IP Networking Part 5 ‐ Building the KSBE Network “A webinar to help you prepare for the CBNE™ Certification”

Wayne M. Pecena, CPBE, CBNE Texas A&M Information Technology Educational Broadcast Services IP Networking‐Part 5 ‐ Building the KSBE Network “A webinar to help you ppprepare for the CBNE™ Certification”

Advertised Presentation Scope:

The IP Networking webinar series continues with part 5 focusing on “Building the KSBE Network", by applying the concepts addressed in the first 4 parts of the IP Networking Webinar series. The end result of this webinar will be an understanding of how to build an IP network infrastructure often found in a broadcast environment. The “KSBE Network” will address layered IP netwo rk des ig n, app licat io n o f a n IP add ress ing p la n, use of VLAN’ s, r outin g pr otocol s, securin g th e n etw ork , an d access to the network through a secure VPN connection. The IP Networking Webinar series is focused on enhancing the Broadcast Engineers knowledge of the technology and practical concepts of IP Networking in the broadcast plant. In addition, the webinar series provides an excellent tutorial for those preparing for SBE networking certifications such as the CBNE.

My Goals & Deliverables for This Afternoon:

‐ Provide an Awareness of Network Design Principals ‐ Provide an Understanding of Factors in Network Design ‐ Provide a Foundation for SBE CBNT & CBNE Certification Exams ‐ Provide Reference Material & Resources to Obtain Further Knowledge

2 Agenda

• Introduction • Network Design Concepts • Layered Network Design • The Building Blocks – SddStandards – Network Topologies – IP Address Plan (IPv4 focused) – VLAN Implementation – When to Route –When to Switch? • Securing the Network • Access the Network • “Assembling the KSBE Network” • Best Practices Summary / Q & A • Reference Documents

3 5 Things Required To Build a Network

• Send Host • Receive Host • Message or Data to Send Between Hosts • Media to Interconnect Hosts • Protocol to Define How Data is Transferred

4 Network Design Considerations

• Performance • Reliability / Redundancy • Sca la bility • Security • Flexibility • Manageability • Affordability

5 The Design Process

6 The Basic Network

7 The LAN Environment

8 Adding Redundant ISP’s

9 More Redundancy!

10 Layered Network Design • Separate Network in “Layers” or Zones – External or Public Network – “DMZ” or Demilitarized Zone or Perimeter Network – Internal or Private Network(s)

Non‐Secure

Secure

11 Standards • OSI Model & IETF RFC’s • IlInternal SddStandards: – Device Naming Scheme • Device Type • Device Number • Device Location – IP Addressing Scheme • Public • Private – VLAN Naming Scheme – Wiring Schemes

12 OSI ‐ DoD ‐ TCP/IP Models IP Focused ‐ DOD Model Stack or TCP/IP Model

13 Reference Hardware & Services

• Physical Medium(s) • Switches • Routers • Firewalls • VLAN(s) • VPN(s)

14 Managed vs Un‐Managed Switches

• Managed Switch • Un‐Managed Switch – User Configurable – Fixed Configuration – Provides Ability to Control & – “Plug & Play” Monitor Host Communications – Provides Basic Host – Port Configuration , Security, & Communications MiMonitor ing – VLAN Implementation – Cheaper – Redundancy Supported (STP) – QoS ()(Prioritization) Implementation – Port Mirroring

15 Addressing Physi ca l & Virtua l Address ing

• Each Host on an Ethernet Based IP Network Has: • An Unique MAC Address – Layer 2 Physical Address (local ) • An Unique IP Address – Layer 3 Logical Address (global routed)

16 IP Address Plan

• Required Space vs Available Space • Private Addresses • “bli”“Public” Addresses • Static Assignment • Dynamic Assignment

17 The IP Address Subnet Mask Each IP Address Must Have a Subnet Mask

18 IP Address Subnetting

• What is a Subnet? – Logical Subdivision of a Larger Network – Creates New Networks From A Larger Network – Bits Are “Stolen” From the Host Portion • Each Newer Network Created Has Less Hosts • 2n‐2 New Networks Created where n=number of host bits stolen

• Why Do We Subnet? – Efficient Use of IP Address Space (“Right Size” the Network) – Increase Performance (smaller Broadcast domain) – Enhance Routing Efficiency (reduce Routing Table size) – Network Management Policy and Segmentation (function, ownership, geo location) – Job Security for Network Engineers!

19 Subnet Example

Network Existing Design Required Hosts Hosts Subnet Size A – Sales 35 40 64 B – Eng 17 20 32 C ‐ Prod 27 30 32

20 Network Address Translation –NAT RFC 1631 • Allows Mapping Internal (private) Address Space to External (public) Address Space – Allows Internal IP Addresses to be Hid (Security) – Can Conserve IP Public Address Space

21 Building the IP Network Infrastructure • Layered Network Design • Switching – VLAN(s ) • Routing • Access Control – Tunnels – Firewalls

22 Switching vs Routing When to Switch? ‐‐ When to Route?

23 Switching Fundamentals

• Legacy Ethernet Used Hubs – An “Ethernet DA” of sorts –All Bits Go to All Ports – High Collision Level Due to Shared Media (40‐50% of Bandwidth Consumed by Collision Recovery) – High Collision Level Yields High Latency

• Switches Allow Segmentation of Network – Allows Dedicated Bandwidth and Point‐Point Communications – Increased Throughput Due to Zero or Minimal Collisions – Allows Full‐Duplex Operation – Increased Security Capability

• Switches Selectively Forward Individual “Frames” from a Receiving Port to a Destination Port

24 VLANS Are Your Friend!

• Virtual Local Area Network – VLAN – Logical Network of a Physical Network • Allows Separation of Networks Across a Common Physical Media – Creates Subset of Larger Network – Control Broadcast Domains – Each VLAN is a Broadcast Domain – Architecture Flexibility – Security • Static Port Based VLAN(s) – Most Popular – Manual Configuration • Dynamic Port Based – MAC‐BdBased VLAN(s ) • Assignment Based Upon MAC Address – Protocol‐Based VLAN(s) • Assignment Based Upon Protocol

25 VLAN Trunking

26 VLAN Example Physical Representation of Previous Diagram

Switch Port Type Configuration:

Access Link – Member of One VLAN Only Connects to a Host Trunk Link – Carries Traffic From Multiple VLANS Between Switches

27 Interface Configuration

28 Broadcast Domains

29 Connectivity Between Broadcast Domains

GE0 GE2 Network #1 Network #3

GE1 Unique IP Unique IP Unique IP Address Address Address Range Range Range Network #2

FE0

Blue Green Red VLAN VLAN VLAN

30 Routing

• Routing is Simppyly the Moving of Data Between Networks • OSI Model Layer 3 Process • Routing Involves Two Processes: – Determining the Best Path The Hard Part – Actually Sending of the Data The Easy Part • Static Routing – Stub Routing (used when only one path exists) • Dynamic Routing – Path is Automatically Determined

31 Routing Types:

• Static Routing – Appropriate for Small Networks – Appropriate for Stable Networks – Use in “Stub” Networks – Minimal Hardware / Easy Administration

• Dynamic Routing – Appropriate for Changing Topology Environments – Desirable When Multiple Paths Exist – More Scalable – Less Configuration Error Prone

32 Routing Protocol Choices

Interior Distance Interior Link State Exterior Path Vector Vector Class fu l RIP IGRP EGP

Classless RIP v2 EIGRP OSPF v2 IS‐IS BGP v4

IPv6 RIPng EIGRP v6 OSPF v3 IS‐IS v6 BGP v4

33 Practical Routing Protocol Choices “Common” IGP Protocols – VLSM Support

RIP v2 EIGRP (Cisco) OSPF v2 Type: Distance Vector Hybird Link‐State Metric: Hop Count Bandwidth/Delay Cost Administrative 120 90 110 Distance: Hop Count Limit: 15 224 None Convergence: Slow Fast Fast Updates: Full Table Every 30 Send Only Send Only When Seconds Changes When Change Occurs, Change Occurs But Refreshed Every 30m RFC Reference: RFC 1388 N/A RFC 2328

34 Routing Protocols: Which One is Best? “It Depends ”

RIP ISP BGP

OSPF

EIGRP

35 Which Routing Protocol?

Static Dynamic Routing Routing

EGP IGP

BGP

Distance Link State Vector Protocol: Protocol:

RIP IGRP OSPF IS-IS

Standards Based Hybrid Proprietary Protocol:

EIGRP 36 Unicast or ?

Diagram Courtesy of: When to Route – When to Switch?

Broadcast Domain When to ROUTE? “Breaks the Broadcast Domain”

Collision Collision Domain Domain

Router Collision Collision Domain Domain

When to SWITCH? “Breaks the Collision Domain”

Broadcast Domain

38 Routing & Switching Summary

Collision Domain Broadcast Domain Route Between Networks (Broadcast Domains)

Switch to Break Collision Domain Within a

Collision Broadcast Domain Collision Domain Domain Hub Switch Switch Collision Domain

Collision Collision Domain Domain

Layer 3 Si Switch

Collision Collision Domain Domain

Broadcast Domain

Broadcast Domain 39 What Is A “Layer 3” Switch?

• “Marketing Terminology” Applied to a One Box Solution: – Layer 2 Switching or Forwarding • Traditionally Performed in Hardware – Layer 3 Routing or Forwarding • Traditionally Performed in Software

• Layer 3 Switch Performs Both

• Can Eliminate Use of VLAN(s) –Each Port Can Be Assigned to a Subnet

• Not for All Environments – Typically Found in Workgroup Environment – Limited to Ethernet – Limited to OSPF and RIP Protocols

40 The Security Challenge

PERFORMANCE SECURITY USEABILITY

41 Goals of Network Security

• Confidentiality “Keeping Data Private”

• Integrity “Insuring Data Has Not Been Modified”

• Availability “Insuring Data is Availlblable to the Intenddded User”

42 Network Security – The First Step

• Control Access to the Network – Open or Available LAN Switch Ports? – Can I get an IP Address? – If I get an IP Address, can I get Network Access?

• First Step: – LkLock down all LAN switc h ports – Require Users & Devices to Authenticate (802.1xX)

43 Network Security Concerns

• Focused on Protecting the Network Infrastructure • Common Threats: – DHCP Snooping – ARP Spoofing (IP Spoofing) – Rogue Routers Advertisements – Denial of Service Attacks – Application Layer Attacks • Implementation Considerations: – Know Your Enemy – Cost – Human Factors – Understand Your Network – Limit Scope of Access – Don’t Overlook Physical Security

44 Security

• Firewalls • Intrusion Detection • Content • Physical • Regulatory • Communications • Access

45 Switch Port Security “Port Lockdown”

• An Important Feature of Implementing Switch Infrastructure • Port Security Aspects: – One MAC Address Per Port • Dynamic • Stati c – n MAC Addresses Per Port – Unused Ports Disabled – MAC Violation Action – VLAN Specified Per Port

46 IT Infrastructure Threats

• Viruses • Operating Systems • Worms • File System / Media • Trojan Horse • Application • Spyware & Adware – Web Services • “Zombie – Email Services Computer” – P2P • Wire less / MbilMobile Environment • Social Engineering • And the list goes on & on…..

47 Network Infrastructure Threats

• Denial of Service “DoS” • Spoofing • Hijacking • Authentication Bypass or “Back Door” Access • Physical Access • And the list goes on & on…..

48 Can You Balance Your Network Infrastructure?

“DoS” Viruses Spoofing Worms Hijacking Trojan Horse “Back Door” Access Spyware Physical Access Adware SilEiSocial Engineer ing Botnets Phishing USEABLE And more …..

The Goal – “Create a Secure But Useable Network”

49 Network Security Tools • – Used to Create a “Trusted” Network Segment by Permitting or Denying Network Packets – Types of Firewalls: • Packet Filtering – Stateless – Stateful • Detection Tools – Intrusion Detection Systems (IDS) • Signature Based • Anomaly Based – Intrusion Prevention Systems (IPS) • Combine Firewall & IDS Functions

50 Firewalls

• Firewall – Defines Traffic Types That Can Enter or Exit a Network – Can Be Software Based • Access Control List “ACL” Applied to Router or Switch Interface –Ingress or Egress Filtering: – IP Address Filtering – Port Number Filtering – MAC Address Filter ing – May Be Hardware Based “Appliance”

51 Firewall Types:

Packet Filtering - “Stateless” Packet Filtering - “Stateful”

52 Firewall Implementation “The 3‐Armed Firewall”

53 VPN Implementation “Virtual Private Network”

Demilitarized Zone “DMZ”

Email Server Remote User Web (VPN Client) Server

Application Server

Internal VPN Network(s) Concentrator (Outside)

Application Server VPN Access Appliance

Remote Office 54 Don Not Confuse VLAN’s and VPN’s Essence of a VPN is a TlTunnel Throug h a NkNetwork IfInfrastructure

Virtual Private Network – VPN Protocols - IPsec with Encryption - L2TP inside of IPsec - SSL with Encryption

55 Packet Filtering & Shaping

• Packet Filtering – A Firewa ll is UUdsed to Create a “Truste d” NNketwork Segment by PPiiermitting or DDienying Network Packets – Can Be Implemented in Router with Access Control Lists (ACL) – Ingress Filtering – Egress Filtering – Types of Firewalls: • Packet Filtering: – Stateless – Filters Solely on Packet Info – Statefull – Identifies as Packet Stream Component • NextGen – Provide Application Awareness

• Packet Shaping – A Traffic Shaper is Used to Control the Volume of Traffic on a Network Segment – Generally Achieved by Delaying Packets – Traffic is Classified – Rules Applied Based Upon Classification

56 Quality of Service – “QoS” IEEE 802.1P/Q

• Why QoS? – All IP Packets Are Created Equal, But The Application Data Contained Within an IP Packet May Not Be. – Q0S Allows Network Traffic to Be Prioritized Based Upon the Application to Insure Packet Delivery: • Streaming Media (Audio over IP –Video Over IP) • IP Telephony (Voice over IP) • Real‐Time Control (automation control) • Mission Critical Applications

57 Assembling the Pieces

58 Some Best Practices to Consider

• Recognize Physical Security • Keep Up With Equipment “Patches” • Change Default Logins • Utilize Access Logging on Key • Utilize Strong Passwords Network Devices • Disable Services Not Required • Utilize Session Timeout Features • Adopt a Layered Design Approach • Encrypt Any Critical Data • Segregate Network(s) • Restrict Remote Access Source • Separate Networks via VLANS • Understand & Know Your Network • Implement Switch Port Security Baseline • • Utilize Packet Filtering in Routers & Actively Monitor and Look for Firewalls Abnormalities • • Do Not Overlook Egress Traffic Limit “Need‐to‐Know” • • Deny All Traffic –Then Permit Only Disable External “ICMP” Access Required

59 Document What You Do!

60 61 CBNE Recommended Study:

62 My Favorite:

63 Web Reference Sources:

IETF RFC Documents: www.rfc-editor.org Learn More About the OSI Model: http://www.9tut.com/osi-model-tutorial Learn More About Switching: http://www. technick. net/public/code/cp_ dpadpagege. php?aiocp_dp=guide _networking _switching Learn More About Routing: http://www.inetdaemon.com/tutorials/internet/ip/routing/index.shtml Learn More About Layyger 3 Switching: http://happyrouter.com/layer-3-switches-explained Learn More About QoS: http://docwiki.cisco.com/wiki/Quality_of_Service_Networking

64 ? Questions ?

Thank You for Attending!

Wayne M. Pecena Texas A&M University Office of Information Technology w‐[email protected] u [email protected]

979.845.5662

65