3-2 Network Implementation

3.7 Given a connectivity scenario, determine the impact on network functionality of a particular security implementation (For example: port blocking / filtering, authentication and encryption).

> Port Blocking / Filtering

A network layer firewall works as a packet filter by deciding what packets will pass the firewall according to rules defined by the administrator. Filtering rules can act on the basis of source and destination address and on ports, in addition to whatever higher-level network protocols the packet contains. Network layer firewalls tend to operate very fast, and transparently to users.

Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls hold some information on the state of connections (for example: established or not, initiation, handshaking, data or breaking down the connection) as part of their rules (e.g. only hosts inside the firewall can establish connections on a certain port).

Stateless firewalls have packet-filtering capabilities but cannot make more complex decisions about what stage communications between hosts have reached. Because a stateless filter cannot tell the reply to a connection an inside host opened from an unsolicited inbound packet, any port on which return traffic may arrive has to be left open statically, so stateless firewalls offer less security. In their ability to filter packets, stateless firewalls somewhat resemble a router.

Any normal computer running an operating system which supports packet filtering and routing can function as a network layer firewall. Appropriate operating systems for such a configuration include Linux, Solaris, BSDs or Windows Server.
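The two sub-categories above, modelled as an added example (not part of the original notes): a stateless rule set and a stateful one are run over a small constructed TCP trace. The addresses, ports, the inside prefix (10.0.0.0/8, tested here by first octet only) and the trace itself are assumptions made for the demonstration; nothing is captured from a real network.

```python
"""Stateless vs stateful packet filtering over a constructed TCP packet trace.

Added example, not from the original study notes. Packets, rules and the
trace are all constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "PA" = data


def is_inside(ip: str) -> bool:
    # Assumption: the inside network is 10.0.0.0/8, checked by first octet
    return ip.startswith("10.")


def stateless_allow(p: Packet) -> bool:
    """Stateless rule set: each decision uses only the fields of this packet.

    Rule 1: anything leaving the inside network is allowed.
    Rule 2: to let replies come back, inbound packets to high ports (>1023)
            must be allowed unconditionally, because the filter cannot
            know whether an inside host asked for them.
    """
    if is_inside(p.src) and not is_inside(p.dst):
        return True
    if not is_inside(p.src) and is_inside(p.dst) and p.dport > 1023:
        return True
    return False


class StatefulFilter:
    """Stateful rule set: inbound traffic is allowed only if it matches a
    connection that an inside host initiated (tracked by 4-tuple)."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.table = set()

    def allow(self, p: Packet) -> bool:
        if is_inside(p.src) and not is_inside(p.dst):
            if "S" in p.flags and "A" not in p.flags:  # new outbound SYN
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        if not is_inside(p.src) and is_inside(p.dst):
            return (p.dst, p.dport, p.src, p.sport) in self.table
        return False


# Constructed trace: a legitimate web fetch, then an unsolicited inbound probe
TRACE = [
    Packet("10.1.1.5", 40000, "203.0.113.7", 80, "S"),    # inside host opens a connection
    Packet("203.0.113.7", 80, "10.1.1.5", 40000, "SA"),   # legitimate reply
    Packet("198.51.100.9", 4444, "10.1.1.5", 5900, "S"),  # unsolicited probe of a VNC port
]


def run_trace(trace=TRACE):
    """Return (stateless decision, stateful decision) for each packet in order."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in trace]
```

The third packet is the point of the exercise: the stateless rule set has to let it through because it cannot distinguish it from the reply in packet two, while the stateful filter rejects it because no inside host opened a connection to that source.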

> Authentication

Authentication is the process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of that individual; authorization has to be checked separately after a successful login.

> Encryption

Encryption is part of a larger process of encoding and decoding messages to keep information secure. This process, though commonly called encryption, is more correctly called cryptography: the use of mathematical transformations to protect data.

Cryptography is primarily a software-based solution and, in most cases, should not involve significant hardware costs. It is a key tool in protecting privacy, as encryption allows only authorized parties to view the data. Cryptography is also used to ensure data integrity, but encryption alone does not provide it: an attacker who cannot read a ciphertext can often still modify it so that it decrypts to different plaintext. Integrity comes from separate cryptographic mechanisms such as hashes, message authentication codes (MACs) and digital signatures, which detect data that has been modified or corrupted.
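The distinction between confidentiality and integrity made above, as an added example that is not part of the original notes: a stream-cipher ciphertext is altered by an attacker who never learns the key, decrypts "cleanly" to a different message, and the same alteration is then caught by an HMAC tag. The cipher is a toy built from HMAC-SHA256 as a keystream generator (an assumption made so the example needs only the standard library); the malleability it shows applies equally to real stream ciphers and to block ciphers in CTR mode. Keys, nonce and the message are constructed.

```python
"""Encryption without integrity: a bit-flip on a stream cipher ciphertext,
then the same attack detected by encrypt-then-MAC.

Added example, not from the original notes. The keystream generator is a
toy (HMAC-SHA256 of a counter), used only to keep the example stdlib-only.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the keystream is its own inverse


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's move: without the key, XOR (old XOR new) into the ciphertext
    at a known position so that the plaintext there becomes `new`."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Verify the tag in constant time before decrypting; None means rejected."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt(enc_key, nonce, ct)


def demo():
    """Returns (what an unauthenticated receiver decrypts, what an authenticated one returns)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    msg = b"transfer amount=100 to=alice"          # constructed message
    offset = msg.index(b"100")                     # attacker knows the format, not the key

    ct = encrypt(enc_key, nonce, msg)
    unauthenticated = decrypt(enc_key, nonce, tamper(ct, offset, b"100", b"900"))

    ct2, tag = seal(enc_key, mac_key, nonce, msg)
    authenticated = open_sealed(enc_key, mac_key, nonce, tamper(ct2, offset, b"100", b"900"), tag)
    return unauthenticated, authenticated
```

`demo()` returns `b"transfer amount=900 to=alice"` for the unauthenticated path and `None` for the authenticated one: the ciphertext kept the amount secret, but only the MAC kept it honest.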

3.8 Identify the main characteristics of VLANs (Virtual Local Area Networks).

A Virtual LAN is a group of devices on one or more LANs that are configured using management software so that they can communicate as if they were attached to the same LAN segment, when in fact they are located on a number of different segments. Because VLANs are based on logical instead of physical connections, they are more flexible.

For a computer to communicate with devices on a LAN segment other than the one it is located on, a router is required. As networks expand, more routers are needed to separate users into broadcast and collision domains and to provide connectivity to other LANs. Since routers add latency, this can delay data transfer over the network.

Switches are used in VLANs to create the same division of the network into separate broadcast domains, but without the latency problems of a router. Note that a switch only separates the domains: traffic between two VLANs still has to pass through a router (or the routing function of a layer 3 switch), which is also where access between VLANs can be filtered.

Advantages to using VLANs:

Switched networks increase performance by reducing the size of collision domains. Users can be grouped into logical networks, which increases performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Less traffic needs to be routed, so the latency added by routers is reduced.

VLANs provide an easier way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices located in physically different locations.

Software configuration is simplified by consolidating a department's resources into a single subnet: IP addresses, subnet masks and local network protocols will be more consistent across the entire VLAN.

VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain.

A switched network delivers unicast frames only to the intended recipients, and broadcast frames only to other members of the same VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community regardless of physical location, thus enhancing security. The separation is only as strong as the switch and router configuration that enforces it: traffic between VLANs still passes through a router, and that is where access between the segments should be filtered.
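How VLAN membership actually travels in a frame, and how a switch confines a broadcast to one VLAN, as an added example that is not part of the original notes: it builds IEEE 802.1Q-tagged Ethernet frames in memory, extracts the VLAN ID from the tag, and models a small switch with access ports and one trunk. The port layout, VLAN numbers and MAC addresses are constructed for the demonstration.

```python
"""802.1Q VLAN tag parsing and per-VLAN broadcast flooding.

Added example, not from the original notes. Port layout, VLAN assignments
and MAC addresses are constructed.
"""
import struct

TPID_8021Q = 0x8100
BROADCAST = bytes.fromhex("ffffffffffff")


def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Layout: dst(6) src(6) TPID(2)=0x8100 TCI(2) EtherType(2) payload.
    TCI packs PCP (3 bits), DEI (1 bit, left 0 here) and the 12-bit VID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vid, ethertype, payload); vid is None for an untagged frame."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0xFFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


class VlanSwitch:
    """Minimal switch model: each access port belongs to one VLAN and carries
    untagged frames; the trunk port receives tagged frames. receive() returns
    the list of ports the frame is forwarded to."""

    def __init__(self, access_ports: dict, trunk: int):
        self.access_ports = access_ports   # port -> VID
        self.trunk = trunk
        self.mac_table = {}                # (vid, mac) -> port

    def receive(self, in_port: int, frame: bytes):
        dst, src, vid, _, _ = parse_frame(frame)
        if in_port == self.trunk:
            if vid is None:
                return []                  # constructed policy: untagged on the trunk is dropped
        else:
            vid = self.access_ports[in_port]   # access port: VLAN is implied by the port
        self.mac_table[(vid, src)] = in_port   # learn the source within its VLAN
        out = self.mac_table.get((vid, dst))
        if dst == BROADCAST or out is None:
            # flood, but only to ports in this VLAN's broadcast domain
            return sorted(p for p, v in self.access_ports.items() if v == vid and p != in_port)
        return [] if out == in_port else [out]


ACCESS_PORTS = {1: 10, 2: 10, 3: 20, 4: 20}   # constructed: ports 1-2 in VLAN 10, 3-4 in VLAN 20
TRUNK = 0
HOST_A = bytes.fromhex("020000000001")        # constructed locally administered MACs
HOST_B = bytes.fromhex("020000000002")


def demo():
    sw = VlanSwitch(ACCESS_PORTS, TRUNK)
    # 1. An ARP broadcast for VLAN 10 arrives tagged on the trunk: flooded to ports 1 and 2 only.
    arp = build_tagged_frame(BROADCAST, HOST_A, vid=10, pcp=0, ethertype=0x0806, payload=b"\x00" * 28)
    arp_out = sw.receive(TRUNK, arp)
    # 2. Untagged unicast from HOST_B on port 3 (VLAN 20) to HOST_A. HOST_A was learned in
    #    VLAN 10, not VLAN 20, so the switch floods inside VLAN 20 only; HOST_A never sees it.
    uni = HOST_A + HOST_B + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
    uni_out = sw.receive(3, uni)
    return arp_out, uni_out
```

`demo()` returns `([1, 2], [4])`: the broadcast reaches only the VLAN 10 ports, and the host in VLAN 20 cannot reach a VLAN 10 host through the switch at all; that path exists only if a router joins the two VLANs.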

3.9 Identify the main characteristics and purpose of extranets and intranets.

> Extranets

An extranet is a private network that uses Internet protocols and public network connectivity to securely share part of an organization's information or operations with suppliers, vendors, partners, customers or other businesses. An extranet can be viewed as the part of a company's intranet that is extended to users outside the company, normally over the Internet.

An extranet requires security and privacy measures. These can include firewalls, server management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of virtual private networks (VPNs) that tunnel through the public network.

Advantages

  • Extranets can improve organization productivity by automating processes that were previously done manually.
  • Extranets allow organization or project information to be viewed at times convenient for business partners, customers, employees, suppliers and other stake-holders.
  • Information on an extranet can be updated, edited and changed instantly. All authorised users therefore have immediate access to the most up-to-date information.

Disadvantages

  • Extranets can be expensive to implement and maintain within an organisation.
  • Security of extranets can be a big concern when dealing with valuable information.
  • Extranets can reduce personal contact (face-to-face meetings) with customers and business partners, which could weaken the relationships between people and the company.

> Intranet

Intranets differ from "Extranets" in that the former is generally restricted to employees of the organization while extranets can generally be accessed by customers, suppliers, or other approved parties.

An intranet is a private computer network that uses Internet protocols and network connectivity to securely share part of an organization's information or operations with its employees. Sometimes the term refers only to the most visible service, the internal website. The same concepts and technologies as the Internet, such as clients and servers running on the Internet protocol suite, are used to build an intranet. HTTP and other Internet protocols are commonly used as well, especially FTP and e-mail.

3.10 Identify the purpose, benefits and characteristics of using antivirus software.

Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software.

Antivirus software typically uses two different techniques to accomplish this:

  • Examining files to look for known viruses matching definitions in a virus dictionary
  • Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Dictionary Approach: When the antivirus software looks at a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:

  • attempt to repair the file by removing the virus itself from the file
  • quarantine the file
  • delete the infected file.

Suspicious Behavior Approach: Because it does not depend on a dictionary of known code, the suspicious behavior approach provides protection against brand-new viruses that do not yet exist in any virus dictionaries. Most antivirus software makes limited use of this approach today.

Using this approach the antivirus software:

  • Doesn't attempt to identify known viruses.
  • Monitors the behavior of all programs.
  • If one program tries to write data to an executable program, the antivirus software can flag this suspicious behavior, alert the user and ask what to do.

Heuristic Analysis Approach:

  • Antivirus software could try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable.
  • If the program seems to use self-modifying code or otherwise appears as a virus, one could assume that a virus has infected the executable. However, this method could result in a lot of false positives.
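The dictionary and suspicious-behavior approaches above, as an added example that is not part of the original notes: a small signature scanner (byte patterns at a fixed offset or anywhere, plus whole-file hashes) and a behavior rule that flags a process writing into an executable it did not create. The signature dictionary, the sample "files" and the event log are all constructed; real products use far larger dictionaries, smarter matching and emulation.

```python
"""Dictionary (signature) scanning and behaviour-based flagging over constructed data.

Added example, not from the original notes. Signatures, files and events are made up.
"""
import hashlib

# Constructed dictionary: name -> (byte pattern, required offset or None for "anywhere")
SIGNATURES = {
    "Test.Marker.A": (b"DEMO-MALWARE-MARKER-1", None),
    "Test.Header.B": (b"MZ\x90\x00BAD", 0),        # must sit at the start of the file
}
# Constructed hash dictionary: SHA-256 of an entire known-bad file
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"payload-that-is-entirely-known").hexdigest(): "Test.Hash.C",
}


def scan_file(data: bytes):
    """Dictionary approach: return the names of every signature that matches."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        hits.append(KNOWN_BAD_HASHES[digest])
    for name, (pattern, offset) in SIGNATURES.items():
        if offset is None:
            if pattern in data:
                hits.append(name)
        elif data[offset:offset + len(pattern)] == pattern:
            hits.append(name)
    return hits


EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


def monitor_events(events):
    """Behaviour approach: flag a process that writes into an executable file
    it did not itself create (the classic file-infector pattern).
    Events are (pid, process name, action, path) tuples."""
    created = set()
    alerts = []
    for pid, proc, action, path in events:
        if action == "create":
            created.add((pid, path))
        elif (action == "write"
              and path.lower().endswith(EXECUTABLE_SUFFIXES)
              and (pid, path) not in created):
            alerts.append(f"pid {pid} ({proc}) wrote to existing executable {path}")
    return alerts


# Constructed sample inputs
CLEAN_FILE = b"Hello, this is a harmless document."
INFECTED_FILE = b"MZ\x90\x00BAD...some code...DEMO-MALWARE-MARKER-1...more"
EVENT_LOG = [
    (101, "installer.exe", "create", r"C:\Program Files\App\app.exe"),
    (101, "installer.exe", "write",  r"C:\Program Files\App\app.exe"),  # its own new file: fine
    (202, "photo.scr",     "write",  r"C:\Windows\System32\calc.exe"),  # modifies an existing executable
    (303, "notepad.exe",   "write",  r"C:\Users\bob\notes.txt"),        # not an executable
]
```

The scanner reports nothing for `CLEAN_FILE`, both signatures for `INFECTED_FILE`, and the monitor raises exactly one alert, for pid 202. Note what the behavior rule catches that the dictionary cannot: the writing process has no entry in any signature list.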

3.11 Identify the purpose and characteristics of fault tolerance:

Fault tolerance is the ability of a system to continue functioning when part of the system fails. Normally, fault tolerance is used in describing disk subsystems, but it can also apply to other parts of the system or the entire system. Fully fault-tolerant systems use redundant disk controllers and power supplies as well as fault-tolerant disk subsystems. You can also use an uninterruptible power supply (UPS) to safeguard against local power failure.

Although the data is always available in a fault-tolerant system, you still need to make backups that are stored offsite to protect the data against disasters such as a fire.

> Network Redundancy

Service interruptions on a network are not always the result of a computer or drive failure. Sometimes the network itself is to blame. For this reason, many larger internetworks are designed with redundant components that enable traffic to reach a given destination in more than one way. If a network cable is cut or broken, or if a router or switch fails, redundant equipment enables data to take another path to its destination. There are several ways to provide redundant paths. Typically, you have at least two routers or switches connected to each network, so that the computers can use either one as a gateway to the other segments.

For example, you can build a network with two backbones. Each workstation can use either of the routers on its local segment as a gateway. You can also use this arrangement to balance the traffic on the two backbones by configuring half of the computers on each local area network (LAN) to use one of the routers as their default gateway and the other half to use the other router.

> Storage

A redundant array of independent disks (RAID) is an example of a fault-tolerant storage device that uses data redundancy.

RAID

Redundant Array of Inexpensive (or Independent) Disks. A RAID array is a collection of drives which collectively act as a single storage system, which at every level except 0 can tolerate the failure of a drive without losing data, and whose member drives can operate independently of each other.

Level 0 referred to as striping, is not redundant. Data is split across drives, resulting in higher data throughput. Since no redundant information is stored, performance is very good, but the failure of any disk in the array results in all data loss.

Level 1, referred to as mirroring, uses 2 hard drives. It provides redundancy by duplicating all data from one drive on another drive. Read performance can be better than a single drive, and if either drive fails, no data is lost. This is a good entry-level redundant system, since only two drives are required.

Level 2, which uses Hamming error correction codes, is intended for use with drives which do not have built-in error detection. All SCSI drives support built-in error detection, so this level is not needed if using SCSI drives.

Level 3 stripes data at a byte level across several drives, with parity stored on one drive. It is otherwise similar to level 4. Byte-level striping requires hardware support for efficient use.

Level 4 stripes data at a block level across several drives, with parity stored on one drive. The parity information allows recovery from the failure of any single drive. Performance is very good for reads. Writes, however, require that parity data be updated each time. This slows small random writes, in particular, though large writes or sequential writes are fairly fast.

Level 5 is striping with distributed parity. It is similar to level 4, but parity is distributed among the drives; no single disk is devoted to parity, so the parity drive is no longer a bottleneck and small writes can be faster in multiprocessing systems. Because the parity block must be skipped on each drive during sequential reads, read performance may be somewhat lower than that of a level 4 array.
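The parity mechanics of levels 4 and 5, as an added example that is not part of the original notes: a byte-level model of a parity array over in-memory "drives" that shows the fixed versus rotating parity placement, rebuilds any single lost drive by XOR, and performs the read-modify-write that makes small writes expensive. The block size, drive count and sample payload are constructed.

```python
"""RAID 4 vs RAID 5 parity layout, single-drive reconstruction and the small-write penalty.

Added example, not from the original notes. BLOCK, drive count and payload are constructed.
"""

BLOCK = 4   # bytes per block (constructed; real arrays stripe in KiB-sized chunks)


def xor_blocks(blocks):
    """XOR any number of equal-length blocks together."""
    out = bytearray(BLOCK)
    for b in blocks:
        for i in range(BLOCK):
            out[i] ^= b[i]
    return bytes(out)


def parity_drive_for(level: int, stripe: int, ndrives: int) -> int:
    """Level 4: parity always on the last drive. Level 5: the parity block moves
    one drive to the left on each successive stripe, so no drive is a hot spot."""
    return ndrives - 1 if level == 4 else (ndrives - 1 - stripe) % ndrives


def build_array(data: bytes, ndrives: int, level: int):
    """Stripe data across ndrives at block level; returns drives[d] = list of blocks."""
    nd = ndrives - 1                                   # data blocks per stripe
    stripe_bytes = nd * BLOCK
    data = data.ljust(-(-len(data) // stripe_bytes) * stripe_bytes, b"\x00")  # pad to whole stripes
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    drives = [[] for _ in range(ndrives)]
    for s in range(len(chunks) // nd):
        stripe_data = chunks[s * nd:(s + 1) * nd]
        p = parity_drive_for(level, s, ndrives)
        it = iter(stripe_data)
        for d in range(ndrives):
            drives[d].append(xor_blocks(stripe_data) if d == p else next(it))
    return drives


def read_data(drives, level: int, length: int) -> bytes:
    """Reassemble the data, skipping whichever block holds parity in each stripe."""
    ndrives = len(drives)
    out = b""
    for s in range(len(drives[0])):
        p = parity_drive_for(level, s, ndrives)
        out += b"".join(drives[d][s] for d in range(ndrives) if d != p)
    return out[:length]


def reconstruct_drive(drives, failed: int):
    """A lost block, whether data or parity, is the XOR of the other blocks in its stripe."""
    survivor = next(d for d in range(len(drives)) if d != failed)
    return [xor_blocks([drives[d][s] for d in range(len(drives)) if d != failed])
            for s in range(len(drives[survivor]))]


def write_block(drives, level: int, stripe: int, drive: int, new_block: bytes):
    """The small-write penalty: read old data and old parity, then
    new_parity = old_parity XOR old_data XOR new_data (two reads, two writes)."""
    p = parity_drive_for(level, stripe, len(drives))
    if drive == p:
        raise ValueError("that block holds parity in this stripe")
    drives[p][stripe] = xor_blocks([drives[p][stripe], drives[drive][stripe], new_block])
    drives[drive][stripe] = new_block


def survives_single_failure(data: bytes, ndrives: int, level: int) -> bool:
    """Lose each drive in turn, rebuild it from the survivors, and check the data reads back."""
    for failed in range(ndrives):
        drives = build_array(data, ndrives, level)
        drives[failed] = None                               # simulate the failure
        drives[failed] = reconstruct_drive(drives, failed)   # rebuild onto a replacement
        if read_data(drives, level, len(data)) != data:
            return False
    return True


SAMPLE = b"The quick brown fox jumps over the lazy dog"   # constructed payload
```

`survives_single_failure(SAMPLE, 4, 5)` is true for every drive, including the one holding parity in a given stripe, because XOR makes no distinction between data and parity blocks. Losing a second drive before the rebuild finishes leaves two unknowns per stripe and no way to solve for them, which is why the hot-spare discussion further down cares about mean time to recovery.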

3.12 Identify the purpose and characteristics of disaster recovery:

> Backup / restore

Offsite storage

A remote backup service, online backup service or managed backup service is a service that provides users with an online system for backing up and storing computer files. Managed backup providers are companies that have the software and server space for storing files.

Hot and cold spares

  • A hot spare disk is running, ready to start working in the case of a failure.
  • A cold spare disk is not running.

A hot spare is used as a failover mechanism to provide reliability in system configurations. The hot spare is active and connected as part of a working system. When a key component fails, the hot spare is switched into operation.

Examples of hot spares are components such as networked printers, and hard disks. The equipment is powered on, or considered "hot", but not actively functioning in the system. In the case of a disk drive, data is being mirrored so when the hot spare takes over, the system continues to operate with minimal or no downtime.

A hot spare disk is a disk, or group of disks, used to automatically or manually replace a failing or failed disk in a RAID configuration. The hot spare disk reduces the mean time to recovery (MTTR) for the RAID redundancy group, thus reducing the probability of a second disk failure and the resulting data loss that would occur in any singly redundant RAID level (e.g., RAID-1, RAID-5, RAID-10).

Hot, warm and cold sites

A backup site is a location where a business can easily relocate following a disaster such as a fire or flood.

There are three types of backup sites: cold sites, warm sites, and hot sites. The differences between the types are determined by the cost and effort required to implement each.

Hot Site is a duplicate of the original site of the business, with full computer systems as well as near-complete backups of user data. Following a disaster, the hot site exists so that the business can relocate with minimal losses to normal operations. Ideally, a hot site will be up and running within a matter of hours. This type of backup site is the most expensive to operate.

Warm Site is a location the business can relocate to after the disaster, already stocked with computer hardware similar to that of the original site, but not containing backed-up copies of data and information.

Cold Site is the most inexpensive type of backup site for a business to operate. It does not include backed-up copies of data and information from the original location, nor does it include hardware already set up. The lack of hardware contributes to the minimal startup costs of the cold site, but requires additional time following the disaster to get the operation running at a capacity close to that prior to the disaster.