Q15 Network Concepts (VPN, VLAN, SNMP, NAT) Flashcards

(6 cards)

Card 1
Q:

(2024) Explain the following concepts: (a) What is Virtual Private Network (VPN)?

A:

What it is: A technology that creates a secure, encrypted connection, often called a “tunnel,” over an unsecured public network like the Internet. It allows devices or networks to communicate as if they were directly connected to a private network.

How it works (General): VPNs operate at the Network layer (Layer 3) or Data Link layer (Layer 2) of the OSI model. They encapsulate original network packets or frames inside new packets, which are then encrypted. These encrypted packets travel through the “tunnel” over the public network. At the other end of the tunnel, the VPN device decrypts the outer packet, removes the encapsulation, and forwards the original packet/frame into the private network. Key features include encryption, tunneling, authentication, and often IP masking and remote access.

Card 2
Q:

(b) What is Virtual Local Area Network (VLAN)?

A:

What it is: A method to divide a physical network switch or a larger physical LAN into multiple logical network segments (broadcast domains) using software configuration rather than separate physical wiring.

How it works: Devices connected to different physical ports on a switch can be assigned to the same VLAN. The switch is configured to forward broadcast and unicast traffic only between ports assigned to the same VLAN, effectively creating separate virtual LANs on the same physical infrastructure. The IEEE 802.1Q standard is commonly used to tag frames with VLAN information.

Card 3
Q:

What is Simple Network Management Protocol (SNMP)?

A:

What it is: A standard protocol framework used for monitoring and managing network devices (like routers, switches, servers, printers) on an IP network.

How it works: SNMP uses a manager-agent model. A central manager (running SNMP client software) queries agents (running SNMP server software on managed devices) to collect information about their status, configuration, and performance. This information is stored in a structured database called the Management Information Base (MIB), whose structure is defined by the Structure of Management Information (SMI). Managers use SNMP messages (like GetRequest, SetRequest) to interact with objects in the MIB. Agents can also send asynchronous alerts called Traps to the manager in case of significant events.

Card 4
Q:

What is Source Network Address Translation (SNAT)?

A:

What it is: A type of Network Address Translation (NAT) where the source IP address of a packet is rewritten as it passes through a NAT device (like a router or firewall).

How it works: SNAT is typically used when multiple hosts on a private network (using non-globally routable IP addresses like 192.168.x.x) need to access resources on a public network like the Internet. The NAT device translates the private source IP address of outgoing packets to a single public IP address (or a pool of public addresses). This allows many internal hosts to share one or a few public IP addresses, conserving public address space. The NAT device maintains a table to track active connections and reverse the translation for incoming response packets.

Card 5
Q:

What is Destination Network Address Translation (DNAT)?

A:

What it is: A type of Network Address Translation (NAT) where the destination IP address of a packet is rewritten as it passes through a NAT device.

How it works: DNAT is commonly used to allow external users on a public network (like the Internet) to access services hosted on a server within a private network. The NAT device is configured to translate a public IP address and port number (e.g., the public IP of the router, port 80) to the private IP address and port number of the internal server (e.g., 192.168.1.100, port 80). This allows the internal server to be accessible from the outside without needing a public IP address itself. It is also sometimes called port forwarding or server mapping.

Card 6
Q:

(2023) Explain how a Virtual Private Network (VPN) works, and discuss the differences between a VPN and SSH port forwarding.

A:

Layer of Operation: VPNs typically operate at OSI Layer 2 (Data Link) or Layer 3 (Network), encrypting entire frames or packets. SSH port forwarding operates at the Application Layer, encrypting only the data payload of specific application connections being forwarded.

Scope of Traffic: A VPN provides a secure tunnel for all network traffic between the endpoints (e.g., allowing a remote user to access the entire private network). SSH port forwarding tunnels specific TCP connections for designated applications/ports.

Implementation/Overhead: VPNs often require dedicated infrastructure (VPN servers/gateways, potentially specialized hardware/software) and can introduce bandwidth overhead due to encapsulation and encryption. SSH port forwarding requires only an SSH client and server and has less infrastructure cost, but requires individual configuration for each service or port to be forwarded.

Management Effort: Setting up and managing a VPN provides central control over secure network access. Managing multiple services via SSH port forwarding can be cumbersome as each needs separate configuration.
