Chapter 5: Securing the Network Infrastructure
Security+ Guide to Network Security Fundamentals
Second Edition
Objectives
• Work with the network cable plant
• Secure removable media
• Harden network devices
• Design network topologies
Working with the Network Cable Plant
• Cable plant: physical infrastructure of a network (wire, connectors, and cables) used to carry data communication signals between equipment
• Three types of transmission media:
– Coaxial cables
– Twisted-pair cables
– Fiber-optic cables
Coaxial Cables
• Coaxial cable was the main type of copper cabling used in computer networks for many years
• Has a single copper wire at its center surrounded by insulation and shielding
• Called “coaxial” because it houses two (co) axes or shafts―the copper wire and the shielding
• Thick coaxial cable has a copper wire in center surrounded by a thick layer of insulation that is covered with braided metal shielding
Coaxial Cables (continued)
• Thin coaxial cable looks similar to the cable that carries a cable TV signal
• A braided copper mesh channel surrounds the insulation and everything is covered by an outer shield of insulation for the cable itself
• The copper mesh channel protects the core from interference
• BNC connectors: connectors used on the ends of a thin coaxial cable
Twisted-Pair Cables
• Standard for copper cabling used in computer networks today, replacing thin coaxial cable
• Composed of two insulated copper wires twisted around each other and bundled together with other pairs in a jacket
Twisted-Pair Cables (continued)
• Shielded twisted-pair (STP) cables have a foil shielding on the inside of the jacket to reduce interference
• Unshielded twisted-pair (UTP) cables do not have any shielding
• Twisted-pair cables have RJ-45 connectors
Fiber-Optic Cables
• Coaxial and twisted-pair cables have copper wire at the center that conducts an electrical signal
• Fiber-optic cable uses a very thin cylinder of glass (core) at its center instead of copper; the core transmits light impulses
• A glass tube (cladding) surrounds the core
• The core and cladding are protected by a jacket
Fiber-Optic Cables (continued)
• Classified by the diameter of the core and the diameter of the cladding
– Diameters are measured in microns, each is about 1/25,000 of an inch or one-millionth of a meter
• Two types:
– Single-mode fiber cables: used when data must be transmitted over long distances
– Multimode cable: supports many simultaneous light transmissions, generated by light-emitting diodes
Securing the Cable Plant
• Securing cabling outside the protected network is not the primary security issue for most organizations
• Focus is on protecting access to the cable plant in the internal network
• An attacker who can access the internal network directly through the cable plant has effectively bypassed the network security perimeter and can launch his attacks at will
Securing the Cable Plant (continued)
• The attacker can capture packets as they travel through the network by sniffing
– The hardware or software that performs such functions is called a sniffer
• Physical security
– First line of defense
– Protects the equipment and infrastructure itself
– Has one primary goal: to prevent unauthorized users from reaching the equipment or cable plant in order to use, steal, or vandalize it
Securing Removable Media
• Securing critical information stored on a file server can be achieved through strong passwords, network security devices, antivirus software, and door locks
• An employee copying data to a floppy disk or CD and carrying it home poses two risks:
– Storage media could be lost or stolen, compromising the information
– A worm or virus could be introduced to the media, potentially damaging the stored information and infecting the network
Magnetic Media
• Record information by changing the magnetic direction of particles on a platter
• Floppy disks were some of the first magnetic media developed
• The capacity of today’s 3 1/2-inch disks is 1.4 MB
• Hard drives contain several platters stacked in a closed unit, each platter having its own head or apparatus to read and write information
• Magnetic tape drives record information in a serial fashion
Optical Media
• Optical media use a principle for recording information different from magnetic media
• A high-intensity laser burns a tiny pit into the surface of an optical disc to record a one, but does nothing to record a zero
• Capacity of optical discs varies by type
• A Compact Disc-Recordable (CD-R) disc can record up to 650 MB of data
• Data cannot be changed once recorded
Optical Media (continued)
• A Compact Disc-Rewriteable (CD-RW) disc can be used to record data, erase it, and record again
• A Digital Versatile Disc (DVD) can store much larger amounts of data
– DVD formats include Digital Versatile Disc-Recordable (DVD-R), which can record once up to 3.95 GB on a single-sided disc and 7.9 GB on a double-sided disc
Electronic Media
• Electronic media use flash memory for storage
– Flash memory is a solid state storage device―everything is electronic, with no moving or mechanical parts
• SmartMedia cards range in capacity from 2 MB to 128 MB
• The card itself is only 45 mm long, 37 mm wide, and less than 1 mm thick
Electronic Media (continued)
• CompactFlash card
– Consists of a small circuit board with flash memory chips and a dedicated controller chip encased in a shell
– Comes in 3.3 mm and 5.5 mm thicknesses and stores between 8 MB and 192 MB of data
• USB memory stick is becoming very popular
– Can hold between 8 MB and 1 GB of memory
Keeping Removable Media Secure
• Protecting removable media involves making sure that antivirus and other security software are installed on all systems that may receive a removable media device, including employee home computers
Hardening Network Devices
• Each device that is connected to a network is a potential target of an attack and must be properly protected
• Network devices to be hardened are categorized as:
– Standard network devices
– Communication devices
– Network security devices
Hardening Standard Network Devices
• A standard network device is a typical piece of equipment that is found on almost every network, such as a workstation, server, switch, or router
• This equipment has basic security features that you can use to harden the devices
Workstations and Servers
• Workstation: personal computer attached to a network (also called a client)
– Connected to a LAN and shares resources with other workstations and network equipment
– Can be used independently of the network and can have their own applications installed
• Server: computer on a network dedicated to managing and controlling the network
• Basic steps to harden these systems are outlined on page 152
Switches and Routers
• Switch
– Most commonly used in Ethernet LANs
– Receives a packet from one network device and sends it to the destination device only
– Limits the collision domain (part of network on which multiple devices may attempt to send packets simultaneously)
• A switch is used within a single network
• Routers connect two or more single networks to form a larger network
Switches and Routers (continued)
• Switches and routers must also be protected against attacks
• Switches and routers can be managed using the Simple Network Management Protocol (SNMP), part of the TCP/IP protocol suite
• Software agents are loaded onto each network device to be managed
Switches and Routers (continued)
• Each agent monitors network traffic and stores that information in its management information base (MIB)
• A computer with SNMP management software (SNMP management station) communicates with software agents on each network device and collects the data stored in the MIBs
• Page 154 lists defensive controls that can be set for switches and routers
Hardening Communication Devices
• A second category of network devices consists of those that communicate over longer distances
• Include:
– Modems
– Remote access servers
– Telecom/PBX Systems
– Mobile devices
Modems
• Most common communication device
• Broadband is increasing in popularity and can create network connection speeds of 15 Mbps and higher
• Two popular broadband technologies:
– Digital Subscriber Line (DSL) transmits data at 15 Mbps over regular telephone lines
– Another broadband technology uses the local cable television system
Modems (continued)
• A computer connects to a cable modem, which is connected to the coaxial cable that brings cable TV signals to the home
• Because cable connectivity is shared in a neighborhood, other users can use a sniffer to view traffic
• Another risk with DSL and cable modem connections is that broadband connections are charged at a set monthly rate, not by the minute of connect time
Remote Access Servers
• Set of technologies that allows a remote user to connect to a network through the Internet or a wide area network (WAN)
• Users run remote access client software and initiate a connection to a Remote Access Server (RAS), which authenticates users and passes service requests to the network
Remote Access Servers (continued)
• Remote access clients can run almost all network-based applications without modification
– Possible because remote access technology supports both drive letters and universal naming convention (UNC) names
• Minimum security features are listed on page 158
Telecom/PBX Systems
• Term used to describe a Private Branch eXchange
• The definition of a PBX comes from the words that make up its name:
– Private
– Branch
– eXchange
Mobile Devices
• As cellular phones and personal digital assistants (PDAs) have become increasingly popular, they have become the target of attackers
• Some defenses against attacks on these devices use real-time data encryption and passwords to protect the system so that an intruder cannot “beam” a virus through a wireless connection
Hardening Network Security Devices
• The final category of network devices includes those designed and used strictly to protect the network
• Include:
– Firewalls
– Intrusion-detection systems
– Network monitoring and diagnostic devices
Firewalls
• Typically used to filter packets
• Designed to prevent malicious packets from entering the network or its computers (sometimes called a packet filter)
• Typically located outside the network security perimeter as first line of defense
• Can be software or hardware configurations
Firewalls (continued)
• Software firewall runs as a program on a local computer (sometimes known as a personal firewall)
– Enterprise firewalls are software firewalls designed to run on a dedicated device and protect a network instead of only one computer
– One disadvantage is that it is only as strong as the operating system of the computer
Firewalls (continued)
• Filter packets in one of two ways:
– Stateless packet filtering: permits or denies each packet based strictly on the rule base
– Stateful packet filtering: records state of a connection between an internal computer and an external server; makes decisions based on connection and rule base
• Can perform content filtering to block access to undesirable Web sites
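The difference between the stateless and stateful filtering described on this slide, as an added Python example that is not part of the original slides. The internal range, the web-only rule base, the addresses and the simplified connection teardown are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed internal range
ALLOWED_OUT_PORTS = {80, 443}                        # assumed rule base: web only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags carried by this packet


def P(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def direction(pkt):
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return "out"
    if is_internal(pkt.dst) and not is_internal(pkt.src):
        return "in"
    return "other"


def stateless_allow(pkt):
    """Judge each packet against the rule base alone; nothing is remembered."""
    if direction(pkt) == "out":
        return pkt.dport in ALLOWED_OUT_PORTS
    if direction(pkt) == "in":
        # A reply can only be recognised by its appearance: web source port + ACK.
        return pkt.sport in ALLOWED_OUT_PORTS and "ACK" in pkt.flags
    return False


class StatefulFilter:
    """Rule base plus a table of connections opened from the inside."""

    def __init__(self):
        self.connections = set()  # (int_ip, int_port, ext_ip, ext_port)

    def allow(self, pkt):
        way = direction(pkt)
        if way == "out":
            if pkt.dport not in ALLOWED_OUT_PORTS:
                return False
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags:
                self.connections.add(key)       # record the new connection
            elif key not in self.connections:
                return False
        elif way == "in":
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.connections:
                return False                     # no matching state: drop
        else:
            return False
        if pkt.flags & {"FIN", "RST"}:
            self.connections.discard(key)        # simplified teardown
        return True


# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE_TRAFFIC = [
    P("10.0.0.5", 40000, "203.0.113.10", 443, "SYN"),         # client opens HTTPS
    P("203.0.113.10", 443, "10.0.0.5", 40000, "SYN", "ACK"),  # genuine reply
    P("198.51.100.7", 443, "10.0.0.9", 3389, "ACK"),          # unsolicited, reply-shaped
    P("10.0.0.5", 40000, "203.0.113.10", 443, "RST"),         # client closes
    P("203.0.113.10", 443, "10.0.0.5", 40000, "ACK"),         # arrives after close
]


def evaluate(traffic):
    """Return (stateless_verdict, stateful_verdict) for each packet in order."""
    stateful = StatefulFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(SAMPLE_TRAFFIC, evaluate(SAMPLE_TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{sorted(pkt.flags)} stateless={sl} stateful={sf}")
```

The third and fifth packets satisfy the rule base on their own, so only the filter that tracks connection state rejects them.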
Firewalls (continued)
• An application layer firewall can defend against worms better than other kinds of firewalls
– Reassembles and analyzes packet streams instead of examining individual packets
Intrusion-Detection Systems (IDSs)
• Devices that establish and maintain network security
• Active IDS (or reactive IDS) performs a specific function when it senses an attack, such as dropping packets or tracing the attack back to a source
– Installed on the server or, in some instances, on all computers on the network
• Passive IDS sends information about what happened, but does not take action
Intrusion-Detection Systems (IDSs) (continued)
• Host-based IDS monitors critical operating system files and computer’s processor activity and memory; scans event logs for signs of suspicious activity
• Network-based IDS monitors all network traffic instead of only the activity on a computer
– Typically located just behind the firewall
• Other IDS systems are based on behavior:
– Watch network activity and report abnormal behavior
– Result in many false alarms
Network Monitoring and Diagnostic Devices
• SNMP enables network administrators to:
– Monitor network performance
– Find and solve network problems
– Plan for network growth
• Managed device:
– Network device that contains an SNMP agent
– Collects and stores management information and makes it available to SNMP
Designing Network Topologies
• Topology: physical layout of the network devices, how they are interconnected, and how they communicate
• Essential to establishing its security
• Although network topologies can be modified for security reasons, the network still must reflect the needs of the organization and users
Security Zones
• One of the keys to mapping the topology of a network is to separate secure users from outsiders through:
– Demilitarized Zones (DMZs)
– Intranets
– Extranets
Demilitarized Zones (DMZs)
• Separate networks that sit outside the secure network perimeter
• Outside users can access the DMZ, but cannot enter the secure network
• For extra security, some networks use a DMZ with two firewalls
• The types of servers that should be located in the DMZ include:
– Web servers
– E-mail servers
– Remote access servers
– FTP servers
Intranets
• Networks that use the same protocols as the public Internet, but are only accessible to trusted inside users
• Disadvantage is that it does not allow remote trusted users access to information
Extranets
• Sometimes called a cross between the Internet and an intranet
• Accessible to users that are not trusted internal users, but trusted external users
• Not accessible to the general public, but allows vendors and business partners to access a company Web site
Network Address Translation (NAT)
• “You cannot attack what you do not see” is the philosophy behind Network Address Translation (NAT) systems
• Hides the IP addresses of network devices from attackers
• Computers are assigned special IP addresses (known as private addresses)
Network Address Translation (NAT) (continued)
• These IP addresses are not assigned to any specific user or organization; anyone can use them on their own private internal network
• Port address translation (PAT) is a variation of NAT
• Each packet is given the same IP address, but a different TCP port number
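How a PAT gateway keeps internal hosts apart while presenting one address, as an added Python sketch that is not part of the original slides. The `PatGateway` class, the public address, the starting port and the sample hosts are hypothetical; the private ranges are the RFC 1918 blocks, which the slides do not list.

```python
import ipaddress

# RFC 1918 private address blocks (not listed on the slides).
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class PatGateway:
    """Hypothetical PAT device: one public IP, one public port per internal flow."""

    def __init__(self, public_ip, first_port=50000, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.back_map = {}  # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet; returns the translated 4-tuple."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        key = (src_ip, src_port)
        if key not in self.out_map:
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            self.out_map[key] = self.next_port
            self.back_map[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, public_port):
        """Map a reply back to the internal host, or None if no mapping exists."""
        return self.back_map.get(public_port)


def demo():
    gw = PatGateway("203.0.113.1")  # constructed documentation address
    # Two internal hosts that happen to use the same source port.
    a = gw.outbound("192.168.1.10", 51515, "198.51.100.20", 443)
    b = gw.outbound("192.168.1.11", 51515, "198.51.100.20", 443)
    return {
        "host_a_seen_as": a[:2],
        "host_b_seen_as": b[:2],
        "reply_to_50001": gw.inbound(50001),
        "unsolicited_50002": gw.inbound(50002),  # nothing inside asked for this
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

An inbound packet addressed to a port with no table entry has no internal destination, which is why hosts behind the gateway are not directly reachable from outside.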
Honeypots
• Computers located in a DMZ loaded with software and data files that appear to be authentic
• Intended to trap or trick attackers
• Two-fold purpose:
– To direct attacker’s attention away from real servers on the network
– To examine techniques used by attackers
Virtual LANs (VLANs)
• Segment a network with switches to divide the network into a hierarchy
• Core switches reside at the top of the hierarchy and carry traffic between switches
• Workgroup switches are connected directly to the devices on the network
• Core switches must work faster than workgroup switches because core switches must handle the traffic of several workgroup switches
Virtual LANs (VLANs) (continued)
• Segment a network by grouping similar users together
• Instead of segmenting by user, you can segment a network by separating devices into logical groups (known as creating a VLAN)
Summary
• Cable plant: physical infrastructure (wire, connectors, and cables that carry data communication signals between equipment)
• Removable media used to store information include:
– Magnetic storage (removable disks, hard drives)
– Optical storage (CD and DVD)
– Electronic storage (USB memory sticks, FlashCards)
Summary (continued)
• Network devices (workstations, servers, switches, and routers) should all be hardened to repel attackers
• A network’s topology plays a critical role in resisting attackers
• Hiding the IP address of a network device can help disguise it so that an attacker cannot find it