Your company is constructing a new building with a structured cabling system per the EIA/TIA-568 standard. As a network engineer, you are designing an 802.3 network with hundreds of nodes. Which of the following is the best strategy to mitigate the threats of network sniffing and denial of service?
A. Manage the network with security domains
B. Separate the network into broadcast domains
C. Split the network into collision domains
D. Organize the network into DNS domains
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Separate the network into broadcast domains.
Broadcast domains separate hosts into discrete networks (subnets or VLANs) connected by routers. Mitigation means reducing the likelihood, the impact, or both. If one network is compromised, the loss is contained because traffic between networks is isolated and can be filtered at the router. A sniffer in one broadcast domain does not receive traffic from the other domains, and a broadcast storm or other denial of service is confined to the domain where it originates, which makes it easier to contain.
Traditional Ethernets (802.3), such as 10BASE2 (thinnet) and 10BASE5 (thicknet), are composed of coaxial cable segments connected by repeaters. They have a linear (bus) topology and follow the well-known 5-4-3 rule: at most 5 segments, connected by 4 repeaters (or active hubs), with only 3 of the 5 segments populated with hosts.
A collision domain is the scope within which an electrical signal travels, so that two stations transmitting at the same time collide. In a traditional Ethernet, the signal from any segment is repeated onto all the other segments, which leads to collisions and poor transmission performance; the whole Ethernet forms a single collision domain.
A bridge (e.g., a switching hub) connects segments and solves the performance problem by splitting the network (one large collision domain) into several smaller collision domains. A bridge learns the location of addresses, so a frame is sent only to the segment of its destination instead of being repeated to all segments; in other words, it keeps a table (the MAC address or CAM table) of the unicast source addresses it has seen and the port each was learned on. However, a bridge still forwards broadcasts (and also multicasts and unicasts to addresses it has not yet learned) out every port except the one the frame arrived on.
A broadcast domain is the scope within which a broadcast travels. In a collision domain, any kind of heavy traffic hurts performance; in a broadcast domain, a high volume of broadcasts, or a broadcast storm, is the primary factor that degrades performance.
Every node on a network is uniquely identified and addressed so that transmission can happen. A network typically supports several transmission methods: unicast, multicast, and broadcast. Unicast means only one host receives the message; multicast means a group of receivers; broadcast means all hosts in the broadcast domain.
Router and Switching Hub
A broadcast domain forms a standalone network. Communication across broadcast domains (networks) requires a router, because a broadcast is addressed to all hosts on the same network and stops at the router. A switching hub, which creates collision domains, is a device within a network or part of one.
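To make the behaviour of the learning bridge, the broadcast domain, and the router concrete, here is a small simulation. It is an added example written for this page, not code from the original post: two switches form broadcast domains A and B, a router joins them, and host a2 plays a sniffer on domain A. Host names, MAC and IP addresses are constructed for the example, and the router uses a static IP-to-MAC table in place of ARP. The frame classification follows the I/G bit of the first MAC octet (set for multicast, all ones for broadcast).

```python
"""Toy model of a switched Ethernet split into two broadcast domains joined by a router.

Constructed example: the host names, MAC and IP addresses are made up for the simulation,
and the router's static route table stands in for ARP.
"""
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def frame_kind(dst_mac: str) -> str:
    """Classify a destination MAC: broadcast, multicast (I/G bit of first octet set) or unicast."""
    if dst_mac.lower() == BROADCAST_MAC:
        return "broadcast"
    first_octet = int(dst_mac.split(":")[0], 16)
    return "multicast" if first_octet & 0x01 else "unicast"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    dst_ip: str
    payload: str


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    link: tuple | None = None                  # (switch, port), set when attached
    seen: list = field(default_factory=list)   # every frame the NIC observes: a sniffer's view

    def on_frame(self, switch, frame):
        self.seen.append(frame)

    def send(self, dst_mac, dst_ip, payload):
        switch, port = self.link
        return switch.receive(port, Frame(self.mac, dst_mac, dst_ip, payload))


class Switch:
    """Learning bridge: one collision domain per port, one broadcast domain for the whole switch."""

    def __init__(self, name):
        self.name = name
        self.ports = {}   # port number -> attached device
        self.cam = {}     # learned source MAC -> port

    def attach(self, port, device):
        self.ports[port] = device
        if isinstance(device, Host):
            device.link = (self, port)

    def receive(self, in_port, frame):
        self.cam[frame.src_mac] = in_port   # learn where the sender lives
        if frame_kind(frame.dst_mac) == "unicast" and frame.dst_mac in self.cam:
            out_ports = [self.cam[frame.dst_mac]]   # known unicast: a single port
        else:   # broadcast, multicast or unknown unicast: flood all other ports
            out_ports = [p for p in self.ports if p != in_port]
        for p in out_ports:
            self.ports[p].on_frame(self, frame)
        return out_ports


class Router:
    """Layer 3 boundary: forwards unicast by destination IP, never forwards a broadcast."""

    def __init__(self):
        self.ifaces = {}   # switch name -> (switch, port, interface MAC)
        self.routes = {}   # destination IP -> (switch name, host MAC); static instead of ARP

    def attach(self, switch, port, mac):
        self.ifaces[switch.name] = (switch, port, mac)
        switch.attach(port, self)

    def add_route(self, ip, switch_name, mac):
        self.routes[ip] = (switch_name, mac)

    def announce(self):
        """One broadcast per interface so each switch learns the router's MAC."""
        for switch, port, mac in self.ifaces.values():
            switch.receive(port, Frame(mac, BROADCAST_MAC, "", "router-hello"))

    def on_frame(self, switch, frame):
        _, _, my_mac = self.ifaces[switch.name]
        if frame.dst_mac != my_mac or frame.dst_ip not in self.routes:
            return None   # broadcasts and frames not addressed to the router stop here
        target, host_mac = self.routes[frame.dst_ip]
        if target == switch.name:
            return None   # same domain: the switch delivers it, not the router
        out_switch, out_port, out_mac = self.ifaces[target]
        out_switch.receive(out_port, Frame(out_mac, host_mac, frame.dst_ip, frame.payload))
        return target


def build_and_run():
    """Domains A (a1, a2) and B (b1) joined by a router; returns the payloads each host observed."""
    a1 = Host("a1", "02:00:00:00:0a:01", "10.0.1.1")
    a2 = Host("a2", "02:00:00:00:0a:02", "10.0.1.2")   # the sniffer
    b1 = Host("b1", "02:00:00:00:0b:01", "10.0.2.1")
    sw_a, sw_b, router = Switch("A"), Switch("B"), Router()
    sw_a.attach(1, a1)
    sw_a.attach(2, a2)
    sw_b.attach(1, b1)
    gw_a = "02:00:00:00:ff:0a"   # router interface on domain A (a1's default gateway)
    router.attach(sw_a, 9, gw_a)
    router.attach(sw_b, 9, "02:00:00:00:ff:0b")
    for h, dom in ((a1, "A"), (a2, "A"), (b1, "B")):
        router.add_route(h.ip, dom, h.mac)
    for h in (a1, a2, b1):        # warm-up so every CAM table is populated ...
        h.send(BROADCAST_MAC, "", "hello")
    router.announce()
    for h in (a1, a2, b1):        # ... then forget what was seen during warm-up
        h.seen.clear()
    a1.send(a2.mac, a2.ip, "unicast-in-A")   # known unicast: reaches a2's port only
    a1.send(gw_a, b1.ip, "secret-for-B")     # routed to B; the sniffer a2 never sees it
    a1.send(BROADCAST_MAC, "", "storm")      # floods domain A, stops at the router
    return {h.name: [f.payload for f in h.seen] for h in (a1, a2, b1)}
```

Running `build_and_run()` shows the sniffer a2 seeing only the unicast addressed to it and the broadcast, while the frame routed to b1 never appears on domain A, and the "storm" never reaches domain B. Two caveats for a real network: a switch floods unicasts whose destination it has not yet learned, and ARP spoofing or CAM-table flooding can still let an attacker inside a broadcast domain capture its neighbours' unicast traffic, so splitting domains limits the blast radius but does not make sniffing within a domain impossible.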
Security Domain
- A domain that implements a security policy and is administered by a single authority. (CNSSI 4009)
- A set of subjects, their information objects, and a common security policy. (NIST SP 800-33)
- An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture. (NIST SP 800-53 Rev. 4)
A security domain is a matter of access control: information flows between subjects and objects are mediated by the security kernel through authentication, authorization, and accounting. A directory service manages the repository (directory) of subjects and objects. Security domains govern who may access what; they do not change how frames propagate on the wire, so they do not by themselves address sniffing or broadcast storms.
A DNS domain is a logical grouping of hosts in the DNS name space, described by various types of resource records, e.g., A, AAAA, NS, PTR, MX, etc. It is a naming hierarchy, not a traffic boundary, so it has no effect on sniffing or denial of service.