Home > Articles

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book

3.3: Security Topologies

A security topology is the arrangement of hardware devices on a network with respect to internal security requirements and needs for public access. For example, an Internet order firm will need Web servers that can be accessed by the public for placing orders. In turn, the Web servers will need access to internal database servers, and internal users (employees) will need access to the various servers and possibly to the Internet.

Exercise 3.3.1: Understanding Security Zones

As discussed in the Security+ Exam Cram 2 book, several types of security zone topologies exist, and they include features such as bastion hosts, screened host gateways, and screened subnet gateways. You can place resources that require access from both external and internal locations in a DMZ. An intranet is an internal network that is built using Web servers to disseminate information on an internal basis only. An extranet is a portion of a network set up to allow access by a specified external location only, such as a business partner. In this exercise, you research these topics on the Internet:

  1. Connect to the Internet and navigate to http://www.sharkbelly.org/ebooks/security_plus/0789728362_ch03lev1sec4.html#ch03fig04. This reference provides a comprehensive overview of all topics in Objective 3.3 of the Security+ exam. Review the information provided and in particular the following:

    • Where is a bastion host placed, and how does it protect an internal network?

    • What is the attack surface, and how should it be set up for the highest level of security?

    • How does a screened host gateway differ from a bastion host, and in what ways is it similar to a bastion host?

    • What is the function of an application gateway?

    • How does a screened subnet gateway differ from the other types of security topologies? What types of servers are placed in the DMZ that this gateway defines?

    • What are two different DMZ configurations? Note how these configurations differ from one another and when you should use one configuration or another.

    • What components of a network can constitute an intranet?

    • How does an extranet differ from an intranet, and what components normally appear in an extranet?

    • What is a virtual LAN (VLAN), and in what situations is it advantageous to employ one?

    • How does Network Address Translation (NAT) work? What are the private IP address ranges, and what purpose do these address ranges serve?

    • Which vulnerability is presented by VPN tunneling, and what topological solutions do the authors suggest to overcome this problem?


    A VLAN is a good solution when the need arises to implement a hardware-based implementation that restricts internal access within a network to certain portions as needed for performance of users' tasks. This technology is also beneficial in reducing the likelihood of data compromise by sniffers.

  2. TechSmiths provides an additional point of view on these topics at http://www.techsmiths.com/wapug/exch03/white_papers/webspeed/securing_firewall.htm. What is the major weakness of a bastion host-based security topology? In what two ways is a screened host topology better than a bastion host? Note that the screened subnet topology includes the DMZ concept. Note that a version of the screened subnet topology exists that embraces the concept of an extranet. Finally, note their preferred version of a DMZ configuration and the advantages provided by this configuration.

  3. Yet another viewpoint on security topologies appears at http://www.interhack.net/pubs/fwfaq/. This article contains information of special interest to those of you who are running Cisco routers. It answers many questions related to firewall and topology basics, various intrusions, and methods of making server-based applications work across a firewall. That said, it is a valuable reference for several Security+ objectives in all five objective domains.

  4. A concise report on what bastion hosts do appears at http://www.sans.org/resources/idfaq/bastion.php. What types of bastion hosts are used, and what methods are used to harden or secure these systems?


You should be able to distinguish the types of security topologies and know when to implement a given topology.

Exercise 3.3.2: The Use of VLANs

Two situations often arise when working with LANs. First, as LANs become more popular and faster, they tend to grow larger. As a result, any broadcast messages reach a larger audience than was common even in recent history. Additionally, as more companies adopt organizational structures that are less hierarchical, employees can move from location to location more frequently.

One solution to both of these issues is the VLAN. A VLAN allows a group of computers to be virtually configured as a separate LAN. A VLAN can simply define a subset of a larger LAN or can include computers from various existing LANs.

Figure 3.9 shows a simple VLAN configuration.

Figure 3.9Figure 3.9 VLAN connects groups of computers, forming a separate network.

This exercise directs you to research VLANs and answer some questions about what you learned:

  1. From a Web browser, visit the Candela Technologies Web page at http://www.candelatech.com/~greear/vlan.html and the University of California–Davis Web page at http://net21.ucdavis.edu/newvlan.htm. These Web sites and the links within them contain a lot of information on VLANs. How does a VLAN differ from an ordinary LAN? What are some drawbacks of ordinary routed networks that are solved by the use of a VLAN? Summarize the benefits and limitations of VLANs as described in the University of California page.

  2. Write a brief summary that explains what VLANs are, what benefits they provide over standard LANs, and how you might use one in your environment. Also answer the following questions:

    • What standard defines VLANs?

    • What factor influences VLAN designs more, physical location or logical grouping?

    • Can VLAN devices belong to different physical LANs, or must they all belong to the same LAN?

    • Do VLANs normally increase or decrease network performance?

Exercise 3.3.3: Configuring Internet Connection Sharing in Windows 2000

Internet Connection Sharing (ICS) is a simplified form of Network Address Translation (NAT) available in Windows 2000, Windows XP, and Windows Server 2003. ICS allows users in a home- or small-office environment to connect to the Internet through a host computer on which it is enabled. Like the full version of NAT, ICS hides the internal computers from anyone attempting to access them externally. In the following exercise, you configure a computer running Windows 2000 Professional for ICS. Perform this exercise on a computer that is not joined to a domain. The steps are slightly different, depending on the service pak level in use.

  1. Right-click My Network Places and choose Properties.

  2. Right-click the network connection on which you want to enable ICS and choose Properties.

  3. On the Sharing tab of the Properties dialog box that opens, select Enable Internet Connection Sharing for This Connection (see Figure 3.10).

  4. To ensure that the connection will be dialed when another computer on the network attempts to connect to the Internet, select the Enable On-Demand Dialing check box.

  5. To configure additional ICS settings, click Settings. You can specify which applications are enabled for networking as well as which services will be provided to computers on the network.

  6. Click OK.


When running ICS, client computers receive IP addresses on the network. You should configure these computers to use DHCP to obtain IP addresses.

Figure 3.10Figure 3.10 Enable ICS in Windows 2000 in the Virtual Private Connection Properties dialog box.

What Did I Just Learn?

Now that you have looked at security zone topologies, let's take a moment to review all the critical items you've experienced in this lab:

  • Security zone topologies include bastion hosts, screened host gateways, and screened subnet gateway.

  • A DMZ is a small network located between the local network and the Internet on which services such as Web servers are located. Several configurations for a DMZ are available.

  • An intranet is an internal network configured with a locally available Web server that facilitates exchange of information.

  • An extranet is similar to an intranet but allows access to another trusted network, such as that of a business partner.

  • A VLAN combines computers on the network into a single logical network that can span multiple switches. It is used to provide logical groupings of computers.

  • NAT enables multiple computers to connect to the Internet through a single gateway computer. ICS is a simplified form of NAT available in Windows 2000, Windows XP, and Windows Server 2003.

  • + Share This
  • 🔖 Save To Your Account