow or disallow traffic based on a TCP or UDP port number. Modern firewalls are able to look at the applications that are flowing across the network. And we call these next generation firewalls, or NGFW. You might also see these next generation firewalls called application layer gateways, stateful multilayer inspection devices, or devices that are performing deep packet inspection.
That’s because a next generation firewall is looking at every bit and byte that’s going through the network. It’s looking at every frame that’s passing through the network, and making security decisions based on what happens to be within all of the data of that frame. So it may be able to allow communication to Facebook, allow communication to Twitter, but not allow someone to post to Facebook or post to Twitter. That’s because these firewalls can really understand all of the applications in use. And, in some cases, can understand different functions of the applications you happen to be using.
In most organizations, everyone has a phone on their desk. We used to accomplish this by using a PBX, or Private Branch Exchange: effectively your own private phone switch within your company. That phone switch then connects to your phone provider’s network, and you’re able to send and receive phone calls. This also meant that we had to run additional telephone lines to everyone’s desk, so it was very common to run two wires for every desk: one wire for the telephone, and another wire for the local area network.
Today, we’re using a voice over IP PBX, where we’re able to integrate all of your different voice over IP devices: your voice over IP handsets, and voice over IP software in your mobile devices and in your browser. You’re able to make phone calls using those devices over your existing local area network. With this voice over IP PBX, you no longer need to run multiple cables to every desk; these devices simply plug into the existing Ethernet connections.
Of course, not everything in the world is communicating using these voice over IP protocols and technologies. So in some cases, you also need a voice over IP gateway that can convert your voice over IP communication into something the traditional public switched telephone network can understand.
These days, a lot of the malicious software and data leakage is occurring within the data of our applications. So to control that, we may want to implement some type of content filtering on our network. This would allow us to look into the data going back and forth and determine if somebody may be transferring sensitive information into or out of our network. This can also look for inappropriate content. If we wanted to provide parental controls on our network, we would commonly use a content filter.
And, of course, we need to be able to look for malware. So anti-malware and anti-virus scanning are usually built into the content filtering system we might have on our network.