Endpoint Security
Endpoint security is the concept that each individual device must maintain local security whether or not its network or telecommunications channels also provide or offer security. Sometimes this is expressed as “the end device is responsible for its own security.”
492 Chapter 11 ■ Secure Network Architecture and Securing Network Components
However, a clearer perspective is that any weakness in a network, whether on the border, on a server, or on a client, presents a risk to all elements within the organization. Traditional security has depended on network border sentries, such as appliance firewalls, proxies, centralized virus scanners, and even IDS/IPS/IDP solutions, to provide security for all of the interior nodes of a network. This is no longer considered best practice because threats exist from within as well as from without. A network is only as secure as its weakest element.
Lack of internal security is even more problematic when remote access services, including dial-up, wireless, and VPN, might allow an external entity (authorized or not) to gain access to the private network without having to go through the border security gauntlet. A VPN client, for example, terminates inside the perimeter, so any malware already running on that client arrives inside with it.
Endpoint security should therefore be viewed as an aspect of the effort to provide sufficient security on each individual host. Every system should have an appropriate combination of a local host firewall, anti-malware scanners, authentication, authorization, auditing, spam filters, and IDS/IPS services. Because these controls run on the very host they protect, an attacker who gains administrative control of that host can disable them; their configuration should be enforced and their logs collected centrally so that tampering is visible from outside the host.
Secure Operation of Hardware
You’ll use numerous hardware devices when constructing a network. Strong familiarity
with these secure network components can assist you in designing an IT infrastructure that
avoids single points of failure and provides strong support for availability.
Collisions vs. broadcasts

A collision occurs when two systems transmit data at the same time onto a connection medium that supports only a single transmission path. A broadcast occurs when a single system transmits data to all possible recipients. Generally, collisions are something to avoid and prevent, while broadcasts have useful purposes from time to time. The management of collisions and broadcasts introduces a new term known as domains.

A collision domain is a group of networked systems that could cause a collision if any two (or more) of the systems in that group transmitted simultaneously. Any system outside the collision domain cannot cause a collision with any member of that collision domain.

A broadcast domain is a group of networked systems in which all other members receive a broadcast signal when one of the members of the group transmits it. Any system outside a broadcast domain would not receive a broadcast from that broadcast domain.
As you design and deploy a network, you should consider how collision domains and broadcast domains will be managed. A layer 1 device such as a hub or repeater divides neither domain; it simply extends the shared medium. Collision domains are divided by using any layer 2 or higher device (a switch or a router), and broadcast domains are divided by using any layer 3 or higher device (a router), or by VLANs configured on a layer 2 switch, which confine broadcasts to the ports assigned to the same VLAN. When a domain is divided, it means that systems on opposite sides of the deployed device are members of different domains. These boundaries matter for security as well as for performance: a host can observe every frame on its collision domain and every broadcast (including ARP) on its broadcast domain, so the domain boundaries also bound how far a sniffer or an ARP-spoofing attacker on that host can reach.
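The following is an added example, not code from the book, that turns the two rules above into a small topology model: hosts, hubs (layer 1), switches (layer 2) and routers (layer 3) are connected by links, every link starts as its own domain, a hub merges all of its links into one collision domain, a switch merges the links of one VLAN into one broadcast domain, and a router merges nothing. The device names, the sample topology, and the VLAN numbers are constructed for illustration; trunk links carrying several VLANs are deliberately not modelled.

```python
"""Collision and broadcast domains derived from a small topology model.

Added example (not from the book). Devices are hosts, hubs (layer 1),
switches (layer 2) and routers (layer 3). Every link is its own collision
domain unless a hub joins it to others; a switch additionally joins the
links of one VLAN into a single broadcast domain; a router joins nothing.
Simplifying assumption: each switch port is an untagged access port, so a
link has exactly one VLAN (no trunks).
"""
from collections import defaultdict

DEVICE_KINDS = {"host", "hub", "switch", "router"}


class Topology:
    def __init__(self):
        self.kind = {}    # device name -> kind
        self.links = []   # list of (device_a, device_b, vlan)

    def add_device(self, name, kind):
        if kind not in DEVICE_KINDS:
            raise ValueError(f"unknown device kind {kind!r}")
        self.kind[name] = kind

    def add_link(self, a, b, vlan=1):
        """Connect two devices; vlan is the access VLAN of any switch port on the link."""
        for dev in (a, b):
            if dev not in self.kind:
                raise KeyError(f"unknown device {dev!r}")
        self.links.append((a, b, vlan))

    def _domains(self, merge_switch_ports):
        # Union-find over link indices: every link starts as its own domain.
        parent = list(range(len(self.links)))

        def find(i):
            while parent[i] != i:
                parent[i] = parent[parent[i]]   # path halving
                i = parent[i]
            return i

        def union(i, j):
            parent[find(i)] = find(j)

        links_of = defaultdict(list)             # device -> [(link index, vlan)]
        for idx, (a, b, vlan) in enumerate(self.links):
            links_of[a].append((idx, vlan))
            links_of[b].append((idx, vlan))

        for dev, attached in links_of.items():
            kind = self.kind[dev]
            if kind == "hub":
                # A hub repeats every frame out of every port: one shared segment.
                groups = [[idx for idx, _ in attached]]
            elif kind == "switch" and merge_switch_ports:
                # A switch floods broadcasts only to ports in the same VLAN.
                by_vlan = defaultdict(list)
                for idx, vlan in attached:
                    by_vlan[vlan].append(idx)
                groups = list(by_vlan.values())
            else:
                # Hosts, routers, and (for collisions) switches keep each port separate.
                continue
            for group in groups:
                for idx in group[1:]:
                    union(group[0], idx)

        members = defaultdict(set)
        for idx, (a, b, _) in enumerate(self.links):
            members[find(idx)].update((a, b))
        return sorted(tuple(sorted(m)) for m in members.values())

    def collision_domains(self):
        """Segments split by any layer 2 or higher device (switch or router)."""
        return self._domains(merge_switch_ports=False)

    def broadcast_domains(self):
        """Segments split only by layer 3 devices (routers) or VLAN boundaries."""
        return self._domains(merge_switch_ports=True)


def example_topology(c_vlan=10):
    """Constructed sample: hosts A and B share a hub, C hangs off switch sw1,
    router r1 joins sw1 to a second switch sw2 that serves host D."""
    t = Topology()
    for name, kind in [("A", "host"), ("B", "host"), ("C", "host"), ("D", "host"),
                       ("hub1", "hub"), ("sw1", "switch"), ("sw2", "switch"),
                       ("r1", "router")]:
        t.add_device(name, kind)
    t.add_link("A", "hub1")
    t.add_link("B", "hub1")
    t.add_link("hub1", "sw1", vlan=10)
    t.add_link("C", "sw1", vlan=c_vlan)   # move C to another VLAN to split the broadcast domain
    t.add_link("sw1", "r1", vlan=10)
    t.add_link("r1", "sw2", vlan=10)
    t.add_link("D", "sw2", vlan=10)
    return t


if __name__ == "__main__":
    t = example_topology()
    print("collision domains:", t.collision_domains())
    print("broadcast domains:", t.broadcast_domains())
    print("with C moved to VLAN 20:", example_topology(c_vlan=20).broadcast_domains())
```

Running it shows five collision domains but only two broadcast domains for the sample: the hub folds A, B and the uplink into one collision domain, while sw1 and sw2 each appear in several collision domains (one per port) yet in a single broadcast domain each, and r1 is the only device with a foot in both broadcast domains. Moving host C to VLAN 20 on sw1 produces a third broadcast domain without adding a router, which is the VLAN caveat to the "layer 3 divides broadcast domains" rule.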
Secure Network Components