CompTIA® Network+ Exam Notes : Use Cases For Advanced Networking Devices

2. Infrastructure

2.3 Use cases for advanced networking devices

Proxy Server: A proxy server, also known as a "proxy" or "application level gateway", is a computer that acts as a gateway between a local network (e.g., all the computers at one company or in one building) and a larger-scale network such as the Internet.

Proxy servers are used to provide improved performance and security. They can also be used to monitor how employees use outside resources such as the World Wide Web.

A proxy server typically works on the transport layer (layer 4) or higher of the OSI model. A Proxy Server can be used to connect all the work stations on the local network to the Internet. In this case, the proxy does Many-to-One address mapping. i.e. it maps several local IP address to one public IP address for enabling Internet access. A proxy server is typically implemented at the application layer of the OSI model.

Proxy servers work as a intermediary between the two ends of a client/server network connection. Proxy servers interface with network applications, most commonly Web browsers and servers.

Reverse proxy server: Acts as a gateway to an HTTP server receiving requests from client and performs TCP multiplexing

Example : Incoming requests for a corporate Web site

Proxy servers provide three main functions:

1. Firewall and network data filtering support : Proxy servers work at the Application layer (layer 7) of the OSI model. They differ from traditional network firewalls that work at lower OSI layers and support application-independent filtering.

2. Network connection sharing : proxy servers are commonly employed to distribute Internet connections across multiple routers and local intranet networks.

3. Data caching : The caching of Web pages by proxy servers can improve a network user's experience in three ways. First, caching may conserve bandwidth on the network, increasing its scalability. Next, caching can improve response time experienced by clients. With an HTTP proxy cache, for example, Web pages can load more quickly into the browser. Finally, proxy server caches increase content availability.

IDS: IDS stands for Intrusion Detection System. IDS detect unauthorized access attempts. There are basically two main types of IDS being used today

  • Network based (a packet monitor),
  • and Host based (looking for instance at system logs for evidence of malicious or suspicious application activity in real time).

Both IPS and IDS are closely related, and IPS is considered as an extension of IDS. If the IDS monitors network wide communication, it is called Network based IDS, and if the IDS monitors security on a per host basis, it is called Host based IDS. Network based IDS collects widespread intrusions effectively.

Host-based intrusion detection system (HIDS): HIDS refers to applications such as spyware or virus applications that are installed on individual network systems. The HIDS monitors and creates logs on the local system.

Protocol-based intrusion detection system (PIDS): The PIDS monitors and analyzes protocols communicating between network devices. A PIDS is often installed on a web server and analyzes traffic HTTP and HTTPS communications.

Application Protocol-Based Intrusion Detection System (APIDS): The APIDS monitors application-specific protocols.

Network-based intrusion detection system (NIDS): The NIDS examines all network traffic to and from network systems. If it is software, it is installed on servers or other systems that can monitor inbound traffic. If it is hardware, it may be connected to a hub or switch to monitor traffic.

Behavior based IDS: A behavior-based system looks for variations in behavior such as unusually high traffic, policy violations, and so on. By looking for deviations in behavior, it can recognize potential threats and quickly respond.

Signature based IDS: A signature-based system, also commonly known as misuse-detection IDS (MD-IDS), is primarily focused on evaluating attacks based on attack signatures and audit trails. Attack signatures describe a generally established method of attacking a system. For example, a TCP flood attack begins with a large number of incomplete TCP sessions. If the MD-IDS knows what a TCP flood attack looks like, it can make an appropriate report or response to thwart the attack. This IDS uses an extensive database to determine the signature of the traffic.

An intrusion prevention system (IPS): An intrusion prevention system is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. IT is a network device that continually scans the network, looking for inappropriate activity. It can shut down any potential threats. The IPS looks for any known signatures of common attacks and automatically tries to prevent those attacks. An IPS is considered a reactive security measure because it actively monitors and can take steps to correct a potential security threat.

Multi layer switch: A multi-layer switch is one that can operate at both Layer 2 and Layer 3 of the OSI model, which means that the multi-layer device can operate as both a switch and a router. Also called a Layer 3 switch, the multi-layer switch is a high-performance device that actually supports the same routing protocols that routers do. It is a regular switch directing traffic within the LAN; in addition, it can forward packets between subnets.

VPN concentrator: A VPN concentrator can be used to increase remote-access security. This device can establish a secure connection (tunnel) between the sending and receiving network devices. VPN concentrators add an additional level to VPN security. Not only can they create the tunnel, but they also can authenticate users, encrypt the data, regulate the data transfer, and control traffic.

VoIP (voice over IP): VoIP is the transmission of voice and multimedia content over Internet Protocol (IP) networks. VoIP historically referred to using IP to connect private branch exchanges (PBXs), but the term is now used interchangeably with IP telephony.

The important elements and the functions of a VOIP network are given below:

a. IP phone: An IP phone is a telephone with an integrated Ethernet connection. Although users speak into a traditional analog handset (or headset) on the IP phone, the IP phone digitizes the spoken voice, packetizes it, and sends it out over a data network (via the IP phone's Ethernet port).

b. Call agent: A call agent is a repository for a VoIP network's dial plan. For example, when a user dials a number from an IP phone, the call agent analyzes the dialed digits and determines how to route the call toward the destination.

c. Gateway: A gateway in a VoIP network acts as a translator between two different telephony signaling environments. In the figure, both gateways interconnect a VoIP network with the PSTN. Also, the gateway on the right interconnects a traditional PBX with a VoIP network. PBX A Private Branch Exchange (PBX) is a privately owned telephone switch traditionally used in corporate telephony systems. Although a PBX is not typically considered a VoIP device, it can connect into a VoIP network through a gateway.

d. Analog phone: An analog phone is a traditional telephone, like you might have in your home. Even though an analog phone is not typically considered a VoIP device, it can connect into a VoIP network via a VoIP or, as shown in the figure, via a PBX, which is connected to a VoIP network.

e. UC servers are typically software-based applications that run real-time services allowing for instant messaging, VoIP, and other services. Some of the most common are Microsoft Lync Server, Skype for Business, and Cisco's Unified Communications Manager.

f. UC devices are client applications that make the communication possible. Microsoft Lync, for example, includes a client for IM, presence, video calls, desktop sharing, voice, and so on.

g. UC gateways make it possible to expand communication possibilities. Lync Server, for example, includes gateways for Extensible Messaging and Presence Protocol (XMPP), thus making it possible for clients to communicate with XMPP servers.


SIP: The Session Initiation Protocol is a communications protocol for signaling and controlling multimedia communication sessions in applications of Internet telephony for voice and video calls. It is a signaling protocol for Internet conferencing, telephony, presence, events notification and instant messaging. SIP is used to create, manage and terminate sessions in an IP based network. A session could be a simple two-way telephone call or it could be a collaborative multi-media conference session. This makes possible to implement services like voice-enriched e-commerce, web page click-to-dial or Instant Messaging with buddy lists in an IP based environment. Don't worry if you don't know about these services.

SIP is the IETF protocol for VOIP and other text and multimedia sessions, like instant messaging, video, online games and other services. The SIP is an IETF application layer protocol for establishing, manipulating, and tearing down sessions. A session could be a simple two-way telephone call or it could be a collaborative multi-media conference session. Used to create and end sessions for one or more media connections, including Voice over IP calls.

Actual voice packets are sent using RTP/RTCP for SIP VOIP calls. RTP opens two ports for communication. One for the media stream (an even port number) and one for control (QoS feedback and media control)- RTCP. Originating source port numbers are dynamically assigned by source host, usually greater than 1023. The following are the recommended port numbers:

H.323: is a recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to provide audio-visual communication sessions on any packet network.

RTP: Real-time Transport Protocol is a network protocol for delivering audio and video over IP networks. RTP is used extensively in communication and entertainment systems that involve streaming media, such as telephony, video teleconference applications. SIP uses RTP and several other protocols for media streaming. RTP is a Layer 4 protocol that carries voice (and interactive video).

SMB: Which stands for Server Message Block, is a protocol for sharing files, printers, serial ports, and communications abstractions such as named pipes and mail slots between computers.

Content filter: Internet content filter is used to block specific types of information from being passed on to the user.

SIEM Security information and event management: is a security solution that helps organizations recognize potential security threats and vulnerabilities before they have a chance to disrupt business operations. It surfaces user behavior anomalies and uses artificial intelligence to automate many of the manual processes associated with threat detection and incident response.

Next generation firewall(NGFW) : A traditional firewall combined with any other network device (such as an intrusion prevention system) to get additional functionalities. A next-generation firewall (NGFW) is a network security device that provides capabilities beyond a traditional, stateful firewall. While a traditional firewall typically provides stateful inspection of incoming and outgoing network traffic, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence. A next-generation firewall (NGFW) is a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS).

Common features of a traditional firewall include support for Network Address Translation (NAT), Port Address Translation (PAT), and Virtual Private Network (VPN) termination, as well as being able to provide a high level of availability and performance.

Traditional firewalls are limited to providing stateful inspection of incoming and outgoing network traffic

Next-generation firewall features:

NGFWs combine many of the capabilities of traditional firewalls - including packet filtering, network address translation (NAT) and port address translation (PAT), URL blocking, and virtual private networks (VPNs) - with quality of service (QoS) functionality and other features that are not found in traditional firewalls. These include intrusion prevention, SSL and SSH inspection, deep-packet inspection, and reputation-based malware detection, as well as application awareness.

NGFW: Common features of a traditional firewall include support for Network Address Translation (NAT), Port Address Translation (PAT), and Virtual Private Network (VPN) termination, as well as being able to provide a high level of availability and performance.

NGFW (short for Next Generation Firewall) offers:

  • Application Awareness,
  • Stateful Inspection,
  • Integrated Intrusion Protection System (IPS),
  • Identity Awareness (User and Group Control),
  • Bridged and Routed Modes,
  • And the ability to utilize external intelligence sources

Physical Access control devices

Cameras Cameras allow for monitoring areas remotely.

HVAC (heating, ventilation, and air conditioning) sensors: These devices provide heating, ventilation, and air conditioning.

Internet of Things (IoT): Includes such devices as refrigerators,smart speakers, smart thermostats, and smart doorbells.

ICS/SCADA Industrial Control Systems (ICS): It is a catchall term for sensors and controls used in industry. A subset of this is SCADA (supervisory control and data acquisition), which refers to equipment often used to manage automated factory equipment, dams, power generators, and similar equipment.

Previous   Contents   Next

Network+ Cram Notes Contents
certexams ad

simulationexams ad