Friday, June 5, 2020

General networking questions:

I should preface this by saying I'm not all that knowledgeable in networking, but I wish to learn as much as possible! :) I want to know enough about networking to ensure our business's network is configured correctly, safely, and is well secured.

I understand that VLANs are an L2 technology that effectively "splits" a switch into smaller sections, which can then be connected together again via patch cables (although this defeats the purpose) or via routers, where each partition can be assigned a mutually exclusive IP bitmask. Therefore if you have N networks, you need N-1 routers between them to allow L2 communication with LAN devices and L3 communication with stuff from the other LANs. Is my understanding correct?

I know NAT allows multiple users to appear as a single user to the ISP, as NAT plays shenanigans with ports to emulate a single user, but this just makes things so confusing to me, at least in the context of typical edge routers.

If NAT can cloak many devices on a network to appear as a single device, does it improve security? Especially since the basic firewall that's often "bundled" generally blocks incoming connections on all ports by default.

On home routers, what exactly does DMZ do? Forward all incoming connections to a specific device? How does the router know what traffic goes to my server and what traffic goes to all the other devices?

On enterprise systems, does "DMZ" simply mean to put a specific device on the outside of the LAN? This would then imply that LAN devices must communicate to it over IP since you basically put one of your devices directly on the WAN side.

While doing some research on how to set up a secure and robust network, I came across Steve Gibson's "3 dumb routers" approach. But should NAT be disabled on the 2 inner routers? I don't know if the firewall rules require that it be enabled, or if NAT provides an extra layer of security and should be left enabled.
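As an added illustration that is not part of the original post, the following Python model shows how a typical home router's NAT decides where inbound traffic goes, which bears on the NAT and home-router DMZ questions above: outbound flows create translation entries, replies matching an entry go back to the originating device, and anything unmatched goes to the DMZ host if one is configured or is otherwise dropped. The addresses, ports and the matching rule (a reply must come from the same remote address and port that the internal device contacted) are constructed assumptions; real routers differ in how strictly they match.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed example addresses (documentation ranges, not real hosts).
PUBLIC_IP = "203.0.113.7"

Mapping = Tuple[str, int, str, int]  # (internal_ip, internal_port, remote_ip, remote_port)


@dataclass
class NatRouter:
    """Toy model of a consumer NAT router with an optional DMZ host."""
    public_ip: str
    dmz_host: Optional[str] = None
    next_port: int = 40000  # assumed first public port handed out
    table: Dict[int, Mapping] = field(default_factory=dict)  # public_port -> mapping

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Rewrite an outbound packet's source to the public IP and record the flow."""
        for pub_port, mapping in self.table.items():
            if mapping == (src_ip, src_port, dst_ip, dst_port):
                return (self.public_ip, pub_port, dst_ip, dst_port)  # reuse existing entry
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int):
        """Decide where a packet arriving at the public IP is delivered.

        Returns (decision, internal_ip, internal_port). A packet is only
        translated back to a LAN device when it matches a flow that device
        opened; with no match it goes to the DMZ host if one is set, else
        it is dropped. That drop is the "security" NAT appears to add, and
        a configured DMZ host forfeits it for every unmatched port.
        """
        entry = self.table.get(dst_port)
        if entry is not None and entry[2:] == (src_ip, src_port):
            return ("translated", entry[0], entry[1])
        if self.dmz_host is not None:
            return ("dmz", self.dmz_host, dst_port)
        return ("dropped", None, None)


def demo():
    """Walk one outbound flow, its reply, and two unsolicited inbound packets."""
    router = NatRouter(PUBLIC_IP, dmz_host="192.168.1.50")
    router.outbound("192.168.1.10", 51000, "198.51.100.5", 443)  # laptop opens HTTPS
    reply = router.inbound("198.51.100.5", 443, 40000)            # server answers
    unsolicited = router.inbound("198.51.100.9", 33333, 22)       # nobody asked for this
    return reply, unsolicited
```

With no DMZ host configured, the same unsolicited packet is simply dropped, which is the point of the bundled firewall's default; setting a DMZ host hands every unmatched inbound port to that one device, so it should be treated as exposed to the WAN.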


