N10-006 Objectives & Notes
By Taona Ralph
This page has been intentionally left blank. There is absolutely no reason why I skipped this page. I have
tried, long and hard, to think of a reason why I should write on this page. Even I am surprised I didn’t get
one… Oh well…
Section 1: Network Architecture
1.1 Explain the functions and applications of various network devices
Router
o Layer 3 device
o Routes traffic between 2 IP subnets
o Often connects diverse network types
o Routers inside switches are sometimes called L3 switches or multilayer switches
Switch
o Layer 2 device
o Bridging is done by ASIC chips (which are very fast)- hardware based switching
o Makes forwarding decisions based on hardware/MAC/Physical address
o Core of an enterprise network
o High bandwidth to handle simultaneous packets
Multilayer Switch
IDS/IPS
o IDS- monitors hosts or networks, detects suspicious behavior and can alert
administrators of attacks. Attacks are only detected, not blocked. Normally
complements other devices (like firewalls)
o Can be passive or active
-Passive IDS does not take any corrective action when suspicious activity has
been identified
-Active IDS will monitor, and log, any suspicious activity, and then take some
corrective action.
o NB: An active IDS is now known as an Intrusion Prevention System (IPS)
o IPS- like an IDS, they monitor hosts or networks, but have the additional capability to
block attacks or take other corrective measures.
Access Point
o Wireless Access Points (WAPs) are network devices that can be connected to the
wired network to allow a wireless client to pass through and access the wired
network and its resources
o Also known as a cell: a device that transmits and receives radio frequencies between the
PCs and network devices with wireless transmitters connected to them.
o Layer 2 device
o NB: A WAP is a wireless bridge (not a wireless router), and therefore makes
forwarding decisions based on MAC address.
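The IDS/IPS bullets above draw the line between a passive sensor (detect and alert only) and an active one (detect and block). The following is an added example, not part of these notes: a small threshold rule run over constructed firewall-style log lines. A source that touches many distinct destination ports within a short window is flagged; in passive mode the result is an alert list, in active (IPS) mode the same rule also produces a block list. The log format, threshold and window are assumptions made for the example.

```python
"""Passive IDS vs active IDS/IPS over constructed log lines (added example)."""
from collections import defaultdict

# Constructed sample log lines: "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
1000 10.0.0.5 192.168.1.10 22 deny
1001 10.0.0.5 192.168.1.10 23 deny
1002 10.0.0.5 192.168.1.10 25 deny
1003 10.0.0.5 192.168.1.10 80 deny
1004 10.0.0.5 192.168.1.10 443 deny
1005 10.0.0.5 192.168.1.10 3389 deny
1010 10.0.0.7 192.168.1.10 443 allow
1011 10.0.0.7 192.168.1.10 443 allow
"""

PORT_THRESHOLD = 5   # distinct destination ports from one source ...
WINDOW_SECONDS = 10  # ... within this many seconds raises an alert (assumed values)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "port": int(port), "action": action})
    return events


def detect(events, mode="passive"):
    """Return (alerts, blocked).

    Both modes evaluate the same rule and produce the same alerts; only the
    active mode adds the offending source to the block list, which is the
    difference between an IDS and an IPS in the notes above.
    """
    if mode not in ("passive", "active"):
        raise ValueError("mode must be 'passive' or 'active'")
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev["src"]].append(ev)

    alerts = []
    blocked = set()
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        # sliding window: start at each event and look WINDOW_SECONDS ahead
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW_SECONDS]
            ports = {e["port"] for e in window}
            if len(ports) >= PORT_THRESHOLD:
                alerts.append({"src": src, "ports": sorted(ports), "start": first["ts"]})
                if mode == "active":
                    blocked.add(src)
                break  # one alert per source is enough here
    return alerts, sorted(blocked)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("passive:", detect(evs, "passive"))
    print("active: ", detect(evs, "active"))
```

Running the block shows the same alert for 10.0.0.5 in both modes, and a non-empty block list only in active mode; 10.0.0.7, which only ever talks to one port, never trips the rule.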
Content Filter
Load Balancer
o A network appliance that allows you to split the workload (the requests) for an
application across many servers
o Distributes the requests across many physical servers
o Adds fault tolerance
o Can cache and prioritize traffic (QoS)
o Very common in large environments (especially on websites- webservers are
typically connected to a load balancer).
o Goal is to improve performance (and availability), as no single system is handling all
the requests.
Hub
o Layer 1 device
o Multi-port repeater
o Half duplex operation- you can either send or receive at a time
o Less efficient as speed and bandwidth requirements increase
o A passive hub has no power source or electrical components; there is no signal
processing, and there is no signal regeneration.
o An active hub provides the same functionality as a passive hub, with the ability to
amplify the signal before sending it to all destination ports. It has a power source
and built in repeaters to boost the signal. Also known as a multiport repeater.
o NB: a passive hub does not regenerate the signal as the active hub does; therefore,
the cable distance between two PCs is the total cable length and not PC-to-hub
length, as with active hubs.
Analog modem
o MOdulator/DEModulator
o Used on Public Switched Telephone Network (PSTN)
o Converts digital signals from PC to analog transmission for sending on phone lines.
o Post Office Telephone System (POTS) modems are now used for backup and utility
functions.
VPN Concentrator
-A Virtual Private Network (VPN) extends a private network across a public network, enabling
users to send and receive data across shared or public networks as if their computing devices
were directly connected to the private network.
-It provides tunneling through a public network with a secure communications channel.
-Uses PPTP, L2TP or SSTP for secure connections to a remote network- you are able to tunnel
through an Internet or LAN connection without compromising security.
-Purpose is to ensure that no one can intercept the data and read it because it is transmitted in
an encrypted format.
-Major benefits include:
a. Secure communication across an unsecure medium
b. lack of long distance costs incurred to communicate between the two locations
Site to site
Each site/location has a VPN appliance (VPN Router) to create the encrypted
tunnel from one location to another.
Clients are not directly establishing the VPN tunnel, but instead go through the
VPN router that will create a VPN connection to the other location.
The tunnel is established once by the VPN appliance and all users send
information securely through the one tunnel.
Host to site
The client (host) creates the secure VPN tunnel to the remote location. If
multiple users wanted to transmit data to the remote site securely, each client
would create its own VPN tunnel.
Host to host
Creates an encrypted tunnel between two computers in a host-to-host
topology.
A client computer is creating a VPN connection to another client computer and
all communications between the two are encrypted.
o VPN Protocols
IPSec
-The IP Security protocol is used to encrypt all IP traffic once IPSec has been
enabled on the system/device
-L3 security- confidentiality and integrity/anti-replay
-IPSec uses Encapsulation Security Payload (ESP) to encrypt traffic,
Authentication Header (AH) protocol for message integrity and authentication,
and Internet Key Exchange (IKE) to exchange encryption keys between systems.
GRE
-Generic Routing Encapsulation provides a private, secure path for transporting
packets through an otherwise public network by encapsulating (tunneling) the
packets, i.e., it is the tunnel itself.
SSL VPN
-Secures communication over SSL traffic (port 443); based on common Internet
protocols (SSL).
-Newer approach to encrypting VPN traffic (preferred over PPTP and L2TP).
PTP/PPTP
-Point-to-Point Tunneling Protocol
-Older VPN protocol used to encrypt PPP traffic
-Common in Microsoft environments
-Uses GRE to transport PPP packets
-Uses TCP port 1723 (the control port, which controls the tunnel) and IP protocol ID 47
(GRE, which carries the data); both must be allowed on the firewall.
TACACS/RADIUS
o Remote Authentication Dial-In User Service (RADIUS)
-is a central authentication service that you can use to control who can connect to the
network via VPN solutions, wireless and wired network connections.
-RADIUS is an authentication and accounting system used to provide remote access.
Usernames and passwords are passed to Remote Access Servers (RAS) and then
authenticated against a central database.
o Terminal Access Controller Access-Control System (TACACS)
-TACACS is similar to RADIUS, but is an older authentication service that was common
with UNIX environments. It has been replaced by RADIUS and TACACS+.
Network Controllers
-These are network interfaces, or network cards, in a system or device.
-responsible for sending and receiving data to and from the network.
-you can increase bandwidth of a network device by installing multiple network
controllers and teaming the network controller(s) together (bonding). The device can
then use both network controllers at the same time to increase performance.
1.3 Install and configure the following networking services/applications
DHCP
-Dynamic Host Configuration Protocol, responsible for assigning IP address information
automatically to systems on the network. The network administrator configures the DHCP
server by configuring a scope (range of addresses) that the server can assign addresses
from. The DHCP service may configure a client with all the TCP/IP settings, including the
subnet mask, default gateway, and the addresses of both the DNS server and WINS server.
-DHCP runs on UDP ports 67 and 68.
o Static vs Dynamic IP addressing
-Static IP addresses are manually configured on a network device by a network
administrator, while Dynamic addresses are automatically assigned by a DHCP server.
o Reservations
-This refers to the process of excluding certain IP addresses from the DHCP pool, for
hosts as defined by their MAC addresses.
o Scopes
-an administrative grouping of IP addresses that are leased by a DHCP server.
o Leases
-DHCP servers lease IP addresses to hosts for a specified period of time.
o Options
-Administrators can specify options that allow additional information to be configured
by the DHCP server.
-Typically consists of DNS servers, WINS Servers, Router Address and Domain Names
o IP Helper/DHCP Relay
-DHCP requests are in the form of broadcasts. By default, routers do not forward
broadcasts. If a network administrator wants to pass DHCP requests across networks,
they use a relay agent to send the request to a DHCP server on a separate logical
network.
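The DHCP bullets above (scopes, reservations, leases, options and the IP helper/relay) fit together as one allocation procedure. The following is an added example, not part of these notes: a minimal in-memory model of what a DHCP server does for a request. The server picks the scope for the subnet the request came from (directly, or from the relay agent's address when an IP helper forwarded the broadcast), hands a reserved address to a known MAC, renews or expires leases, and attaches the option values. The `DhcpScope` class, `select_scope` function, scope ranges, reservation table and option values are all constructed for the example.

```python
"""DHCP scope, reservations, leases, options and relay selection (added example)."""
import ipaddress


class DhcpScope:
    def __init__(self, network, first, last, lease_seconds, options, reservations):
        self.network = ipaddress.ip_network(network)
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.pool = [lo + i for i in range(int(hi) - int(lo) + 1)]   # the scope's range
        self.lease_seconds = lease_seconds
        self.options = options            # e.g. router, DNS servers, domain name
        # reservation: a fixed address for a host identified by its MAC address
        self.reservations = {mac.lower(): ipaddress.ip_address(ip)
                             for mac, ip in reservations.items()}
        self.leases = {}                  # ip -> (mac, expiry time)

    def _expire(self, now):
        """Free every lease whose lease period has run out."""
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]

    def _current_lease(self, mac):
        for ip, (leased_mac, _) in self.leases.items():
            if leased_mac == mac:
                return ip
        return None

    def offer(self, mac, now):
        """Return the TCP/IP configuration a client with this MAC receives,
        or None when the scope has no free address left."""
        mac = mac.lower()
        self._expire(now)
        ip = self.reservations.get(mac)           # 1. reservation wins
        if ip is None:
            ip = self._current_lease(mac)         # 2. renew an active lease
        if ip is None:                            # 3. first free, unreserved address
            reserved = set(self.reservations.values())
            ip = next((c for c in self.pool
                       if c not in self.leases and c not in reserved), None)
        if ip is None:
            return None
        self.leases[ip] = (mac, now + self.lease_seconds)
        return {"ip": str(ip), "mask": str(self.network.netmask),
                "lease_expires": now + self.lease_seconds, **self.options}


def select_scope(scopes, source_address):
    """Pick the scope whose subnet contains source_address: the address of the
    server interface that heard the broadcast, or, when a relay agent (IP helper)
    forwarded the request, the relay's own address on the client's subnet."""
    addr = ipaddress.ip_address(source_address)
    for scope in scopes:
        if addr in scope.network:
            return scope
    return None


# Constructed example scopes: one local subnet and one reached through a relay
SCOPES = [
    DhcpScope("192.168.10.0/24", "192.168.10.100", "192.168.10.110", 3600,
              {"router": "192.168.10.1", "dns": ["192.168.10.2"], "domain": "corp.example"},
              {"aa:bb:cc:dd:ee:01": "192.168.10.105"}),      # printer reservation
    DhcpScope("192.168.20.0/24", "192.168.20.50", "192.168.20.60", 3600,
              {"router": "192.168.20.1", "dns": ["192.168.10.2"], "domain": "corp.example"},
              {}),
]

if __name__ == "__main__":
    local = select_scope(SCOPES, "192.168.10.1")
    print(local.offer("AA:BB:CC:DD:EE:01", now=0))        # reserved address
    print(local.offer("00:11:22:33:44:55", now=0))        # first free address
    print(select_scope(SCOPES, "192.168.20.1").network)   # relayed request
```

The order in `offer` is the point: a reservation is honoured before anything else, an existing lease is renewed rather than replaced, and only then does the server take the next free address from the pool, which a later request can receive again once the lease has expired.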
DNS
o Domain Name System- a solution for converting FQDN to IP addresses.
o DNS Servers
Top-Level Domains (TLD)
-This is the last segment of the domain name, immediately following the (.), eg,
.com
-Identifies something about the website associated with it, eg, purpose,
organization that owns it, or the geographical area where it originates.
-The root servers are responsible for ensuring that any requests for an Internet
resource are forwarded to the correct TLD.
-Popular TLDs include:
.com- commercial organizations (www.yahoo.com),
.org- for nonprofit organizations (www.savethechildren.org),
.net- for networking organizations or ISPs (www.zimbiz.net),
.mil- military organizations (www.marines.mil)
.gov- This is for US government offices only (www.usa.gov),
.edu- educational organizations (www.universityofcalifornia.edu)
o DNS Files
Most DNS servers maintain their DNS data in a number of files that exist on the hard
disk on the server. In the old days, you’d manage the records by updating these text
files- today, most DNS server environments support GUI tools to create and manage the
records for your DNS server.
When you create the records graphically, the DNS files are updated.
o DNS Records
Hosts (A)- resolves FQDN to an IPv4 address
Hosts (AAAA)- resolves FQDN to an IPv6 address
Alias (CNAME)- a way to create a record that has a name and points to another
host record. Allows you to create many records with different names, with all
the names referencing the one IP address.
Mail Exchange (MX)- points to your inbound email server.
Name Server (NS)- specifies who the DNS servers are for the zone.
Start Of Authority (SOA)- stores settings for the DNS zone, eg, the serial
(increment/version) number, which increments any time the zone changes. If the
secondary DNS server has a different serial number, then the secondary DNS server
knows that it needs to copy the zone from the primary DNS server to be up to date.
Pointer (PTR)- created in a reverse lookup zone and associates the IP address
with a DNS name for reverse lookups.
o Dynamic DNS
Many providers offer commercial or free Dynamic DNS service for this scenario.
The automatic reconfiguration is generally implemented in the user's router or
computer, which runs software to update the DDNS service.
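The record types listed above are easiest to see in a zone file. The following is an added example, not part of these notes: a constructed BIND-style zone for the fictitious `example.test` is parsed into records, a name is resolved by following CNAME aliases to the A/AAAA records they point at, and the SOA serial is compared the way a secondary server does to decide whether to copy the zone. The zone contents, the `parse_zone`, `resolve` and `secondary_needs_transfer` helpers, and the simplified one-record-per-line format are all assumptions made for the example.

```python
"""Zone-file records, CNAME resolution and SOA serial comparison (added example)."""

# Constructed zone file, one record per line: "<name> <type> <data>"
ZONE_TEXT = """\
example.test.       SOA   ns1.example.test. hostmaster.example.test. 2024061501
example.test.       NS    ns1.example.test.
example.test.       NS    ns2.example.test.
ns1.example.test.   A     192.0.2.53
ns2.example.test.   A     192.0.2.54
web1.example.test.  A     192.0.2.10
web1.example.test.  AAAA  2001:db8::10
www.example.test.   CNAME web1.example.test.
shop.example.test.  CNAME www.example.test.
example.test.       MX    10 mail.example.test.
mail.example.test.  A     192.0.2.25
10.2.0.192.in-addr.arpa. PTR web1.example.test.
"""


def parse_zone(text):
    """Return a list of (name, type, data) tuples; names are case-insensitive."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue                       # blank or malformed line
        name, rtype, data = parts
        records.append((name.lower(), rtype.upper(), data.strip()))
    return records


def lookup(records, name, rtype):
    """All data values of one type at one name (several NS or A records are normal)."""
    return [data for n, t, data in records if n == name.lower() and t == rtype]


def resolve(records, name, rtype="A", max_chain=8):
    """Follow CNAME aliases (bounded, so an alias loop cannot spin forever) and
    return the records of the requested type at the canonical name."""
    name = name.lower()
    chain = []
    for _ in range(max_chain):
        aliases = lookup(records, name, "CNAME")
        if not aliases:
            return {"canonical": name, "chain": chain, "data": lookup(records, name, rtype)}
        chain.append(name)
        name = aliases[0].lower()
    raise ValueError("CNAME chain too long or looping at " + name)


def soa_serial(records, zone):
    """The serial is the last field of the SOA data in this simplified format."""
    soa = lookup(records, zone, "SOA")
    return int(soa[0].split()[-1]) if soa else None


def secondary_needs_transfer(primary_serial, secondary_serial):
    """A secondary copies the zone when the primary holds a newer (higher) serial."""
    return secondary_serial is None or primary_serial > secondary_serial


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print(resolve(recs, "shop.example.test."))            # two CNAME hops to an A record
    print(lookup(recs, "example.test.", "MX"))             # inbound mail server
    print(lookup(recs, "10.2.0.192.in-addr.arpa.", "PTR")) # reverse lookup
    print(secondary_needs_transfer(soa_serial(recs, "example.test."), 2024061500))
```

Two things worth noticing when running it: `shop` reaches its address only through two aliases, which is why CNAME chains are bounded in the resolver, and a secondary whose copy already carries serial 2024061501 does not transfer again.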
o Proxy/Reverse Proxy
A proxy server is a computer that offers a computer network service to allow clients to
make indirect network connections to other network services. A client connects to the
proxy server, then requests a connection, file, or other resource available on a different
server.
A proxy server is configured as the default gateway for your clients so that all clients
pass data destined to the Internet through the proxy server.
Benefits include:
o NAT- proxy servers implement NAT so that all requests coming from clients are
translated to use the public IP address of the NAT device.
o Authentication/Authorization- the proxy server can ensure that the user is
authenticated to the network before being allowed to surf the Internet. Once the
user is authenticated, the proxy server can allow or deny users access to the
Internet.
o Restrict site- the proxy server can be configured to restrict access to certain sites. A
company may not want employees surfing facebook.com from work- the site can be
blocked/disabled by the proxy server.
o Protocol Rules- the proxy server has rules that allow or disallow different Internet
protocols. You may be able to surf the Internet using HTTP, but the proxy server
may block access to FTP as a protocol.
o Content Filters- the proxy server can have content filters that block access to certain
sites based on their content.
o Caching- the proxy server can cache webpages on its disk. This means that when a
2nd employee requests a page; the page is returned from cache instead of being
retrieved from the Internet.
o Reverse Proxy- a feature that allows an Internet user to send a request to one of
your internal web servers, but the request goes to the proxy server, who then
verifies the request and forwards it to the internal web server on behalf of the
Internet user.
It is important to note that when the client sends the request for a webpage to the
proxy server, the proxy server retrieves the page from the Internet for the user—in this
example, the user is not accessing Internet resources, which helps protect the client
from attack.
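The proxy functions listed above are checks a proxy applies to each client request in turn. The following is an added example, not part of these notes: a small model of a forward proxy that authenticates the user, applies a site restriction and a protocol rule, serves repeat requests from its cache, and records that the remote server only ever sees the proxy's public (NAT) address. The `Proxy` class, the user list, the blocked site, the public address and the stand-in `fetch` callable are all constructed for the example; nothing here contacts a real network.

```python
"""Forward-proxy policy checks, NAT view and caching (added example)."""
from urllib.parse import urlsplit

PUBLIC_ADDRESS = "203.0.113.10"          # the proxy's public (NAT) address, constructed
AUTHENTICATED_USERS = {"alice", "bob"}   # users who have logged in to the network
BLOCKED_SITES = {"facebook.com"}         # site restriction rule from the notes
ALLOWED_SCHEMES = {"http", "https"}      # protocol rule: HTTP(S) yes, e.g. FTP no


class Proxy:
    def __init__(self, fetch):
        self.fetch = fetch      # callable(url) -> body; stands in for the Internet
        self.cache = {}         # url -> body, served to the next client asking
        self.fetch_count = 0    # how often the Internet was actually contacted

    @staticmethod
    def _site_blocked(host):
        # matches the site itself and any subdomain of it
        return any(host == s or host.endswith("." + s) for s in BLOCKED_SITES)

    def request(self, user, client_ip, url):
        """Apply the proxy's rules in order and return the outcome as a dict."""
        result = {"client": client_ip, "url": url, "decision": "deny",
                  "reason": None, "body": None, "from_cache": False,
                  "source_seen_by_server": None}
        if user not in AUTHENTICATED_USERS:            # authentication/authorization
            result["reason"] = "not authenticated"
            return result
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES:         # protocol rules
            result["reason"] = "protocol not allowed: " + parts.scheme
            return result
        if self._site_blocked((parts.hostname or "").lower()):   # restrict site
            result["reason"] = "site blocked"
            return result
        result["decision"] = "allow"
        if url in self.cache:                           # caching
            result.update(body=self.cache[url], from_cache=True,
                          reason="served from cache")
            return result
        body = self.fetch(url)       # only the proxy talks to the Internet, so the
        self.fetch_count += 1        # remote server sees the proxy's public address (NAT)
        self.cache[url] = body
        result.update(body=body, reason="fetched", source_seen_by_server=PUBLIC_ADDRESS)
        return result


if __name__ == "__main__":
    def fake_fetch(url):                # constructed stand-in for the Internet
        return "<html>" + url + "</html>"
    p = Proxy(fake_fetch)
    print(p.request("carol", "10.0.0.8", "http://example.test/"))
    print(p.request("alice", "10.0.0.5", "https://www.facebook.com/"))
    print(p.request("alice", "10.0.0.5", "http://example.test/page")["reason"])
    print(p.request("bob", "10.0.0.6", "http://example.test/page")["reason"])
```

The second request for `/page` is answered from the cache, so `fetch_count` stays at 1 and the internal client address never appears in `source_seen_by_server`; the denied requests never reach the fetch step at all.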
o Fiber
Synchronous Optical NETwork (SONET)
-A North American ANSI fiber optic WAN technology that allows the uniting of unlike
transmissions into one data stream, to deliver voice, data and video at speeds starting at
51.84Mbps.
-Multiple companies can transmit the packets on their networks onto a SONET
backbone to be transmitted to a remote location using fiber-optic cabling.
-A standardized access method for all carriers- guarantees interoperability between
equipment from different manufacturers.
-Multiple digital signals are multiplexed over a fiber optic cable.
-All circuits use the same clock (synchronous).
-Exam Tip: Synchronous Digital Hierarchy (SDH) is the European counterpart to SONET.
For the exam, equate SDH with SONET.