Networking Concepts – Part One Exercise 3 – 12

Exercise 3 – Next-Generation Firewalls

A firewall is a security device that is used to protect your network. There are different types of firewalls that are available (for example, network firewalls, web application firewalls, and stateful inspection firewalls). Generally, firewalls are divided into two types:

  • Traditional firewalls
  • Next-generation firewalls (NGFW)

In this exercise, you will learn about the differences between these two types.

Learning Outcomes

After completing this exercise, you will be able to:

  • Describe and Compare Next-Generation Firewalls with Traditional Firewalls

Your Devices

This exercise contains supporting materials for Cisco.

Traditional Firewalls

Traditional firewalls control traffic entering or exiting a point within the network. They do this using stateless or stateful methods, depending on the type of protocol being run.

Firewalls with stateless filtering filter traffic based on source and destination addresses or other static header values. These firewalls do not keep track of the state of network connections, and they are not aware of data flows. This kind of filtering is also known as an access control list (ACL).

Firewalls with stateful filtering compare fields in the IP, TCP, and UDP headers and use security zones inside firewall rules. They are aware of communication paths and can track the state of network connections.
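To make the difference concrete, here is an added example (not part of the lab material) that implements a minimal stateless ACL and a minimal stateful filter in Python and runs the same three constructed packets through both. The policy, addresses and rule format are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed packet model: only the header fields a filter rule looks at."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

# A rule is (action, source network, destination network, protocol, destination port);
# protocol "any" matches every protocol and destination port 0 matches every port.
class StatelessFilter:
    """ACL-style filtering: each packet is judged alone, on its static header values."""

    def __init__(self, rules: list) -> None:
        self.rules = rules

    def allow(self, pkt: Packet) -> bool:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for action, src_net, dst_net, proto, dport in self.rules:
            if (src in ipaddress.ip_network(src_net)
                    and dst in ipaddress.ip_network(dst_net)
                    and proto in (pkt.proto, "any")
                    and dport in (pkt.dport, 0)):
                return action == "permit"
        return False  # implicit deny at the end of every ACL

class StatefulFilter:
    """Same rules plus a connection table: a permitted outbound packet creates a flow
    entry, and a packet in the reverse direction is accepted only if its flow exists."""

    def __init__(self, rules: list) -> None:
        self.acl = StatelessFilter(rules)
        self.flows: set = set()

    def allow(self, pkt: Packet) -> bool:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return True  # reply traffic of a tracked connection
        if self.acl.allow(pkt):
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

# Constructed policy: inside hosts (10.0.0.0/8) may open HTTPS connections anywhere.
POLICY = [("permit", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443)]
# What a stateless ACL has to add so that replies to those connections get back in.
RETURN_RULE = ("permit", "0.0.0.0/0", "10.0.0.0/8", "tcp", 0)

def run_scenario() -> dict:
    """Feed the same three packets to each filter and collect the decisions."""
    outbound = Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 443)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 40000)
    unsolicited = Packet("198.51.100.7", "10.0.0.5", "tcp", 443, 40000)  # never requested
    filters = {
        "stateless": StatelessFilter(POLICY),
        "stateless_with_return_rule": StatelessFilter(POLICY + [RETURN_RULE]),
        "stateful": StatefulFilter(POLICY),
    }
    return {name: {"outbound": fw.allow(outbound), "reply": fw.allow(reply),
                   "unsolicited": fw.allow(unsolicited)} for name, fw in filters.items()}

if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(name, decisions)
```

Only the stateful filter admits the reply while still rejecting the unsolicited packet; the stateless ACL can only let the reply through by adding a rule that admits both.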

Over the years, businesses have changed, and today many applications are used in the business world (Skype, Dropbox, Slack). Traditional firewalls are not able to see or control these applications, which leaves corporate networks vulnerable to threats. This is where the NGFW comes in.

Next-Generation Firewalls

Next-Generation Firewalls (NGFW) belong to the third generation of firewall technology. They combine the functionality of a traditional firewall with network and application filtering functions, using in-line deep packet inspection (DPI), advanced malware protection, and URL filtering.

NGFW generally has the following features:

  • Application Awareness
  • Stateful Inspection
  • Integrated Intrusion Prevention System (IPS)
  • Identity Awareness (User and Group Control)
  • Bridged and Routed Modes

These firewalls work better and faster than traditional firewalls, and they are better at controlling the traffic entering and exiting a network.

Traditionally, firewalls and intrusion prevention systems were separate devices, but an NGFW integrates firewall and intrusion prevention system (IPS) capabilities into one device. This integration provides improved performance and accessibility.

Below are a few examples of NGFW devices:

  • Cisco Firepower 1000 Series
  • Cisco Firepower 2100 Series
  • Cisco Firepower 9300 Series

Exercise 4 – Next-Generation IPS

A Next-Generation Intrusion Prevention System (NGIPS) provides additional capabilities to secure the network from threats. It is used alongside firewalls to prevent malicious attacks on the network. An NGIPS is a security device that works with predefined signatures. These signatures are patterns of known exploits. When a threat is discovered, its signature is added to the dictionary. In this exercise, you will learn about the NGIPS security device.

Learning Outcomes

After completing this exercise, you will be able to:

  • Describe NGIPS and how it Works

Your Devices

This exercise contains supporting materials for Cisco.

Next-Generation IPS

An Intrusion Prevention System (IPS) is a network security device used for threat prevention. To detect and prevent vulnerability exploits, it examines network traffic flows. Vulnerability exploits are malicious inputs that can be used to take control of an application or a computer. The attacker can potentially gain all the rights and permissions available to the compromised application, or even disable it; the latter is known as a denial-of-service state.

An NGIPS can inspect asymmetric data flows because the device does not maintain a state table, which also makes it less vulnerable to attacks that exhaust a state table and cause a denial of service. The NGIPS performs deep packet inspection, but it is a transparent device: traffic flows through the network as if the NGIPS were not present.

Below are a few examples of NGIPS devices:

  • NGIPSv for VMware
  • Firepower Threat Defense for ISR

Exercise 5 – Access Points

An access point is a networking device that allows a connection to be established between a wired and a wireless network. They are usually used in an office or large building.

Most access points have built-in routers, but there are also models that need to be connected separately to a router in order to provide network access. In either case, APs are typically wired to other devices, such as network switches or broadband modems.

In this exercise, you will learn about access points and their functions in a network.

Learning Outcomes

After completing this exercise, you will be able to:

  • Describe the Purpose and Function of an Access Point

Your Devices

This exercise contains supporting materials for Cisco.

Access Points

Wireless communication uses radio frequency (RF) signals, and many factors can affect the data transport. The most important thing to keep in mind when designing a wireless network is that you need line of sight between devices and from users to devices.

Wireless devices work on either the 2.4 GHz or the 5 GHz frequency band, and each provides a different range and bandwidth. 2.4 GHz is more useful for wider coverage, and 5 GHz provides higher transport speed. Within these bands, you have smaller bands called channels that provide the medium through which you send and receive data. The 2.4 GHz band has 11 channels, and the 5 GHz band has 45 channels. For two wireless devices to communicate, they need to be on the same channel.

Wireless networks are complex and involve several protocols and technologies working together to provide a stable connection to the network.

You need to take special care with security, which in wireless communication is mostly about identifying endpoints, identifying users, and protecting data transferred over wireless links. First, you need to authenticate users, and this can be done using different methods. For example, you can use a text string configured on the access point, or you can use corporate credentials by having the user provide a username and password.

To protect the data transfer, encryption is used on the transmitter side, and the receiver decrypts the data. For example, you can use the Wi-Fi Protected Access (WPA) or WPA2 protocol.

Cisco offers a wide range of access point models, divided into indoor and outdoor models.

Indoor Access Points

Indoor access points allow a Wi-Fi compliant device to connect to a wired network.

Cisco’s family of enterprise access points supports 802.11ac Wave 2 and the latest Wi-Fi technology. Some of the models are:

  • Cisco Aironet 1800 Access Points – designed for small and midsize networks; they support older Wi-Fi devices and new Wave 2 devices.
  • Cisco Aironet 2800 Access Points – come with flexible technology and are capable of meeting demanding business goals.
  • Cisco Aironet 4800 Access Points – provide high performance and security.

Besides these models, there are new access points designed for the Wi-Fi 6 standard, the next-generation wireless standard that is faster than 802.11ac. These access points provide better performance in congested areas. An example of such a model is:

  • Cisco Catalyst 9100 Access Points – designed for larger enterprises and offering advanced features, including integrated security for mobile clients and IoT devices.

Exercise 6 – Controllers

The new networking concept, software-defined networking (SDN), is all about centralizing everything. From configuration to monitoring, the aim of SDN is to improve network control.

Network controllers are mostly physical devices but can also be implemented as a virtual solution. Whatever form of controller you have, the principle is the same: end devices are registered to the controller, and everything else is configured from the central point, the controller. Everything is defined on the controller, from IP addresses to routing and policies.

Controllers use application programming interfaces (APIs) to automatically configure and operate networks.

In this exercise, you will learn about network controllers and their functions in a network.

Learning Outcomes

After completing this exercise, you will be able to:

  • Describe the Purpose of Cisco DNA
  • Describe the Purpose of Cisco WLC

Your Devices

This exercise contains supporting materials for Cisco.

Cisco DNA

Cisco DNA Center is the controller for Software-Defined Access (SDA) networks. It uses a software-defined networking approach to build a converged wired and wireless campus LAN.

Cisco DNA has the following benefits:

  • Centralized management for design, provisioning, and policy definition.
  • The whole network infrastructure is automated through one policy across the entire access network, which simplifies day-to-day configuration, provisioning, and troubleshooting.
  • Security – security policies are applied across the network.
  • Policy integration – provides a consistent policy across campus, branch, and data center.

Cisco WLC – Wireless Controller

Today there are more users, traffic, and IoT (Internet of Things) devices connected to the network. Cisco wireless solutions provide a scalable wireless architecture that is easier to deploy and manage.

The Cisco WLCs are compatible with today’s Wi-Fi standards and are ready for tomorrow’s challenges. They provide the following functions:

  • Centralize the configuration and management of access points
  • Improve network performance with automated failover and mitigation of radio interference
  • Allow you to choose between appliance-based on-premises solutions, private cloud, or public cloud solutions
  • Provide content filtering and security based on user ID and location

Cisco wireless controllers can be used for small, medium, and large networks.

Cisco Mobility Express is a virtual controller embedded in Aironet access points. It is ideal for small to medium-sized businesses.

Exercise 7 – Endpoints and Servers

In previous exercises, you learned about different network components used for data transfer between endpoints.

Endpoints are computing devices that connect to and communicate with a network. Some devices can be located outside the data center, like a router, but most endpoints will be either physical servers running a native OS or virtual servers.

In this exercise, you will learn about different endpoints and servers in our network.

Learning Outcomes

After completing this exercise, you will be able to:

  • Describe the Purpose of Endpoints and Servers

Your Devices

This exercise contains supporting materials for Cisco.

Endpoints and Servers

Endpoints can be either physical servers running a native OS or servers running virtualization software.

Servers can generally be divided into two types:

  • Rack-mount servers – a stand-alone machine, like a user PC but with higher-grade components (RAM, HDD space, CPU)
  • Blade servers – fit in a blade chassis with other blade servers, where they share resources like power, cooling, networking, and interconnects. These servers have centralized management

For example, Cisco has UCS B-Series Blade Servers and UCS C-Series Rack Servers.

Exercise 8 – 2 Tier and 3 Tier Architecture

Before you start to configure the devices in a network, you need to design the network structure. When designing a campus LAN, you need to ensure that the network is scalable, resilient, and manageable.

  • Scalable – you should have the flexibility to add more switches without changing or affecting the entire design.
  • Resilient – even if one of the devices fails, the network should be able to bypass the single point of failure and keep functioning.
  • Manageable – the network should be easy to manage, for example when performing upgrades and troubleshooting.

In this exercise, you will learn about different network architectures that provide these features.

Learning Outcomes

After completing this exercise, you will be able to:

  • Describe the Difference between 2 Tier and 3 Tier Architecture

Your Devices

This exercise contains supporting materials for Cisco.

2 Tier

Figure 8.1: Displaying a 2 tier network architecture.

The topology and design of a wired Ethernet LAN are described in terms of two-tier and three-tier architecture. The architecture is based on the number of switch layers that exist between the endpoints and the devices that lead out of the campus to some other site.

The term campus LAN refers to the LAN created inside one or more nearby buildings.

Generally, you can have two or three layers in a campus design, with the following switch roles:

  • Access
  • Distribution
  • Core

A switch that forwards traffic from user devices is an access switch. A switch that forwards traffic from other switches is either a distribution or a core switch.

The figure shows a two-tier design with only access and distribution layers. Again, you should ensure the design provides the three features (scalability, resilience, and manageability).

3 Tier

Consider numerous buildings using a 2-tier architecture, each with a pair of distribution switches and access switches spread around the building. The three-tier core design is used to connect these buildings.

It adds a further set of switches, the core switches, which connect the distribution switches. You can define a core switch as a switch that aggregates distribution switches in very large campus LANs. Core switches provide high forwarding rates for larger volumes of traffic, and traffic from the access and distribution layers passes through them.

Figure 8.2: Displaying a 3 tier network architecture.

Exercise 9 – Spine-Leaf

In the previous exercise, you learned about network design in campus networks. A data center also requires a network architecture that provides the same features as a campus network.

Before you start to configure the devices in a data center network, you need to create a design that is scalable, resilient, and manageable. Since the data center is the heart of a network, it is crucial to provide a very fast environment, because there will be massive data transfers.

In this exercise, you will learn about a Cisco network topology called spine-leaf, which is actually a 2-tier design.

Learning Outcomes

After completing this exercise, you will be able to:

  • Describe the Characteristics of Spine-Leaf Network Topology

Your Devices

This exercise contains supporting materials for Cisco.

Spine-Leaf

A spine-leaf network is composed of a number of spine and leaf switches.

Figure 9.1: Displaying a spine-leaf network architecture.

You can see from the above figure that a spine-leaf architecture is actually a 2 tier design. The leaf switches (access switches) are used to connect end devices like servers, firewalls, and edge routers, while spine switches are used to connect leaf switches.

In this design, you should have the following configuration:

  • Each leaf (access switch) must connect to every spine (distribution switch)
  • Leaf switches shouldn’t be connected to each other
  • Spine switches shouldn’t be connected to each other
  • Endpoints only connect to the leaf switches
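The four rules above can be checked mechanically before a design is built. Here is an added example (not part of the lab material) that encodes them as a validator in Python and runs it over a constructed good topology and a constructed faulty one; all device names and links are assumptions.

```python
from itertools import combinations

def validate_spine_leaf(spines, leaves, endpoints, links):
    """Check a topology against the four spine-leaf rules from the exercise.

    links is an iterable of (a, b) pairs; direction does not matter.
    Returns a list of violation messages; an empty list means the design is valid.
    """
    spines, leaves, endpoints = set(spines), set(leaves), set(endpoints)
    edges = {frozenset(pair) for pair in links}
    problems = []

    def linked(a, b):
        return frozenset((a, b)) in edges

    # Rule 1: each leaf must connect to every spine (a full mesh between the tiers).
    for leaf in sorted(leaves):
        for spine in sorted(spines):
            if not linked(leaf, spine):
                problems.append(f"leaf {leaf} has no uplink to spine {spine}")

    # Rules 2 and 3: no links inside a tier (no leaf-leaf, no spine-spine).
    for tier, members in (("leaf", leaves), ("spine", spines)):
        for a, b in combinations(sorted(members), 2):
            if linked(a, b):
                problems.append(f"{tier}-to-{tier} link {a}-{b} is not allowed")

    # Rule 4: endpoints connect only to leaf switches, and to at least one of them.
    for ep in sorted(endpoints):
        peers = {other for edge in edges if ep in edge for other in edge if other != ep}
        for peer in sorted(peers - leaves):
            problems.append(f"endpoint {ep} is attached to non-leaf {peer}")
        if not peers & leaves:
            problems.append(f"endpoint {ep} is not attached to any leaf")
    return problems

# Constructed sample topology: two spines, three leaves, three endpoints.
SPINES = ["spine1", "spine2"]
LEAVES = ["leaf1", "leaf2", "leaf3"]
ENDPOINTS = ["server1", "fw1", "edge-router1"]
GOOD_LINKS = [(leaf, spine) for leaf in LEAVES for spine in SPINES] + [
    ("server1", "leaf1"), ("fw1", "leaf2"), ("edge-router1", "leaf3")]
# Constructed faulty variant: one missing uplink, a leaf-to-leaf link, a server on a spine.
BAD_LINKS = [l for l in GOOD_LINKS if l != ("leaf3", "spine2")] + [
    ("leaf1", "leaf2"), ("server1", "spine1")]

if __name__ == "__main__":
    print("good:", validate_spine_leaf(SPINES, LEAVES, ENDPOINTS, GOOD_LINKS))
    for problem in validate_spine_leaf(SPINES, LEAVES, ENDPOINTS, BAD_LINKS):
        print("bad:", problem)
```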

Exercise 10 – SOHO and WAN

In previous exercises, you learned about enterprise solutions for LAN networks. But there are businesses that only have a limited number of users and network devices. These businesses use a network design known as a small office/home office (SOHO) network.

Enterprise networks are the opposite of SOHO networks. They usually need to interconnect LAN networks from geographically spread areas. WAN (Wide Area Network) is primarily used for this purpose.

In this exercise, you will learn about SOHO and WAN.

Learning Outcomes

After completing this exercise, you will be able to:

  • Describe SOHO Networks
  • Describe WAN Networks

Your Devices

This exercise contains supporting materials for Cisco.

SOHO – Small Office / Home Office

SOHO refers to designs and implementations with small volume requirements, such as a few switch ports, a few APs (access points), a few routers, and a few WAN links.

A SOHO network can be a mixed network consisting of both wired and wireless computers. In a SOHO wireless LAN, the wireless AP acts autonomously rather than with a WLC (wireless LAN controller), doing all the work required to create and control the WLAN.

In this type of network, security is a big challenge compared to other types of networks. The problem is that small businesses usually cannot afford to hire IT staff to secure the network; hence they are more likely to be attacked (hacked).

WAN

A WAN or Wide Area Network interconnects multiple local area networks (LANs) distributed over a geographically spread area. An example of a Wide Area Network is the Internet.

In WAN networks, you use specially designed network devices like modems, WAN switches, and routers.

A WAN switch is a switch that belongs to a carrier network. These switches usually provide connections to public networks (for example, the Internet or an MPLS network). The user then connects an edge device to this switch; the edge device is usually a router or a firewall.

A router provides the connection from the LANs to the outside world. It uses a WAN access interface port to connect to the service provider network.

No matter which type of public network you use to interconnect LAN networks, you need to provide a secure transfer. This is usually done by creating VPNs (virtual private networks) that encrypt traffic between two or more sites.

Exercise 11 – On-Premises and Cloud

With today’s technology, there has been an increase in the development of cloud solutions, and two terms are used a lot: on-premises and cloud. The main difference between them is where the organization keeps its hardware and software.

In this exercise, you will learn about on-premises and cloud networks.

Learning Outcomes

After completing this exercise, you will be able to:

  • Describe On-Premises and Cloud Networks

Your Devices

This exercise contains supporting materials for Cisco.

On-Premises and Cloud

When designing a network, you first need to decide on the environment that will be used: on-premises, cloud, or even a hybrid (a combination of on-premises and cloud). This is a complex process, and a number of factors could affect a customer’s decision.

In an on-premises environment, everything is in the data center and under your control. This means the company has a server room where all networking devices are in place. All data center devices, like servers and storage devices, are connected and placed here, and all applications and services provided to the users are installed on these devices.

In a cloud environment, everything is placed somewhere else. Cloud services are provided by a cloud provider. There are three models of cloud services:

  • SaaS – Software as a Service
  • PaaS – Platform as a Service
  • IaaS – Infrastructure as a Service

You can, for example, have servers and storage allocated in the cloud provider’s rooms, or you can use the provider’s servers and storage to run your applications and services.

Two key differences between cloud and on-premises are the cost and the level of ownership involved. Different cloud services have different levels of ownership. In the IaaS model, the customer is responsible for their applications and data, while the cloud provider is responsible for the customer’s servers, storage, and networking. In the SaaS model, the cloud provider is responsible for everything, including applications and data.

For smaller companies, cloud is more useful, as you are able to use the full functionality of cloud services at a reasonable price. Cloud hardware and software are usually available in a monthly or annual subscription package. These subscriptions cover training, support, and updates. Therefore, cloud services provide users with greater flexibility and efficiency and are cost-effective. Companies like AWS, Azure, and Google provide cloud computing services.

On-premises services are usually used by large organizations, since it is very expensive for big businesses to use cloud services. In an on-premises environment, the company is responsible for training, support, and updates. On-premises applications offer complete ownership and control, and they are presumed to be more reliable and secure.

Exercise 12 – Compare TCP to UDP

Both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are part of the IP (Internet Protocol) suite of protocols. Both protocols convert data into segments to enable exchange across networked computers. However, the two are very dissimilar in their details of operation and hence have very different applications.

In this exercise, you will learn more about TCP and UDP, which work on top of the Internet Protocol, and how they are used by different application layer protocols.

Learning Outcomes

After completing this exercise, you will be able to:

  • Know about TCP and UDP

Your Devices

This exercise contains supporting materials for Cisco.

TCP and UDP

Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are protocols that work at Layer 4 of the OSI reference model. There are different application layer protocols like HTTP, SMTP, FTP, etc. But how do they work, and what is the difference?

HTTP, SMTP, DNS, and similar application layer protocols use different Layer 4 protocols and different port numbers to communicate.

For example:

  • HTTP uses TCP – port 80
  • SMTP uses TCP – port 25
  • DNS uses UDP – port 53

TCP is a connection-oriented protocol. UDP is a connection-less protocol.

In TCP, before end hosts can send data to each other, a TCP connection needs to be established between them. This makes TCP a reliable protocol, because every packet sent needs to be acknowledged. TCP guarantees packet delivery. Packets sent over a TCP connection are checked for errors before they are transmitted over the network.

UDP is a connection-less protocol; hence it does not acknowledge packets and does not guarantee packet delivery. Packets are not checked for errors before they are transmitted over the network.

Applications that require high reliability, speed, and quick delivery of packets use TCP. Hence TCP is used for HTTP, SSH, FTP, email, and many others.

UDP is used for applications that require faster delivery and do not need to be checked for errors, for example voice, streaming video, DNS, and many others.
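The header layouts are where the connection-oriented and connection-less designs show up on the wire. Here is an added example (not part of the lab material) that parses a constructed TCP segment and a constructed UDP datagram in Python and maps their destination ports to the application protocols listed above; the sample bytes and port numbers other than 80, 25 and 53 are assumptions.

```python
import struct

# Port-to-application pairs given in the exercise text.
WELL_KNOWN = {("tcp", 80): "HTTP", ("tcp", 25): "SMTP", ("udp", 53): "DNS"}

TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def parse_udp(segment: bytes) -> dict:
    """UDP header: 8 bytes (src port, dst port, length, checksum), then the payload."""
    if len(segment) < 8:
        raise ValueError("UDP header truncated")
    sport, dport, length, checksum = struct.unpack("!HHHH", segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError(f"UDP length field {length} does not fit the segment")
    return {"proto": "udp", "sport": sport, "dport": dport, "payload": segment[8:length]}

def parse_tcp(segment: bytes) -> dict:
    """TCP header: at least 20 bytes; the data offset field says where the payload starts.
    Sequence and acknowledgement numbers and the flags carry the connection state
    that UDP simply does not have."""
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"TCP data offset {header_len} does not fit the segment")
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {"proto": "tcp", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": segment[header_len:]}

def application(seg: dict) -> str:
    """Name the application layer protocol from transport protocol and destination port."""
    return WELL_KNOWN.get((seg["proto"], seg["dport"]), "unknown")

# Constructed sample segments (not captured traffic).
# A TCP SYN to port 80: the first step of connection setup, carrying no data yet.
TCP_SYN_TO_HTTP = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
# A UDP datagram to port 53: the query payload rides along in the very first packet.
DNS_QUERY = b"constructed-dns-query"
UDP_TO_DNS = struct.pack("!HHHH", 53000, 53, 8 + len(DNS_QUERY), 0) + DNS_QUERY

if __name__ == "__main__":
    for seg in (parse_tcp(TCP_SYN_TO_HTTP), parse_udp(UDP_TO_DNS)):
        print(application(seg), seg)
```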
