Principles of Microsoft Windows Network Security

A secure Microsoft Windows network allows access on demand to resources for authorized users while denying access for unauthorized users. While the goal is similar to securing a single computer, putting that goal into practice involves more types of controls. Setting up a network exposes all resources in the network to security threats. Securing a Microsoft Windows network requires attention to three main types of vulnerabilities:

  • Physical and logical access—Locate important computers and devices in physically secure areas and limit access to them. Separate networks logically into smaller segments to control resource access. Logically separating networks is beneficial when you need to keep groups of devices separate. This is common in larger networks.

  • Traffic flow—Use firewalls and other types of filters to discard unauthorized traffic on a network. Filters should exist at all network boundaries and between segments to control network ingress and egress.

  • Computer and device security—Ensure each computer and device on the network is prepared to handle any known attack. Any computer or device that does not have proper security controls deployed poses a threat to the entire network.

Securing a Microsoft network involves deploying controls that protect all network components from all known threats. Although that may sound like a large goal, it’s manageable when you approach it in a structured manner. The first step in understanding how to secure a network is to explore the most common components of networks.

Common Network Components

The main purpose of any network is to provide users with the ability to access and share remote resources. Networks use three main types of components to meet this goal. These components work together to allow users to share resources and reduce the need for multiple dedicated resources such as printers, file storage systems, and backup devices. The three main types of components in networks include:

  • Connection media—The adapters and wires that connect components together. Not all connection methods use wires. With wireless devices, radio waves transmit data. So, connection media also includes wireless adapters.

  • Networking devices—Hardware devices that connect other devices and computers using connection media.

  • Server computers and services devices—Hardware that provides one or more services to users, such as server computers, printers, and network storage devices.

Many physical devices found in networks are actually combinations of several types of components. These components should work together to provide easy access to desired resources and still maintain the security of an organization’s information. FIGURE 9-2 shows common network components.

An illustration shows the types of components in a network.

FIGURE 9-2
Common components found in networks.

© Jones & Bartlett Learning.

Connection Media

The purpose of any network is to allow multiple computers or devices to communicate with each other. By definition, networked computers and devices are connected to one another and have the necessary software to communicate. In the past, networked computers and devices were connected using cable. Today’s networks contain a mix of cables and wireless connections. While the technical details of network connections are beyond the scope of this discussion, it is important to have a general understanding of a network’s components.

There are two options to establish network connections between computers and devices. You either build your own network or pay another organization to allow you to use their network for your purposes. The following sections that cover connection media assume you own the connection media and are installing the hardware necessary to establish network communications. The following network connection media options appear most commonly in LANs, CANs, and MANs, but may be used in other networks as well.

Wired Network Connections

There are four basic cabling options for most physical network connections, including coaxial cable. Each option has its own advantages and disadvantages. If you choose to use physical cables for part or all of your network, you will have to run cables to each device. Running cables between devices takes careful planning. Make sure that when you explore cabling options, you evaluate the cost of installing all of the cables and connection hardware to support both your current and future needs. TABLE 9-2 lists the four basic cable options, along with the advantages and disadvantages of each one.

TABLE 9-2 Basic Network Cabling Options

Cable type: Unshielded twisted pair (UTP)
Description: The most common type of network cable, UTP generally consists of two or four pairs of wires. Pairs of wires are twisted around each other to reduce interference with other pairs. The most common types of UTP are Category 5 (Cat 5) UTP for 100 megabits per second (Mbps) networks and Cat 6 for 10 gigabits per second (Gbps) networks.
Advantages and disadvantages:
  • Lowest cost
  • Ease of installation
  • Susceptibility to interference
  • Limited transmission speeds and distances

Cable type: Shielded twisted pair (STP)
Description: Same as UTP, but with foil shielding around each pair and optionally around the entire wire group to protect the cable from external radio and electrical interference.
Advantages and disadvantages:
  • Low cost
  • Ease of installation
  • Greater resistance to interference than UTP
  • Same speed limitations as UTP but support for longer run lengths

Cable type: Coaxial cable
Description: A single copper conductor surrounded with a plastic sheath, then a braided copper shield, and then the external insulation.
Advantages and disadvantages:
  • Higher cost
  • Difficult installation
  • Strong resistance to interference
  • Higher speeds and longer run lengths

Cable type: Fiber-optic cable
Description: A glass core surrounded by several layers of protective materials.
Advantages and disadvantages:
  • Highest cost
  • Ease of running cable
  • Special tools needed to install end connectors
  • Immunity to radio and electrical interference
  • Extremely high speeds and long run lengths

© Jones & Bartlett Learning.

Wireless Network Connections

Wireless connections are very popular in today’s network environments, where flexibility is an important design factor. Wireless connections allow devices to connect to your network without your having to physically connect them to a cable. This flexibility makes it easy to connect computers or devices in situations where running cables is either difficult or not practical for temporary connections. The Institute of Electrical and Electronics Engineers (IEEE) defines standards for many aspects of computing and communications. IEEE 802.11 defines standards for wireless local area network (WLAN) communication protocols. A protocol is a set of rules that govern communication.

There are seven main protocols currently in the 802.11 standard. There are also two emerging protocols that will likely play a role in future wireless networks. As with the discussion of wired network connections, the technical details are beyond the scope of this discussion, but it is important to know the basic differences between different wireless protocols. TABLE 9-3 lists the most common current and emerging wireless protocols.

TABLE 9-3 Common Current and Emerging 802.11 Wireless Standards


Generally, hardware that supports protocols with faster speeds with longer range costs more than hardware with slower protocols. Your choice of wireless protocols will likely be based on cost, transmission speed requirements, and other devices that may cause interference in a specific frequency.

Bluetooth is a popular wireless protocol for connecting devices over short distances. The most popular use of Bluetooth is to create PANs of devices that communicate with a computer or device. Headsets, mice, printers, and connections with automation in automobiles are some examples of devices that commonly support the Bluetooth protocol. From a security perspective, it is important to consider Bluetooth support for your computers and devices when you are developing wireless policies and controls. Bluetooth-enabled computers are vulnerable to several types of wireless attacks unless you protect all wireless connections.

Networking Devices

Once you decide on the types of connections you’ll use for your network, you have to decide how your components connect to one another. Only the simplest networks with very few devices have every component connected. With more than just a few devices, this arrangement would make managing your network connections extremely difficult. Networks in today’s environments use several types of devices to keep connections manageable. You’ll see many different types of devices, but the following two sections discuss the ones you’ll most commonly use.

Hub (Legacy Device)

The simplest network device is a hub. Hubs used to be popular in smaller networks, but have largely disappeared from use. A hub is simply a box with several connectors, or ports, that allows multiple network cables to attach to it. Common hubs had 4, 8, 16, or 32 ports. A hub is simply a hardware repeater. It takes input from any port and repeats the transmission, sending it as output on every port, including the original input port. As networks have become faster and more complex, hub use has all but disappeared.

Switch

The main problem with hubs is that they repeat all network traffic to all ports. This often causes message collisions and a frequent need to resend messages. They also tend to contribute to network congestion since every computer and device receives all network traffic. Networks are designed to handle collisions and congestion but at the cost of high performance. A switch can help avoid many collision and congestion issues and actually speed up networks. A switch is a hardware device that forwards input it receives only to the appropriate output port.

For example, if Computer A wants to send a message to Computer B, a switch will send the message from Computer A’s port only to Computer B’s port. No other computers ever see the message. As an additional benefit, if Computer C wants to send a message to Computer F at the same time Computers A and B are talking, the switch can handle both connections at the same time without causing a collision. Switches are also more secure, since the only computers that actually see information exchanged over the network are the computers involved in the transfer. This is more secure than a hub that repeats messages to all connected computers. In the years since 2000, switch prices have fallen to the point that switches cost about the same as the simpler hubs, and switches are now far more popular than hubs in networks of all sizes. FIGURE 9-3 shows a simple network created using a single switch.

A figure presents a simple network setup. Two printers are connected to a print server. The print server is connected to a LAN switch. The LAN switch is connected to a file server and two desktop PCs.

FIGURE 9-3
Simple network with a single switch.

© Jones & Bartlett Learning.
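The confidentiality difference between a hub and a switch, as an added example that is not part of the textbook: a hub repeats every frame to every port, while a learning switch forwards only to the port that owns the destination MAC address. The example also shows the caveat the text leaves out, that a switch floods a frame like a hub until it has learned where the destination lives. Port numbers, host names and MAC addresses are constructed sample values.

```python
"""Hub vs. learning switch: which hosts observe a frame (added example)."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC address (constructed sample values below)
    dst: str  # destination MAC address


class Hub:
    """Repeater: a frame goes out every port, including the input port,
    exactly as the text describes."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return set(self.ports)


class Switch:
    """Learning switch: records the port each source MAC was seen on and
    forwards only to the port that owns the destination MAC."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port

    def forward(self, in_port, frame):
        self.mac_table[frame.src] = in_port  # learn the sender's port
        out = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out is None:
            # Unknown destination: the switch must flood, behaving like a
            # hub for this one frame (though never back out the input port).
            return {p for p in self.ports if p != in_port}
        return {out}


def hosts_seeing_frame(device, in_port, frame, port_to_host):
    """Hosts other than the sender that receive a copy of the frame."""
    return {port_to_host[p] for p in device.forward(in_port, frame) if p != in_port}


def compare_exposure():
    """Send A->B through a hub and through a fresh switch; report who sees it."""
    mac = {"A": "00:00:00:00:00:0a", "B": "00:00:00:00:00:0b",
           "C": "00:00:00:00:00:0c", "F": "00:00:00:00:00:0f"}
    port_to_host = {1: "A", 2: "B", 3: "C", 4: "F"}
    port_of = {h: p for p, h in port_to_host.items()}
    hub, sw = Hub(port_to_host), Switch(port_to_host)
    a_to_b = Frame(mac["A"], mac["B"])
    seen = {"hub": hosts_seeing_frame(hub, port_of["A"], a_to_b, port_to_host)}
    # First A->B on the switch: B's port is still unknown, so it floods.
    seen["switch_first"] = hosts_seeing_frame(sw, port_of["A"], a_to_b, port_to_host)
    # B replies, which teaches the switch where B is.
    hosts_seeing_frame(sw, port_of["B"], Frame(mac["B"], mac["A"]), port_to_host)
    # Second A->B: now only B receives the frame.
    seen["switch_learned"] = hosts_seeing_frame(sw, port_of["A"], a_to_b, port_to_host)
    return seen
```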

Router

A router is another network device that connects two or more separate networks. A router can connect any type of network as long as the networks use the same protocols. Routers are more intelligent than switches and actually inspect the address portion of the packets on your network. The router examines the destination address and then forwards the packet to the correct outbound port. Routers can be stand-alone hardware devices or computers with multiple network interfaces running routing software.

Routers also provide an important security capability. You can define rules for each router that tell the router how to filter network traffic. You can restrict which packets are allowed to flow through the network. Routers give the ability to aggressively control how users and applications use the network.

Gateway

A gateway is a network device that connects two or more separate networks using different protocols. Networks using different protocols may include wired LANs, wireless LANs, and WANs. A gateway can perform many of the tasks a router performs but also has the ability to translate network packets from one protocol to another. Since it translates messages between protocols, a gateway is much more complex than either a router or a switch.

One of the most common types of gateways is one that connects a LAN to the Internet. This type of gateway is often called an Internet gateway. Gateways are necessary anytime you want to connect two networks that use different protocols. Gateways provide the same filtering capabilities as routers, and much more. Gateways analyze more than just the destination address and port of each message. Since the gateway has to translate an entire message from one protocol to another, detailed rules can be set up to filter out inappropriate traffic.

Server Computers and Services Devices

Networks provide easy access to shared resources and shared services. Centralized services make it possible for multiple users to share information and physical resources at a lower cost than duplicating information or purchasing devices for every workstation. Examples of shared resources include:

  • File storage

  • Printer and print services

  • Central database and document management systems

  • Central authentication services

Network File Server

One common service present in even the earliest networks is the file sharing service. A file server is a computer or hardware device that has at least three distinct components:

  • One or more connected storage devices

  • A network interface

  • Software to provide network access to files and folders on the attached storage devices

In the past, most file servers were computers that managed shared folders or file systems. The file server managed connections and supported authorized read/write access to its storage devices by remote users. Computer-based file servers are still in widespread use, but stand-alone hardware devices with internal disk drives are becoming more popular. A file server’s main purpose is to provide secure access to its stored data for remote users.

Specialized network storage devices generally come in two flavors: Network Attached Storage (NAS) and Storage Area Network (SAN). A NAS is a stand-alone hardware device with its own internal storage media, normally hard disks, and its own operating system. NAS devices are normally connected to the LAN and are visible as mapped remote folders or drives. SANs are often confused with NAS devices, but there are several differences. A SAN can be a single device or a collection of devices. SANs are generally connected to the computers that use them via Fibre Channel for a very fast data read and write rate. SAN devices offer block-level I/O, as opposed to the file-level I/O of NAS devices. Even though SANs are remote devices, they appear to the operating system that uses them as local disk drives.

Network Print Server

A print server provides the interface between computers and devices connected to a network and one or more printers connected to the same network. Like file servers, the actual server can be a computer or a stand-alone hardware device. In either case, the print server accepts print jobs from authorized users and processes them. That means the print server may contain the intelligence to store multiple print jobs and provide advanced abilities to manage the printing process. Print servers vary widely in capabilities but all generally exist to allow multiple remote users to share printers.

Data Storage

Network data storage may sound like the service the file server provides, but the two services are distinct. A file server only stores files. A data storage server organizes data and attempts to make the data more accessible than just a list of files. Data storage software includes database management systems and document management systems. Both types of management software provide efficient, effective centralized access to data and documents for remote users.

Another substantial difference between file servers and data storage products is that data storage products generally provide far greater control over access authorization. File servers can control access to individual folders and files, but data storage software can control access to the contents of files. Database management systems and document management systems often provide their own features to maintain and authorize users and requests. These systems manage large amounts of data and can grant or deny access to individual pieces of information stored inside very large files. The advantage of databases and document management systems is they can provide fast and efficient access to large amounts of data while maintaining security of the data down to a very specific level.

Application Servers

Application servers are computers that run application programs on behalf of remote users. Instead of having remote users install and run programs, a user can request that an application server run the program and return the results. There are several advantages to using application servers:

  1. Software does not need to be installed on every user’s computer; one license supports all users on one server (or several servers).

  2. Updating software is easier; only application servers need to be updated.

  3. Programs running on application servers tend to be closer to the database servers that store the data they need to run. Running programs on servers that are close to database servers can make accessing data much faster.

  4. Since the database sends less data to the users’ computers, more data stays inside an organization’s secure network.

  5. Server computers generally have the ability to serve many users efficiently, speeding up application programs.

Many of today’s application programs rely on distributed design, which means at least part of the application runs on an application server. This application model gets a lot of attention from developers and attackers alike. Be sure to secure application servers along with the other components of your network.

Firewalls

A firewall is a common network component. It filters network traffic to block suspicious packets or messages. A firewall examines all network traffic and compares it with predefined rules. Firewall rules tell the firewall software whether to forward or deny traffic. After matching traffic to its rules, a firewall should drop or reject any network messages that are unauthorized or suspicious. So, much of a firewall’s effectiveness is based on its rules.

Firewalls run as software on computers, or as stand-alone devices. Either way, the firewall needs at least two network adapters to separate incoming traffic from outgoing traffic. Routers and gateways often include firewall functionality and the ability to filter traffic before forwarding it.

One very useful application of firewalls is to separate your organization’s secure networks from its insecure networks. This is most useful when you want to separate your Internet access point from the secure network. Many organizations want to expose some services to the Internet while maintaining separation from the internal network. Firewalls make this scenario possible. Many organizations use two firewalls to create an untrusted network that Internet users can access and a trusted network for secure resources. The two networks are connected, but separated by a firewall.

The untrusted network is called a demilitarized zone (DMZ). The DMZ is a convenient place for web servers, File Transfer Protocol (FTP) servers, or any servers you want unauthorized users to access without being able to get into your trusted network. FIGURE 9-4 shows a DMZ with two firewalls.

A demilitarized zone with two firewalls.

FIGURE 9-4
DMZ with two firewalls.

© Jones & Bartlett Learning.
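The two-firewall DMZ just described, modelled as ordered rule lists, as an added example that is not part of the textbook. It shows the two points the text makes about firewalls: a rule set is only as good as its rules, and anything that matches no rule should be denied. The address plan (Internet, a 192.0.2.0/24 DMZ, a 10.10.0.0/16 trusted network, a web server and a database server), the ports, and the rule lists are constructed assumptions for the example.

```python
"""Two-firewall DMZ modelled as ordered, first-match rule lists (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOW, DENY = "allow", "deny"

# Constructed sample address plan (not from the text).
INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")       # web and FTP servers
INTERNAL = ip_network("10.10.0.0/16")  # trusted network
WEB_SERVER = ip_network("192.0.2.10/32")
DB_SERVER = ip_network("10.10.5.20/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str
    src: object          # ip_network
    dst: object          # ip_network
    dports: frozenset    # empty means any destination port


def evaluate(rules, pkt):
    """First matching rule wins; a packet matching no rule is denied (default deny)."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for r in rules:
        if s in r.src and d in r.dst and (not r.dports or pkt.dport in r.dports):
            return r.action
    return DENY


# Outer firewall (Internet <-> DMZ): expose only the published services.
OUTER_RULES = [
    Rule(ALLOW, INTERNET, DMZ, frozenset({21, 80, 443})),
    Rule(DENY, INTERNET, INTERNAL, frozenset()),  # explicit deny toward the trusted net
]

# Inner firewall (DMZ <-> internal): only the web server may reach the database.
INNER_RULES = [
    Rule(ALLOW, WEB_SERVER, DB_SERVER, frozenset({1433})),
    Rule(DENY, DMZ, INTERNAL, frozenset()),
]


def path_decision(pkt):
    """Apply every firewall a packet crosses on its way to pkt.dst.
    A packet is allowed only if each firewall on the path allows it."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    decisions = []
    if s not in DMZ and s not in INTERNAL:       # arriving from the Internet
        decisions.append(evaluate(OUTER_RULES, pkt))
    if d in INTERNAL and s not in INTERNAL:      # crossing into the trusted net
        decisions.append(evaluate(INNER_RULES, pkt))
    # all([]) is True: a packet that crosses no firewall is not filtered here.
    return ALLOW if all(x == ALLOW for x in decisions) else DENY
```

A web request from the Internet to the DMZ server is allowed, the same source reaching for the database is stopped by both firewalls, and only the web server, not the FTP server, may open the database port from the DMZ.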

Many firewalls provide the ability to translate an external IP address into an internally mapped IP address. The firewall stores a table that allows the software to translate the IP address for incoming and outgoing traffic. This feature, called network address translation (NAT), hides the true IP address of internal computers from outside nodes. External nodes see only a generic IP address. The firewall receives traffic from the external IP address and changes the destination IP address to route the message to the correct internal IP address.
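The translation table described above, as an added example that is not part of the textbook: outbound traffic is rewritten to the single public address and recorded, replies are mapped back to the internal host, and inbound traffic with no matching entry (or from a peer the internal host never contacted) is dropped, which is what hides the internal addresses. The public address, internal hosts and ports are constructed sample values, and the table is a simplified port-based NAT.

```python
"""Port-based NAT table as a firewall or gateway keeps it (added example)."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "198.51.100.1"  # the one address outside nodes ever see (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (internal ip, internal port, remote ip, remote port)
        self.table = {}
        self.reverse = {}  # that 4-tuple -> public port

    def outbound(self, pkt):
        """Rewrite internal -> external traffic; add a table entry for a new flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.reverse:
            self.reverse[flow] = self.next_port
            self.table[self.next_port] = flow
            self.next_port += 1
        return Packet(self.public_ip, self.reverse[flow], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt) -> Optional[Packet]:
        """Translate a reply back to the internal host, or return None to drop it.
        Dropped: traffic to a port with no entry (unsolicited) and traffic to a
        mapped port from a peer other than the one the internal host contacted."""
        flow = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or flow is None:
            return None
        int_ip, int_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def demo():
    """One web request from an internal host, its reply, and two inbound packets
    that have no business reaching the inside. Addresses are constructed."""
    nat = Nat(PUBLIC_IP)
    request = Packet("10.10.1.25", 51515, "203.0.113.80", 443)
    translated = nat.outbound(request)
    reply = Packet("203.0.113.80", 443, translated.src_ip, translated.src_port)
    unsolicited = Packet("203.0.113.99", 4444, PUBLIC_IP, 3389)
    wrong_peer = Packet("203.0.113.99", 4444, PUBLIC_IP, translated.src_port)
    return translated, nat.inbound(reply), nat.inbound(unsolicited), nat.inbound(wrong_peer)
```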

The main principle of Microsoft Windows network security is to ensure you enforce the C-I-A triad properties, confidentiality, integrity, and availability, for your information. Design the controls for the network media, traffic flow, and network computers and devices to ensure a secure environment and information.
