The fundamental technologies in almost every network are switches, routers, and firewalls. In this video, you’ll learn how these devices are used to connect and protect our network devices.
Let’s start our discussion of these network devices with switches. Switches are really great big bridges. They operate at Layer 2 of the OSI Model. I put a representation of the different layers of the OSI Model here on the left-hand side.
We’re really talking about Layer 2, primarily, in these switches. All of these switches do all of this switching, this MAC layer lookup, in hardware, so they’re really, really fast. And what’s nice about the backplanes of these devices is that two devices plugged into the same switch can communicate with each other directly, without having to use any bandwidth or bother anybody else that’s on the network.
So they’re very, very efficient in the way they operate. They decide where traffic goes based on the data link control address of a device. And most of the time on an Ethernet network, for instance, that’s the MAC address, the network card address of the different devices.
So there’s a big table inside of these machines that knows exactly who’s plugged into this device. And whenever it needs to decide which way packets go, it looks to see what the destination MAC address is.
It references that big table, and it says oh, that particular device is on port seven. I’m going to send the traffic over to port seven. There are many, many, many ports on these enterprise devices.
They really are the core of an enterprise network. If you’re in a large, or even a small environment, and you’re plugged into the network, you’re probably plugged into a switch in almost every situation. This happens to be a really, really large switch with lots of slots, and you can fill it up with many different kinds of ports.
Some switches are very small. They’re workgroup switches, and there may be many of those stacked up inside of a closet, for instance. But most of the time, when you’re on somebody’s network, you’re on a switch.
You’ll also see, if you ever look at a network diagram, a switch represented with this diagram, here, where you’ve got arrows just pointing left to right or up and down. They don’t go any other direction. They pass straight through a particular device that represents that Layer 2 switching, where we’re just sending traffic on its way.
You also are able to have a lot of bandwidth go through these devices, and this becomes a little bit of a challenge from a security perspective. You have so many different devices plugged in. You have so much data going back and forth.
How do you begin to manage traffic, and especially to understand the security relationship between two devices that may be talking to each other on the same switch? That is a bit of a challenge. We now have to layer our security not only inside devices like this, but also on the end stations themselves and the servers. If we ever want to be able to see everything end-to-end, that’s really the only way to go about doing it.
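To make that last point concrete, here is an added example (not part of the video) of a learning switch in Python. It uses constructed MAC addresses and port numbers, learns which port each source MAC lives on, floods only when the destination is unknown, and shows why a monitoring host on another port never sees a unicast conversation between two hosts once the table is populated.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str
    dst: str
    payload: str

@dataclass
class Switch:
    """Layer 2 learning switch: a MAC-to-port table plus a forwarding decision."""
    ports: list
    mac_table: dict = field(default_factory=dict)

    def receive(self, in_port, frame):
        # Learn: the source MAC was just seen on in_port, so remember it.
        self.mac_table[frame.src] = in_port
        # Look up: a known unicast destination goes out exactly one port.
        out = self.mac_table.get(frame.dst)
        if out is not None and frame.dst != BROADCAST:
            return [out] if out != in_port else []
        # Unknown destination or broadcast: flood every port except the ingress one.
        return [p for p in self.ports if p != in_port]

def demo():
    """Constructed scenario: alice on port 1, bob on port 7, a monitor on port 2."""
    sw = Switch(ports=[1, 2, 7])
    alice, bob = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"   # constructed MACs
    steps = []
    # First frame: the switch has not seen bob yet, so it floods ports 2 and 7.
    steps.append(sw.receive(1, Frame(alice, bob, "hello")))
    # Bob replies from port 7: the switch learns bob and already knows alice -> port 1.
    steps.append(sw.receive(7, Frame(bob, alice, "hi")))
    # From now on alice -> bob goes only to port 7; the monitor on port 2 sees nothing.
    steps.append(sw.receive(1, Frame(alice, bob, "secret")))
    return steps, dict(sw.mac_table)

if __name__ == "__main__":
    print(demo())
```

The third step is the visibility problem from the video: once the table knows both hosts, a sensor on port 2 would need a SPAN/mirror port or an agent on the end stations to see that traffic at all.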
Since switches operate at Layer 2, everybody’s on the same subnet. So to be able to separate our network into other pieces, we need something to be able to move up to a higher level, the OSI Layer 3, and that would be a router. And usually routers are in the center of the network.
And most of the time, they’re connecting all of these different switches to each other, and perhaps connecting an internet connection as well. Any time you have to connect two different IP subnets, you’re going to need a routing function somewhere. This may be on a standalone device, or it may be part of a software module or hardware module within a switch.
So you’ll sometimes hear the term a Layer 3 switch. That’s really talking about a router that is embedded, or installed, inside of a switch. You’re not really switching at Layer 3. You’re really routing at Layer 3.
You’ll also see this represented on network diagrams as these different arrows that are pointing in different directions. So if you ever see that 90 degree angle on an arrow going through a diagram, it’s probably referring to a router. If you ever hear the term Layer 2, you can think switching.
If you hear the term Layer 3, you can think routing. And that’s usually how we’re representing it. Sometimes we don’t say we need to route, sometimes we say we need to do Layer 3 between those two particular subnets.
These are also able to connect different network types. So you’ll connect a Wide Area Network connection, a fiber-based network connection, a copper-based network connection, and they’ll all go through the router. And the router’s smart enough to do whatever types of signaling translations, or any type of packet translations, between those different networks.
So not only are we connecting different IP subnets together, we can connect very, very diverse networks together with routers. It provides us a lot of functionality to be able to do that in our enterprise environments. Usually also from a security perspective, there is a little bit of filtering capability in here.
You have the ability to filter out certain port numbers. A very, very basic filtering functionality. In the security world, we tend to do only a very basic type of filtering in our router, because we’ll use a firewall to be able to do a much more efficient job of protecting our networks. If you are ever working around network people, they tend to want to have the switches switch, the routers route, and have the firewalls do firewalling.
If you try to combine some of these things together, not only is it complicated, but a router doesn’t really make a good firewall. So one of the nice things about keeping these as separate components is that you can manage them much better from a security perspective. Firewalls really cover the security perspective for the rest of the OSI stack.
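Here is an added example (not from the video) of the two router jobs just described: a longest-prefix-match routing decision between IP subnets, plus the very basic port-number filtering a router can do before the firewall takes over. The routing table, interface names and denied ports are constructed for the example.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Not from the video.
ROUTES = [
    ("10.1.0.0/16", "eth0"),     # subnet behind switch A
    ("10.2.0.0/16", "eth1"),     # subnet behind switch B
    ("10.2.50.0/24", "eth2"),    # a more specific subnet hanging off eth2
    ("0.0.0.0/0", "wan0"),       # default route toward the internet
]
# The "very basic" filter a router offers: a small deny list on the WAN side.
WAN_DENY_PORTS = {23, 445}

def route(dst_ip):
    """Longest-prefix match: the most specific prefix containing dst_ip wins."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forward(src_ip, dst_ip, dst_port):
    """Return the egress interface for a packet, or None if it is not forwarded."""
    src_if, dst_if = route(src_ip), route(dst_ip)
    if dst_if is None:
        return None
    if src_if == dst_if:
        # Same subnet: that is the switch's Layer 2 job, so the router stays out of it.
        return None
    if dst_if == "wan0" and dst_port in WAN_DENY_PORTS:
        # Port-number filtering is all a plain router gives you; no state, no content.
        return None
    return dst_if

if __name__ == "__main__":
    print(forward("10.1.0.5", "10.2.50.9", 443))   # eth2: the /24 beats the /16
    print(forward("10.1.0.5", "203.0.113.5", 23))  # None: telnet to the WAN is denied
```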
We’ve talked about switching at Layer 2, we’ve talked about routing at Layer 3. Well, at Layer 4 and all the way up to Layer 7, we have firewalls. And firewalls are really our first and last line of defense when that traffic is going in and out of our network.
If we need to protect servers, we need to protect our users, we need to separate ourselves from the big bad internet, it’s a firewall that’s going to be doing that. This can be also a device that is able to encrypt data into and out of the network. Very often, we’ll connect firewalls to each other, and we’ll build encrypted tunnels between those connections.
We’ll talk a lot about encryption technologies, and the way that we do these tunnels in other parts of these videos that we look at. But it’s usually the firewalls that are the endpoints between the two. You may have a firewall at your home office. You may put a firewall at a remote site. You may connect them together through the internet.
And in order to keep your data private, as it goes through that public internet, we can create encrypted tunnels between the two, and essentially, send all of our data between those two sites, all encrypted. Even if somebody was to look at that data going by, they wouldn’t be able to make any sense of it as it’s going through. Many firewalls can also act as proxies.
Proxies are a very, very traditional method of separating internal networks from the internet. Proxies work by making a request to a web server, but instead of talking directly to the web server, you’re really talking to the proxy that you have inside of your network. That proxy then takes your request and makes the request on your behalf.
When it receives the response from that web server out there on the internet, it looks through the content and makes sure there’s nothing bad in there. It usually makes sure that that’s something you’re allowed to look at, and then it sends you the response. By putting that right in the middle, it is separating the internal network from the internet.
There are some nice security benefits to doing that. Most firewalls that you’re going to find can also be Layer 3 devices. So you will very often see the firewall on the edge of the network as the internet is coming into it.
And it’s performing routing for us, and it’s doing network address translation for us. So many times you don’t have to have a Layer 3 router right behind it. The firewall’s simply doing all of that routing for us.
And because it’s right there on the edge, it can route to the internet, it can route to a DMZ, it can route to our internal network as if it was a standalone router all by itself. Think of it as having routing functionality with all of these great firewalling and security technologies built right into the technology.
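As an added example (not from the video), here is a small model in Python of that edge firewall doing Layer 4 work and network address translation at the same time: outbound connections are checked against a policy and tracked, the reply is matched against that state and translated back to the inside host, and anything unsolicited from the internet is dropped. All addresses and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulNatFirewall:
    """Edge device that NATs and tracks connections (constructed example)."""
    def __init__(self, public_ip, allow_out=frozenset({80, 443})):
        self.public_ip = public_ip
        self.allow_out = allow_out          # Layer 4 policy for outbound traffic
        self.nat = {}                       # (inside ip, inside port) -> public port
        self.state = {}                     # public port -> (inside ip, port, remote ip, port)
        self.next_port = 40000

    def outbound(self, pkt):
        """Inside -> internet: enforce policy, create state, rewrite the source."""
        if pkt.dst_port not in self.allow_out:
            return None                     # blocked by the outbound policy
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.nat:
            self.nat[key] = self.next_port
            self.state[self.next_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.next_port += 1
        return Packet(self.public_ip, self.nat[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> inside: only replies to tracked connections get through."""
        entry = self.state.get(pkt.dst_port)
        if entry is None or (pkt.src_ip, pkt.src_port) != (entry[2], entry[3]):
            return None                     # unsolicited or from the wrong peer: dropped
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])

def demo():
    fw = StatefulNatFirewall("203.0.113.1")
    out = fw.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    reply = fw.inbound(Packet("198.51.100.7", 443, "203.0.113.1", 40000))
    stray = fw.inbound(Packet("198.51.100.9", 443, "203.0.113.1", 40000))
    telnet = fw.outbound(Packet("192.168.1.10", 51001, "198.51.100.7", 23))
    return out, reply, stray, telnet

if __name__ == "__main__":
    print(demo())
```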