Computer Networks

Computer Networking




Creating a computer network requires a lot of preparation and knowledge of the right components to use. One of the first steps in computer networking is identifying which components to use and where to place them. This includes selecting the proper hardware, such as Layer 3 routers, Layer 2 switches, and Layer 1 hubs if you are on an older network, along with the right software, such as operating systems, applications, and network services, and deciding whether any advanced computer networking techniques, such as virtualization, are required.

Once the components are identified, it’s time to plan the network’s structure. This involves deciding where each component will be placed and how they will be connected. The majority of networks you will see today are Ethernet-based. More extensive networks need a formal design process. Smaller networks, such as your home network, are ready once physically connected, because the network services are already set up for you on the WAN router by the local service provider.


Preliminary Information: Useful Links to Relevant Content

Additional links to internal content for pre-information:

  1. Data Center Topologies
  2. Distributed Firewalls
  3. Internet of Things Access Technologies
  4. LISP Protocol and VM Mobility.


Computer Networks

Key Computer Networking Discussion Points:

  • Introduction to computer networks and what is involved.

  • Highlighting the details of how you connect up networks.

  • Technical details on approaching computer networking and the importance of security.

  • Scenario: the main network devices are Layer 2 switches and Layer 3 routers.

  • Notes on the different types of protocols used in computer networks.


A Key Point: Knowledge Check 

  • A key point: Back to basics with computer networks.

A network is a collection of interconnected systems that share resources. IoT (Internet of Things) devices, desktop computers, laptops, and mobile phones are all connected by networks. A computer network will consist of standard devices such as APs, switches, and routers, the essential network components.

You can connect your network’s devices to other computer networks and the Internet, a global system of interconnected networks. So when we connect to the Internet, we connect the Local Area Network (LAN) to the Wide Area Network (WAN). As we move between computer networks, we must consider security. You will need a security device between these two segments that provides a stateful inspection firewall. You are probably running IPv4, so you will need a network service known as Network Address Translation (NAT). IPv6, the latest version of the IP protocol, does not need NAT but may need a translation service to communicate with IPv4-only networks.


  • Local Area Network

A Local Area Network (LAN) is a computer network that connects computers and other devices in a limited geographical area such as a home, school, office building, or closely positioned group of buildings. Ethernet cables typically connect LANs but may also be connected through wireless connections. LANs are usually used within a single organization or business but may connect multiple locations. The equipment in your LAN is in your control.


  • Wide Area Network

Then we have the Wide Area Network (WAN). In contrast to the LAN, a WAN is a computer network covering a wide geographical area, typically connecting multiple locations. Your LAN may only consist of Ethernet and a few network services. However, a WAN may consist of various communications equipment, protocols, and media that provide access to multiple sites and users. WANs usually use private leased lines, such as T-carrier lines, to connect geographically dispersed locations. The equipment in the WAN is out of your control.

Diagram: Computer Networks with LAN and WAN.


Computer Networking

Once the components and structure of the network have been determined, the next step is the configuration of computer networking. This involves setting up network parameters, such as IP addresses and subnets, and configuring routing tables. Remember that security is paramount, especially when connecting to the Internet, an untrusted network with a lot of malicious activity. Firewalls help you create boundaries and secure zones for your networks. Different firewall types exist for the different network parts, creating a layered approach to security.

Once the computer networking is completed, the next step is to test the network. This can be done using tools such as network analyzers, which can detect any errors or issues present. You can also conduct manual tests with Internet Control Message Protocol (ICMP) tools, such as ping and traceroute. Testing for performance is only half of the picture. It’s also imperative to regularly monitor the network for potential security vulnerabilities, so you must have antivirus software, a computer firewall, and other endpoint security controls.

Finally, it’s critical to keep the network updated. This includes updating the operating system and applications and patching any security vulnerabilities as soon as possible. It’s also crucial to watch for upcoming or emerging technologies that may benefit the network.


Computer Networking & Data Traffic

Computer networking aims to carry data traffic so we can share resources. The first use case of computer networks was to share printers; now, we have a variety of use cases that revolve around data traffic. Data traffic can be generated from online activities such as streaming videos, downloading files, surfing the web, and playing online games. It is also generated from behind-the-scenes activities such as system updates and background software downloads.

Data traffic is the amount of data transmitted over a network or the Internet. It is typically measured in bits, bytes, or packets per second. Data traffic can be both inbound and outbound. Inbound traffic is data coming into a network or computer, and outbound traffic is data leaving a network or computer. Inbound data traffic should be inspected by a security device, such as a firewall, which can either be at the network’s perimeter or on your computing device. At the same time, outbound traffic is generally unfiltered.

To keep up with the increasing demand, companies must monitor data traffic to ensure the highest quality of service and prevent network congestion. With the right data traffic monitoring tools and strategies, organizations can improve network performance and ensure their data is secure.

Quality of Service (QoS) is a popular technique used in computer networking. QoS can segment applications so that different types will have different priority levels. For example, voice traffic is often considered more critical than web surfing traffic, especially as it is sensitive to packet loss. So when there is congestion on the network, QoS allows administrators to prioritize network traffic so users have the best experience.


A Key Point: Knowledge Check 

  • A key point: Expedited Forwarding (EF)

Expedited Forwarding (EF) is a model of network traffic management that provides preferential treatment to certain types of traffic. The EF model is a way to prioritize traffic, specifically real-time traffic such as voice, video, and streaming media, over other types of traffic, such as email and web browsing. This allows these real-time applications to function more reliably and efficiently by reducing latency and jitter.

The EF model works by assigning a traffic class to each data packet. Each packet is assigned a class based on the type of data it contains, and the assigned class dictates how the network treats the packet. The EF model has two categories, EF for real-time traffic and Best Effort (BE) for other traffic. EF traffic is given preferential treatment, meaning it is prioritized over BE traffic, resulting in a higher quality of service for the EF traffic.

The EF model is an effective and efficient way to manage computer network traffic. By prioritizing real-time traffic, the EF model allows these applications to function more reliably, with fewer delays and a higher quality of service. Additionally, the EF model is more efficient, reducing the amount of traffic that needs to be managed by the network.
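As an added example (not code from the original article), the following shows how the EF class is carried in the packet header and how a strict-priority scheduler serves EF ahead of Best Effort. The DSCP values are the standard IETF ones (EF = 46, Best Effort = 0); the application-to-class mapping and the packet records are constructed for the demonstration.

```python
# Added example (not from the original article): marking packets with the
# EF per-hop behaviour and scheduling them ahead of Best Effort traffic.
# DSCP values follow the IETF DiffServ standards: EF = 46 (RFC 3246),
# Best Effort (default) = 0 (RFC 2474). Packet records are constructed.
from collections import deque

DSCP_EF = 46   # Expedited Forwarding, binary 101110
DSCP_BE = 0    # Best Effort / default forwarding

# Application -> DSCP mapping; an assumed edge classification policy.
CLASSIFY = {"voice": DSCP_EF, "video": DSCP_EF, "web": DSCP_BE, "email": DSCP_BE}


def dscp_from_tos(tos_byte: int) -> int:
    """Extract the 6-bit DSCP field from the IPv4 ToS / IPv6 Traffic Class byte."""
    return (tos_byte & 0xFF) >> 2


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the ToS byte from a DSCP value and the 2-bit ECN field."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def classify(app: str) -> int:
    """Return the DSCP value the edge device marks for this application."""
    return CLASSIFY.get(app, DSCP_BE)


class EFScheduler:
    """Two-queue strict-priority scheduler: the EF queue is always served first."""

    def __init__(self) -> None:
        self.ef = deque()
        self.be = deque()

    def enqueue(self, packet: dict) -> None:
        # Core devices classify on the DSCP already in the header, not on the app name.
        if dscp_from_tos(packet["tos"]) == DSCP_EF:
            self.ef.append(packet)
        else:
            self.be.append(packet)

    def dequeue(self):
        if self.ef:
            return self.ef.popleft()
        if self.be:
            return self.be.popleft()
        return None

    def drain(self) -> list:
        """Transmit everything queued and return the packet ids in transmit order."""
        out = []
        while (p := self.dequeue()) is not None:
            out.append(p["id"])
        return out


def simulate(arrivals):
    """Enqueue (id, application) pairs in arrival order; return the transmit order."""
    sched = EFScheduler()
    for pid, app in arrivals:
        sched.enqueue({"id": pid, "tos": tos_from_dscp(classify(app))})
    return sched.drain()


if __name__ == "__main__":
    # Constructed arrival order: web, voice, email, video, web
    arrivals = [(1, "web"), (2, "voice"), (3, "email"), (4, "video"), (5, "web")]
    print(simulate(arrivals))  # EF packets 2 and 4 go out first: [2, 4, 1, 3, 5]
```

Because strict priority can starve the BE queue, production EF deployments also police the EF class to a configured rate, and markings arriving from untrusted ports are normally re-marked at the edge rather than trusted.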


Computer Networking Components – Devices:

First, the devices. Network devices, together with the media that interconnects them, provide the channel over which the data travels from source to destination. Many devices are virtualized today, meaning they no longer exist as separate hardware units. One physical device can emulate multiple end devices. An emulated computer system has its own operating system and required software and operates as if it were a separate physical unit. Devices can be further divided into endpoints and intermediary devices.



An endpoint is a device that is part of a computer network, including PCs, laptops, tablets, smartphones, video game consoles, and televisions. Endpoints can also be physical hardware units such as file servers, printers, sensors, cameras, manufacturing robots, and smart home components. Nowadays, we also have virtualised endpoints.


Computer Networking Components – Intermediate Devices

Layer 2 Switches:

These devices enable multiple endpoints, such as PCs, file servers, printers, sensors, cameras, and manufacturing robots, to connect to the network. Switches allow devices to communicate on the same network. A switch attempts to forward a message from the sender so that only the destination receives it, unlike a hub, which floods traffic out of all ports. A switch operates with MAC addresses and works at Layer 2 of the OSI model.

Usually, all the devices that connect to a single switch or a group of interconnected switches belong to a common network. They can therefore exchange information directly with each other. If an end device wants to communicate with a device on a different network, it requires the “services” of a device known as a router, which connects other networks and works higher up in the OSI model at Layer 3. Routers work with the IP protocol.



Routers’ primary function is to route traffic between computer networks. For example, you need a router to connect your office network to the Internet. Routers connect computer networks and intelligently select the best paths between them, and they hold destinations in what is known as a routing table. There are different routing protocols for different-sized networks, and each will have different routing convergence times.

Layer 2 and Layer 3 functionality are now often combined. So we have a Layer 3 router with a Layer 2 switch module inserted, or we can have what’s known as a multilayer switch that combines Layer 3 routing and Layer 2 switching on a single device.


Diagram: Computer Networks with Switch and Routers.


Wi-Fi access points

These devices allow wireless devices to connect. They usually connect to switches but can also be integrated into routers. My WAN router has everything in one box: Wi-Fi, Ethernet LAN, and network services such as NAT and WAN. Wi-Fi access points provide wireless internet access within a specified area. In public settings, Wi-Fi access points are typically found in coffee shops, restaurants, libraries, and airports. These access points allow anyone with a Wi-Fi-enabled device to access the Internet without needing additional hardware.


WLAN controllers: 

WLAN controllers are devices used to automate the configuration of wireless access points. A controller provides centralized management of wireless networks and acts as a gateway between wireless and wired networks. Administrators can monitor and manage the entire WLAN, set up security policies, and configure access points through the controller. WLAN controllers also authenticate users, allowing them to access the wireless network.

In addition, the WLAN controller can also detect and protect against malicious activities such as unauthorized access, denial-of-service attacks, and interference from other wireless networks. By using the controller, administrators can also monitor the usage of the wireless network and make sure that the network is secure.


Network firewalls:

Then we have firewalls, the cornerstone of security. There are different firewall types depending on your requirements. Firewalls range from basic packet filters to advanced next-generation firewalls and come in virtual and physical forms. Generally, a firewall monitors and controls incoming and outgoing traffic according to predefined security rules. The firewall will have a default rule set in which some firewall interfaces are more trusted than others, with a blanket restriction on traffic from outside to inside, but you still need to set up a policy for the firewall to do useful work.

A firewall typically establishes a barrier between a trusted, secure internal network and another outside network, such as the Internet, which is assumed not to be secure or trusted. Firewalls are typically deployed in a layered approach, meaning multiple security measures are used to protect the network. Firewalls provide application, protocol, and network layer protection.

Diagram: The data center firewall.
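As an added example (not code from the original article), here is a minimal stateful packet filter with the default posture the text describes: the inside interface is trusted and outbound flows are allowed, inbound from the untrusted interface is denied unless it is a reply to an inside-initiated flow or an explicit exception. The LAN prefix, the published service on port 443 and the traffic sample are all constructed assumptions.

```python
# Added example (not from the original article): a minimal stateful packet
# filter. Default policy: deny inbound from the untrusted interface, allow
# outbound from the trusted LAN, and allow return traffic only when it matches
# a connection an inside host initiated. Packets are constructed dicts.
from ipaddress import ip_network, ip_address

INSIDE, OUTSIDE = "inside", "outside"           # interface trust levels
LAN = ip_network("192.168.1.0/24")               # assumed trusted LAN prefix

# Explicit inbound exceptions (assumed published service): (dst port, protocol)
INBOUND_ALLOW = {(443, "tcp")}


class StatefulFirewall:
    def __init__(self):
        # State table of outbound flows, keyed by 5-tuple in the outbound direction.
        self.state = set()

    @staticmethod
    def _key(p):
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])

    @staticmethod
    def _reverse(p):
        # The 5-tuple a reply to this packet's flow would have been created with.
        return (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])

    def filter(self, p):
        """Return 'allow' or 'deny' for packet p and update the state table."""
        if p["iface"] == INSIDE:
            # Anti-spoofing: only LAN source addresses may enter on the inside interface.
            if ip_address(p["src"]) not in LAN:
                return "deny"
            self.state.add(self._key(p))          # remember the outbound flow
            return "allow"
        # Packet arrived on the untrusted OUTSIDE interface.
        if ip_address(p["src"]) in LAN:           # LAN address arriving from outside: spoofed
            return "deny"
        if self._reverse(p) in self.state:        # reply to an inside-initiated flow
            return "allow"
        if (p["dport"], p["proto"]) in INBOUND_ALLOW:
            return "allow"
        return "deny"                             # default: drop unsolicited inbound


def run(packets):
    """Apply the filter to a packet list in order; return the verdict per packet."""
    fw = StatefulFirewall()
    return [fw.filter(p) for p in packets]


# Constructed traffic sample (documentation address ranges used for the outside)
SAMPLE = [
    dict(iface=INSIDE,  proto="tcp", src="192.168.1.10", sport=51000, dst="203.0.113.5",  dport=80),
    dict(iface=OUTSIDE, proto="tcp", src="203.0.113.5",  sport=80,    dst="192.168.1.10", dport=51000),
    dict(iface=OUTSIDE, proto="tcp", src="198.51.100.7", sport=4444,  dst="192.168.1.10", dport=51000),
    dict(iface=OUTSIDE, proto="tcp", src="198.51.100.7", sport=4444,  dst="192.168.1.20", dport=443),
    dict(iface=OUTSIDE, proto="udp", src="192.168.1.99", sport=53,    dst="192.168.1.10", dport=53),
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f'{p["iface"]:7} {p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]}  {verdict}')
```

A real stateful firewall also ages state entries and tracks the TCP handshake, so a reply is only accepted while the connection is genuinely open; this sample keeps entries forever to stay short.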


  • Application layer protection: 

The next layer is the application layer, designed to protect the network from malicious applications, such as viruses and malware. The application layer also includes software like firewalls to detect and block malicious traffic.


  • Protocol layer protection: 

The third layer is the protocol layer. This layer focuses on ensuring that the data traveling over a network is encrypted and that it is not allowed to be modified or corrupted in any way. This layer also includes authentication protocols that prevent unauthorized users from accessing the network.


  • Network Layer protection

Finally, the fourth layer is network layer protection. This layer focuses on controlling access to the network and ensuring that users cannot access resources or applications they are not authorized to use.


A network intrusion protection system (IPS): 

An IPS or IDS analyzes network traffic to search for signs that a particular behavior is suspicious or malicious. The IPS can take protective action immediately if it detects such behavior. In addition, the IPS and firewall can work together to protect a network. So if an IPS detects suspicious behavior, it can trigger a policy or rule for the firewall to implement.

An intrusion protection system can alert administrators to suspicious activity, such as attempts to gain unauthorized access to confidential files or data. Additionally, it can block malicious activity if necessary, providing a layer of defense against malicious actors and cyber attacks. Intrusion protection systems are essential to any organization’s security plan.

Diagram: Traditional Intrusion Detection with Cisco IPS.


Computer Networking Components – Media

Next, we have the media. The media connects network devices. Different media have different characteristics, and selecting the most appropriate medium depends on the circumstances, including the environment in which the media is used and the distances that need to be covered. The media will need some connectors. A connector makes it much easier to connect wired media to network devices. A connector is a plug attached to each end of the cable. The RJ-45 connector is the most common type of connector on an Ethernet LAN.


Ethernet: Wired LAN technology.

The term Ethernet refers to an entire family of standards. Some standards define how to send data over a particular type of cabling and at a specific speed. Other standards define protocols or rules that the Ethernet nodes must follow to be a part of an Ethernet LAN. All these Ethernet standards come from the IEEE and include 802.3 as the beginning of the standard name.


Introducing Copper and Fiber

Ethernet LANs use cables for the links between nodes on a computer network, and because many types of cables use copper wires, Ethernet LANs are often called wired LANs. Ethernet LANs also use fiber-optic cabling, which includes a fiberglass core that devices use to send data using light. 


Materials inside the cable: UTP and Fiber

The most fundamental cabling choice concerns the materials used inside the cable to transmit bits physically: either copper wires or glass fibers. 

  • Unshielded twisted pair (UTP) cabling devices transmit data over electrical circuits via the copper wires inside the cable.
  • Fiber-optic cabling, the more expensive alternative, allows Ethernet nodes to send light over glass fibers in the cable’s center. 

Although more expensive, optical cables typically allow longer cabling distances between nodes. So you have UTP cabling in your LAN and Fiber-optic cabling over the WAN.


UTP and Fiber

The most common copper cabling for Ethernet is UTP. Unshielded twisted pair (UTP) is cheaper than the alternatives and is easier to install and troubleshoot. The capability of many UTP-based Ethernet standards to use a cable length of up to 100 meters means that most Ethernet cabling in an enterprise uses UTP cables. The distance from an Ethernet switch to every endpoint on the floor of a building will likely be less than 100m. In some cases, however, an engineer might prefer to use fiber cabling for some links in an Ethernet LAN to reach greater distances.


Fiber Cabling

Then we have fiber-optic cabling, which has a glass core that carries light pulses and is immune to electrical interference. Fiber-optic cabling is typically used as a backbone between buildings. Fiber cables are high-speed transmission media containing tiny glass or plastic filaments through which the light passes.


Cabling types: Multimode and Single Mode

There are two main types of fiber optic cables: single-mode fiber (SMF) and multimode fiber (MMF). MMF is used for shorter distances and SMF for longer distances. Multimode improves the maximum distances over UTP and uses less expensive transmitters than single-mode. Standards vary; for instance, the standards for 10 Gigabit Ethernet over fiber allow for distances up to 400m, often allowing for connecting devices in different buildings in the same office park.


Network Services and Protocols

We need to follow these standards, the rules of the game, and we also need protocols so that we have a means to communicate. If you use your web browser, you use the HTTP protocol; if you send an email, you use other protocols such as IMAP and SMTP. A protocol establishes a set of rules that determine how data is transmitted between different devices in the network. Both ends need to speak the same protocol, such as HTTP at one end to HTTP at the other, so think of a protocol as a shared language: we need to speak the same language to communicate. Then we have standards that we need to follow for computer networking, such as the TCP/IP suite.


Types of protocols

So we have different types of protocols. The following are the main types of protocols used in computer networking.


  • Communication Protocols

For example, we have routing protocols on our routers that help forward traffic. This is an example of a communication protocol that allows different devices to communicate with each other. Another example of a communication protocol is instant messaging, the instantaneous, text-based communication you have probably used on your smartphone; several instant messaging network protocols exist. Short Message Service (SMS) is a communications protocol created to send and receive text messages over cellular networks.

  • Network Management 

Network management protocols define and describe the various operating procedures of a computer network. These protocols affect various devices on a single network — including computers, routers, and servers — to ensure each one and the network, as a whole, perform optimally.

  • Security Protocols

Security protocols, also called cryptographic protocols, ensure that the network and the data sent over it are protected from unauthorized users. Security protocols are implemented on more than just your network security devices; they are implemented everywhere. The standard functions of security network protocols include encryption: encryption protocols protect data and secure areas by requiring users to input a secret key or password to access that information.


Characteristics of a network

Network Topology:

In a carefully designed network, data flows are optimized, and the network performs as intended based on the network topology. Network topology is the arrangement of a computer network’s elements (links, nodes, etc.). It can be used to illustrate a network’s physical and logical layout and how it functions. 


Bitrate or Bandwidth:

Bitrate is often referred to as bandwidth or speed in device configurations. It measures the data rate in bits per second (bps) of a given link in the network. The number of bits transmitted in a second matters more than the speed at which a single bit propagates over the link, which is determined by the physical properties of the medium that carries the signal. Many link bit rates are commonly encountered today, including 1 and 10 gigabits per second (1 and 10 billion bits per second). Some links can reach 100 and even 400 gigabits per second.


Network Availability: 

Network availability is determined by several factors, including the type of network being used, the number of users, the complexity of the network, the physical environment, and the availability of network resources. Network availability should also be addressed in terms of redundancy and backup plans. Redundancy helps to ensure that the system is still operational even if one or more system components fail. Backup plans should also be in place in the event of a system failure.

A network’s availability is calculated as the percentage of time it is accessible and operational. To calculate this percentage, divide the number of minutes the network is available by the total number of minutes in the agreed period and multiply the result by 100. In other words, availability is the ratio of uptime to total time, expressed as a percentage.


Network High Availability: 

High availability is a key component of a successful IT infrastructure. It ensures that systems and services remain available and accessible to users and customers. High availability is achieved by using redundancies, such as multiple servers, systems, and networks, to ensure that if one component fails, a backup component is available. High availability is also achieved through fault tolerance, which involves designing systems that respond to failures without losing data or becoming unavailable. High availability can be achieved through various strategies like clustering, virtualization, and replication.
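As an added worked calculation (not from the original article) covering both the availability definition above and the redundancy used for high availability, with $T_{\text{up}}$ and $T_{\text{down}}$ the uptime and downtime over the agreed period and the components assumed to fail independently:

$$A = \frac{T_{\text{up}}}{T_{\text{up}} + T_{\text{down}}} \times 100\%$$

For a constructed 30-day period ($43200$ minutes) with $43$ minutes of downtime:

$$A = \frac{43157}{43200} \times 100\% \approx 99.90\%$$

Redundant components in parallel are unavailable only when all of them are down, so two independent links of $99.9\%$ each give

$$A_{\text{par}} = 1 - \prod_{i}(1 - A_i) = 1 - (0.001)^2 = 99.9999\%$$

whereas components the traffic must traverse in series multiply their availabilities, so two $99.9\%$ devices in a chain give

$$A_{\text{ser}} = \prod_{i} A_i = 0.999^2 \approx 99.80\%$$

This is why redundancy is added at each layer rather than only at one: every extra device in the serial path lowers the whole path's availability.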


Network Reliability:

Network reliability can be achieved by implementing a variety of measures, often through redundancy. Redundancy is a crucial factor in ensuring a reliable network. Redundancy has multiple components to provide a backup in case of failure. Redundancy can include having multiple servers, routers, switches, and other hardware devices. Redundancy can also involve having multiple sources of power, such as multiple power supplies or batteries, and multiple paths for data to travel through the network.

For adequate network reliability, you also need to consider network monitoring. Network monitoring involves using software and hardware tools to monitor the network’s performance continuously. Monitoring can detect and alert administrators of potential performance issues or failures. We have a new term called Observability, which reflects monitoring in today’s environment more accurately.

Network Characteristics
Diagram: Network Characteristics


Network Scalability:

A network’s scalability indicates how easily it can accommodate more users and data transmission requirements without affecting performance. It can be costly and difficult to meet new needs when the network grows if you design and optimize it only for the current conditions. In terms of network scalability, several factors must be taken into account. First and foremost, the network must be designed with the expectation that the number of devices or users will increase over time. This includes hardware and software components, as the network must support the increased traffic. Additionally, the network must be designed to be flexible so that it can easily accommodate changes in traffic or user count. 


Network Security: 

Network security is protecting the integrity and accessibility of networks and data. It involves a range of protective measures designed to prevent unauthorized access, misuse, modification, or denial of a computer network and its processing data. These measures include physical security, technical security, and administrative security. A network’s security tells you how well it protects itself against potential threats. The subject of security is essential, and defense techniques and practices are constantly evolving. The network infrastructure and the information transmitted over it should also be protected. Whenever you take actions to affect the network, you should consider security. An excellent way to view network security is to take a zero-trust approach,



Virtualization:

Virtualization can be done at the hardware, operating system, and application level. At the hardware level, physical hardware can be divided into multiple virtual machines, each running its operating system and applications. At the operating system level, virtualization can run multiple operating systems on the same physical server, allowing for more efficient use of resources. Multiple applications can run on the same operating system at the application level, allowing for better resource utilization and scalability.

Overall, virtualization can provide several benefits, including improved efficiency, utilization, and flexibility, as well as improved security and scalability. It can consolidate and manage hardware or simplify application movement between different environments. Virtualization can also make it easier to manage different environments and provide better security by isolating different applications.


Computer Networking and Network Topologies

Physical and logical topologies exist in networks. The physical topology describes the physical layout of the devices and cables. A physical topology may be the same in two networks but may differ in distances between nodes, physical connections, transmission rates, or signal types. There are various types of physical topologies you may encounter in wired networks. Identifying the type of cabling used is essential when describing the physical topology. Physical topology can be categorized into the following categories:


  • Bus Topology:

In a bus topology, every workstation is connected to a common transmission medium, a single cable called a backbone or bus. In older bus topologies, computers and other network devices were connected to a central coaxial cable via connectors, resulting in direct connectivity.


  • Ring Topology:

In a ring topology, computers and other network devices are cabled in succession, with the last device connected to the first to form a circle or ring. There are two neighbors for every device in the network, and there are no direct connections between them. When one node sends data to another, it passes through each node between them until it reaches its destination.


  • Star Topology

A star topology is the most common physical topology, where network devices are connected to a central device through point-to-point connections. It is also known as the hub and spoke topology. A spoke device does not have a direct physical connection to another. This topology can also be called the extended star topology. A device with its spokes replaces one or more spoke devices in an extended star topology.


  • Mesh Topology

One device can be connected to more than one other in a mesh topology. For one node to reach another, multiple paths are available. Redundant links enhance reliability and self-healing. In a full mesh topology, all nodes are connected. In partial mesh, some nodes do not connect to all other nodes.


Computer Networking


Introducing Switching Technologies

All Layer 2 devices connect to switches to communicate with one another. Switches work at layer two of the Open Systems Interconnection (OSI) model, the data link layer. Switches are ready to use right out of the box. In contrast to a router, a switch doesn’t require configuration settings by default. When you unbox the switch, it does not need to be configured to perform its role, which is to provide connectivity for all devices on your network. After putting power on the switch and connecting the systems, the switch will forward traffic to each connected device as needed.


  • Switch vs. Hubs

Switches have replaced hubs because they provide more advanced capabilities and are better suited to today’s computer networks. Advanced functionality includes filtering traffic by sending data only to the destination port (while a hub always sends data to all ports).


  • Full Duplex vs. Half Duplex

With full duplex, both parties can talk and listen simultaneously, making it more efficient than half-duplex communication, where only one party can speak at a time. Full duplex communication is also more reliable since it is less likely to experience interference or distortion. Until switches became available, devices connected through hubs could only operate in half duplex. A half-duplex device can both send and receive, but not at the same time.


  • VLAN: Logical LANs

Virtual Local Area Networks (VLANs) are computer networks that divide a single physical local area network (LAN) into multiple logical networks. This partitioning allows for the segmentation of broadcast traffic, which helps to improve network performance and security.

VLANs enable administrators to set up multiple networks within a single physical LAN without needing separate cables or ports. This benefits businesses that need to separate data and applications between multiple teams, departments, or customers. In a VLAN, each segment is identified by a unique identifier, the VLAN ID. The VLAN ID is used to associate traffic with a particular VLAN segment. For example, if a user needs to access an application on a different VLAN, the packet must be tagged with the VLAN ID of the destination segment to be routed correctly.

VLANs also provide security benefits. A VLAN can help prevent malicious traffic from entering a segment by segmenting traffic into logical networks. This helps prevent attackers from gaining access to the entire network. Additionally, VLANs can isolate critical or confidential data from other users on the same network. VLANs can be implemented on almost any network, including wired and wireless networks. They can also be combined with other network technologies, such as routing and firewalls, to improve security further.

Overall, VLANs are a powerful tool to help improve performance and security in a local area network. With the right implementation and configuration, businesses can enjoy improved performance and better protection when using VLANs.
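As an added example (not code from the original article) covering both the switch forwarding described under Introducing Switching Technologies and the VLAN segmentation above, the following models how a switch learns source MAC addresses per VLAN, forwards known unicast to a single port, and floods unknown unicast and broadcast only within the ingress VLAN. The port-to-VLAN membership and the MAC addresses are constructed.

```python
# Added example (not from the original article): a Layer 2 switch that learns
# MAC addresses and confines forwarding and flooding to the ingress VLAN.
# Frames are constructed; access-port VLAN membership is an assumed configuration.
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_vlan: dict):
        self.port_vlan = port_vlan            # access port -> VLAN id
        self.mac_table = {}                   # (vlan, mac) -> port learned on
        self.vlan_ports = defaultdict(set)    # vlan -> member ports
        for port, vlan in port_vlan.items():
            self.vlan_ports[vlan].add(port)

    def receive(self, in_port: str, src_mac: str, dst_mac: str) -> list:
        """Return the sorted list of egress ports for a frame arriving on in_port."""
        vlan = self.port_vlan[in_port]
        # Learn: the source MAC is reachable via the ingress port in this VLAN.
        # A MAC that moves to another port simply overwrites the old entry.
        self.mac_table[(vlan, src_mac)] = in_port
        if dst_mac == BROADCAST:
            return self._flood(vlan, in_port)
        out = self.mac_table.get((vlan, dst_mac))
        if out is None:
            return self._flood(vlan, in_port)  # unknown unicast: flood, hub-style, but only in this VLAN
        if out == in_port:
            return []                          # destination is on the ingress segment; never send it back
        return [out]                           # known unicast: a single port, unlike a hub

    def _flood(self, vlan: int, in_port: str) -> list:
        return sorted(self.vlan_ports[vlan] - {in_port})


def demo() -> dict:
    """Walk through learning, known-unicast forwarding and VLAN isolation."""
    sw = Switch({"g1": 10, "g2": 10, "g3": 20, "g4": 20})
    a, b, c = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    results = {}
    results["unknown"] = sw.receive("g1", a, b)    # b not yet learned: flood VLAN 10 only -> ['g2']
    results["learned"] = sw.receive("g2", b, a)    # a was learned on g1 -> ['g1']
    results["known"] = sw.receive("g1", a, b)      # b now known on g2 -> ['g2']
    results["cross"] = sw.receive("g3", c, a)      # a lives in VLAN 10, invisible from VLAN 20 -> ['g4']
    results["bcast"] = sw.receive("g4", c, BROADCAST)  # broadcast stays in VLAN 20 -> ['g3']
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:8} -> {ports}")
```

Real switches bound the size of the MAC table and age entries out; once the table is full, forwarding degrades to flooding, which is why port security limits the number of MACs learned per port.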


IP Routing Process

IP routing works by examining the destination IP address of each packet and determining where it should be sent. Routers are responsible for this task. They learn paths through routing protocols such as RIP, OSPF, EIGRP, and BGP, and each router keeps a routing table that records the best known path to each destination prefix.

When a router receives a packet, it looks up the destination address in its routing table and selects the most specific (longest) matching prefix. If a match exists, the packet is forwarded out the listed interface to the listed next hop. If no specific route matches, the router uses its default route, if one is configured; otherwise the packet is dropped and the router typically returns an ICMP destination-unreachable message. To route packets successfully, routers must be configured appropriately and must be able to communicate with one another. They must also detect changes in the network, such as link failures or topology changes, and update their tables accordingly.

IP routing is an essential component of any network and ensures that packets are routed as efficiently as possible. Therefore, ensuring routers are properly configured and maintained to route packets successfully is essential.

Diagram: IP Forwarding Example.


  • Routing Table

A routing table is a data table stored in a router or a networked computer that lists the possible routes a packet can take when traversing a network. The routing table reflects the network's topology and is used to decide which route a packet takes when leaving the router or computer. Therefore, the routing table must be kept up to date to ensure packets are routed correctly.

Each entry in the routing table specifies which interface to use when forwarding a packet. An entry contains a destination network and its associated metric, such as cost or hop count. Alongside the destination address, an entry includes a subnet mask (prefix length), the next-hop gateway address, and the outgoing interface.

Routers use the routing table to determine which interface to use when forwarding packets. When a router receives a packet, it looks at the packet's destination address and compares it to the entries in the routing table. If several entries match, the one with the longest prefix (the most specific) wins, and the packet is forwarded out the corresponding interface.
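The longest-prefix-match lookup described in the routing process and routing table sections above, as an added example written for this page (not code from the original article). The routes, next hops and interface names are constructed using the RFC 5737 documentation ranges; a real router also tracks route source and administrative distance, which this example omits.

```python
"""Longest-prefix-match routing table lookup.

Added example for this page, not code from the original article; the routes
and addresses are constructed for illustration (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Route:
    prefix: IPNetwork
    next_hop: Optional[IPAddress]   # None means directly connected
    interface: str
    metric: int = 0


class RoutingTable:
    def __init__(self) -> None:
        self._routes: List[Route] = []

    def add(self, prefix: str, interface: str, next_hop: Optional[str] = None,
            metric: int = 0) -> None:
        self._routes.append(Route(
            ipaddress.ip_network(prefix, strict=True),
            ipaddress.ip_address(next_hop) if next_hop else None,
            interface, metric))

    def lookup(self, destination: str) -> Optional[Route]:
        """Return the best route: the longest matching prefix, with the lowest
        metric breaking ties. A default route (/0) matches everything, so it
        is only chosen when nothing more specific exists."""
        dst = ipaddress.ip_address(destination)
        candidates = [r for r in self._routes if dst in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def forwarding_decision(table: RoutingTable, destination: str) -> str:
    """Mirror what a router does after the lookup."""
    route = table.lookup(destination)
    if route is None:
        return "drop (no route; send ICMP destination unreachable)"
    if route.next_hop is None:
        return f"connected: deliver via {route.interface}, resolve {destination} with ARP/ND"
    return f"forward via {route.interface} to next hop {route.next_hop}"


def sample_table(with_default: bool = True) -> RoutingTable:
    """Constructed example table for a router with three interfaces."""
    t = RoutingTable()
    t.add("192.0.2.0/24", "eth0")                         # connected LAN
    t.add("10.0.0.0/8", "eth0", "192.0.2.1", metric=10)   # summary learned via eth0
    t.add("10.1.0.0/16", "eth1", "198.51.100.1")          # more specific, preferred
    if with_default:
        t.add("0.0.0.0/0", "eth2", "203.0.113.1")         # default route
    return t


if __name__ == "__main__":
    table = sample_table()
    for dst in ("10.1.2.3", "10.2.0.1", "192.0.2.55", "8.8.8.8"):
        print(dst, "->", forwarding_decision(table, dst))
    print("8.8.8.8 without default ->",
          forwarding_decision(sample_table(with_default=False), "8.8.8.8"))
```

Note that 10.1.2.3 is covered by both 10.0.0.0/8 and 10.1.0.0/16 and goes out eth1: prefix length, not metric, is compared first. Hardware routers implement the same rule in a trie or TCAM rather than a list scan, but the outcome is identical.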


Cloud Security Solutions


Cisco CloudLock

Cloud computing is becoming more popular due to its cost savings, scalability, and accessibility. However, it changes your security posture. Firstly, you no longer have the visibility or control you had with on-premise application access: the more the provider manages for you, the more of the responsibility it takes on and the less you can see of how that responsibility is handled. A critical security concern is that you may not know what is being done in the cloud and when. In addition, the cloud now hosts your data, which raises questions about what information is there, who can access it, where it goes, and whether it is being stolen. Cloud platforms' security challenges are unique, and Cisco has several solutions that can help. This post will focus on Cisco CloudLock.


Examples: Cloud Security Solutions.

  1. Cisco CloudLock
  2. Cisco Umbrella 
  3. Cisco Secure Cloud Analytics
  4. Cisco Duo Security


Our approach to technology has changed as a result of cloud technology. Unfortunately, bad actors have also exploited weaknesses in digital infrastructure to create a new set of security challenges. Firstly, enforcing corporate security policies becomes harder, since users reaching third-party hosted SaaS applications do not necessarily pass through the corporate security infrastructure where traditional screening would have occurred. That is a loss of visibility. Because of these gaps in visibility and coverage, a breach can go undetected for months. Several cloud security controls can be employed to close this gap, and all of them fall under the cloud security solution Cisco CloudLock.

User and entity behavior analytics (UEBA), data loss prevention (DLP), and application firewalls are today's most important security controls for SaaS applications. Cisco offers these as part of Cisco CloudLock, the Cisco CASB offering, which provides security across multiple cloud environments.


Preliminary Information: Useful Links to Relevant Content

A key point: Before you proceed, you may find the following posts useful for pre-information:

  1. Cisco Secure Firewall
  2. Dropped Packet Test
  3. Network Security Components
  4. Cisco Umbrella CASB
  5. CASB Tools



Key Cisco CloudLock Discussion Points:

  • Introduction to Cisco CloudLock and what is involved.

  • Highlighting the details of the challenging landscape and the issues with moving to the cloud.

  • Technical details on approaching cloud security with the different cloud security solutions.

  • Scenario: The future of cloud security with SASE.

  • Details on Cisco CloudLock CASB.


A Key Point: Knowledge Check 

  • A key point: Back to basics with cloud security concepts.

Before we go any further, let us brush up on some critical security concepts. The principle of least privilege states that people and automated tools should be able to access only the information they need to do their jobs. When least privilege is applied in practice, access policies deny by default: users are granted no privileges until they request, and are approved for, the ones they require. Defense in depth acknowledges that almost any security control can fail, either because a bad actor is sufficiently determined or because the control is implemented incorrectly.

By overlapping security controls, defense in depth prevents bad actors from gaining access to sensitive information if one fails. In addition, you should remember who will most likely cause you trouble. These are your potential “threat actors,” as cybersecurity professionals call them.


Examples: Threat actors.

  1. Organized crime or independent criminals interested in making money
  2. Hacktivists, interested primarily in discrediting you by releasing stolen data, committing acts of vandalism, or disrupting your business
  3. Insiders, usually interested in discrediting you or making money
  4. State actors who may steal secrets or disrupt your business


Cloud Security Solutions

Authentication and group-based access control policies defined in the application are part of the security the SaaS environment provides. However, SaaS providers differ significantly in security features, functionality, and capabilities; security is far from one size fits all across providers. For example, behavioral analytics, data loss prevention, and application firewalling are not among most SaaS providers' main offerings or capabilities. We will discuss these cloud security features in a moment. Organizations cannot deploy their own firewalls or other security mechanisms directly into a SaaS environment, because the provider does not expose the infrastructure below the application layer. Most SaaS platforms let customers control only what the provider chooses to expose through its own tools, and some expose very little.


Cloud Security Solutions: Data Loss Prevention (DLP)

Let us start with DLP. The goal of data loss prevention (DLP) is to prevent critical data from leaving your business in an unauthorized manner. This presents a significant challenge for security because the landscape and scope are complex, particularly when multiple cloud environments are involved.

Generally, people think of firewalls, load balancers, email security systems, and host-based antimalware as protecting their internal users. Organizations use data loss prevention (DLP) for a different purpose: guarding against internal threats, whether deliberate or unintentional. DLP solutions are specifically designed to address "inside-out" threats, which firewalls and similar perimeter controls are not positioned to detect.

Data loss prevention addresses the problem of authorized users, on approved devices, performing unauthorized actions: moving data outside the realm where it is permitted to live. Both intentional and accidental data breaches of this kind are common.


  • Example of Threat

Let us examine a typical threat. A user at a financial credit services company may have legitimate access to large volumes of credit card numbers and personally identifiable information (PII), and the same user almost certainly has email, so that data can leave as an attachment. This is the shape of an intentional insider breach.

Firewalls and email security solutions cannot prevent this insider from emailing an Excel spreadsheet of card numbers and personal information from their corporate account to a personal address, because they do not inspect message content for that kind of data. A DLP solution is built for exactly this threat. With adequately configured data loss prevention, such transfers can be detected, alerted on, and blocked.
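What "inspecting content for that kind of data" means in practice, as an added example written for this page (not Cisco Cloudlock code or any vendor's DLP engine): find card numbers in an outbound message with a pattern match plus the Luhn check, then apply a simple policy on where the message is going. The message body, the domain names and the thresholds are constructed; the card numbers are publicly known test numbers, not real accounts.

```python
"""Content inspection for primary account numbers (PANs) in outbound mail.

Added example for this page, not Cisco Cloudlock code or any vendor's DLP
engine. The message text and the domain names are constructed; the card
numbers are publicly known test numbers, not real accounts.
"""
import re
from dataclasses import dataclass, field
from typing import List

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, a common masking convention."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Verdict:
    action: str                 # "allow", "alert" or "block"
    pan_count: int
    evidence: List[str] = field(default_factory=list)


def evaluate_outbound_mail(body: str, recipient_domain: str,
                           internal_domain: str = "corp.example",
                           block_at: int = 5) -> Verdict:
    """Policy (an assumption of this example): internal mail is always allowed;
    external mail carrying one or more PANs raises an alert, and block_at or
    more PANs blocks the message."""
    pans = find_pans(body)
    if not pans or recipient_domain.lower() == internal_domain:
        return Verdict("allow", len(pans))
    action = "block" if len(pans) >= block_at else "alert"
    return Verdict(action, len(pans), [mask_pan(p) for p in pans[:3]])


# Constructed sample message: three valid test card numbers, one 16-digit
# string that fails Luhn, and a phone number that is too short to match.
SAMPLE_BODY = (
    "Hi, the list you asked for: 4111 1111 1111 1111, 5500-0000-0000-0004 "
    "and 378282246310005. Ignore 1234567890123456, and call 555-0100."
)

if __name__ == "__main__":
    print(evaluate_outbound_mail(SAMPLE_BODY, "example.net"))
    print(evaluate_outbound_mail(SAMPLE_BODY, "corp.example"))
```

The Luhn check is what keeps the rule from firing on every 16-digit order number, but it is a checksum, not proof: roughly one random 16-digit string in ten passes it, so production DLP adds issuer-prefix tables, proximity keywords such as "expiry" or "CVV", and per-message thresholds like the one above before it blocks. A spreadsheet attachment is handled the same way once its cells are extracted to text.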

Remember that disaster recovery and data loss prevention go hand in hand. Data you cannot reach is lost to you until you regain access, so preventing data loss is a worthwhile goal in itself. However, recovering from data loss and from disasters that prevent you from accessing your data, whether caused by malware or by something more mundane, such as a forgotten domain renewal, requires planning.


  • A key point: It boils down to a lack of visibility

On-premises DLP systems see only the network traffic that passes them and do not extend into cloud environments, such as SaaS-bound traffic. In addition, cloud environments are highly collaborative and make distributing information easy, so an employee can share sensitive information with external parties in a moment, yet security analysts find this hard to detect with traditional mechanisms. Cloudlock's data loss prevention technology continuously monitors cloud environments to detect and secure sensitive information. For instance, Cloudlock can detect whether files stored in an application are shared outside a specific organizational group, outside the organization, or publicly.




Cloud Security Solutions: Application Firewalls

Next, application firewalls. How does an application firewall differ from a traditional firewall, or from a next-generation firewall? An application firewall focuses on the application rather than the user or the network. Its logic differs from that of a non-application firewall, and it builds policy on different objects. Policies built on the traditional objects, such as source address and port, are of little use in cloud environments.


  • Application Firewall vs. Traditional Firewall.

Many traditional approaches to protecting applications with a firewall do not carry over to cloud applications. Because a cloud application must be reachable from anywhere, rules keyed on source IP are not feasible. You might geo-fence using the address blocks allocated to each region by the Internet registries, but that breaks for a traveling user or someone on vacation who needs remote assistance. Source IP addresses are a poor basis for security policy on cloud applications.

Your Layer 3 and Layer 4 controls therefore lose most of their value, and an attack can originate anywhere in the world over IPv4 or IPv6. Securing cloud applications and data has to move from a traditional firewall to an application firewall that focuses directly on the application and nothing below it. Policies based on user identity face a similar problem: if the application is reachable from anywhere by anyone, a perimeter firewall never sees most sessions, so rules written against directory services such as LDAP or Active Directory cannot be enforced there.

Compared with an on-premise solution, you have fewer options for filtering traffic between clients and the cloud application. An application firewall controls the data exchanged with, and access to or from, an application. Its focus is not the security of IP networks and Layer 4 ports but the protection of applications and services. A firewall at the application layer cares little about how the connection to the application was made, which is what a traditional firewall concentrates on. Instead, it monitors the data exchanged between the application and other entities; how data is exchanged, rather than where it comes from, determines whether a policy violation has occurred.

Diagram: Cloud Application Firewall.


  • The road to Cisco CloudLock or multiple products.

It is possible to add security microservices such as UEBA, DLP, and an application firewall to your SaaS environment by deploying a separate product for each capability and integrating each of them with every SaaS vendor and offering. This approach adds capability, but at the cost of managing multiple products per environment and application. Each additional security product increases coverage, but there comes a point where the additional capabilities become unmanageable because of time, financial cost, and architectural limitations.

Cisco can help customers reduce the complexity of multiple point products and introduce additional security services for SaaS environments under one security solution, Cisco CloudLock, which provides UEBA, an application firewall, DLP, and CASB. This has since been extended to secure access service edge (SASE) with Cisco Umbrella, which we touch on at the end of the post.


Cloud Security Solutions: Cloud Access Security Broker

Cloud access security brokers (CASBs) sit between users and the cloud services they use, whether SaaS applications or IaaS and PaaS environments. They help you define security policies and enforce them, which means you can now enforce policy in environments you do not control. CASBs safeguard cloud data, applications, and user accounts regardless of where the user is or how they access the cloud application. Where other security mechanisms focus on protecting the endpoint or the network, CASB solutions focus on protecting the cloud environment. They are purpose-built for that job.

A CASB brokers access security between the user and the cloud application on the organization's behalf, and it goes beyond merely permitting or denying access. A CASB can enable users to reach cloud applications, monitor user behavior, and protect the organization from risky cloud applications by providing visibility into how they are used. End users continue to reach the cloud application exactly as they did before the CASB was deployed, and cloud providers continue to advertise and serve their applications in the same manner. Neither the cloud application nor the user environment changes.

Along with the lack of control comes a lack of visibility: many SaaS environments offer no mechanism for tracking user behavior and controlling users (although most large cloud providers have their own UEBA systems).


Identifying the Different CASB Categories

  • CASB architectures generally fall into two categories: In-line deployment or out-of-band deployment.

In-line CASB deployments come in two forms, reverse proxies and forward proxies. A proxy provides security services to users as they connect to resources. A reverse proxy sits in front of the resource being accessed, so users reach the cloud application through it; a forward proxy sits in front of the users, who are directed through it to any remote resource. Any in-line CASB is in the data path, so an outage in the CASB environment, or in a service it depends on, interrupts access. Forward proxies have a further drawback: you must know where your users are to place the proxy appropriately. Proxy-based CASBs are also limited by the nature of cloud usage. They cannot see cloud-to-cloud traffic, and users and devices that never pass through the proxy, such as unmanaged devices, are not covered. These deficiencies leave potential security gaps.

Out-of-band CASBs can be divided into API-based and log-based; both sit outside the path between users and cloud applications. An API-based CASB exchanges API calls with the cloud application environment rather than consuming log data. Log data is typically ingested by a SIEM or other reporting tool, whereas API calls let the CASB control the cloud application directly. API-based CASBs integrate with cloud applications but run external to their environments.

Log-based CASBs are limited because they can only act after logs have been parsed by a SIEM or other tool. API-based CASBs monitor cloud usage whether the user is on or off the corporate network and whether the device is managed or unmanaged. Cloud-to-cloud traffic, which never reaches the corporate network, can also be protected by an API-based CASB.

Cloudlock is an API-based CASB, so unlike a proxy-based CASB it does not need to sit in the user traffic path to provide security. There is no proxy to size, no proxy rulesets to maintain, no requirement to route cloud application traffic through an additional layer, and no proxy for traffic to bypass, which is a significant benefit for cloud application security. The trade-off to keep in mind is that an API-based CASB acts on activity the application reports to it, so it responds to an event rather than blocking a request inline.


  • A key point: CloudLock and machine learning

To detect anomalies, Cloudlock uses machine learning algorithms. It also flags logins from outside allowlisted countries and activity that would require travelling between locations at impossible speeds. Identifying suspicious behavior and behavioral anomalies is one of the critical features of Cisco Cloudlock.
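The two rules named above, impossible travel and non-allowlisted countries, are simple enough to show in full. The Python below is an added example written for this page, not Cloudlock's detection logic; it applies the rules to a constructed set of login events with constructed coordinates and thresholds (900 km/h as the fastest plausible travel, and a 100 km floor so that geo-IP jitter between nearby cities is ignored).

```python
"""Impossible-travel and allowlisted-country checks over login events.

Added example for this page, not Cloudlock's own detection logic; it shows the
kind of rule a UEBA system applies. The events, coordinates and thresholds
below are constructed for illustration.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    country: str    # ISO 3166 alpha-2, as a geo-IP lookup would supply
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str       # "country_not_allowed" or "impossible_travel"
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events: List[LoginEvent], allowed_countries: Set[str],
           max_speed_kmh: float = 900.0, min_distance_km: float = 100.0) -> List[Finding]:
    """Flag logins from countries outside the allowlist and consecutive logins
    by one user that would require travelling faster than max_speed_kmh
    (roughly airliner speed). Short hops are ignored so that geo-IP jitter
    between neighbouring cities does not trigger the rule."""
    findings: List[Finding] = []
    last_seen: Dict[str, LoginEvent] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.country not in allowed_countries:
            findings.append(Finding(ev.user, "country_not_allowed",
                                    f"login from {ev.country}"))
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if km >= min_distance_km and speed > max_speed_kmh:
                findings.append(Finding(ev.user, "impossible_travel",
                                        f"{km:.0f} km in {hours:.2f} h ({speed:.0f} km/h)"))
        last_seen[ev.user] = ev
    return findings


def _t(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice "moves" London -> New York in one hour, bob makes
# a plausible Dublin -> London trip, carol logs in from a country not allowed.
SAMPLE_EVENTS = [
    LoginEvent("alice", _t(9), "GB", 51.5074, -0.1278),
    LoginEvent("alice", _t(10), "US", 40.7128, -74.0060),
    LoginEvent("bob", _t(9), "IE", 53.3498, -6.2603),
    LoginEvent("bob", _t(12), "GB", 51.5074, -0.1278),
    LoginEvent("carol", _t(11), "BR", -23.5505, -46.6333),
]
ALLOWED = {"GB", "US", "IE"}

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, ALLOWED):
        print(f)
```

In production the main source of false positives is not the arithmetic but the geo-IP input: VPN egress points and mobile carrier gateways are routinely placed hundreds of kilometres from the user, so real systems suppress known VPN ranges and learn each user's usual locations before alerting.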

Diagram: Cisco CASB.


The Evolution of Cloud Security Service

Cisco CloudLock is now part of Cisco SASE, which is often described as the evolution of cloud security. Cisco SASE bundles a secure web gateway, firewall, CASB functionality, DNS-layer security, and interactive threat intelligence, all delivered from one cloud security service so organizations can embrace direct Internet access. That service, Cisco Umbrella, provides these security functions and integrates with Cisco SD-WAN and Cisco ThousandEyes.


Cisco Umbrella Features:

  • DNS-Layer Security

Using Umbrella’s DNS-layer security, you can improve your security quickly and easily. Its ability to stop threats over any port or protocol before they reach your network or endpoints improves security visibility, detects compromised systems, and protects your users.

  • Secure Web Gateway

With Umbrella’s secure web gateway, you can view and inspect web traffic, control URLs and applications, and protect yourself against malware. To enforce acceptable use policies and block advanced threats, use IPsec tunnels, PAC files, or proxy chaining.

  • Firewall

With Umbrella’s firewall, all activity is logged, and unwanted traffic is blocked using IP, port, and protocol rules. An IPsec tunnel can be configured on any network device to forward traffic. Policies automatically apply to newly created tunnels to ensure consistent enforcement and easy setup.

  • Cloud Access Security Broker

Through Cisco Umbrella, you can discover and report on cloud applications used throughout your organization. To better manage cloud adoption and reduce risk, you can view details on risk levels for discovered apps and block or control usage. 


Summary of Cisco CloudLock’s main features:

User security: Cloudlock uses advanced machine learning algorithms to detect anomalies based on multiple factors. It also identifies activities outside allowed countries and spots actions that occur at impossible speeds across distances.

App security: The Cloudlock Apps Firewall discovers and controls cloud apps connected to your corporate environment. You can see a crowd-sourced Community Trust Rating for individual apps, and you can ban or allowlist them based on risk.

Data security: Cloudlock’s data loss prevention (DLP) technology continuously monitors cloud environments to detect and secure sensitive information. It provides countless out-of-the-box policies as well as highly tunable custom policies. SaaS applications can come from many sources, both reliable and unreliable. Therefore, Data Security is a primary concern when using SaaS applications in the cloud.


Network Connectivity

To understand network connectivity, we will break networking down into layers. Then we can fit the different networking and security components that make up a network into each layer. This is the starting point for understanding how networks work and carrying out the advanced stages of troubleshooting. Networking does not just magically happen; we need to follow protocols and rules so that two endpoints can communicate and share information. These rules and protocols don’t just exist on the endpoint, such as your laptop; they also need to exist on the network and security components in the path between the two endpoints. 

Networking models such as the TCP/IP suite and the OSI model help you understand which rules and protocols are needed on every component. A networking model is like a blueprint for building a house: it lays out a set pattern and puts the right trade, which in networking is a protocol, at each stage. For example, to find the MAC address when you know the IP address of the destination, we use the Address Resolution Protocol (ARP). So there are rules and standards to follow, and by learning them you can install, configure, and troubleshoot the main networking components: routers, switches, and security devices.


Preliminary Information: Useful Links to Relevant Content

A key point: Useful links to pre-information

  1. Network Security Components
  2. IP Forwarding
  3. Cisco Secure Firewall
  4. Distributed Firewalls
  5. Virtual Firewalls


A Key Point: Knowledge Check 

  • A key point: Back to basics: Source and Destination

Networking, or computer networking, transports and exchanges data between nodes over a shared medium in an information system. It’s about moving information from your application across and within your network. Generally speaking, the essence of network connectivity exists as a source and a destination where we can communicate. There are different modes of communication, such as unicast, broadcast, and multicast. But for now, consider a network and the infrastructure used within a network to support communication between a single source and destination.

The source can be an application on your computer, such as a web browser using HTTP. The browser software has rules to follow, and the HTTP protocol specifies them. The destination could be elsewhere, such as an application hosted in the cloud or on another network beyond your on-premise Local Area Network (LAN). In that case, we are moving from an on-premise network to a cloud network.


Network Connectivity with Edges of Control

So in computer networking and network connectivity there are different edges of control. If you are on your home network, the edge of control is the home router supplied by your local service provider, with a firewall function at that perimeter marking the point between the internal and external networks.

In a home network, this perimeter is static. In larger networks the perimeter is far more dissolved, and you need multiple firewalls, of several types, positioned throughout the local area network, creating a defense-in-depth approach to security.

Diagram: Sample network for network connectivity.


Network Connectivity with Network Models

So, as I said, computer networks enable connected hosts, computers, to share and access resources. When you think of a network, think of an area that exists for sharing. The first purpose of network connectivity was to share printers; it has since been extended to many other devices and services, but sharing is still its primary use case.

And you need to know how all the connections happen and all the hardware and software that enables that exchange of resources. We do this using a networking model. So we can use network models to conceptualize the many parts of a network, relying primarily on the Open Systems Interconnection (OSI) seven-layer model to help you understand networking. 

Remember that we don’t implement the OSI; we implement the TCP/IP suite. But the OSI is a great place to start learning as everything is divided into individual layers. You can place the network and security components at each layer to help you understand how networks work. Let us start with the OSI model before we move to the TCP/IP suite.


Why use the OSI Model?

The open systems interconnection (OSI) model is based on splitting a communication system into seven abstract layers, each stacked upon the last. What can you use the OSI model for? Understanding OSI enables a tech to determine quickly at what layer a problem can occur. Second, the OSI model provides a common language techs use to describe specific network functions.

Understanding the functions of each OSI layer is very important when troubleshooting network components and network communication. Once you understand these functions and the troubleshooting tools available to you at the various layers of the model, troubleshooting network-related problems and understanding will be much easier.

Highlighting the OSI layers

  • Layer 7 Application

The application layer provides the user interface. We have software applications like web browsers and email clients, to name a few, that rely on the application layer to initiate communications. Application layer protocols include HTTP and SMTP (Simple Mail Transfer Protocol is one of the protocols enabling email communications).

  • Layer 6 Presentation

The presentation layer determines how data is represented to the user. This layer is primarily responsible for preparing data so the application layer can use it; in other words, layer 6 makes the data presentable for applications to consume. Encryption and compression work at this layer.

  • Layer 5 Session

This layer is responsible for opening and closing communication between the two devices. The time between open and closed communication is known as the session. 

  • Layer 4 Transport

Layer 4, the transport layer, is responsible for end-to-end communication between the two devices. These activities include taking data from the session layer and breaking it into segments before sending it to layer 3. Layer 4 is also responsible for flow control and error control. 

  • Layer 3 Network

The network layer is responsible for moving data between two different networks. If the two communicating devices are on the same network, no routing is needed and the data link layer alone delivers the data.

  • Layer 2 Data Link

The data link layer is very similar to the network layer, except the data link layer facilitates data transfer between two devices on the same network. The data link layer takes packets from the network layer and breaks them into smaller pieces called frames. 

  • Layer 1 Physical

The physical layer defines physical properties for connections and communication: repeaters and hubs operate here. Wireless solutions are defined at the physical layer. 


Highlighting the TCP/IP Suite: Protocols

TCP/IP is a protocol suite, meaning multiple protocols work together to provide network connectivity. Each protocol in the suite has a specific purpose and function, and the protocols work at different layers. The best known members are the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), the Internet Protocol (IP), and the Address Resolution Protocol (ARP).

IP performs logical addressing so your computer can be found and reached across different networks. ARP converts these logical addresses to a physical MAC address to be transmitted on the wire. We can use the ICMP protocol for troubleshooting and diagnostics, which is the status- and error-reporting protocol.  

The IP is the Internet’s address system and delivers packets of information from a source device to a target device. IP is the primary way network connections are made, and it establishes the basis of the Internet. IP does not handle packet ordering or error checking. Such functionality requires another protocol, often the TCP.

For example, when an email is sent over TCP, a connection is first established with a three-way handshake. The source sends a SYN packet, the initial request, to the target server to start the dialogue. The target server replies with a SYN-ACK packet to agree to the connection. Lastly, the source sends an ACK packet to the target to confirm, after which the message contents can be sent.

  • TCP/IP: Networking Model: 4-layer model vs. 7-layer OSI

The TCP/IP model is a four-layer model similar in concept to the seven-layer OSI reference model, and its four layers map onto the seven OSI layers. Because the TCP/IP model combines several OSI layers, it is easier to start with the OSI model when learning networking, as none of its layers are combined.


Moving through Layers: Enabling Network Connectivity

Each OSI model layer is responsible for communicating with the layers directly above and below, receiving data from or passing it to its neighboring layers. For example, the presentation layer will receive information from the application layer, format it appropriately, which could be encryption, as we mentioned, or compression, and then pass it to the session layer. The presentation layer will never deal directly with the transport, network, data link, or physical layers. The same idea is valid for all layers regarding their communication with other layers.


OSI Layer Example: Computers communicate with a server.

Let’s look at the layers from the point of view of two computers sending data to each other. The data is called different things at each layer. This is due to the encapsulation process, but we will call it data for now. So we have Host A and Host B that want to send files to each other and, therefore, will exchange data on the network. Or host B has a local web server, and host A in their browser types in the IP address of host B. So for network connectivity, we need a source and a destination.

So, host A is the sending computer, the source, and Host B is the receiving computer, the destination. The data exchange starts with Host A sending a request to Host B in the application layer. So we have Host A, that is initiating the request. At the receiving end, the destination, on host B, the data moves back up through the layers to the application layer, which passes the data to the appropriate application or service on the system. Port numbers will identify the proper service.


  • Starting to move through the layers

Network connectivity starts at the application layer of the OSI model on the sending system, Host A in our case, and works its way down through the layers to the physical layer. The information then crosses the communication medium, physical cabling such as copper or fiber, or wireless, until it reaches the far-end system, which works back up the layers from the physical layer to the application layer.


  • Action at one layer undone at another layer

When you think of two devices communicating, such as two computers, it is crucial to understand that whatever action is done at one layer of the sending computer is undone at the same layer on the receiving computer. For example, if the presentation layer compresses or encrypts the information on the sending computer, the data is decompressed or decrypted by the presentation layer on the receiving computer.

Network Connectivity and Network Security

So we have just looked at generic connectivity. But there will be two main functions carried out by these networking and security devices. First, there is the network connectivity side of things. 

  • Network Connectivity

So we will have network devices that need to forward your traffic so it can reach its destination. Traffic is forwarded based on IP. Keep in mind that IP itself offers no delivery guarantee; reliable network connectivity is handled further up the stack. The primary version of IP used on the Internet today is Internet Protocol Version 4 (IPv4). Because of the limited total number of possible IPv4 addresses, a newer protocol, IPv6, was developed. It makes many more addresses available and is increasing in adoption.


  • Network Security

Secondly, we will need to have network security devices. These devices allow traffic to pass through their interfaces only if they deem it safe and policy permits the traffic to pass into that zone of the network. The threat landscape is dynamic, and bad actors have many tools to disguise their intentions. Therefore, we have many different types of network security devices to consider.


Components for network connectivity

In general, we have routers forwarding the traffic based on IP, and they usually work with switches that help connect all the devices. Switches work with MAC addresses and not IP addresses. Then we have the security devices such as firewalls that help with the security side of things. Generally, a firewall device will allow all traffic to leave the network, but only traffic you permit can enter the network.


Starting with the Layer 3 Router

Routers, the magic boxes that act as the interconnection points, have all the built-in smarts to inspect incoming packets and forward them toward their eventual LAN destination.  Routers are, for the most part, automatic. A router is any hardware or software that forwards packets based on their destination IP address. Routers work at the OSI model’s Network layer (Layer 3). Classically, routers are dedicated boxes with at least two connections, although many routers contain many more connections and offer various network connectivity options.

The router inspects each packet’s destination IP address and then sends the IP packet out to the correct port. To perform this inspection, every router has a routing table that tells the router exactly where to send the packets. This table is the key to understanding and controlling forwarding packets to their proper destination.

Starting with Switches

Then we have switches, which forward frames only to the proper destination port, reducing the number of devices that receive each frame and therefore the chance of collisions. With switches we still have a star topology, but consider each link between an end host and its switch port to be point-to-point. This allows full-duplex communication, which effectively disables the CSMA/CD process between the switch port and the attached device. The ability to transmit and receive simultaneously now exists between the switch port and the end station. So consider full-duplex to be a 10x speed improvement over half-duplex. The switch port also acts as a boundary for collisions.


Building a small network: Network and Security Components

Information on Hub 

With the information you learned from the OSI, let’s look at some networking components in more detail. Networking started with hubs. A hub is an older network device you hopefully do not encounter on your networks because more effective and secure switches have replaced them. A network hub has three pitfalls: 


  • No filtering 

When a system was to send data to another system, the hub would receive the data and then send the data to all other ports on the hub. A switch operating at Layer 2 will understand MAC addresses to make better forwarding decisions. 

  • Collisions 

Because any data was sent to all other ports, and any system could send its data at any time, this resulted in many collisions on the network. A collision occurs when two transmissions overlap on the shared medium; both must be retransmitted, which degrades application performance.

  • Security For Hubs 

Because the data was sent to all ports on the hub, all systems receive all data. Systems look at the destination address in the frame to decide whether to process or discard the data. 


Packet Sniffer

But if someone were running a packet sniffer such as Wireshark or tcpdump on a system attached to a hub, they would receive all frames on the segment and be able to read them. Sniffers examine the streams of data packets that flow between computers on a network and between those computers and the wider Internet. This created a huge security concern. The solution to the hub problem was to replace hubs with switches, which have better filtering capabilities and can be carved into multiple logical switches using VLANs. This improves both security and performance.



Network connectivity: Start with switches 

At Layer 2 we can have switches that reduce collisions, optimize traffic, and are better from a security point of view. Switches are one of the most common devices used on networks today. All other devices connect to the switch to gain access to the network. For example, you will connect workstations, servers, printers, and routers to a switch so that each device can send and receive data to and from other devices. The switch acts as the central network connectivity point for all devices on the network.


  • Layer 2 Switch: How switches work

The switch tracks every device’s MAC address (the physical address burned into the network card) and then associates that device’s MAC address with the port on the switch to which the device is connected. The switch stores this information in a MAC address table in memory on the switch. The switch then acts as a filtering device by sending data only to the port that the data is destined for.
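To make the hub pitfalls above and the MAC-address-table behaviour concrete, here is an added simulation (not code from the original article) of a hub beside a learning switch. Frames, MAC addresses and port numbers are constructed sample data; the sniffer on port 3 shows how much traffic a passive listener sees on each device.

```python
"""Added example: hub vs. learning switch forwarding (not from the original
article). Frames and MAC addresses below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address (BROADCAST for broadcasts)


class Hub:
    """Layer 1 repeater: no filtering, every frame goes to every other port."""

    def __init__(self, ports: int):
        self.ports = ports

    def forward(self, frame: Frame, in_port: int) -> set[int]:
        return {p for p in range(self.ports) if p != in_port}


class LearningSwitch:
    """Layer 2 switch: learns source MAC -> port, forwards to that port only."""

    def __init__(self, ports: int):
        self.ports = ports
        self.mac_table: dict[str, int] = {}   # the MAC address table

    def forward(self, frame: Frame, in_port: int) -> set[int]:
        # Learn: the sender of this frame lives behind in_port.
        self.mac_table[frame.src] = in_port
        others = {p for p in range(self.ports) if p != in_port}
        if frame.dst == BROADCAST:
            return others                     # all ports: one broadcast domain
        if frame.dst in self.mac_table:
            out = self.mac_table[frame.dst]
            return set() if out == in_port else {out}
        return others                         # unknown unicast: flood, then learn


def frames_seen_by_sniffer(device, frames, sniffer_port: int) -> int:
    """Count frames a passive sniffer on sniffer_port would capture."""
    return sum(1 for f, p in frames if sniffer_port in device.forward(f, p))


# Constructed traffic: hosts on ports 0, 1, 2; a sniffer sits on port 3.
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
SAMPLE = [
    (Frame(A, BROADCAST), 0),   # A sends an ARP-style broadcast
    (Frame(B, A), 1),           # B replies to A; switch learns B's port
    (Frame(A, B), 0),           # A -> B unicast, now delivered to port 1 only
    (Frame(C, A), 2),           # C -> A
    (Frame(A, C), 0),           # A -> C
]
```

On the hub the sniffer captures all five frames; on the switch it captures only the broadcast, since every unicast is delivered to the learned port alone.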


Collision Domains and Broadcast Domains 

  • Collision Domain: Hub – Single Collision Domain 

In a collision domain, data transmission collisions can occur. For example, suppose you are using a hub to connect 10 systems to a network. Because traffic is sent to all ports on the hub, the data could collide on the network if several systems send data simultaneously. For this reason, all network ports on a hub (and any devices connected to those ports) are considered part of a single collision domain. This also means that when you cascade one hub off another, all the hubs are part of the same collision domain. Connect 100 hubs together and, even though they are different physical devices, it is still one collision domain.


  • Switches: Break down Collision Domains

If you were using a switch to connect the ten systems, each port on the switch would create its own network segment. When data is sent by a system connected to the switch, the switch sends the data only to the port on which the destination system resides. For this reason, if another system were to send data simultaneously, the data would not collide. As a result, each port on the switch creates a separate collision domain.




Controlling Broadcast Domain

A broadcast domain is a group of systems that can receive one another’s broadcast messages. When using a hub to connect five systems in a network environment, if one system sends a broadcast message, the message is received by all other systems connected to the hub. For this reason, all ports on the hub create a single broadcast domain. Likewise, if all five systems were connected to a switch and one sent a broadcast message, all other systems on the network would receive the broadcast message. 

Therefore, all ports are part of the same broadcast domain when using a switch. If you wanted to control which systems received broadcast messages, you would have to use a router that does not forward broadcast messages to other networks. You could also use virtual LANs (VLANs) on a switch, with each VLAN being a different broadcast domain.


Network Connectivity: Starting with Routers

A switch connects all systems in a LAN setup, but what if you want to send data from your network to another network or across the Internet? That is the job of a router. Routers work at Layer 3 of the OSI model. A router sends or routes data from one network to another until the data reaches its final destination. Note that although switches look at the MAC address to decide where to forward a frame, routers use the IP address to determine what network to send the data to. 


Network Connectivity with Network Routing

Network routing is selecting a path across one or more networks. Routing principles can apply to any network, from telephone to public transportation. In packet-switching networks, such as the Internet, routing selects the paths for Internet Protocol (IP) packets to travel from origin to destination. These Internet routing decisions are made by specialized network hardware called routers.  


Routing Tables

Routers refer to internal routing tables to decide how to route packets along network paths. A routing table records the paths packets should take to reach every destination the router is responsible for, listing all the networks the router can reach. Routing tables are populated either by routing protocols or by manual configuration, so routes can be dynamic or static.

Routing tables can either be static or dynamic. Static routing tables do not change. A network administrator manually sets up static routing tables. This sets in stone the routes data packets take across the network unless the administrator manually updates the tables. Dynamic routing tables update automatically. 

Dynamic routers use various routing protocols (see below) to determine the shortest and fastest paths. They also make this determination based on how long it takes packets to reach their destination. Dynamic routing requires more computing power, so smaller networks may rely on static routing. But for medium-sized and large networks, dynamic routing is much more efficient.
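The forwarding decision a router makes against its table is longest-prefix match: when several routes cover the destination, the most specific one wins, with the default route as the fallback. The following is an added example (not code from the original article) of a static routing table with that lookup; all prefixes, next hops and interface names are constructed.

```python
"""Added example (not from the original article): a static routing table with
longest-prefix-match lookup. All prefixes and next hops are constructed."""
from __future__ import annotations
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network   # destination network
    next_hop: str                   # next router, or "connected"
    interface: str                  # egress port


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, prefix: str, next_hop: str, interface: str) -> None:
        # strict=False tolerates host bits in the prefix, e.g. "10.1.2.3/24"
        self.routes.append(
            Route(ipaddress.ip_network(prefix, strict=False), next_hop, interface))

    def lookup(self, dst: str) -> Route | None:
        """Return the most specific matching route (longest prefix wins)."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None                      # no route at all: packet is dropped
        return max(candidates, key=lambda r: r.prefix.prefixlen)


def build_sample_table() -> RoutingTable:
    """Constructed table for a small office router with two LANs and an uplink."""
    rt = RoutingTable()
    rt.add("192.168.10.0/24", "connected", "Gi0/1")    # LAN A, directly attached
    rt.add("192.168.20.0/24", "connected", "Gi0/2")    # LAN B, directly attached
    rt.add("10.0.0.0/8", "192.168.20.254", "Gi0/2")    # branch networks via LAN B
    rt.add("10.5.0.0/16", "192.168.10.254", "Gi0/1")   # ...except 10.5/16 via LAN A
    rt.add("0.0.0.0/0", "203.0.113.1", "Gi0/0")        # default route to the ISP
    return rt
```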


Network Connectivity: Starting with Firewalls 

A firewall is a security system that monitors and controls network traffic based on security rules. Firewalls usually sit between trusted and untrusted networks, the untrusted side often being the Internet. For example, office networks often use a firewall to protect their network from online threats. Firewalls control which traffic is allowed to enter a network or system and which traffic should be blocked.

When configuring a firewall, you create the rules for allowing and denying traffic based on the traffic protocol, port number, and direction. Firewalls work at Layer 3 and Layer 4 of the OSI model. We know now that Layer 3 is the Network Layer where IP works. Then we have Layer 4, the Transport Layer, where TCP and UDP work. 



  • Packet filtering firewall 

A packet-filtering firewall can filter traffic based on the source and destination IP addresses, the source and destination port numbers, and the protocol used. The downfall of a simple packet-filtering firewall is that it does not understand the context of the conversation, making it easy for a bad actor to craft a packet to pass through the firewall.


  • Stateful packet inspection

Like a packet-filtering firewall, a stateful packet inspection firewall filters traffic based on source and destination IP addresses, the source and destination port numbers, and the protocol in use. Still, it also understands the context of a conversation. Stateful firewalls rely on a lot of context when making decisions.

For example, if the firewall records outgoing packets on one connection requesting a certain kind of response, it will only allow incoming packets on that connection if they provide the requested type of response. Stateful firewalls can also protect ports by keeping them all closed unless incoming packets belong to a connection that was requested from inside. This can mitigate an attack known as port scanning.
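The difference between the two firewall types above comes down to memory of earlier packets. Here is an added simulation (not code from the original article) of a stateless filter beside a stateful one that tracks outbound TCP connections; addresses, ports and packets are constructed, and the unsolicited inbound packet is built only to show which filter stops it.

```python
"""Added example (not from the original article): stateless packet filter vs.
stateful connection tracking. All addresses, ports and packets are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str          # "out" (trusted -> Internet) or "in"
    syn: bool = False       # TCP SYN flag: marks a new connection
    ack: bool = False


class StatelessFilter:
    """Per-packet rules only: no memory of previous packets."""

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            return True
        # Return traffic for outbound HTTPS sessions must be let in blindly,
        # so any inbound packet claiming source port 443 matches this rule.
        return pkt.src_port == 443


class StatefulFilter:
    """Allows inbound packets only if they belong to a tracked connection."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()   # connection table

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:
                # New connection initiated from inside: record its 4-tuple.
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: permitted only as the reverse of a recorded connection.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self.table


# Constructed traffic: inside host, a web server, and an untrusted outside host.
INSIDE, SERVER, UNTRUSTED = "192.168.1.10", "198.51.100.5", "203.0.113.9"
OUT_SYN = Packet(INSIDE, 51000, SERVER, 443, "out", syn=True)
REPLY = Packet(SERVER, 443, INSIDE, 51000, "in", syn=True, ack=True)
# Unsolicited inbound packet with source port 443, aimed at the inside host's SSH port.
UNSOLICITED = Packet(UNTRUSTED, 443, INSIDE, 22, "in", syn=True)


def run(fw, packets: list[Packet]) -> list[bool]:
    """Apply a filter to packets in order and return the allow/deny verdicts."""
    return [fw.allow(p) for p in packets]
```

The stateless filter passes all three packets because the forged one satisfies its port rule; the stateful filter passes the genuine reply and drops the unsolicited packet because no inside host opened that connection.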


  • Next-generation firewall 

A next-generation firewall (NGFW) is a Layer 7 firewall that can inspect the application data and detect malicious packets. A regular firewall filters traffic based on it being HTTP or FTP traffic (using port numbers), but it cannot determine whether there is malicious data inside the HTTP or FTP packet. An application-layer NGFW can inspect the application data in the packet and determine whether there is questionable content inside. NGFWs have the capabilities of traditional firewalls but also employ a host of added features to address threats on other OSI model layers. Some NGFW-specific features include:


  1. Deep packet inspection (DPI) – NGFWs perform much more in-depth inspection of packets than traditional firewalls. This deep inspection can examine packet payloads and identify which application the packet is accessing. This allows the firewall to enforce more granular filtering rules.
  2. Application awareness – Enabling this feature makes the firewall aware of which applications are running and which ports those applications use. This can protect against certain types of malware that aim to terminate a running process and then take over its port.
  3. Identity awareness – Lets a firewall enforce rules based on identity, such as which computer is being used, which user is logged in, etc.
  4. Sandboxing – Firewalls can isolate pieces of code associated with incoming packets and execute them in a “sandbox” environment to ensure they are not behaving maliciously. The results of this sandbox test can then be used as criteria when deciding whether or not to let the packets enter the network.


Web Application Firewalls (WAF)

While traditional firewalls help protect private networks from malicious web applications, WAFs help protect web applications from malicious users. A WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It protects web applications from attacks like cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection.


Intrusion Prevention System 

An intrusion prevention system (IPS) is a security device that monitors activity, logs any suspicious activity, and then takes corrective action. For example, if someone is doing a port scan on the network, the IPS would discover this suspicious activity, log the action, and then disconnect the system performing the port scan from the network.




Cisco Firewall with Cisco IPS

We are constantly under pressure to ensure mission-critical systems are thoroughly safe from bad actors that will try to penetrate your network and attack critical services with a range of attack vectors. So we need to create a reliable way to detect and prevent intruders. Adopting a threat-centric network security approach with the Cisco intrusion prevention system is viable. The Cisco IPS is an engine based on Cisco Snort that is an integral part of the Cisco Firewall, specifically, the Cisco Secure Firewall.

Firewalls have been around for decades and come in various sizes and flavors. The most typical idea of a firewall is a dedicated system or appliance that sits in the network and segments an “internal” network from the “external” Internet. With the traditional Layer 3 firewall, we have baseline capabilities that generally revolve around the inside being good and the outside being bad. However, we must move from just meeting our internal requirements to meeting the dynamic threat landscape in which the bad actors are evolving. We have malware, social engineering, supply chain attacks, advanced persistent threats, denial of service, and various man-in-the-middle attacks. And nothing inside the network should be considered safe. So we must look beyond Layer 3 and incorporate multiple security technologies into firewalling.

So we have the standard firewall that can prevent some of these attacks, but we need to layer additional capabilities onto its baseline so that we have a better chance of detection and prevention. Some of the technologies we layer on are provided by Cisco Snort, which enables the Cisco intrusion prevention system (Cisco IPS) included in the Cisco Firewall solution that we will discuss in this post.


Preliminary Information: Useful Links to Relevant Content

Before you proceed, you may find the following posts helpful for pre-information:

  1. Cisco Secure Firewall
  2. WAN Design Considerations
  3. Routing Convergence
  4. Distributed Firewalls
  5. IDS IPS Azure



Key Cisco Firewall Discussion Points:

  • Introduction to the Cisco Firewall and what is involved in the solution.

  • Highlighting the details of the challenging landscape along with recent trends.

  • Technical details on how to approach implementing a Cisco IPS based on Snort.

  • Scenario: Different types of network security vantage points. Cisco Secure Endpoint and Cisco Secure Malware.

  • Details on starting the different types of Snort releases and the issues with Snort 2.

  • Technical details on Cisco Snort 3.