This section covers securing data in motion: the communication channels an organization relies on and the design and implementation decisions that protect traffic on each of them.
- Voice. As more organizations switch to VoIP, voice protocols such as SIP have become common on Ethernet networks. This has introduced additional management, either by using dedicated voice VLANs or by establishing quality of service (QoS) levels to ensure that voice traffic has priority over non-voice traffic. Because unprotected SIP signaling and RTP media can be captured and reconstructed by anyone positioned on the path, SIP should be carried over TLS and the media stream protected with Secure RTP (SRTP). Other web-based voice applications make it more difficult to manage voice as a separate entity. The consumer Skype app, for example, allows video and voice calls over the internet; this can cause additional bandwidth consumption that isn't typically planned for in the network topology design or purchased from an ISP.
- Multimedia collaboration. A variety of technologies now allow instant collaboration with colleagues. Smartboards and interactive screens make meeting in the same room more productive. Add video technology, and someone thousands of miles away can collaborate in the same meeting virtually. Instant messaging through Microsoft Teams, Slack and other applications enables real-time communication. Mobile communication has become a huge market, with apps such as WhatsApp, WeChat and LINE making real-time communication possible anywhere in the world. Each of these is a channel carrying organizational data in motion and should be covered by the same encryption and access controls as the rest of the network.
- Remote access. Because connectivity is so abundant, most job roles can be performed productively from anywhere. Even in a more traditional environment, someone working outside the office can use a VPN to connect and access the organization's internal resources. Taking that a step further, Remote Desktop Services (RDS) and virtual desktop infrastructure (VDI) give the same experience whether you're in the office or at an airport: with an internet connection, you can reach the files and applications you need to be productive. A screen scraper, in this context, is a security application that captures a screen (such as a server console or a remote session) and either records the entire session or takes a screen capture every couple of seconds. Screen scraping helps establish exactly what a person did after logging in to a computer. Screen scrapers are most often deployed on servers and remote connectivity solutions (such as VDI or Remote Desktop farms).
- Data communications. Whether you are physically in an office or working remotely, the communication between the devices being used should be encrypted. This prevents an unauthorized device or person with access to the path from reading the contents of packets as they cross the network. Corporate networks can also be segmented into multiple VLANs to separate different resources. For example, the out-of-band management interfaces of certain devices can be placed on a separate VLAN so that no other devices can communicate with them unless explicitly permitted. Production and development traffic can be segmented onto different VLANs. An office building with multiple departments or floors can have a separate VLAN per department or per floor, so the logical network design can follow the physical layout of the building as needed. Segmentation limits who can reach the traffic; it does not protect what they see, so even within and between VLAN segments the communication should be encrypted using TLS or IPsec. SSL, the predecessor to TLS, is deprecated in all versions and should be disabled rather than relied upon.
- Virtualized networks. Many organizations use hypervisors to virtualize servers and desktops for increased density and reliability. However, to host multiple servers on a single hypervisor, the Ethernet and storage networks must also be virtualized. VMware vSphere and Microsoft Hyper-V both use virtual network and storage switches to allow communication between virtual machines and the physical network. The guest operating systems running in the VMs use a synthetic (paravirtualized) network or storage adapter whose traffic is relayed to the physical adapter on the host. The software-defined networking on the hypervisor can control VLAN assignment, port isolation, bandwidth and other aspects of each virtual port just as if it were a physical switch port, so the same segmentation policy must be enforced in the virtual switch as on the physical switches.
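The segmentation-plus-encryption point in the Data communications bullet, as an added example that is not from the original page: a small Python audit that maps flow records onto a hypothetical VLAN layout, flags cross-VLAN flows the policy does not permit, and separately flags flows that are permitted but ride a cleartext protocol (the case the bullet warns about: a VLAN boundary that is respected but traffic that is still readable). The subnets, the allowed VLAN pairs, the `key=value` flow-log format and the sample flow records are all assumptions constructed for this example.

```python
"""Audit flow records against a VLAN segmentation policy and flag cleartext protocols.

Added example; the VLAN layout, policy and log format below are assumptions, not
taken from any real network or product.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical VLAN layout: name -> subnet. The out-of-band management VLAN is
# reachable only from the jump-host VLAN (see ALLOWED_PAIRS).
VLANS = {
    "users":    ipaddress.ip_network("10.10.20.0/24"),
    "prod":     ipaddress.ip_network("10.10.30.0/24"),
    "dev":      ipaddress.ip_network("10.10.40.0/24"),
    "jump":     ipaddress.ip_network("10.10.98.0/24"),
    "oob-mgmt": ipaddress.ip_network("10.10.99.0/24"),
}

# Permitted cross-VLAN (source, destination) pairs. Traffic that stays inside one
# VLAN is permitted by default; everything else between VLANs is a violation.
ALLOWED_PAIRS = {
    ("users", "prod"),
    ("jump", "oob-mgmt"),
}

# (protocol, destination port) of services that carry data in cleartext. A flow on
# one of these is flagged even when the VLAN pair is allowed.
CLEARTEXT_PORTS = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("udp", 161): "snmp",
    ("tcp", 389): "ldap",
}

# Constructed sample flow records in the assumed key=value format.
SAMPLE_FLOWS = [
    "ts=2024-05-01T10:00:01Z src=10.10.20.15 dst=10.10.30.8 proto=tcp dport=443",   # users -> prod, https
    "ts=2024-05-01T10:00:02Z src=10.10.20.15 dst=10.10.99.10 proto=tcp dport=22",   # users -> oob-mgmt
    "ts=2024-05-01T10:00:03Z src=10.10.98.5 dst=10.10.99.10 proto=tcp dport=22",    # jump -> oob-mgmt, ssh
    "ts=2024-05-01T10:00:04Z src=10.10.98.5 dst=10.10.99.11 proto=tcp dport=23",    # jump -> oob-mgmt, telnet
    "ts=2024-05-01T10:00:05Z src=10.10.40.7 dst=10.10.30.8 proto=tcp dport=5432",   # dev -> prod
    "ts=2024-05-01T10:00:06Z src=10.10.30.8 dst=10.10.30.9 proto=tcp dport=80",     # prod -> prod, http
    "ts=2024-05-01T10:00:07Z src=10.10.20.15 dst=192.0.2.7 proto=tcp dport=443",    # users -> internet
]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value key=value ...' record into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        proto=fields["proto"].lower(),
        dport=int(fields["dport"]),
    )


def vlan_of(addr):
    """Return the VLAN name whose subnet contains addr, or None if it is outside all of them."""
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def classify(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Segmentation is checked first, then cleartext use."""
    src_vlan, dst_vlan = vlan_of(flow.src), vlan_of(flow.dst)
    if src_vlan is None or dst_vlan is None:
        return "external", "one endpoint is outside every defined VLAN"
    if src_vlan != dst_vlan and (src_vlan, dst_vlan) not in ALLOWED_PAIRS:
        return "segmentation-violation", f"{src_vlan} -> {dst_vlan} is not an allowed VLAN pair"
    service = CLEARTEXT_PORTS.get((flow.proto, flow.dport))
    if service is not None:
        return "cleartext", f"{service} on {flow.proto}/{flow.dport} is unencrypted even though the path is allowed"
    return "ok", "within policy and no cleartext protocol detected"


def audit(lines) -> list[tuple[str, str, str]]:
    """Classify every record; returns (line, verdict, reason) triples in input order."""
    return [(line, *classify(parse_flow(line))) for line in lines]


if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:24} {reason}\n    {line}")
```

The audit deliberately reports two different things: a `segmentation-violation` means the VLAN design itself is being bypassed (here dev reaching prod, and a user workstation reaching the out-of-band management VLAN), while `cleartext` means the path is allowed but the protocol on it still exposes the payload, which is exactly why the bullet insists on TLS or IPsec even after segmenting.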