Chapter 11 Build a Small Network
Devices in a Small Network
Small Network Topologies
The network topologies typically involve a single router and one or more switches.
Small networks may also have wireless access points (possibly built into the router) and IP phones.
As for connection to the Internet, normally a small network has a single WAN connection provided by DSL, cable, or an Ethernet connection.
Device Selection for a Small Network
When implementing a small network, one of the first design considerations is the type of intermediate devices to use to support the network
Speed and Types of Ports/Interfaces
: Networking devices come in both fixed and modular physical configurations
Operating System Features and Services
Quality of Service (QoS)
Voice over IP (VoIP)
Layer 3 switching
Network Address Translation (NAT)
Dynamic Host Configuration Protocol (DHCP)
IP Addressing for a Small Network
Examples of different types of devices that will factor into the IP design are:
End devices for users
Servers and peripherals
Hosts that are accessible from the Internet
Redundancy in a Small Network
There are many ways to accomplish redundancy in a network. Redundancy can be accomplished by installing duplicate equipment, but it can also be accomplished by supplying duplicate network links for critical areas, as shown in the figure.
It may be advisable for a small business to pay for a second service provider as backup.
The network administrator should consider the various types of traffic and their treatment in the network design.
The routers and switches in a small network should be configured to support real-time traffic, such as voice and video, in a distinct manner relative to other data traffic
Small Network Applications and Protocols
There are two forms of software programs or processes that provide access to the network:
Applications are the software programs used to communicate over the network. Some end-user applications are network-aware, meaning that they implement application layer protocols and are able to communicate directly with the lower layers of the protocol stack. Email clients and web browsers are examples of this type of application.
Application Layer Services
Though transparent to an employee, these services are the programs that interface with the network and prepare the data for transfer.
IMAP, POP, IMAP
Voice and Video Applications
To support the existing and proposed real-time applications, the infrastructure must accommodate the characteristics of each type of traffic. The network designer must determine whether the existing switches and cabling can support the traffic that will be added to the network.
VoIP devices convert analog signals into digital IP packets. The device could be an analog telephone adapter (ATA) that is attached between a traditional analog phone and the Ethernet switch.
In IP telephony, the IP phone itself performs voice-to-IP conversion. Voice-enabled routers are not required within a network with an integrated IP telephony solution. IP phones use a dedicated server for call control and signaling. There are now many vendors with dedicated IP telephony solutions for small networks.
To transport streaming media effectively, the network must be able to support applications that require delay-sensitive delivery. Real-Time Transport Protocol (RTP) and Real-Time Transport Control Protocol (RTCP) are two protocols that support this requirement
RTP and RTCP enable control and scalability of the network resources by allowing Quality of Service (QoS) mechanisms to be incorporated. These QoS mechanisms provide valuable tools for minimizing latency issues for real-time streaming applications.
Scale to Larger Networks
Small Network Growth
To scale a network, several elements are required:
- physical and logical topology
- list of devices that use or comprise the network
- itemized IT budget, including fiscal year equipment purchasing budget
- protocols, applications, and services and their respective traffic requirements, should be documented
It is important to understand the type of traffic that is crossing the network as well as the current traffic flow.
To determine traffic flow patterns, it is important to:
Capture traffic during
utilization times to get a good representation of the different traffic types.
capture on different network segments
; some traffic will be local to a particular segment.
Sometimes, simply relocating a server or service to another network segment improves network performance and accommodates the growing traffic needs. At other times, optimizing the network performance requires major network redesign and intervention.
Employee Network Utilization
A network administrator must also be aware of how network use is changing.
a small network administrator has the ability to obtain in-person IT “snapshots” of employee application utilization for a significant portion of the employee workforce over time
Security Threats and Vulnerabilities
Types of Threats
Intrusion by an unauthorized person
can result in costly network outages and loss of work. Attacks on a network can be devastating and can result in a
loss of time and money
damage or theft of important information or assets
Intruders can gain access to a network through
someone's username and password
Intruders who gain access by modifying software or exploiting software vulnerabilities are often called
After the hacker gains access to the network, four types of threats may arise.
: This is breaking into a computer to obtain confidential information. Information can be used or sold.
Data loss and manipulation
: This is breaking into a computer to destroy or alter data records.
: This is a form of information theft where personal information is stolen for the purpose of taking over someone's identity.
Disruption of service
: This is preventing legitimate users from accessing services to which they should be entitled. e.g. Denial of Service (
) attacks on servers, network devices or network communications links
The four classes of physical threats are:
- physical damage to servers, routers, switches, cabling plant, and workstations
- temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
- voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
- poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling
Types of Vulnerabilities
Vulnerability is the degree of weakness which is inherent in every network and device.
There are three primary vulnerabilities or weaknesses:
: TCP/IP Protocol weakness. Operating System weakness. Network Equipment weakness
: Unsecured user accounts (not encrypted or easy to guess), default settings, misconfigured network equipment or Internet services.
: Lack of a written security policy, lack of authentication, no logical access control, nonexistent disaster recovery plan
Types of Malware
Malware or malicious code (malcode) is short for malicious software.
It is code or software that is specifically
designed to damage, disrupt, steal, or inflict “bad” or illegitimate action on data, hosts, or networks
: Is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions.
Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program.
When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.
: Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file,
worms are standalone software and do not require a host program or human help to propagate.
A worm does not need to attach to a program to infect a host; it enters a computer through a vulnerability in the system.
Worms take advantage of system features to travel through the network unaided.
: It is a harmful piece of software that
. Users are typically tricked into loading and executing it on their systems.
After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojan horses are also known to create back doors to give malicious users access to the system.
Unlike viruses and worms, Trojan horses do not reproduce by infecting other files, nor do they self-replicate.
Trojan horses must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.
Network attacks can be classified into three major categories:
- the discovery and mapping of systems, services, or vulnerabilities
External attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space assigned to a given corporation or entity.
After the IP address space is determined, an attacker can then ping the publicly available IP addresses to identify the addresses that are active. To help automate this step, an attacker may use a ping sweep tool, such as fping or gping, which systematically pings all network addresses in a given range or subnet.
- the unauthorized manipulation of data, system access, or user privileges
exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
An access attack allows an individual to gain unauthorized access to information that they have no right to view. Access attacks can be classified into four types:
Denial of service
- the disabling or corruption of networks, systems, or services
To help prevent DoS attacks it is important to stay up to date with the latest security updates for operating systems and applications. For example, the ping of death is no longer a threat because updates to operating systems have fixed the vulnerability that it exploited.
: The attacker sends multiple SYN requests to a web server; the server replies with SYN/ACK, but the attacker does not send the final ACK, so the server waits to complete the three-way handshake
. Attackers use many intermediate hosts (zombies/bots) to create a botnet and launch the attack
: Victim is inundated with large (ECHO reply) messages
Network Attack Mitigation
Backup, Upgrade, Update, and Patch
The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and patch all vulnerable systems.
Authentication, Authorization, and Accounting
AAA, or “triple A” network security services provide the primary framework to set up access control on a network device.
AAA is a way to control
is permitted to access a network (authenticate),
they can do while they are there (authorize), and what actions they perform while accessing the network (accounting).
A firewall is one of the most effective security tools available for protecting users from external threats. Network firewalls reside between two or more networks, control the traffic between them, and help prevent unauthorized access. Host-based firewalls or personal firewalls are installed on end systems. Firewall products use various techniques for determining what is permitted or denied access to a network.
Packet filtering - Prevents or allows access based on IP or MAC addresses
Application filtering - Prevents or allows access by specific application types based on port numbers
URL filtering - Prevents or allows access to websites based on specific URLs or keywords
Stateful packet inspection (SPI) - Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless permitted specifically. SPI can also include the capability to recognize and filter out specific types of attacks, such as denial of service (DoS)
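The stateful packet inspection rule above, as an added example that is not part of the original notes: a simplified state table that admits inbound packets only when they answer a recent request from an internal host or match an explicit permit entry. The LAN range, the published server, the idle timeout and the sample packets are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")      # assumed internal LAN
PERMIT_INBOUND = {("192.168.1.10", 443)}   # assumed published server (explicit permit)
IDLE_TIMEOUT = 30                          # assumed seconds a flow stays in the table


def inspect(packets):
    """Return one verdict per packet; each packet is (time, src, sport, dst, dport)."""
    state = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> last seen time
    verdicts = []
    for t, src, sport, dst, dport in packets:
        if ip_address(src) in INSIDE:
            # A request from an internal host creates or refreshes a state entry.
            state[(src, sport, dst, dport)] = t
            verdicts.append("allow-outbound")
            continue
        key = (dst, dport, src, sport)      # the inbound packet seen from the inside
        last = state.get(key)
        if last is not None and t - last <= IDLE_TIMEOUT:
            state[key] = t                  # legitimate response to an internal request
            verdicts.append("allow-reply")
        elif (dst, dport) in PERMIT_INBOUND:
            verdicts.append("allow-permitted")
        else:
            state.pop(key, None)            # drop any expired entry for this flow
            verdicts.append("block-unsolicited")
    return verdicts


# Constructed sample traffic.
SAMPLE_PACKETS = [
    (0, "192.168.1.20", 51000, "203.0.113.5", 80),    # internal host opens a web request
    (1, "203.0.113.5", 80, "192.168.1.20", 51000),    # matching response
    (2, "203.0.113.5", 80, "192.168.1.20", 51001),    # same server, port never used
    (3, "198.51.100.7", 40000, "192.168.1.10", 443),  # inbound to the published server
    (4, "198.51.100.7", 40000, "192.168.1.10", 22),   # inbound to an unpublished port
    (60, "203.0.113.5", 80, "192.168.1.20", 51000),   # late packet after the entry expired
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, inspect(SAMPLE_PACKETS)):
        print(pkt, verdict)
```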
An endpoint, or host, is an individual computer system or device that acts as a network client.
Policies often include the use of antivirus software and host intrusion prevention. More comprehensive endpoint security solutions rely on network access control.
Device Security Overview
When a new operating system is installed on a device, the security settings are set to the default values. In most cases, this level of security is inadequate.
For Cisco routers, the Cisco AutoSecure feature can be used to assist in securing the system.
There are some simple steps that should be taken that apply to most operating systems:
Default usernames and passwords should be changed immediately.
Access to system resources should be restricted to only the individuals that are authorized to use those resources.
Any unnecessary services and applications should be turned off and uninstalled when possible.
Here are standard guidelines to follow:
Use a password length of at least 8 characters, preferably 10 or more characters. A longer password is a better password.
Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, biographical information, such as birthdates, ID numbers, ancestor names, or other easily identifiable pieces of information.
Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
Do not write passwords down and leave them in obvious places such as on the desk or monitor.
One method to create a strong password is to use the space bar and create a phrase made of many words. This is called a
Basic Security Practices
Using the global configuration command
prevents unauthorized individuals from viewing passwords in plain text in the configuration file
Additionally, to ensure that all configured passwords are a minimum of a specified length, use the
security passwords min-length
command in global configuration mode.
It is possible to prevent brute force attacks by blocking login attempts to the device if a set number of failures occur within a specific amount of time.
login block-for 120 attempts 3 within 60
This command will block login attempts for 120 seconds if there are three failed login attempts within 60 seconds.
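How the three numbers in that command interact, as an added example that is not from the original notes: a simplified model of the policy replayed over constructed login events. It is not Cisco's implementation; the class name, the sliding-window handling and the sample timestamps are assumptions made for illustration.

```python
from collections import deque


class LoginBlocker:
    """Simplified model of `login block-for B attempts N within W` (seconds)."""

    def __init__(self, block_for=120, attempts=3, within=60):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.failures = deque()    # timestamps of recent failed logins
        self.blocked_until = None  # end of the current block period, if any

    def attempt(self, t, success):
        """Process one login attempt at time t and return its outcome."""
        if self.blocked_until is not None and t < self.blocked_until:
            return "refused"       # during the block even valid credentials are refused
        if success:
            return "accepted"
        self.failures.append(t)
        # Keep only the failures that fall inside the window ending at t.
        while t - self.failures[0] >= self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.blocked_until = t + self.block_for
            self.failures.clear()
        return "failed"


def replay(events, **policy):
    """Run (time, credentials_ok) events through a fresh LoginBlocker."""
    blocker = LoginBlocker(**policy)
    return [blocker.attempt(t, ok) for t, ok in events]


# Constructed sample: slow guessing stays under the threshold, then a burst trips it.
SAMPLE = [
    (0, False), (20, False),               # two failures, below the threshold
    (75, False), (85, False), (95, False), # three failures inside one 60 s window
    (100, True), (214, True),              # valid logins during the 120 s block
    (215, True),                           # block has ended
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(event, outcome)
```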
By setting the exec timeout, you are telling the Cisco device to automatically disconnect users on a line after they have been idle for the duration of the exec timeout value. Exec timeouts can be configured on console, VTY, and aux ports using the exec-timeout command in line configuration mode.
Router(config)# line vty 0 4
Router(config-line)# exec-timeout 10
! The exec-timeout value is given in minutes (10 minutes here).