Network Security Topologies

From Techotopia


In this chapter of Security+ Essentials the topic of security as it pertains to network topologies will be explored. Topologies are created by dividing networks into security zones, providing both a multi-layered defense strategy and different levels of security commensurate with the purpose of each specific zone (for example, less security is necessary for a public web server than for an internal server containing sensitive customer information).

Demilitarized Zone (DMZ)

The acronym DMZ originates from the military term Demilitarized Zone, which refers to an area declared as a buffer between two sides in a war. In IT security the term DMZ is used to refer to what is essentially a buffer between the internet and the internal network. The DMZ is separated by an outer firewall on the internet-facing side of the DMZ and an inner firewall on the internal network side of the DMZ. Any devices placed within the DMZ are accessible from both the internet and the internal network. There is, however, no direct communication from the internet through the DMZ to the internal network.

Any systems placed in the DMZ must be configured to the highest level of security possible (with the caveat that they must still be able to perform the role for which they are intended). These systems should always be assumed to be compromised and must never be given direct and unrestricted access to the inner network. Servers typically placed in the DMZ are web, FTP, email and remote access servers.
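The zone rules described above, as an added example (not code from the original page): a small policy evaluator that classifies addresses into the internal, DMZ and internet zones and applies the two-firewall rules, including the "DMZ hosts are assumed compromised, so nothing inbound to the internal network" rule. The address plan (10.0.0.0/8 internal, 192.0.2.0/24 DMZ) and the published DMZ ports are constructed assumptions.

```python
import ipaddress
from typing import Tuple

# Constructed address plan (assumption, not from the page): the internal network is
# 10.0.0.0/8, the DMZ is 192.0.2.0/24, and anything else is treated as the internet.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Services the DMZ hosts are allowed to publish to the internet (assumed: web and SMTP).
DMZ_PUBLISHED_PORTS = {80, 443, 25}

# What each firewall permits between zones; pairs not listed fall through to default deny.
POLICY = {
    ("internet", "dmz"): "published_only",   # outer firewall
    ("internal", "dmz"): "allow",            # inner firewall
    ("internal", "internet"): "allow",       # outbound through both firewalls
    ("dmz", "internal"): "deny",             # DMZ hosts are assumed compromised
    ("internet", "internal"): "deny",        # no direct path through the DMZ
}


def zone_of(ip: str) -> str:
    """Classify an address into internal, dmz or internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for a flow, applying the zone policy above."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True, f"{src} to {src}: same zone, not mediated by the firewalls"
    rule = POLICY.get((src, dst), "deny")
    if rule == "allow":
        return True, f"{src} to {dst}: permitted"
    if rule == "published_only":
        ok = dst_port in DMZ_PUBLISHED_PORTS
        return ok, f"{src} to {dst}: port {dst_port} {'is' if ok else 'is not'} a published service"
    return False, f"{src} to {dst}: denied"


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", 443), ("192.0.2.10", "10.1.2.3", 3306),
                 ("203.0.113.5", "10.1.2.3", 80)]:
        print(flow, evaluate(*flow))
```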

The Internet

The internet is the name given to the entire public network which provides the infrastructure for the transfer of data between remote points. Such data can take the form of email, web pages, files, multi-media and just about anything else that exists in digital form.

Whilst the internet seems like one giant network it is in reality a mesh of interconnected networks held together by routers which control and direct the flow of data from point to point until it reaches its destination.

The internet is completely open and as such there is no way to control what takes place on it. Whilst much of the activity on the internet is harmless it is also a fertile breeding ground for those with malicious intentions. It is for this reason that any computers or networks with access to the internet must be protected by a firewall.

Intranet

An intranet can be described as a mini-internet built within the safety of a secure networking environment. Intranets are typically used to provide internal corporate web sites for employee-only access. Because the intranet servers have internal, private IP addresses and reside behind firewalls they are generally not accessible to the outside world. If external access to an intranet is needed, this is best achieved through the implementation of a Virtual Private Network (VPN).

Extranet

An extranet is a portion of an intranet which is made accessible to external partners. Access to an extranet is typically controlled by strict levels of authentication and authorization through the use of VPNs, firewalls and security policies.

Virtual Local Area Network (VLAN)

A local area network (LAN) is typically a collection of devices connected to a single switch. A virtual local area network (VLAN) typically involves grouping devices on a single switch into multiple broadcast domains and network segments. This provides a way to limit broadcast traffic on each segment of the network (improving overall performance) and increased security through the deployment of multiple isolated LANs on a single switch. A concept known as trunking can be used to create a VLAN which spans multiple switches. This enables users to be grouped on VLANs based on function rather than by physical location. For example all members of the accounting department can be placed in the same VLAN regardless of the switches to which they are physically connected.

Network Address Translation (NAT)

Network Address Translation (NAT) provides a mechanism for using two sets of IP addresses for internal network devices, one set for internal use and another for external use. NAT was originally developed to address the problem that the supply of available IPv4 addresses is running out.

NAT translation typically takes place at a router or firewall and allows internal networks to assign so-called non-routable or private IP addresses for internal devices whilst using a single IP address for external communication across the internet.

Private IP addresses fall into specific ranges known as classes. Each of the following classes is considered to be non-routable on the internet:

  • Class A - - Valid IP addresses are from to
  • Class B - - Valid IP addresses are from to
  • Class C - - Valid IP addresses are from to
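As an added example (not code from the original page), the following models what a NAT router does with those private ranges: it checks that a source address is in one of the RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), rewrites outbound flows to a single shared public address with an allocated port, and only translates a reply back if it comes from the host the private client contacted, so unsolicited internet traffic has no state and is dropped. The public address and port range are constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# RFC 1918 private ranges (the class A, B and C private blocks).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


def is_private(ip: str) -> bool:
    """True if the address is in one of the non-routable private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class NatRouter:
    """Port address translation: many private hosts share one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip          # constructed: the router's single external address
        self.next_port = first_port
        self.out_map: Dict[Flow, int] = {}  # private flow -> allocated public port
        self.in_map: Dict[int, Flow] = {}   # public port -> private flow

    def translate_out(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Rewrite the source of an outbound packet to the shared public address."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.out_map:        # first packet of the flow: allocate a port
            self.out_map[flow] = self.next_port
            self.in_map[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.out_map[flow], dst_ip, dst_port)

    def translate_in(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Flow]:
        """Map a reply back to the private host, or None if no state matches.

        A packet is only accepted if it comes from the host and port the private
        client contacted; unsolicited internet traffic has no entry and is dropped.
        """
        flow = self.in_map.get(dst_port)
        if flow is None or (src_ip, src_port) != (flow[2], flow[3]):
            return None
        return (src_ip, src_port, flow[0], flow[1])
```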

Tunneling

Tunneling involves the packaging of data packets so that they can securely traverse a public network. In essence, the packets of one protocol are encapsulated in the packets of another protocol. An example is the Point-to-Point Tunneling Protocol, which encapsulates its own packets into the TCP/IP protocol. Encapsulation is often combined with encryption to increase the level of security.
