CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [29]
Figure 1.14 illustrates the creation of three VLANs in a single network.
Network Address Translation
Network Address Translation (NAT) creates a unique opportunity to assist in the security of a network. Originally, NAT extended the number of usable Internet addresses. Now it allows an organization to present a single address to the Internet for all computer connections. The NAT server provides IP addresses to the hosts or systems in the network and tracks inbound and outbound traffic.
A company that uses NAT presents a single connection to the network. This connection may be through a router or a NAT server. The only information that an intruder will be able to get is that the connection has a single address.
NAT effectively hides your network from the world, making it much harder to determine what systems exist on the other side of the router. The NAT server effectively operates as a firewall for the network. Most new routers support NAT; it provides a simple, inexpensive firewall for small networks.
FIGURE 1.14 A typical segmented VLAN
It’s important to understand that NAT acts as a proxy between the local area network (which can be using private IP addresses) and the Internet. Not only can NAT save IP addresses, but it can also act as a firewall.
Most NAT implementations assign internal hosts private IP address numbers and use public addresses only for the NAT to translate to and communicate with the outside world. The private address ranges are as follows:
10.0.0.0-10.255.255.255
172.16.0.0-172.31.255.255
192.168.0.0-192.168.255.255
Figure 1.15 shows a router providing NAT services to a network. The router presents a single address for all external connections on the Internet.
FIGURE 1.15 A typical Internet connection to a local network
In addition to NAT, Port Address Translation (PAT) is possible. Whereas NAT can use multiple public IP addresses, PAT uses a single one and shares the port with the network. Because it is only using a single port, PAT is much more limited and typically only used on small and home-based networks. Microsoft’s Internet Connection Sharing is an example of a PAT implementation.
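To make the NAT/PAT behavior described above concrete, here is a small added simulation (not code from the study guide): it checks an address against the three private ranges listed earlier and models a PAT gateway that maps many inside hosts onto one public address by port, so that only traffic matching an existing outbound flow is translated back inward. The public address 203.0.113.5 and the inside hosts are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# The three RFC 1918 private ranges quoted in the text, in CIDR form
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass
class PatGateway:
    """Toy PAT gateway: one public IP shared by many inside hosts via ports."""
    public_ip: str                      # constructed sample, e.g. 203.0.113.5
    next_port: int = 40000              # first public port handed out
    # (inside_ip, inside_port) -> public_port
    outbound: dict = field(default_factory=dict)
    # public_port -> (inside_ip, inside_port)
    inbound: dict = field(default_factory=dict)

    def translate_out(self, src_ip: str, src_port: int):
        """Rewrite an outbound packet's source to the public IP and a public
        port; the same inside flow always reuses its allocated port."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, self.outbound[key])

    def translate_in(self, dst_port: int):
        """Map an inbound packet back to the inside host that opened the flow.
        Returns None when no flow exists, i.e. unsolicited inbound traffic is
        dropped, which is the firewall-like effect the text describes."""
        return self.inbound.get(dst_port)
```

Outside observers only ever see 203.0.113.5 with varying ports; the inside addresses never appear on the wire.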
IP addressing is a subject on the Network+ exam, as opposed to Security+, but CompTIA still expects you to know the basics. In addition to understanding the concept behind NAT, you should know that subnetting is how networks are divided. RFCs 1466 and 1918 detail subnetting and can be found at http://www.faqs.org/rfcs/.
Tunneling
Tunneling refers to creating a virtual dedicated connection between two systems or networks. You create the tunnel between the two ends by encapsulating the data in a mutually agreed-upon protocol for transmission. In most tunnels, the data passed through the tunnel appears at the other side as part of the network.
Tunneling protocols usually include data security as well as encryption. Several popular standards have emerged for tunneling, with the most popular being the Layer 2 Tunneling Protocol (L2TP).
Tunneling sends private data across a public network by placing (encapsulating) that data into other packets. Most tunnels are virtual private networks (VPNs).
Figure 1.16 shows a connection being made between two networks across the Internet. To each end of the network, this appears to be a single connection.
FIGURE 1.16 A typical tunnel
Addressing Business Concerns
An organization or business is well served if it makes a conscious examination of its security situation. This examination includes identifying assets, doing a comprehensive risk assessment, identifying threats, and evaluating vulnerabilities. These four components will help the business principals understand what they’re up against and how to cost-effectively address these issues.
The following sections explain the various business requirements