Network+ Chapter 10 Network Operations
Incident Response Process
1: Preparation - Having tools and training in place before an incident occurs. 2: Identification - Clearly detecting not only when an incident has occurred, but its nature and severity. 3: Containment - Immediately stopping any continuing damage caused by the incident. 4: Investigation - Identifying the precise effects and root causes of the incident. 5: Eradication - Eliminating the root cause of the incident and preventing immediate recurrence. 6: Recovery - Restoring services, validating proper operation, and otherwise returning the network to its baseline state. 7: Follow-up - Reviewing information gathered during the previous steps and taking appropriate action.
RAID
A Redundant array of independent disks allows redundancy by saving data to multiple hard drives at once. That way, a failure in one drive can be compensated for without data loss. -Raid 0 - Striping - is used for speed not redundancy - 50% on disk 1, 50% on disk 2 -Raid 1 - Duplexing/Mirroring - used for redundancy - 100% on disk 1, 100% on disk 2 -Raid 10 - Striping w/ Duplexing - 50% to disk 1, 50% to disk 2, copy of disk 1 stored on disk 3, copy of disk 2 stored on disk 4 -Raid 5 - Striping w/ Parity - uses Xor algorithm to create Parity bit - 50% on disk 1, 50% on disk 2, for disk 3 uses data on disk 1 and 2, converts data using algorithm and stores it on disk 3 -Raid 6 - Striping w/ 2 Parity disks
Full Backup
A complete backup of all files on the designated hard drive
Warm site
A compromise between a hot site and a cold site. At the least it will have some computers and networking hardware set up, even if it's not a complete replica of the primary site; it may also have software installed, or older backups. A warm site can be operational much more quickly than a cold site, but less than a hot site; likewise, its cost is intermediate between the two.
Proxy Servers
A computer that acts as a gateway between a local and a larger-scale network such as the internet. Proxy servers provide increased performance and security. -Content caching of frequently accessed data -Load balancing for internal servers -Increased security or anonymity -NAT functions -Content filtering -SSL offloading and encryption filtering
Management Information Base (MIB)
A database containing OIDs for a managed device, arranged in a tree-like hierarchical fashion. The MIB is built into the agent, and a copy of its structure is imported into the NMS. This allows the two to communicate clearly about the device's functions.
Load balancing
A feature that distributes network traffic among multiple servers or virtual machines within a cluster to avoid overloading any one host and improve performance.
Hot site
A fully operational site, complete with computer hardware, network infrastructure, installed software, and even recent backups: it can be activated in hours, or less, from the recovery plan's initiation. While a hot site maximizes availability, it's expensive to maintain what is essentially a second data center sitting idle most of the time Sufficiently large organizations might instead use distributive allocation so that the "hot site" itself is just excess capacity spread throughout multiple active sites.
Network analyzer
A hardware device or server software that captures packets transmitted in a network for routine inspection and problem detection. Also called a "sniffer", "packet sniffer", "packet analyzer", "packet sampler", "traffic analyzer" and "protocol analyzer"
System logs
A log of significant occurrences in the OS that require notifying the user. this helps in monitoring, administering and troubleshooting the system
Packet Loss Drops
A more general term for packets not being transmitted by a network device, similar to discards
SYStem LOG protocol
A protocol for transmitting event messages and alerts across an IP network. Messages are sent by the OS or application at the start or end of a process or to report the current status of a process.
Round Robin
A simple method of load balancing servers. Multiple identical servers are configured to provide the same services which are provided in a rotating sequential manner.
Cold site
A site without hardware set up in advance. Typically a cold site will have power, ventilation, and network connectivity, but otherwise it's an empty space. To actually recover operations there, you'll need to install hardware, configure the network, install software, and restore backups. A cold site is much slower to restore from than a hot site, but it's no more expensive than the rent.
Manager
A software application used to manage agents. The manager is sometimes called a network management system (NMS), and the host that runs it a network management station.
Snapshot
A type of backup made to quickly capture the state of a system at a given point without much impacting ongoing operations.
Incremental Backup
A type of backup that only backs up files that have changed since the last time files were backed up.
Object Identifier (OID)
A unique number corresponding to an object, something that can be monitored on a managed device. For example, on a switch the up or down status of a particular interface might be an object, as would be its rate of incoming traffic. (The actual value of an object is called a variable.)
SNMP Response Message
Agent-to-manager replies to Get or Set PDUs. Get responses report the requested variables while Set responses acknowledge success or error conditions.
SIEM Log Retention
All aggregated logs, critical or not, can be saved for later analysis or to comply with organizational or regulatory data retention policies.
Content Caching
Allows the balancer itself to store the most frequently accessed content without contacting the servers behind it
UPS
An uninterruptible power supply is typically a surge protector coupled with a battery backup and power inverter. When AC power is interrupted, the UPS can immediately take over without disrupting the functions of any device plugged into it. -limited battery life
SIEM Correlation
Analyzes aggregated events in order to find useful data that might need additional human review. In particular, correlation engines work by finding relationships and trends within a large number of events, filtering out irrelevant data, and highlighting what is most likely to be of interest to administrators.
AFR
Annualized failure rate describes what percentage of units should be expected to fail within a year's time.
Backup power
Brief power outages or irregularities can be compensated for by a battery-powered uninterpretable power supply (UPS), while longer ones require backup generators. Servers also commonly have redundant power supplies, allowing one to be replaced if it fails.
Surge protector
Circuits that protect against sudden voltage increases that can damage delicate electronics.
Disaster Recovery(DR)
Containing damage done by an incident, and getting any affected critical services online and secured again.While DR focuses on the technical issues of fixing the immediate problem, BC focuses on wider consequences to organizational logistics, personnel, and business operations.
Differential Backup
Copies all the data that has changed since the last full backup
Regulatory compliance
Ensuring that incident prevention and response complies not only with the organization's policies, but with any relevant laws, business agreements, or generally expected industry practices. Violating due diligence requirements can result in severe legal or public relations consequences even if the incident itself is minor or fully contained.
Business continuity(BC)
Ensuring that the business itself maintains operations through and after an incident.
Forwarded Events
Events forwarded from other computers. To collect events from a remote computer, you must configure an event subscription relationship between both systems.
System Events
Events generated by Windows components, device drivers, and other system services. System event types are predetermined by Windows.
Application Events
Events logged by specific applications. What generates an event log, and what details are recorded, are up to the writer of the application.
Setup Events
Events related to application installations
Security Events
Events related to security features, such as failed or successful logon attempts, security policy changes, or resource use. Exactly what is logged is user-configurable. Uniquely, this log has two "event levels" technically labeled as Keywords: Audit Success for successful security events (like a logon with proper credentials), and Audit Failure for unsuccessful events (like a logon with failed credentials).
Forensics practices
Formal information gathering and analysis related to an incident, its causes, and its aftermath; specifically, investigation methods which produce data suitable for courtroom evidence. Forensic data is essential for recovery, disciplinary, and legal procedures following an incident.
SIEM Aggregation
Gathers events from many sources throughout the network, and consolidates them so that they can be reviewed together. Effective aggregation often requires additional features such time synchronization and event deduplication.
Forward Proxy
Intercepts traffic from a LAN and forwards it to the internet server
Reverse Proxy
Intercepts traffic from the internet server and forwards it to the LAN
Alternate sites
Large organizations might even maintain multiple facilities for sake of redundancy. If a disaster impairs or disables one site, others can pick up the slack until service is restored. Even if there aren't specific backup sites, distributive allocation of critical business resources means that failures at one site will do minimal harm to the overall organization.
SNMP Set Message
Manager-to-agent configuration commands. A SetRequest PDU changes the value of a single variable or list of variables.
SNMP Get Message
Manager-to-agent requests for information. A GetRequest PDU asks for the value of a single variable or list of variables, but a GetNextRequest series or GetBulkRequest can be used to walk through the entire MIB of a given agent without knowing its full contents. Also known as polling.
Network Redundancy
Many network structures are designed to make sure the network continues to function even when specific links or nodes fail. Mesh topologies, NIC teaming, and port aggregation are examples of this.
Dual power supply
Many servers and fault tolerant systems are designed to draw power simultaneously from two power supplies, so that if one fails the system as a whole can still function. Depending on technical specifics, the system itself may need to switch to a reduced power mode if one supply fails.
MTD
Maximum Tolerable Downtime - The maximum length of time a business function can be disrupted without causing irreparable harm to the business.
MTBF
Mean time between failures is sometimes used interchangeably with MTTF, but it's more properly used to describe the average uptime between failures on a serviceable device, not counting time it's offline for repair.
MTBSI
Mean time between service incidents (MTBSI) is the average time from one failure to the next failure, including the time needed for repairs. MTBSI is equal to MTBF + MTTR.
MTTF
Mean time to failure represents the average time it takes for a newly installed device to fail. It's most accurately used for components or devices that are typically replaced rather than repaired, such as a light bulb or hard drive.
MTTR
Mean time to repair is the average time it takes to repair a serviceable device. For example, you could use MTTR to describe the time it takes to bring a server back to full operation after a hard drive or other component fails.
Metrics
Measurements of network behavior. Helps to gain visibility into what is happening in your network in real-time. You can analyze metrics from multiple perspectives to gain an understanding of past and present performance and to forecast future performance -CPU time -Memory -Storage -Bandwidth utilization -Speed and duplex settings
TCP offloading/TCP buffering
Move resource-intensive TCP services to different servers than those performing server application functions.
SSL offloading
Moves the processing overhead associated with SSL or TLS encryption to another server, or to a hardware appliance with accelerated encryption features.
Priority Queuing
Much like QoS, allows some traffic to be given priority over others.
Packet Loss Collisions
Multiple nodes on a shared channel transmit at once and each needs to resend
Power generator
On-site electrical generators can provide backup power for as long as they're provided with fuel, so make an excellent solution for systems that need to function through longer power outages. -takes time to start up, not instant like UPS
Packet loss Errors
Packets arrive but contain data errors and must be discarded
Packet Loss Discards
Packets arrive intact, but can't be used. Network devices frequently discard packets because of ACL rules, lack of a valid path forward, or because congestion causes the device queue to fill.
SIEM Alerts
Recognizes individual events or correlated trends that signify security incidents or other time-critical issues, and alerts security personnel. Alerts can be sent to a dashboard in the software interface, or if more critical can be sent as email or SMS notifications.
RPO
Recovery Point Objective - Amount of data lost since the last successful backup
RTO
Recovery time objective - the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
Agent
SNMP software running on a managed device. Originally managed devices were generally network equipment such as switches, routers, or servers; but they can be almost any IP device, including phones, cameras, and other hosts.
SIEM
Security Information and Event Management - Software collects and aggregates log data generated throughout the organization's technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters. The software then identifies and categorizes incidents and events, as well as analyzes them.
Clustering
Server clustering is related to, and often used in conjunction with, load balancing, but it goes a little further. Multiple servers in a cluster don't just supply redundant resources, but are aware of each other and operate toward a common goal. Clusters are usually able to dynamically reallocate duties when individual servers fail.
SNMP
Simple Network Management Protocol - An application-layer protocol used to manage and monitor network devices and their functions. In addition to hardware, SNMP can be used to monitor services such as DHCP -bandwidth usage -converts error reports in a log -emails when server is low on disk space -Server CPU and Memory usage
Health Checking
Tracks the functionality of each server in the load balancing pool, removing it in case of failure.
SNMP Trap
Unsolicited agent-to-manager reports about variable states, usually used to report significant changes of conditions without waiting for a GetRequest. The opposite of polling.
SIEM Analysis tools
Users can apply new search and correlation criteria at any time to apply to stored logs, performing rapid forensic analysis even on topics real-time analysis didn't identify.
Redundant circuit
Using multiple redundant power circuits, either in building wiring or in server rack power distribution units (PDUs), allows connected systems to function even if one or the other fails. Obviously, the system must be able to plug into both simultaneously.
Virtualization
Virtual and cloud systems don't in themselves provide redundancy, but they make it much easier to quickly deploy new copies of existing systems whenever and wherever you need them. This doesn't only help with recovery from a failure; it also can provide elasticity to meet transient surges in demand and scalability to meet long-term growth.
Data compression
uses standard compression methods to reduce the bandwidth required by some kinds of data traffic.