Advanced Networking - Nampa School District


Computer Networking
Beyond the Basics
FETC 2009
Networking Trends - User
• More users are being connected to
networks as client/server applications
become more widespread
• Users are connecting more powerful
workstations that require greater
bandwidth to be fully productive
• Everyone wants access to the Internet
• Administrative and Instructional networks
are merging
Networking Trends - Applications
• Imaging, modeling, and graphics-based applications demand large amounts of sustained bandwidth to transfer files
• New, real-time applications such as multimedia, video, and voice add a new requirement, constant delay, to the network design
Network Size
• Small, single segment networks
  • <100 users, one or two servers, Ethernet or Token Ring
• Medium, several segments
  • <500 users, 5 servers, high speed backbone, router
• Large, multi-segment
  • 500+ users, 5+ servers, high speed switched VLAN, router
Network Administration - Network Manager
• Making the network more manageable for changes, moves and adds.
• Adding redundancy and improving reliability of the network
• Updating out-of-date equipment
Network Documentation
• Hardware and Software inventory
• Tech Support Contacts, Contracts, and Numbers
• Vendor Information
• Software Licensing
• Original Software Diskettes and Backups
Network Documentation
• IP Addressing
• MAC Addressing
• Hub/Switch Documentation
• Server Configuration Files
• Wiring Labeling Scheme and Diagrams
• System passwords (stored for emergency)
Network Documentation
• Backup Log
• Trouble Log
• Service Log
• District Policies
• Purchase Orders and Invoices
Network Documentation
• Develop a Baseline for your Network
• Establish communication for vendors and staff
• Improved response time
• Know where equipment is located
• Document on Paper as well as online
  • Notebooks
  • Databases - share with others
Network Protocols
• OSI Model
• Protocol Rules
OSI Model
The Layers
Think of the seven layers as the assembly line in the computer. At each layer, certain things
happen to the data that prepare it for the next layer. The seven layers, which separate into
two sets, are:
• Application Set
  • Layer 7: Application - This is the layer that actually interacts with the operating system or application whenever the user chooses to transfer files, read messages or perform other network-related activities.
  • Layer 6: Presentation - Layer 6 takes the data provided by the Application layer and converts it into a standard format that the other layers can understand.
  • Layer 5: Session - Layer 5 establishes, maintains and ends communication with the receiving device.
• Transport Set
  • Layer 4: Transport - This layer maintains flow control of data and provides for error checking and recovery of data between the devices. Flow control means that the Transport layer looks to see if data is coming from more than one application and integrates each application's data into a single stream for the physical network.
  • Layer 3: Network - The way that the data will be sent to the recipient device is determined in this layer. Logical protocols, routing and addressing are handled here.
  • Layer 2: Data Link - In this layer, the appropriate physical protocol is assigned to the data. Also, the type of network and the packet sequencing is defined.
  • Layer 1: Physical - This is the level of the actual hardware. It defines the physical characteristics of the network such as connections, voltage levels and timing.
ISO/OSI Layers
Packets
LAN Addressing
• each node must have a unique address for its hardware
• each network on an internet must be unique
• many protocols use a two-level hierarchy (network:node)
• Unicast – sent to one node
• Broadcast – sent to all nodes
• Multicast – sent to group of nodes
LAN Addressing
• ARP (Address Resolution Protocol)
  • The ARP protocol is used to map IP addresses to MAC addresses.
• RARP (Reverse ARP Protocol)
  • RARP is used to map MAC addresses to IP addresses
Binary Transmission
LAN Addressing
• DHCP
• Static
• Random
• IPX
• AppleTalk
• TCP/IP
• WINS and NetBIOS
• NAT - Network Address Translation
LAN Addressing
• MAC (Media Access Control) - 000c.04b3.42a1
• IPX - 43456:000c.04b3.42a1
  • network (0-ffffffff)
  • MAC address
• AppleTalk - 6501.239
  • Network (1-65279)
  • Node (1-254)
• TCP/IP - 168.221.20.235 (Dotted Decimal Notation)
  • Network
  • Host
LAN Addressing - DHCP
• Addresses are assigned and leased from a specific range by a server running Dynamic Host Configuration Protocol (DHCP)
• May also use Boot-P
LAN Addressing
• IP Addressing
  • 32 bit numbers
  • expressed in dotted decimal notation xxx.xxx.xxx.xxx (168.221.20.235)
  • each decimal number represents 8 bits of binary data and ranges from 0 to 255
  • 168.221.20.235 = 10101000.11011101.00010100.11101011
  • IP Addresses are arranged in classes
LAN Addressing
• Binary Numbers
  • Decimal place values (0-9)
    10^5 = 100,000   10^4 = 10,000   10^3 = 1,000   10^2 = 100   10^1 = 10   10^0 = 1
  • Binary place values (0-1)
    2^7 = 128   2^6 = 64   2^5 = 32   2^4 = 16   2^3 = 8   2^2 = 4   2^1 = 2   2^0 = 1
  • Hexadecimal place values (0-9,A,B,C,D,E,F)
    16^3 = 4096   16^2 = 256   16^1 = 16   16^0 = 1
LAN Addressing
Number Systems
http://www.gwmays.com/NumConV2/
LAN Addressing
• IP Classes
  • Class A
    • 1-126 N.H.H.H
    • 001.hhh.hhh.hhh to 126.hhh.hhh.hhh
    • 126 Networks of 16,777,214 Hosts
  • Class B
    • 128-191 N.N.H.H
    • 128.001.hhh.hhh to 191.254.hhh.hhh
    • 16,382 Networks of 65,534 Hosts
LAN Addressing
• IP Classes
  • Class C
    • 192-223 N.N.N.H
    • 192.000.001.hhh to 223.255.254.hhh
    • 2,097,152 Networks of 254 Hosts
  • Class D and E reserved
• CIDR - Classless Interdomain Routing
LAN Addressing
• IP Subnet Masks
  • splits a network into a collection of smaller networks
  • makes networks more manageable
  • can reduce traffic on each subnet
  • each network operates as an independent network
• Example: 168.221.20.235 255.255.255.0
  • 10101000.11011101.00010100.11101011
  • 11111111.11111111.11111111.00000000
  • Host 235 on network 168.221.20.0
Subnetting Network 200.200.200.0
• 200.200.200.0 255.255.255.0
  • One network
  • 254 hosts 200.200.200.1-254
  • Single broadcast domain
Subnetting Network 200.200.200.0
• 200.200.200.0 255.255.255.128
  • 126 hosts 200.200.200.1-126
• 200.200.200.128 255.255.255.128
  • 126 hosts 200.200.200.129-254
• Two networks
• Two collision domains
• Total hosts = 252
Subnetting Network 200.200.200.0
• 200.200.200.0 255.255.255.128
  • 126 hosts 200.200.200.1-126
• 200.200.200.128 255.255.255.192
  • 62 hosts 200.200.200.129-190
• 200.200.200.192 255.255.255.192
  • 62 hosts 200.200.200.193-254
• Three networks
• Three collision domains
• Total hosts = 250
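The mask arithmetic from the IP addressing and subnetting slides, as an added worked example (not code from the deck): it converts an address and mask to the dotted binary shown above, reports which host on which network the address is, and carves 200.200.200.0/24 into the two- and three-network layouts of the last slides. It uses only Python's standard ipaddress module; the function names are assumptions.

```python
import ipaddress

def to_binary(addr):
    """Dotted-decimal IPv4 address or mask -> dotted groups of 8 binary digits, as on the slides."""
    return ".".join(f"{int(octet):08b}" for octet in addr.split("."))

def subnet_summary(host, mask):
    """Apply a dotted-decimal mask to a host address and describe the subnet it falls in."""
    iface = ipaddress.IPv4Interface(f"{host}/{mask}")   # a dotted mask is accepted as the prefix
    net = iface.network
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no network/broadcast/host split in this model")
    return {
        "host_binary": to_binary(host),
        "mask_binary": to_binary(mask),
        "prefix_length": net.prefixlen,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable_hosts": net.num_addresses - 2,           # network and broadcast are not assignable
        # the host number inside the subnet: the address bits the mask leaves as 0
        "host_number": int(iface.ip) & int(net.hostmask),
    }

def carve(network, prefixes):
    """Carve a parent network into consecutive subnets with the given prefix lengths.

    [25, 25] reproduces the two-network slide, [25, 26, 26] the three-network one.
    Raises if a piece would start on an unaligned boundary, overflow the parent,
    or leave part of the parent unallocated.
    """
    parent = ipaddress.IPv4Network(network, strict=True)
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    pieces = []
    for prefix in prefixes:
        size = 2 ** (32 - prefix)
        if cursor % size:
            raise ValueError(f"/{prefix} subnet cannot start at {ipaddress.IPv4Address(cursor)}")
        if cursor + size > end:
            raise ValueError("prefix list does not fit inside the parent network")
        sub = ipaddress.IPv4Network((cursor, prefix))
        pieces.append(subnet_summary(str(sub.network_address), str(sub.netmask)))
        cursor += size
    if cursor != end:
        raise ValueError("prefix list leaves part of the parent network unallocated")
    return pieces

if __name__ == "__main__":
    s = subnet_summary("168.221.20.235", "255.255.255.0")
    print(s["host_binary"], "/", s["mask_binary"])
    print(f"host {s['host_number']} on network {s['network']} ({s['usable_hosts']} usable hosts)")
    for piece in carve("200.200.200.0/24", [25, 26, 26]):
        print(piece["network"], "/" + str(piece["prefix_length"]),
              piece["first_host"], "-", piece["last_host"], piece["usable_hosts"], "hosts")
```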
Public and Private IP Addressing
• Private network numbers
  • Class A
    • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • Class B
    • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • Class C
    • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
• Use with a firewall or "IP Masquerade"
  • Network Address Translation.
TCP & UDP
• TCP stands for Transmission Control Protocol. Using this method, the computer sending the data connects directly to the computer it is sending the data to, and stays connected for the duration of the transfer. With this method, the two computers can guarantee that the data has arrived safely and correctly, and then they disconnect the connection. This method of transferring data tends to be quicker and more reliable, but puts a higher load on the computer as it has to monitor the connection and the data going across it. A real-life comparison to this method would be to pick up the phone and call a friend. You have a conversation and when it is over, you both hang up, releasing the connection.
TCP & UDP
UDP stands for User Datagram Protocol. Using this method, the computer sending the data packages the information into a nice little package and releases it into the network with the hope that it will get to the right place. What this means is that UDP does not connect directly to the receiving computer like TCP does, but rather sends the data out and relies on the devices in between the sending computer and the receiving computer to get the data where it is supposed to go. This method of transmission does not provide any guarantee that the data you send will ever reach its destination. On the other hand, this method of transmission has a very low overhead and is therefore very popular for services where it is not critical that every packet arrives on the first try. A comparison you can use for this method is the plain old US Postal Service. You place your mail in the mailbox and hope the Postal Service will get it to the proper location. Most of the time they do, but sometimes it gets lost along the way.
TCP & UDP Ports
• As you know every computer or device on the Internet
must have a unique number assigned to it called the IP
address. This IP address is used to recognize your
particular computer out of the millions of other
computers connected to the Internet. When
information is sent over the Internet to your computer
how does your computer accept that information? It
accepts that information by using TCP or UDP ports.
• An easy way to understand ports is to imagine your IP
address is a cable box and the ports are the different
channels on that cable box. The cable company knows
how to send cable to your cable box based upon a
unique serial number associated with that box (IP
Address), and then you receive the individual shows
on different channels (Ports).
TCP & UDP Ports
• Ports work the same way. You have an IP address, and then many ports on that IP address. When I say many, I mean many. You can have a total of 65,535 TCP ports and another 65,535 UDP ports. When a program on your computer sends or receives data over the Internet it sends that data to an IP address and a specific port on the remote computer, and receives the data on a usually random port on its own computer. If it uses the TCP protocol to send and receive the data then it will connect and bind itself to a TCP port. If it uses the UDP protocol to send and receive data, it will use a UDP port. Below is a representation of an IP address split into its many TCP and UDP ports. Note that once an application binds itself to a particular port, that port cannot be used by any other application. It is first come, first served.
Network Address Translation
• Using private IP addresses on your network and translating them to public IP addresses outside your network
NAT
• The NAT router or Firewall translates traffic coming into and leaving the private network.
NAT
• Static NAT - Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.
In static NAT, the computer with the IP address of 192.168.32.10 will always translate to 213.18.123.110.
NAT
• Dynamic NAT - Maps an unregistered IP address to a registered IP address from a group of registered IP addresses
In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.
NAT
• NAT overloading utilizes a feature of the TCP/IP protocol stack, multiplexing, that allows a computer to maintain several concurrent connections with a remote computer (or computers) using different TCP or UDP ports. An IP packet has a header that contains the following information:
  • Source Address - The IP address of the originating computer, such as 201.3.83.132
  • Source Port - The TCP or UDP port number assigned by the originating computer for this packet, such as Port 1080
  • Destination Address - The IP address of the receiving computer, such as 145.51.18.223
  • Destination Port - The TCP or UDP port number that the originating computer is asking the receiving computer to open, such as Port 3021

Source Computer   Source Computer's IP Address   Source Computer's Port   NAT Router's IP Address   NAT Router's Assigned Port Number
A                 192.168.32.10                  400                      215.37.32.203             1
B                 192.168.32.13                  50                       215.37.32.203             2
C                 192.168.32.15                  3750                     215.37.32.203             3
D                 192.168.32.18                  206                      215.37.32.203             4
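An added simulation of the NAT overloading table above (example code, not from the deck): each inside (address, port) pair is given its own port on the single public address, replies are mapped back through that table, and a packet arriving for a port with no entry is dropped. The PatRouter class, its dict-based packet headers and the private-range check are assumptions for illustration; assigned ports start at 1 only to match the slide.

```python
import ipaddress

# The private ranges from the "Public and Private IP Addressing" slide
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True when addr falls in one of the private (non-routable) ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)

class PatRouter:
    """NAT overloading (PAT): many inside (ip, port) pairs share one public IP and are
    told apart by the port the router assigns. Ports start at 1 to match the slide's
    table; a real router assigns from a high port range."""

    def __init__(self, public_ip, first_port=1):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (inside_ip, inside_port) -> assigned public port
        self.inbound = {}    # assigned public port -> (inside_ip, inside_port)

    def translate_out(self, src_ip, src_port):
        """Return the (public_ip, public_port) used for this inside flow, creating state on first use."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        key = (src_ip, src_port)
        if key not in self.outbound:
            if self.next_port > 65535:
                raise RuntimeError("port pool exhausted")
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def forward_outbound(self, packet):
        """Rewrite the source of an inside -> outside header (a dict with the slide's four fields)."""
        pub_ip, pub_port = self.translate_out(packet["src_addr"], packet["src_port"])
        return {**packet, "src_addr": pub_ip, "src_port": pub_port}

    def forward_inbound(self, packet):
        """Rewrite the destination of an outside -> inside reply, or return None to drop it.
        A packet for a port with no table entry (an unsolicited connection from outside)
        has no inside host to go to, so it is dropped."""
        if packet["dst_addr"] != self.public_ip:
            return None
        entry = self.inbound.get(packet["dst_port"])
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return {**packet, "dst_addr": inside_ip, "dst_port": inside_port}

if __name__ == "__main__":
    router = PatRouter("215.37.32.203")
    for label, ip, port in (("A", "192.168.32.10", 400), ("B", "192.168.32.13", 50),
                            ("C", "192.168.32.15", 3750), ("D", "192.168.32.18", 206)):
        print(label, ip, port, "->", router.translate_out(ip, port))
```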
What is IPv6?
• IPv6 is short for "Internet Protocol Version 6". IPv6 is the "next generation" protocol designed by the IETF to replace the current version of the Internet Protocol, IP Version 4 ("IPv4")
• The primary change from IPv4 to IPv6 is the length of network addresses. IPv6 addresses are 128 bits long, whereas IPv4 addresses are 32 bits;
• IPv4 address space contains 4,294,967,296 addresses
• IPv6 has enough room for 340,282,366,920,938,463,463,374,607,431,768,211,456 (340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand, 456) unique addresses.
What is IPv6?
• IPv6 addresses are normally written as eight groups of four hexadecimal digits.
• For example, 2001:0db8:85a3:08d3:1319:8a2e:0370:7334 is a valid IPv6 address
Networking Models
• Peer-to-Peer
• Client Server
Network Topologies
Ethernet
• CSMA/CD - Carrier Sense Multiple Access / Collision Detection
• networks with over 35% utilization experience high collision rates and delays
• maximum number of nodes 1024
• four repeater rule
Token Ring
• CSMA/CA
• Token passing
• Developed by IBM
• 260 nodes per network
Hubs, Switches, and Routers
• Unmanaged vs Managed
• Growth Potential
• Expansion
• Cascade
Hubs, Switches, and Routers
• Hubs - Layer 2 (MAC address)
  • Multiport Repeater
• Switches - Layer 2 or 3
  • Layer 2 (MAC address) segments network
  • Layer 3 (Network address) segments network
• Routers - Layer 3
  • Network layer segments network
Switches
Power over Ethernet (POE) Switches
Switches – MAC Table
Dynamic Address Count: 116
Secure Address Count: 0
Static Address (User-defined) Count: 0
System Self Address Count: 76
Total MAC addresses: 192
Maximum MAC addresses: 8192
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
0000.0c07.ac33       Dynamic       51    GigabitEthernet0/1
0000.0c07.acff       Dynamic       998   GigabitEthernet0/4
0001.023c.ad29       Dynamic       51    GigabitEthernet0/1
0001.e68a.7f84       Dynamic       51    GigabitEthernet0/5
0001.e697.2643       Dynamic       51    GigabitEthernet0/16
0001.e699.9263       Dynamic       51    GigabitEthernet0/6
0001.e69b.fe39       Dynamic       51    GigabitEthernet0/12
0001.e69d.2f99       Dynamic       51    GigabitEthernet0/1
0001.e69e.4f14       Dynamic       51    GigabitEthernet0/13
0002.a535.529b       Dynamic       51    GigabitEthernet0/12
0002.fd70.9ec0       Dynamic       998   GigabitEthernet0/8
0005.317b.83fc       Dynamic       51    GigabitEthernet0/12
0005.317b.83fc       Dynamic       998   GigabitEthernet0/1
0005.5e50.0b82       Dynamic       51    GigabitEthernet0/2
0005.5e50.0b82       Dynamic       998   GigabitEthernet0/2
0005.dd3e.b900       Dynamic       998   GigabitEthernet0/1
0006.2977.202d       Dynamic       51    GigabitEthernet0/1
0006.2977.352c       Dynamic       51    GigabitEthernet0/8
0006.536c.9ff2       Dynamic       1     GigabitEthernet0/3
0006.536c.9ff2       Dynamic       51    GigabitEthernet0/1
0006.536c.9ff2       Dynamic       998   GigabitEthernet0/9
0006.536c.c800       Dynamic       998   GigabitEthernet0/1
0006.5b16.0121       Dynamic       51    GigabitEthernet0/10
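An added example (not from the deck) that reads the switch's MAC table output above and turns it into two checks a network administrator would run over it: which MACs are learned behind more than one port, and how many MACs each port has learned. The sample table is a constructed subset of the slide's rows; the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the slide's table (a subset of its rows)
SAMPLE_MAC_TABLE = """\
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
0000.0c07.ac33       Dynamic       51    GigabitEthernet0/1
0005.317b.83fc       Dynamic       51    GigabitEthernet0/12
0005.317b.83fc       Dynamic       998   GigabitEthernet0/1
0005.5e50.0b82       Dynamic       51    GigabitEthernet0/2
0005.5e50.0b82       Dynamic       998   GigabitEthernet0/2
0006.536c.9ff2       Dynamic       1     GigabitEthernet0/3
0006.536c.9ff2       Dynamic       51    GigabitEthernet0/1
0006.536c.9ff2       Dynamic       998   GigabitEthernet0/9
0006.5b16.0121       Dynamic       51    GigabitEthernet0/10
"""

# One table row: dotted MAC in three groups of four hex digits, address type, VLAN id, port name
ROW = re.compile(r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\d+)\s+(\S+)$", re.IGNORECASE)

def parse_mac_table(text):
    """Return one dict per table row; header, separator and count lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, kind, vlan, port = m.groups()
            entries.append({"mac": mac.lower(), "type": kind, "vlan": int(vlan), "port": port})
    return entries

def macs_on_multiple_ports(entries):
    """MACs the switch has learned behind more than one port.

    Expected for a router or firewall whose interface serves several VLANs over a
    trunk; otherwise it points at a host that moved, a loop, or a spoofed address.
    """
    ports = defaultdict(set)
    for e in entries:
        ports[e["mac"]].add(e["port"])
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}

def macs_per_port(entries):
    """Distinct MACs learned on each port. An access port meant for one PC that
    suddenly shows many addresses deserves a look (an unmanaged switch or hub
    plugged in, or a flood of made-up addresses filling the 8192-entry table)."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["port"]].add(e["mac"])
    return {port: len(macs) for port, macs in seen.items()}

if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for mac, ports in macs_on_multiple_ports(table).items():
        print(mac, "seen on", ", ".join(ports))
    for port, count in sorted(macs_per_port(table).items()):
        print(port, count, "MAC(s)")
```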
Hubs vs Switches
Switching
Switching Layers
• Layer 2 - (MAC address) segments network
• Layer 3 - (Network address) segments network
• Layer 4 - (TCP/UDP port) restricts access by port
QOS (Quality of Service)
• Quality of Service is the ability to provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow.
• Quality of Service guarantees are important if the network capacity is limited, for example in cellular data communication, especially for real-time streaming multimedia applications, for example voice over IP and IP-TV, since these often require fixed bit rate and are delay sensitive.
Routers
A router is a device in computer networking that forwards data packets to their destinations, based on their addresses. The work a router does is called routing, which is somewhat like switching, but a router is different from a switch. The latter is simply a device to connect machines to form a LAN.
Routers
When data packets are transmitted over a network (say the Internet), they move through many routers (because they pass through many networks) in their journey from the source machine to the destination machine. Routers work with IP packets, meaning that they work at the level of the IP protocol.
Each router keeps information about its neighbors (other routers in the same or other networks). This information includes the IP address and the cost, which is in terms of time, delay and other network considerations. This information is kept in a routing table, found in all routers.
When a packet of data arrives at a router, its header information is scrutinized by the router. Based on the destination and source IP addresses of the packet, the router decides which neighbor it will forward it to. It chooses the route with the least cost, and forwards the packet to the first router on that route.
Routers
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 168.221.27.138 to network 0.0.0.0
S    192.168.209.0/24 [1/0] via 192.168.37.6
     168.221.0.0/16 is variably subnetted, 597 subnets, 9 masks
D       168.221.237.152/30 [90/190976] via 168.221.191.75, 23:39:18, Serial3/1.1
D       168.221.236.152/30 [90/190976] via 168.221.205.10, 23:39:15, Serial3/1.4
D       168.221.239.152/30 [90/190976] via 168.221.191.117, 23:39:08, Serial3/1.1
D       168.221.238.152/30 [90/190976] via 168.221.252.40, 23:39:17, Serial3/0.1
D       168.221.236.156/30 [90/190976] via 168.221.202.22, 23:39:11, Serial3/0.7
D       168.221.38.85/32
           [90/24821248] via 168.221.27.99, 00:31:26, GigabitEthernet4/0.3
           [90/24821248] via 168.221.27.135, 00:31:26, GigabitEthernet4/0.1
           [90/24821248] via 168.221.27.6, 00:31:26, GigabitEthernet4/0.2
           [90/24821248] via 168.221.27.134, 00:31:26, GigabitEthernet4/0.1
D       168.221.235.152/30 [90/190976] via 168.221.252.127, 23:39:14, Serial3/0.1
D       168.221.239.156/30 [90/190976] via 168.221.202.110, 23:39:21, Serial3/0.29
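An added example (not from the deck) of the forwarding decision the router slides describe: parse the show ip route output above into prefixes and next hops, then pick the most specific matching route, keep its equal-cost next hops, and fall back to the gateway of last resort. The sample routes are a constructed excerpt of the slide's table; the parse_routes and lookup functions are assumptions.

```python
import ipaddress
import re

# Constructed excerpt in the layout of the slide's "show ip route" output (rows taken from it)
SAMPLE_ROUTES = """\
Gateway of last resort is 168.221.27.138 to network 0.0.0.0
S    192.168.209.0/24 [1/0] via 192.168.37.6
     168.221.0.0/16 is variably subnetted, 597 subnets, 9 masks
D       168.221.237.152/30 [90/190976] via 168.221.191.75, 23:39:18, Serial3/1.1
D       168.221.38.85/32
           [90/24821248] via 168.221.27.99, 00:31:26, GigabitEthernet4/0.3
           [90/24821248] via 168.221.27.135, 00:31:26, GigabitEthernet4/0.1
D       168.221.235.152/30 [90/190976] via 168.221.252.127, 23:39:14, Serial3/0.1
"""

# Route line: optional code(s) from the legend, a prefix, then whatever follows it
ROUTE = re.compile(r"^(?P<code>[A-Za-z*]+(?: [A-Z0-9]+)?)?\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)(?P<rest>.*)$")
# One path: [administrative distance/metric] via next-hop, with optional age and interface
PATH = re.compile(r"\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<via>\d+(?:\.\d+){3})(?:, (?P<age>\S+), (?P<iface>\S+))?")
GATEWAY = re.compile(r"Gateway of last resort is (\S+) to network 0\.0\.0\.0")

def parse_routes(text):
    """Build {'gateway_of_last_resort': ip or None, 'routes': [...]} from show ip route text."""
    table = {"gateway_of_last_resort": None, "routes": []}
    current = None
    for line in text.splitlines():
        g = GATEWAY.search(line)
        if g:
            table["gateway_of_last_resort"] = g.group(1)
            continue
        m = ROUTE.match(line)
        if m:
            if "subnetted" in m.group("rest"):
                current = None      # summary of a variably subnetted major net, not a usable route
                continue
            current = {"code": (m.group("code") or "").strip(),
                       "network": ipaddress.ip_network(m.group("prefix")), "paths": []}
            table["routes"].append(current)
            line = m.group("rest")  # a path may sit on the same line as the prefix
        if current is not None:     # indented continuation lines hold the extra equal-cost paths
            for p in PATH.finditer(line):
                current["paths"].append({"ad": int(p.group("ad")), "metric": int(p.group("metric")),
                                         "via": p.group("via"), "iface": p.group("iface")})
    return table

def lookup(table, destination):
    """Pick the most specific matching route; among its paths keep those with the lowest
    [AD/metric] (the equal-cost next hops); otherwise fall back to the gateway of last resort."""
    ip = ipaddress.ip_address(destination)
    best = None
    for route in table["routes"]:
        if ip in route["network"] and (best is None or route["network"].prefixlen > best["network"].prefixlen):
            best = route
    if best is None:
        gw = table["gateway_of_last_resort"]
        return None if gw is None else {"code": "*", "prefix": "0.0.0.0/0", "next_hops": [gw]}
    paths = sorted(best["paths"], key=lambda p: (p["ad"], p["metric"]))
    cheapest = (paths[0]["ad"], paths[0]["metric"]) if paths else None
    hops = [p["via"] for p in paths if (p["ad"], p["metric"]) == cheapest]
    return {"code": best["code"], "prefix": str(best["network"]), "next_hops": hops}

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dst in ("168.221.38.85", "168.221.237.154", "192.168.209.77", "168.221.38.86", "198.51.100.7"):
        print(dst, "->", lookup(table, dst))
```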
Network Protocols
• VLAN
• Trunking
• Half Duplex/Full Duplex
VLANs
Wireless Networking
Wireless Networking – 802.11
In 1997, the Institute of Electrical and Electronics Engineers (IEEE) created the first WLAN standard. They called it 802.11 after the name of the group formed to oversee its development. Unfortunately, 802.11 only supported a maximum bandwidth of 2 Mbps - too slow for most applications. For this reason, ordinary 802.11 wireless products are no longer being manufactured.
Wireless - WiFi
• Short for ‘wireless fidelity’. A term for certain types of wireless local area networks (WLAN) that use specifications conforming to IEEE 802.11b. WiFi has gained acceptance in many environments as an alternative to a wired LAN.
• Many airports, hotels, and other services offer public access to WiFi networks so people can log onto the Internet and receive emails on the move. These locations are known as hotspots.
• Low power, Short Distance, Non-penetrating, unlicensed
Wireless Networking – 802.11b
IEEE expanded on the original 802.11 standard in 1999, creating the 802.11b specification. 802.11b supports bandwidth up to 11 Mbps, comparable to traditional Ethernet. 802.11b uses the same radio signaling frequency - 2.4 GHz - as the original 802.11 standard. Being an unregulated frequency, 802.11b gear can incur interference from microwave ovens, cordless phones, and other appliances using the same 2.4 GHz range. However, by installing 802.11b gear a reasonable distance from other appliances, interference can easily be avoided. Vendors often prefer using unregulated frequencies to lower their production costs.
Pros of 802.11b - lowest cost; signal range is best and is not easily obstructed
Cons of 802.11b - slowest maximum speed; supports fewer simultaneous users; appliances may interfere on the unregulated frequency band.
Wireless Networking – 802.11a
At the same time 802.11b was developed, IEEE created a second extension to the original 802.11 standard called 802.11a. Because 802.11b gained in popularity much faster than did 802.11a, some folks believe that 802.11a was created after 802.11b. In fact, 802.11a was created at the same time and intended mainly for the business market, whereas 802.11b better serves the home market. 802.11a supports bandwidth up to 54 Mbps and signals in a regulated 5 GHz range. Compared to 802.11b, this higher frequency limits the range of 802.11a. The higher frequency also means 802.11a signals have more difficulty penetrating walls and other obstructions. Because 802.11a and 802.11b utilize different frequencies, the two technologies are incompatible with each other. Some vendors offer hybrid 802.11a/b network gear, but these products simply implement the two standards side by side.
Pros of 802.11a - fastest maximum speed; supports more simultaneous users; regulated frequencies prevent signal interference from other devices
Cons of 802.11a - highest cost; shorter range signal that is more easily obstructed
Wireless Networking – 802.11g
In 2002 and 2003, WLAN products supporting a new standard called 802.11g began to appear on the scene. 802.11g attempts to combine the best of both 802.11a and 802.11b. 802.11g supports bandwidth up to 54 Mbps, and it uses the 2.4 GHz frequency for greater range. 802.11g is backwards compatible with 802.11b, meaning that 802.11g access points will work with 802.11b wireless network adapters and vice versa.
Pros of 802.11g - fastest maximum speed; supports more simultaneous users; signal range is best and is not easily obstructed
Cons of 802.11g - costs more than 802.11b; appliances may interfere on the unregulated signal
Wireless - WiMax
• WiMAX refers to broadband wireless networks that are based on the IEEE 802.16 standard, which ensures compatibility and interoperability between broadband wireless access equipment.
• Acronym that stands for Worldwide Interoperability for Microwave Access
• High power, long distance (31 miles), penetrating, usually licensed
Wireless – WiMax (802.16)
• Broadband Wireless Access Standard that provides secure, full-duplex, fixed wireless MAN service. Also known as WiMAX, throughput can reach 75 Mbps and does not require line-of-sight to operate. The 802.16e extension adds roaming outside of a “home” service area. Reach can extend from one mile at full speed to 30 miles at reduced throughput.
Wireless Networking – Bluetooth
Bluetooth is an alternative wireless network technology that followed a different development path than the 802.11 family. Bluetooth supports a very short range (approximately 10 meters) and relatively low bandwidth (1 Mbps). In practice, Bluetooth networks PDAs or cell phones with PCs but does not offer much value for general-purpose WLAN networking. The very low manufacturing cost of Bluetooth appeals to vendors.
Wireless Security - Authentication
• PAP - Password Authentication Protocol.
• CHAP - Challenge Handshake Authentication Protocol.
• MS-CHAP - Microsoft implementation of CHAP protocol.
• Wireless LAN authentication - Extensible Authentication Protocol (EAP) for 802.1x port-based authentication used in 802.11 WLANs.
  • EAP-MD5 - Mandatory EAP authentication method
  • EAP-LEAP - EAP-Lightweight EAP. Cisco's proprietary EAP method; works only with Cisco and Apple WLAN equipment.
  • EAP-TLS - EAP-Transport Layer Security. Provides mutual authentication, but requires client and server certificates.
  • EAP-TTLS - EAP-Tunneled Transport Layer Security. A proprietary method that provides mutual authentication, but requires server certificate distribution and administration. The clients are proprietary and cost between $25-$50 each.
  • EAP-PEAP - EAP-Protected EAP. An emerging protocol backed by Microsoft, Cisco, and RSA Security that provides mutual authentication.
Wireless Security - Authentication
• Local Database
• RADIUS (Remote Authentication Dial In User Service)
• Active Directory
Wiring Types
• Fiber Optics
  • Connectors
  • Single mode vs Multimode
• Copper (Twisted Pair)
  • Categories
• Copper (Coaxial)
Structured Networking
• Future-Proof the Network Design
  • ...the objective is to enable the adoption of new technologies with minimal retrofit and cost
  • provide a scalable foundation that allows new technologies to be added incrementally and economically, enhancing the capabilities of the network
Structured Networking
• Implement structured wiring and intelligent hubs
  • provides path for upgrading
  • remotely monitor port-level activity
  • isolate problem stations
  • collect statistics
Structured Networking
• Structured network design
• highly organized
• hierarchical approach
Structured Networking
• Establish network centers
• centralize expensive equipment
• easier to troubleshoot
• easier to secure
Factors in Network Design
• Performance
• Scalability
• Cost
• Manageability
Broadband vs Baseband
• broadband (multiplexing)
  • transmitting multiple signals at once by subdividing into channels
• baseband
  • transmits all signals through a single channel
• bandwidth
  • network carrying capacity
Multiplexing
• Time division multiplexing
CC|BB|AA|CC|BB|AA|CC|BB|AA
• Frequency division multiplexing
AAAAAAAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCCCC
Traffic Management
• IP TV
• Real Audio
• PointCast
• Broadcast
• Unicast
• Multicast
• Viruses
• Worms
Troubleshooting Your Network
• Knowing your network
  • Application metering
  • Network management systems
  • Baseline and trend analysis
  • Broadcasts
  • Response time
  • Retransmissions
  • Routing
  • Bandwidth and throughput
  • Traffic characterization
  • Optimization
Troubleshooting Your Network
• Troubleshooting Methodology
  • Gather information
  • Isolate the problem
  • Apply corrective measures
  • Monitor results
Troubleshooting Your Network
• Analyzer (packet capture)
• Tone and Probe
• Test All
• DVM
• Performance Monitor
• Network Health Monitor
Troubleshooting Your Network
• Protocol analyzers
  • Triggers
  • Displays
  • Monitoring
  • Filters
  • Report
Troubleshooting Your Network
• Link - Determine whether the drop is active, identify its speed, duplex capabilities and service type. 10/100/1000 Mbps
• Ping - Verify connectivity to key devices.
• Cable verification - Multiple tests help you quickly determine if cable is the problem.
• Cable identification - Document unmarked segments, saving you hours of troubleshooting time.
• CDP/EDP - Precisely determine where network drops terminate on Cisco and Extreme switches
Troubleshooting Your Network
• Cable Testers
  • Impedance and crosstalk
  • Near-end crosstalk (NEXT)
  • Pair-matching
  • Cable length
Troubleshooting Your Network
• Ping
• Trace Route
• NSLookup
• Telnet
• Routing Tables
• IP Config
• Winipcfg
Ping (Packet Internet Grope)
TraceRoute
Tracert www.uwa.edu.au
Tracing route to mysource.webcluster.uwa.edu.au [130.95.128.111]
over a maximum of 30 hops:
1 21 ms 20 ms 20 ms adsl-3-11-1.mia.bellsouth.net [65.3.11.1]
2 21 ms 21 ms 22 ms adsl-152-108-1.mia.bellsouth.net [205.152.108.1]
3 21 ms 21 ms 21 ms 205.152.145.161
4 21 ms 20 ms 21 ms axr00mia-1-3-1.bellsouth.net [65.83.237.10]
5 20 ms 21 ms 21 ms pxr00mia-2-0-0.bellsouth.net [65.83.236.18]
6 22 ms 21 ms 22 ms 0.so-0-0-0.GW8.MIA4.ALTER.NET [65.208.86.153]
7 21 ms 21 ms 21 ms 0.so-1-3-0.xl2.mia4.alter.net [152.63.84.122]
8 37 ms 39 ms 38 ms 0.so-4-2-0.xl2.atl5.alter.net [152.63.81.81]
9 37 ms 37 ms 37 ms pos7-0.br4.atl5.alter.net [152.63.84.153]
10 54 ms 54 ms 54 ms 204.255.174.194
11 55 ms 53 ms 54 ms sl-bb23-fw-13-0.sprintlink.net [144.232.8.67]
12 83 ms 82 ms 83 ms sl-bb23-ana-11-2.sprintlink.net [144.232.8.77]
13 93 ms 94 ms 93 ms sl-bb25-sj-9-0.sprintlink.net [144.232.20.159]
14 98 ms 97 ms 98 ms 144.232.20.7
15 96 ms 95 ms 96 ms sl-aarne-2-0.sprintlink.net [144.223.243.26]
16 273 ms 261 ms 274 ms pos3-1-0.bb1.a.syd.aarnet.net.au [202.158.194.73]
17 276 ms 275 ms 274 ms 10gigether0-0-0.bb1.b.syd.aarnet.net.au [202.158.194.46]
18 434 ms 290 ms 286 ms pos3-0-0.bb1.a.mel.aarnet.net.au [202.158.194.33]
19 280 ms 295 ms 295 ms pos3-0-0.bb1.a.adl.aarnet.net.au [202.158.194.17]
20 322 ms 322 ms 323 ms pos0-1-0.bb1.a.per.aarnet.net.au [202.158.194.5]
21 302 ms 304 ms 302 ms 202.158.198.10
22 302 ms 302 ms 305 ms mysource.webcluster.uwa.edu.au [130.95.128.111]
Trace complete.
NSLookup
WinIPCfg
IPConfig -a
Intranet/Extranet
• Intranet
  • network and resources available only to members of your organization on your network.
• Extranet
  • network and resources available to members of your organization on your network and selected users off your network.
  • Not open to the public (anonymous users)
Packet Sniffer Capture
Internet Access - Access
Wide Area Networking
• connecting LANs together over great distance
• connecting schools to district offices or each other
• connecting schools to the Internet
• usually done with leased lines and services
WAN Technologies
• Methods of connecting two or more sites together
• Universal Service Fund (Chapter 364) may provide up to $20,000 to offset installation charges
• E-Rate available to reduce monthly charges
• 2 Charges - line charges and Internet Access charges
  • Both charges based on bandwidth
• All require equipment to connect to WAN - router and CSU/DSU etc
WAN Technologies
• POTS (Plain Old Telephone Service)
  • <56 Kbps
  • analog multipurpose phone line
  • available everywhere
  • unlimited distance with long distance service
  • requires modem to connect network to phone line ($150)
  • installation about $75 - monthly charges $40
WAN Technologies
• Wireless – WiMax
  • Point-to-Point
  • Point-to-Multipoint
• MetroEthernet (NMLI – Native Mode LAN Interconnect)
  • Same speeds as Ethernet
  • 10 Mbps; 100 Mbps; 1000 Mbps
Internet Access - Frame Relay
Internet Access - Registration
• What is ICANN?
• The Internet Corporation for Assigned Names and Numbers
(ICANN) is responsible for managing and coordinating the
Domain Name System (DNS) to ensure that every address is
unique and that all users of the Internet can find all valid
addresses. It does this by overseeing the distribution of
unique IP addresses and domain names. It also ensures that
each domain name maps to the correct IP address.
• ICANN is also responsible for accrediting the domain name
registrars. "Accredit" means to identify and set minimum
standards for the performance of registration functions, to
recognize persons or entities meeting those standards, and to
enter into an accreditation agreement that sets forth the rules
and procedures applicable to the provision of Registrar
Services.
Internet Access - Registration
• InterNIC - .com .gov .edu .net
• Internet Network Information Center
• www.internic.net (800) 444-4345
• Managed by Network Solutions, Inc.
• Herndon, Virginia
• Registering your domain company.com
• Official names and numbers must be
registered with the InterNIC
Internet Access - Registration
• http://www.isi.edu
• The US Domain is an official top-level
domain in the DNS of the Internet
community.
• It is administered by the US Domain Registry
at the Information Sciences Institute of the
University of Southern California (ISI), under
the Internet Assigned Numbers Authority
(IANA).
• US is the ISO-3166 2-letter country code for
the United States and thus the US Domain is
established as a top-level domain and
registered with the Internic the same way
other country domains are.
Internet Access Registration
Internet Access - DNS
• Converts Hostnames to IP
addresses
• www.dade.k12.fl.us -> 168.221.21.150
• You may host your own DNS or
contract with another source
• Must have primary DNS and
secondary DNS
• DNS is a text file and special
software that is on a server
Internet Access - DNS
• Must register your domain and
range of IP addresses
• DNS contains name to address
resolutions
• DNS contains Mail Exchange
Records
• Caching DNS servers
• Authoritative and Nonauthoritative
How DNS works
Sample of DNS file
Security
Security
• Limit access to network (dial in)
• Develop a security policy
• Limit protocols IP, IPX, AT
• NT and Novell running IP are vulnerable
• Internal and External Attacks
• Software for testing vulnerabilities
(SATAN, Pingware, NetProbe)
• Data Encryption
• Mathematical algorithm rearranges bits
• Both sides must know the key to encrypt
or decrypt
Security - Vulnerabilities
• Back Orifice/Subseven/VNC
• Net Bus
• Operating System
• Attacks
• Spoofing
• Snooping/Sniffing
• Modems
• Viruses
• File and print sharing
How Hackers Gain Access
• Stealing Passwords
• People who use the same password on multiple accounts,
especially when some of those accounts are on public Internet
sites with little to no security.
• People who write their passwords down and store them in
obvious places. Writing down passwords is often encouraged
by the need to frequently change passwords.
• The continued use of insecure protocols that transfer
passwords in clear text, such as those used for Web surfing, email, chat, file transfer, etc.
• The threat of software and hardware keystroke loggers.
• The problem of shoulder surfing or video surveillance.
• Trojan Horses
• The malicious payload of a Trojan horse can be anything. This
includes programs that destroy hard drives, corrupt files, record
keystrokes, monitor network traffic, track Web usage, duplicate emails, allow remote control and remote access, transmit data files
to others, launch attacks against other targets, plant proxy
servers, host file sharing services, and more.
How Hackers Gain Access
• Exploiting Defaults
• Nothing makes attacking a target network easier than when that
target is using the defaults set by the vendor or manufacturer.
Many attack tools and exploit scripts assume that the target is
configured using the default settings. Thus, one of the most
effective and often overlooked security precautions is simply to
change the defaults.
How Hackers Gain Access
• Wireless Attacks
• It is often the case that the time, effort, and expense required to
secure wireless networks is significantly more than deploying a
traditional wired network.
• Research
• Knowing names of key employees and users
• Documents posted on the web
• Operating systems used
• Flaws in products
• Being Persistent
• Being a user on your network
• Monitoring Vulnerability Research
Security - Vulnerabilities
• Denial-of-service
• Trojan horse
• Worm
• PING sweeps
• Port scanning
• Software holes
• Social engineering
• SPAM
• Spyware/Malware
Security - Policies
• Business Continuity Plan
• Disaster Recovery Plan
• Physical Security Policy
• Barriers, Detection, Response
• User Security Policy
• User Education
• Security Awareness
• Network Security
• Architecture
• Services and Access
Security - Configuration
• New System with patches
• Disable Excess Services
• Remove Nonessential Programs
• Use Warning Banners
• Limit User Access
• Enable Logging
• Enable Auditing
• Disable scripting
Security - Tools
• Vulnerability Assessments
• Nessus (Open Source)
• X-Scan (Open Source)
• Retina
• NewT
• LANguard
• Ping Sweeps
• Port Scanners
• Banner Grabbing
• OS Guessing
Security - Response
• Preparation
• Initial Response
• Incident Management
• Forensics
• Tools Analysis
• Documentation
Security – Wireless
• Not very secure
• Factory defaults
• War driving
• Netstumbler
• WEP
• MAC address tables
• VPN
• Passwords
Viruses, Worms and Trojans, Oh My!

Viruses - A virus is a small piece of software that piggybacks on real programs. For
example, a virus might attach itself to a program such as a spreadsheet program.
Each time the spreadsheet program runs, the virus runs, too, and it has the chance to
reproduce (by attaching to other programs) or wreak havoc.

E-mail viruses - An e-mail virus moves around in e-mail messages, and usually
replicates itself by automatically mailing itself to dozens of people in the victim's email address book.

Worms - A worm is a small piece of software that uses computer networks and
security holes to replicate itself. A copy of the worm scans the network for another
machine that has a specific security hole. It copies itself to the new machine using the
security hole, and then starts replicating from there, as well.

Trojan horses - A Trojan horse is simply a computer program. The program claims
to do one thing (it may claim to be a game) but instead does damage when you run it
(it may erase your hard disk). Trojan horses have no way to replicate automatically.
Security - Hackers
• Hacks, Cracks, Phreaks, Pirates
Internet Access - Security
• Passwords
• Password generators
• Password Encryption
• Timed passwords
• Encryption
• Private IP networks
• Routing tables
• Tunneling
• Firewall
• Access lists
• Servers
• DMZ
• VPN
Firewalls
• Connecting your network to the world gives the world
access to your network
• A firewall is simply a program or hardware device that
filters the information coming through the Internet
connection into your private network or computer system.
If an incoming packet of information is flagged by the
filters, it is not allowed through.
• The firewall applies a set of rules to either accept or reject
each packet
Firewalls
• Firewalls use one or more of three methods to control traffic flowing in
and out of the network:
• Packet filtering - Packets (small chunks of data) are analyzed
against a set of filters. Packets that make it through the filters are
sent to the requesting system and all others are discarded.
• Proxy service - Information from the Internet is retrieved by the
firewall and then sent to the requesting system and vice versa.
• Stateful inspection - A newer method that doesn't examine the
contents of each packet but instead compares certain key parts of
the packet to a database of trusted information. Information
traveling from inside the firewall to the outside is monitored for
specific defining characteristics, then incoming information is
compared to these characteristics. If the comparison yields a
reasonable match, the information is allowed through. Otherwise it
is discarded.
Firewalls
• Firewalls are customizable. This means that you can add or remove
filters based on several conditions. Some of these are:
• IP addresses - Each machine on the Internet is assigned a unique
address called an IP address. IP addresses are 32-bit numbers,
normally expressed as four "octets" in a "dotted decimal number."
A typical IP address looks like this: 216.27.61.137. For example, if
a certain IP address outside the company is reading too many files
from a server, the firewall can block all traffic to or from that IP
address.
• Domain names - A company might block all access to certain
domain names, or allow access only to specific domain names.
Firewalls
• Protocols - The protocol is the pre-defined way that someone who wants to use a
service talks with that service. The "someone" could be a person, but more often it is a
computer program like a Web browser. Protocols are often text, and simply describe
how the client and server will have their conversation. The http at the start of a Web
address names the Web's protocol. Some common protocols that you can set firewall
filters for include:
• IP (Internet Protocol) - the main delivery system for information over the Internet
• TCP (Transmission Control Protocol) - used to break apart and rebuild information that
travels over the Internet
• HTTP (Hyper Text Transfer Protocol) - used for Web pages
• FTP (File Transfer Protocol) - used to download and upload files
• UDP (User Datagram Protocol) - used for information that requires no response, such as
streaming audio and video
• ICMP (Internet Control Message Protocol) - used by a router to exchange information
with other routers
• SMTP (Simple Mail Transfer Protocol) - used to send text-based information (e-mail)
• SNMP (Simple Network Management Protocol) - used to collect system information from
a remote computer
• Telnet - used to perform commands on a remote computer
• A company might set up only one or two machines to handle a specific protocol and ban
that protocol on all other machines.
Firewalls
• Ports - Any server machine makes its services available to the
Internet using numbered ports, one for each service that is available
on the server. For example, if a server machine is running a Web
(HTTP) server and an FTP server, the Web server would typically be
available on port 80, and the FTP server would be available on port
21. A company might block port 21 access on all machines but one
inside the company.
• Specific words and phrases - This can be anything. The firewall will
sniff (search through) each packet of information for an exact match of
the text listed in the filter. For example, you could instruct the firewall
to block any packet with the word "X-rated" in it. The key here is that it
has to be an exact match. The "X-rated" filter would not catch "X
rated" (no hyphen). But you can include as many words, phrases and
variations of them as you need.
Firewalls – What they can protect you from
• Remote login - When someone is able to connect to your computer and
control it in some form. This can range from being able to view or access your
files to actually running programs on your computer.
• Application backdoors - Some programs have special features that allow for
remote access. Others contain bugs that provide a backdoor, or hidden
access, that provides some level of control of the program.
• SMTP session hijacking - SMTP is the most common method of sending e-mail
over the Internet. By gaining access to a list of e-mail addresses, a
person can send unsolicited junk e-mail (spam) to thousands of users. This is
done quite often by redirecting the e-mail through the SMTP server of an
unsuspecting host, making the actual sender of the spam difficult to trace.
• Operating system bugs - Like applications, some operating systems have
backdoors. Others provide remote access with insufficient security controls or
have bugs that an experienced hacker can take advantage of.
Firewalls – What they can protect you from
• Denial of service - You have probably heard this phrase used in news reports
on the attacks on major Web sites. This type of attack is nearly impossible to
counter. What happens is that the hacker sends a request to the server to
connect to it. When the server responds with an acknowledgement and tries to
establish a session, it cannot find the system that made the request. By
inundating a server with these unanswerable session requests, a hacker
causes the server to slow to a crawl or eventually crash.
• E-mail bombs - An e-mail bomb is usually a personal attack. Someone sends
you the same e-mail hundreds or thousands of times until your e-mail system
cannot accept any more messages.
• Macros - To simplify complicated procedures, many applications allow you to
create a script of commands that the application can run. This script is known
as a macro. Hackers have taken advantage of this to create their own macros
that, depending on the application, can destroy your data or crash your
computer.
Firewalls – What they can protect you from
• Viruses - Probably the most well-known threat is computer viruses. A
virus is a small program that can copy itself to other computers. This
way it can spread quickly from one system to the next. Viruses range
from harmless messages to erasing all of your data.
• Spam - Typically harmless but always annoying, spam is the
electronic equivalent of junk mail. Spam can be dangerous though.
Quite often it contains links to Web sites. Be careful of clicking on
these because you may accidentally accept a cookie that provides a
backdoor to your computer.
• Redirect bombs - Hackers can use ICMP to change (redirect) the
path information takes by sending it to a different router. This is one of
the ways that a denial of service attack is set up.
Firewalls
• IP address filtering - checking
source and destination addresses
• TCP/UDP port filtering (server
and client)
• permit access to port 80 (http)
• deny access to port 23 (telnet)
• ACK bit
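The filtering methods the firewall slides describe (IP address filtering, TCP/UDP port filtering with port 80 permitted and port 23 denied, the ACK-bit check, and stateful inspection) as an added example that is not part of the FETC slides; the 10.0.0.0/8 inside block, the web server address, the rule set and the packets are constructed sample data.

```python
"""Added example (not from the FETC slides): a toy packet filter that applies the
rule types the slides list - source/destination IP filtering, TCP/UDP port
filtering, the TCP ACK-bit check - beside a minimal stateful connection table.
The address block, rules and packets are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag; clear on the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"          # CIDR block the source address must fall in
    dst: str = "0.0.0.0/0"          # CIDR block the destination must fall in
    dport: Optional[int] = None     # destination port, or None for any port
    ack_set: Optional[bool] = None  # require ACK set (True) / clear (False) / ignore (None)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.ack_set is not None and pkt.ack != self.ack_set:
            return False
        return True


INSIDE = "10.0.0.0/8"          # constructed: the district's private address block
WEB_SERVER = "10.1.1.80/32"    # constructed: the one host allowed to serve port 80

# Stateless rule set: first match wins, and anything unmatched is denied.
RULES: List[Rule] = [
    # Replies to connections opened from inside carry the ACK bit.
    Rule("permit", proto="tcp", dst=INSIDE, ack_set=True),
    # Outside hosts may reach only the web server, and only on port 80 (http).
    Rule("permit", proto="tcp", dst=WEB_SERVER, dport=80),
    # No telnet (port 23) into the inside network.
    Rule("deny", proto="tcp", dst=INSIDE, dport=23),
    # Traffic that originates inside may go out.
    Rule("permit", src=INSIDE),
]


def filter_stateless(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Walk the rule list in order and return the first matching action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny at the end of every rule list


class StatefulFirewall:
    """Stateful inspection: record each connection opened from inside and
    admit only the reply traffic that matches a recorded connection, so an
    unsolicited inbound packet is dropped even if its ACK bit is set."""

    def __init__(self, inside: str = INSIDE):
        self.inside = ip_network(inside)
        self.table: Set[Tuple[str, int, str, int, str]] = set()

    def filter(self, pkt: Packet) -> str:
        if ip_address(pkt.src) in self.inside:
            # Outbound: remember (inside host, port, outside host, port, proto).
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "permit"
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "permit" if reply_key in self.table else "deny"
```

The stateless ACK rule admits any inbound TCP packet whose ACK bit is set, whether or not a connection exists; the stateful table is what ties inbound traffic to a connection actually opened from inside.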
Firewalls
Firewalls
Firewall Complements
• Bastion Hosts
• Proxy servers
• Reverse proxy servers
• Cache engines
• Packet filter
• Intrusion detection systems
• Packet hound
• Stateful inspection
• SPAM/Virus filter
Intrusion Detection and Prevention (IDS & IPS)
• ID stands for Intrusion Detection,
which is the art of detecting
inappropriate, incorrect, or
anomalous activity. ID systems
that operate on a host to detect
malicious activity on that host are
called host-based ID systems,
and ID systems that operate on
network data flows are called
network-based ID systems.
Intrusion Detection and Prevention (IDS & IPS)
• Sometimes, a distinction is made
between misuse and intrusion
detection.
• The term intrusion is used to describe
attacks from the outside, whereas
misuse is used to describe an attack
that originates from the internal
network. However, most people don't
draw such distinctions.
• The most common approaches to ID
are statistical anomaly detection and
pattern-matching detection.
Spyware
Spyware is any technology that aids in gathering information about a person or organization
without their knowledge. On the Internet (where it is sometimes called a spybot or tracking
software), spyware is programming that is put in someone's computer to secretly gather
information about the user and relay it to advertisers or other interested parties. Spyware can
get in a computer as a software virus or as the result of installing a new program.
Data collecting programs that are installed with the user's knowledge are not, properly
speaking, spyware, if the user fully understands what data is being collected and with whom it
is being shared. However, spyware is often installed without the user's consent, as a drive-by
download, or as the result of clicking some option in a deceptive pop-up window.
The cookie is a well-known mechanism for storing information about an Internet user on their
own computer. However, the existence of cookies and their use is generally not concealed from
users, who can also disallow access to cookie information. Nevertheless, to the extent that a
Web site stores information about you in a cookie that you don't know about, the cookie
mechanism could be considered a form of spyware.
adware
• adware (spelled all lower case) is
any software application in which
advertising banners are displayed
while the program is running
Removing Spyware and adware
• Free programs
• Spysweeper
• Spybot
• Ad-Aware
• Spychecker
• Microsoft Windows Defender
(Beta 2)
• Immunize your system
Internet Access - Filtering
• Filter on known sites
• Found by Bots - checked by
humans
• Key words or word searches
VPN – Virtual Private Network
• A virtual private network (VPN) is a way to use a public
telecommunication infrastructure, such as the Internet,
to provide remote offices or individual users with
secure access to their organization's network. A virtual
private network can be contrasted with an expensive
system of owned or leased lines that can only be used
by one organization. The goal of a VPN is to provide
the organization with the same capabilities, but at a
much lower cost.
• A VPN works by using the shared public infrastructure
while maintaining privacy through security procedures
and tunneling protocols such as the Layer Two
Tunneling Protocol (L2TP). In effect, the protocols, by
encrypting data at the sending end and decrypting it at
the receiving end, send the data through a "tunnel" that
cannot be "entered" by data that is not properly
encrypted. An additional level of security involves
encrypting not only the data, but also the originating
and receiving network addresses.
VPN – Virtual Private Network
Internet Access - Filtering
• X-Stop
• SurfWatch
• Net Nanny
• Cyber Patrol
• Cyber Sitter
• WebSense
• WatchGuard
• Proxy Servers
• Router Tables
Internet Access - Filtering
10.100.27.46 2003/01/21 0013:38:42 PASSED http://printartist.sierrahome.com/img/treasurebox03.jpg
10.205.162.138 2003/01/21 0013:38:42 PASSED http://www.miami.com/images/logos/site/miami/miamiherald/site_logo.gif
10.100.43.99 2003/01/21 0013:38:42 PASSED http://www.babyphat.com/product_images/BP-ST3909_037_tx.jpg
10.201.225.253 2003/01/21 0013:38:42 PASSED http://rcm-images.amazon.com/images/G/01/rcm/100x60_banner.gif
10.200.76.152 2003/01/21 0013:38:42 PASSED http://movies.go.com/movies/H/houseof1000corpses_2001/trailers/win1.htm
10.100.204.240 2003/01/21 0013:38:42 PASSED http://www.apple.com/
10.203.82.16 2003/01/21 0013:38:42 PASSED http://www.lib.lsu.edu/images/goldpixel.gif
10.200.150.182 2003/01/21 0013:38:42 PASSED http:// partners.starnetsystem
10.200.150.182 2003/01/21 0013:38:42 GAMB http://www.sportsbetting.com/
10.202.26.8 2003/01/21 0013:38:42 PASSED http://www.bowwow.com.au/css/images/nav_r01_c1.gif
10.204.237.76 2003/01/21 0013:38:42 PASSED http://www.funbrain.com/cb_lnlogo_medblue.gif
10.200.125.52 2003/01/21 0013:38:42 PASSED http://webmail.aol.com/include/aol/images/tab_new_up.gif
10.204.196.167 2003/01/21 0013:38:42 PASSED http://www.princetonreview.com/shared/css/princetonReview.css
10.205.122.164 2003/01/21 0013:38:42 BANNER http://servedby.advertising.com/site=94237/size=468060/bnum=26639628/optn=1
10.204.209.28 2003/01/21 0013:38:42 PASSED http://pbskids.org/images/sky-list-zoboo-off.gif
10.100.35.239 2003/01/21 0013:38:42 PASSED http://www.sonymusic.com/ssi/js/writevb.js
10.200.150.217 2003/01/21 0013:38:42 PASSED http://autos.msn.com/images/MessengerTab/CPmsgrTABicon.png
10.201.169.6 2003/01/21 0013:38:42 PASSED http://www.getlyrics.com/images/logo.gif
10.201.209.75 2003/01/21 0013:38:42 PORN http://ad.doubleclick.net/adj/nick.nol/all_nick;sec=_all_
10.100.90.70 2003/01/21 0013:38:42 PASSED http://go.microsoft.com/fwlink/?LinkId=9705
10.100.41.97 2003/01/21 0013:38:42 PASSED http://campuslife.cornell.edu/includes/fw_menu.js
10.202.150.79 2003/01/21 0013:38:42 PASSED http://www.babyphat.com/brownie_images/BP-NBX8283_074.jpg
10.204.153.156 2003/01/21 0013:38:42 PASSED http://www.nationalgeographic.com/animals/art/sm_cf_elephant.jpg
10.201.194.77 2003/01/21 0013:38:42 PASSED http://images.mp3.com/mp3s/images/ui/bullet/default.gif
10.201.194.77 2003/01/21 0013:38:42 PASSED http://images.mp3.com/mp3s/images/ui/ttl/musicfeatures.gif
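A parser for content-filter log lines in the layout of the slide above (client IP, date, time, filter category, URL), added here as an example that is not part of the FETC slides; it treats every category other than PASSED as a block, and the log lines it ships with are constructed samples on reserved example domains, not the slide's traffic.

```python
"""Added example (not from the FETC slides): a parser for content-filter log
lines in the layout shown above - client IP, date, time, filter category, URL -
that totals hits per category and blocked hits per client. The log lines are
constructed samples in that layout, not the slide's real traffic."""
from collections import Counter, defaultdict
from ipaddress import ip_address
from typing import Dict, Iterable, List, NamedTuple, Optional


class LogEntry(NamedTuple):
    client: str
    date: str
    time: str
    category: str   # PASSED, or a block category such as GAMB, BANNER or PORN
    url: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None when the line is not in the expected layout.
    maxsplit=4 keeps the URL whole even if it contains a stray space."""
    parts = line.strip().split(None, 4)
    if len(parts) != 5:
        return None
    client, date, time, category, url = parts
    try:
        ip_address(client)                  # first field must be an address
    except ValueError:
        return None
    if not url.startswith(("http://", "https://", "ftp://")):
        return None
    return LogEntry(client, date, time, category, url)


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count hits per category, blocked hits per client, the block categories
    each client triggered, and lines that could not be parsed."""
    by_category: Counter = Counter()
    blocked_by_client: Counter = Counter()
    client_categories: Dict[str, set] = defaultdict(set)
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1
            continue
        by_category[entry.category] += 1
        if entry.category != "PASSED":      # every other category is a block
            blocked_by_client[entry.client] += 1
            client_categories[entry.client].add(entry.category)
    return {
        "by_category": dict(by_category),
        "blocked_by_client": dict(blocked_by_client),
        "client_categories": {c: sorted(s) for c, s in client_categories.items()},
        "skipped": skipped,
    }


def repeat_offenders(summary: Dict[str, object], min_blocked: int = 2) -> List[str]:
    """Clients with at least min_blocked blocked requests, most blocked first."""
    counts = summary["blocked_by_client"]
    return sorted((c for c, n in counts.items() if n >= min_blocked),
                  key=lambda c: (-counts[c], c))


# Constructed sample log in the slide's layout (reserved example domains).
SAMPLE_LOG = """\
10.100.27.46 2003/01/21 0013:38:42 PASSED http://www.example.org/img/logo.gif
10.200.150.182 2003/01/21 0013:38:42 PASSED http://www.example.org/news/
10.200.150.182 2003/01/21 0013:38:42 GAMB http://bets.example/
10.205.122.164 2003/01/21 0013:38:42 BANNER http://ads.example/site=1/size=468060
10.201.209.75 2003/01/21 0013:38:42 PORN http://ads.example/adj/x;sec=_all_
10.200.150.182 2003/01/21 0013:38:42 PORN http://bad.example/
10.200.150.182 2003/01/21 0013:38:42 PASSED http:// partners.example
this line is not in the expected layout
""".splitlines()
```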
Content Filters
Packet Shapers
• Controls flow of specific types of
traffic in or out of your network
• Can completely block traffic
• Can limit a specified type of traffic to
a percentage of the available bandwidth
• Can allow bursting when
bandwidth is available
Packet Shapers (Inbound)
Packet Shapers (Outbound)
Caching
• Enhance Internet and Intranet Content Delivery
• Accelerate web-based applications
• Minimize Internet bandwidth consumption
• Minimize WAN bandwidth consumption
• Improve network performance
• Authenticate and Manage employee Internet use
• Distribute and locally store patches and file
updates
• Provide Anti-Virus screening of web traffic
• Enable detailed reporting of web use statistics
• Serve as a local file storage point
SPAM
• Spam is unsolicited e-mail on the Internet.
• From the sender's point-of-view, spam is a form of bulk mail,
often sent to a list obtained from a spambot or to a list obtained
by companies that specialize in creating e-mail distribution lists.
• To the receiver, it usually seems like junk e-mail.
• Spam is roughly equivalent to unsolicited telephone marketing
calls except that the user pays for part of the message since
everyone shares the cost of maintaining the Internet. It has
become a major problem for all Internet users.
• The term spam is said to derive from a famous Monty Python
sketch that was current when spam first began arriving on the
Internet.
• SPAM is a trademarked Hormel meat product that was well-known
in the U.S. Armed Forces during World War II.
SPAM
SPAM - SPAMbots
• A spambot is a program designed to collect, or
harvest, e-mail addresses from the Internet in
order to build mailing lists for sending
unsolicited e-mail, also known as spam. A
spambot can gather e-mail addresses from Web
sites, newsgroups, special-interest group (SIG)
postings, and chat-room conversations.
Because e-mail addresses have a distinctive
format, spambots are easy to write.
• A number of legislators in the U.S. are reported
to be devising laws that would outlaw the
spambot.
SPAM - SPAMbots
• A number of programs and approaches
have been devised to foil spambots.
• One such technique is known as
munging, in which an e-mail address is
deliberately modified so that a human
reader can decode it but a spambot
cannot. This has led to the evolution of
sophisticated spambots that can recover
e-mail addresses from character strings
that appear to be munged.
SPAM - Munging
• Munging (pronounced MUHN-jing or MUHN-ging) is the
deliberate alteration of an e-mail address online with the
intent of making the address unusable for Web-based
programs that build e-mail lists for spamming purposes.
• Here are examples of the munging of stangib@reno.com:
• stangib at reno dot com
• s-t-a-n-g-i-b-at-r-e-n-o-d-o-t-c-o-m
• My username is stangib, and the domain name is
reno dot com.
• The term munging probably derives from the acronym
mung (pronounced just as it looks), which stands for
"mash until no good." It may also derive from the hackers'
slang term munge (pronounced MUHNJ), which means
"to alter information so it is no longer accurate."
SPAM
• Blacklists and Whitelists
• A spam filter is a program that is used to detect
unsolicited and unwanted e-mail and prevent those
messages from getting to a user's inbox
• Spammers have ways to avoid SPAM filters.
• V!I!A!G!R!A
• Phishing
• The act of sending an e-mail to a user falsely
claiming to be an established legitimate enterprise in
an attempt to scam the user into surrendering
private information that will be used for identity theft.
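The exact-match failure the firewall slide describes ("X-rated" not catching "X rated") and the punctuation trick on the spam slide ("V!I!A!G!R!A") both come down to matching on a normalized form, so one added example serves both passages: a sender blacklist/whitelist plus a keyword filter that squeezes punctuation out of tokens before comparing. This is example code, not from the FETC slides; the keyword list, sender lists and messages are constructed.

```python
"""Added example (not from the FETC slides): a keyword filter with sender
blacklist/whitelist that normalizes tokens before matching, so the exact-match
misses the slides describe ("X-rated" versus "X rated", "V!I!A!G!R!A") are
caught without matching across unrelated words. Lists and messages are constructed."""
import re
from typing import Dict, List, Set

_NON_ALNUM = re.compile(r"[^a-z0-9]+")


def squeeze(word: str) -> str:
    """Lowercase a token and drop punctuation: 'V!I!A!G!R!A' -> 'viagra',
    'X-rated' -> 'xrated'."""
    return _NON_ALNUM.sub("", word.lower())


def candidates(text: str, window: int = 2) -> Set[str]:
    """Squeezed forms of every token and of every run of up to `window`
    adjacent tokens, so 'X rated' (two tokens) becomes 'xrated' too. A larger
    window also catches words spelled out one letter per token."""
    tokens = [t for t in text.split() if squeeze(t)]
    found: Set[str] = set()
    for i in range(len(tokens)):
        for n in range(1, window + 1):
            if i + n <= len(tokens):
                found.add(squeeze("".join(tokens[i:i + n])))
    return found


def matched_keywords(text: str, keywords: List[str], window: int = 2) -> List[str]:
    """Keywords whose squeezed form equals a squeezed token run. Equality rather
    than substring search keeps 'tax rated' from matching 'X-rated'."""
    present = candidates(text, window)
    return sorted(k for k in keywords if squeeze(k) in present)


def classify(sender: str, body: str, blacklist: Set[str], whitelist: Set[str],
             keywords: List[str]) -> Dict[str, object]:
    """Whitelist wins, then blacklist, then keyword hits. Sender lists may hold
    full addresses or bare domains. The reason is returned so it can be logged."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1]
    if sender in whitelist or domain in whitelist:
        return {"verdict": "deliver", "reason": "whitelisted sender", "hits": []}
    if sender in blacklist or domain in blacklist:
        return {"verdict": "spam", "reason": "blacklisted sender", "hits": []}
    hits = matched_keywords(body, keywords)
    if hits:
        return {"verdict": "spam", "reason": "keyword match", "hits": hits}
    return {"verdict": "deliver", "reason": "no match", "hits": []}
```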
Phishing
Internet Access - Proxy
• Act as agents for your network
• Prevents internal clients from
connecting to remote sites
directly
• Has the ability to cache (store
files)
• You trust your proxy server
Internet Access - Cache
• A cache acts as a proxy to get and
store data. This can save bandwidth to
the Internet.
• Reverse caches can also deliver
content to outside users. This prevents
them from having to access devices
deep within your network.
Internet Access - Web Server
• Advertise your school and projects to the world
• Do you host or let your ISP/District?
• Requires both technical and publishing skills
• Web publishing tools available
• Runs on almost any platform
• Win3.x, Win95, WinNT, Macintosh, UNIX, Novell
• Microsoft IIS, Netscape Suitespot, Apache
• Database Access
Internet Access - Mail
• POP mail, Microsoft Mail, Exchange,
ccMail, Lotus Notes, First Class,
Apple Internet Mail Server, Quick
Mail, many shareware
• each uses its own protocol
• SMTP (Simple Mail Transfer
Protocol) - transfers mail from user
to email server
• POP (Post Office Protocol) - allows
the user to read mail from an email
server
Internet Access
• News Servers
• FTP Servers
• FAX Servers
Server Requirements
• CPU, Motherboard, Memory, EN (Ethernet)
Adapters, Hard disk controllers, Tape
backup, CD-ROM, video adapter,
UPS
• Server Capacity - number of bays
• Storage Capacity - # and size of HDs
• Fault Tolerance - ability to survive a
crash
• Performance - speed of access to
data
Server Requirements
• Sizing servers (Users,
WINS/NDS, DHCP, File and Print
Services, Applications (WWW
server, email, FTP server, DNS)
• Microsoft
• Novell Netware
• AppleShare
Virtual Servers (Virtualization)
• Virtualization is an abstraction layer that decouples
the physical hardware from the operating system to
deliver greater IT resource utilization and flexibility.
• Virtualization allows multiple virtual machines, with
heterogeneous operating systems to run in isolation,
side-by-side on the same physical machine. Each
virtual machine has its own set of virtual hardware
(e.g., RAM, CPU, NIC, etc.) upon which an
operating system and applications are loaded. The
operating system sees a consistent, normalized set
of hardware regardless of the actual physical
hardware components.
• Virtual machines are encapsulated into files, making
it possible to rapidly save, copy and provision a
virtual machine. Full systems (fully configured
applications, operating systems, BIOS and virtual
hardware) can be moved, within seconds, from one
physical server to another for zero-downtime
maintenance and continuous workload
consolidation.
Network FAX services
Remote Access Services
• Dial in or Dial Out
• Access Servers
• Cisco, Shiva, WinNT
• access to the network from
remote locations
• use phone lines
• surf the net at home
• access file servers
• access e-mail
• access web servers
• remote printing
Protecting Your Data
• Viruses
• Vandals
• Mail Bombs
• Spam
• Users
Desktop Management
• Policies and Profiles
• Desktop Locking Programs
• Winshield
• Fool Proof
• WAM (Windows Access
Manager)
Patch Management
• Provides a centralized real-time (seconds and minutes) view of
patch compliance status of an entire enterprise to enable IT
departments to make informed priority setting and action decisions
• Enables administrators to meet high service level expectations
through real-time detection, remediation and verification of patch
status
• Simplifies targeting and deployment through pre-packaged, pre-tested
security patches
• Enforces policy-defined patch baselines on endpoint devices, even
when not connected to the enterprise network, to ensure that mobile
and remote computers maintain patch compliance wherever they
roam
• Provides roll-back (for patches that support uninstall), to provide a
safety net in the event that a patch triggers unintended
consequences in the network
• Ensures that only authorized administrators can apply patches, and
that patches are authentic through built-in Public Key Infrastructure
(PKI) security and secure hash validation of patch packages
• Provides a full audit trail of patching actions and patching steps
taken on every computer
• Provides ongoing continuous enforcement of patch compliance
through policy-based automation
• Examples: BigFix; Microsoft SMS
Back-up Technologies
• All storage systems will
eventually fail
• Minor and Major
Failures
• Human Failures
• Accidental file
deletions
• Accidental file
overwrites
• Deliberate deletion of
other user’s files
Network Access Control
• Network Admission Control (NAC), a
set of technologies and solutions, uses
the network infrastructure to enforce
security policy compliance on all
devices seeking to access network
computing resources, thereby limiting
damage from emerging security
threats. Customers using NAC can
allow network access only to compliant
and trusted endpoint devices (PCs,
servers, and PDAs, for example) and
can restrict the access of noncompliant
devices.
Network Access Control
• Dramatically improves security
• Ensures endpoints (laptops, PCs, PDAs, servers, etc.) conform to
security policy
• Proactively protects against worms, viruses, spyware, and malware
• Focuses operations on prevention, not reaction
• Extends existing investment
• Broad integration with multi-vendor security and management
software
• Enhances investment in network infrastructure and vendor software.
• Increases enterprise resilience
• Comprehensive admission control across all access methods
• Prevents non-compliant and rogue endpoints from impacting
network availability
• Reduces Operating Expenses related to identifying and repairing
non-compliant, rogue, and infected systems
• Comprehensive span of control
• Assesses all endpoints across all access methods, including LAN,
wireless, remote access, and WAN
Back-up Technologies
• Full Backup
• starting point to rebuild data
• done every week
• Incremental Backup
• changes since last backup
• as frequently as possible
• To rebuild data replace last full
backup then all incrementals
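The rebuild procedure above (restore the last full backup, then every later incremental in order) as an added simulation that is not part of the FETC slides; it also records deletions in each incremental, so a restore does not bring back files removed after the full backup, and it shows the gap the next slide warns about: work saved to disk after the last incremental is lost. File names, contents and the day numbers are constructed.

```python
"""Added example (not from the FETC slides): a simulation of the weekly full /
frequent incremental scheme, with restore applying the last full backup and then
every later incremental in time order. All files and days are constructed."""
from typing import Dict, Iterable, List, Optional

FileSet = Dict[str, str]   # file name -> contents


class Backup:
    def __init__(self, kind: str, when: int, files: FileSet,
                 deleted: Iterable[str] = ()):
        self.kind = kind              # "full" or "incremental"
        self.when = when              # constructed logical clock (day number)
        self.files = dict(files)      # files captured by this backup
        self.deleted = set(deleted)   # names removed since the previous backup


def full_backup(state: FileSet, when: int) -> Backup:
    """The starting point for any rebuild: everything on disk right now."""
    return Backup("full", when, state)


def incremental_backup(state: FileSet, history: List[Backup], when: int) -> Backup:
    """Capture only what changed since the previous backup (full or
    incremental), plus the names deleted since then."""
    baseline = restore(history)
    changed = {name: body for name, body in state.items() if baseline.get(name) != body}
    deleted = set(baseline) - set(state)
    return Backup("incremental", when, changed, deleted)


def restore(history: List[Backup], upto: Optional[int] = None) -> FileSet:
    """Rebuild: start from the most recent full backup, then apply every
    incremental taken after it, oldest first, regardless of list order."""
    usable = [b for b in history if upto is None or b.when <= upto]
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        return {}
    last_full = max(fulls, key=lambda b: b.when)
    result = dict(last_full.files)
    for b in sorted(usable, key=lambda b: b.when):
        if b.kind == "incremental" and b.when > last_full.when:
            result.update(b.files)
            for name in b.deleted:
                result.pop(name, None)
    return result


def simulate() -> Dict[str, object]:
    """Constructed week: full on day 0, incrementals on days 1 and 2, then an
    edit on day 3 that no backup has captured yet."""
    live: FileSet = {"a.txt": "a v1", "b.txt": "b v1"}
    history: List[Backup] = [full_backup(live, when=0)]
    live["a.txt"] = "a v2"                      # day 1: edit a, add c
    live["c.txt"] = "c v1"
    history.append(incremental_backup(live, history, when=1))
    del live["b.txt"]                           # day 2: delete b
    history.append(incremental_backup(live, history, when=2))
    live["c.txt"] = "c v2"                      # day 3: saved to disk, not backed up
    restored = restore(history)
    lost = sorted(n for n, body in live.items() if restored.get(n) != body)
    return {"restored": restored, "live": dict(live), "lost": lost, "history": history}
```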
Back-up Technologies
• Automate scheduled backups
• Check backups to verify completion
• Store some tapes off site
• Backup Strategies
• Gaps in backup system
• work saved to disk between backups
• build failure resistant storage
systems
• can easily lose a whole day's work
Back-up Technologies
• Backup Media Options
• Tape-based systems
• DAT (Digital Audio Tape)
• 24 GB per tape - 2.2Mbps
transfer
• DLT (Digital Linear Tape)
• 64 GB per tape - 5Mbps transfer
• Optical
• Magneto-Optical; CD-R; WORM
RAID Systems
• no longer just disk drives - disk subsystems
• Redundant Array of Inexpensive Disks
• Duplicate disk controllers with independent
processors
• RAID 0: Disk striping
• multiple drives into single volume
• increased performance but no redundancy
• RAID 1: Disk mirroring
• data written to two disk drives
• if one fails, the other is available
RAID - Level 0
RAID - Level 1
RAID Systems
• RAID 3: Striped array plus dedicated parity
• data striped across several drives
• parity (the XOR of the data in each stripe) written to a dedicated drive and used to reconstruct data if one drive fails
• RAID 5: Independent striped array with distributed parity
• data striped across several drives
• parity blocks rotated across all drives, so any single failed drive can be reconstructed
• Duplexing (two drives and two controllers)
RAID - Level 3
RAID - Level 5
RAID - Levels 2, 4 and 6
RAID - Levels Other
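Striping, dedicated parity and distributed parity from the RAID slides above, as one added example that also rebuilds a failed drive. It is not code from the deck: disks are modelled as Python lists of fixed-size chunks, and the parity rotation used for RAID 5 is an assumption (real controllers choose their own layout).

```python
"""Striping and XOR parity across a small disk array, for the RAID levels
described above. Added example, not from the slides: disks are modelled as
Python lists of fixed-size chunks and the parity rotation is an assumption."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_disk(level: int, ndisks: int, stripe: int) -> Optional[int]:
    """RAID 0: no parity. RAID 3: dedicated parity on the last disk.
    RAID 5: parity rotates so no single disk takes every parity write."""
    if level == 0:
        return None
    if level == 3:
        return ndisks - 1
    if level == 5:
        return (ndisks - 1 - stripe) % ndisks
    raise ValueError("only RAID 0, 3 and 5 are modelled here")


def array_write(data: bytes, ndisks: int, level: int, chunk: int = 4) -> List[List[bytes]]:
    """Split data into fixed-size chunks and deal them one stripe at a time;
    the parity disk of each stripe gets the XOR of that stripe's data chunks."""
    if ndisks < (2 if level == 0 else 3):
        raise ValueError("too few disks for this RAID level")
    per_stripe = ndisks if level == 0 else ndisks - 1
    chunks = [data[i:i + chunk].ljust(chunk, b"\x00") for i in range(0, len(data), chunk)]
    while len(chunks) % per_stripe:            # pad the last stripe
        chunks.append(b"\x00" * chunk)
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(chunks) // per_stripe):
        stripe = chunks[s * per_stripe:(s + 1) * per_stripe]
        pd = parity_disk(level, ndisks, s)
        queue = list(stripe)
        for d in range(ndisks):
            disks[d].append(xor_blocks(stripe) if d == pd else queue.pop(0))
    return disks


def fail_disk(disks, idx):
    """Simulate a dead drive: its contents are no longer readable."""
    return [None if i == idx else d for i, d in enumerate(disks)]


def array_read(disks, level: int, nbytes: int) -> bytes:
    """Reassemble the data. With one dead disk, a parity level rebuilds every
    missing chunk as the XOR of the surviving chunks in its stripe (parity or
    data, the rule is the same); RAID 0 has nothing to rebuild from."""
    ndisks = len(disks)
    dead = [i for i, d in enumerate(disks) if d is None]
    if len(dead) > 1:
        raise RuntimeError("data lost: more than one disk failed")
    if dead and level == 0:
        raise RuntimeError("data lost: RAID 0 has no redundancy")
    lost = dead[0] if dead else None
    nstripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(nstripes):
        pd = parity_disk(level, ndisks, s)
        have = {d: disks[d][s] for d in range(ndisks) if d != lost}
        if lost is not None:
            have[lost] = xor_blocks(list(have.values()))   # the rebuild step
        for d in range(ndisks):
            if d != pd:
                out += have[d]
    return bytes(out[:nbytes])


DATA = b"The quick brown fox jumps over the lazy dog"   # constructed payload


def demo() -> dict:
    """Survive one failure on RAID 3/5; lose everything on RAID 0."""
    result = {}
    for level in (0, 3, 5):
        disks = array_write(DATA, 4, level)
        try:
            result[level] = array_read(fail_disk(disks, 1), level, len(DATA)) == DATA
        except RuntimeError:
            result[level] = False
    return result


if __name__ == "__main__":
    print(demo())
```

Parity survives a drive failure and nothing else: a deleted, corrupted or maliciously overwritten file is striped and parity-protected just as faithfully, so the array is not a substitute for the backups on the previous slides.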
Fault-Tolerant
Networking Goal
• To keep your network running no
matter what happens
• To maximize the number of
failures your network can handle
• To minimize potential
weaknesses
Fault-Tolerant
Networking
• Every aspect of your network
needs to work together to make it
fault-tolerant
• workstations, servers, hubs, routers, software, cabling, installers
• Each major component should
have redundancy in your network
• Fault-tolerance is expensive, but
cheap compared to the cost of
downtime in business
Fault-Tolerant Networking
• Disaster Recovery Plan
• Service Agreements
Fault-Tolerant Networking - Workstations
• Minimize individual users installing software or Operating Systems
• Define operating systems and applications that have been tested and will be supported on the network
• Keep spares of components - monitors, keyboards, mouse, NIC cards, etc
Fault-Tolerant Networking - Servers
• UPS for orderly shutdown
• Backup server data
• RAID or Disk Mirroring
• Novell SFT III or Vinca Corp.'s StandbyServer (mirrored servers)
• Redundant NIC cards to different LAN segments, hubs, or switches
• Test new software or services before placing them on a production server
• Use network management to monitor trends in your servers
• Clustering/drive arrays
Fault-Tolerant
Networking - Wiring
• Start with a cabling system
• tested, documented, labeled,
warrantied
• Use more cable than you think
you will need (have spares)
• Have test equipment handy
• You are your own worst enemy
when it comes to wiring
Hot Spare/Replacement Items
• Always keep several spares
• Several 16-port hubs rather than one 48-port hub
• Select fault-resilient hubs for important areas
• Use a hub as a short-term stand-in for a failed switch
• On-site replacement or service (4 hour response)
• Spare depot at central office
• Keep configurations handy to reconfigure replacements
• Provide dial backup for the most important protocols
Fault Tolerant Network
Licensing and Copyright Issues
• Document all licenses
• Keep track of serial numbers
• Prevent copying software from
servers
• Enforce copyright laws
LAN Management
• Simple Network Management Protocol (SNMP)
• Access to management databases (MIBs) in intelligent devices
• Information stored in agents on:
• Hubs
• Routers
• Bridges
• Servers
• Printers
• Switches
• Workstations
• Gateways
LAN Management
• SNMP (Simple Network
Management Protocol)
• SMS
• Syslog Daemon
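What an SNMP manager actually puts on the wire when it queries an agent's MIB, as an added example for the two LAN Management slides above. This is not code from the deck or from any SNMP product: it is a minimal BER encoder/decoder for an SNMPv1 GetRequest; the sample message, the OID queried (sysDescr.0) and the list of default community strings are assumptions for illustration.

```python
"""SNMPv1 GetRequest encoder/decoder (BER), an added example of what a
manager sends to an agent. Not from the slides or any vendor: the sample
message, the OID queried and the default-community list are assumptions."""

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID, GET_REQUEST = 0x30, 0x02, 0x04, 0x05, 0x06, 0xA0
DEFAULT_COMMUNITIES = {"public", "private"}   # assumed list of vendor defaults


def _length(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER."""
    return _tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """The first two arcs fold into one value (40*a+b); every arc is base-128
    with the continuation bit set on all but its last byte."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(groups))
    return _tlv(OID, bytes(body))


def snmp_get_request(community: str, oids, request_id: int) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbinds = b"".join(_tlv(SEQUENCE, _oid(o) + _tlv(NULL, b"")) for o in oids)
    pdu = _integer(request_id) + _integer(0) + _integer(0) + _tlv(SEQUENCE, varbinds)
    return _tlv(SEQUENCE, _integer(0) + _tlv(OCTET_STRING, community.encode())
                + _tlv(GET_REQUEST, pdu))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element); reject truncation."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    if pos + ln > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body: bytes) -> str:
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(map(str, head + arcs[1:]))


def parse_snmp(msg: bytes) -> dict:
    """Everything in a v1/v2c message is readable by anyone on the path:
    the community string is the whole 'authentication'."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, req_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)      # error-status
    _, _, pos = _read_tlv(pdu, pos)      # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        oids.append(_decode_oid(_read_tlv(vb, 0)[1]))
    comm = community.decode(errors="replace")
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": comm, "default_community": comm in DEFAULT_COMMUNITIES,
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(req_id, "big", signed=True), "oids": oids}


# Constructed sample: sysDescr.0 requested with the default community.
SAMPLE = snmp_get_request("public", ["1.3.6.1.2.1.1.1.0"], 0x1234)

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_snmp(SAMPLE))
```

Running the parser over captured management traffic is the quickest way to find devices still answering to the community string they shipped with; the `default_community` flag is there for that purpose.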
Traffic Management
Network Management
• Evaluation
• Verification
• Baselining
• Trend analysis
• Device monitoring
• Network monitoring
Networking Trends - Management and Monitoring
• Microsoft SMS
• ManageWise
• Network Assistant
• LapLink, Timbuktu
• RMON
• Baselining and Trending
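Baselining and trend analysis from the two Network Management slides above, as one added example: establish what "normal" looks like, flag a sample that breaks from it, and project growth before it becomes an outage. This is not code from the deck or from any of the products listed; the utilization samples are constructed, and the three-sigma rule and straight-line projection are assumptions a practitioner would tune to their own network.

```python
"""Baselining and trending over interface utilization samples.
Added example (not from the slides): the samples are constructed, and the
3-sigma rule and linear-trend projection are assumptions."""
from statistics import mean, stdev


def baseline(samples):
    """Summarise a 'normal' period. Needs at least two samples for a spread."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to baseline")
    return {"mean": mean(samples), "stdev": stdev(samples), "n": len(samples)}


def deviates(value, base, sigmas=3.0):
    """True when a new sample sits more than `sigmas` standard deviations
    above the baseline mean (a perfectly flat baseline makes any rise count)."""
    spread = base["stdev"]
    if spread == 0:
        return value > base["mean"]
    return (value - base["mean"]) / spread > sigmas


def trend(samples):
    """Least-squares slope per sample interval and the intercept."""
    n = len(samples)
    xs = range(n)
    x_bar, y_bar = mean(xs), mean(samples)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, samples))
    sxx = sum((x - x_bar) ** 2 for x in xs)
    slope = sxy / sxx
    return slope, y_bar - slope * x_bar


def intervals_until(samples, threshold):
    """How many more sample intervals until the fitted line crosses
    `threshold`; None if the trend is flat or falling."""
    slope, intercept = trend(samples)
    if slope <= 0:
        return None
    return (threshold - intercept) / slope - (len(samples) - 1)


# Constructed samples: percent utilization of one uplink, one sample per day.
BASELINE_WEEK = [30, 32, 31, 29, 33, 30, 31]
GROWING = [30, 31, 33, 35, 36, 38, 40]

if __name__ == "__main__":
    base = baseline(BASELINE_WEEK)
    for sample in (33, 45):
        print(sample, "deviates" if deviates(sample, base) else "normal")
    print("days until 80%% utilization: %.1f" % intervals_until(GROWING, 80))
```

A sudden deviation (45% against a 30% baseline) is a device or security event to investigate today; a steady slope is a capacity problem to budget for, and the projection tells you roughly how long you have.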
Power Requirements
• Clean Power
• Power strips
• UPS
• Intelligent
• Non-intelligent
Disaster Recovery and Planning
• Pre-planning for emergencies (hurricanes)
• Recovery plan for unexpected emergencies
• Fire, Rain, Flood
• What if the most knowledgeable staff person leaves
New Technologies
• Gigabit Ethernet
• Satellite Internet Access
• Voice over IP
• Video over IP
• Video conferencing
• Biometrics
Biometrics