Defining Network Infrastructures and Network Security | 175
CERTIFICATION READY: How would you define a DMZ? (Objective 1.1)
firewall, then this will be the device that is scanned. If your computer connects directly to the Internet, then the computer will be scanned.
6. Make note of the results. The page shows the public IP that was scanned, then lists each scanned port and its status. The desired result is “Stealth” for every listed port: the scanner received no reply at all, meaning the firewall silently dropped the probe. “Closed” means the device answered with a TCP reset (it is reachable, but nothing is listening), and “Open” means a service actually accepted the connection. If any port shows Open or Closed, check that the firewall is enabled and operating properly, and that no port-forwarding or DMZ-host rule is exposing that port. Keep in mind that the scan reflects only what is visible from the scanner’s own address at that moment; an allow rule limited to other source addresses would not show up here.
7. Try a few other scans, such as All Service Ports or File Sharing.
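As an added example (not part of the lesson's ShieldsUP! exercise), the following Python script performs a TCP connect probe and reports each port the way the scanner's results page does: open (the handshake completed), closed (the host answered with a TCP reset) or stealth (no reply at all before the timeout). The port list and the loopback listener are constructed for the demonstration, and `target` in the closing comment is a placeholder for a host you are authorized to scan.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Constructed port list: a few of the service ports a "Common Ports" scan covers.
COMMON_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'stealth' for one TCP port.

    open    -> the three-way handshake completed (a service accepted it)
    closed  -> the host replied with a TCP RST (reachable, nothing listening)
    stealth -> no TCP reply before the timeout (dropped by a firewall, or the
               host/route is unreachable); this is what a well-configured
               firewall should produce for every probe
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # socket.timeout/TimeoutError and ICMP-unreachable errors
        return "stealth"
    finally:
        sock.close()


def scan_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    """Probe each port in turn and map port -> state."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def non_stealth_ports(results: Dict[int, str]) -> List[int]:
    """The ports a firewall check should worry about: anything that answered."""
    return sorted(port for port, state in results.items() if state != "stealth")


def open_loopback_listener() -> Tuple[socket.socket, int]:
    """Start a throwaway listener on 127.0.0.1 so the probe can be exercised offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    return listener, listener.getsockname()[1]


if __name__ == "__main__":
    listener, port = open_loopback_listener()
    print("with a service listening:", probe_tcp_port("127.0.0.1", port, 1.0))
    listener.close()
    print("after the service stopped:", probe_tcp_port("127.0.0.1", port, 1.0))
    # Against a host you are allowed to test (placeholder name 'target'):
    #   results = scan_ports(target, COMMON_PORTS)
    #   print("ports that answered:", non_stealth_ports(results))
```

A connect probe only sees the TCP layer; a "stealth" verdict says the probe got no reply, not that the port is unused, and a host that answers ping can still be fingerprinted even when every TCP port is silent.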
A proxy server acts as an intermediary between a LAN and the Internet. By definition, a proxy is a “go-between,” and here it mediates between a private and a public network. The proxy server evaluates each request from a client and, if it meets the configured criteria, forwards it to the appropriate server; because every request passes through it, the proxy is also the natural place to log and filter what leaves the network. There are several types of proxies, including the following:
• Caching proxy attempts to serve client requests without actually contacting the remote server. Although there are FTP and SMTP proxies among others, the most common caching proxy is the HTTP proxy, also known as a web proxy, which caches web pages from servers on the Internet for a set amount of time. This is done to save bandwidth on the company’s Internet connection and to increase the speed at which client requests are carried out.
• IP proxy hides the machines behind it by presenting a single address on their behalf; it does this through the use of NAT. For example, a basic four-port router acts as an IP proxy for the clients on the LAN it protects. Note that NAT conceals the private addresses and discards unsolicited inbound packets that match no translation, but it does not inspect the traffic it does forward; it is not a substitute for firewall rules.
Another example of a proxy in action is Internet content filtering. An Internet content filter, or simply a content filter, is usually implemented as software at the application layer, and it can filter out various types of Internet activity, such as access to certain Web sites, email, instant messaging, and so on.
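The two proxy behaviours above, deciding whether a request may go out at all and serving repeats from a cache for a set time, fit in one small class. The following Python model is an added example, not code from the lesson; the upstream fetch and the clock are injected so it runs offline, and the site names, blocked domain and 60-second TTL are constructed for the demonstration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit


@dataclass
class CacheEntry:
    body: bytes
    expires_at: float  # clock reading after which the cached copy is stale


class FilteringCachingProxy:
    """Evaluate client requests, apply a content filter, and cache what is allowed.

    fetch_upstream is injected so the class can be exercised without a network;
    in a real proxy it would perform the HTTP request to the remote server.
    """

    def __init__(self, fetch_upstream: Callable[[str], bytes],
                 blocked_hosts: Tuple[str, ...], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch_upstream
        self._blocked = tuple(h.lower() for h in blocked_hosts)
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, CacheEntry] = {}
        self.upstream_calls = 0  # how often the Internet link was actually used

    def is_blocked(self, host: str) -> bool:
        """Content-filter rule: block a listed domain and every subdomain of it."""
        host = host.lower().rstrip(".")
        return any(host == b or host.endswith("." + b) for b in self._blocked)

    def handle(self, url: str) -> Tuple[str, bytes]:
        """Return (decision, body); decision is 'blocked', 'cache_hit' or 'cache_miss'."""
        host = urlsplit(url).hostname or ""
        if self.is_blocked(host):
            return "blocked", b""          # filtered at the application layer
        now = self._clock()
        entry = self._cache.get(url)
        if entry is not None and entry.expires_at > now:
            return "cache_hit", entry.body  # served without contacting the server
        body = self._fetch(url)             # only reached on a miss or a stale copy
        self.upstream_calls += 1
        self._cache[url] = CacheEntry(body, now + self._ttl)
        return "cache_miss", body


# --- constructed demo data: a fake upstream and a controllable clock -----------
FAKE_SITES = {
    "http://intranet.example.net/index.html": b"<h1>Welcome</h1>",
    "http://www.example.com/news": b"<p>headlines</p>",
}


class FakeClock:
    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def build_demo_proxy() -> Tuple[FilteringCachingProxy, FakeClock]:
    clock = FakeClock()
    proxy = FilteringCachingProxy(FAKE_SITES.__getitem__, ("badsite.example",), 60.0, clock)
    return proxy, clock


if __name__ == "__main__":
    proxy, clock = build_demo_proxy()
    for url in ("http://www.example.com/news", "http://www.example.com/news",
                "http://games.badsite.example/play"):
        print(url, "->", proxy.handle(url)[0])
    clock.advance(61)
    print("after TTL expired ->", proxy.handle("http://www.example.com/news")[0])
    print("upstream fetches used:", proxy.upstream_calls)
```

Two things a production proxy adds that this model leaves out: it caches only responses that the server marks cacheable (for HTTP, only safe methods and the Cache-Control/Expires headers), and a hostname blocklist must also handle URLs written with a raw IP address, or the filter is trivially bypassed.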
Although firewalls are often the device closest to the Internet, sometimes another device could be in front of the firewall, making it the closest to the Internet: a network intrusion detection system, or perhaps a more advanced network intrusion prevention system.
A network intrusion detection system (NIDS) is a type of IDS that attempts to detect malicious network activities (e.g., port scans and DoS attacks) by continuously monitoring network traffic, typically a copy of the traffic delivered by a switch SPAN port or a network tap. When it is configured properly, the NIDS reports any issues it finds to a network administrator; because it only observes, it does not stop the traffic it reports on.
A network intrusion prevention system (NIPS) sits inline in the traffic path and inspects traffic as it passes; based on its configuration or security policy, it can remove, detain, or redirect malicious traffic in addition to simply detecting it. Because it is inline, a NIPS that misclassifies traffic blocks legitimate connections, so its signatures are normally tuned in detect-only mode before blocking is switched on.
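To make the NIDS description concrete, here is an added example (not from the lesson) of the simplest port-scan detection logic a NIDS applies: a source that contacts many distinct ports on one host inside a short time window is flagged. The SYN records below are constructed for the demonstration and use the RFC 5737 documentation address ranges; the threshold and window values are assumptions to be tuned per network.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Constructed sample, one record per TCP SYN seen on the monitored link:
# "timestamp src_ip dst_ip dst_port". 198.51.100.5 is a normal client;
# 203.0.113.7 sweeps twelve ports in just over a second.
SAMPLE_SYN_LOG = """\
100.0 198.51.100.5 192.0.2.10 80
100.4 198.51.100.5 192.0.2.10 443
101.0 203.0.113.7 192.0.2.10 21
101.1 203.0.113.7 192.0.2.10 22
101.2 203.0.113.7 192.0.2.10 23
101.3 203.0.113.7 192.0.2.10 25
101.4 203.0.113.7 192.0.2.10 53
101.5 203.0.113.7 192.0.2.10 80
101.6 203.0.113.7 192.0.2.10 110
101.7 203.0.113.7 192.0.2.10 135
101.8 203.0.113.7 192.0.2.10 139
101.9 203.0.113.7 192.0.2.10 443
102.0 203.0.113.7 192.0.2.10 445
102.1 203.0.113.7 192.0.2.10 3389
140.0 198.51.100.5 192.0.2.10 80
"""


@dataclass(frozen=True)
class Syn:
    ts: float
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class ScanAlert:
    src: str
    dst: str
    distinct_ports: int
    first_ts: float
    last_ts: float


def parse_syn_log(text: str) -> List[Syn]:
    """Parse the whitespace-separated record format used above."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append(Syn(float(ts), src, dst, int(dport)))
    return records


def detect_port_scans(records: List[Syn], threshold: int = 10,
                      window: float = 5.0) -> List[ScanAlert]:
    """Alert once per (src, dst) pair that hits >= threshold distinct ports
    within any sliding window of `window` seconds."""
    recent: Dict[Tuple[str, str], Deque[Syn]] = defaultdict(deque)
    alerted = set()
    alerts: List[ScanAlert] = []
    for syn in sorted(records, key=lambda r: r.ts):
        key = (syn.src, syn.dst)
        bucket = recent[key]
        bucket.append(syn)
        while bucket and syn.ts - bucket[0].ts > window:  # expire old SYNs
            bucket.popleft()
        ports = {s.dport for s in bucket}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)  # report the pair once, not on every further SYN
            alerts.append(ScanAlert(syn.src, syn.dst, len(ports), bucket[0].ts, syn.ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_syn_log(SAMPLE_SYN_LOG)):
        print(f"port scan: {alert.src} -> {alert.dst}, {alert.distinct_ports} ports "
              f"between t={alert.first_ts} and t={alert.last_ts}")
```

The rule fires on the tenth distinct port, so the alert records ten ports even though the sweep goes on to twelve. The same logic shows the two classic blind spots of threshold detection: a scan slowed to fewer than `threshold` ports per `window` never trips it, and a NAT gateway that fronts many real users can trip it with legitimate traffic, which is why the threshold is tuned per source population rather than set globally.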
176 | Lesson 8
• 3-leg perimeter configuration: In this scenario, the DMZ is usually attached to a separate connection of the company firewall. Therefore, the firewall has three connections—one to the company LAN, one to the DMZ, and one to the Internet.
SET UP A DMZ ON A SOHO ROUTER
GET READY. In this exercise, we demonstrate how to enable the DMZ function of a typical four-port SOHO router:
1. Access the D-Link DIR-655 router at the following link:
http://support.dlink.com/emulators/dir655/133NA/login.html
2. Log in (no password is required).
3. Click the Advanced link at the top of the screen.
4. Click the Firewall Settings link at the right.
5. Scroll down to the DMZ Host section.
6. Check the Enable DMZ option.
7. Type the IP address of the host that will be connected to the DMZ.
At this point, you would also physically connect that host to a port on the router. Note that on a SOHO router the “DMZ host” is a single IP address to which the router forwards every unsolicited inbound connection. That host loses the protection of NAT entirely, so it must be hardened and must not hold anything the LAN relies on; this is not a separate firewall leg like the 3-leg configuration described above.
Alternatively, you could connect a layer 3 switch to the port and enter that switch’s IP address in this field, which uses only one router port for several hosts. Be aware, though, that the router forwards the unsolicited traffic to that one address, so the switch itself receives it; reaching individual hosts behind the switch would need the switch (or the router’s port-forwarding rules) to translate the traffic further.
Putting It All Together
Building an entire network for an organization can take months or even years! The concepts covered in these lessons only scrape the surface of the gigantic networking world.
However, what we covered up until now is still a lot of information. Let’s try to complete the Proseware, Inc., scenario by combining the various technologies we learned about into one efficient, well-oiled network.
THE BOTTOM LINE
In this scenario, Proseware, Inc., wants just about every component and technology possible for its network. Let’s list what they require and follow it up with some network documentation that will act as the starting point for our network plan. Here are the basic components that Proseware, Inc., desires for its network:
• Client-server local area network with the following:
❍ 300 client computers, some of which are laptops and tablet PCs
❍ 1 master switch and 4 other secondary switches (1 per department) set up in a hierarchical star fashion
• 5 LAN Windows Servers connected directly to the master switch:
❍ 2 Domain Controllers
❍ 1 DNS server
❍ 1 DHCP server
❍ 1 RRAS server
• Wired and wireless considerations:
❍ Category 6 twisted-pair cable for the client desktop PCs
❍ Wireless 802.11n connections for laptops and tablet PCs
❍ 1000BASE-SX fiber optic connections for the servers and switches
❍ 10GBASE-SR fiber optic connection for the master switch
• 3-leg perimeter DMZ with the following equipment and zones:
❍ Switch with 1000BASE-SX fiber optic connection
❍ 3 DMZ Windows Servers:
  Web server
  FTP server
  Email server
❍ Intranet for remote users with authentication server
❍ Extranet for connection to partner company utilizing the same authentication server as the intranet
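The requirement list implies a zone policy that the 3-leg firewall must enforce. The following Python model is an added example, not part of the lesson: it assigns each address to the Internet, DMZ or LAN leg and decides whether a new connection may be initiated between them. The addressing (10.0.0.0/8 for the LAN, 192.168.100.0/24 for the DMZ), the DMZ server addresses and the authentication server’s port are assumptions, since the lesson does not specify them.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Assumed addressing for the Proseware plan (not given in the lesson).
LAN_NETS = [ip_network("10.0.0.0/8")]
DMZ_NETS = [ip_network("192.168.100.0/24")]

# Assumed DMZ server addresses; the services follow the Proseware list.
# The authentication server's port (HTTPS logon) is also an assumption.
DMZ_SERVICES: Dict[str, Set[int]] = {
    "192.168.100.10": {80, 443},  # web server
    "192.168.100.11": {21},       # FTP server
    "192.168.100.12": {25},       # email server
    "192.168.100.13": {443},      # authentication server for intranet/extranet users
}

# (src_zone, dst_zone) -> policy for *initiating* a connection; anything not
# listed is denied. The defining property of the 3-leg design is that no
# entry exists for ("DMZ", "LAN"): a compromised public server cannot pivot
# into the LAN, and the Internet never reaches the LAN directly.
ZONE_POLICY: Dict[Tuple[str, str], str] = {
    ("LAN", "INTERNET"): "allow",
    ("LAN", "DMZ"): "allow",           # administrators manage the DMZ hosts
    ("INTERNET", "DMZ"): "published",  # only the services listed above
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall leg it arrives on or departs from."""
    addr = ip_address(ip)
    if any(addr in net for net in LAN_NETS):
        return "LAN"
    if any(addr in net for net in DMZ_NETS):
        return "DMZ"
    return "INTERNET"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for a new TCP connection attempt."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    rule = ZONE_POLICY.get((src_zone, dst_zone), "deny")
    if rule == "published":
        if dst_port in DMZ_SERVICES.get(dst_ip, set()):
            return "allow", f"{src_zone}->{dst_zone}: published service {dst_ip}:{dst_port}"
        return "deny", f"{src_zone}->{dst_zone}: {dst_ip}:{dst_port} is not published"
    return rule, f"{src_zone}->{dst_zone}: default zone policy"


def policy_matrix() -> List[Tuple[str, str, str]]:
    """Every zone pair with its decision, for review in the network documentation."""
    zones = ("INTERNET", "DMZ", "LAN")
    return [(s, d, ZONE_POLICY.get((s, d), "deny")) for s in zones for d in zones if s != d]


if __name__ == "__main__":
    for src, dst, rule in policy_matrix():
        print(f"{src:>8} -> {dst:<8} {rule}")
    for attempt in [("203.0.113.5", "192.168.100.10", 443),   # Internet user to web server
                    ("203.0.113.5", "192.168.100.10", 3389),  # Internet to RDP on web server
                    ("192.168.100.10", "10.1.2.3", 445),      # DMZ host toward the LAN
                    ("10.1.2.3", "198.51.100.20", 443)]:      # LAN client browsing out
        print(attempt, "->", evaluate(*attempt))
```

The model decides only who may open a connection; the firewall’s connection tracking then lets the replies flow back, which is why no rule for return traffic appears. Any genuine DMZ-to-LAN need, such as the authentication server validating logons against a domain controller, must be added as one narrow exception (specific source, destination and port) rather than by opening the zone pair.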
Figure 8-8 shows an example of how this network documentation might start out.
Figure 8-8: Network documentation (diagram). Labels recoverable from the figure: LAN A: Marketing, LAN B: Accounting, LAN C: Engineering, LAN D: IT Dept.; WAP 802.11n; 1000BASE-SX between switches; Master Switch; DMZ Switch; LAN servers DC #1, DC #2, DNS, DHCP, RRAS; DMZ servers WWW, FTP, E-Mail, Authentication Server; Internet.
Take some time to think about exactly what would be entailed when installing this network.
For example, what kind of network adapters would the LAN servers require in order to take advantage of the 10 Gbps fiber connection that the master switch provides? What type of firewall should be used to facilitate all the different connections necessary, such as intranet, extranet, LAN connectivity to the Internet, and so on?
This type of network documentation is just a starting point, of course. More documents will be necessary to define how and where cables will be installed, determine an IP addressing scheme and list of static IP addresses, and much more. However, this type of planning gives the basis for all of the configurations and planning yet to come.