CompTIA® Security+ Exam Notes : Implementing Secure Network Architecture Concepts

3. Architecture and Design

3.2 Given a scenario, implement secure network architecture concepts

The following are the basic types of firewall architectures:

1. Bastion host: A bastion host typically has two network cards, one connected to the Internet and the other to the internal network. A firewall or a proxy is installed on the bastion host providing separation of Internet from the internal network. It can also be a router providing NAT or something similar to it.

2. Screened host gateway: It is implemented with a router (Internet end) in series with a bastion host (acting as application gateway). The router filters the packets, and the application gateway routes the packets to appropriate host computers on the internal network and vice versa.

3. Screened subnet gateway (or DMZ): It includes two screening gateway devices, one on either side of the bastion host. The arrangement involves two subnets, one on each side of the bastion host. The arrangement is also known as a DMZ (Demilitarized Zone). The DMZ is considered the most secure of the three discussed here, since the internal network is separated from the Internet by the DMZ.

SSL/TLS accelerator: SSL (Secure Sockets Layer), or more correctly TLS (Transport Layer Security), involves processor-intensive public-key encryption algorithms. An SSL accelerator offloads this public-key work to dedicated hardware, typically a separate plug-in card, so that the server's CPU is freed for other tasks. An SSL accelerator does not have sniffer functionality.

Load Balancer: A load balancer can be implemented as a software or hardware solution and is usually associated with a device - a router, a firewall, a NAT device, and so on. As the name implies, it is used to spread load across several devices: incoming requests are distributed among a pool of servers, and a server that stops responding is taken out of the pool.
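The following is an added illustration (not code from the original notes) of the distribution and failover behaviour a load balancer provides. It models a pool of three hypothetical web servers (web1, web2, web3 are constructed names), hands out new connections either round-robin or to the server with the fewest active connections, and skips any server whose health probe has failed.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Backend:
    """One member of the server pool behind the load balancer."""
    name: str
    healthy: bool = True   # result of the most recent health probe
    active: int = 0        # connections currently in flight


class LoadBalancer:
    """Hands new connections to healthy backends.

    policy 'rr' = round robin; policy 'lc' = least connections.
    """

    def __init__(self, backends, policy="rr"):
        self.backends = list(backends)
        self.policy = policy
        self._ring = itertools.cycle(range(len(self.backends)))

    def healthy(self):
        return [b for b in self.backends if b.healthy]

    def pick(self):
        """Choose a backend for a new connection and record the connection on it."""
        pool = self.healthy()
        if not pool:
            raise RuntimeError("no healthy backends")
        if self.policy == "lc":
            chosen = min(pool, key=lambda b: b.active)
        else:
            # advance the ring until it lands on a healthy member
            while True:
                chosen = self.backends[next(self._ring)]
                if chosen.healthy:
                    break
        chosen.active += 1
        return chosen.name

    def release(self, name):
        """A connection to `name` has finished."""
        for b in self.backends:
            if b.name == name:
                b.active = max(0, b.active - 1)

    def mark(self, name, healthy):
        """Record a health-probe result for backend `name`."""
        for b in self.backends:
            if b.name == name:
                b.healthy = healthy


def simulate_round_robin():
    """Three picks spread evenly; after web2 fails its probe, it is skipped."""
    lb = LoadBalancer([Backend("web1"), Backend("web2"), Backend("web3")])
    before = [lb.pick() for _ in range(3)]
    lb.mark("web2", False)
    after = [lb.pick() for _ in range(4)]
    return before, after


def simulate_least_connections():
    """Least-connections steers new work to the least busy server."""
    lb = LoadBalancer([Backend("web1"), Backend("web2")], policy="lc")
    lb.pick()            # web1 now has 1 active connection
    lb.pick()            # web2 now has 1
    lb.release("web2")   # web2 back to 0
    return lb.pick()     # web2 is least loaded


if __name__ == "__main__":
    print(simulate_round_robin())
    print(simulate_least_connections())
```

The `mark` call stands in for a health check (an HTTP probe or TCP connect that the balancer would run periodically); the point is that the pool a client sees shrinks and grows without the client noticing.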

Proxy Firewall: Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused.

Correlation engines: A correlation engine is a software application that programmatically understands relationships between events. Correlation engines are used in Security Information and Event Management (SIEM) systems to aggregate, normalize and analyze event log data, using predictive analytics and fuzzy logic to alert the systems administrator when there is a problem.

Scenario: Your company hosts its own web server and email server. You intend to secure the internal resources of the company using a Demilitarized Zone (DMZ). What do you need to create a DMZ?

Solution: If a company intends to host its own servers to be accessed from the public Internet, a DMZ is the preferred solution. The network segment within the DMZ is secured by two firewalls, one interfacing with the public Internet and the other interfacing with the internal corporate network. Thus, a DMZ provides an additional layer of security for the internal corporate network. The types of servers hosted in a DMZ may include web servers, email servers, file servers, DNS servers, etc.
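To make the two-firewall arrangement concrete, here is an added example (not part of the original notes) that models a screened subnet as two first-match rule sets and checks which flows are permitted end to end. The address plan (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network), the port list and the rules are constructed for the illustration; the outer firewall exposes only the DMZ services, and the inner firewall lets DMZ hosts reach a single back-end database port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan: documentation ranges, not a real deployment.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip):
    """Name the zone an address belongs to; anything else is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"


def evaluate(rules, src_zone, dst_zone, port):
    """First matching rule wins; no match means implicit deny."""
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and r.port in (None, port):
            return r.action
    return "deny"


# Outer firewall (Internet side): only the published DMZ services are reachable.
OUTER = [
    Rule("internet", "dmz", 443, "allow"),   # web server
    Rule("internet", "dmz", 25, "allow"),    # mail server
    Rule("internet", "dmz", 53, "allow"),    # DNS
    Rule("dmz", "internet", None, "allow"),
    Rule("internal", "internet", None, "allow"),
]

# Inner firewall (corporate side): DMZ hosts may reach only the database port.
INNER = [
    Rule("dmz", "internal", 5432, "allow"),
    Rule("internal", "dmz", None, "allow"),
    Rule("internal", "internet", None, "allow"),
]


def check_flow(src_ip, dst_ip, port):
    """Allow only if every firewall on the path between the two zones permits the flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"   # same segment: no firewall in the path
    path = []
    if "internet" in (src, dst):
        path.append(OUTER)
    if "internal" in (src, dst):
        path.append(INNER)
    decisions = [evaluate(fw, src, dst, port) for fw in path]
    return "allow" if all(d == "allow" for d in decisions) else "deny"


if __name__ == "__main__":
    for flow in [("203.0.113.9", "192.0.2.10", 443),   # Internet -> DMZ web
                 ("203.0.113.9", "10.0.0.5", 443),     # Internet -> internal
                 ("192.0.2.10", "10.0.0.5", 5432),     # DMZ web -> internal DB
                 ("192.0.2.10", "10.0.0.5", 22),       # DMZ -> internal SSH
                 ("10.0.0.5", "203.0.113.9", 443)]:    # internal -> Internet
        print(flow, check_flow(*flow))
```

The case worth noticing is Internet to internal: it crosses both firewalls, and the outer one already drops it, so even a misconfigured inner firewall would not expose the internal segment directly. The reverse holds for a compromised DMZ host, which is confined by the inner firewall to the one database port.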

The employees of a company typically use an Intranet within the company. The customers and vendors of the company use an Extranet.

Extranet: An Extranet is basically an extension of an Intranet over the public Internet. A typical use is when a company has multiple vendors and does its order processing and inventory control on-line.

Note that, on the other hand, the Internet is accessible to everybody, i.e. the general public.

The benefits of implementing Intranets and Extranets are security and customization. Intranets and Extranets are relatively safe because the general public cannot access these networks. Intranets and Extranets are usually connected securely by means of a Virtual Private Network (VPN).
