7: LAN & WAN Technologies
Private Circuit Technologies
Private circuit technologies rely on dedicated physical circuits to transmit data. This ensures a constant, guaranteed level of service, but often at a higher cost due to the dedicated resources. Examples include:
- Dedicated or Leased Line: A constant connection between two points, often used for corporate WANs. Provides consistent bandwidth but is expensive.
- PPP (Point-to-Point Protocol): A direct communication method between two devices, often used for connecting a computer to the internet.
- SLIP (Serial Line Internet Protocol): An older protocol for connecting IP networks via dial-up telephone connections.
- ISDN (Integrated Services Digital Network): Allows the simultaneous digital transmission of voice, video, data, and other network services.
- DSL (Digital Subscriber Line): Provides fast internet access over a telephone line.
While dedicated circuits provide consistent performance, they can be costly due to the reserved resources.
Packet Switching Technologies
Unlike private circuit technologies, packet switching divides data into packets and sends them individually over the most efficient route available, then reassembles the data at its destination. It uses virtual circuits rather than dedicated physical ones, which can be more efficient and cost-effective.
Examples:
- X.25: An older ITU-T standard for packet-switched wide area network (WAN) communication. Mainly used before the modern internet.
- Frame Relay: Designed for cost-effective data transmission for intermittent traffic between LANs and between endpoints in a WAN.
- ATM (Asynchronous Transfer Mode): Uses small, fixed-size cells (packets) to carry data and is designed for both LANs and WANs.
- SDLC (Synchronous Data Link Control): An IBM communication protocol used primarily in Systems Network Architecture (SNA) environments.
- HDLC (High-Level Data Link Control): A bit-oriented protocol for communication over point-to-point and multipoint links.
Packet switching optimizes resource use by allowing multiple users to share bandwidth, which generally makes it more cost-effective than dedicated circuits.
IDS and IPS Overview
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are integral tools in network security. Both IDS and IPS analyze entire packets, including the header and payload, in search of recognized events.
- IDS: When a known event is detected, a log message is generated. There may also be reports or optional alerts. IDS observes, logs, and optionally alerts. It doesn't take action.
- IPS: When it detects a known event, it rejects the packet. IPS takes action! It rejects malicious packets.
Types of IDS Systems
- Behavior-based IDS
- Forms a baseline of activity to establish what constitutes normal behavior.
- Measures system performance against the baseline to spot abnormal behavior.
- Can detect previously unknown attack methods.
- Knowledge-based IDS
- Uses signatures, akin to the signature definitions adopted by anti-malware software.
- Only effective against known attack methods.
Both host-based (HIDS) and network-based (NIDS) systems can be knowledge-based, behavior-based, or a mix of the two.
IDS/IPS Classification by Deployment
- Host-based (HIDS/HIPS)
  - Deployed in software form.
  - Often installed on a server.
  - HIDS observes and logs known events from whole packets.
  - HIPS rejects packets when a known event is detected.
- Network-based (NIDS/NIPS)
  - Typically in hardware form at the network level.
Modes of Operation for Network-based IDS and IPS
- Inline (In-band)
- Positioned on or near the firewall to enhance security layers.
- Might integrate with a switch close to the firewall.
- Passive (Out-of-band)
- Traffic doesn't directly flow through the NIPS/NIDS.
- Uses sensors and collectors to forward alerts to the NIDS.
Sensors and collectors can be strategically placed in a network. For instance, a sensor on the internet side can scan all inbound traffic. But remember that running all traffic through an inline setup can be resource-intensive. Position sensors where they best serve your network's needs.
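The two detection approaches (knowledge-based signatures and a behavior baseline) and the two response modes (IDS logs, IPS rejects) described in the sections above, combined in one toy packet inspector. This is an added example, not part of the original notes; the signatures, baseline value and packet records are all constructed here.

```python
"""Toy IDS/IPS: inspects whole packets (header fields + payload)."""
from collections import Counter

# Knowledge-based detection: byte-pattern signatures, like anti-malware
# definitions. Constructed sample signatures, not from any real ruleset.
SIGNATURES = {
    "sig-path-traversal": b"../../",
    "sig-sqli-union": b"UNION SELECT",
}

# Behavior-based detection: constructed baseline of requests per source
# observed during a "normal" learning period.
BASELINE_PER_SOURCE = 5


def signature_matches(payload: bytes) -> list:
    """Knowledge-based check: names of known signatures found in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def behaviour_exceeds_baseline(counts: Counter, src: str, threshold: int) -> bool:
    """Behavior-based check: has this source gone past the learned baseline?"""
    return counts[src] > threshold


def inspect(packets, mode="ids", threshold=BASELINE_PER_SOURCE):
    """mode='ids' only logs events; mode='ips' also rejects the offending
    packet. Returns (event_log, forwarded_packets)."""
    log, forwarded, seen = [], [], Counter()
    for pkt in packets:
        seen[pkt["src"]] += 1
        events = signature_matches(pkt["payload"])
        if behaviour_exceeds_baseline(seen, pkt["src"], threshold):
            events.append("baseline-exceeded")
        if events:
            log.append((pkt["src"], events))  # IDS and IPS both log
            if mode == "ips":
                continue  # IPS takes action: the packet is rejected
        forwarded.append(pkt)
    return log, forwarded


# Constructed sample traffic: one quiet source, one that trips both detectors.
PACKETS = (
    [{"src": "10.0.0.5", "payload": b"GET /index.html"}]
    + [{"src": "10.0.0.9", "payload": b"GET /a"}] * 6
    + [{"src": "10.0.0.9", "payload": b"GET /../../config"}]
)

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        log, kept = inspect(PACKETS, mode=mode)
        print(f"{mode.upper()}: {len(log)} events logged, {len(kept)} of {len(PACKETS)} packets forwarded")
```

In IDS mode every packet is still forwarded despite two logged events; in IPS mode the same two events cause the offending packets to be dropped.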
Secure Network Design
Understanding and leveraging secure network designs can significantly enhance the overall protection of systems and data. Here's a concise breakdown:
Bastion Host
A Bastion Host is a computer or appliance with exposure to the internet. It undergoes hardening, which means all unnecessary elements, such as non-essential services, programs, protocols, and ports, are eliminated.
Key characteristics of a Bastion Host:
- Only necessary ports are open.
- Removal of non-essential elements.
- Examples include hardened browsers like Librewolf or the Firefox community version.
Screened Host
A Screened Host is a system protected by a firewall and logically located just inside a private network. This design is optimal for heightened security: it is one of the most secure options because of its firewall protection and its location within the network.
Screened Subnet
Conceptually akin to a Screened Host, a Screened Subnet is a subnet positioned between two routers or firewalls. A Bastion Host is typically situated within this subnet.
Proxy Server
A Proxy Server acts on behalf of the client, forwarding its service request and hiding the client's true origin. It's prevalent in corporate environments for internet browsing. A proxy server masks the true origin of the request, often caching content for performance enhancements.