IP Networking Part 5 ‐ Building the KSBE Network “A webinar to help you prepare for the CBNE™ Certification”
Wayne M. Pecena, CPBE, CBNE, Texas A&M Information Technology, Educational Broadcast Services
Advertised Presentation Scope:
The IP Networking webinar series continues with part 5 focusing on “Building the KSBE Network”, by applying the concepts addressed in the first 4 parts of the IP Networking Webinar series. The end result of this webinar will be an understanding of how to build an IP network infrastructure often found in a broadcast environment. The “KSBE Network” will address layered IP network design, application of an IP addressing plan, use of VLANs, routing protocols, securing the network, and access to the network through a secure VPN connection. The IP Networking Webinar series is focused on enhancing the Broadcast Engineer's knowledge of the technology and practical concepts of IP Networking in the broadcast plant. In addition, the webinar series provides an excellent tutorial for those preparing for SBE networking certifications such as the CBNE.
My Goals & Deliverables for This Afternoon:
‐ Provide an Awareness of Network Design Principles ‐ Provide an Understanding of Factors in Network Design ‐ Provide a Foundation for SBE CBNT & CBNE Certification Exams ‐ Provide Reference Material & Resources to Obtain Further Knowledge
2 Agenda
• Introduction • Network Design Concepts • Layered Network Design • The Building Blocks – Standards – Network Topologies – IP Address Plan (IPv4 focused) – VLAN Implementation – When to Route – When to Switch? • Securing the Network • Access the Network • “Assembling the KSBE Network” • Best Practices Summary / Q & A • Reference Documents
3 5 Things Required To Build a Network
• Send Host • Receive Host • Message or Data to Send Between Hosts • Media to Interconnect Hosts • Protocol to Define How Data is Transferred
4 Network Design Considerations
• Performance • Reliability / Redundancy • Scalability • Security • Flexibility • Manageability • Affordability
5 The Design Process
6 The Basic Network
7 The LAN Environment
8 Adding Redundant ISP’s
9 More Redundancy!
10 Layered Network Design • Separate Network in “Layers” or Zones – External or Public Network – “DMZ” or Demilitarized Zone or Perimeter Network – Internal or Private Network(s)
(Diagram: network layers ranging from Non‐Secure to Secure)
11 Standards • OSI Model & IETF RFC’s • Internal Standards: – Device Naming Scheme • Device Type • Device Number • Device Location – IP Addressing Scheme • Public • Private – VLAN Naming Scheme – Wiring Schemes
12 OSI ‐ DoD ‐ TCP/IP Models IP Focused ‐ DOD Model Stack or TCP/IP Model
13 Reference Hardware & Services
• Physical Medium(s) • Switches • Routers • Firewalls • VLAN(s) • VPN(s)
14 Managed vs Un‐Managed Ethernet Switches
• Managed Switch – User Configurable – Provides Ability to Control & Monitor Host Communications – Port Configuration, Security, & Monitoring – VLAN Implementation – Redundancy Supported (STP) – QoS (Prioritization) Implementation – Port Mirroring
• Un‐Managed Switch – Fixed Configuration – “Plug & Play” – Provides Basic Host Communications – Cheaper
15 Addressing – Physical & Virtual Addressing
• Each Host on an Ethernet Based IP Network Has: • A Unique MAC Address – Layer 2 Physical Address (local network segment) • A Unique IP Address – Layer 3 Logical Address (globally routed)
16 IP Address Plan
• Required Space vs Available Space • Private Addresses • “Public” Addresses • Static Assignment • Dynamic Assignment
17 The IP Address Subnet Mask Each IP Address Must Have a Subnet Mask
18 IP Address Subnetting
• What is a Subnet? – Logical Subdivision of a Larger Network – Creates New Networks From A Larger Network – Bits Are “Stolen” From the Host Portion • Each New Network Created Has Fewer Hosts • 2^n‐2 New Networks Created where n = number of host bits stolen
• Why Do We Subnet? – Efficient Use of IP Address Space (“Right Size” the Network) – Increase Performance (smaller Broadcast domain) – Enhance Routing Efficiency (reduce Routing Table size) – Network Management Policy and Segmentation (function, ownership, geo location) – Job Security for Network Engineers!
19 Subnet Example
Network     Existing Hosts   Design Required Hosts   Subnet Size
A – Sales   35               40                      64
B – Eng     17               20                      32
C – Prod    27               30                      32
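The sizing in the table above, worked through in code: this is an added example, not material from the webinar, that rounds each host count up to the next power‐of‐two block (leaving room for the network and broadcast addresses) and then allocates those blocks out of one parent network. The parent block 192.168.10.0/24 and the network labels are constructed for illustration.

```python
# Added example, not from the webinar: size and allocate the subnets in
# the table above with Python's ipaddress module. The base block
# 192.168.10.0/24 and the network names are constructed for illustration.
import ipaddress

# (network, design-required hosts) from the KSBE subnet example
REQUIREMENTS = [("A - Sales", 40), ("B - Eng", 20), ("C - Prod", 30)]


def subnet_size_for(hosts):
    """Smallest power-of-two block with room for 'hosts' usable addresses
    after reserving the network and broadcast addresses."""
    size = 4  # the smallest block that still has usable host addresses
    while size - 2 < hosts:
        size *= 2
    return size


def prefix_for(hosts):
    """IPv4 prefix length for that block: 32 minus the host bits kept."""
    host_bits = subnet_size_for(hosts).bit_length() - 1
    return 32 - host_bits


def plan_subnets(base_cidr, requirements):
    """Carve the required subnets out of base_cidr, largest first, so each
    one starts on its own block boundary and none overlap.
    Returns [(name, network, usable_hosts), ...] in allocation order."""
    free = [ipaddress.ip_network(base_cidr)]
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: -r[1]):
        prefix = prefix_for(hosts)
        for block in sorted(free):
            if block.prefixlen <= prefix:  # block is big enough to hold it
                chosen = next(block.subnets(new_prefix=prefix))
                free.remove(block)
                free.extend(block.address_exclude(chosen))  # keep the leftovers
                plan.append((name, chosen, chosen.num_addresses - 2))
                break
        else:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {base_cidr}")
    return plan


if __name__ == "__main__":
    for name, net, usable in plan_subnets("192.168.10.0/24", REQUIREMENTS):
        print(f"{name:10} {str(net):18} mask {net.netmask}  usable hosts {usable}")
```

Allocating largest first is what keeps the /26 and the two /27s aligned on their own boundaries; reversing the order can leave a gap that no later block fits into.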
20 Network Address Translation – NAT (RFC 1631) • Allows Mapping Internal (private) Address Space to External (public) Address Space – Allows Internal IP Addresses to be Hidden (Security) – Can Conserve Public IP Address Space
21 Building the IP Network Infrastructure • Layered Network Design • Switching – VLAN(s) • Routing • Access Control – Tunnels – Firewalls
22 Switching vs Routing When to Switch? ‐‐ When to Route?
23 Switching Fundamentals
• Legacy Ethernet Used Hubs – An “Ethernet DA” of sorts – All Bits Go to All Ports – High Collision Level Due to Shared Media (40‐50% of Bandwidth Consumed by Collision Recovery) – High Collision Level Yields High Latency
• Switches Allow Segmentation of Network – Allows Dedicated Bandwidth and Point‐Point Communications – Increased Throughput Due to Zero or Minimal Collisions – Allows Full‐Duplex Operation – Increased Security Capability
• Switches Selectively Forward Individual “Frames” from a Receiving Port to a Destination Port
24 VLANS Are Your Friend!
• Virtual Local Area Network – VLAN – Logical Network of a Physical Network • Allows Separation of Networks Across a Common Physical Media – Creates Subset of Larger Network – Control Broadcast Domains – Each VLAN is a Broadcast Domain – Architecture Flexibility – Security • Static Port Based VLAN(s) – Most Popular – Manual Configuration • Dynamic Port Based – MAC‐Based VLAN(s) • Assignment Based Upon MAC Address – Protocol‐Based VLAN(s) • Assignment Based Upon Protocol
25 VLAN Trunking
26 VLAN Example Physical Representation of Previous Diagram
Switch Port Type Configuration:
Access Link – Member of One VLAN Only – Connects to a Host
Trunk Link – Carries Traffic From Multiple VLANs Between Switches
27 Interface Configuration
28 Broadcast Domains
29 Connectivity Between Broadcast Domains
(Diagram: a router with interfaces GE0, GE1, GE2 and FE0; Network #1, Network #2 and Network #3 each have a Unique IP Address Range and correspond to the Blue, Green and Red VLANs)
30 Routing
• Routing is Simply the Moving of Data Between Networks • OSI Model Layer 3 Process • Routing Involves Two Processes: – Determining the Best Path (The Hard Part) – Actually Sending the Data (The Easy Part) • Static Routing – Stub Routing (used when only one path exists) • Dynamic Routing – Path is Automatically Determined
31 Routing Types:
• Static Routing – Appropriate for Small Networks – Appropriate for Stable Networks – Use in “Stub” Networks – Minimal Hardware / Easy Administration
• Dynamic Routing – Appropriate for Changing Topology Environments – Desirable When Multiple Paths Exist – More Scalable – Less Configuration Error Prone
32 Routing Protocol Choices
             Interior Distance Vector   Interior Link State   Exterior Path Vector
Classful     RIP, IGRP                  ‐                     EGP
Classless    RIP v2, EIGRP              OSPF v2, IS‐IS        BGP v4
IPv6         RIPng, EIGRP v6            OSPF v3, IS‐IS v6     BGP v4
33 Practical Routing Protocol Choices “Common” IGP Protocols – VLSM Support
                          RIP v2                        EIGRP (Cisco)                  OSPF v2
Type:                     Distance Vector               Hybrid                         Link‐State
Metric:                   Hop Count                     Bandwidth/Delay                Cost
Administrative Distance:  120                           90                             110
Hop Count Limit:          15                            224                            None
Convergence:              Slow                          Fast                           Fast
Updates:                  Full Table Every 30 Seconds   Send Only When Changes Occur   Send Only When Change Occurs, But Refreshed Every 30m
RFC Reference:            RFC 1388                      N/A                            RFC 2328
34 Routing Protocols: Which One is Best? “It Depends”
(Diagram: RIP, OSPF and EIGRP inside the enterprise; BGP toward the ISP)
35 Which Routing Protocol?
• Static Routing
• Dynamic Routing
  – EGP: BGP
  – IGP, Standards Based:
    • Distance Vector Protocol: RIP, IGRP
    • Link State Protocol: OSPF, IS-IS
  – IGP, Hybrid Proprietary Protocol: EIGRP
36 Unicast or Multicast?
When to Route – When to Switch?
Diagram Courtesy of:
• When to ROUTE? “Breaks the Broadcast Domain” – the Router sits between Broadcast Domains, each containing its own Collision Domains
• When to SWITCH? “Breaks the Collision Domain” – the Switch separates Collision Domains within one Broadcast Domain
38 Routing & Switching Summary
• Route Between Networks (Broadcast Domains)
• Switch to Break Collision Domain Within a Broadcast Domain
(Diagram: Router, Hub, Switch and Layer 3 Switch, with the Collision Domains and Broadcast Domains each one creates)
39 What Is A “Layer 3” Switch?
• “Marketing Terminology” Applied to a One Box Solution: – Layer 2 Switching or Forwarding • Traditionally Performed in Hardware – Layer 3 Routing or Forwarding • Traditionally Performed in Software
• Layer 3 Switch Performs Both
• Can Eliminate Use of VLAN(s) – Each Port Can Be Assigned to a Subnet
• Not for All Environments – Typically Found in Workgroup Environment – Limited to Ethernet – Limited to OSPF and RIP Protocols
40 The Security Challenge
(Diagram: the balance between PERFORMANCE, SECURITY and USEABILITY)
41 Goals of Network Security
• Confidentiality – “Keeping Data Private”
• Integrity – “Ensuring Data Has Not Been Modified”
• Availability – “Ensuring Data is Available to the Intended User”
42 Network Security – The First Step
• Control Access to the Network – Open or Available LAN Switch Ports? – Can I get an IP Address? – If I get an IP Address, can I get Network Access?
• First Step: – Lock down all LAN switch ports – Require Users & Devices to Authenticate (802.1X)
43 Network Security Concerns
• Focused on Protecting the Network Infrastructure • Common Threats: – DHCP Snooping – ARP Spoofing (IP Spoofing) – Rogue Router Advertisements – Denial of Service Attacks – Application Layer Attacks • Implementation Considerations: – Know Your Enemy – Cost – Human Factors – Understand Your Network – Limit Scope of Access – Don’t Overlook Physical Security
44 Security
• Firewalls • Intrusion Detection • Content • Physical • Regulatory • Communications • Access
45 Switch Port Security “Port Lockdown”
• An Important Feature of Implementing Switch Infrastructure • Port Security Aspects: – One MAC Address Per Port • Dynamic • Static – n MAC Addresses Per Port – Unused Ports Disabled – MAC Violation Action – VLAN Specified Per Port
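The port security aspects listed above, modelled in code so their interaction is visible: this is an added example, not code from the webinar or from any switch vendor. It shows what the MAC limit, static entries, the violation action (shutdown versus restrict) and an administratively disabled unused port each do to frames arriving on an access port. Port names and MAC addresses are constructed.

```python
# Added example, not from the webinar: a minimal model of switch port
# security. Port names and MAC addresses below are constructed.


class SecurePort:
    def __init__(self, name, max_macs=1, static_macs=(), violation="shutdown",
                 admin_up=True):
        self.name = name
        self.max_macs = max_macs
        self.allowed = {m.lower() for m in static_macs}  # static entries count toward the limit
        self.violation = violation  # "shutdown" (err-disable the port) or "restrict" (drop and count)
        self.enabled = admin_up     # unused ports are simply left disabled
        self.violations = 0

    def receive(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if not self.enabled:
            return False  # a disabled (or err-disabled) port forwards nothing
        if src_mac in self.allowed:
            return True
        if len(self.allowed) < self.max_macs:
            self.allowed.add(src_mac)  # dynamic learning, up to the configured limit
            return True
        self.violations += 1  # an additional MAC beyond the limit: a second device on this port
        if self.violation == "shutdown":
            self.enabled = False  # port stays err-disabled until an administrator re-enables it
        return False


def replay(port, frames):
    """Feed a sequence of source MACs to a port; return the forward/drop decision per frame."""
    return [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    # Constructed: one host is learned, then a second device appears on the same port
    frames = ["00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:01",
              "00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:01"]
    p = SecurePort("Gi1/0/7", max_macs=1, violation="shutdown")
    print(replay(p, frames), "enabled:", p.enabled, "violations:", p.violations)
```

With "shutdown" the original host is cut off too once the port err-disables, which is why the violation counter is worth logging and monitoring as well as the port state.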
46 IT Infrastructure Threats
• Viruses • Worms • Trojan Horse • Spyware & Adware • Botnets (“Zombie Computer”) • Social Engineering • And the list goes on & on…..
• Operating Systems • File System / Media • Application – Web Services – Email Services – P2P • Wireless / Mobile Environment
47 Network Infrastructure Threats
• Denial of Service “DoS” • Spoofing • Hijacking • Authentication Bypass or “Back Door” Access • Physical Access • And the list goes on & on…..
48 Can You Balance Your Network Infrastructure?
(Diagram: a balance with “DoS”, Viruses, Spoofing, Worms, Hijacking, Trojan Horse, “Back Door” Access, Spyware, Physical Access, Adware, Social Engineering, Botnets, Phishing and more on one side and USEABLE on the other)
The Goal – “Create a Secure But Useable Network”
49 Network Security Tools • Firewall – Used to Create a “Trusted” Network Segment by Permitting or Denying Network Packets – Types of Firewalls: • Packet Filtering – Stateless – Stateful • Detection Tools – Intrusion Detection Systems (IDS) • Signature Based • Anomaly Based – Intrusion Prevention Systems (IPS) • Combine Firewall & IDS Functions
50 Firewalls
• Firewall – Defines Traffic Types That Can Enter or Exit a Network – Can Be Software Based • Access Control List “ACL” Applied to Router or Switch Interface – Ingress or Egress Filtering: – IP Address Filtering – Port Number Filtering – MAC Address Filtering – May Be Hardware Based “Appliance”
51 Firewall Types:
Packet Filtering - “Stateless” Packet Filtering - “Stateful”
52 Firewall Implementation “The 3‐Armed Firewall”
53 VPN Implementation “Virtual Private Network”
(Diagram: the Remote User (VPN Client) and the Remote Office reach the Internal Network(s) across the Internet (Outside) through a VPN Concentrator / VPN Access Appliance; the Demilitarized Zone “DMZ” contains the Email Server, Web Server and Application Server)
54 Do Not Confuse VLAN’s and VPN’s – Essence of a VPN is a Tunnel Through a Network Infrastructure
Virtual Private Network – VPN Protocols - IPsec with Encryption - L2TP inside of IPsec - SSL with Encryption
55 Packet Filtering & Shaping
• Packet Filtering – A Firewall is Used to Create a “Trusted” Network Segment by Permitting or Denying Network Packets – Can Be Implemented in Router with Access Control Lists (ACL) – Ingress Filtering – Egress Filtering – Types of Firewalls: • Packet Filtering: – Stateless – Filters Solely on Packet Info – Stateful – Identifies the Packet as a Component of a Stream • NextGen – Provides Application Awareness
• Packet Shaping – A Traffic Shaper is Used to Control the Volume of Traffic on a Network Segment – Generally Achieved by Delaying Packets – Traffic is Classified – Rules Applied Based Upon Classification
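The stateless packet filtering described above, with ingress and egress ACLs evaluated top-down and the implicit deny at the end (the “deny all traffic, then permit only required” practice from the summary slide), as an added example that is not part of the webinar. The internal range, the DMZ web server address and the sample packets are constructed.

```python
# Added example, not from the webinar: a stateless, first-match packet
# filter with the implicit deny. Addresses and packets are constructed.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("192.168.10.0/24")    # constructed internal network
DMZ_WEB = ipaddress.ip_network("192.168.20.10/32")  # constructed DMZ web server

# Rule: (action, protocol or "any", source net, destination net, destination port or None).
# Evaluated top-down; the first match decides, and no match falls through to the implicit deny.
INGRESS_RULES = [  # packets arriving from the Internet
    ("deny", "any", INSIDE, ANY, None),     # anti-spoofing: our own addresses never arrive from outside
    ("permit", "tcp", ANY, DMZ_WEB, 443),   # the public web service, and nothing else
    ("permit", "tcp", ANY, DMZ_WEB, 80),
]
EGRESS_RULES = [  # packets leaving toward the Internet
    ("permit", "tcp", INSIDE, ANY, 443),    # only our own source addresses, only the services we use
    ("permit", "tcp", INSIDE, ANY, 80),
    ("permit", "udp", INSIDE, ANY, 53),
]


def evaluate(rules, pkt):
    """Return "permit" or "deny" for pkt, a dict with proto, src, dst and optional dport."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for action, proto, src_net, dst_net, dport in rules:
        if proto != "any" and proto != pkt["proto"]:
            continue
        if src not in src_net or dst not in dst_net:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action
    return "deny"  # implicit deny: anything not explicitly permitted is dropped


def filter_packets(rules, packets):
    """Run a list of packets through one ACL; returns the decision per packet."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    # Constructed: HTTPS to the DMZ web server, then an inside source address arriving from outside
    print(filter_packets(INGRESS_RULES, [
        {"proto": "tcp", "src": "203.0.113.5", "dst": "192.168.20.10", "dport": 443},
        {"proto": "tcp", "src": "192.168.10.7", "dst": "192.168.20.10", "dport": 443}]))
```

Because each packet is judged on its own header fields, return traffic for inside-initiated sessions is not recognised here; that is exactly the gap a stateful firewall closes.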
56 Quality of Service – “QoS” IEEE 802.1P/Q
• Why QoS? – All IP Packets Are Created Equal, But The Application Data Contained Within an IP Packet May Not Be. – QoS Allows Network Traffic to Be Prioritized Based Upon the Application to Ensure Packet Delivery: • Streaming Media (Audio over IP – Video Over IP) • IP Telephony (Voice over IP) • Real‐Time Control (automation control) • Mission Critical Applications
57 Assembling the Pieces
58 Some Best Practices to Consider
• Recognize Physical Security • Change Default Logins • Utilize Strong Passwords • Disable Services Not Required • Adopt a Layered Design Approach • Segregate Network(s) • Separate Networks via VLANS • Implement Switch Port Security • Utilize Packet Filtering in Routers & Firewalls • Do Not Overlook Egress Traffic • Deny All Traffic – Then Permit Only Required
• Keep Up With Equipment “Patches” • Utilize Access Logging on Key Network Devices • Utilize Session Timeout Features • Encrypt Any Critical Data • Restrict Remote Access Source • Understand & Know Your Network Baseline • Actively Monitor and Look for Abnormalities • Limit “Need‐to‐Know” • Disable External “ICMP” Access
59 Document What You Do!
61 CBNE Recommended Study:
62 My Favorite:
63 Web Reference Sources:
IETF RFC Documents: www.rfc-editor.org
Learn More About the OSI Model: http://www.9tut.com/osi-model-tutorial
Learn More About Switching: http://www.technick.net/public/code/cp_dpage.php?aiocp_dp=guide_networking_switching
Learn More About Routing: http://www.inetdaemon.com/tutorials/internet/ip/routing/index.shtml
Learn More About Layer 3 Switching: http://happyrouter.com/layer-3-switches-explained
Learn More About QoS: http://docwiki.cisco.com/wiki/Quality_of_Service_Networking
64 ? Questions ?
Thank You for Attending!
Wayne M. Pecena Texas A&M University Office of Information Technology w‐[email protected] u [email protected]
979.845.5662