CCSP CSI Exam Certification Guide, part 3


Chapter 4: Understanding SAFE Network Modules

Layer 2 Switch

The Layer 2 switch provides end-user workstation connectivity to small and medium-sized networks. Private VLANs are implemented on these switches to help reduce the risk of trust exploitation attacks.

Layer 3 Switch

The Layer 3 switch provides several functions to the medium-sized network Campus module, including the following:

- Routing and switching of production and management traffic
- Distribution layer services such as routing, QoS, and access control
- Connectivity for the corporate and management servers
- Traffic filtering between subnets

The Layer 3 switch provides separate segments for the corporate servers, the management servers, and the corporate users, and provides connectivity to the WAN and Corporate Internet modules. These segments are provided through the deployment of VLANs.

A Layer 3 switch also provides for an additional line of defense against internal attacks through the use of access control lists (ACLs). You can use internal ACLs to protect one department's servers from access by users in another department. Additionally, the use of network ingress filtering, described in RFC 2827, on the corporate user and corporate intranet server VLANs helps reduce the risk of attack through internal source address spoofing. Private VLANs can be used within each VLAN to mitigate attacks through trust exploitation.

Additional protection of the management servers is provided through extensive Layer 3 and Layer 4 ACLs at the interface connecting the management segment VLAN. These ACLs restrict connectivity between the management servers and the devices under their control. Only those IP addresses being managed and only those protocols necessary to conduct management are permitted. Additionally, only established connections are permitted back through the ACLs.

NIDS Appliance

Intrusion detection within the medium-sized network Campus module is provided by a single NIDS appliance. The port to which this appliance is
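
An added example (not from the guide) that models in Python the two Layer 3 switch controls described above: RFC 2827 ingress filtering per VLAN, and the management-segment ACL with established-only return traffic. The subnets, host addresses, and the choice of SSH and syslog as the management protocols are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not taken from the guide).
VLAN_SUBNETS = {
    "corporate-users": ip_network("10.1.20.0/24"),
    "corporate-servers": ip_network("10.1.10.0/24"),
}
MGMT_SERVERS = {ip_address("10.1.99.10")}
MANAGED_DEVICES = {ip_address("10.1.20.1"), ip_address("10.1.10.1")}
# Assumed "necessary" protocols: SSH to devices, syslog back to the server.
TO_DEVICE = {("tcp", 22)}
TO_SERVER = {("udp", 514)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    tcp_flags: frozenset = frozenset()


def ingress_permits(vlan: str, pkt: Packet) -> bool:
    """RFC 2827 check: the source must belong to the VLAN it arrived on."""
    return ip_address(pkt.src) in VLAN_SUBNETS[vlan]


def mgmt_acl_permits(pkt: Packet) -> bool:
    """ACL on the management VLAN interface; anything unmatched is denied."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    service = (pkt.proto, pkt.dport)
    if src in MGMT_SERVERS and dst in MANAGED_DEVICES:
        return service in TO_DEVICE
    if src in MANAGED_DEVICES and dst in MGMT_SERVERS:
        if service in TO_SERVER:
            return True
        # Return traffic only. Like the IOS "established" keyword, this is a
        # stateless test for the ACK or RST flag, not real connection tracking.
        return pkt.proto == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})
    return False


if __name__ == "__main__":
    spoofed = Packet("10.1.10.5", "10.1.99.10", "tcp", 22)  # server address seen on user VLAN
    print("spoofed source passes ingress filter:", ingress_permits("corporate-users", spoofed))
    reply = Packet("10.1.20.1", "10.1.99.10", "tcp", 51000, frozenset({"ACK"}))
    print("SSH reply from managed device permitted:", mgmt_acl_permits(reply))
```
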