By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Switches connect devices together in a network, and routers connect networks together within a local area network (LAN) and provide physical segmentation between systems and networks. Virtual local area networks (VLANs) increase security by logically segmenting traffic with a switch, similar to how a router physically segments traffic between networks. Physical security methods protect routers and switches.

Voice over Internet Protocol (VoIP) is used to transfer multimedia and voice communications over IP networks, including the Internet. Secure Real-time Transport Protocol (SRTP) provides confidentiality, authentication, and replay protection for VoIP signals.

Proxy servers improve the speed of Internet access for users and can also filter traffic. Retrieved web pages are cached on the proxy server, and the proxy server serves these cached web pages instead of using Internet bandwidth to retrieve the web page from the Internet again. Website filtering allows a proxy to block a user’s access to specific website locations. Most proxy servers also have NAT installed to translate private and public IP addresses.

Firewalls are an important security element in a network and for individual computers. Packet-filtering firewalls can filter traffic based on IP addresses, ports, and some protocols by using the protocol ID. Stateful inspection firewalls identify active TCP and UDP sessions and can open and close firewall ports dynamically based on the needs of active connections. An application firewall includes different elements to examine specific commands used by different protocols, such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transport Protocol (SMTP). Next-generation firewalls and unified threat management (UTM) devices add more filtering capabilities such as blocking malware, filtering spam, and URL filtering.

A DMZ is commonly created with two firewalls from separate vendors to achieve defense diversity. This is in line with an overall defense in depth strategy. Even if a vulnerability appears in one firewall, it’s unlikely a vulnerability will appear in both firewalls at the same time. Additionally, to succeed in penetrating an internal network that employs defense diversity, an attacker must have in-depth knowledge about firewalls from two vendors.

Firewalls can be network-based or host-based. A network-based firewall protects traffic going into or out of an overall network, while a host-based firewall protects traffic for an individual system. Network-based firewalls are typically hardware-based, while host-based firewalls typically run as an additional software component on a server or desktop system. Using both network-based and host-based systems is part of an overall defense in depth strategy.

Many organizations provide access to their internal network through a VPN remote access solution. A VPN provides access to the private network over a public network such as the Internet. VPNs use a tunneling protocol to encapsulate the protocols needed on the internal network. Tunneling protocols include Secure Shell (SSH), Layer 2 Forwarding (L2F), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Internet Protocol security (IPsec), and Transport Layer Security (TLS). When using TLS, users often only need a web browser to connect to the VPN server.

Authentication protocols used for remote access include Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAPv1), MS-CHAPv2, Extensible Authentication Protocol (EAP), Remote Authentication Dial-in User Service (RADIUS), Diameter, and Terminal Access Controller Access Control System+ (TACACS+). RADIUS, Diameter, and TACACS+ also provide authentication, authorization, and accounting.

Traffic shaping devices can delay certain types of traffic, such as audio and video streaming traffic, so that it doesn’t consume as much bandwidth. This gives other traffic a higher priority. WAN optimization can use traffic shaping to improve VPN connections.

Network access control (NAC) helps protect internal networks by differentiating between healthy and unhealthy systems and restricting access of unhealthy systems to quarantined networks. NAC is very useful with remote access because remote clients aren’t directly controlled by the organization and can have varying levels of security applied. NAC can also be used within the organization to ensure that unhealthy clients are isolated from healthy clients.

Virtualization refers to replacing hardware with software. Host systems include a hypervisor that creates, runs, and manages virtual machines (VMs), also known as guest systems. Virtual desktop infrastructures (VDIs) provide users with a virtual desktop that can be persistent or nonpersistent. Software-defined networking (SDN) separates the data plane and control plane, providing logical segmentation within a network. An important security step with virtualization is to keep all hosts and guests up to date with current patches.

Cloud computing includes Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). A public cloud can be accessed by anyone. A private cloud is used by only a single organization. A hybrid cloud is a combination of any two or more clouds. Although cloud computing provides reduced costs for many users, it also includes increased risk. Data hosted in the cloud can be compromised due to errors or problems with the cloud provider. Encrypting data on the client before storing it in the cloud can help provide confidentiality of data, but encrypting data using a cloud provider’s encryption services often does not provide adequate protection.
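Added illustration, not part of the original guide, of the packet-filtering versus stateful-inspection distinction described above: a stateless filter that can only match addresses, ports and protocol, beside a stateful firewall that records a permitted outbound session and opens and closes the return path dynamically. The packet values and the single rule are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                      # minimal 5-tuple plus a FIN marker
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                     # "tcp" or "udp"
    fin: bool = False

# Static policy for the stateless filter. Nothing here matches the server's reply,
# which arrives on the client's ephemeral port, so a stateless filter must either
# block it or leave a wide range of inbound ports permanently open.
STATELESS_RULES = [
    # (source prefix, destination port, protocol, action)
    ("10.0.0.", 443, "tcp", "allow"),   # internal clients may reach HTTPS
]

def stateless_decide(pkt):
    for prefix, dport, proto, action in STATELESS_RULES:
        if pkt.src.startswith(prefix) and pkt.dport == dport and pkt.proto == proto:
            return action
    return "deny"                  # implicit deny at the end of the list

class StatefulFirewall:
    """Remembers sessions opened by policy-permitted outbound packets, admits the
    matching return traffic, and drops the entry when the server sends FIN
    (simplification: only the server-side FIN is modelled)."""
    def __init__(self):
        self.sessions = set()      # (client, cport, server, sport, proto)
    def decide(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.sessions:               # reply to a tracked session
            if pkt.fin:
                self.sessions.discard(reverse)     # "close the port" again
            return "allow"
        if stateless_decide(pkt) == "allow":       # new session allowed by policy
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        return "deny"

def demo():
    out   = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "tcp")
    back  = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp")
    stray = Packet("203.0.113.10", 443, "10.0.0.5", 52000, "tcp")  # unsolicited
    fin   = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", fin=True)
    fw = StatefulFirewall()
    return {"stateless_out": stateless_decide(out), "stateless_back": stateless_decide(back),
            "stateful_out": fw.decide(out), "stateful_back": fw.decide(back),
            "stateful_stray": fw.decide(stray), "stateful_fin": fw.decide(fin),
            "after_close": fw.decide(back)}
```

The stateless filter denies the legitimate reply while the stateful firewall allows it, denies the unsolicited packet to another port, and denies further traffic once the session has closed.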