DOCSLIB.ORG

IP Networking Part 5 ‐ Building the KSBE Network “A Webinar to Help You Prepare for the CBNE™ Certification”

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

IP Networking Part 5 ‐ Building the KSBE Network “A webinar to help you prepare for the CBNE™ Certification” Wayne M. Pecena, CPBE, CBNE Texas A&M Information Technology Educational Broadcast Services IP Networking‐Part 5 ‐ Building the KSBE Network “A webinar to help you ppprepare for the CBNE™ Certification” Advertised Presentation Scope: The IP Networking webinar series continues with part 5 focusing on “Building the KSBE Network", by applying the concepts addressed in the first 4 parts of the IP Networking Webinar series. The end result of this webinar will be an understanding of how to build an IP network infrastructure often found in a broadcast environment. The “KSBE Network” will address layered IP netwo rk des ig n, app licat io n o f a n IP add ress ing p la n, use of VLAN’ s, r outin g pr otocol s, securin g th e n etw ork , an d access to the network through a secure VPN connection. The IP Networking Webinar series is focused on enhancing the Broadcast Engineers knowledge of the technology and practical concepts of IP Networking in the broadcast plant. In addition, the webinar series provides an excellent tutorial for those preparing for SBE networking certifications such as the CBNE. My Goals & Deliverables for This Afternoon: ‐ Provide an Awareness of Network Design Principals ‐ Provide an Understanding of Factors in Network Design ‐ Provide a Foundation for SBE CBNT & CBNE Certification Exams ‐ Provide Reference Material & Resources to Obtain Further Knowledge 2 Agenda • Introduction • Network Design Concepts • Layered Network Design • The Building Blocks – SddStandards – Network Topologies – IP Address Plan (IPv4 focused) – VLAN Implementation – When to Route –When to Switch? • Securing the Network • Access the Network • “Assembling the KSBE Network” • Best Practices Summary / Q & A • Reference Documents 3 5 Things Required To Build a Network • Send Host • Receive Host • Message or Data to Send Between Hosts • Media to Interconnect Hosts • Protocol to Define How Data is Transferred 4 Network Design Considerations • Performance • Reliability / Redundancy • Sca la bility • Security • Flexibility • Manageability • Affordability 5 The Design Process 6 The Basic Network 7 The LAN Environment 8 Adding Redundant ISP’s 9 More Redundancy! 10 Layered Network Design • Separate Network in “Layers” or Zones – External or Public Network – “DMZ” or Demilitarized Zone or Perimeter Network – Internal or Private Network(s) Non‐Secure Secure 11 Standards • OSI Model & IETF RFC’s • IlInternal SddStandards: – Device Naming Scheme • Device Type • Device Number • Device Location – IP Addressing Scheme • Public • Private – VLAN Naming Scheme – Wiring Schemes 12 OSI ‐ DoD ‐ TCP/IP Models IP Focused ‐ DOD Model Stack or TCP/IP Model 13 Reference Hardware & Services • Physical Medium(s) • Switches • Routers • Firewalls • VLAN(s) • VPN(s) 14 Managed vs Un‐Managed Ethernet Switches • Managed Switch • Un‐Managed Switch – User Configurable – Fixed Configuration – Provides Ability to Control & – “Plug & Play” Monitor Host Communications – Provides Basic Host – Port Configuration , Security, & Communications MiMonitor ing – VLAN Implementation – Cheaper – Redundancy Supported (STP) – QoS ()(Prioritization) Implementation – Port Mirroring 15 Addressing Phys ica l & Virtua l Address ing • Each Host on an Ethernet Based IP Network Has: • An Unique MAC Address – Layer 2 Physical Address (local network segment) • An Unique IP Address – Layer 3 Logical Address (global routed) 16 IP Address Plan • Required Space vs Available Space • Private Addresses • “bli”“Public” Addresses • Static Assignment • Dynamic Assignment 17 The IP Address Subnet Mask Each IP Address Must Have a Subnet Mask 18 IP Address Subnetting • What is a Subnet? – Logical Subdivision of a Larger Network – Creates New Networks From A Larger Network – Bits Are “Stolen” From the Host Portion • Each Newer Network Created Has Less Hosts • 2n‐2 New Networks Created where n=number of host bits stolen • Why Do We Subnet? – Efficient Use of IP Address Space (“Right Size” the Network) – Increase Performance (smaller Broadcast domain) – Enhance Routing Efficiency (reduce Routing Table size) – Network Management Policy and Segmentation (function, ownership, geo location) – Job Security for Network Engineers! 19 Subnet Example Network Existing Design Required Hosts Hosts Subnet Size A – Sales 35 40 64 B – Eng 17 20 32 C ‐ Prod 27 30 32 20 Network Address Translation –NAT RFC 1631 • Allows Mapping Internal (private) Address Space to External (public) Address Space – Allows Internal IP Addresses to be Hid (Security) – Can Conserve IP Public Address Space 21 Building the IP Network Infrastructure • Layered Network Design • Switching – VLAN(s ) • Routing • Access Control – Tunnels – Firewalls 22 Switching vs Routing When to Switch? ‐‐ When to Route? 23 Switching Fundamentals • Legacy Ethernet Used Hubs – An “Ethernet DA” of sorts –All Bits Go to All Ports – High Collision Level Due to Shared Media (40‐50% of Bandwidth Consumed by Collision Recovery) – High Collision Level Yields High Latency • Switches Allow Segmentation of Network – Allows Dedicated Bandwidth and Point‐Point Communications – Increased Throughput Due to Zero or Minimal Collisions – Allows Full‐Duplex Operation – Increased Security Capability • Switches Selectively Forward Individual “Frames” from a Receiving Port to a Destination Port 24 VLANS Are Your Friend! • Virtual Local Area Network – VLAN – Logical Network of a Physical Network • Allows Separation of Networks Across a Common Physical Media – Creates Subset of Larger Network – Control Broadcast Domains – Each VLAN is a Broadcast Domain – Architecture Flexibility – Security • Static Port Based VLAN(s) – Most Popular – Manual Configuration • Dynamic Port Based – MAC‐BdBased VLAN(s ) • Assignment Based Upon MAC Address – Protocol‐Based VLAN(s) • Assignment Based Upon Protocol 25 VLAN Trunking 26 VLAN Example Physical Representation of Previous Diagram Switch Port Type Configuration: Access Link – Member of One VLAN Only Connects to a Host Trunk Link – Carries Traffic From Multiple VLANS Between Switches 27 Interface Configuration 28 Broadcast Domains 29 Connectivity Between Broadcast Domains GE0 GE2 Network #1 Network #3 GE1 Unique IP Unique IP Unique IP Address Address Address Range Range Range Network #2 FE0 Blue Green Red VLAN VLAN VLAN 30 Routing • Routing is Simppyly the Moving of Data Between Networks • OSI Model Layer 3 Process • Routing Involves Two Processes: – Determining the Best Path The Hard Part – Actually Sending of the Data The Easy Part • Static Routing – Stub Routing (used when only one path exists) • Dynamic Routing – Path is Automatically Determined 31 Routing Types: • Static Routing – Appropriate for Small Networks – Appropriate for Stable Networks – Use in “Stub” Networks – Minimal Hardware / Easy Administration • Dynamic Routing – Appropriate for Changing Topology Environments – Desirable When Multiple Paths Exist – More Scalable – Less Configuration Error Prone 32 Routing Protocol Choices Interior Distance Interior Link State Exterior Path Vector Vector Class fu l RIP IGRP EGP Classless RIP v2 EIGRP OSPF v2 IS‐IS BGP v4 IPv6 RIPng EIGRP v6 OSPF v3 IS‐IS v6 BGP v4 33 Practical Routing Protocol Choices “Common” IGP Protocols – VLSM Support RIP v2 EIGRP (Cisco) OSPF v2 Type: Distance Vector Hybird Link‐State Metric: Hop Count Bandwidth/Delay Cost Administrative 120 90 110 Distance: Hop Count Limit: 15 224 None Convergence: Slow Fast Fast Updates: Full Table Every 30 Send Only Send Only When Seconds Changes When Change Occurs, Change Occurs But Refreshed Every 30m RFC Reference: RFC 1388 N/A RFC 2328 34 Routing Protocols: Which One is Best? “It Depends ” RIP ISP BGP OSPF EIGRP 35 Which Routing Protocol? Static Dynamic Routing Routing EGP IGP BGP Distance Link State Vector Protocol: Protocol: RIP IGRP OSPF IS-IS Standards Based Hybrid Proprietary Protocol: EIGRP 36 Unicast or Multicast ? Diagram Courtesy of: When to Route – When to Switch? Broadcast Domain When to ROUTE? “Breaks the Broadcast Domain” Collision Collision Domain Domain Router Collision Collision Domain Domain When to SWITCH? “Breaks the Collision Domain” Broadcast Domain 38 Routing & Switching Summary Collision Domain Broadcast Domain Route Between Networks (Broadcast Domains) Switch to Break Collision Domain Within a Collision Broadcast Domain Collision Domain Domain Router Hub Switch Switch Collision Domain Collision Collision Domain Domain Layer 3 Si Switch Collision Collision Domain Domain Broadcast Domain Broadcast Domain 39 What Is A “Layer 3” Switch? • “Marketing Terminology” Applied to a One Box Solution: – Layer 2 Switching or Forwarding • Traditionally Performed in Hardware – Layer 3 Routing or Forwarding • Traditionally Performed in Software • Layer 3 Switch Performs Both • Can Eliminate Use of VLAN(s) –Each Port Can Be Assigned to a Subnet • Not for All Environments – Typically Found in Workgroup Environment – Limited to Ethernet – Limited to OSPF and RIP Protocols 40 The Security Challenge PERFORMANCE SECURITY USEABILITY 41 Goals of Network Security • Confidentiality “Keeping Data Private” • Integrity “Insuring Data Has Not Been Modified” • Availability “Insuring Data is Availlblable to the Intenddded User” 42 Network Security – The First Step • Control Access to the Network – Open or Available LAN Switch Ports? – Can I get an IP Address? – If I get an IP Address, can I get Network Access? • First Step: – LkLock down all LAN switc h ports – Require Users & Devices to Authenticate
Recommended publications
  • Data Link Layer

    Data Link Layer

    Data link layer Goals: ❒ Principles behind data link layer services ❍ Error detection, correction ❍ Sharing a broadcast channel: Multiple access ❍ Link layer addressing ❍ Reliable data transfer, flow control: Done! ❒ Example link layer technology: Ethernet Link layer services Framing and link access ❍ Encapsulate datagram: Frame adds header, trailer ❍ Channel access – if shared medium ❍ Frame headers use ‘physical addresses’ = “MAC” to identify source and destination • Different from IP address! Reliable delivery (between adjacent nodes) ❍ Seldom used on low bit error links (fiber optic, co-axial cable and some twisted pairs) ❍ Sometimes used on high error rate links (e.g., wireless links) Link layer services (2.) Flow Control ❍ Pacing between sending and receiving nodes Error Detection ❍ Errors are caused by signal attenuation and noise. ❍ Receiver detects presence of errors signals sender for retrans. or drops frame Error Correction ❍ Receiver identifies and corrects bit error(s) without resorting to retransmission Half-duplex and full-duplex ❍ With half duplex, nodes at both ends of link can transmit, but not at same time Multiple access links / protocols Two types of “links”: ❒ Point-to-point ❍ PPP for dial-up access ❍ Point-to-point link between Ethernet switch and host ❒ Broadcast (shared wire or medium) ❍ Traditional Ethernet ❍ Upstream HFC ❍ 802.11 wireless LAN MAC protocols: Three broad classes ❒ Channel Partitioning ❍ Divide channel into smaller “pieces” (time slots, frequency) ❍ Allocate piece to node for exclusive use ❒ Random
  • Understanding Linux Internetworking

    Understanding Linux Internetworking

    White Paper by David Davis, ActualTech Media Understanding Linux Internetworking In this Paper Introduction Layer 2 vs. Layer 3 Internetworking................ 2 The Internet: the largest internetwork ever created. In fact, the Layer 2 Internetworking on term Internet (with a capital I) is just a shortened version of the Linux Systems ............................................... 3 term internetwork, which means multiple networks connected Bridging ......................................................... 3 together. Most companies create some form of internetwork when they connect their local-area network (LAN) to a wide area Spanning Tree ............................................... 4 network (WAN). For IP packets to be delivered from one Layer 3 Internetworking View on network to another network, IP routing is used — typically in Linux Systems ............................................... 5 conjunction with dynamic routing protocols such as OSPF or BGP. You c an e as i l y use Linux as an internetworking device and Neighbor Table .............................................. 5 connect hosts together on local networks and connect local IP Routing ..................................................... 6 networks together and to the Internet. Virtual LANs (VLANs) ..................................... 7 Here’s what you’ll learn in this paper: Overlay Networks with VXLAN ....................... 9 • The differences between layer 2 and layer 3 internetworking In Summary ................................................. 10 • How to configure IP routing and bridging in Linux Appendix A: The Basics of TCP/IP Addresses ....................................... 11 • How to configure advanced Linux internetworking, such as VLANs, VXLAN, and network packet filtering Appendix B: The OSI Model......................... 12 To create an internetwork, you need to understand layer 2 and layer 3 internetworking, MAC addresses, bridging, routing, ACLs, VLANs, and VXLAN. We’ve got a lot to cover, so let’s get started! Understanding Linux Internetworking 1 Layer 2 vs.
  • Linux Networking Cookbook.Pdf

    Linux Networking Cookbook.Pdf

    Linux Networking Cookbook ™ Carla Schroder Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Linux Networking Cookbook™ by Carla Schroder Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editor: Mike Loukides Indexer: John Bickelhaupt Production Editor: Sumita Mukherji Cover Designer: Karen Montgomery Copyeditor: Derek Di Matteo Interior Designer: David Futato Proofreader: Sumita Mukherji Illustrator: Jessamyn Read Printing History: November 2007: First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. The Cookbook series designations, Linux Networking Cookbook, the image of a female blacksmith, and related trade dress are trademarks of O’Reilly Media, Inc. Java™ is a trademark of Sun Microsystems, Inc. .NET is a registered trademark of Microsoft Corporation. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
  • Virtual Private Network: an Overview Type of Virtual Private Network

    Virtual Private Network: an Overview Type of Virtual Private Network

    Virtual Private Network : Layer 2 Solution Giorgio Sadolfo [email protected] What is virtual private network? • A virtual private network (VPN) allows the provisioning of private network services for an organization or organizations over a public or shared infrastructure such as the Internet or service provider backbone network (Cisco). Virtual Private Network: An Overview Type of virtual private network • SITE to SITE : Site-to-site VPNs provide an Internet-based WAN infrastructure to extend network resources to branch offices, home offices, and business partner sites. • Reliable and high-quality transport of complex, mission-critical traffic, such as voice and client server applications • Simplified provisioning and reduced operational tasks for network designs • Integrated advanced network intelligence and routing for a wide range of network designs Type of virtual private network • REMOTE ACCESS : Remote access VPNs extend almost any data, voice, or video application to the remote desktop, emulating the main office desktop. With this VPN, you can provide highly secure, customizable remote access to anyone, anytime, anywhere, with almost any device. • Create a remote user experience that emulates working on the main office desktop • Deliver VPN access safely and easily to a wide range of users and devices • Support a wide range of connectivity options, endpoints, and platforms to meet your dynamic remote access needs VPN Layer 2: Overview • Layer 2 site-to-site VPNs (L2VPN) can be provisioned between switches, hosts, and routers and allow data link layer connectivity between separate sites. • Communication between customer switches, hosts, and routers is based on Layer 2 addressing, and PE devices perform forwarding of customer data traffic based on incoming link and Layer 2 header information: • MAC address; • Frame Relay; • Data Link Connection Identifier [DLCI]; • and so on.
  • ITU Botnet Mitigation Toolkit Background Information

    ITU Botnet Mitigation Toolkit Background Information

    ITU Botnet Mitigation Toolkit Background Information ICT Applications and Cybersecurity Division Policies and Strategies Department ITU Telecommunication Development Sector January 2008 Acknowledgements Botnets (also called zombie armies or drone armies) are networks of compromised computers infected with viruses or malware to turn them into “zombies” or “robots” – computers that can be controlled without the owners’ knowledge. Criminals can use the collective computing power and connected bandwidth of these externally-controlled networks for malicious purposes and criminal activities, including, inter alia, generation of spam e-mails, launching of Distributed Denial of Service (DDoS) attacks, alteration or destruction of data, and identity theft. The threat from botnets is growing fast. The latest (2007) generation of botnets such as the Storm Worm uses particularly aggressive techniques such as fast-flux networks and striking back with DDoS attacks against security vendors trying to mitigate them. An underground economy has now sprung up around botnets, yielding significant revenues for authors of computer viruses, botnet controllers and criminals who commission this illegal activity by renting botnets. In response to this growing threat, ITU is developing a Botnet Mitigation Toolkit to assist in mitigating the problem of botnets. This document provides background information on the toolkit. The toolkit, developed by Mr. Suresh Ramasubramanian, draws on existing resources, identifies relevant local and international stakeholders, and
  • Collision & Broadcast Domain a Collision Domain Is a Section of A

    Collision & Broadcast Domain a Collision Domain Is a Section of A

    Computer Networking & Communication 4th Class Arranged By: Dr.Ahmed Chalak Shakir Collision & Broadcast Domain A collision domain is a section of a network where data packets can collide with one another when being sent on a shared medium or through repeaters, particularly when using early versions of Ethernet. A network collision occurs when more than one device attempts to send a packet on a network segment at the same time. A broadcast domain is a logical division of a computer network, in which all nodes can reach each other by broadcast at the data link layer. LAYER 1 - PHYSICAL LAYER Devices - Hubs, Repeaters Collision Domain: As you might have studied both these devices just forward the data as it is to all the devices that are connected to them after attenuating it (making it stronger so that it travels more distance). All the devices fall in the SAME COLLISION DOMAIN because two or more devices might send the data at the same time even when we have CSMA/CD working. So, the data can collide and nullify each other that way no one gets nothing. Broadcast Domain: These devices don't use any type of addressing schemes to help them forward the data like MAC or IP addresses. So, if a PC A sends something for PC B and there are also C,D and E PC's connected to the hub then all the devices i.e. B,C,D and E would receive the data ( Only PC B accepts it while others drop it ). This is what is being in a single BROADCAST DOMAIN.
  • Linux Networking 101

    Linux Networking 101

    The Gorilla ® Guide to… Linux Networking 101 Inside this Guide: • Discover how Linux continues its march toward world domination • Learn basic Linux administration tips • See how easy it can be to build your entire network on a Linux foundation • Find out how Cumulus Linux is your ticket to networking freedom David M. Davis ActualTech Media Helping You Navigate The Technology Jungle! In Partnership With www.actualtechmedia.com The Gorilla Guide To… Linux Networking 101 Author David M. Davis, ActualTech Media Editors Hilary Kirchner, Dream Write Creative, LLC Christina Guthrie, Guthrie Writing & Editorial, LLC Madison Emery, Cumulus Networks Layout and Design Scott D. Lowe, ActualTech Media Copyright © 2017 by ActualTech Media. All rights reserved. No portion of this book may be reproduced or used in any manner without the express written permission of the publisher except for the use of brief quotations. The information provided within this eBook is for general informational purposes only. While we try to keep the information up- to-date and correct, there are no representations or warranties, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the information, products, services, or related graphics contained in this book for any purpose. Any use of this information is at your own risk. ActualTech Media Okatie Village Ste 103-157 Bluffton, SC 29909 www.actualtechmedia.com Entering the Jungle Introduction: Six Reasons You Need to Learn Linux ....................................................... 7 1. Linux is the future ........................................................................ 9 2. Linux is on everything .................................................................. 9 3. Linux is adaptable ....................................................................... 10 4. Linux has a strong community and ecosystem ........................... 10 5.
  • Ethernet Basics Ethernet Basics

    Ethernet Basics Ethernet Basics

    2016-09-24 Ethernet Basics based on Chapter 4 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers Ethernet Basics • History • Ethernet Frames • CSMA/CD • Obsolete versions • 10Mbps versions • Segments • Spanning Tree Protocol 1 2016-09-24 Ethernet – Early History • 1970: ALOHAnet, first wireless packet-switched network - Norman Abramson, Univ. of Hawaii - Basis for Ethernet’s CSMA/CD protocol - 1972: first external network connected to ARPANET • 1973: Ethernet prototype developed at Xerox PARC - (Palo Alto Research Center) - 2.94 Mbps initially • 1976: "Ethernet: Distributed Packet Switching for Local Computer Networks" published in Communications of the ACM. - Bob Metcalfe and David Boggs - sometimes considered “the beginning of Ethernet” Ethernet goes Mainstream • 1979: DEC, Intel, Xerox collaborate on a commercial Ethernet specification - Ethernet II, a.k.a. “DIX” Ethernet - (Digital Equipment Corporation) • 1983: IEEE 802.3 specification formally approved - Differs from Ethernet II in the interpretation of the third header field • 1987: alternatives to coaxial cables - IEEE 802.3d: FOIRL, Fiber Optic Inter-Repeater Link - IEEE 802.3e: 1 Mbps over Twisted Pair wires (whoopee!) • 1990: Twisted-Pair wiring takes over - IEEE 802.3i: 10 Mbps over Twisted-Pair – 10Base-TX, 10Base-T4 2 2016-09-24 the Future is Now (next chapter) (and Now is so Yesteryear…) 1995 – Now: speed and cabling improvements • 1995: 100Mbps varieties • 1999: 1Gbps on twisted-pair • 2003-2006: 10Gbps on optical fiber and UTP • 2010: 40Gbps, 100Gbps (802.3ba) - optical fiber or twinaxial cable - point-to-point physical topology; for backbones • 2016, September: 2.5GBase-T, 5GBase-T ? - who knows? What Is Ethernet? • Protocols, standards for Local Area Networks » Ethernet II, IEEE 802.3 • Specifies Physical-layer components - Cabling, signaling properties, etc.
  • Guidelines on Firewalls and Firewall Policy

    Guidelines on Firewalls and Firewall Policy

    Special Publication 800-41 Revision 1 Guidelines on Firewalls and Firewall Policy Recommendations of the National Institute of Standards and Technology Karen Scarfone Paul Hoffman NIST Special Publication 800-41 Guidelines on Firewalls and Firewall Revision 1 Policy Recommendations of the National Institute of Standards and Technology Karen Scarfone Paul Hoffman C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2009 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Patrick D. Gallagher, Deputy Director GUIDELINES ON FIREWALLS AND FIREWALL POLICY Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-41 Revision 1 Natl. Inst. Stand. Technol. Spec. Publ. 800-41 rev1, 48 pages (Sep. 2009) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.
  • Communication & Network Security

    Communication & Network Security

    6/13/19 Communication & Network Security MIS-5903 http://community.mis.temple.edu/mis5903sec011s17/ OSI vs. TCP/IP Model • Transport also called Host-to-Host in TCP/IP model. Encapsulation • System 1 is a “subject” (client) • System 2 has the “object” (server) 1 6/13/19 OSI Reference Notice: • Segments • Packets (Datagrams) • Frames • Bits Well known ports Protocol TCP/UDP Port Number File Transfer Protocol (FTP) (RFC 959) TCP 20/21 Secure Shell (SSH) (RFC 4250-4256) TCP 22 Telnet (RFC TCP 23 854) Simple Mail Transfer Protocol (SMTP) (RFC 5321) TCP 25 Domain Name System (DNS) (RFC 1034-1035) TCP/UDP 53 Dynamic Host Configuration Protocol (DHCP) (RFC 2131) UDP 67/68 Trivial File Transfer Protocol (TFTP) (RFC 1350) UDP 69 Hypertext Transfer Protocol (HTTP) (RFC 2616) TCP 80 Post Office Protocol (POP) version 3 (RFC 1939) TCP 110 Network Time Protocol (NTP) (RFC 5905) UDP 123 NetBIOS (RFC TCP/UDP 1001-1002) 137/138/139 Internet Message Access Protocol (IMAP) (RFC 3501) TCP 143 Well known ports (continued) Protocol TCP/UDP Port Number Simple Network Management Protocol (SNMP) UDP (RFC 1901-1908, 3411-3418) 161/162 Border Gateway Protocol (BGP) (RFC 4271) TCP 179 Lightweight Directory Access Protocol (LDAP) (RFC 4510) TCP/UDP 389 Hypertext Transfer Protocol over SSL/TLS (HTTPS) (RFC 2818) TCP 443 Line Print Daemon (LPD) TCP 515 Lightweight Directory Access Protocol over TLS/SSL (LDAPS) (RFC 4513) TCP/UDP 636 FTP over TLS/SSL (RFC 4217) TCP 989/990 Microsoft SQL Server TCP 1433 Oracle Server TCP 1521 Microsoft Remote Desktop Protocol (RDP) TCP 3389 • http://www.iana.org/assignments/service-names-port- numbers/service-names-port-numbers.xml.
  • Broadcast Domain

    Broadcast Domain

    Broadcast Domain A broadcast domain is a logical part of a network (a network segment) in which any network equipment can transmit data directly to other equipment or device without going through arouting device (assuming the devices share the same subnet and use the same gateway; also, they must be in the same VLAN). A more specific broadcast domain definition is the area of the computer network that consists of every single computer or network equipment that can be reached directly by sending a simple frame to the data link layer’s broadcast address. Details on Broadcast Domains While any layer 2 device is able to divide the collision domains, broadcast domains are only divided by layer 3 network devices such as routers or layer 3 switches. Frames are normally addressed to a specific destination device on the network. While all devices detect the frame transmission on the network, only the device to which the frame is addressed actually receives it. A special broadcast address consisting of all is used to send frames to all devices on the network. The VLAN (Virtual Local Area Network) technology can also create a so-called “virtual” broadcast domain. A network built with switching devices can see each network device as an independent system. These groups of independent systems can be joined into one broadcast domain, even if the computers are not physically connected to each other. This is very useful when administrating large networks where there is the need for better network management and control. How to Restrict the Broadcast Domain Since a broadcast domain is the area where broadcasts can be received, routers restrict broadcasts.
  • Firewalls and IDS

    Firewalls and IDS

    Firewalls and IDS Dr. Natarajan Meghanathan Associate Professor of Computer Science Jackson State University E-mail: [email protected] Firewalls • A firewall is a device that filters traffic between a “protected” or inside network and a “less trustworthy” or outside network. • A firewall is basically an executable code run on a dedicated computer. • As all traffic should pass through the firewall, it is not a point of bottleneck for system performance and hence non-firewall functions are not performed on that machine running the firewall. • Also, since non-firewall code does not exist in the computer, it is hard for an attacker to make use of any vulnerability to compromise the firewall. • Design idea: – Firewalls implement a security policy that is specifically designed to address what bad things that should not happen in a “protected environment” – Security policies that dictate what to allow: Standard security practices dictate a “default-deny” ruleset for firewalls, implying that the only network connections allowed are the ones that have been explicitly stated to be allowed. – Security policies that dictate what not to allow: Users and business community who lack such a detailed understanding to explicitly state what should be allowed in prefer a “default-allow” ruleset, in which all traffic is allowed unless it has been specifically blocked. – Even though this configuration is relatively more prone to inadvertent network connections and system compromise, it is more commonly used because of mere lack of knowledge and new applications that come into existence. Firewalls • Not all firewalls need to have the same capability. • One cannot compare the “goodness” of two firewalls based on the security policies they are configured with.