
Topologies and IDS • Chapter 7  471

                 Exam Objectives Fast Track



                 Security Topologies


                       A DMZ is a network segment where systems that must be reachable from
                         the public Internet are housed and which offers some basic level of
                         protection against attacks.
                       DMZ segments are usually created by placing systems between two
                         firewall devices that have different rule sets. This allows systems on
                         the Internet to connect to the offered services on the DMZ systems but
                         not to the computers on the internal segments of the organization
                         (often called the protected network). The inner firewall's rule set
                         should also limit what a DMZ host can reach inward, so that a
                         compromised public server does not become a foothold on the protected
                         network.
                       A private internal network is called the intranet, as opposed to the
                         Internet (which is the large publicly accessible network). Traffic on
                         an intranet is expected to be protected from outside attack or
                         compromise, but only to the extent that the perimeter devices actually
                         enforce that separation.
                       An extranet is a special topology that is implemented in certain cases
                         where there is a need to allow access to some of the internal network data
                         and resources by users outside of the internal network.
                       Using the VLAN features of managed switches, you can logically split
                         one switch into two (or more) broadcast domains, creating network
                         segments that are separate from one another even though they share
                         the same physical hardware. The split is logical, not physical: frames
                         carry an 802.1Q VLAN tag, and traffic crosses from one VLAN to another
                         only through a router or Layer 3 switch.
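The two-firewall DMZ described above, modelled as two independent first-match rule sets with a default deny. This is an added example, not material from the study guide: the address plan, the host roles (a web server and a mail relay in the DMZ, a database on the protected network) and the rule sets are assumptions chosen for illustration. It shows the asymmetry the text describes, and also why the inner firewall must be as specific as the outer one.

```python
"""Two-firewall DMZ modelled as two independent first-match rule sets.

Added example for illustration; the address plan, host roles and rules are
assumptions, not taken from the study guide."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Assumed address plan: a documentation range for the DMZ and private space
# for the protected (internal) network; anything else is "the Internet".
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")

WEB = ip_network("192.0.2.10/32")    # public web server in the DMZ (assumed)
MAIL = ip_network("192.0.2.25/32")   # public mail relay in the DMZ (assumed)
DB = ip_network("10.0.5.20/32")      # internal database the web server needs (assumed)


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src: IPv4Address, dst: IPv4Address, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


# Outer firewall: between the Internet and the DMZ.
OUTER_FW = [
    Rule(ANY, WEB, 443, "allow"),        # the public may reach the web server
    Rule(ANY, MAIL, 25, "allow"),        # and the mail relay
    Rule(INTERNAL, ANY, None, "allow"),  # internal users may go out
    Rule(DMZ, ANY, None, "allow"),       # DMZ hosts may go out (updates, DNS)
    # anything else, including Internet -> internal, falls to the default deny
]

# Inner firewall: between the DMZ and the protected network.
INNER_FW = [
    Rule(WEB, DB, 5432, "allow"),        # only the web server, only to the DB port
    Rule(INTERNAL, ANY, None, "allow"),  # internal hosts may reach the DMZ and beyond
    # any other DMZ -> internal attempt is denied by default
]


def zone(addr: IPv4Address) -> str:
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "internet"


# Which firewalls a flow crosses, in order, for each (source zone, destination zone).
PATHS = {
    ("internet", "dmz"): [OUTER_FW],
    ("internet", "internal"): [OUTER_FW, INNER_FW],
    ("dmz", "internal"): [INNER_FW],
    ("dmz", "internet"): [OUTER_FW],
    ("internal", "dmz"): [INNER_FW],
    ("internal", "internet"): [INNER_FW, OUTER_FW],
}


def allowed(src: str, dst: str, dport: int) -> bool:
    """A flow is permitted only if every firewall on its path permits it."""
    s, d = ip_address(src), ip_address(dst)
    path = PATHS.get((zone(s), zone(d)))
    if path is None:          # same-zone traffic never crosses a firewall
        return True
    return all(evaluate(fw, s, d, dport) == "allow" for fw in path)


if __name__ == "__main__":
    # Constructed sample flows: an outside client, the DMZ hosts, an admin workstation.
    for flow in [("203.0.113.7", "192.0.2.10", 443),   # Internet -> web: allow
                 ("203.0.113.7", "192.0.2.10", 22),    # Internet -> web ssh: deny
                 ("203.0.113.7", "10.0.5.20", 5432),   # Internet -> internal DB: deny
                 ("192.0.2.10", "10.0.5.20", 5432),    # web -> DB: allow
                 ("192.0.2.10", "10.0.5.20", 22),      # compromised web -> DB ssh: deny
                 ("192.0.2.25", "10.0.5.20", 5432),    # mail relay -> DB: deny
                 ("10.0.1.5", "192.0.2.10", 22),       # admin -> DMZ ssh: allow
                 ("10.0.1.5", "203.0.113.7", 443)]:    # internal -> Internet: allow
        print(flow, "allow" if allowed(*flow) else "deny")
```

The check worth carrying over to a real deployment is the fifth and sixth flows: a DMZ host that is compromised should be able to reach exactly the internal service it needs and nothing else, which only holds if the inner rule set names individual hosts and ports rather than "DMZ to internal".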

                       NAT is a feature of many firewalls, proxies, and routing-capable systems.
                         NAT has several benefits, one of which is its ability to hide the IP
                         addresses and network design of the internal network. Hiding the
                         internal network from the Internet reduces the risk of intruders
                         gleaning information about the network and exploiting that information
                         to gain access: without the structure of the network, its layout, and
                         the names and IP addresses of its systems, an intruder has less to
                         work with. NAT is obscurity rather than access control, however. A NAT
                         device drops unsolicited inbound packets only because it holds no
                         state entry to deliver them to, and it does nothing to stop an
                         internal host from initiating a connection to a hostile address.
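The hiding effect of NAT described above, shown as a minimal source NAT with port translation (the common "many private addresses behind one public address" case). This is an added example, not material from the study guide: the public address, the internal hosts, the remote hosts and the port numbers are constructed for illustration. It shows why two internal hosts become indistinguishable from outside, why an unsolicited probe is dropped, and the caveat that an internal host connecting out to a hostile address creates the very state entry that lets that host's traffic back in.

```python
"""Source NAT with port translation (PAT) as a minimal state table.

Added example for illustration; addresses, ports and the hosts involved are
assumptions, not taken from the study guide."""
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class SourceNat:
    """Rewrites outbound packets to a single public address and remembers the
    mapping so that replies can be delivered to the right internal host."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # (private_ip, private_port, dst_ip, dst_port) -> public source port
        self._outbound: Dict[Flow, int] = {}
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self._inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Translate a packet leaving the internal network; create state if new."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._outbound:
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self._outbound[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Translate a packet arriving from the Internet. Returns None when no
        state entry matches: the packet is dropped, not because NAT filters it,
        but because there is no internal address to deliver it to."""
        if dst_ip != self.public_ip:
            return None
        target = self._inbound.get((dst_port, src_ip, src_port))
        if target is None:
            return None
        return (src_ip, src_port, target[0], target[1])


def demo() -> dict:
    """Constructed traffic: two internal hosts, one legitimate web server,
    one hostile host, and one unsolicited probe from outside."""
    nat = SourceNat("198.51.100.1")
    # Both hosts happen to use the same private source port; NAT gives each a distinct public port.
    out_a = nat.outbound("10.0.0.5", 51000, "93.184.216.34", 443)
    out_b = nat.outbound("10.0.0.6", 51000, "93.184.216.34", 443)
    # The web server's reply carries only the public address; NAT maps it back to host A.
    reply_a = nat.inbound("93.184.216.34", 443, "198.51.100.1", out_a[1])
    # An unsolicited probe at the public address has no state entry and is dropped.
    probe = nat.inbound("203.0.113.9", 12345, "198.51.100.1", 22)
    # Caveat: an internal host that connects out to a hostile address opens its own path back.
    out_c = nat.outbound("10.0.0.5", 52000, "203.0.113.9", 4444)
    from_hostile = nat.inbound("203.0.113.9", 4444, "198.51.100.1", out_c[1])
    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a,
            "probe": probe, "out_c": out_c, "from_hostile": from_hostile}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

From outside, both web connections appear to come from 198.51.100.1 on two arbitrary ports, which is the hiding effect the text describes; the last two lines of the demo are the reason NAT still needs an outbound policy in front of it.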

                       Tunneling is used to create a virtual point-to-point connection between
                         you and your destination using an untrusted public network as the
                         medium. In most cases, this would be the Internet. When you establish a
                         secure tunnel, commonly called a VPN, you are creating a safe connection



                                                                              www.syngress.com