Part II
Infrastructure Security
In this lecture I introduce the components of a network infrastructure and the security issues
that concern each of them.
Slide 2
Contents
1. Network Topology
2. Firewall
3. IDS/IPS
4. VPN
5. NAT
6. Load Balancing
7. WAN Optimize
8. VLAN
9. NAC
10. Wifi
11. Storage Security
12. Virtualization
13. Media Security
1. Network Topology
Let's start with the first part: a general view of network topology.
Slide 4
Network Topology
[Diagram: ISP -> Modem -> Firewall, with IDS/IPS; zones Outside, DMZ (Mail Svr, LDAP Svr, Web Svr) and Inside (VLAN2, VLAN3, VLAN4, VLAN5, Access point with Laptop and PDA)]
Network Topology
Firewall: divides the network into zones (Inside, Outside, DMZ) and controls the traffic entering
and leaving each zone.
IDS/IPS: detects, warns about and prevents attacks.
VPN: creates secure connections between the networks of the branches and for users working
outside the company network.
Slide 6
2. FIREWALL
Firewall
Firewall: blocks attacks, manages access
Network Topology
Firewall
Classification
By scope: Personal, Network
By packaging: Software, Appliance
Firewalls can be divided either by the scope they protect in the network or by the way they are
packaged.
+ Personal: installed on hosts (server, PC, laptop) and protects only those hosts.
+ Network: protects all hosts in a network.
+ Software: can be installed on hosts with different hardware, acting as a Personal Firewall
(Bkav Endpoint, ...), or installed on a server, acting as a Network Firewall (iptables, Microsoft
ISA, pfSense, ...).
+ Appliance: dedicated hardware running the manufacturer's own operating system and modules
(Cisco ASA, Juniper, SonicWall, Fortigate, ...).
Slide 11
Firewall
Generations of firewall
Packet Filtering
Stateful Inspection
Proxy Server
UTM Firewall
Next-Generation Firewall
Packet filtering is the first technology used in firewalls; its mechanism is simply to read the
layer 3 and layer 4 information of EACH packet and compare it with the policies.
Slide 13
Firewall
Packet Filtering
This diagram shows where Packet Filtering technology operates in the OSI reference model.
Slide 14
Firewall
Packet Filtering
• Most widely used (routers)
• Operates on the network layer
• Uses ACLs to filter packets based on information in the TCP/IP header
Firewall
Packet Filtering
Limitations
Because of its simple mechanism, Packet Filtering still has many limitations.
Slide 16
Firewall
Packet Filtering
Limitations
Managing ACLs is difficult
Network performance drops as the number of rules in the ACL increases
Can filter only up to layer 4 (OSI model)
Has trouble with some protocols
Firewall
Packet Filtering
Case study: FTP Protocol
To understand this technology clearly, we will study the FTP protocol.
FTP:
It is a protocol that runs on top of TCP.
In a session it uses 2 channels: data (port 20) and command (port 21).
There are 2 modes: active and passive.
Slide 18
Firewall
Packet Filtering
Case study: FTP Protocol
• Active FTP
Client connects from a port N (N > 1023) to the server's port 21 (command)
Client listens on port N+1, waiting for the server to connect back from port 20 (data)
In Active mode:
The client connects from a port N (N > 1023) to port 21 of the server (command).
Then the client listens on port N+1 and waits for the server to connect back from port 20 (data).
Slide 19
Firewall
Active FTP
The image on this slide shows the steps that establish the connection between server and
client in FTP Active mode.
First, the client uses source port 1026 to connect to port 21 of the FTP server, and the FTP
server sends an Ack packet back to the client as confirmation. After receiving the Ack, the client
listens on port 1027 and waits for the connection from the FTP server.
Slide 20
Firewall
Packet Filtering
Case study: FTP Protocol
• Situation 1: the firewall opens destination ports 20 and 21 in the direction from client to
server and blocks the reverse direction
=> when the server opens a session from source port 20 to destination port (N+1) of the client
in order to transmit data, it is blocked by the firewall.
• Situation 2: the firewall opens destination ports 20 and 21 in the direction from client to
server and also allows the reverse direction
=> FTP transmits data successfully, but the client is no longer protected, because an attacker
can forge the IP address of the FTP server and open a session from source port 20 to the client.
Slide 21
Firewall
Packet Filtering
Case study: FTP Protocol
• Active FTP
Limitation: the client does not open the data connection itself
but accepts one coming from outside
The firewall on the client side will block this connection
• Passive FTP
Alternative to Active FTP
Uses the PASV command
To avoid these limitations of Active mode, we can use FTP Passive mode.
Slide 22
Firewall
Packet Filtering
Case study: FTP Protocol
• Passive FTP
Client connects to port 21 of the server and sends the PASV command
Server replies with the port number on which it will serve the client
Client opens a connection to the server on the port it received in order to transmit data
Client initiates all connections to the server from two ports N and N+1 (N > 1023)
Firewall
Passive FTP
Firewall
Packet Filtering
Case study: FTP Protocol
• Passive FTP
Limitations:
1. The server exposes all ports N > 1023
2. Some clients do not support FTP Passive mode
FTP Passive mode defeats the spoofing attack described above; its limitations are that the
server exposes ports N > 1023, which creates a security exposure, and that some clients do not
support Passive mode.
Slide 25
Firewall
Packet Filtering
Packet Filtering = Stateless inspection
Firewall
Stateful Inspection
• Also called Dynamic Packet Filtering
• A technology that enables the firewall not only to filter packets but also to track
connections automatically
• For the FTP protocol, it can automatically permit or deny connections to the data ports
that are currently in use
Firewall
Stateful Inspection
* When a new session passes through the firewall, the firewall checks the first packet of the
session, from layer 1 to layer 7, against its rules.
* If the packet matches a rule with action "deny", or matches no rule at all, it is dropped
=> a state entry is added to the StateTable with action "deny".
* If the packet matches a rule with action "permit", it is allowed
=> a state entry is added to the StateTable with action "permit".
* For the following packets of the session, the firewall inspects only up to layer 4 and
consults the StateTable to decide whether to permit or deny.
In other words, the full rule evaluation is performed once, on the first packet; every later
packet is matched against the StateTable by its layer 3/4 header, which is what makes stateful
inspection fast.
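The two FTP situations and the StateTable logic above, written out as an added example (this is
my illustration, not code from the lecture): a stateless filter that can only see headers, beside a
stateful filter that evaluates rules once per session, remembers the verdict, and learns the client's
data port from the PORT command. Reading the PORT command goes beyond the lecture's N+1
simplification; all addresses are constructed.

```python
"""Stateless vs. stateful filtering of active-mode FTP (added example)."""
from dataclasses import dataclass

# Constructed addresses for the walk-through (not from the lecture).
CLIENT, SERVER, ATTACKER = "10.1.1.5", "20.20.20.20", "203.0.113.9"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""   # application-layer data, e.g. the client's "PORT ..." command

def stateless_filter(pkt: Packet, allow_return: bool) -> str:
    """Packet filtering: every packet is judged alone on its layer-3/4 header.
    allow_return=False is the lecture's situation 1, True is situation 2."""
    if pkt.src_ip == CLIENT and pkt.dst_ip == SERVER and pkt.dst_port in (20, 21):
        return "permit"
    if allow_return and pkt.dst_ip == CLIENT and pkt.src_port == 20:
        # Header-only check: a forged packet with source port 20 looks identical.
        return "permit"
    return "deny"

class StatefulFilter:
    """Stateful inspection: rule check on the first packet of a session, a
    StateTable entry for the verdict, and header-only lookups afterwards."""

    def __init__(self) -> None:
        self.state_table: dict[tuple, str] = {}   # 4-tuple -> "permit" / "deny"
        self.expected: set[tuple] = set()          # data connections announced via PORT

    def _check_rules(self, pkt: Packet) -> str:
        # Full rule check, done once per session (the lecture's "layer 1 to layer 7").
        if pkt.src_ip == CLIENT and pkt.dst_ip == SERVER and pkt.dst_port == 21:
            return "permit"
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.expected:
            return "permit"   # the data channel the client asked for, nothing else
        return "deny"

    def _learn_port_command(self, pkt: Packet) -> None:
        # "PORT h1,h2,h3,h4,p1,p2": the client will listen on h1.h2.h3.h4 : p1*256+p2.
        if not pkt.payload.startswith("PORT "):
            return
        fields = pkt.payload[5:].strip().split(",")
        if len(fields) != 6 or not all(f.isdigit() for f in fields):
            return   # malformed command: learn nothing rather than open a hole
        host = ".".join(fields[:4])
        port = int(fields[4]) * 256 + int(fields[5])
        if host == pkt.src_ip and 1023 < port < 65536:   # only the client's own address
            self.expected.add((pkt.dst_ip, 20, host, port))

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.state_table:
            action = self.state_table[key]
        elif reverse in self.state_table:
            action = self.state_table[reverse]    # reply direction of a known session
        else:
            action = self._check_rules(pkt)
            self.state_table[key] = action        # remember permit AND deny verdicts
        if action == "permit" and pkt.dst_port == 21:
            self._learn_port_command(pkt)
        return action

def demo() -> dict[str, str]:
    """Run the lecture's active-FTP scenario through all three filters."""
    cmd = Packet(CLIENT, 1026, SERVER, 21, "PORT 10,1,1,5,4,3")   # 4*256+3 = 1027
    data = Packet(SERVER, 20, CLIENT, 1027)                        # genuine data channel
    forged = Packet(ATTACKER, 20, CLIENT, 1027)                    # source port 20, wrong host
    stateful = StatefulFilter()
    return {
        "situation1_data": stateless_filter(data, allow_return=False),
        "situation2_data": stateless_filter(data, allow_return=True),
        "situation2_forged": stateless_filter(forged, allow_return=True),
        "stateful_cmd": stateful.filter(cmd),
        "stateful_data": stateful.filter(data),
        "stateful_forged": stateful.filter(forged),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Situation 1 denies the genuine data connection, situation 2 permits both the genuine and the forged one, and only the stateful filter tells them apart.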
Slide 28
Firewall
Stateful Inspection
Advantages:
High security
Fast and flexible packet processing
The advantages of Stateful Inspection technology are high security and fast packet processing.
Slide 29
Firewall
Proxy Server
It operates on the application layer, so it can inspect the protocols of that layer in depth,
such as HTTP, FTP, etc.
Another, less widely used firewall technology is the Proxy Server. It operates at the application
layer, so it can inspect the contents of packets in depth.
A proxy firewall can filter content, viruses and trojans.
Slide 30
Firewall
UTM Firewall
A technology that integrates other security mechanisms such as IDS/IPS, VPN, SSL,
antivirus, load balancing and QoS into the traditional firewall
UTM Firewall provides a comprehensive network security solution for companies.
Many firewall vendors have integrated all of these security features and other functions into a
single product, called the UTM generation of firewall. A UTM firewall integrates IDS/IPS, VPN,
SSL, antivirus, load balancing and QoS.
Slide 31
Firewall
Next-Generation
This technology filters network traffic based on application classification and can inspect
the payload of packets in depth.
Besides packet attributes such as IP address and port, the Next-Generation Firewall adds new
attributes: User-ID, App-ID and Content-ID.
In recent years, firewall vendors have developed a new generation of firewall technology, called
Next-Generation. It classifies traffic by application and can inspect the contents of packets in
depth.
Normally, to inspect a packet, a firewall relies on attributes such as IP address and port. The
Next-Generation Firewall adds new attributes that make traffic control more effective and
flexible: User-ID, App-ID and Content-ID.
Slide 32
Firewall
Next-Generation
App-ID:
App-ID accurately identifies which applications are running on the network infrastructure,
regardless of which port or protocol they use and whether or not they are encrypted with SSL.
For example: to control the FTP application with the firewall, instead of writing permit rules
for ports 20 and 21, we can write a rule that uses App-ID = FTP.
App-ID: an attribute that accurately identifies which application is running on the network
infrastructure, regardless of the port and protocol it runs on.
Back to the case study of controlling FTP with the firewall: instead of writing rules that permit
or block ports 20 and 21, we can write a rule using App-ID = FTP, which is much more effective
and simpler.
Slide 33
Firewall
Next-Generation
App-ID
Firewall
Next-Generation
Content-ID:
Permits inspection of the packet payload.
Content-ID holds a list of keywords to be filtered in the payload of the traffic.
For example: Content-ID includes keywords such as facebook, sports, etc.
Firewall
Next-Generation
Content-ID
Firewall
Next-Generation
User-ID:
Integrates with Microsoft Active Directory to identify the users on the internal network
Uses User-ID to write firewall rules
For example: the company's Microsoft Active Directory has user accounts such as Mary, Tony,
etc. The administrator can write a rule allowing User-IDs Mary and Tony to access web
applications while all other User-IDs are blocked.
In a company network, instead of the administrator keeping an IP list for each employee in order
to write a security policy per person, with a Next-Generation Firewall the administrator can
write security policies based on the employees' accounts. This is the User-ID attribute of the
Next-Generation Firewall. To use it, the company network must run Microsoft Active Directory.
Slide 37
Firewall
Demo
Firewall
Demo
Create an ACL (Access Control List):
access-list 100 permit tcp 10.1.1.1 0.0.0.0 20.20.20.20 0.0.0.0 eq 80
access-list 100 deny tcp 10.1.1.2 0.0.0.0 20.20.20.20 0.0.0.0 eq 80
access-list 100 permit icmp 10.1.1.2 0.0.0.0 20.20.20.20 0.0.0.0
Slide 39
3. IDS/IPS
IDS/IPS
An IDS is an application that detects intrusions based on known signatures or on learned
behaviour.
An IPS is an IDS that can also prevent the intrusions it detects.
Slide 42
IDS/IPS
IDS/IPS
Classification
By packaging: Software, Appliance
By deployment: Host-based, Network-based
Like firewalls, IDS/IPS are classified by packaging and by deployment model.
Slide 46
4. VPN
Another important part of the network system is the VPN, which we study in the next part.
Slide 47
VPN
[Diagram: the same topology (ISP, Modem, Firewall, IDS/IPS, DMZ with Mail/LDAP/Web servers, VLAN2-4, Access point with Laptop and PDA) with VPN connections added]
This image illustrates a VPN. A VPN lets remote users connect to the company network, and
connects offices of a company that are geographically far apart.
Slide 48
VPN
VPN – Virtual Private Network
Establishes a secure (private) connection channel over a shared (virtual) environment
Benefits:
Ensures security
Saves cost
VPN stands for Virtual Private Network. A VPN establishes a secure connection channel over a
shared environment, ensuring security while also saving cost.
Slide 49
This image illustrates the threat of eavesdropping when information is exchanged over a shared
network.
Slide 50
VPN
Supporting equipment/software
Often integrated into the firewall
Separate device when high performance is needed
VPN classification
Site-to-site VPN: network - network
Remote access VPN: host - network
A VPN can be integrated into the firewall or run on a separate device. VPNs are divided into two
types: site-to-site and remote-access.
Slide 51
A remote-access VPN creates a connection channel from a client into the company network.
Slide 53
VPN
Protocols used for VPN
L2F - Layer 2 Forwarding (Cisco)
PPTP - Point to Point Tunneling Protocol (Microsoft)
L2TP - Layer 2 Tunneling Protocol (Microsoft + Cisco)
IPSec - IP Security
SSL/TLS - Secure Sockets Layer/Transport Layer Security
MPLS - Multi-Protocol Label Switching
To avoid the threat of eavesdropping on the Internet and to ensure safety, VPN channels need
to be encrypted. Protocols used for VPN tunnels include L2F, PPTP, L2TP, IPsec, SSL and MPLS.
Slide 54
VPN
Case Study: IPSec
IPSec is often used for Site-to-Site VPN
Phase 1: creates a management security tunnel to control, establish, maintain and
terminate a VPN channel
Phase 2: creates a security tunnel to exchange data between the sites.
To understand VPN further, we will study an example with IPsec. IPsec is normally used for
Site-to-Site VPN. Setting up a VPN channel has 2 phases. Phase 1 creates a management
security tunnel to control, establish, maintain and terminate the VPN channel. Phase 2 creates a
security tunnel to exchange data between the sites.
Slide 55
VPN
Case Study: IPSec
Parameters of an IPSec tunnel:
Encryption algorithm: DES, 3DES, AES
Hash algorithm: MD5, SHA-1
Authentication method: pre-shared key, RSA (Rivest, Shamir, Adleman)
Diffie-Hellman: Group 1, 2, 5
VPN
DEMO
VPN
Case Study: IPSec
Configuration of phase 1:
VPN
Case Study: IPSec
Configuration of phase 2:
VPN
Case Study: IPSec
Applying the IPsec policy to an interface of the device
VPN
Case Study: IPSec
Checking the IPsec VPN channel
5. NAT
This diagram illustrates the address translation performed by NAT. The packet has the private
source address 10.0.0.10, which is not routable on the Internet. After passing through the edge
router it is translated by NAT to the public address 12.0.0.12, which is routable on the Internet
and can exchange packets with hosts on the Internet.
Slide 64
NAT
NAT classification
Static NAT: a fixed, logical 1-to-1 mapping between a local IP and a global IP, used for
servers
For example:
10.1.1.1 – 123.30.20.21
10.1.1.2 – 123.30.20.22
10.1.1.3 – 123.30.20.23
Depending on the purpose, we use a different NAT technology. Static NAT creates a fixed logical
mapping between one local IP address and one global IP address, as in the example above.
Slide 65
NAT
NAT classification
Dynamic NAT: similar to static NAT, but the mapping can change
For example:
A = {10.1.1.1 ; 10.1.1.2 ; 10.1.1.3}
B = {123.30.20.21 ; 123.30.20.22 ; 123.30.20.22}
NAT: A - B
Dynamic NAT is similar to static NAT, but the logical mapping between the local pool A and the
global pool B can change over time, as in the example above.
Slide 66
NAT
NAT classification
Port Address Translation – PAT: NAT that also uses ports
Port Address Translation, or NAT using ports, is also called PAT. With PAT we need only 1 public
IP address to translate many internal IP addresses.
Slide 67
NAT
NAT classification
Using PAT saves public IP addresses
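To make the three NAT classes concrete, here is an added example (my illustration, not the
lecture's code) of an edge router holding a static 1-to-1 table beside a PAT table: outbound flows
from the inside pool share one public IP and are told apart by the translated source port, and
inbound packets are mapped back, or dropped when no mapping exists. The static rule, the public
address 12.0.0.12 and the 10.1.1.0/24 pool come from the lecture's examples; the hosts and the
outside address are constructed.

```python
"""Static NAT beside PAT (NAT overload) with inbound reverse lookup (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Edge router holding both a static 1:1 table and a PAT table."""

    def __init__(self, static: dict[str, str], pat_ip: str, pat_inside: str) -> None:
        self.static = static                                  # inside IP -> global IP
        self.static_rev = {g: i for i, g in static.items()}   # global IP -> inside IP
        self.pat_ip = pat_ip                                  # the one shared public IP
        self.pat_inside = ipaddress.ip_network(pat_inside)    # like "access-list 1 permit ..."
        self.pat_out: dict[tuple[str, int], int] = {}         # (inside IP, port) -> global port
        self.pat_in: dict[int, tuple[str, int]] = {}          # global port -> (inside IP, port)
        self.next_port = 1024

    def _allocate_port(self) -> int:
        # PAT distinguishes inside hosts by the translated source port, so each
        # mapping needs a port nobody else holds; 65535 is the hard ceiling.
        while self.next_port in self.pat_in:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("PAT table full: no free source ports on " + self.pat_ip)
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, flow: Flow) -> Flow:
        """Inside -> outside: rewrite the source address (and the port, for PAT)."""
        if flow.src_ip in self.static:
            return Flow(self.static[flow.src_ip], flow.src_port, flow.dst_ip, flow.dst_port)
        if ipaddress.ip_address(flow.src_ip) not in self.pat_inside:
            return flow    # not covered by any NAT rule: forwarded untranslated
        key = (flow.src_ip, flow.src_port)
        if key not in self.pat_out:           # first packet of this flow: create the mapping
            port = self._allocate_port()
            self.pat_out[key] = port
            self.pat_in[port] = key
        return Flow(self.pat_ip, self.pat_out[key], flow.dst_ip, flow.dst_port)

    def inbound(self, flow: Flow) -> Optional[Flow]:
        """Outside -> inside: undo the translation, or drop (None) when no mapping exists."""
        if flow.dst_ip in self.static_rev:
            return Flow(flow.src_ip, flow.src_port, self.static_rev[flow.dst_ip], flow.dst_port)
        if flow.dst_ip == self.pat_ip and flow.dst_port in self.pat_in:
            inside_ip, inside_port = self.pat_in[flow.dst_port]
            return Flow(flow.src_ip, flow.src_port, inside_ip, inside_port)
        return None   # unsolicited traffic to the shared IP has nowhere to go

def demo() -> dict[str, Optional[Flow]]:
    """Static rule and PAT pool taken from the lecture's demo; hosts are constructed."""
    router = NatRouter(static={"192.168.1.10": "20.20.20.20"},
                       pat_ip="12.0.0.12", pat_inside="10.1.1.0/24")
    a_out = router.outbound(Flow("10.1.1.5", 40000, "198.51.100.7", 80))
    b_out = router.outbound(Flow("10.1.1.6", 40000, "198.51.100.7", 80))   # same inside port
    return {
        "a_out": a_out,
        "b_out": b_out,
        "b_reply": router.inbound(Flow("198.51.100.7", 80, b_out.src_ip, b_out.src_port)),
        "unsolicited": router.inbound(Flow("198.51.100.7", 80, "12.0.0.12", 5555)),
        "static_out": router.outbound(Flow("192.168.1.10", 443, "198.51.100.7", 443)),
        "static_in": router.inbound(Flow("198.51.100.7", 4444, "20.20.20.20", 443)),
    }

if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name:12s} {flow}")
```

The two inside hosts both use source port 40000 yet receive distinct public ports, and the reply to the second host is mapped back correctly while the unsolicited packet is dropped.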
NAT
NAT
Demo
NAT
Demo
Configuration of Static NAT:
ip nat inside source static 192.168.1.10 20.20.20.20
interface f0/0
ip nat outside
interface f0/1
ip nat inside
NAT
Demo
Configuration of NAT Overload (PAT):
ip nat inside source list 1 interface f0/0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
interface f0/0
ip nat outside
interface f0/1
ip nat inside
Slide 72
NAT
Demo
6. Load Balancing
Load Balancing
Traffic Load Balancing
Outbound load balancing
Load Balancing is divided into 2 types: load balancing of paths (links) and load balancing of
servers.
Path load balancing can be done for inbound or for outbound traffic. This slide illustrates
outbound path load balancing.
Outbound Internet load balancing is normally used when the network has more than one
connection line to the Internet.
Slide 75
Load Balancing
Traffic Load Balancing
Inbound load balancing
The next image shows inbound Internet load balancing, which uses DNS.
Slide 76
Load Balancing
Load Balancing for Server
Global Server Load Balancing
We can also use DNS to load-balance servers globally. Global services such as Google and
Facebook have servers everywhere in the world. Depending on its algorithm, the DNS server
resolves the name and returns the address of the server that will serve the client's request.
Algorithms used by the DNS server include balancing by number of connection sessions and by
the geographical area the client requests from.
Slide 77
Load balancing
Load balancing for Server
Local Server Load Balancing
For servers in the same network, load balancing can be implemented by gathering the servers
into a group represented by a single IP address; the load balancing device then distributes each
connection to a physical server. VnExpress uses this technology today: many servers are located
in the same place as a group and are represented by 4 different IP addresses, each of which can
be a server group.
Slide 78
Load Balancing
Large companies that provide load balancing equipment include Peplink, Cisco and Vigor.
Slide 79
7. Wan Optimize
Companies and organizations whose branches are spread over distant geographical areas, such as
across a country, face a problem: the connection lines between the branches normally have much
lower bandwidth than the LAN, which causes congestion. To reduce this, various technologies
can increase the efficiency with which the WAN line is used. These technologies are called WAN
Optimize (WAN optimization).
Slide 80
WAN Optimize
WAN line: connects the network of the head office with branches in different geographical areas
WAN Optimize
The bandwidth of a WAN link is much more limited than that of a LAN connection
This illustrates the congestion that occurs when forwarding traffic from a LAN connection onto a
WAN connection.
Slide 82
Wan Optimize
WAN OPTIMIZE
Solution for increasing the efficiency of the WAN line => use WAN Optimize technology
Slide 83
Wan Optimize
Wan Optimize
Two WAN Optimize devices, one at each end of the WAN link, communicate and agree on the
algorithms and WAN Optimize techniques to be used.
Data from the LAN is sent to the WAN Optimize device on the sending side, which optimizes,
compresses and caches the data in order to reduce the volume of traffic that has to cross the
WAN line. The data is then sent over the WAN line to the WAN Optimize device on the receiving
side, which decodes it, restores the original data and forwards it into the LAN.
Slide 84
Wan Optimize
WAN Optimization technologies:
Protocol Optimization
Object Caching/ Byte Caching
Compression
Bandwidth Management
Wan Optimize
Protocol Optimization: optimization at the protocol level; some protocols require a huge
number of request/response exchanges between client and server, consuming considerable
bandwidth on WAN links
Protocol Optimization is optimization at the protocol level. Some protocols require a huge number
of request/response exchanges between client and server, which costs considerable bandwidth
when carried over the WAN line. WAN Optimize applies a specific optimization for each such
protocol.
Slide 86
Wan Optimize
Object Caching/Byte Caching: the WAN Optimization device acts as a caching server, keeping
temporary copies of files so that repeated accesses by users are served without going to the
origin server.
Object Caching/Byte Caching: the WAN Optimize device acts as a caching server holding
temporary files, so that when a user requests the same content again the device answers without
accessing the server directly.
Slide 87
Wan Optimize
Compression: the device uses algorithms to remove redundant information from the data it sends,
and the remote device uses the matching algorithm to reconstruct and deliver the complete
data.
Wan Optimize
Bandwidth management: uses technologies such as QoS or traffic shaping to give priority to
real-time traffic or to traffic with a higher assigned priority
Bandwidth management: technologies such as QoS or traffic shaping give priority to traffic that
requires real-time delivery or that has a higher assigned priority.
Slide 89
Wan Optimize
Today many companies worldwide supply WAN Optimize equipment and solutions, among them
Riverbed, Citrix, Cisco, Juniper and Blue Coat.
Slide 90
Wan Optimize
This diagram shows the market share and the growth potential of the companies offering WAN
Optimization solutions.
Slide 91
8. VLAN
You have certainly heard the term VLAN many times; the next lesson focuses on VLANs.
Slide 92
Users with the same job function or in the same department may sit in the same geographical
area, connect to the same layer 2 switch and share the same broadcast domain. In practice this is
not always the case. For example, a company's technology department may occupy 10 floors, with
its staff working on all 10 of them; across that distance it is very hard to connect all employees
of the technology department to the same physical switch and the same broadcast domain. To put
all employees of the technology department into one LAN and one broadcast domain, we can use
VLAN technology.
Slide 93
VLAN
One VLAN is one independent LAN
VLANs allow a layer 2 device to be divided into separate networks
A VLAN is identified by a VLAN ID or a VLAN name
One VLAN corresponds to one independent LAN. The switch distinguishes VLANs by the VLAN ID
field in the tag.
Slide 94
VLAN
Should VLANs be divided by geography or by function?
Normally a LAN is divided by geographical area, while a VLAN divides users in the network by
function and by the way they use the network.
Slide 95
VLAN
Demo
To understand VLANs more clearly, we will study the configuration of a VLAN lab.
Slide 96
VLAN
- Enable the physical interface on the router:
Router(config)#interface f0/0
Router(config-if)#no shutdown
Demo
Slide 97
VLAN
- Create subinterfaces on the router
Demo
Slide 98
VLAN
- Create the VLAN on the switch:
SW(config)#vlan 10
SW(config-vlan)#name BCN
Demo
Slide 99
VLAN
- Configure the interface mode on the switch:
SW(config)#interface f0/1
SW(config-if)#switchport mode trunk
SW(config)#interface f0/2
SW(config-if)#switchport mode access
Demo
Slide 100
VLAN
- Check the VLAN database
Demo
Slide 101
9. NAC
(Network Access Control)
The next part of the lesson introduces a technology for controlling network access: Network
Access Control, abbreviated NAC.
Slide 102
This diagram shows how NAC works. The NAC server defines a set of conditions that a client must
satisfy to be allowed onto the network, such as being joined to the domain and having antivirus
installed. The client runs a tool called the NAC Agent, which checks these conditions on the
client and sends the results to the NAC server through the network infrastructure. First, the NAC
server checks the User ID reported by the agent; if it is not valid, the NAC server signals the
access switch to close the port. If the User ID check passes, the NAC server goes on to check
whether the client meets every condition. If any condition is not met, the NAC server signals the
access switch to move the client into an isolated VLAN. When all conditions are met, the NAC
server signals the access switch to open the port so the client can access the network normally.
To control the port state on the access switch, the access switch must be configured with the
802.1x protocol.
Slide 103
For a deeper understanding of NAC, you can study the NAC solutions of Symantec, Cisco,
SonicWall and Check Point.
Slide 104
10. Wifi
Wifi Security
Higher threat than a wired system
Problems
Attacks
Reconnaissance
DoS
Access
Wifi networks bring many conveniences, but they also carry more security threats than wired
networks. A Wifi access point behaves like a hub: information exchanged on the network is
broadcast to all other hosts in range, so it is easy to intercept and eavesdrop on.
Slide 106
Wifi Security
Authentication
Preshared Key
Username/password
PKI (Public Key Infrastructure)
Wifi Security
Security type
WEP (Wired Equivalent Privacy)
WPA (Wi-fi Protected Access)
WPA2
Currently there are 3 security types: WEP, WPA and WPA2.
WPA2 is the strong type; it protects the Wifi password from being cracked.
Slide 108
Wifi Security
Restricting access
Disable SSID (Service Set Identifier) broadcast
MAC/IP filtering
Bind IP addresses to MAC addresses
Monitoring the system
Coverage area
Bandwidth
System operation
To restrict access to the Wifi system, we can also use the following optional measures:
Disable SSID broadcast, so that a client wanting to join must know both the SSID and the password.
MAC/IP filtering.
Bind IP addresses to MAC addresses.
Slide 109
11. Storage Security
Encrypt important
data
Use RAID
Data is extremely important to organizations, because it carries their information and their
operational strategies; it therefore requires integrity and strong security. One popular technology
used today to protect data integrity is RAID, which keeps redundant copies of the data across
the disks of the same server.
Slide 111
Storage Security
Case Study: TrueCrypt
There are many tools for encrypting data on disk. One tool you can refer to for disk encryption
is TrueCrypt.
Slide 112
Storage Security
SAN – Storage Area Network
A SAN is a large storage system that provides many ways to back up data, including backup
across geographical areas.
Slide 113
12. Virtualization
Next we will study a technology that has become a development trend in recent years:
virtualization.
Slide 114
Virtualization
Why virtualization is needed:
Optimize hardware usage
Use hardware flexibly
Data storage
Green technology
Management cost
Virtualization
What can be virtualized?
Server
• Operating system virtualization
• Hardware virtualization
Storage virtualization
Virtualization
Server virtualization
The last part of today's lesson is Media Security, that is, the security of the transmission
lines, also called physical security.
Slide 118
Media Security
Line
Coaxial cable, UTP/STP
Fiber
Wireless
The most common physical media are coaxial cable, UTP, STP, fiber and wireless.
Slide 119
Media Security
"Physical" attack
A physical attack is also a very dangerous type of attack: the attacker connects directly to the
victim's network infrastructure and steals information.
Slide 120
Media Security
To prevent this type of attack, we need policies that control entry to and exit from the data
center area, such as magnetic doors, swipe cards, etc.