This chapter covers the following official Network+ objectives:
Given a scenario, determine the appropriate placement of networking devices on a network and install/configure them.
Explain the purposes and use cases for advanced network devices.
This chapter covers CompTIA Network+ objectives 2.2 and 2.3. For more information on the official Network+ exam topics, see the “About the Network+ Exam” section in the Introduction.
All but the most basic of networks require devices to provide connectivity and functionality. Understanding how these networking devices operate and identifying the functions they perform are essential skills for any network administrator and are requirements for a Network+ candidate.
This chapter introduces commonly used networking devices. You are not likely to encounter all the devices mentioned in this chapter on the exam, but you can expect to work with at least some of them.
Given a scenario, determine the appropriate placement of networking devices on a network and install/configure them.
CramSaver
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. What is the difference between an active and a passive hub?
2. What is the major difference between a hub and a switch?
3. What are the types of ports found on hubs and switches?
Answers
1. Hubs can be either active or passive. Hubs are considered active when they regenerate a signal before forwarding it to all the ports on the device.
2. Rather than forwarding data to all the connected ports, a switch forwards data only to the port on which the destination system is connected.
3. Hubs and switches have two types of ports: Medium-Dependent Interface (MDI) and Medium-Dependent Interface Crossed (MDI-X).
The best way to think about this chapter is as a catalog of networking devices. The first half looks at devices that you can commonly find in a network of any substantial size. The devices are discussed in alphabetical order to simplify study and include everything from access points to VPN concentrators.
ExamAlert
Remember that this objective begins with “Given a scenario.” That means that you may receive a drag-and-drop, matching, or “live OS” scenario in which you have to click through to complete a specific objective-based task.
A firewall is a networking device, either hardware or software based, that controls access to your organization’s network. This controlled access is designed to protect data and resources from an outside threat. To do this, firewalls typically are placed at a network’s entry/exit points—for example, between an internal network and the Internet. After it is in place, a firewall can control access into and out of that point.
Although firewalls typically protect internal networks from public networks, they are also used to control access between specific network segments within a network. An example is placing a firewall between the Accounts and Sales departments.
As mentioned, firewalls can be implemented through software or through a dedicated hardware device. Organizations implement software firewalls through network operating systems (NOSs) such as Linux/UNIX, Windows Servers, and Mac OS servers. The firewall is configured on the server to allow or block certain types of network traffic. In small offices and for regular home use, a firewall is commonly installed on the local system and is configured to control traffic. Many third-party firewalls are available.
Hardware firewalls are used in networks of all sizes today. Hardware firewalls are often dedicated network devices that can be implemented with little configuration. They protect all systems behind the firewall from outside sources. Hardware firewalls are readily available and often are combined with other devices today. For example, many broadband routers and wireless access points have firewall functionality built in. In such a case, the router or AP might have a number of ports available to plug systems into.
ExamAlert
Remember that a firewall can protect internal networks from public networks and control access between specific network segments.
In a common configuration, routers create larger networks by joining two network segments. A small office/home office (SOHO) router connects a user to the Internet. A SOHO router typically serves 1 to 10 users on the system. A router can be a dedicated hardware device or a computer system with more than one network interface and the appropriate routing software. All modern network operating systems include the functionality to act as a router.
Note
Routers normally create, add, or divide networks or network segments at the network layer of the OSI reference model because they normally are IP-based devices. Chapter 2, “Models, Ports, Protocols, and Networking Services,” covers the OSI reference model in greater detail.
A router derives its name from the fact that it can route data it receives from one network to another. When a router receives a packet of data, it reads the packet’s header to determine the destination address. After the router has determined the address, it looks in its routing table to determine whether it knows how to reach the destination; if it does, it forwards the packet to the next hop on the route. The next hop might be the final destination, or it might be another router. Figure 4.1 shows, in basic terms, how a router works.
Note
You can find more information on network routing in Chapter 3.
FIGURE 4.1 How a router works
A router works at Layer 3 (the network layer) of the OSI model.
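The lookup described above (read the destination address, consult the routing table, forward to the next hop or drop) is easy to see in code. The following is an added example written for this chapter, not code from the book: the routing table entries, addresses and interface names are constructed, and the lookup uses longest-prefix match, which is how real routers choose between overlapping entries (the 10.20.0.0/16 entry wins over 10.0.0.0/8 for a 10.20.x.x destination). The default route 0.0.0.0/0 is what lets a SOHO router send everything it does not know about toward the Internet.

```python
import ipaddress

# Constructed routing table (not from the book): destination prefix, next hop, exit interface.
# The 0.0.0.0/0 entry is the default route used when nothing more specific matches.
ROUTING_TABLE = [
    ("192.168.1.0/24", "directly connected", "eth0"),
    ("10.0.0.0/8", "192.168.1.254", "eth0"),
    ("10.20.0.0/16", "192.168.1.253", "eth0"),
    ("0.0.0.0/0", "203.0.113.1", "eth1"),
]


def build_table(rows):
    """Parse the textual prefixes once so lookups can use ipaddress containment tests."""
    return [(ipaddress.ip_network(prefix), next_hop, iface) for prefix, next_hop, iface in rows]


def lookup(table, destination):
    """Longest-prefix match: of all entries containing the destination, keep the most specific."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    return best


def forward(table, packet):
    """Decide what the router does with one packet given as {'dst': ip, 'ttl': n}."""
    route = lookup(table, packet["dst"])
    if route is None:
        return {"action": "drop", "reason": "no route to host"}
    if packet["ttl"] <= 1:
        # The TTL stops a packet circulating forever between misconfigured routers.
        return {"action": "drop", "reason": "ttl exceeded"}
    prefix, next_hop, iface = route
    return {"action": "forward", "matched": str(prefix), "next_hop": next_hop,
            "interface": iface, "ttl": packet["ttl"] - 1}


if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for ip in ("192.168.1.10", "10.1.1.1", "10.20.5.5", "8.8.8.8"):
        print(ip, forward(table, {"dst": ip, "ttl": 64}))
```

Removing the default route from the table turns the 8.8.8.8 case into a drop with "no route to host", which is exactly the symptom of a router that has no path to the Internet.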
Like hubs, switches are the connectivity points of an Ethernet network. Devices connect to switches via twisted-pair cabling, one cable for each device. The difference between hubs and switches is in how the devices deal with the data they receive. Whereas a hub forwards the data it receives to all the ports on the device, a switch forwards it to only the port that connects to the destination device. It does this by learning the MAC addresses of the devices attached to it and then matching the destination MAC address in the data it receives. Figure 4.2 shows how a switch works. In this case, the switch has learned the MAC addresses of the devices attached to it; when one workstation sends a message intended for another workstation, the switch forwards the message only to the destination workstation and does not send it to the other workstations.
FIGURE 4.2 How a switch works
By forwarding data to only the connection that should receive it, the switch can greatly improve network performance. By creating a direct path between two devices and controlling their communication, the switch can greatly reduce the traffic on the network and therefore the number of collisions. As you might recall, collisions occur on Ethernet networks when two devices attempt to transmit at the same time. In addition, the lack of collisions enables switches to communicate with devices in full-duplex mode. In a full-duplex configuration, devices can send data to and receive data from the switch at the same time. Contrast this with half-duplex communication, in which communication can occur in only one direction at a time. Full-duplex transmission speeds are double that of a standard half-duplex connection. So, a 100 Mbps connection becomes 200 Mbps, and a 1000 Mbps connection becomes 2000 Mbps, and so on.
The net result of these measures is that switches can offer significant performance improvements over hub-based networks, particularly when network use is high.
Irrespective of whether a connection is at full or half duplex, the method of switching dictates how the switch deals with the data it receives. The following is a brief explanation of each method:
Cut-through: In a cut-through switching environment, the packet begins to be forwarded as soon as it is received. This method is fast, but it creates the possibility of errors being propagated through the network because no error checking occurs.
Store-and-forward: Unlike cut-through, in a store-and-forward switching environment, the entire packet is received and error-checked before being forwarded. The upside of this method is that errors are not propagated through the network. The downside is that the error-checking process takes a relatively long time, and store-and-forward switching is considerably slower as a result.
Fragment-free: To take advantage of the error checking of store-and-forward switching, but still offer performance levels nearing that of cut-through switching, fragment-free switching can be used. In a fragment-free switching environment, enough of the packet is read so that the switch can determine whether the packet has been involved in a collision. As soon as the collision status has been determined, the packet is forwarded.
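The two ideas above, MAC learning (which port each address lives on) and the three switching methods, can be demonstrated together in a small simulation. This is an added example for this chapter, not code from the book: the frame layout (destination, source, payload, CRC-32 trailer standing in for the FCS), the port numbers and the MAC addresses are all constructed. A Hub class is included for contrast, since it never learns anything and repeats every frame out of every other port.

```python
import zlib

BROADCAST = bytes.fromhex("ffffffffffff")
MIN_FRAME = 64  # bytes; a frame shorter than this is a collision fragment ("runt")


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, corrupt=False, pad=True):
    """Constructed Ethernet-like frame: dst(6) src(6) payload [padding] FCS(4).

    The FCS is CRC-32 over everything before it. corrupt=True flips one byte after
    the FCS was computed, so the FCS no longer matches; pad=False leaves the frame
    shorter than 64 bytes, i.e. a runt such as a collision would leave behind.
    """
    body = mac(dst) + mac(src) + payload
    if pad:
        body = body.ljust(MIN_FRAME - 4, b"\x00")
    fcs = zlib.crc32(body).to_bytes(4, "big")
    if corrupt:
        body = body[:-1] + bytes([body[-1] ^ 0xFF])
    return body + fcs


def fcs_ok(frame):
    """Store-and-forward error check: recompute the CRC and compare with the trailer."""
    return zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]


class Hub:
    """A hub repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def receive(self, in_port, frame):
        return sorted(p for p in self.ports if p != in_port)


class Switch:
    """Learns source MAC -> port and forwards only to the port that owns the destination."""

    def __init__(self, ports, mode="store-and-forward"):
        assert mode in ("cut-through", "fragment-free", "store-and-forward")
        self.ports = list(ports)
        self.mode = mode
        self.mac_table = {}  # MAC (bytes) -> port number

    def receive(self, in_port, frame):
        """Return (action, output_ports). Dropped frames carry an empty port list."""
        dst, src = frame[:6], frame[6:12]
        self.mac_table[src] = in_port  # learning: remember which port this sender is on
        # Cut-through forwards as soon as the header is read, so it performs no checks at all.
        if self.mode != "cut-through" and len(frame) < MIN_FRAME:
            return ("drop-runt", [])  # fragment-free and store-and-forward both catch collision fragments
        if self.mode == "store-and-forward" and not fcs_ok(frame):
            return ("drop-fcs", [])  # only store-and-forward holds the whole frame, so only it can check the FCS
        if dst != BROADCAST and dst in self.mac_table:
            out_port = self.mac_table[dst]
            if out_port == in_port:
                return ("filter", [])  # destination is on the arriving port; nothing to forward
            return ("forward", [out_port])
        return ("flood", sorted(p for p in self.ports if p != in_port))  # unknown unicast or broadcast
```

The first frame to an unknown destination is flooded exactly like a hub would; once the reply has been seen, the switch knows both ports and every later frame goes to one port only. The same corrupted frame is dropped by the store-and-forward switch but forwarded by the cut-through and fragment-free ones, which is the error-propagation trade-off the text describes.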
In addition to acting as a connection point for network devices, hubs and switches can be connected to create larger networks. This connection can be achieved through standard ports with a special cable or by using special ports with a standard cable.
The ports on a hub to which computer systems are attached are called Medium-Dependent Interface Crossed (MDI-X). The crossed designation is derived from the fact that two of the wires within the connection are crossed so that the send signal wire on one device becomes the receive signal of the other. Because the ports are crossed internally, a standard or straight-through cable can be used to connect devices.
Another type of port, called a Medium-Dependent Interface (MDI) port, is often included on a hub or switch to facilitate the connection of two switches or hubs. Because the hubs or switches are designed to see each other as an extension of the network, there is no need for the signal to be crossed. If a hub or switch does not have an MDI port, hubs or switches can be connected by using a crossover cable between two MDI-X ports. The crossover cable uncrosses the internal crossing. Auto MDI-X ports on more modern network device interfaces can detect whether the connection would require a crossover and automatically choose the MDI or MDI-X configuration to properly match the other end of the link.
ExamAlert
In a crossover cable, wires 1 and 3 and wires 2 and 6 are crossed.
A switch can work at either Layer 2 (the data link layer) or Layer 3 (the network layer) of the OSI model.
At the bottom of the networking food chain, so to speak, are hubs. Hubs are used in networks that use twisted-pair cabling to connect devices. Hubs also can be joined to create larger networks. Hubs are simple devices that direct data packets to all devices connected to the hub, regardless of whether the data packet is destined for the device. This makes them inefficient devices and can create a performance bottleneck on busy networks.
In its most basic form, a hub does nothing except provide a pathway for the electrical signals to travel along. Such a device is called a passive hub. Far more common nowadays is an active hub, which, as well as providing a path for the data signals, regenerates the signal before it forwards it to all the connected devices. In addition, an active hub can buffer data before forwarding it. However, a hub does not perform any processing on the data it forwards, nor does it perform any error checking.
Hubs come in a variety of shapes and sizes. Small hubs with five or eight connection ports are commonly called workgroup hubs. Others can accommodate larger numbers of devices (normally up to 32). These are called high-density devices.
ExamAlert
Because hubs don’t perform any processing, they do little except enable communication between connected devices. For today’s high-demand network applications, something with a little more intelligence is required. That’s where switches come in.
A basic hub works at Layer 1 (the physical layer) of the OSI model.
A bridge, as the name implies, connects two networks. Bridging is done at the first two layers of the OSI model and differs from routing in its simplicity. With routing, a packet is sent to where it is intended to go, whereas with bridging, it is sent away from this network. In other words, if a packet does not belong on this network, it is sent across the bridge with the assumption that it belongs there rather than here.
If one or more segments of the bridged network are wireless, the device is known as a wireless bridge.
A modem (short for modulator/demodulator) is a device that converts the digital signals generated by a computer into analog signals that can travel over conventional phone lines. The modem at the receiving end converts the signal back into a format that the computer can understand. Modems can be used as a means to connect to an ISP or as a mechanism for dialing up a LAN.
Modems can be internal add-in expansion cards or integrated with the motherboard, external devices that connect to a system’s serial or USB port, or proprietary devices designed for use on other devices, such as portables and handhelds.
The term access point can technically be used for either a wired or wireless connection, but in reality it is almost always associated only with a wireless-enabling device. A wireless access point (AP) is a transmitter and receiver (transceiver) device used to create a wireless LAN (WLAN). APs typically are separate network devices with a built-in antenna, transmitter, and adapter. APs use the wireless infrastructure network mode to provide a connection point between WLANs and a wired Ethernet LAN. APs also usually have several ports, giving you a way to expand the network to support additional clients.
Depending on the size of the network, one or more APs might be required. Additional APs are used to allow access to more wireless clients and to expand the range of the wireless network. Each AP is limited by a transmission range—the distance a client can be from an AP and still obtain a usable signal. The actual distance depends on the wireless standard used and the obstructions and environmental conditions between the client and the AP.
ExamAlert
An AP can operate as a bridge connecting a standard wired network to wireless devices or as a router passing data transmissions from one access point to another.
Saying that an AP is used to extend a wired LAN to wireless clients does not give you the complete picture. A wireless AP today can provide different services in addition to just an access point. Today, the APs might provide many ports that can be used to easily increase the network’s size. Systems can be added to and removed from the network with no effect on other systems on the network. Also, many APs provide firewall capabilities and Dynamic Host Configuration Protocol (DHCP) service. When they are hooked up, they give client systems a private IP address and then prevent Internet traffic from accessing those systems. So, in effect, the AP is a switch, DHCP server, router, and firewall.
APs come in all shapes and sizes. Many are cheaper and are designed strictly for home or small office use. Such APs have low-powered antennas and limited expansion ports. Higher-end APs used for commercial purposes have high-powered antennas, enabling them to extend how far the wireless signal can travel.
Note
APs are used to create a wireless LAN and to extend a wired network. APs are used in the infrastructure wireless topology.
An AP works at Layer 2 (the data link layer) of the OSI model.
When you have two dissimilar types of network media, a media converter is used to allow them to connect. They are sometimes referred to as couplers. Depending on the conversion being done, the converter can be a small device, barely larger than the connectors themselves, or a large device within a sizable chassis.
Reasons for not using the same media throughout the network, and thus reasons for needing a converter, can range from cost (gradually moving from coax to fiber), disparate segments (connecting the office to the factory), or needing to run a particular media in a setting (the need for fiber to reduce EMI problems in a small part of the building).
Figure 4.3 shows an example of a media converter. The one shown converts between 10/100/1000TX and 1000LX (with an SC-type connector).
FIGURE 4.3 A common media converter
The following converters are commonly implemented and are ones that CompTIA has previously included on the Network+ exam.
ExamAlert
Make sure you know that the possibilities listed here exist:
Single mode fiber to Ethernet
Single mode to multimode fiber
Multimode fiber to Ethernet
Fiber to coaxial
A wireless range extender (also called a repeater or booster) can amplify a wireless signal to make it stronger. This increases the distance that the client system can be placed from the access point and still be on the network. The extender needs to be set to the same channel as the AP for the repeater to take the transmission and repeat it. This is an effective strategy to increase wireless transmission distances.
ExamAlert
Carefully read troubleshooting question scenarios to be sure the transmission from the AP is getting to the repeater first, and then the repeater is duplicating the signal and passing it on.
In the world of Voice over IP (VoIP), an endpoint is any final destination for a voice call. That final destination can be a physical device (such as a physical telephone handset), a software application, or a server. Endpoints are used with the Session Initiation Protocol (SIP). To illustrate some of the possibilities, Cisco publishes an 18-page endpoint product matrix (available at https://www.cisco.com/c/dam/en/us/products/collateral/collaboration-endpoints/sales-tool-c96-739424.pdf).
The information in this chapter is important for the Network+ exam. To summarize the coverage of network devices to this point, Table 4.1 lists some of the key points about each device. You should learn this information well.
TABLE 4.1 Network Devices Summary
ExamAlert
You will be expected to know the function of the devices mentioned in this chapter. Review Table 4.1. Make sure that you understand each device and how and why it is used on the network.
Cram Quiz
1. Users are complaining that the network’s performance is unsatisfactory. It takes a long time to pull files from the server, and, under heavy loads, workstations can become disconnected from the server. The network is heavily used, and a new videoconferencing application is about to be installed. The network is a 1000BASE-T system created with Ethernet hubs. Which device are you most likely to install to alleviate the performance problems?
A. Switch
B. Router
C. Media converter
D. Firewall
2. Which of the following devices forwards data packets to all connected ports?
A. Router
B. Switch
C. Content filter
D. Hub
3. Which of the following devices passes data based on the MAC address?
A. Hub
B. Switch
C. MSAU
D. Router
Answers
1. A. Replacing Ethernet hubs with switches can yield significant performance improvements. Of the devices listed, switches are also the only ones that can be substituted for hubs. A router is used to separate networks, not as a connectivity point for workstations. A media converter is used to connect two dissimilar types of network media. A firewall is not a solution to the problem presented.
2. D. Hubs are inefficient devices that send data packets to all connected devices. Switches pass data packets to the specific destination device. This method significantly increases network performance.
3. B. When determining the destination for a data packet, the switch learns the MAC address of all devices attached to it and then matches the destination MAC address in the data it receives. None of the other devices listed passes data based solely on the MAC address.
CramSaver
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. What can distribute incoming data to specific application servers and help distribute the load?
2. True or false: A multilayer switch operates as both a router and a switch.
3. Your company is looking to add a hardware device to the network that can increase redundancy and data availability as it increases performance by distributing the workload. What use case might this example technology apply to?
Answers
1. A content switch can distribute incoming data to specific application servers and help distribute the load.
2. True. A multilayer switch operates as both a router and a switch.
3. A load balancer can be either a software or hardware component, and it increases redundancy and data availability as it increases performance by distributing the workload.
In addition to the networking devices discussed previously, CompTIA wants you to be aware of 12 others for the Network+ exam. The exam expects you to be able to explain the purposes and identify actual use cases for the advanced networking devices covered in this section.
ExamAlert
Notice that this objective contains the wording “use cases”: this is new to the Network+ exam objectives and means that you should expect questions that contain phrasing such as “Common use cases for this technology/device are…”
It used to be that networking devices and the functions they performed were separate. Bridges, routers, hubs, and more existed but were separate devices. Over time, the functions of some individual network devices became integrated into a single device. This is true of multilayer switches.
A multilayer switch is one that can operate at both Layer 2 and Layer 3 of the OSI model, which means that the multilayer device can operate as both a switch and a router. Also called a Layer 3 switch, the multilayer switch is a high-performance device that supports the same routing protocols that routers do. It is a regular switch directing traffic within the LAN; in addition, it can forward packets between subnets.
ExamAlert
A multilayer switch operates as both a router and a switch.
A content switch is another specialized device. A content switch is not as common on today’s networks, mostly due to cost. A content switch examines the network data it receives, decides where the content is intended to go, and forwards it. The content switch can identify the application that data is targeted for by associating it with a port. For example, if data uses the Simple Mail Transfer Protocol (SMTP) port, it could be forwarded to an SMTP server.
Content switches can help with load balancing because they can distribute requests across servers and target data to only the servers that need it, or distribute data between application servers. For example, if multiple mail servers are used, the content switch can distribute requests between the servers, thereby sharing the load evenly. This is why the content switch is sometimes called a load-balancing switch.
ExamAlert
A content switch can distribute incoming data to specific application servers and help distribute the load.
Wireless controllers are often used with branch/remote office deployments for wireless authentication. When an AP boots, it authenticates with a controller before it can start working as an AP. This is often used with VLAN pooling, in which multiple interfaces are treated as a single entity (usually for load balancing).
Network servers are the workhorses of the network. They are relied on to hold and distribute data, maintain backups, secure network communications, and more. The load of servers is often a lot for a single server to maintain. This is where load balancing comes into play. Load balancing is a technique in which the workload is distributed among several servers. This feature can take networks to the next level; it increases network performance, reliability, and availability.
ExamAlert
Remember that load balancing increases redundancy and therefore data availability. Also, load balancing increases performance by distributing the workload.
A load balancer can be either a hardware device or software specially configured to balance the load.
Note
Multilayer switches and DNS servers can serve as load balancers.
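The following is an added example for this chapter (not code from the book) showing the two things a load balancer does for the network: it distributes the workload across a pool, and it provides redundancy by taking a failed server out of rotation. The server names and addresses are constructed. Two scheduling methods are shown, round-robin and least-connections, and the small dns_round_robin function illustrates the note above about DNS servers acting as load balancers by rotating the order of the addresses they answer with.

```python
class LoadBalancer:
    """Constructed example of a load balancer in front of a server pool.

    "round-robin" rotates through the healthy servers; "least-connections"
    sends each new request to the healthy server with the fewest in-flight
    requests. Unhealthy servers are skipped, which is where redundancy comes from.
    """

    def __init__(self, servers, algorithm="round-robin"):
        assert algorithm in ("round-robin", "least-connections")
        self.servers = list(servers)
        self.algorithm = algorithm
        self.healthy = {s: True for s in self.servers}
        self.active = {s: 0 for s in self.servers}  # in-flight connections per server
        self._next = 0

    def set_health(self, server, is_up):
        """Result of a health probe; a failed server is removed from rotation."""
        self.healthy[server] = is_up

    def pick(self):
        """Choose a server for one new request, or None when the whole pool is down."""
        pool = [s for s in self.servers if self.healthy[s]]
        if not pool:
            return None
        if self.algorithm == "round-robin":
            server = pool[self._next % len(pool)]
            self._next += 1
        else:
            # Tie-break on pool order so the choice is deterministic.
            server = min(pool, key=lambda s: (self.active[s], pool.index(s)))
        self.active[server] += 1
        return server

    def release(self, server):
        """Called when a request completes so least-connections sees the real load."""
        self.active[server] -= 1

    def dispatch(self, n):
        """Assign n simultaneous requests and return the server chosen for each."""
        return [self.pick() for _ in range(n)]


def dns_round_robin(records, query_number):
    """DNS-based balancing: rotate the answer order on each query so different
    resolvers see a different first address. Addresses are constructed."""
    shift = query_number % len(records)
    return records[shift:] + records[:shift]


if __name__ == "__main__":
    lb = LoadBalancer(["web1", "web2", "web3"])
    print(lb.dispatch(6))
    lb.set_health("web2", False)   # health check failed; traffic keeps flowing to the rest
    print(lb.dispatch(4))
    print(dns_round_robin(["192.0.2.1", "192.0.2.2", "192.0.2.3"], 1))
```

With web2 marked down, the next four requests alternate between web1 and web3 and no client ever sees the failure, which is the availability benefit the ExamAlert refers to.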
An intrusion detection system (IDS) is a passive detection system. The IDS can detect the presence of an attack and then log that information. It also can alert an administrator to the potential threat. The administrator then analyzes the situation and takes corrective measures if needed.
A variation on the IDS is the Intrusion Prevention System (IPS), which is an active detection system. With IPS, the device continually scans the network, looking for inappropriate activity. It can shut down any potential threats. The IPS looks for any known signatures of common attacks and automatically tries to prevent those attacks. An IPS is considered an active/reactive security measure because it actively monitors and can take steps to correct a potential security threat.
Following are several variations on IDSs/IPSs:
Behavior based: A behavior-based system looks for variations in behavior such as unusually high traffic, policy violations, and so on. By looking for deviations in behavior, it can recognize potential threats and quickly respond.
Signature based: A signature-based system, also commonly known as a misuse-detection system (MD-IDS/MD-IPS), is primarily focused on evaluating attacks based on attack signatures and audit trails. Attack signatures describe a generally established method of attacking a system. For example, a TCP flood attack begins with a large number of incomplete TCP sessions. If the MD-IDS knows what a TCP flood attack looks like, it can make an appropriate report or response to thwart the attack. This IDS uses an extensive database to determine the signature of the traffic.
Network-based intrusion detection/prevention system (NIDS or NIPS): The system examines all network traffic to and from network systems. If it is software, it is installed on servers or other systems that can monitor inbound traffic. If it is hardware, it may be connected to a hub or switch to monitor traffic.
Host-based intrusion detection/prevention system (HIDS or HIPS): This refers to applications, such as antispyware or antivirus software, that are installed on individual network systems. The system monitors and creates logs on the local system.
ExamAlert
The four types of IDS/IPS tested on the exam are behavior based, signature based, network based, and host based.
Proxy servers typically are part of a firewall system. They have become so integrated with firewalls that the distinction between the two can sometimes be lost.
However, proxy servers perform a unique role in the network environment—a role that is separate from that of a firewall. For the purposes of this book, a proxy server is defined as a server that sits between a client computer and the Internet and looks at the web page requests the client sends. For example, if a client computer wants to access a web page, the request is sent to the proxy server rather than directly to the Internet. The proxy server first determines whether the request is intended for the Internet or for a web server locally. If the request is intended for the Internet, the proxy server sends the request as if it originated the request. When the Internet web server returns the information, the proxy server returns the information to the client. Although a delay might be induced by the extra step of going through the proxy server, the process is largely transparent to the client that originated the request. Because each request a client sends to the Internet is channeled through the proxy server, the proxy server can provide certain functionality over and above just forwarding requests.
One of the most notable extra features is that proxy servers can greatly improve network performance through a process called caching. When a caching proxy server answers a request for a web page, the server makes a copy of all or part of that page in its cache. Then, when the page is requested again, the proxy server answers the request from the cache rather than going back to the Internet. For example, if a client on a network requests the web page www.comptia.org, the proxy server can cache the contents of that web page. When a second client computer on the network attempts to access the same site, that client can grab it from the proxy server cache, and accessing the Internet is unnecessary. This greatly increases the response time to the client and can significantly reduce the bandwidth needed to fulfill client requests.
Nowadays, speed is everything, and the capability to quickly access information from the Internet is a crucial concern for some organizations. Proxy servers and their capability to cache web content accommodate this need for speed.
An example of this speed might be found in a classroom. If a teacher asks 30 students to access a specific uniform resource locator (URL) without a proxy server, all 30 requests would be sent into cyberspace and subjected to delays or other issues that could arise. The classroom scene with a proxy server is quite different. Only one request of the 30 finds its way to the Internet; the other 29 are filled by the proxy server’s cache. Web page retrieval can be almost instantaneous.
However, this caching has a potential drawback. When you log on to the Internet, you get the latest information, but this is not always so when information is retrieved from a cache. For some web pages, it is necessary to go directly to the Internet to ensure that the information is up to date. Some proxy servers can update and renew web pages, but they are always one step behind.
The second key feature of proxy servers is allowing network administrators to filter client requests. If a server administrator wants to block access to certain websites, a proxy server enables this control, making it easy to completely disallow access to some websites. This is okay, but what if it were necessary to block numerous websites? This is when maintaining proxy servers gets a bit more complicated.
Determining which websites users can or cannot access is usually done through something called an access control list (ACL). Chapter 3 discussed how an ACL can be used to provide rules for which port numbers or IP addresses are allowed access. An ACL can also be a list of allowed or nonallowed websites; as you might imagine, compiling such a list can be a monumental task. Given that millions of websites exist, and new ones are created daily, how can you target and disallow access to the “questionable” ones? One approach is to reverse the situation and deny access to all pages except those that appear in an “allowed” list. This approach has high administrative overhead and can greatly limit the productive benefits available from Internet access.
Understandably, it is impossible to maintain a list that contains the locations of all sites with questionable content. In fairness, that is not what proxy servers were designed to do. However, by maintaining a list, proxy servers can better provide a greater level of control than an open system. Along the way, proxy servers can make the retrieval of web pages far more efficient.
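The caching and filtering behavior described in the preceding paragraphs can be reproduced in a few dozen lines. This is an added example for this chapter, not code from the book: the FakeInternet class, the page contents, the hostnames and the clock are all constructed so that the example runs offline. It shows the classroom scene (30 requests, one origin fetch), the staleness drawback (the cache keeps serving the old page until its time-to-live expires), and both ACL styles, a denylist of blocked hosts and the stricter allowlist that denies everything not explicitly permitted.

```python
import time


class FakeInternet:
    """Constructed stand-in for the origin web servers; counts how often the proxy reaches out."""

    def __init__(self):
        self.pages = {"http://www.comptia.org/": "CompTIA home page, version 1"}
        self.hits = 0

    def fetch(self, url):
        self.hits += 1
        return self.pages.get(url, "404 Not Found")


class CachingProxy:
    """Forward proxy with a response cache and a hostname ACL.

    ACL modes: a denylist blocks the named hosts and allows the rest; an allowlist
    (when given) allows only the named hosts and blocks everything else.
    """

    def __init__(self, origin_fetch, ttl_seconds=60, denylist=(), allowlist=None, clock=time.time):
        self.origin_fetch = origin_fetch
        self.ttl = ttl_seconds
        self.denylist = {h.lower() for h in denylist}
        self.allowlist = {h.lower() for h in allowlist} if allowlist is not None else None
        self.clock = clock  # injectable so a test can fast-forward time
        self.cache = {}     # url -> (body, fetched_at)

    @staticmethod
    def host_of(url):
        return url.split("//", 1)[-1].split("/", 1)[0].lower()

    def allowed(self, url):
        host = self.host_of(url)
        if self.allowlist is not None:
            return host in self.allowlist
        return host not in self.denylist

    def get(self, url):
        if not self.allowed(url):
            return {"status": 403, "source": "acl"}
        now = self.clock()
        cached = self.cache.get(url)
        if cached and now - cached[1] < self.ttl:
            # Served from cache: fast, but possibly stale if the origin changed meanwhile.
            return {"status": 200, "source": "cache", "body": cached[0], "age": now - cached[1]}
        body = self.origin_fetch(url)
        self.cache[url] = (body, now)
        return {"status": 200, "source": "origin", "body": body, "age": 0}


def classroom(proxy, url, students=30):
    """The classroom scene: how many requests reach the Internet versus the cache."""
    sources = [proxy.get(url)["source"] for _ in range(students)]
    return sources.count("origin"), sources.count("cache")


if __name__ == "__main__":
    net = FakeInternet()
    proxy = CachingProxy(net.fetch, denylist=["blocked.example"])
    print(classroom(proxy, "http://www.comptia.org/"), "origin hits:", net.hits)
    print(proxy.get("http://blocked.example/anything")["status"])
```

The TTL is the knob that trades freshness for bandwidth: a long TTL means fewer origin fetches but a longer window in which clients see outdated content.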
A reverse proxy server is one that resides near the web servers and responds to requests. These are often used for load balancing purposes because each proxy can cache information from a number of servers.
A VPN concentrator can be used to increase remote-access security. This device can establish a secure connection (tunnel) between the sending and receiving network devices.
The concentrator sits between the VPN client and the VPN server, creates the tunnel, authenticates users using the tunnel, and encrypts data traveling through the tunnel.
VPN concentrators add an additional level to VPN security. Depending on the exact concentrator, they can do the following:
Create the tunnel.
Authenticate users who want to use the tunnel.
Encrypt and decrypt data.
Regulate and monitor data transfer across the tunnel.
Control inbound and outbound traffic as a tunnel endpoint or router.
The VPN concentrator invokes various standard protocols to accomplish these functions.
Among the potential issues network administrators face when implementing remote access are utilization and the load on the remote-access server. As a network’s remote-access implementation grows, reliance on a single remote-access server might be impossible, and additional servers might be required. RADIUS can help in this scenario.
ExamAlert
RADIUS is a protocol that enables a single server to become responsible for all remote-access authentication, authorization, and auditing (or accounting) services; this is referred to as AAA.
RADIUS functions as a client/server system. The remote user dials in to the remote-access server, which acts as a RADIUS client, or network access server (NAS), and connects to a RADIUS server. The RADIUS server performs authentication, authorization, and auditing (or accounting) functions and returns the information to the RADIUS client (which is a remote-access server running RADIUS client software); the connection is either established or rejected based on the information received.
Note
To learn more about AAA/RADIUS, visit www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrad.html.
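The client/server exchange just described, as an added example that is not from the book: a Python sketch of the NAS (RADIUS client) building an Access-Request and the RADIUS server answering Accept or Reject, using the RFC 2865 User-Password hiding and the Response Authenticator that lets the client check the reply came from a holder of the shared secret. The secret, user and password are constructed values; only the authentication step is modeled (no authorization attributes or accounting), and framing is limited to the two attributes shown.

```python
import hashlib, os, struct
# Constructed sample secret; a real NAS and RADIUS server each hold their own configured copy.
SHARED_SECRET = b"constructed-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RADIUS attribute types

def _xor_chain(data, secret, req_auth, hiding):
    """Each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (result if hiding else block)  # chain on the ciphertext block
    return out
def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a multiple of 16 bytes
    return _xor_chain(padded, secret, req_auth, hiding=True)

def reveal_password(hidden, secret, req_auth):
    return _xor_chain(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")
def _tlv(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, username, password, secret):
    """NAS (RADIUS client) side: Access-Request with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = _tlv(USER_NAME, username) + _tlv(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def _parse_attrs(raw):
    attrs, pos = {}, 0
    while pos + 2 <= len(raw) and raw[pos + 1] >= 2:   # each attribute: type, length, value
        attrs[raw[pos]] = raw[pos + 2:pos + raw[pos + 1]]
        pos += raw[pos + 1]
    return attrs

def radius_server(request, secret, user_db):
    """Server side: check the credential and answer Accept/Reject, signed by the shared secret."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], _parse_attrs(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if user_db.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes in this example
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(response, request, secret):
    """Client side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

A server configured with a different secret cannot recover the password and rejects the request, and the client rejects any reply whose Response Authenticator does not verify.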
A firewall can employ a variety of methods to ensure security. In addition to the role just described, modern firewall applications can perform a range of other functions, often through the addition of add-on modules directed at the application layer (Layer 7) of the OSI model; they are then often referred to as Unified Threat Management (UTM) devices or Next Generation Firewalls (NGFW). UTMs can include the following functionality:
Content filtering: Most firewalls can be configured to provide some level of content filtering. This can be done for both inbound and outbound content. For instance, the firewall can be configured to monitor inbound content, restricting certain locations or particular websites. Firewalls can also limit outbound traffic by prohibiting access to certain websites by maintaining a list of URLs and IP addresses. This is often done when organizations want to control employee access to Internet sites.
Signature identification: A signature is a unique identifier for a particular application. In the antivirus world, a signature is an algorithm that uniquely identifies a specific virus. Firewalls can be configured to detect certain signatures associated with malware or other undesirable applications and block them before they enter the network.
Virus scanning services: As web pages are downloaded, content within the pages can be checked for viruses. This feature is attractive to companies concerned about potential threats from Internet-based sources.
Network Address Translation (NAT): To protect the identity of machines on the internal network, and to allow more flexibility in internal TCP/IP addressing structures, many firewalls translate the originating address of data into a different address. This address is then used on the Internet. The most common type of NAT is Port Address Translation (PAT), enabling multiple devices on the network to share one single public address (or a few). NAT is a popular function because it works around the limited availability of TCP/IP addresses in IPv4. When the migration to IPv6 becomes complete, the need for NAT will lessen.
URL filtering: By using a variety of methods, the firewall can choose to block certain websites from being accessed by clients within the organization. This blocking allows companies to control what pages can be viewed and by whom.
Bandwidth management: Although it is required in only certain situations, bandwidth management can prevent a certain user or system from hogging the network connection. The most common approach to bandwidth management is to divide the available bandwidth into sections and then make a certain section available to a user or system.
Other: Although the preceding functions are the most common, UTMs can also be used for network intrusion IDS/IPS, VPN, data loss prevention (DLP), and load balancing, as well as to enable logging and monitoring features.
These functions are not strictly firewall activities. However, the flexibility offered by a firewall, coupled with its placement at the edge of a network, makes a firewall the ideal base for controlling access to external resources.
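The PAT behavior described under NAT above, as an added example that is not from the book: a small Python model of the translation table a firewall keeps for one public address. Two inside hosts that happen to use the same source port get distinct public ports, replies are mapped back to the right inside host, and inbound packets with no matching entry are dropped. The public address, inside network and remote hosts are constructed values; the gateway is told its inside network explicitly (a real gateway knows this from its interface configuration).

```python
import ipaddress

class PatGateway:
    """Port Address Translation table for one public IP address (constructed example)."""

    def __init__(self, public_ip, inside_net, first_port=40000):
        self.public_ip = public_ip
        self.inside_net = ipaddress.ip_network(inside_net)   # the LAN behind the gateway
        self.next_port = first_port
        self.by_public_port = {}   # public port -> (private_ip, private_port, remote)
        self.by_flow = {}          # (private_ip, private_port, remote) -> public port

    def outbound(self, src_ip, src_port, remote):
        """Map an internal flow to (public_ip, public_port); reuse an existing mapping."""
        flow = (src_ip, src_port, remote)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_public_port[self.next_port] = flow
            self.next_port += 1
        return self.public_ip, self.by_flow[flow]

    def inbound(self, public_port, remote):
        """Map a reply back to the inside host, or return None (drop) if no flow matches."""
        flow = self.by_public_port.get(public_port)
        if flow is None or flow[2] != remote:   # entry must exist and belong to this remote peer
            return None
        return flow[0], flow[1]

def translate(gw, packet):
    """Rewrite one packet ({'src': (ip, port), 'dst': (ip, port)}) as it crosses the gateway."""
    src_ip, src_port = packet["src"]
    dst_ip, dst_port = packet["dst"]
    if ipaddress.ip_address(src_ip) in gw.inside_net:       # leaving the LAN: hide the real source
        return {"src": gw.outbound(src_ip, src_port, packet["dst"]), "dst": packet["dst"]}
    if dst_ip == gw.public_ip:                              # returning: restore the inside host
        inside = gw.inbound(dst_port, packet["src"])
        return None if inside is None else {"src": packet["src"], "dst": inside}
    return None                                             # neither direction: not ours, drop
```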
ExamAlert
You can expect to see exam questions on the types of firewalls and their characteristics. For example, you should know the differences between software and hardware firewalls and understand stateful inspection versus stateless packet filtering firewalls.
When telephone technology is married with information technology, the result is called telephony. Companies have moved massively from landlines to Voice over IP (VoIP) to save money. One of the biggest administrative issues with VoIP is security: with both data and VoIP on the same line, both are vulnerable in the case of an attack. Standard telephone systems should be replaced with a securable PBX.
A VoIP gateway, also sometimes called a PBX gateway, can be used to convert between the legacy telephony connection and a VoIP connection using SIP (Session Initiation Protocol). This is referred to as a “digital gateway” because the voice media are converted in the process.
ExamAlert
Be sure that you know that by having both data and VoIP on the same line, they are both vulnerable in the case of an attack.
A content filter is any software that controls what a user is allowed to peruse and is most often associated with websites. Using a content filter, an employer can block access to pornographic sites to all users, some users, or even just an individual user. The filter can be applied as software on client machines (known as client-side filters), on a proxy server on the network (a server-side filter), at the Internet service provider (ISP), or even within the search engine itself. The latter is most commonly used on home machines.
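An added example, not from the book, that serves both the content filter described here and the earlier proxy ACL discussion of allowed versus nonallowed sites: a Python host-based URL filter that runs in deny-list mode (block what is listed, let everything else through) or allow-list mode (permit only what is listed). A listed domain also covers its subdomains, a raw IP literal has to be listed exactly, and a malformed URL is blocked in either mode. The host lists and URLs are constructed values.

```python
import ipaddress
from urllib.parse import urlsplit

class UrlFilter:
    """Host-based URL filter in deny-list or allow-list mode (constructed example)."""

    def __init__(self, mode, hosts):
        if mode not in ("deny", "allow"):
            raise ValueError("mode must be 'deny' or 'allow'")
        self.mode = mode
        self.hosts = {h.lower().rstrip(".") for h in hosts}   # normalized list entries

    def _on_list(self, host):
        """A listed domain also covers its subdomains; an IP literal must be listed exactly."""
        try:
            ipaddress.ip_address(host)
            return host in self.hosts
        except ValueError:
            pass
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.hosts for i in range(len(labels)))

    def decide(self, url):
        """Return 'allow' or 'block' for one requested URL."""
        host = (urlsplit(url).hostname or "").rstrip(".")   # hostname is already lowercased
        if not host:
            return "block"                                  # malformed request: fail closed
        listed = self._on_list(host)
        if self.mode == "deny":
            return "block" if listed else "allow"           # unknown sites get through
        return "allow" if listed else "block"               # unknown sites are blocked
```

The two modes disagree exactly on the sites nobody has classified yet, which is why a deny list is easy to run but leaky and an allow list is tight but costly to maintain.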
1. Which of the following can serve as load balancers?
A. IDS and DNS servers
B. Multilayer switches and IPS
C. Multilayer switches and DNS servers
D. VoIP PBXs and UTM appliances
2. Which of the following is the best answer for a device that continually scans the network, looking for inappropriate activity?
A. IPS
B. NGFW
C. VCPN
D. AAA
3. Which of the following is the best answer for any software that controls what a user is allowed to peruse and is most often associated with websites?
A. IDS
B. Proxy server
C. RADIUS server
D. Content filter
4. You want to add a protocol to the network that enables a single server to become responsible for all remote-access authentication, authorization, and auditing (or accounting) services. Which use case is the best example of this?
A. VPN
B. RADIUS
C. UTM
D. VoIP
Cram Quiz Answers
1. C. Multilayer switches and DNS servers can serve as load balancers.
2. A. An intrusion prevention system (IPS) is a device that continually scans the network, looking for inappropriate activity.
3. D. A content filter is any software that controls what a user is allowed to peruse and is most often associated with websites.
4. B. RADIUS is a protocol that enables a single server to become responsible for all remote-access authentication, authorization, and auditing (or accounting) services.
Chapter 5, “WAN Technologies,” looks at wide-area networks (WANs) and reviews the characteristics of various WAN technologies. Many of today’s network environments are not restricted to a single location or LAN. Instead, many networks span great distances, making WAN knowledge essential for the network administrator.