VPN (Virtual Private Network)
Interfacing with Managed Switches
Switch Port Protection
Switch ports work at layer 2; they do not use IP or work at layer 3. Now let's talk about switch port protection. When you connect switches together, make sure you avoid a bridging loop, which is exactly what the Spanning Tree Protocol (STP) exists to prevent. Look at the image below to see what a bridging loop looks like.
When you connect three switches, STP elects one of them as the root bridge (root switch), and the other two build their forwarding paths toward it. Now some malicious person can plug in a switch below and advertise a better (lower) bridge priority, claiming to be the root. This compromises the network because the attacker's switch is then treated as the root, and traffic between the other switches is re-routed through it, where it can be captured or disrupted.
The solution is root guard. You enable it on ports that should never lead toward the root (downstream and access-facing ports). If a superior BPDU arrives on such a port, the switch puts the port into a root-inconsistent (blocking) state instead of accepting the new root, and the port recovers on its own once the superior BPDUs stop. Note that root guard does not memorize the root switch's MAC address; it simply refuses to learn a better root from that direction.
One more problem is that most ports on a switch are designed to connect computers, and only a few connect to other switches. Someone can plug a switch into a port meant for a computer. A BPDU (Bridge Protocol Data Unit) is the STP message that switches exchange; an end host should never send one. The protection here is BPDU guard, enabled on access (PortFast) ports: if any BPDU arrives on such a port, the switch shuts that port down (err-disabled) until an administrator recovers it or a recovery timer expires.
DHCP snooping addresses another issue: there should be only one DHCP server per broadcast domain, but it is easy to plug a rogue DHCP server into any other port. With DHCP snooping we configure the switch so that only the port leading to the legitimate DHCP server is trusted; every other port is untrusted.
DHCP server messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, so a rogue DHCP server never gets to answer clients, and the switch can also err-disable a port that exceeds a configured rate of DHCP messages. Along the way the switch builds a binding table (MAC address, IP address, port, VLAN) from the leases it sees.
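As an added example (not from the original notes and not vendor code), the following Python model shows how the three protections above decide what to do with a frame: BPDU guard on an access port, root guard on an uplink, and DHCP snooping on untrusted ports. Port names, bridge IDs, MAC addresses and the frames are constructed, and the root-guard recovery rule is simplified to "recover when the next non-superior BPDU arrives".

```python
"""Added example: a simplified model of BPDU guard, root guard and DHCP snooping.

Not vendor code. All port names, bridge IDs, MAC addresses and frames are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    edge: bool = False          # access port for an end host: PortFast + BPDU guard
    root_guard: bool = False    # uplink that may carry BPDUs but must never lead to a better root
    dhcp_trusted: bool = False  # only the port that faces the legitimate DHCP server
    state: str = "forwarding"   # forwarding | err-disabled | root-inconsistent


@dataclass
class BPDU:
    """Spanning-tree hello. A lower (priority, MAC) tuple is a 'better' bridge ID."""
    root_priority: int
    root_mac: str


@dataclass
class DHCPMessage:
    msg_type: str  # DISCOVER/REQUEST come from clients; OFFER/ACK/NAK only from servers


DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Switch:
    root_priority: int            # bridge ID of the root this switch currently knows
    root_mac: str
    ports: dict
    log: list = field(default_factory=list)

    def receive(self, port_name: str, frame) -> str:
        port = self.ports[port_name]
        if port.state == "err-disabled":
            return "dropped (port err-disabled)"  # nothing passes until an admin recovers it
        if isinstance(frame, BPDU):
            return self._handle_bpdu(port, frame)
        if isinstance(frame, DHCPMessage):
            return self._handle_dhcp(port, frame)
        return "forwarded"

    def _handle_bpdu(self, port: Port, bpdu: BPDU) -> str:
        # BPDU guard: an end-host port must never see a BPDU at all; shut it down.
        if port.edge:
            port.state = "err-disabled"
            self.log.append(f"{port.name}: BPDU guard: BPDU received, port err-disabled")
            return "err-disabled"
        superior = (bpdu.root_priority, bpdu.root_mac) < (self.root_priority, self.root_mac)
        if port.root_guard:
            # Root guard: a superior BPDU from this direction is refused; the port blocks.
            if superior:
                port.state = "root-inconsistent"
                self.log.append(f"{port.name}: root guard: superior BPDU, port root-inconsistent")
                return "blocked (root-inconsistent)"
            if port.state == "root-inconsistent":
                port.state = "forwarding"  # simplified: recover once superior BPDUs stop
                self.log.append(f"{port.name}: root guard: recovered")
        return "processed"

    def _handle_dhcp(self, port: Port, msg: DHCPMessage) -> str:
        # DHCP snooping: server replies are only legal on the trusted port.
        if msg.msg_type in DHCP_SERVER_MSGS and not port.dhcp_trusted:
            self.log.append(f"{port.name}: DHCP snooping: dropped {msg.msg_type} from untrusted port")
            return "dropped (rogue DHCP server)"
        return "forwarded"


def demo() -> dict:
    sw = Switch(root_priority=32768, root_mac="00:11:22:33:44:55", ports={
        "Gi1/0/1": Port("Gi1/0/1", edge=True),
        "Gi1/0/2": Port("Gi1/0/2", edge=True),
        "Gi1/0/47": Port("Gi1/0/47", dhcp_trusted=True),
        "Gi1/0/48": Port("Gi1/0/48", root_guard=True),
    })
    rogue = "de:ad:be:ef:00:01"  # constructed attacker bridge MAC
    return {
        "rogue_switch_on_access_port": sw.receive("Gi1/0/1", BPDU(4096, rogue)),
        "host_after_errdisable": sw.receive("Gi1/0/1", DHCPMessage("DISCOVER")),
        "superior_bpdu_on_uplink": sw.receive("Gi1/0/48", BPDU(4096, rogue)),
        "normal_bpdu_on_uplink": sw.receive("Gi1/0/48", BPDU(32768, "00:11:22:33:44:56")),
        "uplink_state": sw.ports["Gi1/0/48"].state,
        "rogue_offer_on_access": sw.receive("Gi1/0/2", DHCPMessage("OFFER")),
        "client_discover_on_access": sw.receive("Gi1/0/2", DHCPMessage("DISCOVER")),
        "real_offer_on_trusted": sw.receive("Gi1/0/47", DHCPMessage("OFFER")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} -> {v}")
```

The point the model makes is the difference between the two STP guards: BPDU guard is a hard stop (the port stays err-disabled even for legitimate client traffic afterwards), while root guard only blocks while a superior root is being advertised and lets the uplink carry normal BPDUs again once the attacker stops.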
Port bonding (link aggregation, also called a LAG or EtherChannel) joins two or more parallel links between two switches so that they act as one higher-bandwidth port. To do this you go into the configuration, put the individual ports into a channel group, and the group then appears as a single logical interface.
Remember that port bonding links switch ports to increase bandwidth, and it also gives redundancy if one of the links fails. Use LACP (IEEE 802.1AX, originally 802.3ad) as the aggregation protocol rather than a static bundle, and set the ports to active mode so that both sides negotiate the bundle and a miscabled link cannot silently join it. LACP is not a trunking protocol; VLAN trunking (802.1Q) is configured on the resulting port-channel interface.
Quality of Service
Quality of Service (QoS) is the set of mechanisms for managing the available bandwidth: classifying traffic and deciding which traffic gets priority and how much bandwidth each class may use. Traffic shaping is one of these mechanisms: you control the rate of a flow so that the link is used in the best possible way, e.g. limiting the download speed of a certain computer or of a certain service such as a messaging application. A shaper holds excess traffic back in a queue and releases it at the configured rate; the related technique of policing drops the excess instead.
You can do all of these settings in your router's admin panel, e.g. giving Call of Duty higher priority than all other games. QoS basically helps you manage the available bandwidth.
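To make the shaping-versus-policing distinction concrete, here is an added Python example (not from the original notes) of the token-bucket algorithm that most shapers and policers are built on. The rate, burst size, packet sizes and arrival times are constructed, and time is passed in explicitly so the run is deterministic.

```python
"""Added example: token-bucket shaping vs. policing for one host's download traffic.

Not from the original notes. Rates, burst sizes, packet sizes and timestamps are constructed.
"""


class TokenBucket:
    """`rate` bytes per second are added to the bucket, up to a capacity of `burst` bytes."""

    def __init__(self, rate: float, burst: int):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)  # the bucket starts full, allowing an initial burst
        self.last = 0.0             # time of the last refill
        self.next_send = 0.0        # shaper only: earliest time the next packet may leave

    def _refill(self, now: float) -> None:
        # Timestamps are assumed monotonic (never earlier than the last refill).
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def police(self, size: int, now: float) -> bool:
        """Policer: a packet that fits in the bucket passes; anything else is dropped."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

    def shape(self, size: int, now: float) -> float:
        """Shaper: nothing is dropped; returns the time the packet is released.

        Excess traffic is held back until enough tokens have accrued, so once the
        initial burst is used up the output never exceeds `rate`.
        """
        t = max(now, self.next_send)  # packets leave in arrival order
        self._refill(t)
        if size > self.tokens:
            t += (size - self.tokens) / self.rate  # wait for the missing tokens
            self._refill(t)
        self.tokens -= size
        self.next_send = t
        return t


def demo() -> dict:
    # Limit one host to 1000 B/s with a 1500 B burst; four 1000 B packets arrive at once.
    shaper = TokenBucket(rate=1000, burst=1500)
    release_times = [shaper.shape(1000, now=0.0) for _ in range(4)]

    # Same limit as a policer: the fourth packet arrives a second later, after a refill.
    policer = TokenBucket(rate=1000, burst=1500)
    verdicts = [policer.police(1000, now) for now in (0.0, 0.0, 0.0, 1.0)]
    return {"shaped_release_times": release_times, "policed_verdicts": verdicts}


if __name__ == "__main__":
    print(demo())
```

With the shaper the burst of four packets is spread out to leave at 0, 0.5, 1.5 and 2.5 seconds (one packet per second after the bucket empties), which is what "limiting download speed" looks like on the wire; with the policer the same burst loses two packets outright, and only the packet that arrives after the bucket has refilled gets through.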
IDS vs. IPS
Normally in a network you have a router, which is the main point where outside traffic enters, and that router has a firewall built in to stop malicious traffic from coming in. Sometimes the firewall is a separate device sitting behind the router and doing nothing but firewalling.
Either way, we also need an IDS (intrusion detection system) to tell us that something bad is happening in the network. An IDS can be a dedicated device or a computer running IDS software; it watches traffic (or host activity) and raises alerts.
An IPS (intrusion prevention system) does the same inspection as an IDS, but it sits inline and acts to stop the attack (dropping the traffic or blocking the source) instead of only telling someone. Routers and firewalls can have an IPS built in, or it can be a separate device.
In short: a firewall filters, an IDS notifies, an IPS acts to stop.
There are two types of proxy servers: forward proxy servers and reverse proxy servers. The forward proxy is the traditional kind. With a forward proxy, the clients know about the proxy, send their requests to it, and the proxy makes the request to the destination on their behalf.
It is a dedicated box or software running on a server. It provides caching, helps with content filtering, and acts as an application-layer firewall. These are commonly used in schools and universities to block websites.
One thing you need to know is that a proxy is application-specific, e.g. a web proxy, an FTP proxy or a VoIP proxy; each application has its own kind of proxy server. With a web proxy, every client system has to be configured to point at the proxy in order to use the internet; you add that setting manually.
The alternative is a transparent proxy, where you don't have to change any client settings. But it has to sit in line between you and the internet so that everyone's traffic passes through it.
Another type of forward proxy is one hosted away from us: we first go out to the internet and then to the proxy server, which does all the work for us. To keep that leg private we create an encrypted VPN connection from our computer to the proxy.
A more anonymous way to use a proxy is the Tor network. Tor connects us to a network of thousands of volunteer relays and builds a circuit through a randomly chosen path (normally three relays), with a separate layer of encryption for each hop, so that no single relay knows both who we are and what we are accessing. This makes the traffic much harder to track.
A reverse proxy server is the inverse of a forward proxy. We have web servers, and the proxy represents the web server rather than the client. In simple words, the servers sit behind the proxy so that clients never talk to them directly.
It helps protect against attacks such as DoS, since only the proxy is exposed and it can absorb or filter abusive traffic. It can also do load balancing and caching, and it can terminate TLS (encryption offload) so that the web servers do not have to. Reverse proxies take a lot of work off the web servers.
If a lot of people are visiting your server and you want to serve all of them the same content in an easy way, you have to do load balancing. So what we do is add more servers, all of them copies of each other.
One way to spread the load is DNS: add an A record for each server and have the DNS server hand out the addresses in rotating order (round robin). Or we can use DNS delegation to send clients to different groups of servers, which mostly helps when the servers are geographically far apart. Note that DNS round robin does not know whether a server is up; clients keep being handed a dead address until its record is removed and caches expire.
For servers in the same place we can do server-side load balancing with a dedicated device, a load balancer, which talks to each server individually, checks their health, and forwards each client to a live one. Nowadays all of this is usually virtualized.
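The following added Python example (not from the original notes) puts the two approaches side by side: an authoritative DNS server rotating its A records, and a server-side load balancer that knows each backend's health and connection count. The hostname, addresses, server names and connection counts are constructed.

```python
"""Added example: DNS round robin next to a health-aware server-side load balancer.

Not from the original notes. Hostnames, addresses, server names and counts are constructed.
"""


class DnsRoundRobin:
    """Authoritative server that rotates the A records it returns for one name."""

    def __init__(self, name: str, addresses: list):
        self.name = name
        self.addresses = list(addresses)
        self.offset = 0

    def answer(self) -> list:
        # Each query gets the same record set rotated by one; most clients try the
        # first address, so load spreads across the servers over many queries.
        ans = self.addresses[self.offset:] + self.addresses[:self.offset]
        self.offset = (self.offset + 1) % len(self.addresses)
        return ans


class LoadBalancer:
    """Server-side balancer: tracks each backend's health and active connections."""

    def __init__(self, backends: list):
        self.backends = list(backends)
        self.healthy = {b: True for b in backends}
        self.active = {b: 0 for b in backends}
        self._rr = 0

    def mark(self, backend: str, healthy: bool) -> None:
        # In a real balancer this is driven by periodic health checks (TCP connect, HTTP probe).
        self.healthy[backend] = healthy

    def pick_round_robin(self):
        """Next healthy backend in rotation, or None if every backend is down."""
        for _ in range(len(self.backends)):
            b = self.backends[self._rr % len(self.backends)]
            self._rr += 1
            if self.healthy[b]:
                return b
        return None

    def pick_least_connections(self):
        """Healthy backend with the fewest active connections (ties broken by list order)."""
        live = [b for b in self.backends if self.healthy[b]]
        if not live:
            return None
        return min(live, key=lambda b: (self.active[b], self.backends.index(b)))


def demo() -> dict:
    dns = DnsRoundRobin("www.example.com", ["192.0.2.10", "192.0.2.11", "192.0.2.12"])
    answers = [dns.answer() for _ in range(3)]

    # Suppose 192.0.2.11 has crashed: DNS has no idea and keeps handing it out.
    dead = "192.0.2.11"
    dns_still_hands_out_dead = any(dead in a for a in answers)

    lb = LoadBalancer(["web1", "web2", "web3"])
    lb.mark("web2", healthy=False)            # health check failed, so web2 is skipped
    rr_picks = [lb.pick_round_robin() for _ in range(4)]

    lb.active.update({"web1": 5, "web3": 1})  # constructed connection counts
    least = lb.pick_least_connections()

    lb.mark("web1", healthy=False)
    lb.mark("web3", healthy=False)
    all_down = lb.pick_round_robin()
    return {
        "dns_answers": answers,
        "dns_still_hands_out_dead": dns_still_hands_out_dead,
        "lb_round_robin": rr_picks,
        "lb_least_connections": least,
        "lb_all_down": all_down,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26} -> {v}")
```

The contrast is the practical reason for a dedicated load balancer: DNS rotation spreads requests but cannot react to a failed server, whereas the balancer drops an unhealthy backend out of rotation immediately and can also weigh current load rather than just taking turns.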