Networking Test 3
Two-Level DRPs
*First Level*: Build enough capacity and have spare equipment (minor disaster, could be very expensive) -*Level Two*: Disaster recovery outsourcing, rely on professional disaster recovery team (major disasters)
DOS and DDOS Approaches
-*Traffic filtering*: Verify all incoming traffic addresses for validity (requires lots of processing) -*Traffic Limiting*: When a flood of packets is entering the network, limit access regardless of source -*Traffic anomaly detectors:* Perform analysis of traffic to see what normal traffic is, block abnormal patterns
Security Risk Assessment
-A key step in developing a secure network -Assign levels of risk to various threats -Use a control spreadsheet: -List assets on side, threats across top, controls currently in use to compare risks
Digital Subscriber Line
-A point to point technology -Designed to provide high speed data transmission over traditional telephone lines -Traditional telephone lines: limited capacity due to telephone and switching equipment. Higher bandwidth possible -Requires changing telephone equipment, not rewiring local loop, not available in all locations in US (On top of existing phone network, different frequencies) -Customer premises equipment (CPE) installed -Local loops connect to MDF (splits voice and data)
Sprint's Internet Backbone
-A tier 1 in North America -Circuits: mostly ATM OC-12; few OC-48 and OC-192
Synchronous Optical Network (SONET)
-ANSI standard for optical fiber transmission in Gbps range -SONET hierarchy (Begins with OC-1 and everything after that is a multiple of it)
Features of Future Internet
-Access via gigapops, similar to NAPs (very high speeds) -IPv6 not IPv4 -New protocol focusing on issues like QoS & multicasting -New applications: tele-immersion, videoconferencing
Application Level Firewalls
-Act as intermediate host computer (Forces anyone to login to firewall and only allows access to authorized applications) -Separates private network from rest of internet -Some prohibit external users from downloading executable files -Requires more processing power than packet filters which can impact network performance
Improving Circuit Performance
-Analyze traffic to find circuits reaching capacity (upgrade overused circuits) -Examine why circuits are overused (traffic between locations) -Add circuit switched or packet switched device that is only used when demand exceeds capacity
Frame Relay
-Another standardized technology, slower than ATM -Encapsulates packets, unreliable like ATM -No QoS support (under development)
Internet Backbones
-Backbone circuits for national ISPs (OC-48 and OC-192 the most common) -Aggregate Internet Traffic: Growing rapidly; NAPs and MAEs are becoming bottlenecks (requiring larger and larger switches)
Securing Network Perimeter
-Basic access points into a network (LANs inside organization, Dial-up access through modem, Internet) -Basic elements in preventing access: -Perimeter firewalls, Network Address Translation (NAT) proxy servers, physical security, Dial-in security
NAT Proxy Servers
-Becoming more popular, replacing firewalls -Slow down message transfer -Require at least two separate DNS servers (one for use by external users on the internet and one for internal users) -*Use combined, layered approach*: Use layers of NAT proxy servers, packet filters, application gateways -Maintaining online resources in a "DMZ network" between internal networks and the internet
CSU / DSU
-Channel Service Unit / Data Service Unit -WAN equivalent of NIC in a LAN -May also include multiplexer
Mesh Architecture
-Combines performance and benefits of ring and star architectures -Uses decentralized routing, each computer does its own -Impact of losing a circuit is minimal -More expensive than setting up ring or star
Computer Security Incidents
-Computer security increasingly more important (more sophisticated tools for breaking in) -Incidents increasing at an alarming rate -Computer Emergency Response Team (CERT) developed to respond to and raise awareness -Worldwide information security losses = 2 trillion
CIA: Primary goals of security
-Confidentiality: Protection of data from unauthorized disclosure of customer and proprietary data -Integrity: Assurance data has not been altered/destroyed -Availability: providing continuous uninterrupted service
Wide Area Network
-Connect BNs and LANs across longer distances, often hundreds of miles or more -Typically built by using leased circuits from common carriers such as AT&T (most cannot afford to build their own)
Network Access Points
-Connect tier 1 ISPs together -Sometimes larger tier 2 or 3 ISPs also have access directly to NAPs -About a dozen NAPs in the US -Run by common carriers such as Sprint and AT&T
Metropolitan Area Exchanges (MAE)
-Connect tier 2 ISPs together
How MPLS Works
-Customer connects to the common carrier's network using any common layer 2 service -Carrier's switch at the network entry point examines the incoming frame and converts the incoming layer 2 or 3 address into MPLS address layer -The carrier can use the same layer 2 protocol inside its network as the customer, or it can use something different -When delivered, the MPLS switch removes the MPLS header and delivers the packet into the customer's network using whatever layer 2 protocol the customer has used to connect into the carrier's network at this point
Connectionless Packet Routing
-Datagram -Adds destination and sequence number to each packet -Individual packets can follow different routes through the network -Packet reassembles at destination
Fiber to the Home
-Dedicated point to point fiber optic service -7 million US homes subscribed, 10 million more available -An optical unit network (OUN) at the customer site acts as an Ethernet switch and a router -Provides 10-100 Mbps downstream, 1-10 Mbps upstream
Reducing Network Demand
-Determine impact on network -Use data compression of all data on network -Shift network usage (from peak times to lower demand times) -Redesign the network (move data closer to applications and people that use them)
WAN Practice Designs
-Difficult to recommend best practice (service being bought, fast changing technologies) -Factors: Data rates, costs, reliability, integration -Design: -Start with flexible packet switched service -Move to dedicated circuit services -May use both
Cable Modems
-Digital service offered by cable television companies -Uses hybrid fiber coax -Data Over Cable Service Interface Specification (DOCSIS): most commonly used modem protocol -Offerings vary: depend on quality of cable plant
Types of security threats
-Disruptions: Loss of network service (could be minor) -Destruction of data: viruses destroying files or crashing the hard disk -Disasters: may destroy host computers or sections of the network
Connecting to an ISP
-Done through ISP's Point of Presence (PoP) -Individual users: Typically through cable or DSL -Corporate users: Typically access the PoP using a T-1, T-3, or ATM OC-3 connection by common carrier
Star Architecture
-Easy to manage (Central computer routes all messages) -Reliability: Failure of central computer brings network down, failure of any circuit affects one site only -Performance: Central computer becomes bottleneck under high traffic
HSPA+
-Enhanced HSPA -Reasonable bandwidth -T-Mobile, AT&T -Bridge until LTE rollout is complete
Professional Hackers
-Espionage, fraud etc. -Breaking into computers for specific purposes
Switched Virtual Circuit (SVC)
-Establish dynamically on a per-call basis -Disconnected when call ends
Permanent Virtual Circuit (PVCs)
-Established for long duration (days or weeks) -Changed only by the network manager -More commonly used -Packet switched networks using PVCs behave like dedicated circuit networks
Evaluate the Network's Security
-Evaluate adequacy of the controls and resulting degree of risk associated with each threat -Establish priority when dealing with threats (which need to be addressed immediately) -Assessment can be done by the network manager or a team of experts called a Delphi team
Packet-Level Firewall
-Examines the source and destination address of every packet passing through -Only packets with acceptable addresses can pass -Examines IP addresses and TCP port IDs only -Access Control Lists: Set of rules for packet level firewall, can be used to grant access or denial
Intrusion
-Hackers gaining access to data files and resources -Most unauthorized access incidents involve employees -Result: industrial spying, fraud by changing data etc.
Improving WAN Performance
-Handled in same way as improving LAN performance -Improve device performance -Improve circuit capacity -Reduce network demand
IP Spoofing
-IP spoofing remains a problem -Done by changing source address of incoming packets from their real address to one inside the network -Firewall passes packet as it looks to be internal -Many firewalls know to discard incoming packets with internal IP addresses
Internet Engineering Task Force
-ISOC standard -Concerned with evolution of internet architecture and smooth operation of internet -Request for Comments (RFC) basis of standards
Internet Research Task Force
-ISOC standard -Focus on long term specific issues
Internet Architecture Board
-ISOC standard -Provides strategic architectural oversight, guidance
Internet Engineering Steering Group
-ISOC standard -Responsible for management of standards process -Establishes and administers rules
Network Assets
-Identify assets on network (data files most important, mission critical applications, hardware components) -Evaluate assets based on importance -Value of asset is a function of: replacement cost, personnel time to replace, lost revenue due to absence
Disaster Recovery Plans (DRP)
-Identify clear responses to possible disasters -Provide for partial or complete recovery of assets -Includes backup and recovery controls (Make backups routinely, encrypt them and store off site, Some use Continuous Data Protection (CDP)) -Should include a documented and tested approach -Plan for loss of main database or long outages
Identify and Document Controls
-Identify existing controls and list them in the cell for each asset and threat -For each asset and the specific threat: - describe each control that prevents/detects/corrects -Number the controls and put them in the cell
Security Threats
-Identify threats: Anything that can harm or interrupt system using network, or cause monetary loss -Rank threats ( probability of occurrence, cost if threat occurred) -Take nature of business into account (probability of attack greater for big bank than small restaurant)
Packet Switched Services
-In both circuit switched and dedicated services: Circuit is established between 2 computers and it is solely dedicated to those 2 computers -Packet switched services: Enable multiple connections to exist simultaneously between computers over the same physical network -User pays a fixed fee for connection to the network
Packet Switching
-Interleave packets from separate messages for transmission -Most data communication is short business data -Packet switching interleaves bursts from many users to maximize the use of the shared network
VPN Types
-Intranet VPN: provides virtual circuits between organization offices over the internet -Extranet VPN: same as intranet VPN, except the VPN connects several different organizations -Access VPN: Enables employees to access an organization's networks from remote locations
Device Failure Protection
-Key principle in preventing disruption, destruction -Uninterruptible Power Supply (UPS): Separate battery or generator that can supply power when it is lost -Fault-tolerant servers -Disk mirroring (secondary disk for every main disk) -Can apply to other network components as well
Dedicated Circuits
-Leased full duplex circuits from common carriers -Used to create point-to-point links between organizational locations (routers and switches connect locations) -Billed flat fee per month -Require more care in network design -Ring, star, and mesh
Ensuring Business Continuity
-Make sure organization's data and applications will continue to operate even in the face of disruption, destruction, or disaster -2 major parts: Development of controls and the Disaster Recovery Plan
Future of the Internet
-Many new projects designing new technologies to evolve the internet 1) Next generation Internet (NGI) -Internet 2 2) Advanced Research and Development Network Operations Center (ARDNOC) -Ca*
Physical Security
-Means of preventing outsiders from gaining access into offices, server rooms, equipment -Implement proper access controls to areas where network equipment is located -Each network component should have its own level of security -Be careful with distributed backup and servers
Network controls
-Mechanisms that reduce or eliminate the threats to network security -Types include preventive, detective, and corrective
Preventive Controls
-Mitigate or stop a person from acting or an event from occurring -Act as deterrent by discouraging or restraining
Disaster Protection
-More difficult since entire site can be destroyed -*Avoid disaster by*: decentralizing resources, storing critical data in at least two locations -*Best solution*: Have a completely redundant network that duplicates every network component, in a different location -*Other steps:* Flood - keep key components away from river, fire - install suppression system
T Carrier Service
-Most common use of dedicated circuits in North America -FT1 = 64 Kbps -T1 = 1.544 Mbps -T2 = 6.312 Mbps -T3 = 44.376 Mbps -T4 = 274.176 Mbps
Asymmetric DSL (ADSL)
-Most common, uses frequency division multiplexing -Three FDM channels (4 KHz voice channel, downstream traffic channel, slower channel for upstream traffic) -Size of digital channels: depends on distance
Internet Access Technologies
-Most methods are commonly called "broadband communications"; doesn't refer to analog communications, just means high speed -DSL and Cable modems
LTE
-Most mobile devices use ARM-based chips -Spectrum flexibility -Cell sizes -VoLTE: GSM is circuit switched, VoLTE is packet switched
Ethernet Services
-Most organizations use Ethernet and IP in LAN and BN -Ethernet services differ from WAN packet services like ATM or Frame Relay -Currently offer CIR speeds from 1 to 40 Gbps at a lower cost than traditional services -No need to translate LAN protocol (Ethernet/IP) to protocol used in WAN services -Emerging technology; expect changes
Security Experts (hackers)
-Motivation: the thrill of the hunt; to show off -Crackers: hackers who cause damage
Elements of a Security Policy
-Names of decision making managers -Incident reporting system and response team -Risk assessment with priorities -Controls on all major access points -Controls so internal users cannot exceed authorized access -User training plans, testing plans
Elements of a DRP
-Names of decision making managers -Staff assignments and responsibilities -List of priorities (fix-firsts) -Recovery procedures of facilities, servers, applications -Actions to be taken under various contingencies -Safe storage of data, software and the plan itself
Preventing Denial of Service Attacks
-Network disrupted by a flood of messages that prevents messages from normal users -Distributed DoS: Come from many different computers at the same time -Difficult to prevent: Can require ISP to verify all incoming messages have valid IP address
Internet Governance
-No one organization operates the internet -Closest thing is the Internet Society (ISOC)
SONET Digital Hierarchy
-OC1 = 51.84 Mbps -OC3 = 155.52 Mbps -OC12 = 622.08 Mbps -OC24 = 1.244 Gbps -OC48 = 2.488 Gbps -OC192 = 9.953 Gbps -OC768 = 39.813 Gbps -OC3072 = 159.25 Gbps
Disaster Recovery Firms
-Offer a range of services: secure backup storage, complete network data center that clients can use during disaster, recovery of data & network within hours -Expensive, used by large organizations -Worthwhile when millions of dollars are at stake
Circuit Switched Devices
-Oldest and simplest WAN approach -Uses Public Switched Telephone Network (PSTN) or other telephone networks -Basic types are POTS (Plain old telephone service) and ISDN (Integrated Services Digital Network)
Internet Society (ISOC)
-Open membership professional society -Want open development of internet for everyone to use around the world -Public policy: debates in copyright, censorship, privacy -Education: Training and education programs
MPLS advantages
-Operates faster than traditional routing -Common carriers in US and Canada typically have a different way of charging for MPLS services than for other packet services, so it is common to use a full mesh design in which every location is connected to every location. Packets take fewer hops and thus less time to reach their destination
Why Networks need Security
-Organizations vulnerable due to dependency on computing and widely available Internet access to its computers and networks -Average $350,000 loss per incident, reduced customer confidence, cost of laws that require reporting incidents -Protecting data and application software (firms spend $1,250 per employee on security)
Packet Exchange Charges
-Peering: ISPs at the same level usually do not charge each other for exchanging messages -Higher level ISPs charge lower level ISPs -Tier 3 ISPs charge individual or corporate users for access
Firewalls
-Prevent intruders by creating secure internet connections -Could be router, gateway, or special purpose computer (Examines packets flowing through network, restricts access, placed on every connection network has to the internet) -Main types: packet level and application level
Specifics of Continuity Plan
-Preventing disruption and disaster (viruses, denial of service attacks, theft, disaster protection) -Detecting disruption, destruction, disaster -Correcting disruption, destruction, disaster (disaster recovery plan, disaster recovery outsourcing)
Virtual Private Networks
-Provide equivalent of a private packet switched network over the public internet -Uses virtual circuits over public internet that appear to be private -Encapsulate packets over these circuits using special protocols that also encrypt IP address -Low cost and flexible
Asynchronous Transfer Mode (ATM)
-Provides packet switching service -Performs encapsulation of packets -Provides no error control (unreliable packet protocol) -Provides extensive QoS information -Scalable and typically uses SONET layer 2
Multi Protocol Label Switching (MPLS)
-Relatively new WAN technology -Designed to work with a variety of commonly used layer 2 protocols
Ring Architecture
-Reliability: Data can flow in both directions with expense of dramatically reduced performance -Performance: Messages travel through many nodes before reaching destination
Corrective Controls
-Remedy an unwanted event or trespass
Intrusion Protection
-Requires proactive approach with routine testing -*Best Rule*: Do not keep extremely sensitive data online, store them on computers isolated from network -Security Policy: critical to controlling risk due to access, should clearly define: -important assets and controls needed -what employees should do -plan for routinely training employees and testing
Detective Controls
-Reveal or discover unwanted events -Documenting events for potential evidence
Securing the Network
-Securing the network requires personnel designated to be accountable for the controls: develop them, make sure they work, update or replace when necessary -Need to be reviewed periodically for usefulness, verification and testing: Ensure it's still there, make sure it works, are there any procedures for overrides
Financial Impact of Security
-Security issues can impact consumer confidence -70% of all emails sent in 2006 were spam -New laws on data privacy and financial information include Sarbanes-Oxley Act and HIPAA
Theft Protection
-Security plan must include an evaluation of the ways to prevent equipment theft -Big problem, large secondary market, $1 billion lost a year -Physical security is key component
Cable Modem Architecture
-Similar to DSL except it uses shared multipoint circuits rather than point to point (all messages heard by all computers on circuit) -Uses cable modem termination system (CMTS) for upstream traffic only -Uses combiner for downstream traffic only (combines internet and TV traffic)
Pros/Cons of circuit switched devices
-Simple, flexible, and inexpensive -Main problems: -Need to make separate connection each time -Low data transmission rates -Alternative: Lease a private dedicated network just for you
Internet's Hierarchical Structure
-Tier 1: ISPs provide services to their customers and sell access to tier 2 and tier 3 ISPs -Tier 2: Connect with tier 1 ISPs, provide services to their customers and sell access to local ISPs -Tier 3: Connect to tier 1 or 2, sell access to individuals
Disadvantages of VPN
-Unpredictability of internet traffic -Lack of standards for internet-based VPNs, so that not all vendor equipment and services are compatible
Improving Device Performance
-Upgrade the devices (routers) and computers that connect backbones to WAN -Examine the routing protocol -Dynamic routing increases network performance, better suited for "bursty" traffic, but reduces overall network capacity
POTS based Circuit Switched Devices
-Use dial up phone lines and modem -Modem used to call another modem, once connection is made data transfer begins -Used to connect to the internet by calling ISP's access point
Network Address Translation (NAT)
-Used by most firewalls to shield private network from public network -Translates between internal private addresses and external public addresses (Done transparently, Internal IP address remains hidden) -Performed by NAT Proxy servers (uses address table to perform translations)
Using Private Addresses with NAT
-Used to provide additional security -Assigns private IP addresses to devices in the network -No problem for internal users, big problem for intruders -Additional benefit is it gives the ability to have more internal IP addresses for an organization
Data Rates of Virtual Circuits
-Users specify the rates per PVC via negotiations -Committed Information Rate (CIR): Guaranteed by service provider (Packets sent at rates exceeding the CIR are marked discard eligible (DE)) -Maximum Allowable Rate (MAR): Sends data only when extra capacity is available
Connection Oriented Packet Routing
-Virtual Circuit (VC) -Establishes end to end circuit between sender and receiver -All packets for transmission take the same route over the virtual circuit provided -Same physical circuit can carry many VCs
Preventing Computer Viruses
-Viruses spread when infected files are accessed (Macro viruses attach to documents and spread when file is opened) -Worms: Special type of viruses that spread w/ no human intervention -Anti-Virus software checks disk and files for viruses -Incoming E-mails are most common source of viruses
WiMAX
-Wireless standard to connect Ethernet LANs -Can be used as fixed or mobile wireless (AKA 4G) -ISPs today beginning to provide this service -Many mobile devices use Intel chip set -PCF media access is used (controlled) -Max range 3-10 miles, common data rate is 40 Mbps
Organization employees
-With legitimate access to the network -Gain access to info not authorized to use
Casual Intruder
-With limited knowledge (trying doorknobs) -Script Kiddies: Novice attackers using hacking tools