Pi's Website - Archived


3.3 Understand the concepts behind the following kinds of Security Topologies

o Security Zones
  o DMZ (Demilitarized Zone)
  o Intranet
  o Extranet
o VLANs (Virtual Local Area Network)
o NAT (Network Address Translation)
o Tunneling


Security Zones

Security Zones are different portions of a network with different security settings and concerns.


What are the different security zones?

  1. Demilitarized Zone (DMZ) - this is a zone where servers are placed so that both outside users from the Internet and internal users can access them, while still giving the servers some level of security.  Often, web and e-mail servers occupy the DMZ.  They are often connected to a multi-homed firewall, meaning a firewall that has separate interfaces (ports) for the outside network, the inside network, and the DMZ, but they can also be placed in a screened subnet.  In a screened subnet, a simple firewall called a screening firewall, generally a packet filter that blocks invalid traffic, sits in front of the DMZ.  Behind the DMZ there is a more powerful screened firewall between the DMZ and the internal network.  This setup is more expensive, but it has several benefits, including better performance, and it lowers the load placed on the more advanced and powerful screened firewall.
  2. Intranet - an intranet is the internal network that uses technology similar to the Internet.  These are used within companies to share information and services.
  3. Extranet - an extranet is a connection between business partners, suppliers, or other companies that engage in business relationships.


VLANs

Virtual Local Area Networks (VLANs) can be set up within a network to separate different networks without using a complex series of routers.  Most switches can create VLANs.  The clients of a VLAN can be very far apart yet still have the benefit of being in a LAN.  Clients can be switched from one VLAN to another without changing the physical connection.  VLANs increase security since one VLAN is treated separately from another without using a router.


NAT

Network address translation (NAT) is an additional form of securing a network.  NAT translates the private IP address(es) of a private network to public address(es).  It adds security because it hides the internal IP addresses from the outside network.


What are internal IP addresses?

In a private network, there are three ranges of internal addresses that are reserved for use only within private networks:

  1. 10.0.0.0 - 10.255.255.255
  2. 172.16.0.0 - 172.21.255.255
  3. 192.168.0.0 - 192.168.255.255


What types of translation are offered?

There are two types of translation offered by NAT:  static and dynamic.

  1. Static translation is a permanent translation from one IP address to another.  It is useful for small networks where only a few users need to access the Internet, and it translates both ways (inbound as well as outbound).
  2. Dynamic translation is more complicated.  In dynamic translation, there is a list (pool) of available global IP addresses from which the NAT device chooses one when necessary.  The "mappings," or associations between an internal and an external IP address, change over time.
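The difference between static and dynamic translation is easiest to see in a small NAT table.  The following is an added example, not code from the original page: a hypothetical NatTable class with one permanent static mapping and a two-address dynamic pool.  All addresses are constructed (the public ones come from the 203.0.113.0/24 documentation range); pool exhaustion and the reuse of a released public address are the cases worth watching.

```python
class NatTable:
    """Minimal outbound NAT table illustrating static vs. dynamic translation."""

    def __init__(self, static, pool):
        # Static: permanent private->public mapping that works in both directions
        self.static = dict(static)
        self.reverse_static = {pub: priv for priv, pub in static.items()}
        # Dynamic: public addresses handed out from a pool only while in use
        self.free_pool = list(pool)
        self.dynamic = {}

    def translate_outbound(self, private_ip):
        """Return the public address used for traffic leaving private_ip."""
        if private_ip in self.static:
            return self.static[private_ip]
        if private_ip in self.dynamic:
            return self.dynamic[private_ip]
        if not self.free_pool:
            # Dynamic NAT has no address left to hand out: the host cannot reach the Internet
            raise RuntimeError("NAT pool exhausted for %s" % private_ip)
        public_ip = self.free_pool.pop(0)
        self.dynamic[private_ip] = public_ip
        return public_ip

    def translate_inbound(self, public_ip):
        """Return the private host behind public_ip, or None if nothing maps to it."""
        if public_ip in self.reverse_static:
            return self.reverse_static[public_ip]
        # A dynamic mapping is only reachable from outside while it is active
        for private_ip, pub in self.dynamic.items():
            if pub == public_ip:
                return private_ip
        return None

    def release(self, private_ip):
        """Tear down a dynamic mapping and return its public address to the pool."""
        public_ip = self.dynamic.pop(private_ip, None)
        if public_ip is not None:
            self.free_pool.append(public_ip)


def build_demo_table():
    # Constructed sample: 10.0.0.5 has a static mapping, everyone else shares a pool of two
    return NatTable({"10.0.0.5": "203.0.113.5"}, ["203.0.113.10", "203.0.113.11"])
```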


Tunneling

A tunnel is a private connection that exists over a public network.  Tunneling allows for relatively safe communication over a public network.  There are various tunneling protocols including PPTP and L2TP.