CompTIA Security+ SYO-401


Network Design Elements and Components Tutorial

1 Network Design Elements and Components

In the field of network security, we can’t let anyone steal or hack our data, so it is very important to design a highly secure network. In this lesson we may not learn to design a complete secure network, but we will learn about its key components. Before we get into the details of this topic, let’s look at the objectives covered in this lesson. After completing this lesson, you will be able to:

• Comprehend Network Design and Components,
• Describe Virtualization, and
• Define Cloud Service Security.

In this topic, you will learn about Network Design and Components. Network design refers to planning a computer network infrastructure and implementing security configuration parameters on network devices. Creating a network design requires a System Administrator to cover two key aspects:

1. Thorough analysis to understand the components and protocols of the physical network, and
2. Troubleshooting security issues related to wireless networking.

So, before understanding these sub-objectives, we will review some network design concepts.

Network design starts with network topologies. In layman’s terms, network topologies provide information on how to place nodes, devices, and other security objects in a network to ease their access. Topologies enable you not only to design a network, but also to secure it. They are further classified into logical topology and physical topology. The logical topology does not determine the physical placement of devices, but rather how the devices send data and how they are related to one another. The physical topology, by contrast, maps the physical location of the nodes and determines how they interact with one another.

Now, let’s see the different topologies and their functions.

We begin with the basic and simplest form of network topology, the point-to-point topology. This is where two end points create an unimpeded connection between one another. For example, telephone lines use switched point-to-point topology to send data between two phone connections.

Next is the bus topology. The backbone of this topology is a single cable with many connectors that feed off into nodes. The information travels down the backbone and to all connections. This is similar to a bus that travels down the road and halts at all stops. Bus topologies are often created using hubs.

Third on the list is the star topology. This is a common topology implemented in a network that is created using switches, and all their nodes travel back to a single device that broadcasts the actual data. Sometimes hubs are used to create star topologies, and repeaters can be used to create extended star topologies.

Next is the ring topology. Here, data travels in a circular motion, and is found on a bus-type connection. The common ring topology is known as Token Ring. The device with a token broadcasts data across the bus, and the token then moves to the next device in the ring.

Last on this list is the mesh topology. In this type, devices create redundant connections with all other devices in the network. It is hard to interrupt communication in this topology, as the devices use mathematical equations to determine the best possible route to move data between them.

There is one more topology, the advanced topology. We will discuss this later in the lesson. Now, let’s learn how to secure network designs.

2 Network Design and Components

We have learnt the primary functions of the key network topologies. Now, let’s see how topologies and design elements work together with devices and security.

Since we are discussing security, let’s begin with ‘Demilitarized Zones’ or ‘DMZs’. The term is borrowed from the military, where it means "an area between nations in which military operations are not permitted". In computer security, however, a DMZ is a mediator between the public Internet and the internal network. In other words, the DMZ is the area between two firewalls. Firewalls placed on the edge of a network are called External Firewalls, and they intercept the public data attempting to get into the systems through the space between the two firewalls. In a typical scenario, publicly accessed devices are placed in a DMZ.

But how does a DMZ work? After the data is allowed by the external firewall, it is able to access the machines within the DMZ. There is another firewall, known as the Internal Firewall, that is placed behind the DMZ systems. This prevents unwanted public activity in the private LANs.

DMZs allow servers to access the public network or to be accessed by other public networks. They ensure that the private internal networks holding sensitive data are not compromised. You can use DMZs to hide or isolate internal servers from other private and public networks. DNS servers, web servers, FTP servers, SMTP servers, and other mail servers are the most common types of devices placed in a DMZ.
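The two-firewall layout described above can be modelled as an ordered chain of zones, as in the following added Python example (not part of the original lesson). The address ranges, ports and rule sets are constructed assumptions; the model covers connection initiation only and denies anything not explicitly allowed.

```python
import ipaddress

# Constructed addressing plan (assumption): anything outside these is "internet".
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/28"),
    "lan": ipaddress.ip_network("10.0.0.0/24"),
}
# Physical order of zones: the external firewall sits between internet and
# dmz, the internal firewall between dmz and lan.
ORDER = ["internet", "dmz", "lan"]

# Allow-lists of (source zone, destination zone, destination port).
# A port of None means any port. Everything not listed is denied.
EXTERNAL_FW = [
    ("internet", "dmz", 443),   # public web server
    ("internet", "dmz", 25),    # public SMTP server
    ("lan", "internet", None),  # outbound traffic from the private LAN
]
INTERNAL_FW = [
    ("lan", "dmz", None),       # staff may reach the DMZ servers
    ("lan", "internet", None),  # outbound traffic from the private LAN
]
FIREWALLS = [EXTERNAL_FW, INTERNAL_FW]


def zone_of(ip):
    """Map an address to its zone name."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def traversed(src_zone, dst_zone):
    """Firewalls that a flow between the two zones has to cross."""
    a, b = sorted((ORDER.index(src_zone), ORDER.index(dst_zone)))
    return FIREWALLS[a:b]


def fw_allows(rules, src_zone, dst_zone, port):
    """True if any allow rule on this firewall matches the flow."""
    return any(
        r_src == src_zone and r_dst == dst_zone and r_port in (None, port)
        for r_src, r_dst, r_port in rules
    )


def permitted(src_ip, dst_ip, dst_port):
    """A new connection passes only if every firewall on its path allows it."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return all(fw_allows(fw, src, dst, dst_port) for fw in traversed(src, dst))


if __name__ == "__main__":
    flows = [
        ("198.51.100.7", "203.0.113.5", 443),  # internet -> DMZ web server
        ("198.51.100.7", "10.0.0.20", 443),    # internet -> private LAN
        ("203.0.113.5", "10.0.0.20", 445),     # DMZ host -> private LAN
        ("10.0.0.20", "203.0.113.5", 22),      # LAN admin -> DMZ server
    ]
    for src, dst, port in flows:
        verdict = "allow" if permitted(src, dst, port) else "deny"
        print(f"{src} -> {dst}:{port} {verdict}")
```

The third flow is the case the internal firewall exists for: a DMZ server that has been taken over still cannot open a connection into the private LAN.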

3 Subnetting

Let’s now move from the demilitarized zone to another component of network design, subnetting. Subnetting, like VLANs, is the logical division of networks based on IP address schemes. It takes one network and divides it into two based on IP networks, which are split through the process of subnets. These two subnets then act as different networks, and require routing to transfer data between them. Subnetting divides networks based on Network IDs, which are in turn determined by subnet masks.

Now, we will look carefully at how a network is split. Subnet masks are four sets of eight bits that are either On or Off. These are represented in the example of This means, when lined up with an IP address, anything that is under the 255.255.255 portion of the IP address is a network address. Anything under the 0th portion of the Network ID is a node address. For example, means all devices on the 192.168.2 are on a single subnet. 15 denotes the address of a particular node on that subnet. You can have two subnets such as and In these subnets, devices on the first network cannot communicate with devices on the second network, even if they are on the same switched network, unless a routing device is configured to route data between these two networks.

After learning about subnetting, we move to the next aspect of network security, Virtual Local Area Networks or VLANs. VLANs are commonly associated with managed Layer 3 switches, and they are like subnetted networks. Devices on one VLAN cannot access or communicate with devices on another VLAN without a routing device to transfer data between the networks. You can use VLANs to group types of machines or users in a single networking group. For example, if you have many users throughout the physical network who are part of the same HR department, their machines can be VLANed into their own networking segment. This facilitates communication between users who are connected to the HR server.

In the previous slide, we learnt how a VLAN works. Now, we will learn about Network Address Translation. Network Address Translation or NAT is a security feature, originally designed to extend the number of usable IP addresses, and it enables any organization to present a single address to the Internet for all computer connections. The NAT server provides IP addresses to hosts or systems in the network, and tracks the inbound and outbound traffic.

Now, let’s look at the security aspect of NAT. It limits an attacker to seeing only a limited number of public IP addresses. Thus, NAT hides your network from the public and from malicious users. The reverse of NAT is PAT or Port Address Translation. This happens when information comes into a specified port, and your device redirects all information from that inbound port to a specific server. PAT is more limited, and is used with ports rather than IP addresses.

Now, let’s see the different types of NAT, such as Destination NAT and Static NAT. These are different ways to hide your network. NAT uses a range of private IP addresses as displayed on your screen. This range of IP addresses is translated into public IP addresses that communicate across the network. This expands the number of devices that can be used across the world with IP addresses, and also hides your network from external access.

Moving on, the word ‘Remote’ plays an unpraised role in our lives. We use remote controls for television, air-conditioning, and so on. Let’s see what role “Remote Access” plays in networking. Remote access is claimed to be a great invention for administration, as it helps manage network administration and maintenance of devices on the network from any location, either within the network or outside of it. For example, in large companies with multiple offices, some form of remote access is absolutely necessary. It enables a network administrator to access routers across the Internet or across the network to make necessary changes. Additionally, remote access can be found in desktops, servers, managed switches, and many other devices. It has two forms, namely, TELNET and SSH Tunneling. There are also web-based options for remote access and management of devices.

From a security perspective, remote access is always a security threat. If you can access a device or a network remotely, so can a malicious user. It is important to secure remote access with authentication, encryption, and other security measures. Remote access can be set up for networks, devices, and other services. There are remote access authentication methods to secure access to devices on the network. The most common methods are PAP, CHAP, MS-CHAP, and RADIUS.
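The subnet-mask arithmetic from the subnetting part of this section, as an added Python example that is not part of the original lesson. The mask values and host addresses are constructed samples, and the 255.255.255.128 case goes one step beyond the text to show that hosts sharing their first three octets can still sit on different subnets.

```python
import ipaddress


def split_address(ip, mask):
    """Line the mask up with the address: On bits select the network ID,
    Off bits select the node address. Returns (network_id, node_part)."""
    ipaddress.ip_address(ip)                 # ValueError on a malformed address
    ipaddress.ip_network(f"0.0.0.0/{mask}")  # ValueError on an invalid mask
    ip_octets = [int(o) for o in ip.split(".")]
    mask_octets = [int(o) for o in mask.split(".")]
    network = [i & m for i, m in zip(ip_octets, mask_octets)]
    node = [i & (m ^ 0xFF) for i, m in zip(ip_octets, mask_octets)]
    return ".".join(map(str, network)), ".".join(map(str, node))


def needs_router(src, dst, mask):
    """True when the two hosts fall in different subnets under this mask,
    so a routing device has to carry traffic between them."""
    src_net = ipaddress.ip_interface(f"{src}/{mask}").network
    dst_net = ipaddress.ip_interface(f"{dst}/{mask}").network
    return src_net != dst_net


def group_by_subnet(hosts, mask):
    """Group host addresses by the subnet each one belongs to."""
    groups = {}
    for host in hosts:
        net = ipaddress.ip_interface(f"{host}/{mask}").network
        groups.setdefault(str(net), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample hosts, not taken from the lesson.
    hosts = ["192.168.2.15", "192.168.2.200", "192.168.3.15"]
    for mask in ("255.255.255.0", "255.255.255.128"):
        print(f"mask {mask}")
        for host in hosts:
            network_id, node = split_address(host, mask)
            print(f"  {host}: network {network_id}, node {node}")
        for subnet, members in group_by_subnet(hosts, mask).items():
            print(f"  subnet {subnet}: {members}")
        print("  router needed between first two hosts:",
              needs_router(hosts[0], hosts[1], mask))
```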

4 Tunneling

Now, let’s look at SSH Tunneling. SSH Tunneling is a method to securely access a remote network. It involves creating a Virtual Private Network or VPN, or a tunnel that creates a pipe to allow you or a machine to access remote resources as if they were directly on the network. It takes two end points, which could be two routers, a VPN concentrator and a client, or a client and a router. Then, it creates a point-to-point connection with the device. Before sending information to the targeted device, it creates a pipe or tunnel across the Internet, protecting the information with encryption and authentication while in transit. Following this, the payload or data to be sent is pushed through the protected tunnel, to and from the end points. SSH Tunneling allows a computer to access network resources as if the devices were connected directly to the LAN. Windows uses a Remote Access Server or RAS to create these remote access and tunneling connections. All of these and other Virtual Network Computing or VNC methods are vulnerable to intruders on the Internet.

Telephony is the combination of telephones and IT. It is commonly referred to as Voice over IP (VoIP). Companies that still use landlines are most likely to migrate to digital VoIP. The problem with telephony is that it is not very secure, and securing information and data is often a hassle, or is generally left to the vendor. VoIP traffic can easily be sniffed with packet sniffers and other networking tools. VoIP systems can be easily exploited if they are not treated like the other parts of your network that carry sensitive data or information. In addition to using normal networking security standards, it is good to utilize third-party vendor tools and measures.

There are possibilities that NAC may request listed MAC addresses of the client computers. NAC may require a machine to have Windows or certain Operating System patches before connecting to a network. It is a very strict measure, although it protects the network from several types of threats and vulnerabilities. It is important to note that 802.1X is a type of NAC or Network Access Control for wireless Access Points and for connecting physical ports.

We will now learn about virtualization. Today, organizations prefer implementing virtualization in almost all environments. In simple words, virtualization allows you to have a single physical machine that houses several virtual machines. Use of virtualization cuts down on the cost of equipment and on the size of the environmental footprint your systems leave.

Virtualization has its own share of risks. If the single physical device crashes or is inaccessible, then all the machines housed on the host will go down or become inaccessible. It becomes a single point of failure. Virtual machines are separated from their physical host machine by a technology known as a hypervisor. If the hypervisor is secured, and separates each virtual machine from the rest of the machine, then your network should be safe even if the host machine is compromised with viral information. Virtualization is cost effective, but there is a problem when the security measures for the hypervisor are compromised. Virtualization is the heart of cloud computing.

There are two types of hypervisor structures, Type 1 and Type 2. In Type 1, or bare metal, the hypervisor runs directly on the host hardware, whereas a Type 2 hypervisor runs as an application on the host Operating System.

5 Cloud Computing

In this topic, you will learn about Cloud Computing. We have discussed cloud computing in previous topics. Now, let’s learn what cloud computing is. Would you like to guess? Cloud computing is a form of virtualized outsourcing. To run a business, you need software models and a team for installation, configuration, and other tasks. With cloud computing, however, the business shifts from traditional software models to the Internet. Cloud computing is a virtual system over the Internet that houses and performs your IT tasks. There are several types of cloud computing, which we will discuss in greater detail. Although these categories do not describe all the forms, they are general umbrella categories for cloud computing.

Let’s take a general question that people have with regard to cloud computing. Many customers share a service; for example, banking institutions, retail stores, law firms, and all types of businesses can subscribe to the same service. If this is a shared service, then other companies may use our data; however, with cloud computing it is impossible that one customer can gain access to another customer’s data. You can trust the provider to keep customer information partitioned from other subscribers. This is often accomplished using virtualization technologies.

In most cases, law enforcement agencies have legal reasons for the data provider to give access to the stored information, and they have to provide full disclosure of the information. If you are wondering who manages security, then it is critical to find out what services are provided, and whether you are responsible for the security configuration of the system. Most public cloud providers periodically undergo third-party security audits.

6 Types of Cloud Services

Cloud computing currently offers 9 categories of cloud services, and the following are the types of cloud:

• Platform as a Service (PaaS)
• Software as a Service (SaaS)
• Infrastructure as a Service (IaaS)
• Cloud Service Security
• Private Cloud
• Public Cloud
• Hybrid Cloud
• Community Cloud
• Defense in Depth/Layered Security

We will look at each of these in the following screens.

Let’s start with Platform as a Service or PaaS. It is defined as a cloud infrastructure in which users access a platform over the Internet to perform their daily tasks. This platform can be an Operating System accessed over the network, a storage area, or a third-party application to perform your services. The cloud involves a contract with a third-party company, in which they lease a platform and allow you to establish a connection with it. The PaaS provider is responsible for the facility, network, hardware, Operating System, and middleware, with the consumer responsible for the users and applications.

Next on the list is Software as a Service (SaaS). When you use Software as a Service, the third-party application is provided over the Internet. This means you are not responsible for the data, disk space, storage, or installation of the application, and it is accessed remotely. Many third-party companies prefer using SaaS so that their own software can be used without their being responsible for the whole network of a company that is accessing it. In this scenario, the consumer is only responsible for the user. Software as a Service means the cloud company is responsible for the application, middleware, operating system, hardware, network, and facility of the platform they support. These types of service companies provide the datacenter side of it for a monthly fee, or expect you to pay for the service you use.

Next, we’ll learn about Cloud Service Security. Cloud Service Security is a developing sub-domain of computer security, network security, and, more broadly, information security. It refers to a broad set of policies, technologies, and controls deployed to protect the data, applications, and associated infrastructure of cloud computing. With cloud-as-a-service concepts, you are only as secure as the company that houses the equipment, although the more you hand over to the company, the less you are liable. It is important to weigh the amount of security required against the amount of security provided to determine whether you have chosen the right cloud company.

We’ll now learn about Private Cloud. Private cloud is a type of cloud computing that delivers similar advantages to public cloud, including scalability and self-service, through a proprietary architecture. A private cloud is dedicated to a single organization. Private clouds are like custom-made clouds that you own, or that the company owns. The company is both the provider and the consumer of this cloud environment. In this type of topology, you are not putting any data on the Internet or into the hands of a third-party vendor. These clouds give you full control of security and access to the cloud environment.

The 6th category is the Public Cloud. Public clouds are the infrastructure for the general public. A public cloud may be owned or managed by a third party, but exists on the premises of the cloud provider. Mostly, public cloud works on the pay-as-you-go concept. This means that your files and information are stored or moved over the Internet, making them only as secure as the provider. Public cloud providers often use a third-party security audit to ensure they are secure, without causing problems while accessing their platforms.

Now, let’s look at Hybrid Cloud. Hybrid cloud is a mix of public and private clouds. This cloud gives your company the option to store data that is not sensitive in a public cloud, which correlates with your on-site private cloud, where sensitive data is stored. Hybrid clouds can be a combination of private, public, and community clouds.

Next is Community Cloud. The Community Cloud enables multi-tenancy, which allows more organizations to share the computing infrastructure. These organizations come together due to their common computing concerns, which include audit requirements, the need for hosting applications, and quick turnaround time. In this type of cloud, as in the public cloud, the consumer has very little control over the cloud infrastructure.

Lastly, let’s look at Defense in Depth/Layered Security. One of the key points we have touched on throughout the previous lessons, including this one, is that there is security at every layer of the OSI model and at every layer of a network topology. This strategy is known as Layered Security, or as Defense in Depth in the industry. We need security at every layer of access, from the end user to the client, to the server, to the firewalls and network devices. There should also be security between public and private servers, and from the LAN to the WAN. Once you establish these layers of security, you also need to secure physical access to the computer rooms and device structures. Following this, you can increase the security of the perimeter, with physical security such as mantraps and fences. Malicious hackers are always learning newer ways to circumvent technologies, security measures, and exploits. Thus, you need more security at different layers. If we have only a firewall or a single network device, then once that device is compromised, there is nothing to stop the intruder from entering the network.

8 Summary

Let’s summarize the topics covered in this lesson:

• Network Designs deal with the design and infrastructure fundamentals.
• Network Topologies mean nodes, devices, and security objects that are placed for accessing the network resources.
• Remote Access allows a network administrator to access routers across the Internet or across the network to make necessary changes.
• Virtual Private Network tunnel creates a pipe that allows you or a machine to access remote resources as if they are directly on the network.
• Virtualization allows you to have a single physical machine that houses several virtual machines.
• Cloud Computing is a form of virtualized outsourcing.

With this, we conclude the lesson, ‘Network Design Elements and Components.’ The next lesson is ‘Implement Common Protocols and Services.’
