Routers
A router's main goal is to forward traffic between networks. Routers are devices that sit at Layer 3 of the OSI model. A typical home router will only send traffic out of your home network and into the wider internet; it acts as the edge point between your local network and the wide area network. Across the internet, tens of thousands of routers point traffic to the next network so that ultimately your traffic can reach its endpoint. Routers maintain route tables which allow decisions to be made on how best to reach the destination. Let's see an example: on your device, open your terminal utility (Command Prompt/PowerShell on Windows) and type the following command:
The number on the left-hand side denotes the hop. Each hop is a router that is making a routing decision, based on its routing table, on which hop to send the packet to next. On the right-hand side you can see either the IP address or the hostname of the router that the packet has landed on. We can see from this output that to reach 8.8.8.8 (dns.google), 11 routers processed the packets. Hops 1 & 2 are our internal routers, hops 3 to 7 were routers within BT's infrastructure, and hops 8 to 11 were routers within Google's infrastructure.
Layer 2 and Layer 3 switches
A switch is usually a device that connects a large number of devices to the network within one single broadcast domain. Forwarding decisions are based on the Layer 2 physical address (MAC address) connected to each port. As a frame arrives at the switch, it will look up the destination MAC address in the MAC address table it has populated, and forward the frame out of the correct port as required. If a frame with a broadcast MAC address arrives at the switch, it will flood the frame out of all ports (ARP is an example of a protocol that relies on this). Multiple switches can be combined together, which is commonly referred to as switch stacking. Let's look at the typical process for frame switching:
Phil's PC is plugged into port 1 on the switch, and Sally's PC is also plugged into the same switch. The switch has learnt the MAC addresses of each device and stored this information within its MAC address table. The MAC address table on the switch is below:
Port Number // MAC Address
1 // 53-55-8D-D2-2B-B1
2 // 06-79-54-F9-84-AA
3 // A7-FE-F7-CE-33-06
4 // A1-15-A6-54-CC-CB
5 // 20-EC-1A-0B-68-22
Phil's PC wants to send some data to Sally's PC, and sends a frame into the network via the switch. Within the frame there is a destination MAC address, as Phil's PC has already learnt Sally's PC's MAC address via ARP. The destination MAC address is A1-15-A6-54-CC-CB. Which port do you think the switch will forward the frame out of?
While Layer 2 switches make forwarding decisions based on the destination MAC address within the frame header, Layer 3 switches also make routing decisions based on the destination IP address found in the packet header (just like a router).
You may also come across the term "unmanaged switch". This is just a device that operates only at Layer 2 and doesn't allow any configuration, such as VLANs.
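The frame-switching process above, as an added example that is not part of the original page: a toy learning switch in Python, loaded with the MAC address table from the text. It learns source MACs as frames arrive, forwards known unicast destinations out of a single port, and floods broadcast or unknown destinations out of every port except the one the frame arrived on (the usual switch behaviour; the text's "all ports" describes the same thing from the sender's point of view).

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"

# Constructed from the MAC address table shown in the text (port -> MAC).
MAC_TABLE = {
    1: "53-55-8D-D2-2B-B1",
    2: "06-79-54-F9-84-AA",
    3: "A7-FE-F7-CE-33-06",
    4: "A1-15-A6-54-CC-CB",
    5: "20-EC-1A-0B-68-22",
}


class LearningSwitch:
    """Toy Layer 2 switch: learns source MACs, forwards by destination MAC."""

    def __init__(self, port_count, port_to_mac=None):
        self.ports = set(range(1, port_count + 1))
        # The table is keyed by MAC, because lookups are done on the destination.
        self.mac_table = {mac.upper(): port
                          for port, mac in (port_to_mac or {}).items()}

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports the frame is sent out of."""
        # Source learning: remember which port this MAC was seen on.
        self.mac_table[src_mac.upper()] = in_port
        dst = dst_mac.upper()
        if dst == BROADCAST or dst not in self.mac_table:
            # Broadcast (e.g. an ARP request) or unknown unicast:
            # flood out of every port except the one it arrived on.
            return self.ports - {in_port}
        out_port = self.mac_table[dst]
        # Destination hangs off the ingress port: nothing to forward.
        return set() if out_port == in_port else {out_port}


def phil_to_sally():
    """The frame from the text: Phil (port 1) sends to A1-15-A6-54-CC-CB."""
    switch = LearningSwitch(5, MAC_TABLE)
    return switch.forward(1, MAC_TABLE[1], "A1-15-A6-54-CC-CB")


if __name__ == "__main__":
    print("Phil's frame leaves via port(s):", phil_to_sally())  # {4}
```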
Next-generation firewalls and IPS
A firewall is essentially a device that will allow or deny traffic dependent on a set of rules. These rules are implemented by the network administrator, and the firewall is usually placed at the edge of a network to reduce the attack surface. If the traffic does not match any rule, it will be dropped by the implicit deny rule. Below we will compare the key differences between a stateful and a next-generation firewall.
A next-generation firewall (NGFW) is a network security appliance that goes beyond the traditional capability of a stateful firewall. While stateful firewalls will usually pass or deny traffic based on port numbers, source and destination IPs and the protocols used (ICMP, SNMP etc.), an NGFW lets the network administrator detect and apply a ruleset against the modern threat landscape. NGFWs are able to inspect the upper layers of the OSI model to detect malware and application-level attacks. NGFWs are typically capable of:
- Stateful traffic inspection (protocols, ports and source/destination IPs)
- URL filtering and denying blacklisted URLs
- Deep-packet inspection for malware code (Intrusion Prevention)
- Application layer identification and inspection
- SSL and SSH inspection by decrypting traffic
- Blocking geographical region IP addresses
- And much more...
An IPS (Intrusion Prevention System), on the other hand, can either be standalone or part of the NGFW UTM (Unified Threat Management). An IPS will perform deep-packet inspection on every packet that traverses the appliance. It is found in-line with the network traffic, and this is referred to as an inline sensor. As traffic passes the sensor, it analyses the traffic based on:
- Signature - identifying a pattern within a packet or packets; this is the most commonly found method
- Anomaly - malicious network activity can look different from legitimate streams of traffic
- Reputation - using global data and blacklists to filter and prevent malicious IPs, DNS responses etc.
- Policy - an administrator-created ruleset to filter and process traffic flows
If one of the above analysis methods produces a true positive, one of the following actions will be performed:
- Deny connection or packet
- Reset TCP connection (reset packet sent to source)
- Alert
- Log victim or attacker traffic based on IP addresses in the packet header
- Log traffic
It's important to note that while an IPS will actively analyse and attempt to prevent attacks, an IDS (Intrusion Detection System) will simply log the traffic for future review.
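The inline sensor described above, as an added example that is not part of the original page: a toy Python IPS that runs each packet through the four analysis methods in turn (reputation, signature, anomaly, policy) and returns one of the actions listed above, logging the source and destination IPs with every verdict. The signatures, blocklist entries, policy and packets are all constructed for illustration; the addresses are from the documentation ranges, not real indicators.

```python
from collections import Counter

# Constructed sample data (not real indicators): signatures, a reputation
# blocklist (documentation address range) and an administrator policy.
SIGNATURES = {"shell-probe": b"/bin/sh -i", "sqli-probe": b"' OR 1=1"}
BAD_IPS = {"198.51.100.7"}
POLICY = [("tcp", 23, "deny")]      # e.g. no Telnet through the sensor
ANOMALY_THRESHOLD = 2               # packets per source per window (toy)

class InlineSensor:
    def __init__(self, signatures, bad_ips, policy, threshold):
        self.signatures, self.bad_ips = signatures, set(bad_ips)
        self.policy, self.threshold = policy, threshold
        self.per_source = Counter()     # packets seen per source this window
        self.log = []                   # (action, src, dst, reason)

    def inspect(self, src, dst, proto, dport, payload=b""):
        """Return (action, reason); action is deny/reset/alert/allow."""
        # Reputation: a source on the blocklist is denied outright.
        if src in self.bad_ips:
            return self._act("deny", f"reputation: {src} is listed", src, dst)
        # Signature: a known pattern in the payload; for TCP, reset the session.
        for name, pattern in self.signatures.items():
            if pattern in payload:
                action = "reset" if proto == "tcp" else "deny"
                return self._act(action, f"signature: {name}", src, dst)
        # Anomaly: a source sending far more than the expected baseline.
        self.per_source[src] += 1
        if self.per_source[src] > self.threshold:
            return self._act("alert", f"anomaly: {src} above baseline", src, dst)
        # Policy: administrator-created rules on protocol and port.
        for p_proto, p_port, p_action in self.policy:
            if proto == p_proto and dport == p_port:
                return self._act(p_action, f"policy: {proto}/{dport}", src, dst)
        return self._act("allow", "no analysis matched", src, dst)

    def _act(self, action, reason, src, dst):
        # Every verdict is logged with the source/destination IPs from the header.
        self.log.append((action, src, dst, reason))
        return action, reason

def demo():
    sensor = InlineSensor(SIGNATURES, BAD_IPS, POLICY, ANOMALY_THRESHOLD)
    packets = [("198.51.100.7", "tcp", 443, b""),
               ("192.0.2.20", "tcp", 80, b"GET /?id=' OR 1=1"),
               ("192.0.2.20", "tcp", 23, b""),
               ("192.0.2.20", "udp", 53, b""),
               ("192.0.2.20", "udp", 53, b"")]
    return [sensor.inspect(s, "192.0.2.10", p, d, b)[0] for s, p, d, b in packets]
```

Running demo() yields the verdicts deny, reset, deny, allow, alert for the five packets in order; an IDS built the same way would only append to the log and never return a blocking action.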
Access points
An access point (AP) is, in the simplest terms, a device that allows wireless end user devices to connect to the network. It is sometimes referred to as a WAP (Wireless Access Point). The below diagram denotes a very basic setup of the typical topology of how wireless devices would connect to the internet. It's important to secure the access point by ensuring that the passkey is of the latest type (currently WPA3 AES), to minimise the chance of a bad actor gaining access to your network wirelessly.
Controllers (Cisco DNA Centre and WLC)
Cisco DNA Centre is a single-pane-of-glass solution that allows network administrators to manage the network from a single platform. It lets administrators automate tasks relating to network management and security. It also provides the capability to analyse the network from a simple dashboard, allowing for quicker remediation of issues.
A WLC (Wireless LAN Controller) allows for management of APs from a single point. When using APs within a unified environment with a WLC, the APs are referred to as LAPs (Lightweight Access Points), as the heavy lifting is completed by the WLC. In a large office there may be hundreds of LAPs, and managing each individually would be a massive manual task. The WLC allows a LAP to connect to the network and pull down its configuration automatically. Authentication of client devices is handled directly by the WLC in a unified deployment.
Endpoints
Endpoints are commonly referred to as end user (EU) devices. These are the devices we use every day to complete our jobs or enjoy media such as video/music streaming. Typical EU examples are:
- Phones
- Laptops
- Tablets
- Workstations
- IoT
Servers
Servers are also technically endpoints; however, their primary purpose is to serve information to EU devices when requested. For example, on a file server, the user may request a document that is stored on a storage array within a data centre. The file server allows the EU device to pull down the document and its content across the network. Common servers are:
- Print server
- File server
- Web server
- Application server
- Database server
- Domain Controller
- And many more...
PoE
PoE stands for Power over Ethernet. It allows low-power devices such as IP phones, CCTV cameras or APs to draw power directly over the Ethernet cable. Two of the four copper pairs within a typical Ethernet cable are used for power, with the other two being used for data. A PoE switch is required to power the devices on the other end of the cable.