
Design principles used in enterprise networks

Spine-leaf

With the increased focus on massive data transfers and instantaneous data travel in the network, the aging three-tier design within a data center is being replaced with what is being called the Leaf-Spine design. It is also referred to as a leaf and spine topology. In this design there are switches at the top of each rack that connect to the servers in the rack, with each server connecting into both switches for redundancy. People refer to this as a top-of-rack (ToR) design because the switches physically reside at the top of the rack.

The Leaf layer consists of access switches that connect to devices like servers, firewalls, load balancers, and edge routers. The Spine layer (made up of switches that perform routing) is the backbone of the network, where every Leaf switch is interconnected with each and every Spine switch.

SOHO

Means small office, home office, and is a small network connecting a user or a small handful of users to the internet and to office resources such as servers and printers. Usually just one router and a switch or two, plus a firewall.

3-tier architecture

In this design Cisco defines three layers of hierarchy, the core, distribution, and access layers, each with a specific function; it is referred to as a 3-tier network architecture.

2-Tier Architecture

It is also known as the collapsed core design because it has only two layers. In this design the distribution layer is merged with the core layer.

A core is called collapsed when you move the role of the core switches to the distribution switches, merging the core and distribution layers. This is done by directly connecting the distribution switches to each other instead of through a core switch.

Common features of most NGFW

A traditional firewall provides stateful inspection of network traffic. It allows or blocks traffic based on state, port, and protocol, and filters traffic based on administrator-defined rules.

A next-generation firewall (NGFW) does this, and so much more. In addition to access control, NGFWs can block modern threats such as advanced malware and application-layer attacks. According to Gartner's definition, a next-generation firewall must include:

  • Standard firewall capabilities like stateful inspection

  • Integrated intrusion prevention

  • Application awareness and control to see and block risky apps

  • Threat intelligence sources

  • Upgrade paths to include future information feeds

  • Techniques to address evolving security threats

In summary, a next-generation firewall includes additional features like application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.

Standard firewall features

These include the traditional (first-generation) firewall functionalities such as stateful port/protocol inspection, Network Address Translation (NAT), and Virtual Private Network (VPN).

Application identification and filtering

This is the chief characteristic of NGFWs. This feature identifies and filters traffic based upon the specific applications, rather than just opening ports for all kinds of traffic. This prevents malicious applications and activity from using non-standard ports to avoid the firewall.
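The following is an added example, not part of the original notes, showing why application identification matters: a port-based rule allows anything on port 443, while an application-aware rule classifies the flow by the first bytes the client sends and can deny an SSH session that was started on port 443. The byte signatures and sample flows are simplified constructions for illustration, not a vendor's detection engine.

```python
# Added example: port-based policy versus application-aware policy.
# Signatures are simplified illustrations; sample flows are constructed.
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes the client sent (constructed samples)


def identify_app(payload: bytes) -> str:
    """Classify the flow by its initial client bytes, not its port."""
    if payload.startswith(b"SSH-2.0-"):          # SSH identification string
        return "ssh"
    # TLS record: content type 0x16 (handshake), major version 0x03,
    # and a ClientHello (handshake type 0x01) at offset 5.
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 \
            and payload[5] == 0x01:
        return "tls"
    method = payload.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE") \
            and b"HTTP/1." in payload:
        return "http"
    return "unknown"


PORT_ALLOW = {80, 443}        # traditional rule: allow the web ports
APP_ALLOW = {"http", "tls"}   # NGFW rule: allow the web applications


def port_policy(flow: Flow) -> str:
    return "allow" if flow.dst_port in PORT_ALLOW else "deny"


def app_policy(flow: Flow) -> str:
    return "allow" if identify_app(flow.payload) in APP_ALLOW else "deny"


def evaluate(flow: Flow) -> dict:
    return {"app": identify_app(flow.payload),
            "port_based": port_policy(flow),
            "app_aware": app_policy(flow)}


# Constructed sample flows: SSH started on port 443, a TLS ClientHello, plain HTTP.
SSH_ON_443 = Flow(443, b"SSH-2.0-OpenSSH\r\n")
HTTPS = Flow(443, bytes([0x16, 0x03, 0x01, 0x00, 0xF5, 0x01, 0x00, 0x00, 0xF1, 0x03, 0x03]))
HTTP = Flow(80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n")

if __name__ == "__main__":
    for name, f in [("ssh-on-443", SSH_ON_443), ("https", HTTPS), ("http", HTTP)]:
        print(name, evaluate(f))
```

The SSH-on-443 flow is the interesting case: the port rule says allow, the application rule says deny.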

SSL and SSH inspection

NGFWs can even inspect SSL and SSH encrypted traffic. This feature decrypts traffic, makes sure the applications are allowed, checks other policies, and then re-encrypts the traffic. This provides additional protection from malicious applications and activity that tries to hide itself by using encryption to avoid the firewall.

Intrusion prevention

These are more intelligent capabilities and provide deeper traffic inspection to perform intrusion detection and prevention. Some of the NGFWs have built-in IPS functionality so that a stand-alone IPS might not be needed.

Directory integration

Most NGFWs include directory support (such as Active Directory). For instance, they can manage authorized applications based upon users and user groups.

Malware filtering

NGFWs can also provide reputation-based filtering to block applications that have a bad reputation. This functionality can check for phishing, viruses, and other malware sites and applications.