7.5.5 APPLICATION OF THE OSI MODEL IN NETWORK ARCHITECTURES
Local Area Network
LAN Design Fundamentals and Specifications
To set up a LAN, an organization must assess cost, speed, flexibility and reliability. The issues include:
• Assessing the media for physically transmitting data
• Assessing the access methods for the physical network medium
• Understanding, from a performance and security standpoint, how data will be transmitted across the network, and how the LAN is organized and structured so as to optimize the performance of the devices connected to it
Network Physical Media Specifications
Physical media used to connect computing devices together in a network include:
• Twisted pair: two insulated wires are twisted around each other, with current flowing through them in opposite directions. The common standards for twisted-pair circuits are CAT5e, CAT6 and CAT7. Disadvantage: twisted pair is not immune to the effects of electromagnetic interference (EMI), so it should be run in dedicated conduits, away from sources of potential interference such as fluorescent lights; this also reduces the opportunity for crosstalk between pairs in the same bundle. Parallel runs of cable over long distances should be avoided, since the signals on one cable can interfere with signals on adjacent cables.
• Fiber optics, for high-capacity links and specific architectures: fiber carries binary signals as flashes of light. It has low transmission loss compared to twisted-pair circuits, and it neither radiates energy nor conducts electricity, which makes it the preferred choice for high-volume, longer-distance runs. (The absence of radiated energy also makes fiber much harder to tap passively than copper.)
• Infrared and radio (wireless): low-powered systems that broadcast (radiate) and receive electromagnetic signals representing data. Because anyone within range can receive the signal, confidentiality on a wireless LAN must come from encryption rather than from the medium.
LAN Topologies and Protocols
LAN topologies define how networks are organized from a physical standpoint, whereas protocols define how information transmitted over the network is interpreted by systems.
LAN Media Access Technologies
Technologies for accessing the physical transmission media give devices shared access to the network, while also preventing a single device from monopolizing it.
Ethernet
Ethernet has evolved from its original bus configuration, which provided 10 Mbps over two coaxial cable versions (thin and thick), to star configurations. Ethernet is a Carrier Sense Multiple Access/Collision Detection (CSMA/CD) protocol.
The use of coaxial cable in Ethernet is problematic: the cable itself is a single point of failure. To alleviate this, a physical implementation using twisted-pair telephone cable was developed. The first implementation had all of the points of the star connected together by an unintelligent device called a hub, basically a panel of connectors that joins all of the wires together; circuitry within the hub electrically disconnects any branch that is not active.
Replacing hubs with switches was a significant advance in technology. A switch is an intelligent device that provides a private path for each pair of connections on the switch.
From a security perspective, switches provide another significant improvement: each device on the network sees only traffic destined for its own MAC address and cannot eavesdrop on unicast traffic intended for other destinations. The limits of this isolation should be kept in mind: broadcast and multicast frames, and unicast frames whose destination MAC the switch has not yet learned, are still flooded to every port in the segment, and the isolation is only as trustworthy as the switch's MAC table, which is why port security (see LAN Security below) matters.
LAN Components
Repeaters (PL)
Physical layer devices that extend the range of a network or connect two separate network segments. They receive signals from one network segment and amplify (regenerate) them to compensate for signals, analog or digital, that are distorted because of a reduction of signal strength during transmission (attenuation).
Hubs (PL)
Physical layer devices that serve as the center of a star-topology network or as a network concentrator.
Bridges (DL)
Data link layer devices developed to connect LANs, or to create two separate LAN or WAN segments from a single segment, in order to reduce collision domains. The two segments work as different LANs below the data link level of the OSI reference model. Bridges act as store-and-forward devices in moving frames toward their destination, by analyzing the MAC header of a frame, which carries the hardware address of a NIC. Bridges can also filter frames based on Layer 2 information. Bridges are software-based, and they are less efficient than similar hardware-based devices such as switches.
Layer 2 Switches (DL)
Data link level devices that can divide and interconnect network segments and help to reduce collision domains in Ethernet-based networks. They provide more robust functionality than bridges through the use of more sophisticated data link layer protocols, implemented in specialized hardware called application-specific integrated circuits (ASICs). Switches store and forward frames, filtering and forwarding them among network segments based on Layer 2 MAC source and destination addresses, as bridges do (hubs, being physical layer devices, repeat every frame to every port and filter nothing). The benefits of switch technology are the performance efficiencies gained through reduced costs, low latency or idle time, and a greater number of ports per switch with dedicated high-speed bandwidth capabilities.
Layer 3 Switches (NL)
A Layer 3 switch goes beyond Layer 2 MAC addressing and acts at the network layer of the OSI model, like a router. The switch compares the destination IP address with the addresses in its tables to actively calculate the best way to send a packet to its destination, creates a virtual circuit (i.e., the switch segments the LAN within itself and creates a pathway between the receiving and the transmitting device to send the data), and forwards the packet to the recipient's address. This provides the added benefit of reducing the size of network broadcast domains.
Router vs. Layer 3 Switch
The major difference between a router and a Layer 3 switch is that a router performs packet switching using a microprocessor, whereas a Layer 3 switch performs the switching in ASIC hardware.
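To make the forwarding decision described above concrete, here is an added example that is not part of the page and not any vendor's code: a longest-prefix-match lookup in Python over a constructed forwarding table (all prefixes, next hops and interface names are invented for illustration). It also shows the two behaviours the page attributes to Layer 3 devices: a Layer 3 hop bounds the broadcast domain (this model has no multicast routing, so multicast and the limited broadcast address are never forwarded), and traffic to an address with no matching route, and no default route, is dropped.

```python
import ipaddress

# Constructed forwarding table for a hypothetical Layer 3 switch/router.
# Each entry is (prefix, next_hop, egress_interface); next_hop None means the
# prefix is directly connected and the device resolves the host itself (ARP).
# All addresses and interface names are made up for this example.
FORWARDING_TABLE = [
    ("0.0.0.0/0",    "203.0.113.1", "uplink0"),  # default route toward the Internet
    ("10.10.0.0/16", None,          "vlan10"),   # user VLAN, directly connected
    ("10.20.0.0/16", None,          "vlan20"),   # server VLAN, directly connected
    ("10.20.5.0/24", "10.20.0.254", "vlan20"),   # more specific: subnet behind a firewall
]


def build_table(entries):
    """Parse the prefixes and order them longest-prefix-first so the first match wins."""
    table = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in entries]
    table.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hop, interface) or None."""
    addr = ipaddress.ip_address(dst)
    for net, next_hop, ifc in table:
        if addr in net:
            return str(net), next_hop, ifc
    return None


def forward(table, dst):
    """Decide what the Layer 3 device does with a packet addressed to dst.
    Returns (action, detail) where action is 'route', 'deliver' or 'drop'."""
    addr = ipaddress.ip_address(dst)
    # No multicast routing in this model: group and limited-broadcast destinations
    # stop here, which is why inserting a Layer 3 hop shrinks the broadcast domain.
    if addr.is_multicast or addr == ipaddress.ip_address("255.255.255.255"):
        return ("drop", "broadcast/multicast is not forwarded across Layer 3")
    hit = lookup(table, dst)
    if hit is None:
        # "Block traffic to unknown addresses": nothing matched and no default route.
        return ("drop", "no route to " + dst)
    net, next_hop, ifc = hit
    if next_hop is None:
        return ("deliver", f"{ifc}: {net} is directly connected, ARP for {dst}")
    return ("route", f"{ifc}: via next hop {next_hop} ({net})")


if __name__ == "__main__":
    table = build_table(FORWARDING_TABLE)
    for dst in ("10.20.5.9", "10.20.7.9", "198.51.100.3", "224.0.0.5"):
        print(dst, "->", forward(table, dst))
```

Note that 10.20.5.9 is covered by both 10.20.0.0/16 and 10.20.5.0/24 and is sent to the /24's next hop: the more specific route always wins, regardless of the order entries were added. Dropping the default route (the first entry) is what turns a packet for an unlisted destination into a "no route" drop.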
VLAN
Layer 3 switches also support the concept of a virtual LAN (VLAN). (VLAN membership itself is a Layer 2 property of the switch port; what a Layer 3 switch adds is the ability to route between VLANs without an external router.) This flexibility enables administrators to restrict users' access to only those network resources specified, and to segment network resources for optimal performance. A VLAN is set up by configuring ports on a switch so that devices attached to those ports communicate as if they were attached to the same physical network segment, even though the devices are located on different LAN segments. A VLAN is a segmentation control rather than an access control in itself: traffic between VLANs must still be routed, so the filtering applied at that routing point is what actually enforces the restriction.
Layer 4 Switches
At Layer 4, some application information (the transport-layer port) is considered along with the Layer 3 addresses. These devices, unlike Layer 3 switches, are more resource intensive, since they have to store application-based protocol information.
Layer 4 through 7 Switches
Also known as content switches, content services switches, web switches or application switches, these are typically used for load balancing among groups of servers. Load balancing can be based on Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS) and/or VPN, or on any application's TCP/IP traffic using a specific port.
Routers (NL)
Routers link two or more physically separate network segments. They operate at the OSI network layer by examining network addresses (i.e., the routing information encoded in an IP packet).
Routers vs. Switches
Routers differ from switches operating at the data link layer in that they use logically based network addresses, use different network addresses/segments on all ports, block broadcast information, block traffic to unknown addresses, and filter traffic based on network or host information. Routers are not as efficient as switches because they are generally software-based devices and they examine every packet coming through, which can create significant bottlenecks within a network.
Gateways
Gateways are protocol converters. Typically, they connect and convert between LANs and a mainframe, or between LANs and the Internet, at the application layer of the OSI reference model.
LAN Technology Selection Criteria
• What are the applications?
• What are the bandwidth needs?
• What is the area to be covered, and what are the physical constraints?
• What is the budget?
• What are the remote management needs?
• What are the security needs?
• What network redundancy/resiliency is required?
LAN Security
Risks associated with the use of LANs include:
• Lack of current data protection through an inability to maintain version control
• Exposure to external activity through poor user verification and potential public network access from remote connections
• Virus and worm infection
• Improper disclosure of data because of general access rather than need-to-know access provisions
• Illegal access by impersonating or masquerading as a legitimate LAN user
• Internal user sniffing (obtaining seemingly unimportant information, such as network addresses, from the network that can be used to launch an attack)
• Internal user spoofing (reconfiguring a network address to pretend to be a different address)
• Lack of enabled, detailed, automated logs of activity (audit trails)
• Destruction of the logging and auditing data
• Loss of data and program integrity through unauthorized changes
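The sniffing and spoofing risks in this list are easier to reason about with a concrete detection, so here is an added example that is not part of the page: a Python check over constructed ARP reply records (invented here, not taken from a real capture) that flags an IP address claimed by a MAC other than the one expected for it. With no reference data it can only report that the binding changed, which also flags the legitimate host when it answers again; with a static binding table (an assumption of this example, such as an entry for the gateway) it pinpoints the impostor. The record layout and field names are assumptions.

```python
from collections import defaultdict

# Constructed ARP reply records, shaped like (timestamp, sender_ip, sender_mac)
# as a LAN monitor might log them. Invented for this example; not a real capture.
ARP_LOG = [
    (100, "10.10.0.1",  "02:00:00:00:00:01"),  # gateway answers with its own MAC
    (101, "10.10.0.25", "02:00:00:00:00:25"),  # ordinary workstation
    (160, "10.10.0.1",  "02:00:00:00:00:01"),
    (161, "10.10.0.1",  "02:00:00:00:00:99"),  # a second MAC now claims the gateway IP
    (162, "10.10.0.1",  "02:00:00:00:00:99"),
    (163, "10.10.0.1",  "02:00:00:00:00:01"),  # the real gateway answers again
    (300, "10.10.0.40", "02:00:00:00:00:40"),
]

# Optional static bindings an administrator maintains (assumed, e.g. for the gateway).
KNOWN_BINDINGS = {"10.10.0.1": "02:00:00:00:00:01"}


def detect_arp_conflicts(records, known_bindings=None):
    """Return one alert dict per record whose sender MAC contradicts what is
    expected for that IP: the static binding if one exists, otherwise the MAC
    most recently seen for the IP."""
    known = dict(known_bindings or {})
    last_seen = {}
    alerts = []
    for ts, ip, mac in records:
        expected = known.get(ip, last_seen.get(ip))
        if expected is not None and expected != mac:
            alerts.append({
                "time": ts, "ip": ip, "mac": mac, "expected": expected,
                "reason": ("contradicts static binding" if ip in known
                           else "IP-to-MAC binding changed"),
            })
        last_seen[ip] = mac
    return alerts


def suspect_macs(alerts):
    """Summarize alerts as {ip: set of MACs flagged for that IP}."""
    out = defaultdict(set)
    for a in alerts:
        out[a["ip"]].add(a["mac"])
    return dict(out)


if __name__ == "__main__":
    print("without bindings:", suspect_macs(detect_arp_conflicts(ARP_LOG)))
    print("with bindings:   ", suspect_macs(detect_arp_conflicts(ARP_LOG, KNOWN_BINDINGS)))
```

Bindings also change for legitimate reasons (DHCP lease reassignment, NIC replacement), so in practice the "binding changed" rule is tuned against the DHCP lease table rather than acted on blindly. The check also presupposes that ARP activity is logged and the logs retained, which is exactly what the two audit-trail items in the same list are about.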
LAN security provisions vary with the software product, product version and implementation. Commonly available network security administrative capabilities include:
• Declaring ownership of programs, files and storage
• Limiting access under the principle of least privilege (users can access only what they need to perform their role)
• Implementing record and file locking to prevent simultaneous updates
• Enforcing user ID/password sign-on procedures, including the rules relating to password length, format and change frequency
• Using switches that implement port security policies, rather than hubs or non-manageable routers. This prevents unauthorized hosts with unknown MAC addresses from connecting to the LAN. Because a MAC address can be reconfigured by the user (see the spoofing risk above), port security raises the bar for casual or accidental connections rather than defeating a deliberate attacker.
• Encrypting local traffic using the IPsec protocol
To gain a full understanding of the LAN, the IS auditor should identify and document the following:
• Users or groups with privileged access rights
• LAN topology and network design
• LAN administrator/LAN owner
• Functions performed by the LAN administrator/owner
• Computer applications used on the LAN
• Procedures and standards relating to network design, support, naming conventions and data security
• Distinct groups of LAN users