Network+ Guide to Networks, 8th Edition 10-1
Chapter 10
Security in Network Design
At a Glance
Instructor’s Manual Table of Contents
Overview
Objectives
Teaching Tips
Quick Quizzes
Class Discussion Topics
Additional Projects
Additional Resources
Key Terms
Lecture Notes
Overview
In this chapter, we dig in behind-the-scenes to see what security precautions IT professionals
need to implement on a network to help keep it secure. We’ll begin with a discussion of
network security devices, which is a category that includes far more than just firewalls. We’ll
Chapter Objectives
After reading this chapter and completing the exercises, the student will be able to:
Describe the functions and features of various network security devices
Implement security precautions on a switch
Teaching Tips
Network Security Devices
1. Explain that proxy servers and ACLs on network devices are examples of non-security
Proxy Servers
2. State the important function of a proxy server – preventing the outside world from
3. Use Figure 10-1 to illustrate how a proxy server might fit into a WAN design.
4. Explain that a reverse proxy provides services to Internet clients from servers on its own
ACLs (Access Control Lists) on Network Devices
2. Describe a router’s main function, which is to examine packets and determine where to
direct them based on their Network layer addressing information.
4. Discuss some of the variables an ACL uses to instruct a router to permit or deny traffic.
6. Note that an access list may contain many different statements.
7. Point out that the more statements or tests the router must scan, the more time it takes the
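To make the permit/deny walk concrete, here is an added example (not code from the textbook) of a first-match ACL evaluator in Python; the entry fields, sample networks and packets are constructed for illustration. It also shows why statement order matters: the same three statements in the wrong order let a blocked host through.

```python
# Added example (not from the textbook): a first-match ACL evaluator that walks
# an access list top to bottom the way a router does, ending in an implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                         # source network in CIDR form
    dst: str                         # destination network in CIDR form
    dst_port: Optional[int] = None   # None means any destination port

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None

def matches(entry: AclEntry, pkt: Packet) -> bool:
    """Test one statement against the packet's Network/Transport-layer fields."""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(entry.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(entry.dst):
        return False
    return entry.dst_port is None or entry.dst_port == pkt.dst_port

def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, int]:
    """Return (action, statements scanned). The first matching statement wins;
    a packet that matches nothing hits the implicit deny at the end of the list."""
    for scanned, entry in enumerate(acl, start=1):
        if matches(entry, pkt):
            return entry.action, scanned
    return "deny", len(acl)

# Constructed sample lists (addresses from the RFC 5737 documentation range).
# Correct order: the host-specific deny sits above the broader permits.
ACL = [
    AclEntry("deny", "ip", "10.0.0.5/32", "0.0.0.0/0"),
    AclEntry("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", 443),
    AclEntry("permit", "udp", "10.0.0.0/8", "0.0.0.0/0", 53),
]
# Same statements, wrong order: the permit now shadows the deny for 10.0.0.5.
MISORDERED = [ACL[1], ACL[0], ACL[2]]

if __name__ == "__main__":
    blocked = Packet("tcp", "10.0.0.5", "203.0.113.10", 443)
    print(evaluate(ACL, blocked), evaluate(MISORDERED, blocked))
```

The second value returned by `evaluate` is the number of statements the router had to scan, which is the cost the teaching point above refers to.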
Firewalls
1. Define and describe a firewall.
2. Describe where a firewall typically resides in a network. Use Figure 10-3 to illustrate
the placement of a firewall between a private network and the Internet.
4. Mention that many forms of firewalls exist, such as network-based and host-based
firewalls.
5. Define and explain a packet-filtering firewall.
6. Mention that firewalls ship with a default configuration designed to block the most
7. Discuss common criteria a packet-filtering firewall might use to accept or deny traffic.
8. Describe port blocking and discuss its importance in preventing security breaches.
9. Describe the many factors to consider when choosing a firewall that performs more
complex functions.
10. Define Unified Threat Management (UTM) as a security strategy that combines
multiple layers of security appliances and technologies into a single safety net.
11. Explain that a newer technology, known as Next Generation Firewalls (NGFW), has
built-in Application Control features and is application aware. Discuss the following
innovative features:
12. Point out that the most common cause of firewall failure is firewall misconfiguration.
Mention that you might need to create exceptions to rules and that configuring an
enterprise-level firewall could take weeks to achieve the best results.
Teaching Tip
Perform an in-class demonstration by navigating to the Cisco IOS Firewall
Introduction page at
IDS (Intrusion Detection System)
1. Define and describe an IDS (intrusion detection system).
2. Compare an IDS to a router’s ACL or firewall.
3. Use the right side of Figure 10-10 to demonstrate how an IDS detects traffic patterns.
5. Explain that one technique a NIDS might use to monitor traffic carried by a switch is
port mirroring. Discuss this technique with students.
IPS (Intrusion Prevention System)
1. Define and describe an IPS (intrusion-prevention system).
2. Emphasize that an IPS can react when alerted to suspicious activity.
3. Use Figure 10-10 to illustrate the placement of an IDS/IPS device on a private network
5. Define and describe a DMZ (demilitarized zone). Use Figure 10-11 to discuss the
placement of IPS devices and software on a network.
SIEM (Security Information and Event Management)
1. Explain that SIEM systems can be configured to evaluate data generated from IDS, IPS,
firewall, and proxy server logs.
2. Mention that the capability required of the SIEM is determined by the amount of
3. Explain that the network administrator can fine-tune a SIEM’s configuration rules for
Switch Management
1. Point out that this section covers how paths between switches are managed and also
examines switch security concerns.
Switch Path Management
1. Use Figure 10-12 to demonstrate a traffic loop.
2. Introduce and define STP (Spanning Tree Protocol).
4. Use Figure 10-13 to illustrate STP-selected paths on a switched network.
5. Explain that STP information is transmitted between switches via BPDUs (Bridge
Protocol Data Units). Discuss the following security precautions that must be
configured on STP-enabled devices:
6. Review the history of STP.
7. Discuss the newer protocols, such as RSTP, MSTP, TRILL, and SPB. Point out how
SPB, which is a descendent of STP and meant to replace it, differs from STP.
Switch Port Security
1. Explain that unused switch, router, or server ports can be accessed and exploited by
3. Mention that many Huawei, Arista, Juniper, and Cisco devices offer a type of flood
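As an added illustration for the switch port security discussion (this is example code, not the textbook's or any vendor's), the following Python simulation models a port that caps the number of learned MAC addresses, applies a violation mode, and evaluates storm control per one-second interval; port names, MAC addresses and frame counts are constructed sample values.

```python
# Added example (not from the textbook): a simulated switch port that enforces
# port security (a cap on learned MAC addresses with a violation mode) and
# storm control evaluated over one-second intervals.
from typing import List, Set

class SecurePort:
    def __init__(self, name: str, max_macs: int = 1, violation: str = "shutdown"):
        self.name = name
        self.max_macs = max_macs
        self.violation = violation          # "protect", "restrict" or "shutdown"
        self.secure_macs: Set[str] = set()  # sticky-learned source addresses
        self.err_disabled = False           # shutdown mode places the port here
        self.violations = 0                 # restrict/shutdown modes count each violation

    def frame_in(self, src_mac: str) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(src_mac)   # learn until the cap is reached
            return True
        # An unknown source beyond the cap is a violation; "protect" drops silently.
        if self.violation == "restrict":
            self.violations += 1
        elif self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True        # needs an administrator to re-enable
        return False

def storm_control(broadcasts_per_second: List[int], threshold: int) -> List[int]:
    """For each one-second interval, return how many broadcast frames are
    suppressed once the interval's count passes the configured threshold."""
    return [max(0, count - threshold) for count in broadcasts_per_second]

if __name__ == "__main__":
    port = SecurePort("Gi0/1", max_macs=2)
    # Constructed sample: two legitimate hosts, then a third device plugged in.
    for mac in ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]:
        print(mac, port.frame_in(mac), "err-disabled" if port.err_disabled else "up")
    print(storm_control([50, 1500, 20], threshold=1000))
```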
Quick Quiz 1
1. What command is used to assign a statement to an already-installed ACL?
2. True or False: Packet-filtering firewalls cannot distinguish between a user who is trying
to breach the firewall and a user who is authorized to do so.
3. True or False: An IDS can react when alerted to suspicious activity.
4. Which of the following is used to disable STP on specific ports?
a. BPDU guard
b. BPDU filter
c. BPDU protocol
d. root guard
5. Which of the following switch security options monitors network traffic at one-second
intervals to determine if the traffic levels are within acceptable thresholds?
a. STP
b. BPDU
c. storm control
AAA (Authentication, Authorization, and Accounting)
1. Explain that controlling users’ access to a network and its resources consists of three
major elements:
a. authentication
b. authorization
c. accounting
Authentication
1. Point out that a user can be authenticated to the local device or to the network.
2. Mention that local authentication has both advantages and disadvantages:
a. low security
b. convenience varies
c. reliable backup access
4. Demonstrate how to switch from local authentication to network authentication on a
Windows computer.
5. Review the following additional authentication restrictions that strengthen network
security:
a. time of day
b. total time logged on
Authorization
1. Discuss the most popular authorization method, which is RBAC (role-based access
control).
2. Introduce the concept of role separation, which restricts each user to membership in a
single group in order to perform any tasks at all.
Accounting
1. Demonstrate using Windows Event Viewer to view Windows logs, which can be used
to identify interesting or suspicious events.
NAC (Network Access Control) Solutions
1. Define network access control (NAC) as a solution that employs a set of rules, called
2. Explain that software, called an agent, might need to be installed on a device in order
for the device to be authenticated. Describe the two types of agents commonly used:
3. Point out that Windows Active Directory allows for agentless authentication.
4. Describe how a guest device can be granted limited access to a NAC-protected network.
Access Control Technologies
1. Explain that several types of authentication services and protocols exist. These
Directory Services
1. Point out to students that in order for clients to authenticate to network resources, some
sort of directory server on the network must maintain a database of account information.
2. Explain that the two most common directory services are Windows AD (Active
3. Discuss LDAP (Lightweight Directory Access Protocol) as a standard protocol for
Kerberos
1. Define Kerberos as a cross-platform authentication protocol that uses key encryption to
2. Note that Kerberos is an example of a private key encryption service.
3. Introduce students to some of the terms used when discussing Kerberos:
4. Discuss the two services that a Kerberos server runs:
5. Explain that the purpose of Kerberos is to connect a valid user with a network service
6. Use Figure 10-21 to demonstrate how TGS works. Describe the process Kerberos
requires for client/server communication as outlined in the steps on pages 588-589 of
the text.
Teaching Tip
Point out that Kerberos was named after the three-headed dog in Greek
mythology who guarded the gates of Hades and was designed at MIT
(Massachusetts Institute of Technology). MIT still provides free copies of the
Kerberos code. In addition, many software vendors have developed their own
versions of Kerberos.
SSO (Single Sign-On)
2. Point out that the primary advantage of SSO is convenience. Further discuss that the
3. Explain that an authentication process that requires two or more pieces of information is
4. Discuss the categories of authentication factors:
something you know
5. Explain that MFA requires at least one authentication method from at least two different
categories. Use Figure 10-27 in your discussion.
RADIUS (Remote Authentication Dial-In User Service)
1. Explain that RADIUS is the most popular AAA service.
3. Explain that RADIUS can operate as a software application on a remote access server or
on a computer dedicated to this type of authentication, called a RADIUS server.
4. Explain why RADIUS is more secure than a simple remote access solution.
TACACS+ (Terminal Access Controller Access Control System Plus)
1. Mention that TACACS+ (Terminal Access Controller Access Control System Plus) is a
similar but modified earlier version of centralized authentication.
2. Discuss the differences of TACACS+ versus RADIUS:
a. Relies on TCP, not UDP
Wireless Network Security
1. Remind students that a significant disadvantage of WEP was that it used a shared
encryption key for all clients and the key might never change.
2. Discuss the two WEP forms of authentication that were not secure:
WPA (Wi-Fi Protected Access)
1. Introduce students to TKIP (Temporal Key Integrity Protocol), which accomplished
three significant improvements over WEP:
2. Explain that the encryption protocol in WPA was replaced by a stronger encryption
WPA2 (Wi-Fi Protected Access, version 2)
1. Explain that CCMP improves wireless security for newer devices that can use WPA2.
2. Discuss the following provided by CCMP:
Personal and Enterprise
2. Discuss the authentication mechanism known as EAP (Extensible Authentication
Protocol). Explain how it is used with a RADIUS server.
3. Use Figure 10-29 to discuss the three main EAP entities:
a. supplicant
4. Use Figure 10-30 to show the steps involved in EAP communications.
5. Explain that EAP was adapted to work on both wired and wireless LANs in the 802.1X
standard and is known as EAPoL (EAP over LAN).
7. Explain that EAP-TLS uses TLS encryption to protect communications. Discuss some
8. Point out that PEAP (Protected EAP) creates an encrypted TLS tunnel between the
9. Discuss the EAP-FAST (EAP-Flexible Authentication via Secure Tunneling) protocol.
Quick Quiz 2
1. Which of the following processes determines what a user can and cannot do with
network resources?
a. authentication
b. accounting
c. acceptability
d. authorization
2. Which of the following methods of access control is considered to be the least secure
method?
a. DAC (discretionary access control)
b. RBAC (role-based access control)
c. NAC (network access control)
d. MAC (mandatory access control)
3. A network access control (NAC) solution employs a set of rules, called _____, which
determine the level and type of access granted to a device when it joins a network.
4. A Kerberos client or user is known as which of the following?
a. ticket
b. supplicant
c. principal
d. token
5. Which of the following protocols has the characteristic of being certificate-based?
a. WEP
b. EAP-TLS
c. PEAP
d. EAP-FAST
Class Discussion Topics
1. Discuss the differences between the use of ACLs versus the use of firewalls for network
security. In what situations would the use of ACLs be an advantage over using a
hardware firewall?
2. As a class, discuss the differences between an IDS and an IPS. Discuss examples of
Additional Projects
1. Have students research the latest developments in Wireless network security. Students
2. Give students a scenario of an enterprise network design that does not include any
network access control technologies. Students should then propose what network access
Additional Resources
1. Firewall Solutions for Small Businesses
2. Lock Down Cisco Switch Port Security
4. Intrusion Detection and Prevention
5. 802.11 Wireless Network Security Standards & Mechanisms
Key Terms
For definitions of key terms, see the Glossary near the end of the book.
alert
authentication server
authenticator
authorization
BPDU (Bridge Protocol Data Unit)
EAP-TLS
EAPoL (EAP over LAN)
FIM (file integrity monitoring)
geofencing
Group Policy
MAC address table
MAC (mandatory access control)
MFA (multifactor authentication)
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2)
OSA (Open System Authentication)
PAP (Password Authentication Protocol)
password policy
PEAP (Protected EAP)
persistent agent
root guard
RSTP (Rapid Spanning Tree Protocol)
security token
SIEM (Security Information and Event Management)
signature