Tech

Advanced IP Networking–NETWORKING, SECURITY, & MORE ESSENTIALS—CompTIA Network+ (N10-007) NETWORK-PLUS Certification Prep Course Notes

May 14, 2021 /

Advanced IP Networking

Advanced Networking Devices

  • Understand IP Tunneling
    • Very few Internet protocols are encrypted!
    • Tunnels can encapsulate unencrypted protocols to create encrypted communication channels.
    • Tunnels are often used with remote access connections.
    • A tunnel starts by making an encrypted connection between 2 computers.
    • Tunnels are used to provide encryption where there normally isn’t any.
    • They are used to encrypt unencrypted protocols.
  • VPNs (Virtual Private Networks)
    • A VPN creates a secure tunnel so a remote machine or network can be part of a local network.
    • A ‘client-to-client‘ VPN connects a remote computer to a local network.
    • A ‘site-to-site‘ VPN connects distant networks into a single network.
  • Remote Connections Challenges
    • LAN often uses private IP addressing
    • Remote device needs private & public IP address:
      • Public address to get to the network
      • Private IP address to reach the LAN

VPN–tunnel connection for remote computers to get to a designated endpoint.

  • Types of VPN:
    • Note: (the client side will be told which type to use by the people who set up the other side of the VPN.)
    • PPTP (Point to Point Tunneling Protocol)
    • L2TP/IPsec (Layer 2 Tunneling Protocol with IP Security)
    • SSTP (Secure Socket Tunneling Protocol)
  • VPN concentrators‘ can be a dedicated device that acts as an endpoint for the network.
  • Note: The best solution to make an encrypted tunnel using SSH is to piggyback a VPN session over an SSH connection.
  • In order to connect to a host over a VPN, the host must have a VPN server or concentrator.
  • VPN’s encapsulate endpoint private addresses within packets that have Internet public addresses.
  • Intro to VLANs (Virtual LAN)
    • A VLAN splits one broadcast domain into two or more broadcast domains.
    • A managed switch that supports VLANs requires configuration.
    • Trunking enables VLANs to be on more than one switch.
    • 2 types of switches:
      • Unmanaged switches–simple devices; only do switching.
      • Managed switches–offer other features (i.e.–VLANs).
    • Managed switches have IP addresses that enable connection & configuration;
      • Use Cisco Network Assistant (CNA) to configure Cisco routers;
      • VTP–(VLAN Trunk Protocol)–proprietary Cisco protocol.
  • InterVLAN Routing
    • VLANS create separate broadcast domains
    • Connect the broadcast domains with physical routers
    • Broadcast domains can be connected with virtual routers using interVLAN routing.
      • InterVLAN routing acts like one or more virtual routers.
      • A router can connect 2 VLANs
      • Higher-end switches offer interVLAN routing.
  • Interface with Managed Switches
    • Managed switches require configuration.
    • Connect to a managed switch via an IP address or a console port.
    • Cisco routers & switches use a proprietary OS.
    • A console port can be used to connect to and manage a switch or router.
  • Switch Port Protection
    • Switch ports do not use IP addresses or work with Layer 3 (Switches are Layer 2!)
    • Switch interconnections use STP to detect looping by deactivating the port, if necessary.
    • STP (Spanning Tree Protocol)
    • BPDU (Bridge Protocol Data Units) guard is a Cisco method allowing only ‘non-switch’ devices to connect to the switch.
    • DHCP snooping
  • Port Bonding
    • (aka “NIC teaming”, “link aggregation”, “channel bonding”, “port trunking”, etc.)
    • Port Bonding links switchports to increase bandwidth.
    • Use LACP for the trunking protocol (Link Aggregation Control Protocol)
      • LACP is a Cisco protocol to bind switch ports into a single, load-distributed channel.
    • Set ports to active
      • “Active-active” & “active-passive” combinations will both work (but not “passive-passive”!)
    • Make group first, then assign switch ports to group.
      • Group = port channel
  • Port Mirroring
    • Port mirroring enables the traffic flowing through one port to be monitored on another port. Inbound & outbound traffic from the specified port.
    • This feature enables administrators to remotely inspect traffic from a suspicious machine.
    • Port mirroring is configured on a switch by providing a source port and a destination port.
  • Quality of Service
    • enables the prioritization of different traffic types as bandwidth approaches a connections maximum capacity!
    • Quality of Service controls help better manage available bandwidth.
    • One type of QoS is traffic shaping.
    • Simple QoS on SOHO routers allows priority setting for different protocols.
  • IDS vs IPS
    • IDS (Intrusion Detection Systems) detect & report possible attacks to the administrators.
      IPS (Intrusion Prevention Systems) run in-line with networks & act to stop detected attacks; IPS in-band actively stops or rejects!
    • A firewall filters, IDS notifies, IPS acts to stop!
  • Proxy Servers
    • Forward proxy servers hide the clients from the server by forwarding the message to the server. (Usually a dedicated box or software in an organization (eg-schools).)
    • Forward proxy servers can be configured for caching, content filtering, & firewall capability.
    • Reverse proxy servers hide the server, and can provide load balancing & caching for high activity pages.
    • Proxy servers are application-specific (web proxy, or FTP proxy or VoIP proxy)
    • (Note: Tor networks also exist for hiding well. Tor networks create a complicated backward trail by re-routing through multiple intermediaries.)
    • Transparent proxy–must be inline (but don’t require the configuration info).

Proxy Server: A “proxy” by definition is a device, a box, a piece of software running on a computer, which acts as an intermediary between 2 different devices having a session.

  • Forward Proxy Servers (hides the clients):
    • Dedicated box or software
    • In an organization (e.g. schools)
    • Caching
    • Content filtering
    • Acts like a firewall
    • Can prevent the client from visiting certain sites.
  • Reverse Proxy Servers (hide the servers):
    • Their job is to protect the server from evil people
    • High Security
    • Handle DoS (Denial of Service) attacks
    • Load balancing
    • Caching
    • Encryption acceleration
  • Load Balancing (2 main kinds: DNS solutions & server-side solutions)
    • Load balancing can be configured as client-side or server-side, & provides high availability.
    • Load balancing can route to the most available server, either by a configured list (round robin, CDNS) or by least response time.
    • Server-side load balancing uses a sophisticated hardware device that is located within the server. (Can use clustering)
    • Delegation–reverse lookup zones.
    • Clustering
    • A load balancer evenly distributes requests across multiple servers, so they all provide roughly equal services.
  • Device Placement Scenarios
    • DMZs (demilitarized zones) are used to protect public-facing servers by creating an isolated area for those devices.
    • Two firewalls are used in a DMZ:
      • one allowing unsolicited traffic to the public service (Edge Firewall);
      • and, the second maintaining isolation of the private network (Interior Firewall);
    • Internal firewalls can be used to block specific access for areas that may need additional restrictions but still function within the main domain.
    • Critical nodes are IT department assets whose loss would stop the organization from functioning until the loss is recovered.
    • Password length & the use of additional character space are 2 important characteristics of password strength & complexity.

You May Also Like

BIOS & Intro to Core Hardware & Firmware—CompTIA A+ (220-1001) A-PLUS Certification Prep Course Notes

May 5, 2021

A Comment on Comments In Programming Languages…

May 24, 2021

Amazon’s “Sidewalk” Mesh Network Goes Live; All Devices Are Opted-In Automatically By Default

June 8, 2021