Routers, Firewalls, and Switches – CompTIA Security+

Let’s start our discussion of these network devices with switches. These switches are really great big bridges. They operate at Layer 2 of the OSI Model. I put a representation, here, of the different layers of the OSI Model, here, on the left-hand side. We’re really talking about Layer 2, primarily, in these switches. All of these switches do all of this switching, this MAC Layer Look-Up, in hardware, so they’re really, really fast. And what’s nice about the back planes of these devices is they can communicate to each other. Two devices on this device communicate to each other directly, without having to use any bandwidth or bother anybody else that’s on the network. So they’re very, very efficient in the way they operate. They decide where traffic goes based on the data link control address of a device.

And most of the time on an ethernet network, for instance, that’s the MAC address: the network card address of the different devices. So there’s a big table inside of these machines that understands exactly everybody who’s plugged into this device. And whenever it needs to decide which way packets go, it looks to see what the destination MAC address is. It references back the big table of lists, and it says oh, that particular device is on port seven. I’m going to send the traffic over to port seven.
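The learn-then-forward cycle described above, as an added example that is not part of the original video or transcript. The switch model, the port numbers and the MAC addresses are all constructed for illustration; the code only shows how a forwarding table is built from source addresses and consulted for destination addresses.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningSwitch:
    """Toy Layer 2 switch. It learns which MAC address sits behind which port from the
    source address of every frame it sees, then forwards by destination MAC, the way
    the transcript describes the big table inside the switch."""
    port_count: int
    mac_table: dict = field(default_factory=dict)  # MAC address -> port number

    def forward(self, in_port: int, src_mac: str, dst_mac: str) -> list:
        """Return the list of ports the frame goes out of."""
        # Learning step: the sender is reachable through the port the frame arrived on.
        self.mac_table[src_mac] = in_port

        # Broadcast, or a destination we have not learned yet: flood out every port
        # except the one it came in on. This is the only case where other stations
        # on the switch see traffic that is not addressed to them.
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return [p for p in range(1, self.port_count + 1) if p != in_port]

        out_port = self.mac_table[dst_mac]
        # Source and destination are on the same port (e.g. behind a downstream hub or
        # another switch): nothing to forward, the frame never crosses the backplane.
        if out_port == in_port:
            return []
        # Known unicast destination: one port only, nobody else is bothered.
        return [out_port]


def demo():
    """Walk two hosts through the learn-then-forward cycle. MAC addresses are constructed."""
    sw = LearningSwitch(port_count=8)
    host_a = "02:00:00:00:00:0a"  # plugged into port 3
    host_b = "02:00:00:00:00:0b"  # plugged into port 7

    first = sw.forward(in_port=3, src_mac=host_a, dst_mac=host_b)   # B not learned yet -> flood
    reply = sw.forward(in_port=7, src_mac=host_b, dst_mac=host_a)   # A already learned -> port 3
    second = sw.forward(in_port=3, src_mac=host_a, dst_mac=host_b)  # B now learned -> port 7
    return first, reply, second, dict(sw.mac_table)


if __name__ == "__main__":
    first, reply, second, table = demo()
    print("first frame flooded to:", first)
    print("reply sent to:", reply)
    print("second frame sent to:", second)
    print("MAC table:", table)
```

Once both addresses are learned, a frame between the two hosts leaves on exactly one port. That is the efficiency the transcript praises, and it is also why a third station, or a monitoring sensor on another port, never sees that conversation: the visibility problem raised a few paragraphs later follows directly from this forwarding behaviour.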

There are many, many, many ports on these enterprise devices. They really are the core of an enterprise network. If you’re in a large, or even a small environment, and you’re plugged into the network, you’re probably plugged into a switch in almost every situation. This happens to be a really, really large switch with lots of slots, and you can fill it up with many different kinds of ports. Some switches are very small. They’re workgroup switches, and there may be many of those stacked up inside of a closet, for instance.

But most of the time, when you’re on somebody’s network, you’re on a switch. You’ll also see, if you ever look at a network diagram, a switch represented with this diagram, here, where you’ve got arrows just pointing left to right or up and down. They don’t go any other direction. They pass straight through a particular device that represents that Layer 2 switching, where we’re just sending traffic on its way. You also are able to have a lot of bandwidth go through these devices, and this becomes a little bit of a challenge from a security perspective. You have so many different devices plugged in. You have so much data going back and forth.

How do you begin to manage traffic, and especially understand the security relationship between two devices that may be talking to each other on the same switch? And that is a bit of a challenge. We have to now layer our security, not only inside devices like this, but also on the end stations themselves and the servers. If we ever want to be able to see everything end-to-end, that’s really the only way to go about doing it.

Since switches operate at Layer 2, everybody’s on the same subnet. So to be able to separate our network into other pieces, we need something to be able to move up to a higher level, the OSI Layer 3, and that would be a router. And usually routers are in the center of the network. And most of the time, they’re connecting all of these different switches to each other.

Perhaps connecting an internet connection, as well. Any time you have to connect two different IP subnets, you’re going to need a routing function somewhere. This may be on a standalone device, or it may be part of a software module or hardware module within a switch. So you’ll sometimes hear the term Layer 3 switch. That’s really talking about a router that is embedded, or installed, inside of a switch. You’re not really switching at Layer 3. You’re really routing at Layer 3. You’ll also see this represented on network diagrams as these different arrows that are pointing in different directions.

So if you ever see that 90 degree angle on an arrow going through a diagram, it’s probably referring to a router. If you ever hear the term Layer 2, you can think switching. If you hear the term Layer 3, you can think routing. And that’s usually how we’re representing it. Sometimes we don’t say we need to route, sometimes we say we need to do Layer 3 between those two particular subnets. These are also able to connect different network types.
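The Layer 2 versus Layer 3 decision from the last few paragraphs, as an added example that is not part of the original video: when two hosts share a subnet the switch alone carries the traffic, and when they do not, a router picks the outgoing interface by longest-prefix match. The routing table, interface names and addresses below are constructed (RFC 1918 and documentation ranges), not from any real network.

```python
import ipaddress

# Constructed routing table for a router sitting between two switched subnets and the
# internet: (prefix, outgoing interface, next-hop router or None when directly connected).
ROUTES = [
    ("10.1.0.0/16", "eth0", None),            # switch block on the left
    ("10.2.0.0/16", "eth1", None),            # switch block on the right
    ("10.2.50.0/24", "eth2", "10.2.0.254"),   # a more specific route reached via another router
    ("0.0.0.0/0", "wan0", "203.0.113.1"),     # default route: everything else goes to the internet
]


def same_subnet(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True when both hosts share a subnet: the switch carries the traffic at Layer 2
    and no routing function is involved at all."""
    net = ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def lookup(dst_ip: str, routes=ROUTES):
    """Longest-prefix match: of all routes whose network contains dst_ip, the most
    specific one wins. Returns (interface, next_hop), or None when no route exists
    (not even a default), in which case the router drops the packet."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    if best is None:
        return None
    _, iface, next_hop = best
    # Directly connected network: hand the packet to the destination host itself.
    return iface, (next_hop if next_hop is not None else dst_ip)


if __name__ == "__main__":
    print("same subnet, switch only:", same_subnet("10.1.0.5", "10.1.200.9", 16))
    print("different subnets, needs a router:", not same_subnet("10.1.0.5", "10.2.0.5", 16))
    for dst in ("10.2.7.7", "10.2.50.7", "198.51.100.10"):
        print(dst, "->", lookup(dst))
```

The /24 entry shows why the match must be the longest prefix rather than the first hit: 10.2.50.7 is inside both 10.2.0.0/16 and 10.2.50.0/24, and only the more specific route sends it toward the right next hop.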

So you’ll connect a Wide Area Network connection, a fiber-based network connection, a copper-based network connection, and they’ll all go through the router. And the router’s smart enough to do whatever types of signaling translations, or any type of packet translations, between those different networks. So not only are we connecting different IP subnets together, we can connect very, very diverse networks together with routers. It provides us a lot of functionality to be able to do that in our enterprise environments. Usually also from a security perspective, there is a little bit of filtering capability in here. You have the ability to filter out certain port numbers. A very, very basic filtering functionality.

In the security world, we tend to do only a very basic type of filtering in our router, because we’ll use a firewall to be able to do a much more efficient job of protecting our networks. If you are ever working around network people, they tend to want to have the switches switch, the routers route, and have the firewalls do firewalling. If you try to combine some of these things together, not only is it complicated, but a router doesn’t really make a good firewall. So that’s one of the nice things about keeping these as separate components: you can manage them much better from a security perspective.
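The port-number filtering a router offers, placed beside one reason the transcript says a router does not make a good firewall, as an added example that is not part of the original video. The access list is evaluated top to bottom with an implicit deny at the end; the stateful filter is my own illustration of a firewall remembering permitted connections so that replies get back in without a broad "permit all high ports" rule. Rules, hosts and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches any port


# Constructed router access list: the basic port-number filtering the transcript mentions.
# Rules are evaluated top to bottom; the first match decides.
ROUTER_ACL = [
    Rule("deny", "tcp", 23),     # drop cleartext telnet
    Rule("permit", "tcp", 443),  # web over TLS
    Rule("permit", "tcp", 80),   # web
    Rule("permit", "udp", 53),   # DNS
    # implicit deny: anything reaching the end of the list is dropped
]


def acl_decision(pkt: Packet, acl) -> str:
    """Stateless first-match evaluation with an implicit deny at the end."""
    for rule in acl:
        if rule.proto in ("any", pkt.proto) and rule.dport in (None, pkt.dport):
            return rule.action
    return "deny"


class StatefulFilter:
    """Minimal firewall behaviour, added for contrast: remember flows the policy
    permitted and let their replies back in without opening the reply ports to everyone."""

    def __init__(self, acl):
        self.acl = acl
        self.connections = set()  # (src, sport, dst, dport, proto) of permitted flows

    def decide(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.connections:
            return "permit"  # reply to a connection we already allowed out
        if acl_decision(pkt, self.acl) == "permit":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "permit"
        return "deny"


def demo() -> dict:
    """Constructed traffic: an inside client opens an HTTPS connection, the server replies,
    an outside host sends an unsolicited packet to the same client port, and the client
    tries telnet."""
    client, server, outsider = "10.1.0.5", "198.51.100.10", "203.0.113.77"
    outbound = Packet(client, 51000, server, 443, "tcp")
    reply = Packet(server, 443, client, 51000, "tcp")
    unsolicited = Packet(outsider, 40000, client, 51000, "tcp")
    telnet = Packet(client, 51001, server, 23, "tcp")

    fw = StatefulFilter(ROUTER_ACL)
    return {
        # stateless router ACL
        "acl_outbound": acl_decision(outbound, ROUTER_ACL),
        "acl_reply": acl_decision(reply, ROUTER_ACL),      # denied: port 51000 is not in the list
        "acl_telnet": acl_decision(telnet, ROUTER_ACL),
        # stateful firewall
        "fw_outbound": fw.decide(outbound),
        "fw_reply": fw.decide(reply),                      # permitted: matches a known connection
        "fw_unsolicited": fw.decide(unsolicited),          # denied: no matching connection
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The stateless list cannot tell the server's legitimate reply apart from the outsider's unsolicited packet: both arrive on port 51000, so the router would have to permit that whole port range or block the reply. Keeping the connection state lets the firewall accept one and drop the other while the port list stays short.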

Firewalls really cover the security perspective for the rest of the OSI stack. We’ve talked about switching at Layer 2, we’ve talked about routing at Layer 3. Well, at Layer 4 and all the way up to Layer 7, we have firewalls. And firewalls are really our first and last line of defense when that traffic is going in and out of our network. If we need to protect servers, we need to protect our users, we need to separate ourselves from the big bad internet, it’s a firewall that’s going to be doing that.

This can also be a device that is able to encrypt data into and out of the network. Very often, we’ll connect firewalls to each other, and we’ll build encrypted tunnels between those connections. We’ll talk a lot about encryption technologies, and the way that we do these tunnels, in other parts of these videos that we look at. But it’s usually the firewalls that are the endpoints between the two. You may have a firewall at your home office. You may put a firewall at a remote site.

You may connect them together through the internet. And in order to keep your data private, as it goes through that public internet, we can create encrypted tunnels between the two, and essentially, send all of our data between those two sites, all encrypted. Even if somebody was to look at that data going by, they wouldn’t be able to make any sense of it as it’s going through. Many firewalls can also act as proxies. Proxies are a very, very traditional method of separating internal networks from the internet.

Proxies work by making a request to a web server, but instead of talking directly to the web server, you’re really talking to the proxy that you have inside of your network. That proxy then takes your request and makes the request on your behalf. When it receives the response from that web server out there on the internet, it looks through the content, and makes sure there’s nothing bad in there. It usually makes sure that that’s something you’re allowed to look at, and then it sends you the response.

By putting that right in the middle, it is separating the internal network from the internet. There are some nice security benefits to doing that. Most firewalls that you’re going to find can also be Layer 3 devices. So you will very often see the firewall on the edge of the network as the internet is coming into it. And it’s performing routing for us, and it’s doing network address translation for us.

So many times you don’t have to have a Layer 3 router right behind it. The firewall’s simply doing all of that routing for us. And because it’s right there on the edge, it can route to the internet, it can route to a DMZ, it can route to our internal network as if it was a standalone router all by itself. Think of it as having routing functionality with all of these great firewalling and security technologies built right into the technology.
