Advanced Networking Devices (VPN, Proxy Servers and more)

This article covers what a VPN and a VLAN are, the types of switches and how switch ports can be protected, the differences between an IDS, an IPS and a firewall, the types of proxy servers, and how load balancing is done.

VPN ( Virtual Private Network )

When you are inside a network you can talk to every device connected to it. What if you are far away from your home or office and still want to talk to that network using an IP address that belongs to it? That is where a VPN comes into play.
Say our laptop is somewhere out there in an airport and we want to make it part of the office LAN. One challenge is that our network uses private IP addresses, which cannot be routed over the internet.

But we do have a public IP address provided by the airport. So we need a way to use two IP addresses at once: the public one to reach the router of our private network, and a private one to talk to the computers inside that network.
So our packet carries two sets of IP addresses: a public source and destination on the outside, and a private source and destination on the inside. When the request reaches the router of the private network, the router strips the public header and forwards the inner packet with the private addresses into the network.
When the reply comes back, something has to be smart enough to put the public header back onto that packet. That is what a VPN does: it creates a tunnel between the client and an endpoint, which is usually a router. A client VPN connection can easily be created on every mainstream operating system.
On the other end you have to set up a router with a VPN concentrator, or a dedicated device built only for this purpose, and configure it; this acts as the other VPN endpoint. We can also place VPN concentrators on two networks and join them no matter how far apart they are. This is called a site-to-site VPN.
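The two-header packet described above, as an added example that is not part of the original article: plain IP-in-IP encapsulation, where the client wraps the private packet in an outer header carrying the public addresses and the VPN endpoint strips it again. The addresses are constructed; a real VPN also encrypts the inner packet, which this deliberately leaves out.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 1071); a valid header sums to 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _ip2b(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header; proto 4 = IP-in-IP (outer), 6 = TCP (inner)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, _ip2b(src), _ip2b(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])),
            "proto": f[6], "total_len": f[2]}

def encapsulate(inner: bytes, pub_src: str, pub_dst: str) -> bytes:
    """Client side: wrap the private packet in an outer header with the public addresses."""
    return build_ipv4_header(pub_src, pub_dst, len(inner), 4) + inner

def decapsulate(outer: bytes) -> bytes:
    """Endpoint side: verify and strip the outer header, hand the inner packet to the LAN."""
    if ipv4_checksum(outer[:20]) != 0:
        raise ValueError("outer header checksum failed")
    if parse_ipv4_header(outer)["proto"] != 4:
        raise ValueError("not a tunnelled packet")
    return outer[20:]

# Constructed sample: the laptop (10.0.0.50 inside the tunnel) talks to the file server
# 10.0.0.10; on the internet the packet travels from the airport's public 203.0.113.7
# to the office VPN endpoint 198.51.100.1.
INNER = build_ipv4_header("10.0.0.50", "10.0.0.10", 5, 6) + b"hello"
OUTER = encapsulate(INNER, "203.0.113.7", "198.51.100.1")

if __name__ == "__main__":
    print("on the internet:", parse_ipv4_header(OUTER))
    print("inside the LAN: ", parse_ipv4_header(decapsulate(OUTER)))
```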

VLANs

A VLAN splits one broadcast domain into two or more broadcast domains. It is like creating a switch inside a switch. For example, with a 24-port switch we can use VLANs to divide the ports, setting 10 ports as one switch and the other 14 as another. Now we have two switches, one with 14 ports and the other with 10.
To configure this we assign an IP address to the switch. Normally switches have nothing to do with IP, but we give the switch an address so that we can use it to open the configuration interface, just as we do with routers.
Remember that managed switches support VLANs; unmanaged switches do not. Switches have another option called trunking, which carries the traffic of every VLAN over the ports set as trunk ports. For example, with two connected switches A and B, if we set ports 4, 5, 6 and 7 on A as a separate VLAN and then put other ports, say 9, 10 and 11 of switch B, into that same VLAN, the trunk link automatically lets them talk to each other.
Now, if you want these two separate networks to talk to each other, the old way is to use a router to interconnect the two VLANs. The problem is that as the number of VLANs grows you have to add more and more routers. So instead we use inter-VLAN routing: in the switch configuration we simply turn the inter-VLAN routing option on.

Interfacing with Managed Switches

The main difference is that a router uses IP addresses to filter traffic while a switch uses MAC addresses. To configure either one we need to know the IP address at which we can reach it. One thing common to both is the console port, which can be used to configure routers and switches.
You just plug a rollover cable into the console port on one end and into the laptop on the other; the downside is that console connections are very slow. The alternative is to connect the laptop to the router or switch over the network and log in using Telnet (Telnet sends the login in plain text, so SSH is the usual choice where it is available).

Switch Port Protection

There are two kinds of ports: the physical port on a switch where you plug in the cable, and the logical port you use together with an IP address. Here we are going to talk about switch ports, how to protect them, and what problems you can run into while using a switch.

Switch ports do not use IP and do not work at layer 3. Now let's talk about switch port protection. When you connect switches together, make sure you avoid a bridging loop: switches joined by more than one path, so that frames circulate between them endlessly. The image below shows what a bridging loop looks like.

If someone has accidentally created one, the Spanning Tree Protocol (STP) automatically detects the loop and turns off one of the ports so that the loop is broken.

When you connect three switches, one of them becomes the root bridge (the root switch) to which the other two are connected. An attacker can plug in a switch lower down and claim to be the root switch. This can compromise the network, because the attacker's switch would then be treated as the root.

The solution is root guard: it remembers the MAC address of the root switch, and if another device shows up claiming to be the root switch, its connection is turned off automatically.

Another problem: most ports on a switch are meant for computers, and only a few connect to other switches. Someone can plug a switch into a port that is only supposed to serve a computer. To prevent this there is BPDU guard (BPDU stands for Bridge Protocol Data Unit, the frame switches exchange for STP), which automatically turns off a port if a switch is connected in place of a computer.

DHCP snooping addresses another issue: there should be only one DHCP server in a broadcast domain, yet it is easy to plug a second DHCP server into another port. With DHCP snooping we configure the switch, telling it which port is directly connected to the legitimate DHCP server.

If someone then tries to plug in another one, the switch automatically detects the rogue DHCP server and shuts off DHCP on the offending port.
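Added example (not code from the article): a small model of the three protections just described, BPDU guard, root guard and DHCP snooping, as a per-port policy applied to a constructed sequence of frames. Port names, the root bridge ID and the frame contents are all made up for the illustration.

```python
from dataclasses import dataclass

# Constructed: bridge ID of the legitimate root switch (STP priority 0x8000, then its MAC).
KNOWN_ROOT_ID = "8000.0011.2233.4455"

@dataclass
class Port:
    name: str
    bpdu_guard: bool = False    # PC-facing port: any BPDU means a switch was plugged in
    root_guard: bool = False    # uplink: refuse a BPDU claiming a better root than ours
    dhcp_trusted: bool = False  # only trusted ports may carry DHCP server replies
    disabled: bool = False      # err-disabled until an admin recovers it

def bridge_id_is_superior(candidate: str, current: str) -> bool:
    # STP elects the lowest bridge ID (priority, then MAC); with the fixed-width
    # "pppp.mmmm.mmmm.mmmm" format a plain string compare gives the right answer.
    return candidate < current

def handle_frame(port: Port, frame: dict) -> str:
    """Decide what the switch does with one frame arriving on `port`."""
    if port.disabled:
        return "drop"
    if frame["type"] == "bpdu":
        if port.bpdu_guard:
            port.disabled = True          # BPDU guard: shut the port, a switch is on it
            return "err-disable"
        if port.root_guard and bridge_id_is_superior(frame["root_id"], KNOWN_ROOT_ID):
            return "root-inconsistent"    # root guard: block while the rogue claim lasts
        return "forward"
    if frame["type"] in ("dhcp-offer", "dhcp-ack") and not port.dhcp_trusted:
        return "drop"                     # DHCP snooping: server reply on an untrusted port
    return "forward"

def run_sample() -> list:
    """Constructed frames hitting two PC ports and one uplink; returns the actions taken."""
    pc1 = Port("Gi0/1", bpdu_guard=True)
    pc2 = Port("Gi0/2", bpdu_guard=True)
    uplink = Port("Gi0/24", root_guard=True, dhcp_trusted=True)
    frames = [
        (pc1, {"type": "data"}),
        (pc1, {"type": "bpdu", "root_id": "8000.aaaa.bbbb.cccc"}),   # switch plugged into a PC port
        (pc1, {"type": "data"}),                                      # port is now err-disabled
        (uplink, {"type": "bpdu", "root_id": KNOWN_ROOT_ID}),         # the real root, as usual
        (uplink, {"type": "bpdu", "root_id": "1000.dead.beef.0001"}), # rogue claim, priority 0x1000
        (pc2, {"type": "dhcp-offer"}),                                # rogue DHCP server on a PC port
        (uplink, {"type": "dhcp-offer"}),                             # reply from the real server
    ]
    return [handle_frame(p, f) for p, f in frames]
```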

Port Bonding

Port bonding joins two different ports that link two switches together so that they act as one faster port. To do this you go into the configuration and make a few settings: you take the ports, make them into one group, and assign the individual ports to that group.

Remember: port bonding links switch ports to increase bandwidth. Always use LACP as the trunking (link aggregation) protocol on your switch and set the ports to active.

Port Mirroring

You can set a port to send a copy of the traffic passing through it to a monitoring system. This option is available on managed switches and is enabled from the switch's configuration menu. Copying the traffic this way is called port mirroring, and it lets us remotely monitor the data going in and out of a particular source.

Quality of Service

Traffic shaping means controlling traffic so that the available bandwidth is used in the best possible way, for example limiting the download speed of a certain computer, or of a particular service such as a messenger app. Quality of Service (QoS) is the mechanism by which we perform traffic shaping.

All of these settings live in your router's admin panel, for example giving Call of Duty higher priority than all other games. QoS basically helps you manage the available bandwidth.
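One way a router can enforce the "limit the download speed of a certain computer" kind of shaping is a token bucket per host. This is an added example, not the article's or any router vendor's code; the host names, rates and packet timings are constructed.

```python
class TokenBucket:
    """Token bucket: `rate_bps` sustained, with up to `burst_bytes` allowed on top."""
    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate = rate_bps / 8          # tokens are bytes, so convert bits/s to bytes/s
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)  # start full so the first burst goes through
        self.last_ms = 0

    def allow(self, now_ms: int, size: int) -> bool:
        # Refill for the time elapsed since the last packet, never beyond the burst size.
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate / 1000)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False          # over the limit: the router queues or drops this packet

def shape(packets, limits) -> dict:
    """packets: (time_ms, host, size_bytes) in time order; limits: host -> (rate_bps, burst).
    Returns host -> (packets_sent, packets_shaped). Hosts without a limit are untouched."""
    buckets = {host: TokenBucket(*lim) for host, lim in limits.items()}
    stats = {}
    for t, host, size in packets:
        sent, shaped = stats.get(host, (0, 0))
        ok = host not in buckets or buckets[host].allow(t, size)
        stats[host] = (sent + 1, shaped) if ok else (sent, shaped + 1)
    return stats

# Constructed sample: two PCs each send a 500-byte packet every 100 ms for two seconds
# (5000 B/s each); the router limits lab-pc-7 to 8 kbit/s (1000 B/s) with a 1500-byte burst.
SAMPLE_PACKETS = sorted((i * 100, host, 500) for i in range(20) for host in ("lab-pc-7", "lab-pc-8"))
LIMITS = {"lab-pc-7": (8000, 1500)}
```

After the initial burst lab-pc-7 gets one packet through every 500 ms, i.e. the configured 1000 B/s, while lab-pc-8 is untouched.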

IDS vs. IPS

Normally a network has a router that is the main entry point for outside traffic, and that router has a firewall built in to keep malicious data out. Sometimes the firewall is a separate device sitting behind the router that does nothing but firewalling.

In that case, we need an IDS (intrusion detection system) to tell the firewall that something bad is happening in the network. An IDS can be a dedicated device or a computer in your network running IDS software.

An IPS (intrusion prevention system) does the same detection as an IDS, but instead of only telling someone it acts to stop the attack. An IPS can be built into a router or firewall, or run as a separate device.

In short: a firewall filters, an IDS notifies, an IPS acts to stop.
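The IDS/IPS distinction in code, as an added example that is not from the article: the same two signatures are run over a few constructed access-log lines, and the only difference between the modes is whether a match raises an alert or also drops the request before it reaches the web server.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed signatures; the same rules are used whether we run as an IDS or an IPS.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}

@dataclass
class Verdict:
    line: str
    signature: Optional[str]   # which rule fired, if any
    action: str                # "pass", "alert" (IDS) or "drop" (IPS)

def inspect(line: str, mode: str) -> Verdict:
    for name, rx in SIGNATURES.items():
        if rx.search(line):
            # Detection is identical in both modes; only what happens next differs.
            return Verdict(line, name, "alert" if mode == "IDS" else "drop")
    return Verdict(line, None, "pass")

def run(lines: List[str], mode: str) -> Tuple[List[str], List[str]]:
    """Returns (requests that reached the web server, alerts raised)."""
    verdicts = [inspect(line, mode) for line in lines]
    delivered = [v.line for v in verdicts if v.action != "drop"]
    alerts = [f"{v.signature}: {v.line}" for v in verdicts if v.signature]
    return delivered, alerts

# Constructed request lines, as seen on a mirrored port (IDS) or inline (IPS).
SAMPLE_LOG = [
    "198.51.100.23 GET /index.html",
    "198.51.100.23 GET /static/../../etc/passwd",
    "203.0.113.9 GET /login?user=admin' OR 1=1--",
    "203.0.113.9 GET /about",
]

if __name__ == "__main__":
    for mode in ("IDS", "IPS"):
        delivered, alerts = run(SAMPLE_LOG, mode)
        print(mode, "delivered", len(delivered), "alerts", len(alerts))
```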

Proxy Servers

There are two types of proxy server: forward proxies and reverse proxies. Forward proxies are the older kind. With a forward proxy the clients know about the proxy, send their requests to it, and the proxy acts on the request on their behalf.

It can be a dedicated box or software running on a server. It provides caching, helps with content filtering, and acts as a firewall. Forward proxies are mostly used in schools and universities for blocking websites and the like.

One thing to know is that a proxy is application-specific: there are web proxies, FTP proxies, VoIP proxies and so on, one for each application. In the case of a web proxy, every system has to be configured to use it before it can reach the internet, and that configuration is added manually.

The alternative is a transparent proxy, which needs no client settings. It has to sit inline between you and the internet, so that everyone's traffic has to pass through it.

Another type of forward proxy we run into is one located away from us: we first go out to the internet and then to the proxy server, which does all the work for us. For this we create an encrypted VPN connection from our computer to the proxy.

A more secure way to use a proxy is the Tor proxy. Tor connects us to a network of nodes made up of hundreds of computers and randomly selects a path through them to reach our target, which makes the traffic much harder to track.

A reverse proxy server is the inverse of a forward proxy. Here the proxy represents the web server rather than the client. In simple words, the servers sit behind a proxy that hides them.

It helps protect against attacks such as DoS and provides a high level of security. It also handles load balancing and caching, and can take care of encryption acceleration (for example TLS termination). Reverse proxies take a lot of work off the web servers.

Load Balancing

If a lot of people are visiting your server and you want to serve all of them equally well, you have to do load balancing. What we do is add more servers, each of them a copy of the others.

One way to spread the load is with the DNS server: add a record for each server and hand them out in turn using the round-robin technique. Alternatively we can use DNS delegation for load balancing, which mostly helps when the servers are far apart from each other.

For servers that are in the same place, we can do server-side load balancing with a smart device called a load balancer, which talks to each server individually. Nowadays all of this is virtualized.
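Both approaches from this section in miniature, as an added example that is not code from the article: a DNS round robin that rotates the A records on every query, and a server-side load balancer that can do what plain DNS round robin cannot, namely skip a copy of the server that its health check has marked down. The name and addresses are constructed.

```python
from collections import deque
from typing import List, Optional

class RoundRobinDNS:
    """DNS round robin: every query for the name gets the same A records, rotated by one,
    so successive clients start with a different server."""
    def __init__(self, name: str, addresses: List[str]):
        self.name = name
        self.records = deque(addresses)

    def resolve(self, qname: str) -> List[str]:
        if qname != self.name:
            return []
        answer = list(self.records)
        self.records.rotate(-1)   # front record moves to the back for the next query
        return answer

class LoadBalancer:
    """Server-side balancer: round-robins over the backends it talks to, skipping any
    that health checks have marked down; DNS alone keeps handing out a dead address."""
    def __init__(self, backends: List[str]):
        self.backends = list(backends)
        self.healthy = {b: True for b in backends}
        self.next_idx = 0

    def health_check(self, backend: str, is_up: bool) -> None:
        self.healthy[backend] = is_up

    def pick(self) -> Optional[str]:
        for _ in range(len(self.backends)):
            candidate = self.backends[self.next_idx % len(self.backends)]
            self.next_idx += 1
            if self.healthy[candidate]:
                return candidate
        return None   # every copy of the server is down

# Constructed: three identical copies of the web server behind one name.
SERVERS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
```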
