examine traffic at a granular level. It first analyzes the traffic flowing through it and categorizes all traffic with minimal assistance from a network administrator. It can determine the needs of each type of traffic in regard to latency and bandwidth requirements. Using this information, it can then assure that traffic is balanced in the most efficient manner in order that latency- and bandwidth-sensitive applications get what they need while less-sensitive applications get less because they can function just as well without it. For the most part, it can do all of this without administrative configuration, but it will report its findings back to the network administrator in detailed reports.
VPN Concentrator
A virtual private network (VPN) is a network connection that is made secure even though it is flowing through an unsecure network, typically the Internet. This is done by using an encapsulation protocol. The encapsulation protocol creates a tunnel between two devices. A device that is sometimes used to create this tunnel is referred to as a VPN concentrator. Most VPN concentrators use either the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) to create the tunnel. The reason that it’s called a concentrator is that it can handle many VPN connections simultaneously. I will discuss PPTP and L2TP later in this chapter.
Exam Essentials
Know the functions and applications of various network devices. A router works at Layer 3 (Network) whereas a switch works at Layer 2 (Data-Link). An HIDS is host based like a moat, whereas IDS and IPS are network based to provide protection for multiple hosts. Packet shapers analyze traffic patterns and application needs and control traffic in ways that firewalls can’t duplicate. A VPN concentrator can make network traffic secure, even when it’s flowing through an unsecure network.
1.2 Compare and Contrast the Use of Networking Services and Applications
The next step toward creating your functional network architecture is selecting the networking services that you will use on your network. This will largely be determined by the size and scope of your network and what you are connecting. For example, if you are connecting devices that are not at the same location, you might want to use protocols that are specific for that type of connection. Some protocols that you might consider would include VPN, IPsec, RAS, unified voice services, and others. In this section, I will discuss these technologies and how they relate to your network architecture.
1.3.1 VPN
A virtual private network (VPN) is not really private since it runs through an unsecure network. However, a VPN is made virtually private using an encapsulation protocol, also called a tunneling protocol. You can accomplish this using SSL and cryptography. There are also other protocols that are specifically designed to provide a tunnel that encapsulates a well-known protocol, for example, IP, with a secure protocol known only by the sender and receiver.
Site to Site/Host to Site/Host to Host
For most companies with multiple locations, the prospect of installing dedicated leased lines, such as T-1s or T-3s, to each of their locations is cost prohibitive and unnecessary. It’s unnecessary with today’s networks because it’s possible to use the Internet as a secure connection between the locations. Tunneling is a process of encapsulating one protocol within another so as to provide a secure communication through an unsecure medium, typically the Internet. The processes and protocols used to create tunnels have changed over the past 15 years, and some tunnels are therefore more secure than others. Some tunneling protocols also encrypt the data contained in the packets, while others do not. As you will see, you can use these tunneling protocols to move data securely from one datacenter to another datacenter (site to site), from a remote computer to a datacenter (host to site), or even from one remote computer to another remote computer (host to host). In the following sections, I’ll discuss the protocols used for tunneling and the security they provide in each of these scenarios.
Protocols
Protocols have been defined in many ways. Some say that protocols are an expected behavior between two parties. Others say that protocols establish a set of rules by which the two parties can communicate. Network protocols fall into both of these definitions. They are the rules that determine the expected behavior of communication between one device and another one. In order for devices to communicate effectively, they must share the same protocol. If two devices know a protocol that other devices don’t, they can then communicate to each other through a medium that would otherwise be considered unsecure. Therefore, if I were to encapsulate one protocol inside another, I would create a tunnel on which only the computers that know the outer protocol could communicate. This is what is referred to as a tunneling protocol. In this section, I will discuss the various protocols that can be used as tunneling protocols between two devices.
IPsec
Internet Protocol Security (IPsec) is a framework of protocols designed to authenticate connections and encrypt data during communication between two computers. It operates at the Network layer of the OSI model and provides security for protocols that operate at the higher layers of the OSI model. Because of this, you can use IPsec to secure practically all TCP/IP-related communications, including tunnels.
The function of IPsec is to ensure that data on the network is safe from being viewed, accessed, or modified by anyone except the intended receiver. IPsec can be used to provide security within networks as well as between networks. To be more specific, IPsec has three main security services:
Data Verification This ensures that the data received is actually from the source from which it appears to have originated.
Protection from Data Tampering This ensures that the data has not been changed in any way during the transmission between the sending computer and the receiving computer.
Privacy of Transactions This ensures that the data that is sent is readable only by the intended receiver.
There are two main modes of IPsec: transport mode and tunnel mode. Transport mode is used to send and receive encrypted data within the same network. Tunnel mode is used to send encrypted data between networks. It includes an encryption mechanism as well as an authentication mechanism.
GRE
Generic Routing Encapsulation (GRE) is a protocol developed by Cisco systems that you can use to encapsulate many Network layer protocols to be delivered on point-to-point links in your IP network. It works by encapsulating the original payload (inner packet) into an outer IP packet that can be sent through the tunnel. De-encapsulation takes place at the other end of the tunnel, so the inner packet can be delivered without the destination machine ever being aware that an outer IP packet existed. This makes GRE a flexible tool that can even be used to send multicast and IPv6 packets through an otherwise normal IPv4 structure.
SSL VPN
The Secure Sockets Layer (SSL) protocol uses cryptography to provide secure authentication and communication privacy over the Internet. It is typically used for e-commerce. When used in conjunction with a VPN on a site that is allowing e-commerce, the advantage SSL offers is that many of the filters are already configured. In other words, if a site wants to allow e-commerce using SSL, then the ports for SSL already must be allowed through any firewalls or other network filters. This means that an SSL-based VPN might be much easier to configure than one that requires that a new protocol and its ports be allowed through the firewalls of the network.
PTP/PPTP
The Point-to-Point Tunneling Protocol (PPTP) is used to create a secure tunnel between two points on a network over which other protocols such as the Point-to-Point
