We need to explore the International Standards Organization's (ISO) Open Systems Interconnection (OSI) model to understand routers, switches, and firewalls. The seven-layer OSI model will help you to understand the essentials so that you can comfortably audit your networking environment. We will do this using simple analogies and examples while avoiding overly complex issues.
Note: There is a reason that it takes several years for someone to take and pass their Cisco Certified Internetwork Expert (CCIE) certification. The purpose of this section is to help an auditor new to networking equipment quickly understand the differences between routers and switches and how firewalls work.
The layered model describes how to move data from your system to another system connected over a wire. This model helps to describe how to build applications, protocols, and equipment that allow moving data from your application to the physical wire, across hundreds or thousands of miles, and then finally to an application on the other side. Two common layered models are the ISO OSI model and the TCP/IP model. The TCP/IP model has five layers that loosely relate to the layers in the ISO OSI model. For the purposes of this chapter, we will discuss and stick with the ISO OSI seven-layer model (Table 5-1). Keep in mind that this is just a model and that real implementations of protocols do not always fit perfectly in the soup mix that follows.
| Layer | Common Name | Description | 
|---|---|---|
| Layer 7 | Application | This layer represents the end-user application such as HTTP, FTP, SMTP, or Telnet. | 
| Layer 6 | Presentation | This layer handles formatting, encryption, compression, and presentation of data to the application. Examples include SSL and TLS. | 
| Layer 5 | Session | This layer deals with the setup and management of sessions between computer applications. Examples include named pipes, NetBIOS, and session establishment for TCP. | 
| Layer 4 | Transport | This layer deals with transport issues, such as getting to the destination in one piece, and error control. TCP and UDP are perhaps the best-known examples in this layer. | 
| Layer 3 | Network | This layer routes packets between networks. Examples include IP, ICMP, IPSec, and ARP. Routers operate at this layer typically using IP addresses. | 
| Layer 2 | Data Link | This layer links data on hosts from one location to another, typically on the local-area network (LAN) but sometimes on the wide-area network (WAN) too. Examples include Ethernet, Token Ring, FDDI, Frame Relay, and ATM. Switches and bridges operate at this layer, typically using MAC addresses. | 
| Layer 1 | Physical | This layer defines the physical link, cabling, and binary transmission. Modulation and flow control occur at this layer. | 
Two key hardware components of networks include routers and switches. Routers connect and route data between networks using IP addresses. Remember that routers typically represent OSI layer 3. Once data are routed to the destination network, they go to a switch where the destination host resides. The switch uses the destination host's MAC address to send the data the rest of the way to the host.
A switch is an extension of the idea of a hub. A hub takes a frame that it receives on any given port and repeats it out every port on the hub. A switch has a learning feature whereby it learns the MAC address for each host plugged into the switch ports. Once it knows this information, the switch will repeat a frame only out the port that contains the correct destination MAC address. Everything at the switch level typically is handled with the MAC address, represented by OSI layer 2.
Computer networks are composed of interconnected LANs, which are simply groups of computers, printers, and other equipment connected to the same switch. Hosts on the network have various applications and protocols that rely on broadcasts, which are a way of addressing all hosts that are in the same "broadcast domain," or layer 2 adjacent. If all hosts were layer 2 adjacent on a network of thousands, then you could saturate your network with broadcast traffic. While routers typically will separate broadcast traffic domains (broadcast domains), many switches also have a powerful capability of controlling broadcast domains. These switches essentially separate ports (and therefore hosts connected to those ports) into little groups. These groups form virtual networks, or virtual LANs (VLANs), which limit broadcast traffic to the VLAN.
VLANs can be used on most types of switches to further segment networks connected to the switch. Routing between these VLANs can be performed by routers separate from the switch or, in some cases, integrated into the switch. Switches that can switch packets between VLANs without the use of an external router are known as layer 3 switches.
This may sound confusing, but VLANs are extremely powerful. Think of VLANs as being used to separate a physical switch into multiple logical switches. VLANs allow network administrators to create segregated networks based on levels of trust or types of traffic. For example, you can keep an IP phone on a separate VLAN from the user's computer that uses the IP phone as a data drop. Breaking the network up into smaller LANs also generally helps to reduce the number of broadcasts that individual hosts are required to process, and VLANs also allow network administrators to move a user with a logical change in the switch rather than a cable move.
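To make the switch and VLAN behaviour described above concrete, here is an added toy model (not code from the book): a learning switch that records which port each source MAC address was seen on, forwards known destinations out a single port, and floods unknown destinations and broadcasts only to the other ports in the same VLAN. The port-to-VLAN map and the MAC addresses are constructed for the example.

```python
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str

class LearningSwitch:
    """Toy layer 2 switch: learns which port each source MAC lives on, forwards
    a known destination out that single port, and floods anything else (an
    unknown unicast or a broadcast) only to the other ports in the same VLAN."""

    def __init__(self, port_vlan):
        self.port_vlan = port_vlan          # {port: vlan_id}, constructed config
        self.mac_table = {}                 # {vlan_id: {mac: port}}

    def receive(self, in_port, frame):
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.port_vlan[in_port]
        table = self.mac_table.setdefault(vlan, {})
        table[frame.src_mac] = in_port      # learning: remember where the sender is
        if frame.dst_mac != BROADCAST and frame.dst_mac in table:
            out = table[frame.dst_mac]
            return [] if out == in_port else [out]   # same port: nothing to do
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)  # flooding stays inside the VLAN

def demo():
    """Hosts A, B, C on VLAN 10 (ports 1-3); hosts D, E on VLAN 20 (ports 4-5)."""
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    a, b, d = "00-14-22-F5-04-16", "00-14-22-F5-04-17", "00-14-22-F5-04-18"
    return {
        # A broadcasts (e.g. an ARP request): flooded to VLAN 10 only, never to 4 or 5
        "broadcast_from_A": sw.receive(1, Frame(a, BROADCAST)),
        # B replies to A: A was learned on port 1, so no flooding is needed
        "B_to_A": sw.receive(2, Frame(b, a)),
        # A to B: B is now known on port 2
        "A_to_B": sw.receive(1, Frame(a, b)),
        # D on VLAN 20 sends to A's MAC: unknown in VLAN 20's table, flooded to port 5 only
        "D_to_A": sw.receive(4, Frame(d, a)),
    }
```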
We now need a way to route traffic between networks. Routers forward packets between different networks. Eventually, the packaged data, or packet, gets to the remote LAN and then finally to the host on the other side. Each router between you and the remote host simply looks at the IP address header information, layer 3, to see where to send it next.
Features specific to routers are those that enable them to communicate across the Internet or company WAN. Routers dynamically build routing tables using protocols such as Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP). These enable the routers to send packets in the direction they need to go to get to the other side as quickly as possible. Routers also may have access control lists and quality-of-service features. The association to remember is as shown in Table 5-2.
| Layer | Name | Equipment Used | Depends on | Example | 
|---|---|---|---|---|
| Layer 3 | Network | Routers | IP address (WAN) | 198.133.219.25 | 
| Layer 2 | Data Link | Switches | MAC address (LAN) | 00-14-22-F5-04-16 | 
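The layer 3 side of Table 5-2, as an added toy model (not the book's code): a router's forwarding table where the longest matching prefix decides the next hop, and where a limited broadcast is never forwarded, which is why routers separate broadcast domains as described earlier. The routing table entries and addresses are constructed for the example.

```python
import ipaddress

class Router:
    """Toy layer 3 forwarding table: the longest matching prefix picks the next hop,
    and broadcasts are never forwarded, so each routed interface is its own
    broadcast domain."""
    def __init__(self):
        self.routes = []                 # (network, next_hop or None, interface)

    def add_route(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        """Return (next_hop, interface) for dst, or None if the packet is dropped."""
        addr = ipaddress.ip_address(dst)
        if addr == ipaddress.ip_address("255.255.255.255") or addr.is_multicast:
            return None                  # limited broadcast/multicast stops at the router
        best = None
        for net, next_hop, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return None if best is None else (best[1], best[2])

def build_demo_router():
    """Constructed routing table for a small corporate site (not from the text)."""
    r = Router()
    r.add_route("0.0.0.0/0", "198.51.100.1", "wan0")    # default route toward the ISP
    r.add_route("10.0.0.0/8", "10.1.1.2", "core0")      # summary learned from the core
    r.add_route("10.20.0.0/16", None, "vlan20")         # directly connected user VLAN
    return r
```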
You may hear people interchangeably use routers and layer 3 devices and likewise switches and layer 2 devices. Nowadays, people quite commonly will say, "That's a layer 2 device" or "That's a layer 3 device."
Despite some of the differences between them, switches and routers typically are managed in similar manners using similar syntax and have many of the same concerns from an audit perspective. Keep in mind the purpose of the device as you step through the audit, and this will help you to determine what additional steps, if any, that you might want to perform.
There are hundreds of firewalls on the market across several dozen vendors and several dozen applications. However, they are designed essentially to help segment networks and users into appropriate security zones. For example, the Internet is not trusted and falls into the lowest security zone. Also, your internal network might be further segmented into security zones using firewalls of several types depending on the data and resources you want to protect.
A correctly deployed firewall in key areas protects information assets from unnecessary risk. Network firewalls are essential in their role of protecting the network. Firewalls can be used for perimeter protection or for creating concentric rings of various levels of trust within a network. Firewalls also can help to establish a protected area of your network that is accessible to the public or only certain partners.
It's good to have a basic understanding of the different types of firewalls so that you know whether the firewall you are auditing is appropriate for the application for which it is being used.
Packet-filtering firewalls are essentially routers operating at layer 3 using set access control lists (ACLs). Decisions are made to allow and disallow traffic based on the source and destination IP address, protocol, and port number.
Stateful packet inspection (SPI) firewalls, also called dynamic packet-filtering firewalls, operate at layers 3 and 4. Your Linksys router at home allows you to establish and maintain a session externally with another address. The "state" in stateful refers to established sessions that occur in layers 4 and 5. The rules are changed dynamically when you establish an outbound connection to enable packets from the destination IP address to return to you. All other traffic is stopped from reaching your computer, protecting you from the dangers of the Internet.
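The difference between the two preceding firewall types, as an added model (not the book's code): a static packet filter can only admit web replies by leaving a permanent ACL hole for anything arriving from source port 443, whereas a stateful filter admits only the exact reverse of a session the inside host opened. All addresses and ports are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

INSIDE = "192.0.2.10"   # constructed address of the protected host
WEB = "203.0.113.5"     # constructed address of a web server it browses to

def matches(rule, pkt):
    # a rule is a dict of packet fields; it matches when every field is equal
    return all(getattr(pkt, f) == v for f, v in rule.items())

class PacketFilter:
    """Static layer 3/4 filter: fixed inbound ACL, first match wins, default deny."""
    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
    def inbound(self, pkt):
        for rule, action in self.inbound_rules:
            if matches(rule, pkt):
                return action
        return "deny"

class StatefulFilter(PacketFilter):
    """SPI firewall: only the exact reverse of a recorded outbound 5-tuple is let in."""
    def __init__(self):
        super().__init__([])            # no static holes at all
        self.sessions = set()
    def outbound(self, pkt):
        self.sessions.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "allow"
    def inbound(self, pkt):
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reverse in self.sessions else super().inbound(pkt)

# To let web replies back in, the static ACL needs a permanent hole (anything from
# source port 443 to the inside host); the stateful filter needs no such rule.
STATIC = PacketFilter([({"src_port": 443, "dst_ip": INSIDE}, "allow")])
STATEFUL = StatefulFilter()

def compare(request, reply, stray):
    """Verdicts as (static reply, static stray, stateful reply, stateful stray)."""
    STATEFUL.outbound(request)          # the inside host opens the session
    return (STATIC.inbound(reply), STATIC.inbound(stray),
            STATEFUL.inbound(reply), STATEFUL.inbound(stray))
```

The stray packet is one that merely happens to carry source port 443: the static filter admits it, the stateful filter denies it because no inside host asked for it.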
Application proxies manage conversations between hosts, acting as an intermediary at the application level of the OSI model. Because proxies reestablish conversations to the destination, they effectively can hide the source of a conversation. This is often referred to as network address translation (NAT). Proxies might enforce authentication, logging, or content rules. They typically work in conjunction with a true firewall that controls traffic to the proxy because the proxy doesn't have built-in capabilities to deny traffic.
Application-level firewalls, sometimes called gateways, combine the functionality of the typical firewall operating in the lower OSI layers with the power and deep inspection of a proxy. Now, based on information at the application level, decisions can be made to allow or disallow traffic. An example might be an appliance or host that screens web traffic before it hits your web server. Based on the behavior and content of the web traffic, decisions might be made dynamically to refuse access to the web server.
