
Virtual networks and privacy

This section of the course covered a lot of information about network operations. You reviewed the fundamentals of network architecture and communication and can now use this knowledge as you learn how to secure networks. Securing a private network requires maintaining the confidentiality of your data and restricting access to authorized users.

In this reading, you will review several network security topics previously covered in the course, including virtual private networks (VPNs), proxy servers, firewalls, and security zones. You'll continue to learn more about these concepts and how they relate to each other as you continue through the course.

Common network protocols

Network protocols are used to direct traffic to the correct device and service depending on the kind of communication being performed by the devices on the network. Protocols are the rules used by all network devices that provide a mutually agreed upon foundation for how to transfer data across a network.

There are three main categories of network protocols: communication protocols, management protocols, and security protocols. 

  1. Communication protocols establish and manage connections between devices so that data can be exchanged. Examples include TCP, UDP, and Simple Mail Transfer Protocol (SMTP), which provides a framework for email communication.

  2. Management protocols are used to monitor and troubleshoot network issues. One example is the Internet Control Message Protocol (ICMP), which carries the error and diagnostic messages that tools such as ping and traceroute rely on.

  3. Security protocols provide encryption and integrity protection for data in transit. Examples include IPsec, which protects traffic at the network layer, and SSL/TLS, which protects application traffic such as HTTPS. The SSL versions are obsolete and broken; TLS 1.2 and 1.3 are the versions to deploy today.

Some other commonly used protocols are:

  • HyperText Transfer Protocol (HTTP). HTTP is an application layer communication protocol that allows a browser and a web server to communicate with one another. On its own, HTTP is plaintext; HTTPS is HTTP carried over TLS.

  • Domain Name System (DNS). DNS is an application layer protocol that translates, or maps, host names to IP addresses.

  • Address Resolution Protocol (ARP). ARP maps IP addresses to the physical (MAC) addresses recognized on the local area network. It operates at the boundary between the link and network layers and is never routed beyond the local segment, and it carries no authentication: a host simply trusts whichever reply it hears.

Wi-Fi

This section of the course also introduced various wireless security protocols, including WEP, WPA, WPA2, and WPA3. WEP and the original WPA (with TKIP) are broken and should not be used. WPA2 and WPA3 both encrypt traffic between your device and the wireless access point with ciphers based on the Advanced Encryption Standard (AES): CCMP in WPA2, with WPA3 adding GCMP in its 192-bit enterprise mode. WPA3 also replaces the WPA2 pre-shared-key handshake, whose captured exchanges can be attacked offline with a password dictionary, with Simultaneous Authentication of Equals (SAE). WPA2 and WPA3 offer two modes: personal and enterprise. Personal mode uses one shared passphrase and is best suited for home networks, while enterprise mode authenticates each user individually through 802.1X (typically against a RADIUS server) and is generally utilized for business networks and applications.

Network security tools and practices

Firewalls

Previously, you learned that firewalls are network virtual appliances (NVAs) or hardware devices that inspect network traffic and can filter it before it is permitted to enter or leave the private network. Traditional firewalls are configured with rules that tell them which packets to allow based on the packet's source and destination IP addresses, port numbers, and protocol.

There are two main categories of firewalls.

  • Stateless: A class of firewall that judges each packet on its own against predefined rules (addresses, ports, protocol) and keeps no record of previous packets or connections.

  • Stateful: A class of firewall that keeps track of the connections passing through it and admits only packets that belong to a connection it has already accepted. Unlike stateless firewalls, which require rules to be configured in both directions (one for the request and one for the reply), a stateful firewall only requires a rule in the initiating direction. This is because it uses a "state table" to track connections, so it can match return traffic to an existing session and drop inbound packets that look like replies but belong to no session.

Next generation firewalls (NGFWs) are the most technologically advanced firewall protection. They exceed the security offered by stateful firewalls because they include deep packet inspection (examining packet payloads, not just headers, and taking action if threats are found) and intrusion prevention features, which can block traffic matching known attack patterns rather than only alerting firewall administrators. NGFWs can inspect traffic at the application layer of the TCP/IP model and are typically application aware. Unlike traditional firewalls that block traffic based on IP address and ports, NGFW rules can be configured to block or allow traffic based on the application, for example permitting only genuine TLS on port 443 rather than anything that happens to use that port. Some NGFWs have additional features like malware sandboxing, network anti-virus, and URL and DNS filtering. Inspecting the payload of encrypted traffic requires the firewall to terminate TLS itself (TLS interception), which has privacy and trust implications of its own.
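To make the stateless/stateful distinction and the NGFW application check concrete, here is an added example (not part of the course reading) in Python: a minimal packet filter of each kind run over a handful of constructed packets. The addresses, the 10.0.0.0/24 LAN prefix and the crude `identify_app()` payload sniffing are illustrative assumptions; a real firewall matches many more header fields and a real NGFW decodes protocols properly.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    syn: bool = False          # TCP SYN flag: the segment that opens a connection
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    direction: str             # "out": LAN -> outside, "in": outside -> LAN
    proto: str = "tcp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    app: Optional[str] = None  # NGFW-style: the application the flow must carry


LAN_PREFIX = "10.0.0."         # constructed: the protected /24 (hypothetical)


def direction_of(p: Packet) -> str:
    return "out" if p.src_ip.startswith(LAN_PREFIX) else "in"


def identify_app(payload: bytes) -> Optional[str]:
    """Crude application identification from the first payload bytes. A real
    NGFW decodes far more, but the principle (look past the port) is the same."""
    if not payload:
        return None
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"           # TLS record header: handshake type, version 3.x
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"          # plaintext HTTP request line
    return "unknown"


def first_match(rules: List[Rule], p: Packet) -> Optional[Rule]:
    for r in rules:
        if (r.direction == direction_of(p) and r.proto == p.proto
                and r.src_port in (None, p.src_port)
                and r.dst_port in (None, p.dst_port)):
            return r
    return None                # no match: implicit default deny


class StatelessFirewall:
    """Judges every packet on its own headers; remembers nothing."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def filter(self, p: Packet) -> str:
        r = first_match(self.rules, p)
        return r.action if r else "deny"


class StatefulFirewall:
    """Consults rules only for the packet that opens a flow, records the flow
    in a state table, and matches replies by their reversed 5-tuple."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Dict[Tuple, Rule] = {}

    @staticmethod
    def _key(p: Packet) -> Tuple:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _rkey(p: Packet) -> Tuple:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def filter(self, p: Packet) -> str:
        rule = self.state.get(self._key(p)) or self.state.get(self._rkey(p))
        if rule is None:                        # not a tracked flow
            if p.proto == "tcp" and not p.syn:
                return "deny"                   # stray segment with no session
            rule = first_match(self.rules, p)
            if rule is None or rule.action != "allow":
                return "deny"
            self.state[self._key(p)] = rule     # remember the accepted flow
        if rule.app and p.payload and identify_app(p.payload) != rule.app:
            self.state.pop(self._key(p), None)  # application mismatch: drop the flow
            self.state.pop(self._rkey(p), None)
            return "deny"
        return "allow"


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Returns {case: (stateless verdict, stateful verdict)} for constructed packets."""
    stateless = StatelessFirewall([
        Rule("allow", "out", dst_port=443),
        Rule("allow", "in", src_port=443),   # needed for replies, but admits anything from port 443
    ])
    stateful = StatefulFirewall([
        Rule("allow", "out", dst_port=443, app="tls"),   # one direction, and genuine TLS only
    ])
    client, server = "10.0.0.5", "203.0.113.9"          # constructed (documentation ranges)
    tls_hello = b"\x16\x03\x01\x00\x05hello"             # stand-in TLS record
    cases = {
        "outbound_syn":     Packet(client, 40000, server, 443, syn=True),
        "reply":            Packet(server, 443, client, 40000, payload=tls_hello),
        "unsolicited_in":   Packet(server, 443, "10.0.0.7", 51000, syn=True),
        "plaintext_on_443": Packet(client, 40001, server, 443, syn=True),
        "plaintext_data":   Packet(client, 40001, server, 443, payload=b"GET / HTTP/1.1\r\n\r\n"),
    }
    return {name: (stateless.filter(p), stateful.filter(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for case, (sl, sf) in run_scenario().items():
        print(f"{case:18} stateless={sl:5} stateful={sf}")
```

The one inbound rule the stateless filter needs for replies (`src_port=443`) also admits the unsolicited SYN from port 443, which the stateful filter rejects because nothing in its state table matches. The plaintext HTTP request on port 443 passes every port-based rule but fails the stateful filter's application check, which is the NGFW point: the port says nothing about what is actually being carried.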

Proxy servers

A proxy server is another way to add security to your private network. A proxy acts as an intermediary: it terminates the client's connection and opens its own connection to the destination, so the other party only ever sees the proxy's address. The effect resembles network address translation (NAT), but a proxy works at the application layer, whereas NAT merely rewrites addresses in packet headers. Forward proxies handle requests from internal clients when they access resources external to the network. Reverse proxies function the opposite way: they accept requests from external systems and relay them to services on the internal network, hiding the backend servers' addresses. Some proxy servers can also be configured with rules, like a firewall. For example, you can create filters to block websites identified as containing malware.
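The following is an added example, not code from the course: the policy decisions a forward proxy and a reverse proxy make, written in Python over constructed request lines. The blocklist, the Host-to-backend routing table and the addresses are hypothetical. It handles `CONNECT` (how browsers send HTTPS through a forward proxy) and absolute-form `GET`, and matches blocked domains by DNS-label suffix so that subdomains of a blocked domain are caught without blocking look-alike names.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed policy data (hypothetical names and addresses).
BLOCKED_DOMAINS = {"malware.example", "phish.example.net"}
REVERSE_ROUTES = {                # public Host header -> backend reachable only via the proxy
    "www.example.com": ("10.0.2.10", 8080),
    "api.example.com": ("10.0.2.20", 9000),
}


def parse_request_line(line: str) -> Tuple[str, str, str]:
    parts = line.strip().split()
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1], parts[2]


def target_host(method: str, target: str) -> Optional[str]:
    """Host a forward proxy would connect to. CONNECT (used for HTTPS) carries
    host:port; a plain request to a forward proxy carries an absolute URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower() or None
    return urlsplit(target).hostname     # None for origin-form targets like "/index.html"


def is_blocked(host: str) -> bool:
    """Suffix match on DNS labels: blocks login.phish.example.net, not notmalware.example."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def forward_proxy_decision(request_line: str) -> str:
    """Policy for a forward proxy: inside clients ask the proxy to fetch on their behalf.
    For HTTPS the proxy sees only the hostname from CONNECT, not the encrypted contents,
    so filtering here is by destination, not by page content."""
    method, target, _version = parse_request_line(request_line)
    host = target_host(method, target)
    if host is None:
        return "reject: no destination host in request"
    if is_blocked(host):
        return f"block: {host} is on the blocklist"
    return f"forward: connect to {host} on behalf of the client"


def reverse_proxy_route(host_header: str) -> Optional[Tuple[str, int]]:
    """Policy for a reverse proxy: outside clients only ever reach the proxy; it maps the
    requested Host to an internal backend whose address is never exposed."""
    return REVERSE_ROUTES.get(host_header.lower().split(":", 1)[0])


if __name__ == "__main__":
    for line in ("CONNECT login.phish.example.net:443 HTTP/1.1",
                 "GET http://www.example.org/index.html HTTP/1.1",
                 "GET /index.html HTTP/1.1"):
        print(line, "->", forward_proxy_decision(line))
    print("Host: api.example.com ->", reverse_proxy_route("api.example.com"))
```

A request with an unknown Host gets `None` from `reverse_proxy_route()`, which the proxy should turn into an error response rather than a guess; forwarding to a default backend is how internal services end up reachable under names nobody intended.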

Virtual Private Networks (VPN)

A VPN is a service that encrypts data in transit and hides your device's IP address from the destinations you contact, which see only the VPN endpoint's address instead. VPNs use a process called encapsulation. Encapsulation wraps your original packet, headers included, inside an encrypted outer packet, which allows your data to be sent across a public network without revealing its contents or its real destination to anyone on the path. This is confidentiality rather than anonymity: the VPN gateway decrypts the traffic and sees where it goes. Enterprises and other organizations use VPNs to help protect communications from users' devices to corporate resources. Some of these resources include servers or virtual machines that host business applications. Individuals also use VPNs to increase personal privacy. VPNs protect user privacy by concealing personal information, including IP addresses, from external servers. A reputable VPN also minimizes its own access to user internet activity by using strong encryption and other security measures. Organizations are increasingly using a combination of VPN and SD-WAN capabilities to secure their networks. A software-defined wide area network (SD-WAN) is a virtual WAN service that allows organizations to securely connect users to applications across multiple locations and over large geographical distances.
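As an added example (not part of the course), here is what encapsulation does and does not hide, in Python using only the standard library. The cipher is a stand-in: an HMAC-SHA256 keystream with an encrypt-then-MAC tag in place of the AES-GCM or ChaCha20-Poly1305 that a real VPN such as IPsec or WireGuard negotiates, and the shared secret is a constant rather than the result of a key exchange. Addresses are from the IETF documentation ranges.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InnerPacket:
    """What the application sends: tunnel-side addresses and payload."""
    src: str
    dst: str
    payload: bytes

    def encode(self) -> bytes:
        return f"{self.src}>{self.dst}|".encode() + self.payload

    @classmethod
    def decode(cls, raw: bytes) -> "InnerPacket":
        header, payload = raw.split(b"|", 1)
        src, dst = header.decode().split(">")
        return cls(src, dst, payload)


@dataclass(frozen=True)
class OuterPacket:
    """What crosses the public network: only the two VPN endpoints' addresses are visible."""
    src: str
    dst: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode (HMAC-SHA256). Stand-in for a real AEAD cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class VpnEndpoint:
    def __init__(self, public_ip: str, peer_ip: str, shared_secret: bytes):
        self.ip, self.peer = public_ip, peer_ip
        # Separate keys for confidentiality and integrity, derived from the session secret.
        self.enc_key = hashlib.sha256(b"enc|" + shared_secret).digest()
        self.mac_key = hashlib.sha256(b"mac|" + shared_secret).digest()

    @staticmethod
    def _aad(src: str, dst: str) -> bytes:
        return f"{src}>{dst}".encode()     # outer header: authenticated but not encrypted

    def encapsulate(self, inner: InnerPacket) -> OuterPacket:
        nonce = os.urandom(12)             # fresh per packet; never reuse with the same key
        plaintext = inner.encode()         # inner header AND payload are both encrypted
        ciphertext = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        tag = hmac.new(self.mac_key, self._aad(self.ip, self.peer) + nonce + ciphertext,
                       hashlib.sha256).digest()
        return OuterPacket(self.ip, self.peer, nonce, ciphertext, tag)

    def decapsulate(self, outer: OuterPacket) -> Optional[InnerPacket]:
        """Verify the tag first (encrypt-then-MAC); a forged or modified packet yields None."""
        expected = hmac.new(self.mac_key, self._aad(outer.src, outer.dst) + outer.nonce
                            + outer.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, outer.tag):
            return None
        plaintext = _xor(outer.ciphertext, _keystream(self.enc_key, outer.nonce, len(outer.ciphertext)))
        return InnerPacket.decode(plaintext)


def run_demo() -> dict:
    """Constructed tunnel: client 198.51.100.7 -> VPN gateway 203.0.113.1 (documentation ranges)."""
    secret = b"constructed-session-secret"   # a real VPN derives this from a key exchange (IKE, Noise)
    client = VpnEndpoint("198.51.100.7", "203.0.113.1", secret)
    gateway = VpnEndpoint("203.0.113.1", "198.51.100.7", secret)
    inner = InnerPacket("10.8.0.2", "192.0.2.80", b"GET /account HTTP/1.1\r\n")

    outer = client.encapsulate(inner)
    observer = {"src": outer.src, "dst": outer.dst, "size": len(outer.ciphertext),
                "inner_dst_readable": inner.dst.encode() in outer.ciphertext}
    delivered = gateway.decapsulate(outer)
    corrupted = OuterPacket(outer.src, outer.dst, outer.nonce,
                            bytes([outer.ciphertext[0] ^ 0x01]) + outer.ciphertext[1:], outer.tag)
    return {
        "observer": observer,                                       # what the path (ISP, hotspot) sees
        "gateway_sees_dst": delivered.dst if delivered else None,   # the operator sees everything
        "roundtrip_ok": delivered == inner,
        "corrupted_accepted": gateway.decapsulate(corrupted) is not None,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

An observer on the path sees the client's public address talking to the gateway and the ciphertext length, but not the inner destination 192.0.2.80; the gateway, holding the key, sees it plainly, which is why a VPN is a confidentiality tool and only as private as its operator. The packet with one flipped ciphertext byte is rejected before any decryption because the tag is checked first.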

Key takeaways

There are three main categories of network protocols: communication, management, and security protocols. In this reading, you learned the fundamentals of firewalls, proxy servers, and VPNs. More organizations are implementing a cloud-based approach to network security by incorporating a combination of VPN and SD-WAN capabilities as a service.