Every network exists to provide services — and those services are delivered by hosts that have been configured to perform a specific role. Objective 2.3 asks you to recognize the most common server roles and network appliances by name, understand the core function each one performs, and be able to match a real-world scenario ("users can't resolve website names," "a device needs to spread incoming traffic across several web servers") to the correct role or appliance.
This objective is organized into three groups. Server roles are software services — often run on dedicated hardware, but conceptually defined by the function they perform regardless of the underlying box. Internet appliances are devices (hardware or virtual) that sit at a strategic point in the network, usually the perimeter, to inspect, filter, or distribute traffic. Legacy/embedded systems and IoT covers a category of devices that don't fit the traditional "server" or "appliance" mold but are increasingly common on modern networks and carry their own unique risk profile.
Role vs. Hardware
A "server role" describes what a host does, not what physical box it runs on. A single physical server can run multiple roles simultaneously (a small business might run DNS, DHCP, and file sharing all on one machine), or a single role can be spread across many physical servers for redundancy and load (a large company's web servers). Don't assume "one role = one box" — the exam tests your understanding of the function, independent of deployment.
The following ten roles represent the core services that make a modern network usable — resolving names, assigning addresses, sharing files and printers, delivering mail and web content, logging events, authenticating users, storing structured data, and keeping every device's clock in sync.
A DNS server translates human-readable domain names (e.g., google.com) into the IP addresses that computers actually use to route traffic, and vice versa. Without DNS, users would have to memorize and type numeric IP addresses for every website and service they wanted to reach. A DNS server maintains records mapping names to addresses and answers lookup requests from clients.
A DHCP server automatically assigns IP addresses, subnet masks, default gateways, and DNS server addresses to client devices joining the network, eliminating the need to manually configure every device (see the DORA process covered in objective 2.6). Most SOHO routers run a built-in DHCP server; larger organizations typically run DHCP on a dedicated server.
A file share provides centralized storage that multiple users and devices can access over the network, typically presented as mapped network drives or shared folders. Centralizing files this way makes backup, access control, and collaboration far simpler than scattering files across individual local machines. Common protocols include SMB (Windows-native file sharing) and NFS (common in Linux/Unix environments).
A print server manages and queues print jobs from multiple client computers to one or more shared network printers, centralizing print drivers, permissions, and job queuing rather than requiring each printer to be configured individually on every computer. A print server can be a dedicated appliance, a role running on a general-purpose server, or even a printer itself with built-in network/print-server capability.
A mail server sends, receives, and stores email for an organization's users. Mail servers typically combine multiple protocols: SMTP (Simple Mail Transfer Protocol) handles outgoing mail and the relay of mail between servers, while IMAP or POP3 handle client retrieval of mail from the server's mailbox storage. (These protocols and their ports are explored in greater depth in a later networking objective.)
A syslog server provides centralized logging: network devices, servers, and applications send their log messages (errors, warnings, status events) to a central syslog server rather than keeping logs scattered locally on each device. This centralization is critical for security monitoring, troubleshooting, and compliance, since it allows an administrator to correlate events across many devices from one place instead of checking each device individually.
A web server hosts and serves website content (HTML, images, applications) to client browsers using HTTP (port 80, unencrypted) or HTTPS (port 443, encrypted via TLS). Common web server software includes Apache, Nginx, and Microsoft IIS. A single physical or virtual server can host many separate websites simultaneously.
AAA is a framework, not a single protocol, describing three related security functions, often implemented together via services like RADIUS or TACACS+.
A database server stores, organizes, and serves structured data to client applications, typically using a query language such as SQL. Database servers run software like Microsoft SQL Server, MySQL, PostgreSQL, or Oracle, and are the backend behind most business applications, websites, and inventory/customer record systems. The application a user interacts with is usually just a front end querying a database server behind the scenes.
An NTP server synchronizes the system clocks of devices across a network to a common, accurate time reference. Accurate, synchronized time is critical for far more than just clock display: it's essential for correctly correlating timestamps in security logs, for many authentication protocols (e.g., Kerberos, which fails if client/server clocks drift too far apart), and for scheduled tasks and certificate validity checks across the network.
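The syslog and NTP roles above depend on each other, and the following added example (not part of the original study guide) shows why: it parses constructed RFC 5424-style syslog lines, merges them into one timeline, and shows a cross-host burst of failed logins that is only visible once one host's clock error is corrected. The host names, IP address, the 7-minute drift, and the 5-minute Kerberos tolerance are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed RFC 5424-style lines as a central syslog server would store them.
# db01's clock runs 7 minutes slow (no NTP sync); hosts and IPs are made up.
LINES = [
    "<36>1 2024-05-01T10:00:05Z fw01 sshd - - - Failed password for admin from 10.0.0.50",
    "<36>1 2024-05-01T10:00:07Z web01 sshd - - - Failed password for admin from 10.0.0.50",
    "<36>1 2024-05-01T09:53:09Z db01 sshd - - - Failed password for admin from 10.0.0.50",
    "<38>1 2024-05-01T10:00:11Z web01 sshd - - - Accepted password for admin from 10.0.0.50",
]
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PATTERN = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) \S+ \S+ - (.*)$")
KERBEROS_MAX_SKEW = timedelta(minutes=5)  # common default; assumption, not from the page

def parse(line):
    """Split one line into fields; PRI encodes facility * 8 + severity."""
    m = PATTERN.match(line)
    if m is None:
        raise ValueError(f"not an RFC 5424 line: {line!r}")
    pri, ts, host, app, msg = m.groups()
    return {
        "facility": int(pri) // 8,
        "severity": SEVERITY[int(pri) % 8],
        "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host, "app": app, "msg": msg,
    }

def timeline(lines, clock_error=None):
    """Merge all hosts' events, subtracting each host's known clock error
    (negative = clock is slow), and order them by corrected time."""
    events = [parse(line) for line in lines]
    for e in events:
        e["time"] -= (clock_error or {}).get(e["host"], timedelta(0))
    return sorted(events, key=lambda e: e["time"])

def hosts_hit(events, needle, window):
    """Hosts that logged `needle` within `window` of the first matching event."""
    hits = [e for e in events if needle in e["msg"]]
    if not hits:
        return set()
    start = hits[0]["time"]
    return {e["host"] for e in hits if e["time"] - start <= window}

def breaks_kerberos(error):
    """True when a clock error exceeds the assumed Kerberos tolerance."""
    return abs(error) > KERBEROS_MAX_SKEW

DRIFT = {"db01": timedelta(minutes=-7)}  # measured clock error per host (constructed)
```

With the raw timestamps, a 30-second correlation window sees the db01 event alone; with the drift corrected, the same window shows the same source failing logins on three hosts within four seconds.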
Exam Angle — Match the Symptom to the Role
This objective is tested almost entirely through symptom-matching. "Users can reach a website by IP but not by name" → DNS problem. "A new device on the network has no IP address at all" → DHCP problem. "Security logs from different devices don't line up in time" → NTP problem. "An employee can log in but can't access the files they need" → an authorization failure (the "A" after authentication in AAA). Practice converting symptoms into role names — that's the actual exam skill.
Where server roles generally provide a service that users or applications directly consume, internet appliances typically sit at a strategic chokepoint in the network — most often the perimeter, between the internal network and the internet — to inspect, filter, distribute, or relay traffic on behalf of other systems.
A spam gateway sits in front of a mail server and filters incoming (and sometimes outgoing) email for spam, phishing attempts, and malicious attachments before that mail ever reaches end users' inboxes. It can be a dedicated hardware appliance, a software service, or a cloud-based filtering service that simply redirects mail flow through it before delivery to the real mail server.
A Unified Threat Management (UTM) appliance consolidates multiple security functions into a single device: firewall, intrusion detection/prevention (IDS/IPS), antivirus/anti-malware scanning, content filtering, VPN termination, and often spam filtering — all managed from one console. The appeal of a UTM is simplified management and reduced hardware footprint compared to deploying each of those functions as a separate standalone device, which is the traditional enterprise approach.
UTM vs. Standalone Firewall
Recall from objective 2.5 that a basic firewall filters traffic by rule. A UTM is best understood as a "firewall and then some" — it includes firewall functionality but bundles many additional security layers into the same box. The tradeoff: a UTM is a single point of failure and can become a performance bottleneck under heavy load, since one device is now responsible for many security functions simultaneously.
A load balancer distributes incoming network or application traffic across multiple servers, ensuring no single server becomes overwhelmed while the others sit idle. This serves two purposes simultaneously: improving performance (spreading the workload) and improving availability/redundancy (if one backend server fails, the load balancer can detect this and stop sending it traffic, routing requests to the remaining healthy servers instead).
Load balancers are especially common in front of web server farms and database clusters, where a popular website or application needs more capacity than any single server could handle alone.
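The two purposes described above, spreading the workload and routing around a failed backend, can be seen in this added example (not from the original study guide). It models round-robin distribution with health checks; the backend names, the two-probe failure threshold, and the class and method names are hypothetical.

```python
class LoadBalancer:
    """Round-robin distribution over backends that pass their health checks."""

    def __init__(self, backends, fail_threshold=2):
        self.backends = list(backends)
        self.fail_threshold = fail_threshold   # failed probes before removal
        self.failures = {b: 0 for b in self.backends}
        self._next = 0                         # position in the rotation

    def record_probe(self, backend, ok):
        """Feed in one health-check result; a success restores the backend."""
        self.failures[backend] = 0 if ok else self.failures[backend] + 1

    def healthy(self):
        """Backends currently eligible to receive traffic."""
        return [b for b in self.backends
                if self.failures[b] < self.fail_threshold]

    def route(self):
        """Return the next healthy backend, skipping any marked as failed."""
        for _ in range(len(self.backends)):
            candidate = self.backends[self._next % len(self.backends)]
            self._next += 1
            if self.failures[candidate] < self.fail_threshold:
                return candidate
        # Every backend failed its checks: nothing is left to route to.
        raise RuntimeError("no healthy backends available")


def simulate():
    """Constructed scenario: web2 fails two probes mid-run, then recovers."""
    lb = LoadBalancer(["web1", "web2", "web3"])
    served = [lb.route() for _ in range(3)]    # all three healthy
    lb.record_probe("web2", ok=False)
    lb.record_probe("web2", ok=False)          # threshold reached, web2 removed
    served += [lb.route() for _ in range(4)]   # traffic flows around web2
    lb.record_probe("web2", ok=True)           # passing probe restores it
    served += [lb.route() for _ in range(3)]
    return served
```

The failure threshold keeps a single dropped probe from removing a backend, while a passing probe puts it straight back into rotation.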
A proxy server acts as an intermediary between client devices and the destination servers they're trying to reach, with the client's request passing through the proxy rather than going directly to the destination. Proxies serve several distinct purposes, often combined in the same device:
Forward Proxy vs. Reverse Proxy
A forward proxy sits in front of clients, handling outbound requests on their behalf to external destinations (the typical "company internet filter" scenario). A reverse proxy sits in front of servers instead, handling inbound requests from external clients on behalf of one or more backend servers — often blurring into load-balancer territory, since a reverse proxy frequently distributes incoming requests across multiple backend servers as part of its job.
| Appliance | Core Function | Typical Placement |
|---|---|---|
| Spam gateway | Filters spam/phishing before it reaches the mail server | In front of the mail server |
| UTM | Consolidates firewall + IDS/IPS + antivirus + content filtering + VPN | Network perimeter |
| Load balancer | Distributes traffic across multiple servers for performance/redundancy | In front of a server farm/cluster |
| Proxy server | Intermediary for client requests; filtering, caching, anonymity | Between clients and the internet (forward) or in front of servers (reverse) |
A SCADA (Supervisory Control and Data Acquisition) system monitors and controls industrial processes and physical infrastructure — power grids, water treatment plants, manufacturing lines, oil and gas pipelines, and similar industrial environments. SCADA systems collect real-time data from sensors and control physical equipment (valves, pumps, switches) spread across a facility or a wide geographic area.
Why SCADA Security Is Different
SCADA systems are frequently built on legacy hardware and software that may be decades old, were never designed with modern network security in mind, and often cannot be patched or updated without risking disruption to critical physical processes (a water treatment plant can't simply "reboot to apply updates" the way an office workstation can). This combination — old, hard-to-patch software controlling physically critical infrastructure — makes SCADA environments a uniquely sensitive security concern, and they are typically isolated from general business networks specifically because of this risk.
Internet of Things (IoT) devices are everyday physical objects embedded with sensors, software, and network connectivity, allowing them to collect and exchange data over a network. Common examples include smart thermostats, smart speakers/assistants, security cameras, smart door locks, wearable fitness trackers, and connected appliances.
Exam Angle
SCADA and IoT are grouped together here because the exam wants you to recognize a shared theme: both categories involve devices that are connected to the network but were not designed with network security as a primary concern, and both are commonly addressed in practice by network segmentation — placing these devices on a separate, isolated VLAN or network segment so that a compromise of one of these devices doesn't expose the rest of the network.
Final Exam Reminders
DNS = names ↔ IPs. DHCP = automatic IP configuration. These two are the most frequently tested roles in this objective.
AAA = three distinct functions — don't collapse "authentication" and "authorization" into the same thing; a user can be authenticated but not authorized.
NTP = accurate time matters for log correlation and authentication protocols like Kerberos, not just for clock display.
UTM = many security functions bundled into one appliance; tradeoff is a single point of failure.
Load balancer = performance AND redundancy — distributes load and routes around failed servers.
Forward proxy = protects/filters for clients going out. Reverse proxy = sits in front of servers handling inbound requests.
SCADA = industrial/physical infrastructure control; legacy systems, hard to patch, high-stakes if compromised.
IoT = single-purpose connected devices; default credentials and infrequent updates are the recurring exam theme.