The Unconventional Guide to Network Security 1.3

November 2, 2015 | Views: 6057

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Network Security 1.3

Based on CompTIA’s list of Security + exam objectives (their PDF list of domains is found here: ), this article covers the first domain, Network Security (1.0), with its third sub-heading (1.3).

I mention any products and examples because:
1. When you’re starting out it can be difficult to get a grasp of what’s what;
2. If you’re in charge of a virtual environment you probably won’t come in contact with many of these (e.g., firewall and VPN concentrators) because they’re managed solely by your VM provider/datacenter; and,
3. If you’re in an SMB you might not have any use or resources for things like virtualization.

This does not replace all other training. This is simply to augment your training by providing some examples and to help clarify a lot of the tech lingo, long documents, and other confusing aspects of other training. Definitely watch the great videos and read the other great material on Cybrary!


Network Security 1.0

1.3 Distinguish and differentiate network design elements and components


DMZ – DeMilitarized Zone

AKA Perimeter Network, this is the set of servers that faces the world-at-large, allowing them to “see” something on your network; very likely where your company’s website is there. Anybody is allowed some access to it, even though it’s typically behind your firewall. The firewall directs traffic to the DMZ, lets valid traffic through to your network, and can include your website, mail, and FTP servers.

Devices in the DMZ are the most susceptible to attack, as they are external-facing, and directly, or closely, attached to an untrusted network (the internet).

Visitors (not just people, but also computers) can only reach so far into your network – giving you a presence on the web, but not allowing traffic to get to your real network.



This takes a network (e.g., 192.168.1.x) and divides it up into smaller networks using CIDR notation (e.g.,, which means that there are 23 bits for the network). So you can have one network for Engineering, one for HR, and one for Accounting, all by using a subnet mask.

Simple Example:
Network ID    | Host ID

192.168.2.       |1 = IP Address
255.255.255.  |0 = Subnet Mask

Get familiar with 4 aspects of subnetting: IP Address, Subnet, Subnet Mask, and Interface. It’s a Layer 3 technology. Also get familiar with the terms CIDR, host portion, network portion, and binary. When CIDR (Classless InterDomain Routing) came on the scene, the need for the terms Classes A-E have become anachronistic, though it’s good to be aware of them as the main divisions and subnet masks of those classes may show up on the exam. Get familiar with VLSM (Variable Length Subnet Mask). A fun way to get used to binary is to get a binary clock.

Search for subnetting here on Cybrary for great and extended explanations and examples!


VLAN – Virtual LAN

Before VLANs, you had to use a different switch for each LAN that you wanted to separate (e.g., Engineering here, HR there). The Virtual LAN allows you to use one switch or router to both:
A. separate the network for reasons of routing, data flow management, and security; and,
B. allow traffic to route between the networks as needed (e.g., mail server needs to cross all VLANs to reach recipients). VLANs are based on a logical (Layer2/Data Link), not physical (Layer 1/Physical), connections.

With VLAN Management, you can have different switches with different VLANS, yet be able to manage all of them from a central location.

It’s different from a subnet in that it:

1. Creates a more manageable separation (though not isolation) of the traffic; and,

2. Allows you to use ACLs for security.

Compared to subnetting it’s an advanced technological way of separating traffic, lending itself to an easier-to-use method of maintaining the network.

VLAN10:                  à GOES TO à       .2, .3
VLAN11 191.168.16/28                   à GOES TO à       .18, .19
VLAN12                à GOES TO à       .33


NAT (Network Address Translation)

This is simply translating one IP address to another. It includes one-to-one translation, but very often NAT is used as many-to-one and one-to-many. E.g., a company uses the 172.16.x (private/inside) network, but the company only has 1 public IP. When 1 of those private devices goes to the internet, the router auto-translates the private IP to the single public IP. When the destination has been reached by the device, the returning packets (based on information in the packet) run back through the router and are returned to the appropriate device.

NOTE: To find your public IP, go to

A couple examples to search for and check out are Routing and Remote Access for Windows (included in Windows Server, but works differently in different versions) and IPFilter for Unix.


INTERNAL PC    à       GATEWAY IP / PUBLIC IP        à         INTERNET     à / à Devices see you as 208. address


Remote Access

This is when your employees are connecting from outside the network back into your network. You want to make remote access (RA), whether wireless or wired, secure; so this is where things like VPN (e.g., software such as OpenVPN) running as a service on the remote machine and going through https:// (such as Citrix) come into play.

An example setup would be a laptop connecting from a coffee shop: the laptop has a softvpn client running as a service. As soon as the laptop is powered on the service is running. When the user connects to the public wi-fi, the network connection is already authenticated and the data is already encrypted. You can also firewalls and other controls on the network side to insure that only those in your domain, and even only certain devices, can connect.

RA includes all connections to and from your network, things like VNC, which is used to remotely troubleshoot. Be familiar with Remote Desktop, ISDN, Dial-up, DSL, and VPN.

Three examples to check out are Routing and Remote Access for Windows (included in Windows Server); Citrix; and is RemoteApp.



You’ll see various forms of the word “telephony” used almost interchangeably: Telecommunications, VoIP, Internet Telephony, IP Telephony, and Digital Telephony. Amongst all of this is the idea of transmitting audio (even video), to others.  You can use a hosted solution (e.g., OnSip) or in-house (e.g., Cisco). Also get familiar with the terms application gateway, POTS, and PSTN. Some other examples are Skype Phone, Cisco 7940, and Polycom.


NAC – Network Access Control

Explaining and describing NAC can be pretty slippery, as the methods of providing it continue to change. Its use of protocols, application and enforcement of policies, and ways of authenticating, will vary depending on your network technology. But in short NAC is how your devices determine who and what is allowed to access your network. An available network jack could be a vulnerability, so if you can close or disable that port, do so; someone in the wrong AD group poses a risk of infiltration; you could set policies so that only certain MAC addresses are allowed. Section 5 of the Security+ study materials goes in-depth on the areas of access control.

Sample simple flow

Computer (Supplicant) à Access Control systems (e.g., switch port, firewall, and AD) à Network



Transforming your hardware to VMs can provide great cost- and time-savings, but it comes with a different set of considerations. Relating to security, one consideration is the trust issue – do you trust that the provider is not snooping? Do you trust that the VLANs are secure? The main goal, pertaining to security, is figuring out how you’ll maintain and monitor those VMs. You have to make sure that only the right people in your org have access to the VMs. Those who have access to them VMs should only be able to do what they need to do – can they just remote to it? Can they view the list of all VMs? Can they modify the VMs? And access to the VMs is different than access to the server itself – maybe a Domain Admin can only view the VM itself, but as a Domain Admin he can do whatever he wants to the OS. So it adds some layers of security issues.


Cloud Computing

The next few terms are part-and-parcel of cloud computing, which is the umbrella term. When you see all the mentions of cost savings, realize that starting out may be less costly, but if you already have the gear your company needs, it can be pretty expensive to switch. This is where looking at the 5 or 10+ year financial forecast comes into play to see what the real $$ ROI is.
When it’s all combined, you can use a thin client (essentially any old computer –except for XP/2003 and earlier since they’re out of compliance!) and do all that you need to do!
The 3 terms below are out-of-order in the cloud computing stack, which is, from bottom to top, IaaS, Paas, and SaaS.


Platform as a Service

PaaS (pronounced “pass”) allows you to take care of your web apps. It can be costly to have your own in-house platforms, so places like Amazon and MS offer AWS and Azure respectively. Developers can more economically build and maintain your companies’ web services. You might run across the term “cloud-enabled application platform.” Some types and terms for PaaS are: Public, Private, Enterprise, Hybrid, Mobile, and Open. Some examples are: MS Azure, Google App Engine, and Amazon EC2.


Software as a Service

SaaS (pronounced “sass”) is software licensing based on subscription. AKA on-demand software. One strategy in keeping IT from becoming a resource-hog (or a drain on the company’s resources) is to reduce the in-house cost of hosting apps onsite. It’s common for a company to outsource, among many other things, accounting, CRM, and HR software. Whatever the app(s), you just connect to the web, and then the app, so using the online software is often independent of what computer you use. Some examples are: Google Apps, WebEx, and Salesforce.


Infrastructure as a Service

The pronunciation is usually just saying the letters separately. Infrastructure is all the stuff (e.g., hardware, software, cooling systems) that is used to run your IT department. Search online for a definition that suits you, because there’s not a 100% agreed-upon definition. For examples of IaaS, look up VMWare, Citrix Xen products, Amazon AWS, Hyper-V.


I hope this information was helpful to you. Please leave your comments below.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Great information, thanks for all of the amazing examples. This is good stuff.

  2. Thank you for the overview, really helpful as a quick guide.

  3. Good Intro

  4. Great notes 🙂

  5. Great overview
    Many thanks to you

Page 3 of 3«123
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?