Management, Monitoring, and Optimization
Network Monitoring
*Baselines*
Used to determine the norms of traffic, resource usage, etc. at a given time. For networks and network devices, baselines include information about 4 key components:
* Processor
* Memory
* Hard-disk (or other storage) subsystems
* Network adapter or subsystem
Emergency Procedures
*Building Layout*
Key considerations:
* All walls should have a 2-hour minimum fire rating.
* Doors must resist forcible entry.
* The location and type of fire suppression system should be known.
* Flooring in server rooms and wiring closets should be raised to help mitigate flooding damage.
* Separate AC units must be dedicated to the information processing facilities.
* Backup and alternate power sources should exist.
*Fire Escape Plan*
A map with exit routes should be placed in all areas.
*Safety/Emergency Exits*
All escape routes on the map should have the following characteristics:
* Clearly marked and well lit.
* Wide enough to accommodate the expected number of people.
* Clear of obstructions.
*Fail Open/Fail Close*
Electric door systems that have locks may lose power during a fire. When they do, they may lock automatically (fail close) or unlock automatically (fail open). While fail close enhances security, you should consider the effect it will have during an evacuation and take steps to ensure that everyone can get out.
*Emergency Alert System*
All facilities should be equipped with a system to alert all employees when a fire or any other type of emergency occurs. This is distinct from the Emergency Alert System (EAS), which is a national warning system in the United States. One of the functions of this system is to alert the public of local weather emergencies such as tornadoes and flash floods. EAS messages are transmitted via AM and FM radio, broadcast television, cable television, and the Land Mobile Radio Service as well as VHF, UHF, and FiOS (wireline video providers).
*Fire-Suppression System*
* Wet pipe systems use water contained in the pipes to extinguish the fire.
* Dry pipe systems hold the water in a holding tank instead of in the pipes.
* Preaction systems operate like a dry pipe system except that the sprinkler head holds a thermal-fusible link that must melt before the water is released.
* Deluge systems allow large amounts of water to be released into the room, which obviously makes this a poor choice where computing equipment will be located.
* Most companies use a fire suppressant like Halon, which is known as a "clean agent": an electrically non-conducting, volatile, or gaseous fire extinguishant that does not leave a residue upon evaporation.
*HVAC*
Needed when supporting massive amounts of computing. Computing equipment and infrastructure devices like routers and switches do not like:
* Heat. Excessive heat causes reboots and crashes.
* High humidity. It causes corrosion problems with connections.
* Low humidity. Dry conditions encourage static electricity, which can damage equipment.
Facts to know about temperature:
* At 100 degrees, damage starts occurring to magnetic media. In fact, floppy disks are the most susceptible.
* At 175 degrees, damage starts occurring to computers and peripherals.
* At 350 degrees, damage starts occurring to paper products.
*Implementing Network Segmentation*
Most segmentation is at Layer 1, but you also see it at Layer 2 with VLANs and at Layer 3 with routing. Usually this is enough segmentation.
*SCADA Systems/Industrial Control Systems*
*Industrial control system (ICS)* is a general term that encompasses several types of control systems used in industrial production. The most widespread is Supervisory Control and Data Acquisition (SCADA). SCADA is a system operating with coded signals over communication channels to provide control of remote equipment. It includes the following components:
* Sensors, which typically have digital or analog I/O; these signals are not in a form that can be easily communicated over long distances.
* Remote terminal units (RTUs), which connect to the sensors and convert sensor data to digital data (includes telemetry hardware).
* Programmable logic controllers (PLCs), which connect to the sensors and convert sensor data to digital data (does not include telemetry hardware).
* Telemetry systems, which connect RTUs and PLCs to control centers and the enterprise.
* Human interface, which presents data to the operator.
* ICS server, also called a data acquisition server, which uses coded signals over communication channels to acquire information about the status of the remote equipment for display or for recording functions.
The distributed control system (DCS) network should be a closed network, meaning it should be securely segregated from other networks. The Stuxnet virus hit the SCADA systems used for the control and monitoring of industrial processes.
*Medianets*
Networks primarily devoted to VoIP and video data that often require segmentation from the rest of the network at some layer. There are 2 reasons for segmenting: 1st, to ensure the security of the data; 2nd, to ensure that the network delivers high performance and low latency.
*Video Teleconferencing (VTC)*
When you're implementing IP video systems, consider and plan for the following issues:
* Expect a large increase in the need for bandwidth.
* QoS will need to be configured to ensure performance.
* Storage will need to be provisioned for the camera recordings.
* Initial cost can be high.
*ISDN*
The 1st VTC systems were ISDN based. These systems were based on a standard called H.320. While the bandwidth in each ISDN line is quite low by today's standards (128Kb), multiple lines could be combined or bonded.
*IP/SIP*
VTC systems based on IP use a standard called H.323. Since these work on a packet-switched network, you don't need a direct ISDN link between the sites. Session Initiation Protocol (SIP) can also be used; it operates over IP but lacks many of the structured call control functions that H.323 provides.
*Legacy Systems*
Systems that are older and incompatible with more modern systems and equipment. They may be less secure and no longer supported by the vendor.
In some cases these legacy systems, especially industrial control systems, use proprietary protocols that prevent them from communicating on the IP-based network. It's a good idea to segment these systems to protect them from security issues they aren't equipped to handle, or even just to allow them to function correctly.
*Separate Private/Public Networks*
Have separate private and public networks. Keep them segmented and use NAT from private to public.
*Honeypot/Honeynet*
Another segmentation tactic where you employ systems strategically configured to be attractive to hackers and to lure them into spending enough time attacking them while information is gathered about the attack. A tarpit is a type of honeypot designed to provide a very slow connection to the hacker so that the attack takes enough time to be properly analyzed.
*Testing Lab*
An environment for developers to test applications. Used to test OS patches and antivirus updates. It is smart to virtualize the test network so it does not have any physical connection to the rest of the network.
*Security*
* Layer 1: separate physical lines.
* Layer 2: VLANs and port security.
* Layer 3: routing and ACLs.
*Compliance*
Segmentation may be required to comply with an industry regulation.
Onsite vs Offsite
*Clouds* can be thought of as virtual computing environments where virtual servers and desktops live and can be accessed by users. A *public cloud* is 1 in which this environment is provided to the enterprise by a 3rd party for a fee. This is a good solution for a company that has neither the expertise nor the resources to manage its own cloud yet would like to take advantage of the benefits that cloud computing offers:
* Increased performance
* Increased fault tolerance
* Constant availability
* Access from anywhere
These types of clouds might be considered *offsite* or *public*. On the other hand, for the organization that has the expertise and resources, a *private* or *onsite* solution might be better and might be more secure. This approach will enjoy the same benefits as a public cloud and may offer more precise control and more options to the organization.
Common Address Redundancy Protocol
*Common Address Redundancy Protocol (CARP)* provides IP-based redundancy, allowing a group of hosts on the same network segment (referred to as a *redundancy group*) to share an IP address. 1 host is designated the *master* and the rest are *backups*. The master host responds to any traffic or ARP requests directed toward it. Each host may belong to more than 1 redundancy group at a time. 1 of its most common uses is to provide redundancy for devices such as firewalls or routers. The virtual IP address (another name for the shared group IP address) will be shared by a group of routers or firewalls. The client machines use the virtual IP address as their default gateway. In the event that the master device fails and is taken offline, the IP will move to one of the backup devices and service will continue. VRRP and HSRP are similar protocols.
Safety Practices
*Electrical Safety*
*Grounding* - The electrical term for providing a path for an electrical charge to follow to return to earth.
*ESD* - Electrostatic discharge (ESD) is the technical term for what happens whenever 2 objects of dissimilar charge come in contact.
*Static* - When ESD is created, it's a form of static energy. Extremely dry conditions in the area where computers are utilized make the problem of static electricity worse. You need some humidity to balance it out.
*Installation Safety*
*Lifting Equipment*
* Be careful not to twist when lifting. Keep the weight at the center of your body.
* Keep objects as close to your body as possible and at waist level.
* Lift with your legs, not your back. When you have to pick up something, bend at the knees, not at the waist. You want to maintain the natural curve of the back and spine when lifting.
* Whenever possible, push instead of pull.
*Rack Installation*
Many devices come rack ready. Server racks are measured in rack units (RU) or simply U. One U is equal to 1.75 inches in height.
*Placement*
Align your equipment in a hot aisle/cold aisle arrangement. It's used to conserve energy and lower cooling costs. The rows composed of rack fronts are called cold aisles. The rows the heated exhausts pour into are called hot aisles and face the AC return ducts.
*Tool Safety*
* Avoid using pencils inside a computer. They can become a conductor and cause damage.
* Be sure that the tools you are using have not been magnetized. Magnetic fields can be harmful to data stored on magnetic media.
* When using compressed air to clean inside the computer, blow the air around the components with a minimum distance of 4 inches from the nozzle.
* Never use a standard vacuum cleaner inside a computer case. The plastic parts of the vacuum cleaner can build up static electricity and discharge to the components.
*MSDS*
A Material Safety Data Sheet must exist for any type of chemical, equipment, or supply that has the potential to harm the environment or people.
Locating and Installing Equipment >> Labeling
*Port Labeling*
Ports on switches, patch panels, and other systems should be properly labeled, and the wall outlets to which they lead should match. A naming convention should be agreed upon so both technicians and the company can reference something by name. Labels should be updated if a name is ever changed.
*System Labeling*
Other systems that are installed in racks, such as servers, firewall appliances, and redundant power supplies, should also be labeled with the IP addresses and DNS names that the devices possess.
*Circuit Labeling*
Circuits entering the facility should also be labeled. Label electrical receptacles, circuit breaker panels, and power distribution units. Include circuit information, voltage and amperage, the type of electrical receptacle, and where in the data center the conduit terminates.
*Naming Conventions*
A naming system or convention guides and organizes labeling and ensures consistency.
*Patch Panel Labeling*
The American National Standards Institute/Telecommunications Industry Association (ANSI/TIA) 606-B.1 Administration Standard for Telecommunications Infrastructure for identification and labeling, approved in April 2012, provides clear specifications for labeling and administration best practices across all electrical and network systems premise classes, including large data centers.
Locating and Installing Equipment >> Power Management
*Power Converters*
Power conversion is the process of converting electric energy from 1 form to another. This conversion could take several forms:
* AC to DC
* From 1 voltage level to another
* From 1 frequency to another
*Circuits*
In situations where high availability is required, it may be advisable to provision multiple power circuits to the facility. This is sometimes called A+B or A/B power. To provision for A+B power, you should utilize a pair of identically sized circuits (e.g. 2x20 amperes). In the final analysis, even these systems can fail you in some natural disasters, so you should always also have power generators as a final backup.
*UPS*
All infrastructure systems and servers should be connected to an uninterruptible power supply (UPS).
*Inverters*
A power inverter is a type of power converter that specifically converts DC to AC. It produces no power and must be connected to a DC source.
*Power Redundancy*
While the facility itself needs redundant power circuits and backup generators, a system can still fail if the power supply in the device fails. Mission-critical devices should be equipped with redundant power supplies, which can mitigate this issue.
How to Optimize Performance
*Quality of Service (QoS)*
Refers to the way resources are controlled so that the quality of service is maintained. QoS provides different priorities to 1 or more types of traffic.
*Delay*
Data can run into congested lines, making applications like VoIP fail. This is the best reason to implement QoS when real-time applications are in use in the network: to prioritize delay-sensitive traffic.
*Dropped Packets*
Packets get dropped if a buffer gets full, and a request for retransmission will follow.
*Error*
Packets can be corrupted in transit and arrive at the destination in an unacceptable format, again requiring retransmission and resulting in delays.
*Jitter*
Not every packet takes the same route to the destination, so some will be more delayed than others if they travel through a slower or busier network connection. The variation in packet delay is called *jitter*, and this can have a nasty negative impact on programs that communicate in real time.
*Out-of-Order Delivery*
Also a result of packets taking different paths through the network to their destinations. The application at the receiving end needs to put them back together in the right order for the message to be completed, so if there are significant delays or the packets are reassembled out of order, users will probably notice degradation of an application's quality.
QoS can ensure that applications with a required bit rate receive the necessary bandwidth to work properly. A network with excess bandwidth has little need for QoS, but the more limited your bandwidth is, the more important QoS becomes.
*DSCP*
1 method that can be used for classifying and managing network traffic and providing QoS is *Differentiated Service Code Point (DSCP)*, or DiffServ. It uses a 6-bit differentiated service code point (DSCP) in the 8-bit Differentiated Service field (DS field) in the IP header for packet classification. This allows for the creation of traffic classes that can be used to assign priorities to various kinds of traffic.
In theory, a network could have up to 64 different traffic classes using different DSCPs, but most networks use the following traffic classifications:
* Default, which is typically best-effort traffic.
* Expedited Forwarding (EF), which is dedicated to low-loss, low-latency traffic.
* Assured Forwarding (AF), which gives assurance of delivery under prescribed conditions.
* Class Selector, which maintains backward compatibility with the IP Precedence field (a field formerly used by the Type of Service, or TOS, function).
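As an added example (not from these notes), the following Python pulls the 6-bit DSCP out of the 8-bit DS field of a raw IPv4 header and maps it to the classes above. It assumes the standard code point values (Default = 0, EF = 46, AFxy = 8x + 2y, CSx = 8x) and builds a constructed sample header; note that marks set by endpoints are untrusted and are normally re-marked at the network edge before any priority is honoured.

```python
import struct
from typing import Tuple

DS_FIELD_OFFSET = 1   # the DS field is the 2nd byte of the IPv4 header (after version/IHL)
EF_CODEPOINT = 46     # 101110b


def extract_dscp(ipv4_header: bytes) -> Tuple[int, int]:
    """Return (dscp, ecn) from a raw IPv4 header.

    Only the upper 6 bits of the DS field are the DSCP; the lower 2 bits are
    ECN (Explicit Congestion Notification) and are not part of the code point.
    Reading the whole byte as if it were the old TOS value is a common bug.
    """
    if len(ipv4_header) < 20:
        raise ValueError("IPv4 header must be at least 20 bytes")
    ds_byte = ipv4_header[DS_FIELD_OFFSET]
    return ds_byte >> 2, ds_byte & 0x03


def classify_dscp(dscp: int) -> str:
    """Map a 6-bit DSCP to Default / EF / AFxy / CSx."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0-63)")
    if dscp == 0:
        return "Default"
    if dscp == EF_CODEPOINT:
        return "EF"
    high, low = dscp >> 3, dscp & 0x07
    if low == 0:
        # Class Selector: only the upper 3 bits set, so it lines up with IP Precedence
        return f"CS{high}"
    if 1 <= high <= 4 and low in (2, 4, 6):
        # Assured Forwarding: class 1-4 in the upper bits, drop precedence 1-3 in the lower
        return f"AF{high}{low // 2}"
    return "Unassigned"


def build_ipv4_header(dscp: int, ecn: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (sample data, not a captured packet)."""
    ds_byte = ((dscp & 0x3F) << 2) | (ecn & 0x03)
    # version 4 / IHL 5, DS byte, total length, id, flags+fragment offset, TTL,
    # protocol (UDP), checksum (0 in the sample), source, destination
    return struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte, 20, 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def classify_header(ipv4_header: bytes) -> str:
    """Convenience wrapper: classify a packet directly from its IPv4 header."""
    dscp, _ecn = extract_dscp(ipv4_header)
    return classify_dscp(dscp)


if __name__ == "__main__":
    for code in (0, 46, 34, 10, 24, 48, 3):
        print(code, classify_header(build_ipv4_header(code)))
```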
Network Optimization
*Reasons to Optimize Your Network's Performance*
These include things like splitting up network segments, stopping unnecessary services on servers, offloading one server's work onto another, and upgrading outmoded hardware devices to newer models.
*Latency Sensitivity*
Adequate bandwidth (a "good pipe") is needed to avoid latency, which is annoying at best; e.g. in online gaming, latency will potentially get you killed in the game.
*High-Bandwidth Applications*
Newly added bandwidth is good for app developers, as they will add functions that take advantage of the bandwidth. High-bandwidth applications include VoIP and video streaming:
*VoIP*
Voice over Internet Protocol (VoIP) describes several technologies that work to deliver voice communications over the Internet or other data networks.
*Video Applications*
Watching real-time video on the Internet.
*Other Real-Time Services*
*Presence* is a function provided by many collaboration solutions that indicates the availability of a user. It signals to other users whether a user is online, busy, in a meeting, and so forth.
*Multicast vs Unicast*
Unicast transmissions represent a 1-to-1 conversation, that is, data sent from a single device to another single device. On the other hand, multicast is a technology that sends information from a single source to multiple recipients and is far superior to unicast transmission when it comes to video streaming and conferencing. While unicast transmission creates a data connection and stream for each recipient, multicast uses the same stream for all recipients. This single stream is replicated as needed by multicast routers and switches in the network. The stream is limited to branches of the network topology that actually have subscribers to the stream. This reduces the use of bandwidth in the network.
*Uptime*
4 or 5 9's are expected today for a lot of the services we use. 99.99% or 99.999% availability leaves very little downtime throughout the year.
Standard Business Documents
*Statement of Work (SOW)* - This document spells out all the details concerning what work is to be performed, the deliverables, and the timeline a vendor must execute in performance of the specified work.
*Memorandum of Understanding (MOU)* - This is an agreement between 2 or more organizations that details a common line of action. It is often used in cases where parties do not have a legal commitment or in situations where the parties cannot create a legally enforceable agreement. In some cases, it is referred to as a letter of intent.
*Master License Agreement (MLA)* - This is an agreement whereby 1 party agrees to pay another party for the use of a piece of software for a period of time. These agreements are pretty common in the IT world.
*Service-Level Agreement (SLA)* - This is an agreement that defines the allowable time in which a party must respond to issues on behalf of the other party. Most service contracts are accompanied by an SLA, which often includes security priorities, responsibilities, guarantees, and warranties.
Virtual Networking Components
*Virtual Servers*
Virtual servers can perform all the same functions as physical servers but enjoy some significant advantages. By clustering a virtual server with other virtual servers located on different hosts, you can achieve fault tolerance in the case of a host failure. Increased performance can also be derived from this approach. The virtualization software can allow you to allocate CPU and memory resources to the VMs dynamically as needed, to ensure that the maximum amount of computing power is available to any single VM at any moment while not wasting any of that power on an idle VM.
*Virtual Switches*
Software versions of Layer 2 switches that can be used to create virtual networks. They can be used for the same purposes as physical switches. VLANs can be created, virtual servers can be connected to the switches, and the virtual network can be managed, all while residing on the same physical box. These switches can also span multiple hosts (the physical machines that house multiple virtual servers, desktops, and switches are called hosts). Distributed virtual switches are those switches that span multiple hosts, and they are what link together the VMs that are located on different hosts yet are members of the same cluster.
*Virtual vs Physical NICs*
1 host running multiple VM instances is connected to 1 physical switch port, but each instance has its own unique IP and MAC address. To the switch this looks like 3 separate ports (1 per VM), but since it's virtualized it's all on 1.
*Virtual Routers*
Typically implemented as specialized software. They consist of individual routing and forwarding tables, each of which could be considered a virtual router.
*Virtual Firewalls*
Also implemented as software in the virtualized environment. Like their physical counterparts, they can be used to restrict traffic between virtual subnets created by virtual routers.
*Software-Defined Networking (SDN)*
An approach to computer networking that allows network administrators to manage network services through abstraction of lower-level functionality. SDN architectures decouple network control and forwarding functions, enabling network control to become directly programmable and the underlying infrastructure to be abstracted from applications and network services.
*Virtual Desktops*
Delivering a virtual OS environment to users when they start their PCs. This allows the user desktop to require less computing power, especially if the applications are also delivered virtually, running in a VM in the cloud rather than on the local desktop eating local resources. It is also beneficial for maintaining a consistent user environment. *Thin computing* takes this a step further. In this case, all of the computing takes place on the server. A *thin client* simply displays the output from the OS running in the cloud, and the keyboard is used to interact with that OS in the cloud.
*Virtual PBX*
An example of what is called *software as a service (SaaS)*. A hosting company manages the entire phone system for the company, freeing the organization from the need to purchase and manage the physical equipment that would otherwise be required to provide the same level of service. To the outside world, the company appears to have a professional phone system while everything is actually being routed through the hosting company's system.
*Network as a Service (NaaS)*
A network hosted and managed by a 3rd party on behalf of the company. It makes more sense to outsource the management of the network to a 3rd party when it is not cost effective to maintain a networking staff.
Traffic Shaping
Also known as packet shaping, traffic shaping is a form of bandwidth optimization. It works by delaying packets that meet certain criteria to guarantee usable bandwidth for other applications. Traffic shaping is basically traffic triage: you're really just delaying attention to some traffic so other traffic gets A-listed through. Traffic shaping uses *bandwidth throttling* to ensure that certain data streams don't send too much data in a specified period of time, as well as *rate limiting* to control the rate at which traffic is sent. Most traffic shaping is applied to devices at the edge of the network to control the traffic entering the network. The devices that control it have what's called a *traffic contract* that determines which packets are allowed on the network and when. Delayed packets are stored in the managing device's 1st in, 1st out (FIFO) buffer until they're allowed to proceed per the conditions in the contract.
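An added example (not from these notes) of the delay-then-release behaviour described above: a token-bucket shaper whose traffic contract is assumed to be a sustained rate in bytes/s plus a burst allowance in bytes, with a FIFO buffer that holds non-conforming packets and, when it is full, drops them (the dropped-packet case from the QoS section). The packet list is constructed sample data.

```python
from typing import List, Optional, Tuple

Packet = Tuple[float, int]              # (arrival time in seconds, size in bytes)
Result = Tuple[float, Optional[float]]  # (arrival, departure); departure None means dropped

# Constructed sample: a 3-packet burst at t=0 that exceeds the contract, then a lone packet later.
SAMPLE_PACKETS: List[Packet] = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (3.0, 500)]


def shape(packets: List[Packet], rate: float, burst: int, max_queue: int = 64) -> List[Result]:
    """Token-bucket shaper: `rate` bytes/s sustained, `burst` bytes of credit, FIFO of `max_queue`."""
    tokens = float(burst)  # the bucket starts full, so an initial burst up to `burst` passes untouched
    clock = 0.0            # time of the last refill, which is also the last departure time
    out: List[Result] = []
    for arrival, size in sorted(packets):
        if size > burst:
            raise ValueError("a packet larger than the burst can never conform")
        # FIFO occupancy at this arrival: packets already scheduled but not yet sent.
        queued = sum(1 for _, dep in out if dep is not None and dep > arrival)
        if queued >= max_queue:
            out.append((arrival, None))  # buffer full: this is the drop case, not a delay
            continue
        # FIFO order: a packet cannot leave before it arrives, nor before the packet ahead of it.
        t = max(arrival, clock)
        tokens = min(float(burst), tokens + (t - clock) * rate)
        if tokens < size:
            # Not enough credit: hold the packet until the bucket has refilled by the shortfall.
            t += (size - tokens) / rate
            tokens = float(size)
        tokens -= size
        clock = t
        out.append((arrival, t))
    return out


def delays(results: List[Result]) -> List[Optional[float]]:
    """Per-packet queueing delay in seconds (None for dropped packets)."""
    return [None if dep is None else round(dep - arr, 6) for arr, dep in results]


if __name__ == "__main__":
    # With a 1000 B/s contract and 1500 B burst, the 2nd and 3rd packets are held, not dropped.
    print(delays(shape(SAMPLE_PACKETS, rate=1000.0, burst=1500)))
```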
Backup types
| Backup Type         | Data Backed Up                  | Backup Time | Restore Time | Storage Space |
|---------------------|---------------------------------|-------------|--------------|---------------|
| Full backup         | All data                        | Slowest     | Fast         | High          |
| Incremental backup  | Only new/modified files/folders | Fast        | Moderate     | Lowest        |
| Differential backup | All data since last full        | Moderate    | Fast         | Moderate      |
Archives/Backups
Backups must be created on a schedule and tested regularly to ensure that a data restoration is successful. The 3 main data backup types are full backups, differential backups, and incremental backups. When a file is created or updated, the archive bit for the file is enabled. If the archive bit is cleared, the file will not be archived during the next backup. If the archive bit is enabled, the file will be archived during the next backup. Keep this in mind:
* If you use a full backup once a week and differential backups the other days of the week, to restore you will only need the last full backup tape and the last differential tape. This is the fastest restore.
* If you use a full backup once a week and incremental backups the other days of the week, to restore you will need the last full backup tape and all of the incremental tapes. This is the slowest restore.
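An added example (not from these notes) that simulates a week of backups driven by the archive bit and then counts the tapes each restore needs. The modelled rules are assumed from the text: a write sets the bit, full and incremental backups clear the bit on what they copy, differential backups leave it set; the file names and contents are constructed sample data.

```python
from typing import Dict, List, Tuple


class FileSystem:
    def __init__(self) -> None:
        self.files: Dict[str, str] = {}
        self.archive_bit: Dict[str, bool] = {}

    def write(self, name: str, content: str) -> None:
        self.files[name] = content
        self.archive_bit[name] = True  # creating or updating a file sets its archive bit


class Tape:
    def __init__(self, kind: str, data: Dict[str, str]) -> None:
        self.kind = kind
        self.data = data


def run_backup(fs: FileSystem, kind: str) -> Tape:
    """Copy the files the backup type selects and clear archive bits where the type does so."""
    if kind == "full":
        selected = dict(fs.files)
    elif kind in ("incremental", "differential"):
        selected = {n: c for n, c in fs.files.items() if fs.archive_bit[n]}
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind != "differential":  # full and incremental clear the bit; differential does not
        for name in selected:
            fs.archive_bit[name] = False
    return Tape(kind, selected)


def tapes_needed(tapes: List[Tape]) -> List[Tape]:
    """The last full, then either the last differential or every incremental since that full."""
    last_full = max(i for i, t in enumerate(tapes) if t.kind == "full")
    since_full = tapes[last_full + 1:]
    kinds = {t.kind for t in since_full}
    if kinds == {"differential"}:
        return [tapes[last_full], since_full[-1]]
    if kinds <= {"incremental"}:
        return [tapes[last_full]] + since_full
    raise ValueError("mixed differential/incremental cycle: restore order is undefined")


def restore(tapes: List[Tape]) -> Tuple[Dict[str, str], int]:
    """Apply the needed tapes in order. Returns (restored files, number of tapes read).
    Deletions are not tracked in this model, so a restore can only add or overwrite files."""
    needed = tapes_needed(tapes)
    result: Dict[str, str] = {}
    for tape in needed:
        result.update(tape.data)
    return result, len(needed)


def simulate_week(scheme: str) -> Tuple[int, bool]:
    """Full backup on Sunday, then `scheme` backups Mon-Wed around a few edits.
    Returns (tapes read on restore, whether the restore matches the live data)."""
    fs = FileSystem()
    fs.write("payroll.xlsx", "v1")
    fs.write("config.txt", "v1")
    tapes = [run_backup(fs, "full")]  # Sunday
    fs.write("payroll.xlsx", "v2")    # Monday edit
    tapes.append(run_backup(fs, scheme))
    fs.write("config.txt", "v2")      # Tuesday edit
    tapes.append(run_backup(fs, scheme))
    fs.write("payroll.xlsx", "v3")    # Wednesday edit
    tapes.append(run_backup(fs, scheme))
    restored, count = restore(tapes)
    return count, restored == fs.files


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        print(scheme, simulate_week(scheme))
```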
Cloud Concepts
Cloud storage locates the data on a central server, but unlike an internal data center on the LAN, the data is accessible from anywhere and in many cases from a variety of device types. Cloud deployments can differ in 2 ways:
* The entity that manages the solution.
* The percentage of the total solution provided by the vendor.
Options relative to the entity that manages the solution:
*Private cloud*: This is a solution owned and managed by 1 company solely for that company's use.
*Public cloud*: This is a solution provided by a 3rd party. It offloads the details to the 3rd party but gives up some control and can introduce security issues.
*Hybrid cloud*: This is some combination of private and public, e.g. perhaps you only use the facilities of the provider but still manage the data yourself.
*Community cloud*: This is a solution owned and managed by a group of organizations that create the cloud for a common purpose.
There are several levels of service that can be made available through a cloud deployment:
*Infrastructure as a service (IaaS)*: The vendor provides the hardware platform or data center, and the company installs and manages its own operating systems and application systems.
*Platform as a service (PaaS)*: The vendor provides the hardware platform or data center and the software running on the platform.
*Software as a service (SaaS)*: The vendor provides the entire solution. This includes the OS, infrastructure software, and the application.
Locating and Installing Equipment
Common data center or server room equipment and a few best practices for managing these facilities:
*Main Distribution Frame (MDF)*
Connects equipment (inside plant) to cables and subscriber carrier equipment (outside plant). It also terminates cables that run to intermediate distribution frames distributed throughout the facility.
*Intermediate Distribution Frame (IDF)*
Serves as a distribution point for cables from the MDF to individual cables connected to equipment in areas remote from these frames.
Physical Network Diagrams
Contains all the physical devices and connectivity paths on your network and should accurately picture how your network physically fits together in detail. It must include connections, types of hardware, and their firmware revisions. Use software like SmartDraw, Visio, and AutoCAD to create diagrams. Any network change should be mirrored in the diagrams.
Vendor Documentation
Contains details concerning SLAs and deadlines for warranties. It is good to have documentation of when these dates expire.
Locating and Installing Equipment >> Cable Management
Data center (DC) cables come together in large numbers at distribution points, where managing them becomes important both to protect the integrity of the cables and to prevent overheating of the infrastructure devices caused by masses of unruly cabling. The points of congestion typically occur at the patch panels. *Patch panels* terminate cables from wall or data outlets. Critical maintenance issues at the patch panel are to ensure that cabling from the patch panel to the switch is neat, that the patch cables are as short as possible without causing stress on the cables, and that the positioning of the cabling does not impede air flow to the devices, which can cause overheating.
IP Address Utilization
Document IP address utilization. It will help greatly when troubleshooting IP-related problems.
Logical Network Diagrams
Includes things like protocols, configurations, addressing scheme, access lists, firewalls, types of applications, etc. All things that apply logically to your network (VLANs and the groups they represent). Any updates to the logical network should also be mirrored in the diagrams.
Asset Management
Involves tracking all network assets like computers, routers, switches, etc. through their entire life cycles. Most organizations find it beneficial to utilize asset identification numbers to facilitate this process. ISO has established standards. The ISO 19770 family consists of 4 major parts:
* 19770-1 is a process-related standard that outlines best practices for IT asset management in an organization.
* 19770-2 is a standard for machine encapsulation (in the form of an XML file known as a SWID tag) of inventory data, allowing users to easily identify what software is deployed on a given device.
* 19770-3 is a standard that provides a schema for machine encapsulation of entitlements and rights associated with software licenses. The records (known as ENTs) describe all entitlements and rights attendant to a piece of software and the method for measurement of license/entitlement consumption. (Still a draft.)
* 19770-4 allows for standardized reporting of utilization of resources. This is crucial when considering complex data center license types and for the management of cloud-based software and hardware (software as a service, or SaaS, and infrastructure as a service, or IaaS). (Still a draft.)
Caching Engines
A *cache* is a collection of data that duplicates key pieces of original data. Computers use caches all the time to temporarily store information for faster access, and processors have both internal and external caches available to them, which speeds up their response times. A *caching engine* is basically a database on a server that stores information people need to access fast. The most popular implementation of this is with web servers and proxy servers, but caching engines are also used on internal networks to speed up access to things like database services.
High Availability
A system-design protocol that guarantees a certain amount of operational uptime during a given period. The design attempts to minimize unplanned downtime. 5 9's (99.999%) is the highest availability; it means that out of the full year, network access is allowed to be down for only 5 minutes and 15.36 seconds.
Unified Communications
The integration of real-time communication services such as instant messaging with non-real-time communication services such as unified messaging (integrated voicemail, email, SMS, and fax). UC allows an individual to send a message on 1 medium and receive the same communication on another medium. UC systems are made of several components that make this possible. The following may be part of a UC system:
*UC Servers*
The UC server is the heart of the system. It provides call control, mobility services, and administrative functions. It may be a standalone device or, in some cases, a module that is added to a router.
*UC Devices*
UC devices are the endpoints that may participate in unified communications. This includes computers, laptops, tablets, and smartphones.
*UC Gateways*
UC gateways are used to tie together geographically dispersed locations that may want to make use of UC facilities. They are used to connect the IP-based network with the Public Switched Telephone Network (PSTN).
Managing Network Documentation
Keep documentation safe in at least 3 different forms:
* An electronic copy that you can easily modify after configuration changes.
* A hard copy in a binder of some sort, stored in an easily accessible location.
* A copy on an external drive kept in a really safe place (even off site) in case something happens to the other 2, or the building (or part of it) burns to the ground.
Fault Tolerance
Means that even if 1 computer or device fails, you won't lose access to the resource it provides. When multiple devices provide the same resource, you can also set up load balancing across them to ensure fault tolerance.
Schematics and Diagrams
Microsoft Visio, SmartDraw, and a host of computer-aided design (CAD) programs are used to make network diagrams. Whatever tool you use to draw pictures of your network, the documents basically fall into these groups:
* Wiring diagrams/schematics
* Physical network diagrams
* Logical network diagrams
* Schematics and diagrams
* Asset management
* IP address utilization
* Vendor documentation
Standard EIA/TIA 568B wiring
Pin 1: White/Orange
Pin 2: Orange
Pin 3: White/Green
Pin 4: Blue
Pin 5: White/Blue
Pin 6: Green
Pin 7: White/Brown
Pin 8: Brown
Policies, Procedures, and Regulations
Policies govern how the network is configured and operated as well as how people are expected to behave on it. Basically, policies give people guidelines as to what they are expected to do. Procedures are precise descriptions of the appropriate steps to follow in a given situation. They often dictate precisely how to execute policies as well.
*Policies* Include the following:
* Security policies - used to maintain security in the network.
* Clean-desk policies - used to prevent sensitive documents from being left out in the open.
* Network access (who, what, and how) - used to allow user access to parts of the network.
* Acceptable-use policies - used to let users know what is acceptable and what is not.
* Consent to monitoring - used to let users know that they have no expectation of privacy and that they are monitored.
*Change Management* These policies ensure a consistent approach to managing changes to network configurations:
* Disposal of network equipment.
* Use of recording equipment.
* How passwords are managed (required length and complexity, and how often they need to be changed).
* Types of security hardware in place.
* How often to do backups and take other fault-tolerant measures.
* What to do with user accounts after an employee leaves the company.
*Procedures* These are actions to be taken in specific situations:
* Disciplinary action to be taken if a policy is broken.
* What to do during an audit.
* How issues are reported to management.
* What to do when someone has locked themselves out of their account.
* How to properly install or remove software on servers.
* What to do if files on the server suddenly appear to be "missing" or altered.
* How to respond when a network computer has a virus.
* Actions to take if it appears that a hacker has broken into the network.
* Actions to take if there is a physical emergency like a fire or flood.
For every policy on your network, there should be a credible related procedure that clearly dictates the steps to take in order to fulfill it.
Locating and Installing Equipment >> Rack Monitoring
Racks should contain monitoring devices that can be operated remotely. These devices can be used to monitor the following issues:
* Temperature
* Humidity
* Physical security (open doors)
* Smoke
* Water leaks
* Vibration
Locating and Installing Equipment >> Rack security
Rack devices should be secured against theft. Several kinds of lock can be used to do this; they are typically implemented in the doors on the front of a rack cabinet:
* Swing handle/wing knob locks with common key
* Swing handle/wing knob locks with unique key
* Swing handle with number and key lock
* Electronic locks
* Radio-frequency identification (RFID) card locks
Load Balancing
Refers to a technique used to spread work out across multiple computers, network links, or other devices. Using load balancing, you can also provide an active/passive server cluster in which only 1 server is active and handling requests.
Regulations
Rules imposed on your organization by an outside agency, such as a certifying board or a government entity; they're usually totally rigid and immutable.
Storage Area Network (SAN)
SANs comprise high-capacity storage devices that are connected by a high-speed private network (separate from the LAN) using a storage-specific switch. This storage information architecture addresses the collection, management, and use of data. The following are protocols that can be used to access the data and the client systems that can use those protocols, along with NAS, an alternative to the SAN:
*iSCSI* Internet Small Computer System Interface (iSCSI) is an IP-based network storage standard: a method of encapsulating SCSI commands (which are used with storage area networks) within IP packets. This allows the same network to be used for storage as for the rest of the network's traffic.
*Fibre Channel* FC is a high-speed network technology (commonly running at 2-, 4-, 8-, or 16-gigabit-per-second rates) primarily used to connect computer data storage. It operates on an optical network that is not compatible with a regular IP-based data network. Fibre Channel over Ethernet (FCoE), on the other hand, encapsulates Fibre Channel traffic within Ethernet frames, much like iSCSI encapsulates SCSI commands in IP packets. However, unlike iSCSI, it does not use IP at all; it does allow the storage traffic to share the same Ethernet network that carries the IP traffic.
*Jumbo Frame* Ethernet frames with more than 1,500 bytes of payload. Jumbo frames (9,000-byte payload frames) have the potential to reduce overhead and CPU cycles. In high-speed networks such as those typically used in a SAN, it may be advisable to enable jumbo frames to improve performance.
*Network attached storage (NAS)* NAS serves the same function as a SAN, but clients access the storage in a different way. In a NAS configuration, almost any machine that can connect to the LAN (or is interconnected to the LAN through a WAN) can use protocols such as NFS, CIFS, and HTTP to connect to the NAS and share files. In a SAN configuration, only devices that can use the Fibre Channel SCSI network can access the data, so access is typically done through a server with this capability.
NAC
A service called Network Admission Control in the Cisco world and Network Access Protection in the Microsoft world, but the goals are the same: to examine all devices requesting network access for malware, missing security updates, and other security issues any device could potentially introduce to the network. Some NAC systems can even send failed devices to a remediation server to apply patches and updates before allowing the device access to the network.
Wiring Schematics
Standard drop cables or *patch cables* have the pins in the same order on both connectors. If you are connecting similar devices, you use a *crossover* cable, which has 1 connector with flipped wires. Specifically, pins 1 & 3 and pins 2 & 6 get switched. The crossover cable that only has 1,3 & 2,6 switched is for connections up to 100BaseTX. If you are using 1000BaseT, all 4 pairs of wires get crossed at the opposite end, meaning pins 4 & 7 and pins 5 & 8 get crossed as well. The Automatic MDI/MDI-X Configuration standard, an optional feature of the 1000BaseT standard, makes the need for crossover cables between gig-capable interfaces a thing of the past. Label your cables and document when, by whom, what, where, why, and how they were installed.
Class of Service (COS)
The second method of providing traffic classification, and thus the ability to treat the classes differently, is a 3-bit field called the Priority Code Point (PCP) within the Ethernet frame header, present when VLAN-tagged frames as defined by IEEE 802.1Q are used. This method is defined in the IEEE 802.1p standard. It describes 8 different classes of service, expressed through the 3-bit PCP field in the IEEE 802.1Q header added to the frame:
Level 0: Best effort
Level 1: Background
Level 2: Standard (spare)
Level 3: Excellent load (business-critical applications)
Level 4: Controlled load (streaming media)
Level 5: Voice and video (interactive voice and video, less than 100 ms latency and jitter)
Level 6: Layer 3 network control reserved traffic (less than 10 ms latency and jitter)
Level 7: Layer 2 network control reserved traffic (lowest latency and jitter)
QoS levels are established per call, per session, or in advance of the session by SLA.
Change Management Procedures
The purpose of this process is to ensure that all changes are approved by the proper personnel and are implemented in a safe and logical manner.
*Document Reason for a Change* Clearly, every change should be made for a reason, and before the change is even discussed, that reason should be documented. During all stages of the approval process, this information should be clearly communicated and attached to the change under consideration.
*Change Request* A change should start its life as a change request. This request will move through various stages of the approval process and should include certain pieces of information that will guide those tasked with approving or denying it.
*Configuration Procedures* The exact steps required to implement the change and the exact devices involved should be clearly detailed. Complete documentation should be produced and submitted with a formal report to the change management board.
*Rollback Process* Before any changes are implemented, plans for reversing the changes and recovering from any adverse effects of the change should be identified.
*Potential Impact* While unexpected adverse effects of a change can't always be anticipated, a good-faith effort should be made to identify all possible systems that could be impacted by the change. This also helps identify systems that may need to be monitored for their reaction to the change.
*Notification* When all systems and departments that may be impacted by the change are identified, system owners and department heads should be notified of all changes that could potentially affect them. This provides additional people to monitor for problems during the change process.
*Approval Process* Requests for changes should be fully vetted by a cross section of users, IT personnel, management, and security experts. In many cases, it's wise to form a change control board to complete the following tasks:
* Assure that changes made are approved, tested, documented, and implemented correctly.
* Meet periodically to discuss change status accounting reports.
* Maintain responsibility for assuring that changes made do not jeopardize the soundness of the verification system.
*Maintenance Window* A maintenance window is the amount of time a system will be down or unavailable during the change. Before this window of time is specified, all affected systems should be examined with respect to their criticality in supporting mission-critical operations. The time required to make the change may exceed the allowable downtime a system can suffer during normal business hours, in which case the change may need to be implemented during a weekend or in the evening.
*Authorized Downtime* Once the time required to make the change has been compared to the maximum allowable downtime a system can suffer and the optimum time for the change has been identified, the authorized downtime can be specified. This amounts to a final decision on when the change will be made.
*Notification of Change* When the change has been successfully completed and a sufficient amount of time has elapsed for issues to manifest themselves, all stakeholders should be notified that the change is complete. At that time, these stakeholders can continue to monitor the situation for any residual problems.
*Documentation* The job isn't complete until the paperwork is complete. In this case, the following should be updated to reflect the changed state of the network:
* Network configurations
* Additions to the network
* Physical location changes
On-Boarding and Off-Boarding of Mobile Devices
Users expect companies to allow Bring Your Own Device (BYOD) at work, which presents a security risk. NAC is a method that allows user devices to connect to the network while retaining measures of control over them.
Virtual Networking
Virtual computing solutions come from a number of vendors. Some of the more popular ones are:
* VMware vSphere
* Microsoft Hyper-V
* Citrix XenServer
Locating and Installing Equipment >> Device Placement
When locating equipment in a data center, server room, or wiring closet, the placement of the equipment should take several issues into consideration.
*Air Flow* When hot air is NOT removed from the area and replaced with cooler air, the devices overheat and start rebooting unexpectedly. One commonly used approach is *hot aisle/cold aisle*, which lines up racks in alternating rows with cold-air intakes facing 1 way and hot-air exhausts facing the other.
*Cable Trays* Metal trays used to organize the cabling neatly and keep it away from areas where it can cause heat buildup.
*Rack Systems* Used to hold and arrange the servers, routers, switches, firewalls, and other rack-ready equipment. Rack devices are advertised in terms of Us. U is the standard unit of measure for designating the vertical usable space, or height, of racks; 1U is equal to 1.75 inches. You should be familiar with the following types of rack systems and components:
* Server rail racks - Used to hold servers in 1 of the types of racks described next. They are designed to hold the server while allowing it to be slid out from the rack for maintenance.
* Two-post racks - Only 2 posts run from the floor. These posts may reach the ceiling or they may not (freestanding).
* Four-post racks - These have 4 rails and can be either floor-to-ceiling or freestanding.
* Freestanding racks - A freestanding rack does not reach the ceiling and stands on its own.