Defining Network Infrastructures and Network Security | 175 CERTIFICATION READY How would you define a DMZ? 1.1 firewall, then this will be the device that is scanned. If your computer connects directly to the Internet, then the computer will be scanned.

6. Make note of the results. It should show the public IP that was scanned. Then it will

list the ports that were scanned and their status. The desired result for all ports listed is “Stealth,” all the way down the line for each of the listed ports. If there are Open or Closed ports, you should check to make sure that the firewall is enabled and oper- ating properly.

7. Try a few other scans, such as All Service Ports or File Sharing.

A proxy server acts as an intermediary between a LAN and the Internet. By definition, proxy means “go-between,” acting as such a mediator between a private and a public network. The proxy server evaluates requests from clients, and if they meet certain criteria, forwards them to the appropriate server. There are several types of proxies, including the following: • Caching proxy attempts to serve client requests without actually contacting the remote server. Although there are FTP and SMTP proxies among others, the most common caching proxy is the HTTP proxy, also known as a web proxy, which caches web pages from servers on the Internet for a set amount of time. This is done to save bandwidth on the company’s Internet connection and to increase the speed at which client requests are carried out. • IP proxy secures a network by keeping machines behind it anonymous; it does this through the use of NAT. For example, a basic four-port router will act as an IP proxy for the clients on the LAN it protects. Another example of a proxy in action is Internet content filtering. An Internet content filter, or simply a content filter, is usually applied as software at the application layer and it can filter out various types of Internet activities, such as access to certain Web sites, email, instant messaging, and so on. Although firewalls are often the device closest to the Internet, sometimes another device could be in front of the firewall, making it the closest to the Internet—a network intrusion detec- tion system, or perhaps a more advanced network intrusion prevention system. A network intrusion detection system NIDS is a type of IDS that attempts to detect mali- cious network activities e.g., port scans and DoS attacks by constantly monitoring network traffic. The NIDS will then report any issues that it finds to a network administrator as long as it is configured properly. A network intrusion prevention system NIPS is designed to inspect traffic, and, based on its configuration or security policy, it can remove, detain, or redirect malicious traffic in addi- tion to simply detecting it. Redefining the DMZ A perimeter network or demilitarized zone DMZ is a small network that is set up separately from a company’s private local area network and the Internet. It is called a perimeter network because it is usually on the edge of a LAN, but DMZ has become a much more popular term. A DMZ allows users outside a company LAN to access specific services located on the DMZ. However, when the DMZ set up properly, those users are blocked from gaining access to the company LAN. Users on the LAN quite often connect to the DMZ as well, but with- out having to worry about outside attackers gaining access to their private LAN. The DMZ might house a switch with servers connected to it that offer web, email, and other services. Two common DMZ configurations are as follows: • Back-to-back configuration: This configuration has a DMZ situated between two firewall devices, which could be black box appliances or Microsoft Internet Security and Acceleration ISA Servers. 176 | Lesson 8 • 3-leg perimeter configuration: In this scenario, the DMZ is usually attached to a separate connection of the company firewall. Therefore, the firewall has three connections—one to the company LAN, one to the DMZ, and one to the Internet. SET UP A DMZ ON A SOHO ROUTER GET READY. In this exercise, we demonstrate how to enable the DMZ function of a typical four-port SOHO router:

1. Access the D-Link DIR-655 router at the following link:

http:support.dlink.comemulatorsdir655133NAlogin.html

2. Log in no password is required.

3. Click the Advanced link at the top of the screen.

4. Click the Firewall Settings link at the right.

5. Scroll down to the DMZ Host section.

6. Check the Enable DMZ option.

7. Type the IP address of the host that will be connected to the DMZ.

At this point, you would also physically connect that host to a port on the router. Or, you could connect an entire layer 3 switch to the port and enter that switch’s IP address in this field. This would allow you to connect multiple hosts to the switch while only using one port on the router. ■ Putting It All Together Building an entire network for an organization can take months or even years The concepts covered in these lessons only scrape the surface of the gigantic networking world. However, what we covered up until now is still a lot of information. Let’s try to complete the Proseware, Inc., scenario by combining the various technologies we learned about into one efficient, well-oiled network. THE BOTTOM LINE In this scenario, Proseware, Inc., wants just about every component and technology possible for its network. Let’s list what they require and follow it up with some network documenta- tion that will act as the starting point for our network plan. Here are the basic components that Proseware, Inc., desires for its for their network: • Client-server local area network with the following: ❍ 300 client computers, some of which are laptops and tablet PCs ❍ 1 master switch and 4 other secondary switches 1 per department set up in a hierarchical star fashion • 5 LAN Windows Servers connected directly to the master switch: ❍ 2 Domain Controllers ❍ 1 DNS server ❍ 1 DHCP server ❍ 1 RRAS server • Wired and wireless considerations: ❍ Category 6 twisted-pair cable for the client desktop PCs ❍ Wireless 802.11n connections for laptops and tablet PCs