
provide remote workers with secure access to your company network: To do that, you set up a VPN on the router, and then provide your remote workers with the credentials necessary to access the VPN. The remote workers can run a software VPN client on their home computers or laptops to connect to your company network.

       To establish a tunnel directly between routers on two networks that are separated geographically: For example, suppose you have offices in Los Angeles and Las Vegas. You can use routers on both networks to establish a VPN tunnel between them. This effectively joins the networks together, so that devices on the Los Angeles network can freely exchange packets with devices on the Las Vegas network, and vice versa.


      FIGURE 3-4: Connecting offices with a VPN tunnel.

      For more information about working with VPN tunnels, refer to Book 4, Chapter 6.

      The final topic for this whirlwind introduction to switches and routers is the concept of VLANs. Most advanced switches allow you to create VLANs.

      As its name suggests, a VLAN is a virtual network that runs on top of your actual physical network. VLANs work at layer 2 of the OSI model, which means that they’re related to MAC addresses, not IP addresses. That said, there is usually a direct correlation between VLANs and IP subnets. If (or when) your network grows large enough that you want to set up two or more subnets to better manage it, you’ll probably also want to set up two or more VLANs, one for each of your subnets.

       If a port on one VLAN receives a packet intended for a destination on the same VLAN, the switch forwards the packet to the destination port, the same as if VLANs were not in use.

       When a port on one VLAN receives a packet intended for a destination on the same VLAN that the switch has not yet learned, the switch will flood only those ports that are on the destination VLAN — not all the ports on the switch. Thus, VLANs can reduce traffic caused by flooding.

       When a broadcast packet is received, the switch will forward the packet only to those ports that are on the same VLAN. In other words, VLANs can break up broadcast domains in the same way that a router can.

       If a port on one VLAN receives a packet intended for a different VLAN, a router is required to link the networks. That’s because separate VLANs are, for all intents and purposes, separate networks. That being said, most switches that support VLANs also support trunk ports, which can switch traffic between VLANs. A trunk port is a port that can handle traffic for two or more VLANs.

      To use VLANs, you must manually configure each port of your switches to operate on the appropriate VLAN. By default, all switches, regardless of manufacturer, are configured out of the box so that all ports operate on a VLAN named VLAN1. To create a new VLAN, you simply create a name for the new VLAN, and then configure the ports that will talk on the new VLAN.

      In VLAN terminology, a port that is configured to operate on a single VLAN is called an access port. Ports that are configured to work on more than one VLAN are called trunk ports. By default, all switch ports are configured as access ports on VLAN1.

      Note that if you have more than one switch in your network, you can configure VLANs to work across the switches. For example, you can create a VLAN for your company’s accounting department — let’s call it VLAN-Acct. Then you can configure ports on any of your switches as access ports on VLAN-Acct. In this way, your entire accounting staff can operate on the accounting VLAN.
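      The forwarding rules above (per-VLAN learning, flooding and broadcast confined to one VLAN, access versus trunk ports) are easier to see in a small model. The following is an added example, not code from the book: a toy VLAN-aware switch whose port names, MAC addresses and VLAN numbers are constructed for illustration. It also shows why a frame for a host on another VLAN never arrives without a router: the switch only ever floods the sender's own VLAN.

```python
# Added example, not from the book: a small model of how a VLAN-aware switch
# decides where a frame goes. Ports, MACs and VLAN numbers are constructed.
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None  # 802.1Q tag on trunk links; None when untagged

@dataclass
class VlanSwitch:
    # port -> VLANs the port carries. An access port has exactly one VLAN,
    # a trunk port has two or more.
    ports: dict
    # MAC table is keyed by (vlan, mac): the same address seen on two VLANs
    # is two separate entries, so learning never leaks across VLANs.
    mac_table: dict = field(default_factory=dict)

    def ingress_vlan(self, port: str, frame: Frame) -> int:
        vlans = self.ports[port]
        if len(vlans) == 1:             # access port: VLAN fixed by configuration
            return next(iter(vlans))
        if frame.vlan in vlans:         # trunk port: honour the tag, if carried
            return frame.vlan
        raise ValueError(f"tag {frame.vlan} is not carried on trunk {port}")

    def forward(self, in_port: str, frame: Frame) -> set:
        """Return the set of ports the frame is sent out of."""
        vlan = self.ingress_vlan(in_port, frame)
        self.mac_table[(vlan, frame.src)] = in_port   # learn within this VLAN only
        same_vlan = {p for p, v in self.ports.items() if vlan in v} - {in_port}
        if frame.dst == BROADCAST:
            return same_vlan            # broadcast domain ends at the VLAN boundary
        out = self.mac_table.get((vlan, frame.dst))
        if out is None:
            return same_vlan            # unknown unicast: flood this VLAN, not the switch
        return {out}                    # known unicast: a single port

def build_demo_switch() -> VlanSwitch:
    # Constructed topology: VLAN 10 = accounting, VLAN 20 = engineering,
    # "uplink" is a trunk carrying both VLANs to a second switch.
    return VlanSwitch(ports={"p1": {10}, "p2": {10},
                             "p3": {20}, "p4": {20},
                             "uplink": {10, 20}})
```

A broadcast from p1 reaches only p2 and the trunk; a frame from p3 addressed to a MAC that lives on VLAN 10 is flooded to p4 and the trunk but never to p1 or p2.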

      Cybersecurity

      IN THIS CHAPTER

       Assessing the risk for security

       Looking at two pillars of cybersecurity

       Identifying the most important protection and recovery measures

       Examining standardized cybersecurity frameworks

       Looking closer at the NIST Cybersecurity Framework

      As an IT professional, cybersecurity is the thing most likely to keep you awake at night. Consider the following scenarios:

       Your phone starts ringing like crazy at 3 o’clock one afternoon because no one anywhere on the network can access any of their files. You soon discover that your network has been infiltrated by ransomware, nefarious software that has encrypted every byte of data on your network, rendering it useless to your users until you pay a ransom to recover the data.

       Your company becomes a headline on CNN because a security breach has resulted in the theft of your customers’ credit card information.

       On his last day of work, a disgruntled employee copies your company contact list and other vital intellectual property to a flash drive and walks away with it along with his red Swingline stapler. A few months later, your company loses its biggest contract to the company where this jerk now works.

      There is no way you can absolutely prevent such scenarios from ever happening, but with proper security, you can greatly reduce their likelihood. This chapter presents a brief overview of some of the basic principles of securing your network.

      It’s tempting to think that cybersecurity is important only to large enterprises. In a small business, everyone knows and trusts everyone else. Folks don’t lock up their desks when they take a coffee break, and although everyone knows where the petty cash box is, money never disappears.

      Cybersecurity isn’t necessary in an idyllic setting like this one — or is it? You bet it is. Here’s why any network should be set up with built-in concern for security:

       Mitts off: Even in the friendliest office environment, some information is and should be confidential. If this information is stored on the network, you want to store it in a directory that’s available only to authorized users.

       Hmm: Not all security breaches are malicious. A network