Book IV, Chapter 1: Network Security Terminology (page 463)
Looking at Security Devices
The first firewall (Firewall1 in Figure 1-4) is connected to the Internet and
controls what traffic is allowed to pass from the Internet through the
firewall. You can see that the first firewall has to allow HTTP traffic and DNS
server traffic through the firewall, as there are public HTTP and DNS servers
behind the first firewall.
The second firewall (Firewall2 in Figure 1-4) is designed to stop all traffic
from passing through that firewall in order to protect the private LAN. The
area between the two firewalls is known as a demilitarized zone (DMZ) and
is designed to allow only selected traffic to enter the zone. This firewall solution
is known as a screened subnet, because any traffic that passes into the DMZ is
screened first by the outer firewall to ensure that it is authorized traffic.
Another very popular firewall solution that relates to Cisco devices is what
is known as a screened-host firewall, shown in Figure 1-5. It is a topology that
has the Internet connected to your router, which will then filter, or screen,
what packets are allowed to pass through and reach the firewall.
Figure 1-5: A screened-host firewall uses a router to filter which packets reach the firewall. (Figure elements: Internet, Cisco router, Firewall, HTTP and DNS servers, Private LAN.)
Cisco routers use access lists (a list of rules that determine what packets are
allowed to enter or leave the network) to control what traffic is allowed to
pass through the router. Access lists are beyond the scope of the CCENT
certification but are required knowledge to pass the CCNA certification
exam.
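To make the two topologies concrete, the following is an added example that is not from the book: it models the screened subnet (Firewall1 in front of the DMZ, Firewall2 in front of the private LAN) and the screened host (a router access list in front of a single firewall) as ordered, first-match rule lists, and renders a rule list in the standard Cisco IOS numbered extended access-list syntax. All addresses come from the RFC 5737 documentation ranges, the rule sets are constructed for illustration, and the function and constant names (`evaluate`, `screened_subnet`, `screened_host`, `to_ios`, `FIREWALL1`, `ROUTER_ACL`) are the example's own.

```python
"""Added example (not from the book): the screened-subnet and screened-host
topologies modelled as ordered, first-match rule lists. All addresses are
constructed from the RFC 5737 documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR; "0.0.0.0/0" means any source
    dst: str               # CIDR; a /32 is a single host
    dport: Optional[int]   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match at all is the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

ANY = "0.0.0.0/0"
DMZ = "203.0.113.0/24"            # constructed DMZ subnet
HTTP_SERVER = "203.0.113.10/32"   # public web server in the DMZ
DNS_SERVER = "203.0.113.11/32"    # public DNS server in the DMZ

# Firewall1 (Internet-facing): only the published DMZ services are reachable.
FIREWALL1 = [
    Rule("permit", "tcp", ANY, HTTP_SERVER, 80),
    Rule("permit", "tcp", ANY, HTTP_SERVER, 443),
    Rule("permit", "udp", ANY, DNS_SERVER, 53),
    Rule("permit", "tcp", ANY, DNS_SERVER, 53),
]
# Firewall2 (inner): no permit rules, so everything hits the implicit deny.
FIREWALL2: List[Rule] = []

def screened_subnet(p: Packet) -> str:
    """Report where a packet is decided in the two-firewall (DMZ) design."""
    if ip_address(p.src) not in ip_network(DMZ):      # arriving from the Internet
        if evaluate(FIREWALL1, p) == "deny":
            return "denied by Firewall1"
        if ip_address(p.dst) in ip_network(DMZ):
            return "permitted into DMZ"
    # Anything bound for the private LAN, including traffic from a DMZ host
    # that has been compromised, must still clear Firewall2.
    if evaluate(FIREWALL2, p) == "deny":
        return "denied by Firewall2"
    return "permitted into private LAN"

# Screened host: the router's access list screens first, then one firewall.
ROUTER_ACL = [
    Rule("permit", "tcp", ANY, DMZ, 80),
    Rule("permit", "tcp", ANY, DMZ, 443),
    Rule("permit", "udp", ANY, DMZ, 53),
]

def screened_host(p: Packet) -> str:
    """Report where a packet is decided in the router-plus-firewall design."""
    if evaluate(ROUTER_ACL, p) == "deny":
        return "denied by router access list"
    if evaluate(FIREWALL1, p) == "deny":
        return "denied by firewall"
    return "permitted"

def _ios_addr(cidr: str) -> str:
    """Render a CIDR the way an IOS extended access list writes it."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # address + wildcard mask

def to_ios(rules: List[Rule], number: int) -> List[str]:
    """Render rules as Cisco IOS numbered extended access-list lines, ending
    with an explicit 'deny ip any any log' so that denied traffic is logged."""
    lines = []
    for r in rules:
        proto = "ip" if r.proto == "any" else r.proto
        line = f"access-list {number} {r.action} {proto} {_ios_addr(r.src)} {_ios_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    lines.append(f"access-list {number} deny ip any any log")
    return lines
```

The point the model makes visible is that the DMZ limits blast radius: a packet from a DMZ host toward the private LAN is stopped at Firewall2 even though Firewall1 never saw it, and in the screened-host design the router's coarse access list removes most unwanted traffic before the firewall applies its per-host rules. Rendering the router list with `to_ios(ROUTER_ACL, 101)` shows how the same rule reads as an IOS access-list line, which is the form the CCNA exam expects.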
Intrusion detection system
An intrusion detection system (IDS) is a device or piece of software that
monitors activity and identifies any suspicious activity on a network
or system. When the IDS identifies the suspicious activity, it logs the
activity and may even send a notification to the administrator as an alert.
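The following added example, which is not from the book, shows the monitor-then-alert behaviour just described in the smallest useful form: a routine replays sshd-style authentication log lines, keeps a sliding window of failed logins per source address, and raises an alert when a source crosses a failure threshold and again if that source later logs in successfully. The log lines are constructed for the example, the window and threshold values are arbitrary, and `run_ids` and `parse_ts` are the example's own names.

```python
"""Added example (not from the book): a minimal intrusion detection routine
that replays sshd-style log lines and raises alerts. The log lines are
constructed for the example; the detection rules are illustrative only."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (syslog layout as written by OpenSSH's sshd).
SAMPLE_LOG = """\
Oct 15 23:01:02 gw sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51011 ssh2
Oct 15 23:01:05 gw sshd[2102]: Failed password for root from 198.51.100.7 port 51012 ssh2
Oct 15 23:01:09 gw sshd[2103]: Failed password for bob from 203.0.113.5 port 40222 ssh2
Oct 15 23:01:11 gw sshd[2104]: Failed password for root from 198.51.100.7 port 51013 ssh2
Oct 15 23:01:30 gw sshd[2105]: Failed password for root from 198.51.100.7 port 51014 ssh2
Oct 15 23:01:44 gw sshd[2106]: Accepted password for bob from 203.0.113.5 port 40223 ssh2
Oct 15 23:01:52 gw sshd[2107]: Accepted password for root from 198.51.100.7 port 51015 ssh2
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(TS + r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(TS + r"Accepted \S+ for (\S+) from (\S+) port \d+")

WINDOW = timedelta(seconds=60)   # how long a failure stays "recent"
THRESHOLD = 3                    # failures per source that count as suspicious

def parse_ts(text: str) -> datetime:
    """Syslog timestamps carry no year; pin one so the arithmetic is stable."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=2010)

def run_ids(log_text: str, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> List[Dict]:
    """Replay the log in order and return the alerts an IDS would raise.

    Two rules: (1) a source reaching `threshold` failed logins inside `window`
    is reported once, when it crosses the line; (2) a successful login from a
    source that has recently crossed that line is reported as well, because
    that is the event an administrator most needs to look at.
    """
    recent: Dict[str, deque] = defaultdict(deque)   # source IP -> failure times
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts, user, src = parse_ts(m.group(1)), m.group(2), m.group(3)
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:       # drop failures older than the window
                q.popleft()
            if len(q) == threshold:
                alerts.append({"type": "repeated_failed_logins", "src": src,
                               "user": user, "count": len(q), "at": ts})
            continue
        m = ACCEPTED.match(line)
        if m:
            ts, user, src = parse_ts(m.group(1)), m.group(2), m.group(3)
            q = recent.get(src)
            if q and len(q) >= threshold and ts - q[-1] <= window:
                alerts.append({"type": "success_after_failures", "src": src,
                               "user": user, "count": len(q), "at": ts})
    return alerts
```

Running `run_ids(SAMPLE_LOG)` produces two alerts: one when 198.51.100.7 reaches three failures, and one when the same source then logs in as root. The single failure from 203.0.113.5 followed by a successful login produces nothing, which is the difference between monitoring everything and alerting only on what crosses a defined line; a production IDS would write every parsed event to its log and reserve notifications for the alerts.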