Vlans, Mac filtering – Apple Mac OS X Server (Version 10.6 Snow Leopard) User Manual

Page 53


Chapter 4

Enhancing Security

53

This allows an organization to provide services to the external network while
protecting the internal network from being compromised by a host in the DMZ. If
someone compromises a DMZ host, he or she cannot connect to the internal network.

The DMZ is often used to connect servers that need to be accessible from the external
network or Internet, such as mail, web, and DNS servers.

Connections from the external network to the DMZ are often controlled using firewalls
and address translation.

You can create a DMZ by configuring your firewall. Each network is connected to a
different port on the firewall, in what is called a three-legged firewall setup. This is
simple to implement but creates a single point of failure.

Another approach is to use two firewalls with the DMZ in the middle, connected to
both firewalls, and with one firewall connected to the internal network and the other
to the external network. This is called a screened-subnet firewall.

This setup provides protection in case a misconfiguration of one firewall would
otherwise allow access from the external network to the internal network.

VLANs

Mac OS X Server provides 802.1q Virtual Local Area Network (VLAN) support on the
Ethernet ports and on the secondary PCI gigabit Ethernet cards available for or included
with Xserves.

VLANs allow multiple computers on different physical LANs to communicate with
each other as if they were on the same LAN. Benefits include more efficient network
bandwidth utilization and greater security, because broadcast or multicast traffic is
sent only to computers on the common network segment. Xserve VLAN support
conforms to the IEEE 802.1q standard.

MAC Filtering

MAC filtering (or layer 2 address filtering) refers to a security access control where a
network interface’s MAC address, or Ethernet address (the 42-bit address assigned to
each network interface), is used to determine access to the network.

MAC addresses are unique to each card, so using MAC filtering on a network permits
and denies network access to specific devices, rather than to specific users or network
traffic types. Individual users are not identified by a MAC address, only a device, so an
authorized person must have an allowed list of devices that he or she would use to
access the network.
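As an added illustration (not part of the manual), the following Python models the device-based access decision described above: the allowed list is keyed by device address, so the same person is permitted or denied depending solely on which device they bring, and a person not on any list is permitted if they use a listed device. The addresses, owner names and connection attempts are constructed sample values.

```python
import re
from typing import Dict, List, Tuple

_ALLOWED_CHARS = re.compile(r"[^0-9a-fA-F:.\-\s]")


def normalize_mac(text: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff (Cisco style)
    or bare aabbccddeeff and return canonical lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(hexdigits) != 12 or _ALLOWED_CHARS.search(text.strip()):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    # Bit 0x02 of the first octet marks an address set by software rather than
    # burned in by the card vendor; worth a closer look before trusting it.
    return bool(int(mac.split(":")[0], 16) & 0x02)


class MacFilter:
    """Allowed list keyed by device address; the owner name is informational."""

    def __init__(self, allowed: Dict[str, str]):
        self.allowed = {normalize_mac(m): owner for m, owner in allowed.items()}

    def decide(self, mac: str, claimed_user: str) -> str:
        # claimed_user is accepted only to make the point visible: the decision
        # never looks at it, a MAC filter identifies devices, not people.
        try:
            canon = normalize_mac(mac)
        except ValueError:
            return "deny (malformed address)"
        if canon in self.allowed:
            return f"permit (device registered to {self.allowed[canon]})"
        note = "; locally administered address" if is_locally_administered(canon) else ""
        return f"deny (device not in allowed list{note})"


def evaluate(filter_: MacFilter, attempts: List[Tuple[str, str]]) -> List[str]:
    return [filter_.decide(mac, user) for mac, user in attempts]


# Constructed allowed list (sample values, not real devices).
ALLOWED_DEVICES = {"00:11:22:33:44:55": "alice-laptop",
                   "00-11-22-33-44-66": "bob-laptop",
                   "0011.2233.4477": "print-room-1"}

# Constructed attempts: (address seen on the wire, person at the keyboard).
SAMPLE_ATTEMPTS = [("00:11:22:33:44:55", "alice"),    # alice, her own laptop
                   ("AA:BB:CC:DD:EE:01", "alice"),    # alice, unregistered device
                   ("00:11:22:33:44:66", "mallory"),  # someone else on bob's laptop
                   ("not-a-mac", "carol")]

if __name__ == "__main__":
    for attempt, verdict in zip(SAMPLE_ATTEMPTS, evaluate(MacFilter(ALLOWED_DEVICES), SAMPLE_ATTEMPTS)):
        print(attempt, "->", verdict)
```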
