NET 102 - Networking Essentials II

Chapter 11, Wide Area Networks; Chapter 12, Network Policies and Procedures

Objectives:

This lesson discusses other features of networks, and features of wireless networks. Objectives important to this lesson:

  1. WAN concepts
  2. WAN connections
  3. Internet Connectivity
  4. Remote access
  5. WAN troubleshooting
  6. Network design, documentation, and policies
  7. Safety
  8. Risk management
  9. Security policies and assessments

Concepts:
Chapter 11, Wide Area Networks

Wide Area Networks are needed to connect LANs that are separated by long distances to each other.

Think of making phone call: the caller may own the wiring of a site, the instrument being used, and connectivity devices at that site, but they will not own anything past their own site. The person making a call is "leasing" the use of the infrastructure of one or more companies for that connection. Someone who leases the use of equipment like this can be called a subscriber. (If you have an account with a cable TV service, for example, you are a subscriber on their network.)

The material presents a list of WAN terms that may appear on a certification test:

  • CPE - Customer Premises Equipment is owned by a service subscriber. For instance, I own my cable modem, so it is a CPE device. For someone who leases a cable modem from their service provider, it would not be a CPE device.
  • Demarcation point - This is sometimes called the point of demarcation, or just the demarc. It is the boundary between what the subscriber owns, and what the service provider owns. 
    The telephone demarc at my home is a box mounted on an outside wall. I own the wiring from there into my home, and all the devices inside my home. The point is responsibility: who pays for fixing something that breaks or fails. As the text explains, a network demarc is the box at which the service provider's responsibility ends.
  • Telco - a telecommunication service provider. Historically, this role has been filled by telephone companies.
  • Local loop - the infrastructure that connects a demarc to the closest switching point (also called a switching office, or central office) of the telco.
  • Central Office - can also be called a CO, a switching office, or a Point of Presence (POP, which has nothing to do with Post Office Protocol). This is an access point to the service provider's network. As noted above, a subscriber connects to the central office through a local loop.
  • Toll network - a trunk line inside the service provider's network. Remember that a trunk line carries traffic from multiple networks/subnets.
  • DCE - Data Communication Equipment, or Data Channel Equipment, or Data Circuit-terminating Equipment, generally means devices that provide access to communication channels, like modems or CSU/DSUs. Think of this as the equipment necessary to connect to the ISP's data channels.
  • DTE - Data Terminal Equipment generally means computers or terminals. This would typically be CPE equipment.
  • ISP - Internet Service Providers sell or grant access to their networks and the Internet.

In general, you should be able to categorize equipment as belonging to the subscriber or to the service provider.

The discussion continues with a short list of WAN connection types that begins to drown us in alphabet soup:

  • Dedicated - also called leased lines, or point-to-point lines. These are hotline connections from one subscriber location, through the provider's network, to another subscriber location. Very costly, due to constant up time and wide bandwidth.
  • Circuit-switched - Connections must be established for each session, like dialing a phone call. The text says that, typically, the provider is a phone company, but phone companies are generally the telecommunications providers in all cases. Cheaper, but better suited for short ("bursty") communications.
  • Packet-switched - This is like having VPN service on a larger network. The subscriber gets data transport service over a provider's data network that is shared by other subscribers. Bandwidth may vary from transmission to transmission, depending on the number of other users.

One of our Cisco books lists several protocols as the ones most used on Cisco networks. Of these, Frame Relay, HDLC, and PPP are the ones most commonly configured on serial interfaces:

  • PSTN - Circuit switching is used, which means a circuit is established for each new call and it stays in effect for the length of the call. The local part of the circuit uses Plain Old Telephone Service (POTS), but the WAN part typically uses digital signals and fiber optic lines.
  • Frame Relay - like X.25, but with less overhead for correcting line noise. Has dynamic bandwidth allocation and congestion control (helpful in packet-switched connections).
  • ISDN - Uses existing digital phone lines for data and voice. May be used as a backup connection for sites using Frame Relay or T1 lines.
  • HDLC - High-level Data-Link Control. A data-link protocol, without a header marking for the network layer protocol being used. Each vendor has its own proprietary version of HDLC: each version works only with that vendor's equipment.
  • PPP - Can be used regardless of the make of the equipment being used. This protocol runs on Layer 2, but it is compatible with several Network layer protocols. Supports encryption, but the protocols mentioned on Testout (PAP and CHAP) are not used much any more.
  • ATM - Asynchronous Transfer Mode can be both a LAN and WAN protocol. It maps to the first three layers of the ISO-OSI model. It is listed in your text as another topology type, due to its unusual features:
    • Uses 53 byte blocks called cells.
    • Uses virtual channels.
    • Can use most media: fiber optic, STP, or UTP
    • Uses Internetworking Units (IWUs) to connect networks
  • MPLS - Multiprotocol Label Switching was developed specifically to support TCP/IP connections over WANs; adds a label and other fields after the header in a frame, providing more information
    • MPLS label - identifies MPLS traffic
    • Cost of Service - rates the importance of the frame
    • S - set to 1 if this is the first of several MPLS packets
    • Time to Live - limit on the number of hops allowed
  • SONET - Synchronous Optical NETwork (SONET) is a United States version of Synchronous Digital Hierarchy (SDH) which is a European standard. Both systems use fiber optic lines for WAN connections. A notable characteristic is the use of dual, counter rotating fiber optic rings. This method is called FDDI, a form of token ring system.

Token Rings need not be wired as physical rings. A star wired ring is the most common type. Several workstations may be connected to Multistation Access Units (MSAUs), which act like concentrators. The MSAUs are connected together by way of special ports called Ring In and Ring Out. You connect the Ring In port of one MSAU to the Ring Out port of another MSAU. This allows you to extend the circle to include more MSAUs and more workstations as necessary.

FDDI is a fiber optic ring standard. This is an ANSI standard, not an IEEE standard, but it makes use of the IEEE 802.2 and 802.5 standards. It is very fast, and has high capacity, making it useful for three main applications:

  • Backbones - connections to other networks that need to be fast and wide
  • Computer room networks - fast connections between critical devices
  • High data rate LANs - connections for users of data intensive applications like CAD

FDDI uses two rings that are counter rotating. This means that traffic travels clockwise on one ring and counterclockwise on the other, making reconfiguration simple. If a break occurs between two workstations, the rings cross over at those workstations, turning the two rings into one, longer loop.

TestOut summarizes several ways to get access to the Internet through common Internet service providers.

How does a home user connect? Lots of technologies exist, but your choices are limited by your location.

  • Dial-up service - once very popular, still available, uses the Public Switched Telephone Network, also called Plain Old Telephone Service; requires the use of a modem (modulator/demodulator) to turn the digital signal of a computer to an analog signal for the PSTN
  • The text lists several generations of modem standards by their V.x numbers. They were established by the CCITT, which was mainly French, which explains the various standards ending in bis, which means revised. Know that modems evolved from 300 bps through 14.4 kbps, 28.8 kbps, and 56.6 kbps, where they have topped out. The book has somewhat different numbers. It depends on whether you call a kilobyte 1000 bytes or 1024 bytes. Both definitions are used by the industry.
  • ISDN - After three paragraphs of history, the text tells us that an Integrated Services Digital Network connection gives you a digital connection to the telephone company's digital network, eliminating the need for a modem, as such. It uses a terminal adapter instead, which you can think of as a digital modem or adapter. ISDN is limited by distance: you can't get it unless your location is within 18,000 feet of a central office that offers it.
  • DSL - digital subscriber lines come in several types: symmetric, asymmetric, and very high bit rate are listed in the text. Like ISDN, you can't get this option unless you are within 18,000 feet of a central office that offers this service, which it will not do unless the telephone cable to your location is up to the task. A DSL connection requires a phone jack, a DSL modem, and a patch cable to a NIC in your computer.
  • Cable modem - uses a cable modem that looks like a DSL modem, except for the coaxial jack; uses Digital Over Cable Service Interface Specification (DOCSIS) protocol
  • Satellite systems - available for the most remote locations, may be one way (download only) or two way service
  • Cellular WAN - the text discusses two main types: cellular modems for laptops use Mobile Data Service, typically through a cellular provider; WiMAX is also called 802.16, and is a long range wireless service (3 to 30 miles) made available in communities
  • Fiber - the text is referring to fiber connections from telephone companies, as opposed to cable system fiber, both of which are available in some markets
  • BPL - Broadband over Power Line is a newer technology that has not performed as well as the established methods

The text moves on, in this chapter that seems like it will never end, to remote access, which is not the same thing as just using the Internet. Remote access means accessing your organization's assets from a remote location. The methods discussed vary by their cost, their bandwidth, and their level of security. The author's list also varies in purpose from line to line:

  • Dial-up to an ISP - this is about creating a dial-up connection to an Internet Service Provider, which requires a modem, and does not by itself grant access to your company's network
  • Private dial-up - still using a modem, making a connection through the PSTN to some kind of server that provides gateway access to the network you are seeking; the text mentions Microsoft's Remote Access Server (RAS) as an example of a product that will allow a server to provide access through a modem connection
  • Virtual Private Network - the text spends little time on this item which is a more valid way to get a secure connection; using VPN software, you get an encrypted connection to your desired network, which might be done by any of the methods above, or by using a broadband connection to access the Internet, and then your network gateway
  • Dedicated connection - this method is always on, typically through a leased line from a data carrier (probably a cable or telephone company), which may be a T1 or any other grade of connection we have discussed; the author includes cable and DSL connections in this discussion
  • Remote terminal - a remote terminal program lets you run a session on a remote system as though your computer were on that system; this does not belong on the list because this is a way to do something but not a way to connect to the distant network: it relies on a dial-up, Internet, or dedicated line to function
  • Voice over IP (VoIP) - does not belong on this list, but the author covers three protocols that are commonly used for VoIP: Real-time Transport Protocol (RTP) defines VoIP packets; Session Initiation Protocol (SIP) and H.323 provide session set up and packet delivery services.

Another section in TestOut discusses making a secure connection. Know the definitions of these words. A user who has presented proper credentials to a system and been identified as a known person is a user who has been authenticated. Note that authenticated and authorized are two different things. This leads to the next set of bullet points:

  • Authentication - the process by which users prove their identities to a system
  • Authorization - The process of granting or denying permissions to authenticated users.
  • Accounting - The process by which a system maintains records of the actions of users.

The material also discusses methods to control remote connections to a network. Management of large numbers of switches and routers may be easier with Terminal Access Controller Access Control System (TACACS), which has a horrible name, but it provides a central database of user IDs and passwords. This is also a security risk, so it must be protected. It also provides the ability to require that specific commands to the devices can only be performed by specific IDs. Another text also recommends that if we must use SNMP, use SNMPv3 instead, because it supports authentication requirements.

RADIUS servers are also discussed. This note is taken from my Wireless Networking class:

The text explains the use of a RADIUS server. The acronym stands for Remote Authentication Dial In User Service. It was invented in 1992 for remote users dialing in across plain telephone service. It is now used across the Internet, as well as in internal wireless access to a local WLAN, so Remote and Dial In are not always accurate regarding the present use. To use RADIUS, a client for it must be installed on the AP involved in the process. The connection steps shown below assume a wireless client is making a connection:

  1. The wireless device in a RADIUS scenario is called a supplicant. It makes a request to connect to an AP (Access Point).
  2. The AP requests a user ID and password from the supplicant. The AP is called the authenticator.
  3. The supplicant provides its information, and the AP creates an authentication request, which it sends to the RADIUS server. The request contains information to identify the AP, as well as the supplicant's provided user name and password, which are encrypted.
  4. The RADIUS server verifies that the AP sending the request is an approved AP. If it is, then the data from the supplicant is decrypted.
  5. The RADIUS server passes the user name and password to an appropriate database, such as Active Directory, for authentication.
  6. If the user information is correct, the RADIUS server sends an authentication acknowledgment to the AP, along with information about approved services. If the user information is not correct, the RADIUS server sends an authentication reject message to the AP. 
  7. If tracking is enabled, an accounting database is updated in either case.
  8. The AP receives the message from the RADIUS server and proceeds to allow or deny access to the WLAN.

RADIUS Server Authentication

Transmissions between the supplicant and the authenticator must be secure, so they are required to be compliant with a guideline called the Extensible Authentication Protocol (EAP). This is not a protocol. It is a guideline that may be met by several different protocols.
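
The eight RADIUS steps above, simulated in Python as an added example (this is not code from the text, TestOut, or any RADIUS product). The approved-AP table, the user store standing in for Active Directory, and the credentials are all constructed here. The password hiding is the real RFC 2865 User-Password method (MD5 keystream from the shared secret and the Request Authenticator), which is why only a server holding the AP's shared secret can recover it; the check that the AP is approved is simplified to a lookup of the sending NAS address plus that shared secret.

```python
import hashlib
import secrets

# Constructed sample data: the server's table of approved authenticators
# (AP / NAS address -> shared secret) and the user store it consults (step 5).
APPROVED_NAS = {"10.0.0.5": b"ap-shared-secret-1"}
USER_DB = {"alice": "correct horse battery staple"}
ACCOUNTING_LOG = []  # step 7: one record per handled request

def hide_password(password: str, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.encode()
    padded += b"\x00" * (-len(padded) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> str:
    """Inverse of hide_password; succeeds only with the same shared secret."""
    if len(hidden) % 16:
        raise ValueError("hidden password length must be a multiple of 16")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def authenticator_build_request(nas_ip: str, secret: bytes, username: str, password: str) -> dict:
    """Step 3: the AP (authenticator) wraps the supplicant's credentials in an Access-Request."""
    ra = secrets.token_bytes(16)  # fresh Request Authenticator per request
    return {
        "code": "Access-Request",
        "nas_ip": nas_ip,
        "request_authenticator": ra,
        "user_name": username,
        "user_password": hide_password(password, secret, ra),
    }

def radius_server_handle(request: dict) -> dict:
    """Steps 4 to 7 on the RADIUS server."""
    secret = APPROVED_NAS.get(request["nas_ip"])
    if secret is None:
        # Step 4 failed: unknown NAS. RFC 2865 says to silently discard, no reply.
        ACCOUNTING_LOG.append(("discard", request["nas_ip"], request["user_name"]))
        return {"code": None}
    try:
        password = reveal_password(request["user_password"], secret,
                                   request["request_authenticator"])
    except (ValueError, UnicodeDecodeError):
        password = None  # wrong shared secret yields garbage, treated as a failure
    # Step 5: consult the user store; constant-time compare avoids a timing leak.
    expected = USER_DB.get(request["user_name"])
    ok = (expected is not None and password is not None
          and secrets.compare_digest(expected.encode(), password.encode()))
    code = "Access-Accept" if ok else "Access-Reject"
    ACCOUNTING_LOG.append((code, request["nas_ip"], request["user_name"]))  # step 7
    return {"code": code, "services": ["vlan-20"] if ok else []}            # step 6

def ap_connect(nas_ip: str, secret: bytes, username: str, password: str) -> bool:
    """Steps 1 to 8 end to end from the AP's side: True if WLAN access is granted."""
    request = authenticator_build_request(nas_ip, secret, username, password)
    reply = radius_server_handle(request)
    return reply["code"] == "Access-Accept"

if __name__ == "__main__":
    print("good credentials:", ap_connect("10.0.0.5", b"ap-shared-secret-1", "alice",
                                          "correct horse battery staple"))
    print("bad password:   ", ap_connect("10.0.0.5", b"ap-shared-secret-1", "alice", "nope"))
    print("accounting log: ", ACCOUNTING_LOG)
```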

Review the WAN troubleshooting material in TestOut and note its use of common system commands to use on Cisco routers.

Chapter 12, Network Policies and Procedures

Chapter 12 addresses concepts that are explored further in other courses. It begins with an exploration of the needs a new network might be designed to meet. Think about what the network must do, what physical topologies make sense for this network, and what logical topologies will provide rapid service and protection. Review this lesson from the NET 226 class on this subject.

Policies are not documents. They are rules about what is allowed to happen on a network. Consider this list of definitions from a lesson in ITS 305:

  • Policies - rules about the conduct of our organization with regard to particular actions (we will limit ourselves to particular models chosen by the IT department); how we will approach the expectation
  • Standards - a method or process that may be procedural or technical (orders are to be placed by approved requesters within each work area); what steps are to be followed to assure general compliance with policy
  • Baselines - standards from which other standards are developed; we might have a baseline standard that all PCs will come from one vendor contract with a minimum feature set, and specific standards for advanced models for IT system developers
  • Procedure - a detailed set of steps to follow to be in compliance (requests are to be made to your manager, who will forward approved requests to your authorized requester); variations or limitations that apply to specific work areas, to be followed if they apply to your area
  • Guidelines - a suggested addition to any of the items above that is recommended but optional (submit your requests two weeks before the end of a quarter to allow processing time); do this to make it work better
  • Taxonomy - a set of definitions of how terms are used in our organization; this can also mean naming standards for objects in our organization, used in Active Directory or a management program; naming systems can be based on location, use, categorization, department or division ownership, or other concepts important to your organization

The author for that course goes on to talk about growing a library of these documents being like growing a tree. Like a tree, the parts of your business need to grow, to reach maturity, to produce fruit or nuts or seeds, and to be cut away to make room for new growth when they are no use any longer. The pieces of your policy framework should be expected to do the same. We need new rules about new products, new problems, and new changes to the environment.

TestOut also discusses management of assets. It begins with considerations about obtaining, using, and retiring assets for a network, but it also discusses asset management in the context of risk management.

Let's consider some vocabulary:

  • Asset - information, property, people or anything else that we care about
  • Threat - a potential form of loss or damage; many threats are only potential threats, but we plan for them because they might happen
  • Threat agent - a vector for the threat, a way for the threat to occur; could be a person, an event, or a program running an attack
  • Vulnerability - a weak spot where an attack is more likely to succeed
  • Exploit - a method of attack
  • Probability of occurrence - the odds that a particular threat will exploit a particular vulnerability successfully
  • Impact - the kind (e.g. money, productivity, customer confidence) and scale (usually expressed in dollars) of loss that an occurrence would have on an organization; a high score here means we should concentrate some of our limited budget on a particular asset
  • Risk - The text for Tactical Perimeter Defense defines this twice, the first time using words it defines later in its list. It is easier to understand the long definition after you look at the items above this one. It says risk is the probability that a particular threat will exploit a vulnerability causing harm to an organization.

    The second version says that we can quantify risk by saying it is the probability of an occurrence multiplied by the impact of that occurrence. Isn't it nice to be able to do math?
  • Control - A process that we put in place to reduce the impact and/or probability of a risk.

The effects and the causes of risk are concern for everyone in an organization. The systems, the users, the policies, and the threat agents all affect whether there will be a successful attack on our organization.

The following material is selected from my notes for the text mentioned above:

Risk Assessment

The text returns to the concept of risk assessment on page 26. It poses a good question that has more than one answer. How shall we count the value of an asset? This is easier to answer once we choose between two points of view:

  • Quantitative Risk Assessment - Every asset must be given a currency value of some sort that can be used in the measure of its impact on the organization. Several methods of assigning this value are discussed.
    • Replacement cost - What would it cost us to replace this asset if it were compromised or destroyed in an attack? If a partial loss is possible, what would be the value of each part of it?
    • Purchase cost - What did the asset cost to acquire it or develop it?
    • Depreciated cost - If the asset loses value over time, at what rate is it lost, and what is it worth now?
  • Qualitative Risk Assessment - In this method, every asset is given a relative value, not a currency value, which means that each must be measured against the others in terms of its worth to the organization

(Figure: Impact risk on parts of ISS)

The text continues with a discussion that leads to a complicated calculation. You need to pay attention to each step. The text presents the concepts in a different order than I have seen before. I think this one is clearer:

  • Asset Value (AV): the value that an asset has for the next several calculations; this value may be different depending on the context of its use
  • Exposure Factor (EF): the percentage of the value that would be lost in a single successful attack/exploit/loss; this accommodates the idea that an entire asset is not always lost to an attack
  • Single Loss Expectancy (SLE): this is a number that can be obtained by multiplying AV times EF.
    SLE = AV * EF
  • Frequency of Occurrence: this number tells you how many attacks to expect in some time period; this is ambiguous if we are not told whether this is the rate for all such attacks, or the rate for all such successful attacks
    We generally assume that the number given is the rate at which successful attacks occur.
  • Annualized Rate of Occurrence (ARO): often, known frequency of occurrence may be expressed in days or hours, but the executive you report to may want the numbers expressed in years. This is understandable if, for example, we are talking about establishing a yearly budget for IT Security. Reporting is often done based on calendar or fiscal years, which is another argument for making this conversion.
  • Annualized Loss Expectancy (ALE): the final number stands for the currency value of our expected loss for a given asset in one year; provided you have calculated the numbers so far, ALE equals SLE times ARO.
    ALE = SLE * ARO
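
The SLE and ALE chain above carried through in Python, as an added example that is not from the text. The order-server asset, its exposure factor, the observed attack frequency and the control cost are all constructed values. It goes one step beyond the list: once ALE is known, the yearly cost of a control can be weighed against the ALE reduction it buys, which is the arithmetic behind choosing between a control and simply accepting the risk.

```python
from dataclasses import dataclass

DAYS_PER_YEAR = 365
HOURS_PER_YEAR = 8760

@dataclass
class Asset:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one successful attack (0..1)

def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV * EF"""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset.asset_value * asset.exposure_factor

def annualized_rate(successes: float, per_period: float, unit: str) -> float:
    """Convert 'successes per per_period units' into ARO (successful attacks per year).

    unit is 'years', 'days' or 'hours'. As the notes say, we assume the figure
    given is the rate of successful attacks, not of all attempts."""
    if per_period <= 0:
        raise ValueError("period must be positive")
    per_year = {"years": 1, "days": DAYS_PER_YEAR, "hours": HOURS_PER_YEAR}[unit]
    return successes * per_year / per_period

def annualized_loss_expectancy(asset: Asset, aro: float) -> float:
    """ALE = SLE * ARO"""
    return single_loss_expectancy(asset) * aro

def control_net_benefit(asset: Asset, aro_before: float, aro_after: float,
                        ef_after: float, annual_control_cost: float) -> float:
    """ALE before the control, minus ALE after it, minus what the control costs per year.

    A control may lower the probability (ARO), the impact (EF), or both.
    Positive result: the control pays for itself. Negative: accepting the risk
    is cheaper, at least on these numbers."""
    ale_before = annualized_loss_expectancy(asset, aro_before)
    reduced = Asset(asset.name, asset.asset_value, ef_after)
    ale_after = annualized_loss_expectancy(reduced, aro_after)
    return ale_before - ale_after - annual_control_cost

# Constructed sample: an order-taking server worth 200,000, of which a single
# successful attack is expected to cost 25%; one success observed every 73 days.
ORDER_SERVER = Asset("order server", 200_000.0, 0.25)

if __name__ == "__main__":
    sle = single_loss_expectancy(ORDER_SERVER)
    aro = annualized_rate(1, 73, "days")
    ale = annualized_loss_expectancy(ORDER_SERVER, aro)
    print(f"SLE = {sle:,.0f}   ARO = {aro:.2f}/yr   ALE = {ale:,.0f}")
    # Hypothetical control: 40,000/yr, cuts ARO to 1/yr and EF to 12.5%
    print(f"net benefit of control = {control_net_benefit(ORDER_SERVER, aro, 1.0, 0.125, 40_000.0):,.0f}")
```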

Risk Management Strategies

The text lists four major strategies for managing risk in your environment. Here are five:

  • defense (avoidance) - make every effort to avoid your vulnerabilities being exploited; make the attack less possible, make the threat less likely to occur; avoid risk by avoiding the activity associated with the risk, and by providing an active defense against it
  • transferal (transference) - in general, letting someone else worry about it
    In the ITIL model, this is included in the definition of a service:
    "A service is a means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks." 
    A reader might misunderstand this statement, thinking that the customer does not pay anything. That is not the case. An IT service provider would assume the costs and risks of an operation in return for the customer's payment for the service. This can be done in-house or by outsourcing.
  • mitigation (mitigation) - this method seeks to reduce the effects of an attack, to minimize and contain the damage that an attack can do; Incident Response plans, Business Continuity plans, and Disaster Recovery plans are all part of a mitigation plan 
  • acceptance (acceptance) - this counterintuitive idea makes sense if the cost of an incident is minimal, and the cost of each of the other methods is too high to accept; the basic idea here is that it costs less just to let it happen in some cases, and to clean up afterward
  • termination (not listed in the text) - instead of accepting the risk of leaving the asset open to attack, the owner may choose to remove the asset from the environment that holds the risk of attack; it is debatable whether any environment can be totally safe, but it may be possible to move the asset to an environment that presents different, lesser risks; if this is not possible, the owner may choose to stop offering a service, stop presenting data to the public, or otherwise stop exposing such an asset to risks

This is another set of notes from the same course:

  • Business Impact Analysis - The green highlight on this bullet is to show that this step should be done when times are good and we can examine our systems performing normally.
    Before you can plan for what to do, you have to figure out what is normal for your business, what can go wrong, and what can be done to minimize the impact of incidents and problems/disasters (see the bullets below).
    • What are the business's critical functions? Can we construct a prioritized list of them?
    • What are the resources (IT and other types as well) that support those functions?
    • What would be the effect of a successful attack on each resource?
    • What controls should be put in place to minimize the effects of an incident or disaster? (Controls are proactive measures to prevent or minimize threat exposure.)

  • Incident Response Planning - The red highlight on this bullet is to acknowledge that the plans made in this step are used when there is an emergency for one or more users. (Shields up, red alert? Why were the shields down?)
    The text is consistent with the ITIL guidelines that call a single occurrence of a negative event an incident. An incident response plan is a procedure that would be followed when a single instance is called in, found, or detected.

    For example, a user calls a help desk to report a failure of a monitor that is under warranty. (Note that this is an example of an IT incident, not an IT security incident. What further details might make this part of a security incident?) There should be a common plan to follow to repair or replace the monitor. Incident Response Plans (Procedures) may be used on a daily basis.

  • Business Continuity Planning - The orange highlight is meant to indicate that these plans are not concerned with fighting the fire, but with conducting business while the fire is being put out.

    Business continuity means keeping the business running, typically while the effects of a disaster are still being felt. If we have no power, we run generators. If we cannot run generators (or our generators fail), we go where there is power and we set up an alternate business site. Or, if the scope of the event is small (one or two users out of many) maybe we pursue incident management for those users and business continuity is not a problem.

  • Disaster Recovery Planning - The yellow highlight here is to indicate that the crisis should be over and we are cleaning up the crime scene with these plans.

    A disaster requires widespread effects that must be overcome. A disaster might be most easily understood if you think of a hurricane, consequent loss of power, flooding that follows, and the rotting of the workplace along with the ruined computers and associated equipment. 

    A disaster plan is what we do to restore the business to operational status after the disaster is over. There may be specific plans to follow for disasters under the two bullets above, but the disaster recovery plan is used after the crisis, unless this term is applied differently in your working environment.

  • By the way, in ITIL terms, a series of incidents may lead us to discover what ITIL calls a problem, something that is inherently wrong in a system that might affect all its users. When a problem knocks out a critical service, we have a disaster. The organization you work for may use all three terms, or any two of them to mean different scopes of trouble. You need to know the vocabulary to use in the setting where you work, and you need to call events by the names they use.

The text also mentions analysis of the incident and our response. Analysis of the incident should begin during the incident, to lead us to a good solution. Analysis after the incident can examine what actually happened, whether the steps we took were effective, and what we should recommend or require to avoid such an event in the future.

TestOut continues its discussion of security concerns:

  • Acceptable use policy - This policy must contain specific examples of general principles, such as only using company assets for company business, not breaking any laws or company rules, and not exposing company data to corruption or theft.
  • E-mail policy - This one must tell users what is acceptable and unacceptable regarding e-mail, such as no spam, no chain e-mail, and limits to allowed personal use of e-mail.
  • Privacy policy - Protecting the private data of the company and its customers is very important. This policy should summarize applicable laws and regulations. It should also specify rules about data transport and encryption.
  • System access policy - This policy is about how and when users may access the organization's systems. User ID and password rules belong here, as well as authentication procedures for particular networks.
  • Physical security and clean desk policy - Many organizations handle data they consider to be sensitive, so there will be rules about access to doors, rooms, and data processing locations. This is physical security. A clean desk policy states that company data should never be exposed by being left open on a desk. This includes hard copy files and computer access, which leads to a policy about locking a computer before you walk away from your desk.
  • Corporate mobility policy - Mobile device policies include wireless access methods and rules about use inside and outside the corporate buildings. It may also include rules about the acceptable and unacceptable use of personal devices accessing corporate data or e-mail. As the text mentions, there is a trend toward allowing this through a policy.
  • Social networking policy - Social networks were not meant for the display of company data when they were created. People have done enough of that kind of posting that some organizations prefer to have their own pages on social network sites, managed by an office of information, and to have policies that forbid employees to post any data about company operations or staff. This is reasonable, given that such sites are commonly used by hackers when they are looking for background information before an attack.

TestOut also discusses security measures that should be used when granting new permissions to staff when they are new hires, and removing permissions from staff when they leave our organization.

The last topic in this chapter covers looking for vulnerabilities that might be exploited in our organization. Make note of the common technical items to examine, such as unprotected ports and devices, as well as the exploits that use social engineering. This one is an entire subject in itself. They may be the nicest or meanest thieves you will ever meet. These are some techniques used by talented social engineers:

  • authority - pretend to be someone who has the right to make the request
  • intimidation - in an oppressive environment, it may be easy to use fear of what would happen if the request is not granted
  • consensus/social proof - tell a believable lie that others have granted this request in the past
  • scarcity - tell the victim that you are short on time, or you have to get this before it can't be done
  • urgency - tell the victim that you need this right now, and that you will complete the red tape later
  • familiarity/liking - act like one of the family, especially one who appreciates the work the victim does for the company
  • trust - use details about the organization to make it seem like you are a part of it

Week 6 Assignment: Labs for Chapters 11 and 12 (and all the chapters after that)

  1. Complete as many labs as you can, as soon as you can. For this week, concentrate on doing the labs in Chapters 11 and 12 of the TestOut lessons. Repeat the labs until you score at least 80% on them.
  2. When you have done what you can for this week, capture a screen that shows your current progress, and submit it to me as this week's report of your progress.