
CSC 424: NETWORK SYSTEM ADMINISTRATION AND SECURITY

COURSE OUTLINE

WEEK 1
CHAPTER ONE: INTRODUCTION
- Definitions: Network, Node, Segment, Backbone, Topology
- Network topologies: Bus, Star, Ring
- Transmission Media
- Network Protocols: OSI/TCP/IP

WEEK 2
CHAPTER TWO: NETWORK PLANNING
- Gathering user requirements
- Conducting site survey
- Network design principles
- Assignment 1: Develop a design for a simple office network

WEEK 3
CHAPTER THREE: NETWORK H/W AND SOFTWARE
- Routers and Switches
- Network Servers and Clients
- Network Operating Systems

WEEK 4
CHAPTER FOUR: ACQUIRING NETWORK RESOURCES
- Procurement vs Outsourcing Options
- Request for proposals
- Acquisition process

WEEK 5
CHAPTER FIVE: CONFIGURING NETWORK DEVICES
- Server Configuration
- Client Configuration
- Connecting to the internet

WEEK 6
CHAPTER SIX: NETWORK SECURITY
- Firewalls
- Intrusion detection systems (IDS)
- Security policies and procedures
- Assignment 2: Develop a Network Security Policy for a Medium Sized Company

WEEK 7
CHAPTER SEVEN: TROUBLESHOOTING NETWORK PROBLEMS
- Diagnostic tools
- Network management software

WEEK 8
CHAPTER EIGHT: DISASTER RECOVERY
- Risk assessment
- Risk mitigation Strategies
- Data backup and recovery techniques

WEEK 9
CHAPTER NINE: CASE STUDY
- Introduction to Linux Operating Systems
- Installation
- Configuration
- Security
- Diagnostic tools
- User management

WEEK 10
CHAPTER TEN: NETWORK MONITORING TOOLS

WEEK 11
CHAPTER ELEVEN: NETWORK PERFORMANCE

WEEK 12
CHAPTER TWELVE: NETWORK TROUBLESHOOTING

REVISION GUIDE
CHAPTER ONE: INTRODUCTION
1.1 Definitions
Network - A group of computers connected together in a way that allows
information to be exchanged between the computers.
Node - Anything that is connected to the network. While a node is typically a
computer, it can also be devices such as:
– Mainframes, minicomputers, supercomputers
– Workstations
– Printers, disk servers, robots
– X-terminals
– Gateways, switches, routers, bridges
– Cellular phone, Pager.
– Refrigerator, Television, Video Tape Recorder

Segment - Any portion of a network that is separated, by a switch, bridge or router,
from other parts of the network.
Backbone - The main cabling of a network that all of the segments connect to.
Typically, the backbone is capable of carrying more information than the individual
segments. For example, each segment may have a transfer rate of 10 Mbps
(megabits per second: 1 million bits a second), while the backbone may operate at
100 Mbps.
Topology - The way that each node is physically connected to the network.

1.2 Network Topologies


A network topology can be physical or logical.
Physical Topology is the actual layout of a network and its connections. Logical
Topology is the way in which data accesses the medium and transmits packets. There
are several network topologies:

1.2.1 Physical Bus Topology


Each node is daisy-chained (connected one right after the other) along the same
backbone. Information sent from a node travels along the backbone until it reaches
its destination node. Each end of a bus network must be terminated with a resistor
to keep the packets from getting lost.

[Figure: Physical Bus Topology]


Advantages
- Inexpensive to install.
- Easy to add stations.
- Uses less cable compared to other topologies.
- Works well for small networks.

Disadvantages
- No longer recommended, due to frequent collisions of packets.
- If the backbone breaks, the whole network goes down.
- Only a limited number of devices can be attached.
- Difficult to isolate problems.
- Sharing the same cable slows response rates.

1.2.2 Physical Ring Topology


Similar to a bus network, rings have nodes daisy-chained, but the end of the network
in a ring topology comes back around to the first node, creating a complete circuit.
Each node takes a turn sending and receiving information through the use of a token.
The token, along with any data, is sent from the first node to the second node, which
extracts the data addressed to it and adds any data it wishes to send. Then the second
node passes the token and data to the third node, and so on, until it comes back around to
the first node again. Only the node with the token is allowed to send data. All other
nodes must wait for the token to come to them.

[Figure: Physical Token Ring]

Advantages
- Data packets travel at great speed
- No collisions
- Easier to find faults
- No terminators required

Disadvantages
- Requires more cable than a bus
- A break in the ring will bring it down
- Not as common as the bus, so fewer devices are available

1.2.3 Physical Star Topology


In a star network, each node is connected to a central device called a hub. The hub
takes a signal that comes from any node and passes it along to all the other nodes in
the network. A hub does not perform any type of filtering or routing of the data. A
hub is a junction that joins all the different nodes together.

Advantages
- Easy to add devices as the network expands
- One cable failure does not bring down the entire network (resilience)
- The hub provides centralised management
- Easy to find device and cable problems
- Can be upgraded to faster speeds
- Lots of support, as it is the most widely used topology

Disadvantages
- A star network requires more cable than a ring or bus network
- Failure of the central hub can bring down the entire network
- Costs are higher (installation and equipment) than for most bus networks

Star networks can be extended by interconnecting several hubs to form segments.

1.2.4 Logical Topologies


There are three logical topologies (bus, ring, and switching) which are usually
implemented as a physical star.

1.2.5 Logical Bus Topology

[Figure: Hub]

Modern Ethernet networks are star topologies (physically) but logically they are bus
topologies. The hub is at the centre, and defines a star topology.
In any network, computers communicate by sending information across the media as
a series of signals. In a logical bus topology, the signals travel along the length of the
cable in all directions until they weaken enough so as not to be detectable or until
they encounter a device that absorbs them. This traveling across the medium is
called signal propagation.
When a computer has data to send, it addresses that data, breaks it into manageable
chunks, and sends it across the network as electronic signals.
- All computers on a logical bus receive them.
- Only the destination computer accepts the data.
- All users must share the available amount of transmission time, implying that
network performance is reduced.
- Collisions are bound to occur since all nodes are sharing the same bus.

Advantages
- A single node failure does not bring the network down
- Most widely implemented topology
- Network can be added to or changed without affecting other stations

Disadvantages
- Collisions can occur easily
- Only one device can access the network media at a time

1.2.6 Logical Ring Topology

[Figure: Multiple Access Unit (MAU)]

Data in a logical ring topology travels from one computer to the next computer until
the data reaches its destination. Token passing is one method for sending data around
a ring.
A token is a small packet which passes around the ring to each computer in turn.
If a computer (sender) has packets to send, it modifies the token, adds the address and
data, and sends it around the ring. The receiver returns an acknowledgement packet
to the sender.
Upon receiving the acknowledgement packet, the sender releases the token and
sends it around the ring for another sender to use.
A logical ring can be implemented on a physical star. Modern logical ring topologies
use "smart hubs" that recognize a computer's failure and remove the computer
from the ring automatically. One advantage of the ring topology lies in its capability
to share network resources fairly.

Advantages
- The amount of data that can be carried in a single message is greater
than on a logical bus.
- There are no collisions.

Disadvantages
- A broken ring will stop all transmissions.
- A device must wait for an empty token to be able to transmit.

1.2.7 Switching
A switch takes a signal coming from a connected device and builds a circuit on the
fly to forward the signal to the intended destination computer.
Switching is superior to the other logical topologies because, unlike bus and ring,
multiple computers can communicate simultaneously without affecting each other.
Switching is the dominant logical topology in LAN design.

1.3 Transmission Media


This refers to the mode in which messages are delivered from one node to another
over the network. There are several types of media:
1.3.1 Guided Transmission Media - uses a conductor cable to transmit data, e.g.
twisted pair (shielded/unshielded), coaxial cable.

Twisted pair Cable

Twisted pair is two insulated copper wires that are twisted around each other to
minimize interference and noise from other wires. Based on the presence of
individual shield and overall (outer) shield, there are three types of twisted pair, i.e.
UTP, STP, and ScTP. Individual shield encloses a single twisted pair, while outer
shield encloses all twisted pairs in a cable. A shield is a protective sheath that is
made from conductive material (metal) and functions to protect the twisted
pair from external interference. An insulator is made from non-conductive material,
such as plastic.

UTP (Unshielded Twisted Pair) is a cable containing several twisted pairs that is only
insulated but not shielded. UTP is the most widely used cable in telephone and
computer networks because it is relatively cheaper than other cables and performs
well in normal electrical environment such as inside an office or a house.
Coaxial cable contains a solid or stranded wire in the core that is insulated with a
dielectric layer, then protected with a solid or braided metallic shield, and covered
with an outer insulator. Electromagnetic wave propagation in a coaxial cable is
confined within the space between the core and the outer conductors. The structure
of a coaxial cable makes it less susceptible to interference, noise, and crosstalk than
the twisted pair cable.

[Figure: Coaxial Cable]

1.3.2 Glass or plastic - Uses optical technology to transmit data using light waves
e.g. fiber optics

[Figure: Fibre Optic Cable]

Fiber-optic cable or optical fiber provides a medium for signals using light
rather than electricity. Light waves are immune to electromagnetic
interference and crosstalk. Optical fiber can be used for much longer
distances before the signal must be amplified. Data transmission using optical
fiber is many times faster than with electrical methods.

1.3.3 Wireless transmission - Uses an air interface to transmit, e.g. microwave,
satellite. Microwave links are widely used to provide communication links when it is
impractical or too expensive to install physical transmission media. Two
properties of microwave transmission place restrictions on its use. First,
microwaves travel in a straight line and will not follow the earth's
curvature. Second, atmospheric conditions and solid objects interfere with
microwaves. For example, they cannot travel through buildings.

Satellite transmission is microwave transmission in which one of the stations
is a satellite orbiting the earth. A microwave beam is transmitted to the
satellite from the ground. This beam is received and retransmitted (relayed)
to the predetermined destination. The receiver and transmitter in a satellite are
known together as a transponder.
The optimum frequency range for satellite transmission is in the range 1 to
10 GHz. Below 1 GHz, there is significant noise from natural sources,
atmospheric noise, and noise from electronic devices. Above 10 GHz,
the signal is attenuated by atmospheric absorption.

1.4 Network Protocols


Communication between devices on a network is governed by a set of rules called
protocols. There are two types of network protocols, TCP/IP and OSI.

1.4.1 TCP/IP Protocol


TCP/IP is responsible for a wide range of activity: it interfaces with hardware, routes
data to the appropriate nodes, provides error control, and much more.
The developers of TCP/IP designed a modular protocol stack, meaning that the
TCP/IP system was divided into separate components or layers. But why use a
modular design? Not only does it aid in the education process, but it also lets
manufacturers easily adapt to specific hardware and operating system needs.
For example, if we had a token ring network and an extended star network, we surely
wouldn't want to create entirely different network software builds for each one.
Instead, we can just edit the network layer, called the Network Access Layer, to
allow compatibility. Not only does this benefit manufacturers, but it greatly aids
networking students in education. The TCP/IP suite is divided into four layers.
Network Access Layer – The Network Access Layer is fairly self explanatory- it
interfaces with the physical network. It formats data and addresses data for subnets,
based on physical hardware addresses. More importantly, it provides error control
for data delivered on the physical network.
Internet Layer – The Internet Layer provides logical addressing. More specifically,
the internet layer relates physical addresses from the network access layer to
logical addresses. This can be an IP address, for instance. This is vital for passing
along information to subnets that aren't on the same network as other parts of the
network. This layer also provides routing that may reduce traffic, and supports
delivery across an internetwork. (An internetwork is simply a greater network of
LANs, perhaps a large company or organization.)

Transport Layer – The Transport Layer provides flow control, error control, and
serves as an interface for network applications. An example of the transport layer
would be Transmission Control Protocol (TCP), a protocol suite that is connection-
oriented. We may also use UDP, a connectionless means of transporting data.

Application Layer – Lastly, we have the Application Layer. We use this layer for
troubleshooting, file transfer, internet activities, and a slew of other activities.
This layer interacts with many types of applications, such as a database manager,
email program, or Telnet.

1.4.2 Open System Interconnection(OSI) Protocol


The International Organization for Standardization (ISO) defined procedures for
computer communications which were called the Open System Interconnection (OSI)
Reference Model, or OSI Model for short. The OSI Model describes how data
flows from one computer to another computer in a network.

[Figure: The OSI Model]


The Open System Interconnection Model, more commonly known as simply OSI, is
another model that can help break the TCP/IP suite into modules. Technically
speaking, it is exactly the same as the TCP/IP model, except that it has more layers.
This is currently being pushed by Cisco since it aids in learning the TCP/IP stack in
an easier manner.

Physical Layer – The Physical Layer converts data into streams of electric or analog
pulses, commonly referred to as "1's and 0's". Data is broken down into simple
electric pulses, and rebuilt at the receiving end.

Data Link Layer – The Data Link layer provides an interface with the network
adapter, and can also perform basic error checking. It also maintains logical
links for subnets, so that subnets can communicate with other parts of the
network without problem.

Network Layer – Much like the Transport Layer of the TCP/IP model, the Network
Layer simply supports logical addressing and routing. The IP protocol operates on
the Network Layer.

Transport Layer – Since we left out the error and flow control in the Network
Layer, we introduce it into the Transport Layer. The Transport Layer is responsible
for keeping a reliable end-to-end connection for the network.

Session Layer – The Session Layer establishes sessions between applications on
a network. This may be useful for network monitoring, using a login system, and
reporting. The Session Layer is actually not used a great deal over networks,
although it does still serve good use in streaming video and audio, or web
conferencing.

Presentation Layer – The Presentation Layer translates data into a standard
format, while also being able to provide encryption and data compression.
Encryption or data compression does not have to be done at the Presentation
Layer, although it is commonly performed in this layer.

Application Layer – The Application Layer provides a network interface for
applications and supports network applications. This is where many protocols
such as FTP, SMTP, POP3, and many others operate. Telnet can be used at this
layer to send a ping request; if it is successful, it means that each layer of the OSI
model should be working properly.

Review Questions
i) Define the following terms:
a) Protocol
b) Network
c) Physical Topology
d) Logical Topology
ii) Differentiate between TCP/IP and OSI protocols and give the benefits
of each.
iii) Describe the biggest limitation of bus topology.

CHAPTER TWO: NETWORK PLANNING


2.1 Gathering Requirements
Every organization has unique needs for which they would require a network. There
are several factors to consider when gathering requirements:
- Identify the nature and volume of data and how it is used within and
outside the organization.
- Determine how the network will be used and by whom, which often dictates
the topology you use. The location of data with respect to users is also critical
here.
- Decide the types of devices for interconnecting computers and sites.
- The type and usage level of network resources dictates how many servers
you need and where to place servers.

2.2 Selecting a topology


Most new network designs come down to only one choice: How fast should the
network be?
This will be guided by the needs identified earlier, in particular the location of sites,
volume of data and nature of existing equipment and consideration for future
expansion.

In most cases the physical topology will almost certainly be a star, and the logical
topology is almost always switching. Ethernet switches are typically used on a LAN,
but you might consider other logical topologies for reasons such as:
- Use of legacy equipment – such as token ring
- Network size – using a hub-based bus topology
- Cost restrictions – using a hub instead of a switch
- Difficulty running cables – consider wireless?

2.3 Conducting site Survey


The purpose of a site survey is to understand the nature of the business premises
in terms of how the building, office space and electrical wiring are set up. It helps
answer whether or not the type of network requested can be supported by the
organization of the building. It also helps estimate how much material will be
required to lay out the network.

2.4 Capacity Planning


Capacity planning involves trying to determine the amount of network
bandwidth necessary to support an application or a set of applications.
A number of techniques exist for performing capacity planning, including linear
projection, computer simulation, benchmarking, and analytical modeling.
Linear projection involves predicting one or more network capacities based on
the current network parameters and multiplying by some constant.
A computer simulation involves modeling an existing system or proposed
system using a computer-based simulation tool.
Benchmarking involves generating system statistics under a controlled environment
and then comparing those statistics against known measurements.
Analytical modeling involves the creation of mathematical equations to
calculate various network values.

2.5 Creating a Baseline


This involves the measurement and recording of a network's state of operation over
a given period of time.
A baseline can be used to determine current network performance and to help
determine future network needs.
Baseline studies should be ongoing projects, and not something started and
stopped every so many years.
To perform a baseline study, you should:
- Collect information on the number and type of system nodes, including
workstations, routers, bridges, switches, hubs, and servers.
- Create an up-to-date roadmap of all nodes along with model numbers,
serial numbers and any address information such as IP or Ethernet
addresses.
- Collect information on operational protocols used throughout the system.
- List all network applications, including the number, type and
utilization level.
- Create a fairly extensive list of statistics to help meet your goals. These
statistics can include average network utilization, peak network
utilization, average frame size, peak frame size, average frames per
second, peak frames per second, total network collisions, network
collisions per second, total runts, total jabbers, total CRC errors, and
nodes with the highest percentage of utilization.

2.6 Designing the Network


A network design must be documented, and the network diagram must be kept up
to date.
Some useful questions to be answered before drawing the diagram:
- How many client computers will be attached?
- How many servers will be attached?
- Will there be a connection to the Internet?
- How will the building's physical architecture influence decisions,
such as whether to use a wired or wireless topology, or both?
- Which topology or topologies will you use?

2.7 Network Development Life Cycle (NDLC)
The NDLC is a model that summarizes the network design process, from initial
problem/needs assessment to implementation.

[Figure: the NDLC cycle (Analysis, Design, Simulation/Prototyping, Implementation, Monitoring, Management)]

2.7.1 Analyze requirements


A network cannot very well provide effective solutions to problems that have not
been clearly defined in objective terms. To attempt to implement networks before
everyone agrees to (buys in to) the exact nature of the problem to be solved is
somewhat akin to hitting a moving target. The network will never satisfy all
constituencies' needs because no one agreed what those needs were in the first
place. All network development efforts start with a problem as perceived by
someone, be they management or end-users. At some point, management agrees
that a problem exists that is worth expending resources to at least investigate. The
responsibility for conducting the investigation may be given to in-house personnel
or to an outside consultant or facilitator.
- Interviews with users and technical personnel
- Understand business and technical goals for a new or enhanced system
- Characterize the existing network: logical and physical topology,
and network performance
- Analyze current and future network traffic, including traffic flow and
load, protocol behavior, and QoS requirements

2.7.2 Develop the logical design


An IP network has two very important resources, its IP addresses and the
corresponding naming structure within the network. To provide effective
communication between hosts or stations in a network, each station must maintain
a unique identity. In an IP network this is achieved by the IP address. The
distribution and management of these addresses is an important consideration in
an IP network design. IP addresses are inherently not easy to remember. People
find it much easier to remember names and have these names related to individual
machines connected to a network. Even applications rarely refer to hosts by their
binary identifiers, in general they use ASCII strings such as polo@umma.ke. These
names must be translated to IP addresses because the network does not utilize
identifiers based on ASCII strings. The management of these names and the
translation mechanism used must also be considered by the IP network designer.

2.7.3 Develop the physical design


Specific technologies and products to realize the logical design are selected.
The investigation into service providers must be completed during this phase.

[Figure: Network Layout Diagram]

2.7.4 Factors That Affect a Network Design


Designing a network is more than merely planning to use the latest gadget in
the market. A good network design takes into consideration many factors:
Size Matters
At the end of the day, size does matter. Designing a LAN for a small office with
a few users is different from building one for a large company with two thousand
users. In building a small LAN, a flat design is usually used, where all connecting
devices may be connected to each other. For a large company, a hierarchical
approach should be used.
Geographies
The geographical locations of the sites that need to be connected are important
in a network design. The decision making process for selecting the right
technology and equipment for remote connections, especially those of cross-
country nature, is different from that for a LAN. The tariffs, local expertise,
quality of service from service providers, are some of the important criteria.
Politics
Politics in the office ultimately decides how a network should be partitioned.
Department A may not want to share data with department B, while department C
allows only department D to access its data. At the network level, requirements
such as these are usually done through filtering at the router so as to direct traffic
flow in the correct manner. Business and security needs determine how
information flows in a network and the right tool has to be chosen to carry this
out.
Types of Application
The types of application deployed determines the bandwidth required. While a
text-based transaction may require a few kbps of bandwidth, a multimedia help

2.8 IP Addresses and Address Classes


An IP address is defined in RFC 1166 - Internet Numbers as a 32-bit number
having two parts:
IP address = <network number><host number>
The first part of the address, the network number, is assigned by a regional
authority and will vary in its length depending on the class of addresses to which it
belongs. The network number part of the IP address is used by the IP protocol to
route IP datagrams throughout TCP/IP networks. These networks may be within
your enterprise and under your control, in which case, to some extent, you are free
to allocate this part of the address yourself without prior reference to the Internet
authority, but if you do so, you are encouraged to use the private IP addresses that
have been reserved by the Internet Assigned Numbers Authority (IANA) for that
purpose.
However if your routing may take you into networks outside of your control,
using for example, the worldwide services, it is imperative that you obtain a
unique IP address from your regional Internet address authority.
The second part of the IP address, the host number, is used to identify the
individual host within a network. This portion of the address is assigned locally
within a network by the authority that controls that network. The length of this
number is, as mentioned before, dependent on the class of the IP address being
used and also on whether subnetting is in use. (Subnetting is beyond the scope
of this course.)
The 32 bits that make up the IP address are usually written as four 8-bit
decimal values concatenated with dots (periods). This representation is commonly
referred to as dotted decimal notation. An example of this is the IP address
172.16.3.14. In this example the 172.16 is the network number and the 3.14 is the
host number. The split into network number and host number is determined by
the class of the IP address.
Class A addresses have the first bit set to 0. The next 7 bits are used for the
network number. This gives a possibility of 128 networks (2^7). However, it should
be noted that there are two cases, the all-bits-0 number and the all-bits-1
number, which have special significance in classes A, B and C.

The remaining 24 bits of a Class A address are used for the host number. Once
again, the two special cases apply to the host number part of an IP address.
Each Class A network can therefore have a total of 16,777,214 hosts (2^24 - 2).
Class A addresses are assigned only to networks with very large numbers of hosts
(historically, large corporations). An example is the 9.0.0.0 network, which is
assigned to IBM.
The Class B address is more suited to medium-sized networks. The first two
bits of the address are predefined as 10. The next 14 bits are used for the
network number and the remaining 16 bits identify the host number. This gives
a possibility of 16,382 networks each containing up to 65,534 hosts.
The Class C address offers a maximum of 254 hosts per network and is
therefore suited to smaller networks. However, with the first three bits of the
address predefined to 110, the next 21 bits provide for a maximum of 2,097,150
such networks.
The remaining classes of address, D and E, are reserved classes and have a
special meaning. Class E addresses are reserved for future use while Class D
addresses are used to address groups of hosts in a limited area. This function is
known as multicasting.
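The classful split described above, worked in Python as an added example that is not part of the course notes: it decodes the 172.16.3.14 address from the text, reproduces the per-class network and host counts given here, and can answer the later question about 172.16.0.0. The RFC 1918 blocks used by is_private() are an assumption of this example, since the notes only say that IANA reserves private addresses.

```python
"""Classful IPv4 address decoding, as an added example (not from the notes).

The class rules are the ones stated in section 2.8: the leading bits
select the class, the network number follows, and the all-zero and
all-one numbers are excluded from the usable counts.
"""
import ipaddress

# Class letter -> (leading bit pattern, bit position where the host number starts)
# A: 0 + 7 network bits, B: 10 + 14, C: 110 + 21, D/E: no network/host split.
CLASS_RULES = {
    "A": ("0", 8),
    "B": ("10", 16),
    "C": ("110", 24),
    "D": ("1110", None),  # multicast group addresses
    "E": ("1111", None),  # reserved for future use
}

# Assumption: RFC 1918 private blocks (the notes do not list them)
PRIVATE_BLOCKS = [ipaddress.IPv4Network(b) for b in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def address_class(addr: str) -> str:
    """Return the class letter (A-E) by inspecting the leading bits."""
    bits = f"{int(ipaddress.IPv4Address(addr)):032b}"
    for cls, (prefix, _) in CLASS_RULES.items():
        if bits.startswith(prefix):
            return cls
    raise ValueError(f"cannot classify {addr}")  # unreachable for valid input


def networks_in_class(cls: str) -> int:
    """Number of assignable network numbers, excluding all-0 and all-1."""
    prefix, network_end = CLASS_RULES[cls]
    if network_end is None:
        return 0
    return 2 ** (network_end - len(prefix)) - 2


def is_private(addr: str) -> bool:
    """True if the address falls in one of the RFC 1918 private blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def split_address(addr: str) -> dict:
    """Split a dotted-decimal address into its classful parts.

    Returns the class, the network number (dotted, host bits zeroed),
    the host number as an integer, and the usable hosts per network
    (2**host_bits - 2, as in the notes).
    """
    cls = address_class(addr)
    network_end = CLASS_RULES[cls][1]
    if network_end is None:
        return {"class": cls, "network": None, "host": None,
                "hosts": 0, "private": False}
    n = int(ipaddress.IPv4Address(addr))
    host_bits = 32 - network_end
    host = n & ((1 << host_bits) - 1)
    network = ipaddress.IPv4Address(n - host)  # n with the host bits cleared
    return {
        "class": cls,
        "network": str(network),
        "host": host,
        "hosts": 2 ** host_bits - 2,
        "private": is_private(addr),
    }


if __name__ == "__main__":
    # 172.16.3.14 is the worked address from the notes: class B,
    # network 172.16, host 3.14. The others are constructed samples.
    for a in ("172.16.3.14", "9.0.0.0", "192.168.1.10", "224.0.0.1"):
        print(a, split_address(a))
```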

Review Questions
i) Describe the process of gathering user requirements for a small network.
ii) Why is it important to consider future expansion when planning for a
network?
iii) Briefly describe the five network classes.
iv) Differentiate between a public and a private IP address.
v) How many hosts can the following network have: 172.16.0.0

CHAPTER THREE: NETWORK HARDWARE AND SOFTWARE COMPONENTS

3.1 Hardware and Software Components

A network component's functions are not necessarily handled by a specific device.
Many devices combine several networking functions. For example: a router could
have a built-in switch, a residential gateway that includes a broadband modem, etc.
So, be sure to check the product specification before buying to avoid duplication.
You must also check the interfaces that are supported by a product. They must be
compatible with the ports available in your computers or other devices.

A network component's functions may also be performed by a software
application. For example, Windows XP provides built-in support for Network
Bridging that handles a bridge's functions in a home network with mixed media.
There are also built-in or add-on software applications that handle modem, router,
or gateway functions. However, the software-only alternative is mostly suitable
for small networks. Some of the hardware components are:

3.1.1 Network Adapter(Network Interface Card)


A network adapter works as an interface between a computer or device and a
network. You may need an Ethernet, Wi-Fi, HomePNA, or HomePlug network adapter
depending on the type of network your computer is connecting to. The network
adapter converts a computer message into electrical or optical signals for
transmission across the network. A network adapter is identified in a network
through a MAC address that is hard-coded onto the hardware by its manufacturer.

[Figure: Network Adapter Cards]

A built-in network adapter is integrated with a computer motherboard. An internal
network adapter is installed inside a computer on an expansion slot. It is often called a
NIC (network interface card) and is usually inserted into a PCI slot in a PC or a mini PCI slot
in a notebook.

3.1.2 Modem
Modem means modulator-demodulator. At the sending end, a modem modulates a
carrier with the data (baseband signal) to prepare it for transmission. At the
receiving end, the modulated carrier is demodulated (i.e. converted back to the
original shape) and the data is extracted. A modem also performs other functions,
such as digital-to-analog/analog-to-digital conversion, compression/decompression,
error correction, and encryption/decryption.

[Figure: Modem in Internet access]

3.1.3 Repeater
A repeater receives a signal from a transmitter, amplifies it, and retransmits it to a
receiver. A repeater is put in a network to extend the network over a longer distance
or a greater area. There can be more than one repeater between a transmitter and
a receiver; however, the number of repeaters is not unlimited, because additional
repeaters may introduce more interference or noise.

Repeater

3.1.4 Hub
Hub is the central connection point in a network. Hub is used in a network that
uses star topology. A sending computer transmits its signal to a hub, the hub then
retransmits the signal to all other computers. A passive hub functions as a relay
station that receives and retransmits signal. An active hub functions as a
repeater that regenerates signal before retransmitting.

Hub
Using a hub, the network bandwidth (capacity) is shared by all available computers,
therefore each computer only uses a portion of bandwidth. That's why hub is mostly
used in small networks where there are only a few connected devices or computers.
However, hub is not required if there are only two computers in a network. In that
case, a direct connection using cable or wireless link can be used to connect both
computers.

3.1.5 Switch
Like hub, switch works as the central connection point in a network. However
when a switch receives a packet from a sending computer, it examines the
destination address (i.e. MAC address of the destination computer) from the packet
header and retransmits the packet to the destination computer only. That's
possible because a switch maintains a table that maps all its ports with all
connected devices' MAC addresses.

Switch
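To make the hub/switch difference above concrete, here is an added simulation (constructed example code, not from the course text): a hub repeats every frame to all other ports, while a switch learns its MAC-to-port table from the source address of each frame and forwards a known destination to one port only, flooding like a hub until the destination has been learned. All MAC addresses are made up.

```python
"""Hub vs. learning switch: a constructed simulation (added example, not from
the course text). Ports are numbered 0..ports-1; a forward() call returns the
list of ports the frame is sent out of."""
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"  # Ethernet broadcast address


@dataclass
class Frame:
    src: str          # source MAC address
    dst: str          # destination MAC address
    payload: str = ""


class Hub:
    """Layer-1 device: every frame is repeated to all ports except the ingress port."""

    def __init__(self, ports: int):
        self.ports = ports

    def forward(self, in_port: int, frame: Frame) -> list[int]:
        return [p for p in range(self.ports) if p != in_port]


@dataclass
class Switch:
    """Layer-2 device keeping a table that maps MAC address -> port."""
    ports: int
    mac_table: dict[str, int] = field(default_factory=dict)

    def forward(self, in_port: int, frame: Frame) -> list[int]:
        # Learn: the sender's MAC is reachable via the ingress port. The table is
        # filled from whatever source address a frame carries; it is learned
        # state, not an access control.
        self.mac_table[frame.src.lower()] = in_port
        dst = frame.dst.lower()
        if dst == BROADCAST or dst not in self.mac_table:
            # Broadcast or not-yet-learned destination: flood like a hub.
            return [p for p in range(self.ports) if p != in_port]
        out = self.mac_table[dst]
        # Destination sits on the ingress port: nothing to forward.
        return [] if out == in_port else [out]


def demo() -> dict:
    """Run a constructed exchange through a 4-port hub and a 4-port switch."""
    a, b, c = "00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc"
    hub, sw = Hub(4), Switch(4)
    results = {}
    # A (port 0) sends to B before the switch has learned B: both devices flood.
    f1 = Frame(src=a, dst=b, payload="hello")
    results["hub_first"] = hub.forward(0, f1)
    results["switch_first"] = sw.forward(0, f1)
    # B (port 1) replies: the switch now knows A is on port 0 and uses only that port.
    f2 = Frame(src=b, dst=a, payload="reply")
    results["hub_reply"] = hub.forward(1, f2)
    results["switch_reply"] = sw.forward(1, f2)
    # C (port 2) sends a broadcast frame: the switch must flood it.
    results["switch_bcast"] = sw.forward(2, Frame(src=c, dst=BROADCAST))
    results["table"] = dict(sw.mac_table)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```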

3.1.6 Wireless Access Point

An access point in a wireless LAN (Wi-Fi) functions like a hub or a switch in a wired
network. It connects computers or devices together to create a wireless network.
Most wireless access points also function as a network bridge that connects the Wi-
Fi network to a wired network such as Ethernet. An access point has an interface to
a broadband modem or a router that is used when the Wi-Fi network connects to
the Internet. Some access points come as a multi-function device that incorporates
the functions of switch, bridge, router, or broadband modem. An access point is
also known as base station.

Wireless (Wi-Fi) Access Point.


Data transfer rate decreases as the distance from a computer or a device to the
access point increases. A Wi-Fi access point provides wireless network coverage
within an area of up to about 100 meters outdoors. In a typical indoor application, an
access point can cover an area of up to about 50 meters. The exact coverage
depends on the access point transceiver and antenna design. Physical obstacles and
interference from other wireless networks can reduce the wireless signal range.
An area that is within a Wi-Fi network's coverage is popularly known as a hotspot.
Many public places such as airports, hotels, and cafés provide public Wi-Fi hotspots
that have a broadband connection to the Internet. Such hotspots can be accessed by
the public for free or for a fee. To connect to a Wi-Fi hotspot, your wireless
network adapter must be compatible with the hotspot's access point.

3.1.7 Router
A router forwards packets across different networks. A router maintains a
routing table, which contains the IP addresses of other networks' routers. In
a static router the routing table is configured manually, while a dynamic router
can communicate with other routers and configure its routing table according to
the information it receives from them.

Router in OSI Model protocol stack


3.1.8 Residential Gateway
Residential gateway is basically a router that is configured to enable the sharing of
a single Internet connection (subscription) by multiple users in a home network.
However when you buy a residential gateway, it most likely incorporates other
functions such as hub, switch, wireless access point, or bridge. Some residential
gateways also already include broadband (cable/DSL) modem.

Residential Gateway
By using a residential gateway to connect your home network to the Internet, you
don't need to always turn on a computer as an ICS host.
With a residential gateway, you don't have to manually set an IP address for each
computer in your network because a residential gateway usually has DHCP
server. Using DHCP, IP address for each computer is assigned dynamically by the
residential gateway.

A residential gateway also keeps your computers anonymous on the Internet
because it translates the IP address of each computer to an IP address assigned
by the ISP. This function is called Network Address Translation (NAT).
Besides, a residential gateway protects your home network from intruders that try
to gain access through certain applications on your computers because it has a
built-in firewall.
Residential gateway is also known as broadband router or Internet gateway device
(IGD).

3.1.9 Gateway

A gateway connects two completely different networks. It performs
protocol translation. Although a gateway is considered a Layer 7 device in many
publications, it actually works across all seven layers of the OSI Model. In Internet
Telephony, a gateway connects the VoIP network to the PSTN.

Gateway

The following table summarizes network components along with their functions and
the corresponding layers in the OSI Model:

Network Component      | Functions                                                                                                              | OSI Model
Network Adapter        | converts a computer message into electrical/optical signals for transmission across a network.                        | Physical (Layer 1)
Modem                  | puts a message (baseband signal) on a carrier for efficient transmission; takes the baseband signal from the carrier.  | Physical (Layer 1)
Repeater (Regenerator) | receives a signal, amplifies it, then retransmits it.                                                                  | Physical (Layer 1)
Bridge                 | connects networks with different Layer 2 protocols; divides a network into several segments to filter traffic.         | Data Link (Layer 2)
Hub                    | connects computers in a network; receives a packet from a sending computer and transmits it to all other computers.   | Physical (Layer 1)
Switch                 | connects computers in a network; receives a packet from a sending computer and transmits it only to its destination.   | Data Link (Layer 2)
Access Point           | connects computers in a wireless network; connects the wireless network to wired networks; connects it to the Internet. | Data Link (Layer 2)
Router                 | forwards a packet to its destination by examining the packet's destination network address.                            | Network (Layer 3)
Residential Gateway    | connects a home network to the Internet; hides all computers in the home network from the Internet.                    | Network (Layer 3)
Gateway                | connects two totally different networks; translates one signaling/protocol into another.                               | All layers

3.2 Network Operating Systems

Any modern Operating System contains built-in software designed to simplify
networking of a computer. Typical O/S software includes an implementation of
the TCP/IP protocol stack and related utility programs like ping and traceroute. This
includes the necessary device drivers and other software to automatically enable a
device's Ethernet interface. Mobile devices also normally provide the
programs needed to enable Wi-Fi, Bluetooth, or other wireless connectivity.

The early versions of Microsoft Windows did not provide any computer networking
support. Microsoft added basic networking capability into its operating system
starting with Windows 95 and Windows for Workgroups. Microsoft also introduced
its Internet Connection Sharing (ICS) feature in Windows 98 Second Edition (Win98
SE). Contrast that with Unix, which was designed from the beginning with
networking capability. Nearly any consumer O/S today qualifies as a network
operating system due to the popularity of the Internet.

Network operating systems (NOSs) distribute their functions over a number of
networked computers; they add functions that allow access to shared resources by
a number of users concurrently.

Client systems contain specialized software that allows them to request shared
resources that are controlled by server systems responding to a client request. The
NOS enhances the reach of the client PC by making remote services available as
extensions of the local native operating system.

NOSs also support multiple user accounts at the same time and enable
concurrent access to shared resources by multiple clients. A NOS server is a
multitasking system.

Several clients in a network

3.2.1 Choosing a NOS

The main features to consider when selecting a NOS include:

• Performance
• Management and monitoring tools
• Security
• Scalability
• Robustness/fault tolerance

3.2.2 Types

There are two popular competing NOS families: Windows-based and Unix-based.
The former is proprietary whereas the latter is open source.

Windows NOS

Windows server-based networks that run Windows NT Server or Windows 2000
Server are based on the concept of the domain. A domain is a group of computers
and users that serves as a boundary of administrative authority.

Windows NT domains and Windows 2000 domains, although similar in function,
interact with one another differently. In Windows NT 4.0, the Domain Structure of
Windows NT was entirely different from the Domain Structure in Windows 2000.

Instead of Active Directory, Windows NT provides an administrative tool called the
User Manager for Domains. It is accessed from the domain controller and is used to
create, manage, and remove domain user accounts. Each NT domain requires one
Primary Domain Controller (PDC). A domain can also have one or more Backup
Domain Controllers (BDCs).

Windows 2000 and 2003 Family of Operating Systems includes:

– Windows 2000 Professional

– Windows 2000 Server

– Windows 2000 Advanced Server

Unix/Linux

Linux is an operating system similar to UNIX. It runs on many different
computers and was first released in 1991. Linux is portable, which means
versions can be found running on name brand or clone PCs. It offers many
features adopted from other versions of UNIX.

The UNIX NOS was developed in 1969, and it has evolved into many varieties.

The source code is open, that is, available at no cost to anyone who wants to
modify it. It is written in the C programming language, so businesses, academic
institutions, and even individuals can develop their own versions. There are
hundreds of different versions of UNIX. Linux is sometimes referred to as "UNIX
Lite", and it is designed to run on Intel-compatible PCs. Linux brings the advantages
of UNIX to home and small business computers.

The following are a few of the most popular types:

• Red Hat Linux

• Linux Mandrake

• Caldera eDesktop and eServer

• Debian GNU/Linux

• Corel Linux

• Turbo Linux

• Ubuntu

Other Software and Programs

A popular use of a Linux system is a web server. Web server software uses
Hypertext Transfer Protocol (HTTP) to deliver files to users that request them,
using a web browser from their workstation.

A Mail Server is a system that is configured with the proper programs and services
that enable handling the exchange of e-mail sent from one client to another.

Review Questions

i) Describe the following network devices and what they do:
   • Switch
   • Gateway
   • Repeater
ii) Network Operating systems are said to be multi-user and
multi-tasking. Differentiate these two terms.
iii) How does a network operating system differ from a
standalone operating system?
iv) What factors will you consider before choosing a network
operating system?
v) Describe the role of software in supporting a computer network.

CHAPTER FOUR: PROCURING NETWORK RESOURCES
4.1 Introduction

Organizations' dependency on computer networks has increased progressively, as
networks have become a strategically important competitive advantage. If planned,
developed, and managed properly, a network can bring about greater efficiency in
organizational operations, better working environments, and effective decision-
making processes. Therefore, many organizations are trying to close the
development gap with the industry by means of technology acquisition. The
technology acquisition process is essential in developing a good management
information system for an organization. Many IT projects have failed because of
poor design planning, the wrong choice of development approach, and a lack of follow-up
on key milestones addressed in the acquisition process.

4.2 Decision Making Strategy in Network Resource acquisition

The term 'acquisition' refers to all the stages from buying, introducing, applying,
adopting, adapting, localizing, and developing through to diffusion. The set of
processes for the build, lease, or buy decision must be identical for every instance
or business opportunity that arises. The processes determine the strategic value
and potential savings of the proposed acquisition, as well as factors like business
transformation versus drive for competitive advantage.

Prior to the acquisition process, the detailed requirements of the process should have
already been identified clearly. More importantly, the business objectives should
be identified for the solution being sought, and the management decision whether to
build, lease, or buy the resources should consider a value-versus-risk matrix
to determine which options can be applied. Both IT auditors and corporate
management should evaluate offerings over the long term and compare the
"trickling" investment over time to the one-time cost of buying and implementing
a network. Moreover, this technology acquisition process requires an extensive
evaluation considering the system requirements, feasibility analysis, and risk
management assessment.

4.3 IT Acquisition Process

The acquisition process should involve the identification and analysis of alternative
solutions that are each compared with the established business requirements. The
decision making to acquire a device primarily consists of the following stages:

Identifying the Business Objective

One of the most essential assessments in the decision making process is identifying the
business objective after first understanding the problems being solved. The management
should primarily identify the business processes involved in the organization. The
first phase of the acquisition process should align the business process with the
company objectives and the business plan. Note that specific processes may need to
be prioritized to fully obtain the benefits of the implementation. Moreover, each
process should be carefully analyzed to ensure that it will have the
functionality needed to meet the requirements of the business process and the users, as
well as benefits that can be justified by its cost.

Analyzing alternatives

There are several options in procuring networking solutions. Some available
alternatives are: (1) buying all equipment from a vendor and installing it on your own,
(2) leasing equipment from a service provider (ISP) or leasing through utility
computing (contracted development), and (3) outsourcing network services
from another company.

While an organization is in the phase of deciding which alternative to
select, the management should carefully examine not only the advantages and
disadvantages of each procurement option; more importantly, the option must
be the best fit with the organization's business plan.

Conducting a feasibility analysis

As a part of the assessment in acquiring the solutions, a feasibility analysis is
important to identify the constraints for each alternative from both a technical and
a business perspective. Feasibility analysis incorporates the following categories:

• Economic feasibility analysis provides cost-benefit justification with
regard to the expenses of a system, which include procurement,
project-specific, start-up, and operational costs. Some cost examples are
one-time and recurring costs, consultants, support staff, infrastructure,
maintenance and training costs. This examination ensures that the
solution won't exceed the budget limit and that it increases
efficiency and resource utilization.

• Technical feasibility assessment analyzes the technical reasonableness of
the proposed solution. Technical feasibility evaluates whether the
company has the infrastructure and resources, including hardware and
software capability, to support the new network. Meanwhile, it also
assesses the consistency of the proposed system's technical
requirements with the company's technical resources. Therefore, this
assessment guarantees the reliability and capacity for future growth.

• Operational feasibility evaluation reviews the extent of organizational
changes required to accommodate the proposed system. The proposed
system should solve the business problems and provide better
opportunity for the business, since the business process might be
changed. Some alignments that may occur include business process,
human resource management, and products or services offered.

• Legal and contractual feasibility. The proposed solution must pass any
related legal or contractual obligations associated with it. Corporate legal
counsel should ensure that there are no illegal practices in the new system
with respect to any preexisting regulations. The organization
may also work with experts from the Computer Law Association to
make sure this analysis is strictly enforced. Thus, the underlying theme is to
protect the company and to establish the remedy process
should the vendor or contractor fail to perform as promised.

Upon completion of the series of feasibility analyses, a risk analysis review will most
likely be conducted. Risk analysis evaluates the security of the proposed system,
potential threats, vulnerabilities, impacts, as well as the feasibility of other
controls that can be used to minimize the identified threats.

Selection Procedure

The selection procedure is the process of identifying the best match between the
available options and the identified requirements. In this process, the company
requests a proposal from prospective providers, evaluates the proposals, and
selects the best available alternative. There are various ways to solicit responses
from providers. Some of the common methods are the request for information
(RFI), request for bid (RFB), and request for proposal (RFP). An RFI is used to seek
information from vendors for a specific intention. An RFI should act as a tool for
determining the alternatives or associated alternatives for meeting the
organization's needs. An RFB is designed to procure specific items or services and is
used where either multiple vendors are equally capable of meeting all of the
technical and functional specifications or only one provider can meet them.
Furthermore, an RFP specifies the minimal acceptable requirements, including
functional, technical, and contractual aspects. This document offers flexibility to
respondents to further define the requested requirements. RFPs can lead to
a purchase or to continued negotiation.

All of these processes should proceed in a structured way to ensure the process is
completed neatly in a timely fashion. If done properly, this process turns out to be a
purchasing decision for the selected application. Note that the entire process must be
documented in a written letter before moving to the next step. This is an important
issue to avoid a bid protest that may be filed by any other potential
vendors. Management, the IT auditor and also legal counsel must review every point
in detail before the proposal evaluation process begins.

Proposal Evaluation Process

Proposal evaluation is a crucial process in the acquisition since one or more key
stakeholders review submitted proposals using a list of objective selection criteria
and decide the best match between the product features and functionality and
the identified requirements.

Negotiating a contract

Once the vendor is selected, the company can move to the contract
negotiation, in which the company can specify the price of the job and the type of
support to be provided by the vendor. The contract must describe the detailed
specifications, all the included services provided by the vendor, and other detailed
terms of the system. A contract is a legal document, so the company should involve
experienced staff in IT and legal matters. Since the contract can be very tricky,
legal counsel should be involved from the beginning of the selection process.

Establishing a service level agreement (SLA)

An SLA is a formal agreement regarding the
distribution of work between the organization and its vendor. Such an agreement is
created according to a set of agreed-upon objectives, quality tests, and some what-if
situations. Overall, an SLA defines: (1) company and vendor responsibilities,
(2) a framework for designing support services, and (3) the company's privilege to have most
of the control over its system.

Implementing the Solution

Upon completion of the contract negotiation, an acceptance plan should be agreed by
both the company and the vendor so that the network can be ready to be installed.
During this process, the level of performance is also tested and user reactions are
evaluated. After implementation the company management may deal
with organizational issues such as conversion strategies, training, and resistance
to change.

Review Questions

i) Why is it important to do a needs assessment before setting up
a computer network?
ii) There are various ways to solicit responses from providers;
describe any three.
iii) Describe the following techniques of procuring network resources:
   • Outsourcing network services
   • Leasing network equipment
   • Buying from a vendor and installing on your own
iv) Explain why it is important for organizations to sign service
level agreements (SLAs) with vendors.
v) You have been appointed to negotiate a contract with a vendor
to install a network in your company. Describe three things you
will consider when arriving at your price.

CHAPTER FIVE: CONFIGURING NETWORK DEVICES

5.1 LAN network address

The first three octets of an IP address should be the same for all computers in the
LAN. For example, if a total of 128 hosts exist in a single LAN, the IP addresses
could be assigned starting with 192.168.1.x, where x represents a number in the
range of 1 to 128. You could create consecutive LANs within the same company in
a similar manner consisting of up to another 128 computers. Of course, you are not
limited to 128 computers, as there are other ranges of IP addresses that allow you
to build even larger networks.

There are different classes of networks that determine the size and total possible
unique IP addresses of any given LAN. For example, a class A LAN can have over 16
million unique IP addresses. A class B LAN can have over 65,000 unique IP
addresses. The size of your LAN depends on which reserved address range you use
and the subnet mask (explained later) associated with that range (see Table 1
below).

Table 1. Address ranges and LAN sizes

Address range                 | Subnet mask   | Provides         | Addresses per LAN
10.0.0.0 - 10.255.255.255     | 255.0.0.0     | 1 class A LAN    | 16,777,216
172.16.0.0 - 172.31.255.255   | 255.255.0.0   | 16 class B LANs  | 65,536
192.168.0.0 - 192.168.255.255 | 255.255.255.0 | 256 class C LANs | 256

5.2 Network and broadcast addresses

Another important aspect of building a LAN is that the addresses at the two
extreme ends of the address range are reserved for use as the LAN's network
address and broadcast address. The network address is used by an application to
represent the overall network. The broadcast address is used by an application to
send the same message to all other hosts in the network simultaneously.

For example, if you use addresses in the range of 192.168.1.0 to 192.168.1.128,
the first address (192.168.1.0) is reserved as the network address, and the last
address (192.168.1.128) is reserved as the broadcast address. Therefore, you only
assign individual computers on the LAN IP addresses in the range of 192.168.1.1 to
192.168.1.127:

Network address: 192.168.1.0

Individual hosts: 192.168.1.1 to 192.168.1.127

Broadcast address: 192.168.1.128

5.3 Subnet masks

Each host in a LAN has a subnet mask. The subnet mask is written as four octets, using the
number 255 to represent the network address portion of the IP address and a
zero to identify the host portion of the address. For example, the subnet mask
255.255.255.0 is used by each host to determine which LAN or class it belongs
to. The zero at the end of the subnet mask represents the unique host within that
network.

5.4 Domain name
The domain name, or network name, is a unique name followed by a standard
Internet suffix such as .com, .org, .mil, .net, etc. You can pretty much name
your LAN anything if it has a simple dial-up connection and your LAN is not a server
providing some type of service to other hosts directly. In addition, our sample
network is considered private since it uses IP addresses in the range of
192.168.1.x. Most importantly, the domain name of choice should not be
accessible from the Internet if the above constraints are strictly enforced. Lastly,
to obtain an "official" domain name you could register through InterNIC, Network
Solutions or Register.com.

5.5 Hostnames
Another important step in setting up a LAN is assigning a unique hostname to each
computer in the LAN. A hostname is simply a unique name that can be made up and is
used to identify a unique computer in the LAN. Also, the name should not contain any
blank spaces or punctuation. For example, the following are valid hostnames that
could be assigned to each computer in a LAN consisting of 5 hosts: hostname 1
- Simba; hostname 2 - Chui; hostname 3 - Duma; hostname 4 - Nyati; and hostname
5 - Ndume. Each of these hostnames conforms to the requirement that no blank
spaces or punctuation marks are present. Use short hostnames to eliminate
excessive typing, and choose a name that is easy to remember.

Table 2 summarizes what we have covered so far. Every host in the
LAN will have the same network address, broadcast address, subnet mask, and
domain name because those addresses identify the network in its entirety. Each
computer in the LAN will have a hostname and IP address that uniquely identifies
that particular host. The network address is 192.168.1.0, and the broadcast
address is 192.168.1.128. Therefore, each host in the LAN must have an IP address
between 192.168.1.1 and 192.168.1.127.

Table 2. Sample IP addresses for a LAN with 127 or fewer interconnected computers

IP address        | Example                 | Same/unique
Network address   | 192.168.1.0             | Same for all hosts
Domain name       | www.yourcompanyname.com | Same for all hosts
Broadcast address | 192.168.1.128           | Same for all hosts
Subnet mask       | 255.255.255.0           | Same for all hosts
Hostname          | Any valid name          | Unique to each host
Host addresses    | 192.168.1.x             | x must be unique to each host
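The rules of sections 5.1 to 5.6 can be checked mechanically. The following Python helpers are an added example (not code from the course text): they apply the 255/0 mask rule of section 5.3 bitwise to derive the network and broadcast addresses (for a 255.255.255.0 mask that places the broadcast at the highest address of the 256-address block), count the addresses per LAN from Table 1, classify an address into Table 1's private ranges, validate hostnames as in section 5.5 (assumption made here: hyphens are also accepted, as DNS labels permit them), and hand out static addresses as in section 5.6.1 while refusing duplicates and the two reserved addresses. The hostnames Simba, Chui, Duma, Nyati and Ndume come from section 5.5; everything else is constructed input.

```python
"""LAN address planning helpers: an added example for sections 5.1 to 5.6 of the
course text, not code from the text itself."""
from __future__ import annotations

import ipaddress
import re
from typing import Optional

# Table 1 of the text: the three reserved private address ranges.
PRIVATE_RANGES = {
    "class A": ipaddress.ip_network("10.0.0.0/8"),
    "class B": ipaddress.ip_network("172.16.0.0/12"),
    "class C": ipaddress.ip_network("192.168.0.0/16"),
}

# Section 5.5 rule: a single label with no blank spaces and no punctuation.
# Assumption: hyphens inside the label are accepted (DNS labels permit them).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def network_and_broadcast(ip: str, mask: str) -> tuple[str, str]:
    """Apply the mask bitwise: AND keeps the network bits (the 255 octets);
    OR-ing the inverted mask sets every host bit to one for the broadcast."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    network = ip_int & mask_int
    broadcast = network | (~mask_int & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(network)), str(ipaddress.IPv4Address(broadcast))


def addresses_per_lan(mask: str) -> int:
    """Number of addresses the mask spans (Table 1 counts network and broadcast too)."""
    host_bits = 32 - bin(int(ipaddress.IPv4Address(mask))).count("1")
    return 2 ** host_bits


def private_class(ip: str) -> Optional[str]:
    """Name the Table 1 range an address falls into, or None if it is not private."""
    addr = ipaddress.IPv4Address(ip)
    for name, net in PRIVATE_RANGES.items():
        if addr in net:
            return name
    return None


def valid_hostname(name: str) -> bool:
    """True when the name is a single label with no blank spaces or punctuation."""
    return HOSTNAME_RE.match(name) is not None


def plan_static_lan(hostnames: list[str], first_host: str, mask: str) -> dict[str, str]:
    """Section 5.6.1: hand out consecutive static addresses starting at first_host.

    Rejects duplicate or invalid hostnames, any address that collides with the
    network or broadcast address, and any address that leaves the LAN.
    """
    if len({h.lower() for h in hostnames}) != len(hostnames):
        raise ValueError("hostnames must be unique within the LAN")
    network, broadcast = network_and_broadcast(first_host, mask)
    assignments: dict[str, str] = {}
    addr = ipaddress.IPv4Address(first_host)
    for name in hostnames:
        if not valid_hostname(name):
            raise ValueError(f"invalid hostname: {name!r}")
        if str(addr) in (network, broadcast):
            raise ValueError(f"{addr} is reserved as the network or broadcast address")
        if network_and_broadcast(str(addr), mask)[0] != network:
            raise ValueError(f"{addr} lies outside the LAN {network} / {mask}")
        assignments[name] = str(addr)
        addr += 1
    return assignments


if __name__ == "__main__":
    # Constructed input using the hostnames from section 5.5.
    hosts = ["Simba", "Chui", "Duma", "Nyati", "Ndume"]
    print(network_and_broadcast("192.168.1.1", "255.255.255.0"))
    print(addresses_per_lan("255.255.255.0"), "addresses per class C LAN")
    print(plan_static_lan(hosts, "192.168.1.1", "255.255.255.0"))
```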

5.6 Assigning IP addresses in a LAN

There are two ways to assign IP addresses in a LAN. You can manually assign a
static IP address to each computer in the LAN, or you can use a special type of
server that automatically assigns a dynamic IP address to each computer as it
logs into the network.

5.6.1 Static IP addressing

Static IP addressing means manually assigning a unique IP address to each computer in
the LAN. The first three octets must be the same for each host, and the last octet must
be a unique number for each host. In addition, a unique hostname will need to be
assigned to each computer. Each host in the LAN will have the same network address
(192.168.1.0), broadcast address (192.168.1.128), subnet mask
(255.255.255.0), and domain name (yourcompanyname.com). It's a good idea to
start by visiting each computer in the LAN and jotting down the hostname and IP
address for future reference.

5.6.2 Dynamic IP addressing

Dynamic IP addressing is accomplished via a server or host running DHCP (Dynamic
Host Configuration Protocol) that automatically assigns a unique IP address to
each computer as it connects to the LAN. A similar service called BootP can also
automatically assign unique IP addresses to each host in the network. The DHCP/
BootP service is a program or device that will act as a host with a unique IP
address. An example of a DHCP device is a router that acts as an Ethernet hub on
one end and allows a connection to the Internet on the opposite end. Furthermore,
the DHCP server will also assign the network and broadcast addresses. You will not
be required to manually assign hostnames and domain names in a dynamic IP
addressing scheme.

5.7 The LAN hardware

Assigning hostnames and IP addresses will be useless if there is no hardware
available to connect all the computers together. There are several different types
of hardware schemes such as Ethernet, Token Ring, FDDI, Token Bus, etc. Since
Ethernet is the most widely used hardware scheme, we will focus our attention on
it. Ethernet is available from several different computer vendors, and it is
relatively inexpensive. Ethernet is a 10-Mbps baseband LAN specification developed
by Xerox, Intel, and Digital Equipment. In order to build an Ethernet LAN you need
the following: an Ethernet Network Interface Card (NIC) for each computer, an
Ethernet compatible hub with at least the same number of ports as there will be
computers in the LAN, and Ethernet cables (or 10BaseT cables) to connect each
computer's NIC to the Ethernet hub.

Also make sure that the hardware of choice is compatible with the operating
system. This hardware/software compatibility information is usually found in the
Requirements section on the back of the box of each product. Alternatively, you
could ask a computer sales person about hardware/software requirements. You
can usually save money by purchasing LAN cards as a package vs. purchasing them
individually.

When choosing an Ethernet hub ensure that it contains at least as many ports as
there are computers that will participate in the LAN. It is always best to choose a
hub with additional ports to allow for expansion.

If you plan to use all of the computers in the LAN to access the Internet via a local
Internet Service Provider (ISP), the router/Ethernet combo is an ideal choice. The
router/Ethernet unit is normally configured using any computer that is connected to
the LAN. Assuming that all computers in the LAN will be running the Red Hat
Linux operating system, a router will be required that can be configured using
a Linux configuration program such as LinuxConf.

Finally, choose network cables to allow for expansion. Typically, most Ethernet
networks use 10BaseT cables with RJ45 jacks at each end. It's always a good idea to
purchase cables that are 1 or 2 times longer than the required length in case the
structure (topology) of the LAN changes in the future.

5.8 Installing the hardware

Assuming that all LAN hardware is available, the next step is to install it. First
turn off all the computers that will participate in the LAN. Next, open the case on
each computer and install each NIC in the appropriate slot on the motherboard,
being careful to follow the manufacturer's instructions.

Find a convenient but safe location for the Ethernet hub, preferably a centralized
location in the same building or room along with the computers. Next, run the
cable from the NIC in each computer to the Ethernet hub ensuring all cables are
out of the way of users who will need physical access to each computer in the
LAN. Moreover, make sure you follow all instructions provided with the LAN
hardware before starting up any of the computers that will participate in the LAN.

If you are using a router to connect the LAN to the Internet or using a DHCP server,
you will need to do some configuration as required by the user's manual. Lastly,
assuming all computers are attached to the Ethernet hub via the NIC and a specific
port on the hub, you can now begin the software configuration process using the
Red Hat operating system.

5.9 Configuring the LAN

How you configure the computers on the LAN will depend on whether the Red Hat
OS was installed before or after the LAN hardware. If you installed the LAN
hardware before installing Red Hat you will be prompted for network configuration
during the Red Hat installation process. However, if you installed the Red Hat OS
after the LAN hardware, a program called "Kudzu" will detect the newly installed
Ethernet card and initiate the configuration process automatically. Follow these
steps when configuring each Ethernet card using the "Kudzu" program:

1. During the bootup process look for a dialog box titled "Welcome to Kudzu."
Press Enter to begin the configuration process.
2. Next, you should see another dialog box that displays the brand name for the
installed Ethernet card. Press Enter again to continue.
3. After a brief delay you should see "Would You Like to Set up Networking".
4. Select the NO option using the Tab key and then press Enter. Setting up
networking with a utility called LinuxConf is described later in this chapter.

At this point, the bootup process should continue normally and you will be
required to log on to the computer as the root user, using the root password
you set during the initial installation of Red Hat.

5.9.2 Using LinuxConf to configure your Ethernet card


You can use an application program called LinuxConf to configure or reconfigure
the NIC of each computer in the LAN. You can launch the LinuxConf utility by
typing linuxconf at the command prompt of any terminal window in the KDE or
GNOME desktop environment. Another way to start the LinuxConf utility is to click
the Main menu button, select System, then LinuxConf. When the LinuxConf
application is displayed, follow the steps below to configure the Ethernet card:

1. From the LinuxConf tree structure, select Config, Networking, Client
Tasks, Basic Host Information.
2. Type the fully qualified hostname that you assigned to this computer on the
Host name tab.
3. Next, click the Adaptor 1 tab, which displays your Ethernet card settings.
4. Verify that the Enabled button is selected to ensure that the Ethernet
card will be accessible.
5. Choose the Manual option if you will not be using a DHCP or BootP server on
your LAN and continue to step 6. Otherwise, if you will be using a DHCP or
BootP server, choose either DHCP or BootP accordingly and continue to step
12.
6. Enter this computer's hostname followed by a period and the domain name
of the LAN for the Primary name + domain option.
7. Enter the computer's hostname in addition to any aliases separated by
a blank space under the Aliases option.
8. Enter the IP address assigned to this computer next to IP Address (such as
192.168.1.1).
9. Type in 255.255.255.0 for the Netmask.
10. For net device, type eth0, which represents the first Ethernet card
located inside the computer.
11. The driver or Kernel Module option for the Ethernet card should
automatically be filled in upon exiting LinuxConf.
12. Click the Accept button to activate all changes.
13. Repeat steps 1-12 for each computer in the LAN, verifying that you've
entered the correct hostname and the corresponding IP address.

5.9.3 Nameserver specification


Another important step in setting up the LAN is to configure the Nameserver
specification, which Linux uses to look up an IP address when only a
computer's hostname is given. Red Hat Linux has two methods of resolving
hostnames into IP addresses: Domain Name Service (DNS), and a local file at
/etc/hosts. You can inspect that file by typing cd /etc to change to the /etc
directory, where most system configuration files are found. Next, follow the
steps below to set up hostname resolution:

1. In the left column of LinuxConf, open the Nameserver specification (DNS)
category.
2. Left-click the DNS Usage option. (The button should be pushed in.)
3. Enter localdomain next to the Search Domain 1 category.
4. If you know the primary and secondary IP addresses for the nameserver,
which should be reachable from this Ethernet card, enter those in the IP of
nameserver 1 and IP of nameserver 2 categories. Otherwise, you can
leave those categories blank.
5. Left-click the Accept button to activate all changes.

5.9.4 Hostname search path


The hostname search path tells Red Hat Linux in which order to consult the
available sources when resolving a hostname. To configure it so that the
local hosts file (/etc/hosts) is tried first, for LAN hostnames, and the ISP's
DNS servers afterwards, for Internet hostnames, follow these steps:

1. In the left column of LinuxConf, open the Routing and Gateways category.
2. Select the Host Name Search path option.
3. In the right column of LinuxConf, select the Multiple IPs for One Host option.
4. Select the hosts, dns option in the right portion of LinuxConf.
5. Left-click the Accept button to activate all changes.

5.9.5 Setting up /etc/hosts


The Red Hat Linux OS needs some way to find IP addresses within the LAN based on
each computer's hostname. As described earlier in this chapter, the Domain
Name Service (DNS) is one method of resolving hostnames into IP addresses. In a
DNS configuration the hostnames and IP addresses should already be listed in a
pre-existing nameserver; consult your local ISP to obtain those IP addresses. On
the other hand, if there is no centralized nameserver, as is common on small
LANs, a hosts file listing every computer's hostname, IP address and aliases will
need to be configured on each computer. This involves editing the text file
located at /etc/hosts. Go to one of the computers in the LAN and follow the
steps below to create and configure the /etc/hosts file:

1. In the left column of LinuxConf, open the Misc category.
2. Open the Information about hosts category. You should see an entry for
this computer that includes the IP address, hostname, and any aliases.
3. Left-click the Add button once to add an entry for another host in the LAN.
4. Type the Primary + Domain Name for another host in the LAN in the dialog
box that appears (such as trinity.yourcompanyname.com).
5. Type one or more aliases for this computer next to the Alias option (such as
tank).
6. Enter the IP address for the hostname that you've assigned for this computer
next to IP number.
7. Left-click the Accept button to activate all changes.
8. Repeat steps 1-7 for each computer in your LAN.

After you have done steps 1-7 for all computers, the /etc/hosts tab of LinuxConf
should list one entry for every computer in your LAN, in addition to the local
host's loopback interface. The local host name should appear as localhost. Finally,
you can save all changes and exit the LinuxConf application by following the steps
below:

1. Left-click the Quit button in the /etc/host screen after all hostnames and IP
addresses have been entered.
2. To exit the LinuxConf application, left-click the Quit button at the bottom-
left corner.
3. Left-click the Activate the Changes button to activate all changes and
exit LinuxConf.

Now that you have configured one computer in your LAN, you will need to go
back and repeat all the above steps for each computer starting with the section
"Configuring the LAN". If you would prefer a less time-consuming procedure, you
can distribute the /etc/hosts file to each computer manually using a copy
method instead of re-entering every host in LinuxConf.

Copy the /etc/hosts file that you have just created to a flash disk or CD-ROM
(if you have a writeable CD-ROM drive), take it to each computer in your LAN and
copy it into that computer's /etc directory. For example, with the flash disk
mounted at /flash, type cp /flash/hosts /etc/hosts in a terminal window. The
/etc/hosts file, as you probably noticed, is just a text file with one host per
line and three columns: IP address, hostname and aliases. Lastly, make sure that
the local computer appears once on the 127.0.0.1 loopback line (as localhost)
and once with its LAN address, and that all the other computers in the LAN are
listed only once.
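The following Python script, an added example that is not part of the original notes, builds the /etc/hosts file described above from a small inventory and checks it for the mistakes that most often break LAN name resolution: a name mapped to two addresses, an address listed twice, a missing loopback line, or a file that forgot the machine it is copied to. The inventory, hostnames and example.com domain are constructed for illustration; the output format (address, fully qualified name, aliases) is the standard hosts-file layout.

```python
"""Build and sanity-check an /etc/hosts file for a small LAN (added example).

This is not part of the original notes. The inventory below is constructed;
hostnames, domain and addresses are illustrative. The file it produces can be
copied unchanged to every computer because the 127.0.0.1 line names only
localhost, not the machine itself.
"""
import ipaddress
from typing import List, Tuple

# Constructed inventory: (IP address, fully qualified hostname, aliases).
LAN_HOSTS = [
    ("192.168.1.1", "neo.example.com", ["neo"]),
    ("192.168.1.2", "trinity.example.com", ["trinity", "tank"]),
    ("192.168.1.3", "morpheus.example.com", ["morpheus"]),
]


def build_hosts(entries, loopback_names=("localhost", "localhost.localdomain")) -> str:
    """Return /etc/hosts text: the loopback line first, then one line per LAN host."""
    lines = ["127.0.0.1\t" + " ".join(loopback_names)]
    for ip, fqdn, aliases in entries:
        ipaddress.IPv4Address(ip)          # raises ValueError on a malformed address
        lines.append((f"{ip}\t{fqdn} " + " ".join(aliases)).rstrip())
    return "\n".join(lines) + "\n"


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file text into (address, names) pairs, ignoring blanks and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1:]))
    return entries


def check_hosts(text: str, local_fqdn: str) -> List[str]:
    """Return the problems worth fixing before the file is copied to every machine."""
    problems = []
    names_seen = {}        # name -> address it was first mapped to
    addresses_seen = {}    # address -> first name on its line
    has_loopback = False
    for ip, names in parse_hosts(text):
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"malformed address: {ip}")
            continue
        if not names:
            problems.append(f"no hostname given for {ip}")
            continue
        if addr.is_loopback:
            has_loopback = True
            continue
        if ip in addresses_seen:
            problems.append(f"{ip} listed twice ({addresses_seen[ip]} and {names[0]})")
        addresses_seen.setdefault(ip, names[0])
        for name in names:
            if names_seen.get(name, ip) != ip:
                problems.append(f"{name} maps to both {names_seen[name]} and {ip}")
            names_seen.setdefault(name, ip)
    if not has_loopback:
        problems.append("missing 127.0.0.1 loopback line")
    if local_fqdn not in names_seen:
        problems.append(f"local host {local_fqdn} has no LAN entry")
    return problems


if __name__ == "__main__":
    hosts = build_hosts(LAN_HOSTS)
    print(hosts)
    print("problems:", check_hosts(hosts, "trinity.example.com"))
```

Run check_hosts against the generated file on each machine, passing that machine's own fully qualified name, before copying it into /etc: the same file must name every host exactly once, and the check catches the alias collisions that a hand-edited copy tends to accumulate.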

5.10 Testing the LAN

To test the completely configured LAN, make sure that the computers are able
to communicate with each other after the bootup process. You can start by
typing reboot at the command prompt at a command terminal on each
computer. This allows you to monitor the testing information that scrolls down
the screen as a standard procedure during the Linux boot process. Look for the
following information:

Setting hostname: <hostname you assigned to this computer>

Bringing up Interface lo: <OK> or <FAILED>

Bringing up interface eth0 <OK> or <FAILED>

The Setting hostname field should display the hostname that you assigned for
this computer. The lo and eth0 interfaces should display [OK] to indicate that
both tests were successful.

To determine whether each computer can communicate with every other computer
in the LAN, use the ping command. Open a terminal window on the current host
and type ping <IP address> or ping <hostname>, where <IP address> or <hostname>
is the address or hostname that you assigned to the computer you want to
reach. One of the two must be given for the ping command to work.

If you have configured hostname resolution (the /etc/hosts file or DNS)
properly, the ping <hostname> command will resolve the hostname into the
corresponding IP address. Otherwise, you will need to use the IP address that
you already have listed for each computer in the LAN. The ping command sends
ICMP echo requests across the LAN to the designated IP address or computer. If
the computers are "talking" to each other you should see a reply line for each
packet, similar to the following:

64 bytes from 192.168.1.x : icmp_seq=0 ttl=255 time=0.8ms
64 bytes from 192.168.1.x : icmp_seq=1 ttl=255 time=0.4ms
64 bytes from 192.168.1.x : icmp_seq=2 ttl=255 time=0.3ms

Note that "192.168.1" represents the LAN that this host is a member of and x
is the host number of the computer you are attempting to ping (for example
the host you named oracle); together they make up the IP address. Press Ctrl+C
to terminate the test and you should see the following basic information
about the entire ping test:

--- hostname.yourcompanyname.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.8 ms

Verify that the packet loss is 0%, which is an immediate indication that the test
was successful. However, there is a problem if the ping command results in the
following message:

From hostname.yourcompanyname.com (192.168.1.1): Destination Host Unreachable

This is an immediate indication that the two computers are not communicating at
all. If the computers are not communicating, see the next section,
"Troubleshooting the LAN". Otherwise, when you can successfully ping all other
computers in the LAN from one designated computer, the overall basic
communications functionality is indeed a success. At this point, you can consider
this LAN to be a fully functional network that you can install and on which you
can configure various network services as desired.

5.11 Troubleshooting the LAN

If you are unable to ping another computer in the LAN, here's how to get to the
source of the problem. First of all, it's a good idea to shut down every computer
in the LAN using the shutdown command: at the command prompt on each computer,
type shutdown -h now as root. The main reason for shutting down all computers
is to monitor feedback from the boot process when each computer is started up
again.

Check all cable connections between every computer, making sure that all
RJ45 jacks are connected properly. After verifying that all the cables are
secured properly, start each computer one at a time and look for the following
response during the boot process:

Setting hostname: hostname.networkname [OK]

You can turn on interactive startup by pressing I when the Red Hat boot messages
offer "Press 'I' to enter interactive startup", to get a closer view of the
feedback. Ensure that the hostname and network name assigned to this computer
are spelled correctly. If this is not the case, you will need to return to the
Basic Host Information section of LinuxConf. In interactive mode you will be
prompted before each service is started. Respond to each question with Yes and
pay close attention to the results of the various tests. If the Kudzu program
detects an Ethernet card at this point, that is an indication that the card was
not properly configured the first time around. Let Kudzu configure the card:
when you are prompted to configure the network, choose "Yes" and type the
correct IP address and other related information for this particular computer.

Another important response to examine carefully is the following:

Bringing up interface eth0 [OK]

This line indicates whether the Ethernet card is working properly. If this test fails
you should check all network settings using LinuxConf to ensure that the card was
configured properly. If the network settings are correct, there is probably a defect
in the Ethernet card itself. In order to verify this, consult the manufacturer of the
Ethernet card or a computer technician to determine whether or not the card is
defective. Repeat the preceding troubleshooting procedures on each new
Ethernet card installed.

5.12 Connecting to the Internet

There are several ways to connect your computers to the Internet. According
to this manual, there are at least three:

 Modem sharing - similar to sharing a hard disk, a folder or a printer over
a network, you can also share a modem, but this requires additional
software.

 Routing - i.e. using a separate machine (a router, or an old computer set
up to function as a router by running routing software) that transfers
network packets from and to the Internet, based on their address. This
usually involves some Network Address Translation (NAT) as well.

 Proxy server - software that handles your communication with the Internet
for you (and other computers on your network). Proxy servers are
"application gateways": they serve certain applications, such as your web
browser. Using a proxy server to browse the web is therefore easy to set up,
but other applications (e-mail, games, ...) might require additional software
to be 'proxy-enabled'.


Routing

This is what most businesses use. They get a block of static IP addresses from
their ISP and give each of their machines an IP address. In most cases, what I
call the "gateway computer" is in fact a router, a special hardware device
which forwards the packets. Many operating systems (e.g. Unix, Windows
NT/2K, OS/2 etc.) can route IP packets too. The disadvantage of routing is
that it is more expensive, because you will have to 'buy' static IP addresses
from your ISP. Not only that, the ISP will have to define a "route" to your own
little subnet on their systems. That means they'll have to do some work and
thus they want to be paid for it. It also means that intervention by your ISP
is required, i.e. you can't do it all on your own. This is in contrast with the
next two strategies.

Proxy servers

Routing works great for businesses which are connected to the Internet 24
hours a day. But what if you're not, and you still want to hook up a whole
LAN to the Internet once in a while? One solution would be if somehow a
workstation computer could ask the gateway computer to send and receive
data on its behalf. The software which does the trick is called a proxy
server. A well known example is WinGate. As far as the operating system is
concerned, the proxy server is a normal TCP/IP application. A workstation
computer sends a request to the gateway asking it to send data to the
Internet. The data is sent using the gateway's IP address, and any response
comes back the same way. Any number of computers on your LAN can use
the connection in this way at the same time, as long as the data for separate
requests is kept separate. The gateway computer can be a 'normal' PC with a
standard Internet connection. There are several different ways to do
proxying: using the SOCKS protocol, socket relays and application proxies.

The SOCKS protocol is defined by an official standard. TCP/IP applications
have got to support SOCKS (in other words: must be SOCKSified) in order to
connect to a SOCKS proxy server. Some do, but many of them do not. Some
operating systems, such as OS/2 Warp 4, have special support in their TCP/IP
stack so that non-SOCKS aware programs can be used with SOCKS servers.

With socket relay (also known as "port mapping"), the proxy server mirrors ports
from the remote machine on the Internet and makes them available as though
it was providing the services. In this case, when a workstation on the internal
network connects to for instance the SMTP port on the proxy server, the proxy
server opens a matching socket on the connection to the Internet and then just
ferries data between the two connections. Unlike SOCKS, a socket relay does
not require any special support on behalf of the client program, so it can be
used with most applications. The disadvantage of socket relays is that not all
protocols can be handled. For instance, using the FTP protocol in non-passive
(active) mode, where the server opens a data connection back to the client, is
very problematic and is not normally possible with a socket relay system.

An application proxy is a special TCP/IP program that knows about a
particular application protocol, and will accept requests using this protocol.
A common example of this is the HTTP proxy provided by many Internet
service providers. This program accepts HTTP requests from clients and
forwards them as requests to other HTTP servers.

IP Masquerading (NAT)

Some operating systems, most notably Linux, have the capability to perform
IP routing with the addition of changing the IP address in the packets on the
fly, i.e. as the data is passed through from the LAN to the Internet. When
there is a mapping of multiple addresses on an internal LAN to one particular
IP address of the gateway, this is called IP Masquerading. When the mapping
is a bit broader (any IP address to any other IP address) the feature is called
Network Address Translation (NAT). NAT is a superset of IP Masquerading and
is often used in firewalls for security reasons. Note that ISPA also has a
feature called NAT (used for a different purpose).

Let's say in the following example that you use IPRoute for NAT. IPRoute
changes the addresses in the packets it receives from the workstation
machines into the address it is using itself. For example, two workstation
machines can each run a web browser. IPRoute changes the addresses so the
ISP thinks both web browsers are running on one and the same machine!
There's nothing strange about that; it has always been possible to run
multiple web browsers on one machine.

Running servers (say, web servers) on multiple workstation machines is a bit
less transparent. Most servers listen on a "well-known" port number. For a
web server this is port 80. But only one server can listen on a port at the
same time, which means that the gateway machine can remap a given port to only
one workstation machine. So, if you want to run more than one web server on
your internal network which must all be reachable from the outside, there is
a problem. Fortunately, there is also a solution. Let's say you have
web servers on port 80 of each of the workstation machines 192.168.0.2,
192.168.0.3 and 192.168.0.4. You can remap port 80 on the gateway
machine to port 80 on 192.168.0.2, port 81 to port 80 on 192.168.0.3 and
port 82 to port 80 on 192.168.0.4. People on the outside will have to specify
URLs with "non-standard" ports for the last two workstation machines, say
http://www.example.com:81/ and http://www.example.com:82/. It works,
but it isn't very elegant...
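The two behaviours just described, outbound masquerading and the port remapping for the three inside web servers, are simulated by the following Python class. It is an added example and not IPRoute's or Linux's own code: the gateway's public address 203.0.113.10 and the remote hosts are constructed from the documentation ranges, and the connection table is a simplified model of what a masquerading gateway keeps.

```python
"""IP masquerading and port remapping on a gateway, simulated (added example).

Models the two behaviours described above: outbound connections from several
workstations are rewritten to the gateway's single public address, and a
handful of public ports are remapped to web servers on inside hosts. The
addresses are constructed from the documentation ranges; nothing here is the
real IPRoute implementation.
"""
import itertools
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class Masquerader:
    """Connection-tracking NAT: one public address shared by a whole LAN."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._free_ports = itertools.count(first_port)
        self.forwards: Dict[int, Endpoint] = {}                      # public port -> inside server
        self._out: Dict[Tuple[Endpoint, Endpoint], int] = {}         # (lan client, remote) -> public port
        self._in: Dict[Tuple[int, Endpoint], Endpoint] = {}          # (public port, remote) -> lan client

    def add_port_forward(self, public_port: int, lan_ip: str, lan_port: int) -> None:
        """Static remap of a gateway port to an inside server; a port can be remapped only once."""
        if public_port in self.forwards:
            raise ValueError(f"public port {public_port} already remapped to {self.forwards[public_port]}")
        self.forwards[public_port] = (lan_ip, lan_port)

    def _allocate_port(self) -> int:
        port = next(self._free_ports)
        while port in self.forwards:        # never hand out a port reserved for a server
            port = next(self._free_ports)
        return port

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Rewrite a LAN-originated packet so the remote side only ever sees the gateway."""
        key = (src, dst)
        if key not in self._out:
            port = self._allocate_port()
            self._out[key] = port
            self._in[(port, dst)] = src
        return ((self.public_ip, self._out[key]), dst)

    def translate_inbound(self, src: Endpoint, public_port: int) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Rewrite a packet arriving at the public address, or return None to drop it."""
        client = self._in.get((public_port, src))       # reply to a masqueraded flow?
        if client is not None:
            return (src, client)
        server = self.forwards.get(public_port)         # or a port remapped to an inside server?
        if server is not None:
            return (src, server)
        return None                                      # unsolicited and unmapped: dropped


def demo() -> dict:
    """Two browsers, two web servers, one public address; returns what each side observes."""
    nat = Masquerader("203.0.113.10")                   # constructed public address (TEST-NET-3)
    for public_port, lan_ip in ((80, "192.168.0.2"), (81, "192.168.0.3"), (82, "192.168.0.4")):
        nat.add_port_forward(public_port, lan_ip, 80)

    remote_web = ("198.51.100.5", 80)
    # Both workstations happen to pick the same source port; the gateway must still tell them apart.
    seen_a = nat.translate_outbound(("192.168.0.2", 40000), remote_web)
    seen_b = nat.translate_outbound(("192.168.0.3", 40000), remote_web)
    reply_a = nat.translate_inbound(remote_web, seen_a[0][1])
    visitor = ("198.51.100.9", 51000)
    return {
        "seen_by_remote": (seen_a[0], seen_b[0]),
        "reply_for_a": reply_a,
        "visitor_port_81": nat.translate_inbound(visitor, 81),
        "visitor_port_9999": nat.translate_inbound(visitor, 9999),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The demo shows the point of the text from both sides: the remote web server sees two connections from 203.0.113.10 on different ports and nothing else, an outside visitor on port 81 lands on 192.168.0.3, and a packet to an unmapped port is dropped rather than passed inside, which is why masquerading is so often combined with a firewall.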

Routing vs proxy servers vs IP Masquerading

One of the major problems with using the SOCKS protocol is that it requires
that clients be able to perform name lookups for external addresses, usually
via DNS. This means that as well as implementing a SOCKS server, the proxy
server must also provide a full DNS service to its clients. Additionally, some
protocols do not lend themselves to transport via SOCKS; the FTP protocol,
in non-passive mode, can be particularly difficult. A socket relay server can
usually be used without giving clients access to a DNS server, although this
is not always the case.

If you have several workstation machines which all hit the same web page at
the same time, a caching proxy server may provide better performance
than a system with IP Masquerading. That is because the web pages can be
served from the cache (local hard disk) instead of fetching each of them over
the modem/ISDN link. On the other hand, a caching proxy may require a
more powerful machine with a big hard disk.

Review Questions
i) Describe the structure of an IP- address.
ii) You have been given an IP address 172.16.1.1 determine
i. Network address
ii. The range of addresses you can assign to individual hosts
iii. Broadcast address
iv. Network address
v. Subnet mask

iii) Differentiate between static IP-addressing and dynamic IP-addressing.
iv) What is the function of the /etc/hosts file on a Linux machine?
v) Contrast between routing, proxy server and IP- Masquerading
with respect to routing.
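A worked answer to review question ii, as an added example that is not part of the original notes. The question gives 172.16.1.1 without a subnet mask, so the script assumes the classful default (a class B address, mask 255.255.0.0), which is what such a question conventionally expects; it also checks the 192.168.1.0/24 LAN used in this chapter, and shows why two hosts with a mismatched mask cannot ping each other. It uses only Python's standard ipaddress module.

```python
"""Worked IPv4 subnet arithmetic for review question ii and the LAN above (added example).

Not part of the original notes; it uses Python's standard ipaddress module.
The question gives 172.16.1.1 without a mask, so the classful default mask is
assumed, which is what such a question conventionally expects.
"""
import ipaddress
from typing import Optional


def classful_prefix(address: str) -> int:
    """Default prefix length by address class: A (0-127) /8, B (128-191) /16, C (192-223) /24."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{address} is not a class A, B or C unicast address")


def describe(address: str, prefix_len: Optional[int] = None) -> dict:
    """Network address, assignable host range, broadcast address and mask for an address."""
    if prefix_len is None:
        prefix_len = classful_prefix(address)
    net = ipaddress.IPv4Network(f"{address}/{prefix_len}", strict=False)
    if net.prefixlen >= 31:
        # /31 point-to-point links and /32 host routes have no conventional host range
        first_host = last_host = None
        usable = 0
    else:
        first_host = str(net.network_address + 1)
        last_host = str(net.broadcast_address - 1)
        usable = net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "first_host": first_host,
        "last_host": last_host,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """True if two hosts can reach each other directly without a router."""
    return (ipaddress.IPv4Network(f"{a}/{prefix_len}", strict=False)
            == ipaddress.IPv4Network(f"{b}/{prefix_len}", strict=False))


if __name__ == "__main__":
    for addr, plen in (("172.16.1.1", None), ("192.168.1.1", 24)):
        print(addr, describe(addr, plen))
    print(same_subnet("192.168.1.1", "192.168.1.200", 24))  # one LAN
    print(same_subnet("192.168.1.1", "192.168.1.200", 25))  # a wrong mask splits it
```

For 172.16.1.1 this gives network 172.16.0.0, assignable hosts 172.16.0.1 through 172.16.255.254, broadcast 172.16.255.255 and mask 255.255.0.0. The same_subnet check is the first thing to try when a ping in section 5.10 fails between two hosts whose addresses look right: a netmask typed as 255.255.255.128 on one side puts 192.168.1.200 on a different network from 192.168.1.1.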

CHAPTER SIX: NETWORK SECURITY

Introduction

This chapter discusses security issues regarding TCP/IP networks and provides an
overview of solutions to resolve security problems before they can occur. The
field of network security in general and of TCP/IP security in particular is too
wide to be dealt with in an all encompassing way in this manual, so the focus of
this chapter is on the most common security exposures and measures to
counteract them. Because many, if not all, security solutions are based on
cryptographic algorithms, we also provide a brief overview of this topic for the
better understanding of concepts presented throughout this chapter.

6.1 Security Issues


This section gives an overview of some of the most common attacks on
computer security, and it presents viable solutions to those exposures and lists
actual implementations.

6.1.1 Common Attacks


For thousands of years, people have been guarding the gates to where they store
their treasures and assets. Failure to do so usually resulted in being robbed,
neglected by society or even killed. Though things are usually not as dramatic
anymore, they can still become very bad. Modern day I/T managers have realized
that it is equally important to protect their communications networks against
intruders and saboteurs from both inside and outside. We do not have to be
overly paranoid to find some good reasons why this is the case:

 Wire tapping: listening on a link to get access to cleartext data and passwords

 Impersonation: to get unauthorized access to data or to
create unauthorized e-mails, orders, etc.

 Denial-of-service: to render network resources non-functional

 Replay of messages: to get access to and change information in transit

 Guessing of passwords: to get access to information and services that
would normally be denied (dictionary attack)

 Guessing of keys: to get access to encrypted data and passwords (brute-
force attack, chosen ciphertext attack, chosen plaintext attack)

 Viruses, trojan horses and logic bombs: to destroy data

Though these attacks are not exclusively specific to TCP/IP networks, they
should be considered potential threats by anyone who is going to base his/her
network on TCP/IP, which is what the majority of enterprises, organizations and
small businesses around the world are doing today. Attackers (hackers, or more
precisely crackers) know this too, and hence find easy prey.

6.1.2 Observing the Basics


Before even thinking about implementing advanced security techniques, you should
make sure that basic security rules are in place:
Passwords: Make sure that passwords are enforced to be of a minimum length
(typically six to eight characters), to contain at least one numeric character, to
be different from the user ID to which they belong, and to be changed at least
once every two months.
User IDs: Make sure that every user has a password and that users are locked out
after several logon attempts with wrong passwords (typically five attempts).
Keep the passwords to superuser accounts (root, supervisor, administrator, maint,
etc.) among a very limited circle of trusted system, network and security
administrators.
System defaults: Make sure that default user IDs are either disabled or have
passwords that adhere to the minimum requirements stated above. Likewise,
make sure that only those services are enabled that are required for a system
to fulfill its designated role.
Physical access: Make sure that access to the locations where your systems
and users physically reside is controlled appropriately. Information security
begins at the receptionist, not at the corporate firewall.
Help desk: Make sure that callers are properly identified by help desk
representatives or system administrators before they give out "forgotten"
passwords or user IDs. Social engineering is often the first step of an attack on
a computer network.

6.2 Solutions to Security Issues


With the same zealousness that intruders search for a way to get into someone's
computer network, the owners of such networks should, and most likely will, try
to protect themselves. Taking on the exposures mentioned earlier, here are some
solutions to effectively defend yourself against an attack. It has to be noted that
each of those solutions solves only a single or just a very limited number of
security problems. Therefore, a combination of several such solutions should be
considered in order to guarantee a certain level of safety and security.

 Encryption: to protect data and passwords

 Authentication and authorization: to prevent improper access

 Integrity checking and message authentication codes (MACs): to protect
against the improper alteration of messages

 Non-repudiation: to make sure that an action cannot be denied by the
person who performed it

 Digital signatures and certificates: to ascertain a party's identity

 Frequent key refresh, strong keys and prevention of deriving future keys: to
protect against breaking of keys (cryptanalysis)

 Address concealment: to protect against denial-of-service attacks

 Content inspection: to check application-level data for malicious
content before delivering it into the secure network

Summary Security Exposures and Protections

Problem / Exposure: How to make break-ins into my network as difficult as
possible?
Remedy: Install a combination of security technologies for networks as well as
for applications.
Available Technologies: Firewalls (IP filtering + proxy servers + SOCKS + IPSec,
etc.). Antivirus + content inspection + intrusion detection software. No system
defaults + enforced password policies. Passwords for every user and every
service/application + ACLs. Extensive logging + alerting + frequent log
audits/analysis. No unauthorized dial-in + callback.

Problem / Exposure: How to protect against viruses, trojan horses, logic bombs,
etc.?
Remedy: Restrict access to outside sources. Run antivirus software on every
server and workstation. Run content-screening software on your gateways for
application data (mail, files, Web pages, etc.) and mobile code (Java, ActiveX,
etc.). Update that software frequently.
Available Technologies: IBM/Norton AntiVirus, etc. Content Technologies'
MIMESweeper and WebSweeper, etc. Finjan Surfingate, etc.

Problem / Exposure: How to prevent the improper use of services by otherwise
properly authenticated users?
Remedy: Use a multi-layer access control model based on ACLs.
Available Technologies: Application security (DBMS, Web servers, Lotus Notes,
etc.). Server file systems (UNIX, NTFS, NetWare, HPFS-386, etc.). System
security services (RACF, DCE, UNIX, NT, etc.).

Problem / Exposure: How to obtain information on possible security exposures?
Remedy: Observe security directives by organizations such as CERT and your
hardware and software vendors.
Available Technologies: http://www.cert.org

Problem / Exposure: How to make sure that only those people that you want can
dial into your network?
Remedy: Use access control at link establishment by virtue of central
authentication services, two-factor authentication, etc.
Available Technologies: RADIUS (optionally using Kerberos, RACF, etc.), TACACS.
Security Dynamics' SecurID ACE/Server, etc.

Problem / Exposure: How do you know that your system has been broken into?
Remedy: Use extensive logging and examine logs frequently. Use intrusion
detection programs.
Available Technologies: Application/service access logs (Lotus Notes, DB2/UDB,
Web servers, etc.). System logs (UNIX, Windows NT, AS/400, etc.). Firewall logs
and alerting (IBM firewalls, etc.). Systems management and alerting (Tivoli,
etc.).

Problem / Exposure: How to prevent wire tappers from reading messages?
Remedy: Encrypt messages, typically using a shared secret key. (Secret keys
offer a tremendous performance advantage over public/private keys.)
Available Technologies: SET, SSL, IPSec, Kerberos, PPP

6.3 The Need for a Security Policy

It is important to point out that you cannot implement security if you have not
decided what needs to be protected and from whom. You need a security policy,
a list of what you consider allowable and what you do not consider allowable,
upon which to base any decisions regarding security. The policy should also
determine your response to security violations.
An organization's overall security policy must be determined according to
security analysis and business requirements analysis. Since a firewall, for
instance, relates to network security only, a firewall has little value unless the
overall security policy is properly defined. The following questions should provide
some general guidelines:
 Exactly who do you want to guard against?

 Do remote users need access to your networks and systems?

 How do you classify confidential or sensitive information?

 Do the systems contain confidential or sensitive information?

 What will the consequences be if this information is leaked to
your competitors or other outsiders?

 Will passwords or encryption provide enough protection?

 How much access do you want to allow to your systems from the Internet
and/or users outside your network (business partners, suppliers, corporate
affiliates, etc.)?

 What action will you take if you discover a breach in your security?

 Who in your organization will enforce and supervise this policy?

This list is short, and your policy will probably encompass a lot more before it is
complete. Perhaps the very first thing you need to assess is the depth of your
paranoia. Any security policy is based on how much you trust people, both inside
and outside your organization. The policy must, however, provide a balance
between allowing your users reasonable access to the information they require to
do their jobs, and totally disallowing access to your information. The point where
this line is drawn will determine your policy.

6.3.1 Network Security Policy

If you connect your system to the Internet then you can safely assume that your
network is potentially at risk of being attacked. Your gateway or firewall is your
greatest exposure, so the following is recommended:

 The gateway should not run any more applications than are absolutely
necessary (for example, proxy servers and logging), because every
application has defects that can be exploited.

 The gateway should strictly limit the type and number of protocols allowed
to flow through it, or terminate connections at the gateway from either side,
because every protocol potentially provides security holes.

 Any system containing confidential or sensitive information should not
be directly accessible from the outside.

 Generally, anonymous access should at best be granted to servers in a
demilitarized zone.

 All services within a corporate intranet should require at least password
authentication and appropriate access control.

 Direct access from the outside should always be authenticated
and accounted.

 The network security policy defines those services that will be explicitly
allowed or denied, how these services will be used and the exceptions to
these rules.

 Every rule in the network security policy should be implemented on a
firewall and/or Remote Access Server (RAS). Generally, a firewall uses
one of the following two methods.

6.3.2 Everything not specifically permitted is denied.

This approach blocks all traffic between two networks except for those services and applications that are explicitly permitted. Therefore, each desired service and application has to be implemented one by one, and no service or application that might be a potential hole in the firewall is permitted. This is the most secure method: services and applications are denied unless explicitly allowed by the administrator. On the other hand, from the users' point of view it is more restrictive and less convenient.

6.3.3 Everything not specifically denied is permitted.

This approach allows all traffic between two networks except for those services and applications that are explicitly denied. Therefore, each untrusted or potentially harmful service or application has to be denied one by one, and anything the administrator did not think of, including services that appear after the rule set was written, is allowed through. Although this is a flexible and convenient method for the users, it can cause serious security problems.
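The difference between the two methods is easiest to see by running the same packets through both. The following Python evaluator is an added example, not part of the course notes: the first-match rule engine, the DMZ addresses (203.0.113.0/24 is a documentation range), the rule lists and the sample packets are all constructed for this illustration. The third packet, a database port that neither administrator listed, is where the two policies diverge.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source network, any by default
    dst: str = "0.0.0.0/0"        # destination network, any by default
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], default_policy: str, p: Packet) -> str:
    """First-match evaluation: the first rule that matches decides; if none
    matches, the default policy decides. The default policy is the whole
    difference between sections 6.3.2 and 6.3.3."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default_policy


# Constructed scenario: Internet-facing firewall in front of DMZ 203.0.113.0/24
DMZ_NET = "203.0.113.0/24"
DMZ_WEB = "203.0.113.10/32"

# 6.3.2 Everything not specifically permitted is denied: list what is needed, one by one.
DEFAULT_DENY_RULES = [
    Rule("permit", dst=DMZ_WEB, proto="tcp", dport=80),
    Rule("permit", dst=DMZ_WEB, proto="tcp", dport=443),
]

# 6.3.3 Everything not specifically denied is permitted: list what is known to be harmful.
DEFAULT_PERMIT_RULES = [
    Rule("deny", dst=DMZ_NET, proto="tcp", dport=23),    # telnet, cleartext logins
    Rule("deny", dst=DMZ_NET, proto="tcp", dport=445),   # SMB
]


def compare_policies(p: Packet) -> Dict[str, str]:
    """Run the same packet through both firewall styles."""
    return {
        "default_deny": evaluate(DEFAULT_DENY_RULES, "deny", p),
        "default_permit": evaluate(DEFAULT_PERMIT_RULES, "permit", p),
    }


if __name__ == "__main__":
    outsider = "198.51.100.7"
    for pkt in (Packet(outsider, "203.0.113.10", "tcp", 443),    # the public web service
                Packet(outsider, "203.0.113.10", "tcp", 23),     # telnet
                Packet(outsider, "203.0.113.10", "tcp", 3306)):  # a database port nobody listed
        print(pkt.dport, compare_policies(pkt))
```

For port 443 and port 23 both rule sets agree. For port 3306 the default-deny firewall drops the packet because nobody permitted it, while the default-permit firewall passes it because nobody thought to deny it; that unlisted service is exactly the "serious security problem" the text warns about.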
Remote access servers should provide authentication of users and should ideally
also provide for limiting certain users to certain systems and/or networks
within the corporate intranet (authorization). Remote access servers must also
determine if a user is considered roaming (can connect from multiple remote
locations) or stationary (can connect only from a single remote location), and if
the server should use callback for particular users once they are properly
authenticated.

6.4 Incorporating Security into Your Network Design

You have seen throughout previous chapters that the design of an IP network is
sometimes exposed to environmental and circumstantial influences that dictate
certain topologies or strongly favor one design approach over another. One such
influential topic is IP security.

6.4.1 Expecting the Worst, Planning for the Worst


In general, network administrators tend to either overemphasize or neglect
security aspects when designing their networks. It is very important that you do
not follow either of those cases but take great care that the security measures
you need to implement in your network match those specified in your overall
security policy. Once a security policy is in place, adequate technologies and their
impact on the network design can be discussed.
However, if in doubt, expect the worst and add one more layer of security. You can
remove it later if a thorough investigation reveals that it is not required. Do not
trade in security for availability or performance unless you can really justify it.
It helps to divide your network into three major zones in order to define a more
detailed security policy and the designs required to implement them at the right
points within the network. Those zones are described below:
Core Network: This is the network where your business-critical applications and
their supporting systems are located. This part of the network requires maximum
protection from the outside and is usually also kept apart from internal users as an
additional layer of protection.
Perimeter Network: This is the network where your public resources are located.
These include Web and FTP servers but also application gateways and systems that
provide specialized security functions, such as content inspection, virus protection
and intrusion detection. This part of the network is typically secured from the
outside as well as the inside to provide maximum isolation of the traffic in this
network. This part of the network may also contain internal users.
Access Network: This is the network, whether private, public or virtual, leased
or dial-up, that is used by the outside to access your network and its services and
applications. This network is typically secured to the outside only.

Review Questions
i) What is network security?
ii) Describe three security compromises that can be performed on data.
iii) Explain why it is necessary for an organization to have a network security
policy.
iv) Explain how a firewall works to enforce a security policy.
v) You are network administrator in an organization. How will you know that
the network has been broken into? What will you do?
vi) How does a security plan differ from a security policy?
vii) Why is it important to achieve buy-in from users, managers, and technical
staff for the security policy?
viii) What are some methods for keeping hackers from viewing and
changing router and switch configuration information?
ix) How can a network manager secure a wireless network?

CHAPTER SEVEN: TROUBLESHOOTING NETWORK PROBLEMS
7.1 Introduction

Troubleshooting is the process of identifying and resolving common network problems. If a computer is unable to connect to a network or to see other computers on a network, for instance, it may be necessary to troubleshoot the network. A network may not work because of any of the reasons below.

1. Network card not connected properly.


2. Bad network card drivers or software settings.
3. Firewall preventing computers from seeing each other.
4. Connection related issues.
5. Bad network hardware.

Because of the large variety of network configurations, operating systems, setups, etc., not all of the information below may apply to your network or operating system. If your computer is connected to a company or large network, or you are not the administrator of the network, and you are unable to resolve your issues after following the recommendations below, contact the network administrator or company representative.

7.2 Basic Troubleshooting

• Verify connections / LEDs. Verify that the network cable is properly connected to the back of the computer. In addition, when checking the connection of the network cable, ensure that the LEDs on the network card are properly illuminated. For example, a network card with a solid green LED usually indicates that the card is connected and receiving a signal. Note: generally, a flashing green light indicates that data is being sent or received.

If, however, the card has no lights, or has orange or red lights, it is possible that the card is bad, that it is not connected properly, or that it is not receiving a signal from the network.

• If you are on a small or local network and are able to check the hub or switch, verify that the cables are properly connected and that the hub or switch has power.

• Verify that the computer can reach itself by using the ping command. Windows / MS-DOS users ping the computer from an MS-DOS prompt; Unix / Linux users ping it from the shell. To ping the localhost, type either ping 127.0.0.1 or ping localhost. A reply here only proves that the local TCP/IP stack is working; it says nothing about the network card, the cable or the network beyond the machine.

• If your network uses a firewall, ensure that all required ports are open. If possible, temporarily stop the firewall software or take the computer off the firewalled segment to confirm that the firewall is not causing the problem, and re-enable it as soon as the test is finished.
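The last two checks can be scripted. The Python below is an added example, not from the course notes; the function names and the sample host 192.0.2.10 with ports 22, 80 and 443 are constructed for the illustration. loopback_self_test is the TCP counterpart of ping 127.0.0.1 (it exercises only the local stack), and check_required_ports is the "are the required ports open" step run from the client side: a refused or timed-out connection means the service is down, nothing is listening, or a firewall in between is dropping or rejecting the traffic.

```python
import socket
from contextlib import closing
from typing import Dict, Iterable


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:          # ECONNREFUSED, timeout, unreachable network, ...
        return False


def check_required_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, bool]:
    """Probe every required port on a host; the result maps port -> reachable."""
    return {p: tcp_port_open(host, p, timeout) for p in ports}


def loopback_self_test() -> bool:
    """Open a throwaway listener on 127.0.0.1 and connect to it. Like
    'ping 127.0.0.1' this only proves the local TCP/IP stack works, not the
    network card or the cable."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))        # port 0: the OS picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        return tcp_port_open("127.0.0.1", port, timeout=1.0)


def unused_loopback_port() -> int:
    """Return a loopback port nothing is listening on, to show what a closed
    port looks like to tcp_port_open."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]        # socket is closed on exit, so the port is free again


if __name__ == "__main__":
    print("loopback self-test:", loopback_self_test())
    # Constructed example: ports a LAN web server would be expected to answer on
    print(check_required_ports("192.0.2.10", [22, 80, 443], timeout=0.5))
```

If the loopback test fails, nothing else on the machine's network stack is worth debugging until that is fixed; if it passes but the required ports on the remote host do not, the fault lies in the cable, the switch, the remote service or a firewall, which is the order in which the steps above examine them.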

7.3 Network Management

Network management refers to the activities, methods, procedures, and tools that
pertain to the operation, administration, maintenance, and provisioning of
networked systems.

There exists a wide variety of software and hardware products that help network
system administrators manage a network. Network management covers a wide
area, including:

Security: Ensuring that the network is protected from unauthorized users.
Performance: Eliminating bottlenecks in the network.
Reliability: Making sure the network is available to users and responding to hardware and software malfunctions.

Network management involves keeping an eye on the following:

Network Operations: keeping the network (and the services that the network provides) up and running smoothly. It includes monitoring the network to spot problems as soon as possible, ideally before users are affected.
Administration: keeping track of resources in the network and how they are assigned.
Maintenance: performing repairs and upgrades. Maintenance also involves corrective and preventive measures to make the managed network run "better".
Provisioning: configuring resources in the network to support a given service.

We monitor:
• Systems and services: available, reachable
• Resources: expansion planning, maintaining availability
• Performance: round-trip time, throughput
• Changes and configurations: documentation, revision control, logging

We keep track of:
• Statistics: for purposes of accounting and metering
• Faults (including intrusion detection): detection of issues; troubleshooting issues and tracking their history
  – Ticketing systems are good at this
  – Help desks are a useful, even critical, component

7.4 Expectations

A network in operation needs to be monitored in order to deliver the projected SLAs (Service Level Agreements). SLAs depend on policy:
• What does your management expect?
• What do your users expect?
• What do your customers expect?
• What does the rest of the Internet expect?

7.5 Functional Areas of Network Management


The International Organization for Standardization (ISO) Network
Management forum divided network management into five functional areas:
– Fault Management
– Configuration Management
– Security Management
– Performance Management
– Accounting Management

7.5.1 Fault Management

Fault management is the process of locating problems, or faults, on the data network. It involves the following steps:
– Discover the problem
– Isolate the problem
– Fix the problem (if possible)

7.5.2 Configuration Management

The configuration of certain network devices controls the behaviour of the data network. Configuration management is the process of finding and setting up (configuring) these critical devices, and of tracking the changes made to them.

7.5.3 Security Management

Security management is the process of controlling access to information on the data network. It provides a way to monitor access points and record information on a periodic basis, provides audit trails, and raises alarms for security breaches.

7.5.4 Performance Management

Performance management involves measuring the performance of the network hardware, software and media. Examples of measured quantities are:
– Overall throughput
– Percentage utilization
– Error rates
– Response time

7.5.5 Accounting Management

Accounting management involves tracking individuals' use of network resources and grouping resources to ensure that users have sufficient resources. It also involves granting or removing permission for access to the network.

Review Questions
i) what is the first thing you will do if you discover your computer is not
connecting?
ii) What is network management? Why do networks need to be managed?
iii) Describe the five functional areas of network management.

CHAPTER EIGHT: DISASTER RECOVERY
8.1 Introduction

The fundamental precept of information security is to support the mission of the organization. All organizations are exposed to uncertainties, some of which impact the organization in a negative manner. In order to support the organization, IT security professionals must be able to help their organizations' management understand and manage these uncertainties.
Managing uncertainties is not an easy task. Limited resources and an ever-
changing landscape of threats and vulnerabilities make completely mitigating all
risks impossible. Therefore, network security professionals must have a toolset to
assist them in sharing a commonly understood view with IT and business managers
concerning the potential impact of various network security related
threats to the mission. This toolset needs to be consistent, repeatable, cost-
effective and reduce risks to a reasonable level.
Risk management is nothing new. There are many tools and techniques available
for managing organizational risks. There are even a number of tools and
techniques that focus on managing risks to information systems. This chapter
explores the issue of risk management with respect to information systems and
seeks to answer the following questions:
• What is risk with respect to information systems?
• Why is it important to understand risk?
• How is risk assessed?
• How is risk managed?
• What are some common risk assessment/management methodologies
and tools?

8.2 What Is Risk With Respect To Network Systems?
Risk is the potential harm that may arise from some current process or from
some future event.
Risk is present in every aspect of our lives and many different disciplines focus on
risk as it applies to them. From the network security perspective, risk management
is the process of understanding and responding to factors that may lead to a failure
in the confidentiality, integrity or availability of an information system. Network
security risk is the harm to a process or the related information resulting from
some purposeful or accidental event that negatively impacts the process or the
related information.
Risk is a function of the likelihood of a given threat-source’s exercising a
particular potential vulnerability, and the resulting impact of that adverse event
on the organization.
Threat: The potential for a threat source to exercise (accidentally trigger
or intentionally exploit) a specific vulnerability.
Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability, or (2) a situation and method that may accidentally trigger a vulnerability. The threat is merely the potential for the exercise of a particular vulnerability. Threats in themselves are not actions. Threats must be coupled with threat-sources to become dangerous.
This is an important distinction when assessing and managing risks, since each threat-source may be associated with a different likelihood, which, as will be demonstrated, affects risk assessment and risk management. It is often expedient to incorporate threat-sources into threats. Section 8.4.3 lists some (but not all) of the possible threat-sources to information systems.
Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. Notice that the vulnerability can be a flaw or weakness in any aspect of the system. Vulnerabilities are not merely flaws in the technical protections provided by the system.

Significant vulnerabilities are often contained in the standard operating procedures that systems administrators perform, the process that the help desk uses to reset passwords, or inadequate log review. Another area where vulnerabilities may be identified is at the policy level. For instance, a lack of a clearly defined security testing policy may be directly responsible for the lack of vulnerability scanning.
Here are a few examples of vulnerabilities related to contingency planning/disaster recovery:

• Not having clearly defined contingency directives and procedures
• Lack of a clearly defined, tested contingency plan
• The absence of adequate formal contingency training
• Lack of information (data and operating system) backups
• Inadequate information system recovery procedures for all processing areas (including networks)
• Not having alternate processing or storage sites
• Not having alternate communication services

8.3 Why Is It Important to Manage Risk?


The principal reason for managing risk in an organization is to protect the mission and assets of the organization. Therefore, risk management must be a management function rather than a technical function.
It is vital to manage risks to systems. Understanding risk, and in particular,
understanding the specific risks to a system allow the system owner to protect the
information system commensurate with its value to the organization. The fact is
that all organizations have limited resources and risk can never be reduced to zero.
So, understanding risk, especially the magnitude of the risk, allows organizations to
prioritize scarce resources.

8.4 Risk Assessment


Risk is assessed by identifying threats and vulnerabilities, then determining the likelihood and impact for each risk. It's easy, right? Unfortunately, risk assessment is a complex undertaking, usually based on imperfect information. There are many methodologies aimed at allowing risk assessment to be repeatable and give consistent results.

8.4.1 Quantitative Risk Assessment


Quantitative risk assessment draws upon methodologies used by financial
institutions and insurance companies. By assigning values to information,
systems, business processes, recovery costs, etc., impact, and therefore risk, can
be measured in terms of direct and indirect costs.
Mathematically, quantitative risk can be expressed as Annualized Loss Expectancy (ALE). ALE is the monetary loss that can be expected for an asset due to a risk being realized over a one-year period:

ALE = SLE × ARO

Where:
• SLE (Single Loss Expectancy) is the value of a single loss of the asset. This may or may not be the entire asset. This is the impact of the loss.
• ARO (Annualized Rate of Occurrence) is how often the loss occurs per year. This is the likelihood.

Beyond this simple product the mathematics gets complicated very quickly, involving statistical techniques that are beyond the scope of this discussion.
While utilizing quantitative risk assessment seems straightforward and logical,
there are issues with using this approach with information systems. While the
cost of a system may be easy to define, the indirect costs, such as value of the
information, lost production activity and the cost to recover is imperfectly known
at best. Moreover, the other major element of risk, likelihood, is often even less
perfectly known. For example, what is the likelihood that someone will use social
engineering to gain access to a user account on the accounting system?
Therefore, a large margin of error is typically inherent in quantitative risk
assessments for information systems. This might not always be the case in the
future. As the body of statistical evidence becomes available, trends can be
extrapolated on past experience. Insurance companies and financial institutions
make excellent use of such statistics to ensure that their quantitative risk
assessments are meaningful, repeatable and consistent.

Typically, it is not cost-effective to perform a quantitative risk assessment for an IT system, due to the relative difficulty of obtaining accurate and complete information. However, if the information is deemed reliable, a quantitative risk assessment is an extremely powerful tool to communicate risk to all levels of management.

8.4.2 Qualitative Risk Assessment


Qualitative risk assessments assume that there is already a great degree of
uncertainty in the likelihood and impact values and defines them, and thus risk,
in somewhat subjective or qualitative terms. Similar to the issues in quantitative
risk assessment, the great difficulty in qualitative risk assessment is defining the
likelihood and impact values. Moreover, these values need to be defined in a
manner that allows the same scales to be consistently used across multiple risk
assessments.
The results of qualitative risk assessments are inherently more difficult to communicate concisely to management. Qualitative risk assessments typically give risk results of "High", "Moderate" and "Low". However, by providing the impact and likelihood definition tables and the description of the impact, it is possible to adequately communicate the assessment to the organization's management.

8.4.3 Identifying Threats


As was alluded to in the section on threats, both threat-sources and threats must be identified. Threats should include the threat-source to ensure accurate assessment.
Some common threat-sources include:
• Natural Threats – floods, earthquakes, hurricanes
• Human Threats – threats caused by human beings, including both unintentional actions (inadvertent data entry) and deliberate actions (network-based attacks, virus infection, unauthorized access)
• Environmental Threats – power failure, pollution, chemicals, water damage
It is valuable to compile a list of threats that are present across the
organization and use this list as the basis for all risk management activities. As a
major consideration of risk management is to ensure consistency and
repeatability, an organizational threat list is invaluable.

8.4.4 Identifying Vulnerabilities


Vulnerabilities can be identified by numerous means. Different risk management
schemes offer different methodologies for identifying vulnerabilities. In general,
start with commonly available vulnerability lists or control areas. Then, working
with the system owners or other individuals with knowledge of the system or
organization, start to identify the vulnerabilities that apply to the system. Specific
vulnerabilities can be found by reviewing vendor web sites and public vulnerability
archives, such as Common Vulnerabilities and Exposures (CVE -
http://cve.mitre.org) or the National Vulnerability Database (NVD -
http://nvd.nist.gov). If they exist, previous risk assessments and audit reports are
the best place to start.
Additionally, while the following tools and techniques are typically used to evaluate the effectiveness of controls, they can also be used to identify vulnerabilities:
• Vulnerability Scanners – Software that can examine an operating system, network application or code for known flaws by comparing the system (or system responses to known stimuli) to a database of flaw signatures. A scanner only finds what is in its signature database, so a clean scan is not proof that no vulnerabilities exist.
• Penetration Testing – An attempt by human security analysts to exercise threats against the system. This includes operational vulnerabilities, such as social engineering.
• Audit of Operational and Management Controls – A thorough review of operational and management controls by comparing the current documentation to best practices (such as ISO 17799, since renumbered ISO/IEC 27002) and by comparing actual practices against current documented processes.
It is invaluable to have a base list of vulnerabilities that are always considered during
every risk assessment in the organization. This practice ensures at least a minimum
level of consistency between risk assessments. Moreover, vulnerabilities
discovered during past assessments of the system should be included in all future
assessments. Doing this allows management to understand that past risk
management activities have been effective.

8.4.5 Relating Threats to Vulnerabilities


One of the more difficult activities in the risk management process is to relate
a threat to a vulnerability. Nonetheless, establishing these relationships is a
mandatory activity, since risk is defined as the exercise of a threat against a
vulnerability. This is often called threat-vulnerability (T-V) pairing. Once again,
there are many techniques to perform this task.
Not every threat-action/threat can be exercised against every vulnerability. For instance, a threat of "flood" obviously applies to a vulnerability of "lack of contingency planning", but not to a vulnerability of "failure to change default authenticators". While logically it seems that a standard set of T-V pairs would be widely available and used, there currently is not one readily available. This may be due to the fact that threats and especially vulnerabilities are constantly being discovered and that the T-V pairs would change fairly often.
Nonetheless, an organizational standard list of T-V pairs should be established and
used as a baseline. Developing the T-V pair list is accomplished by reviewing the
vulnerability list and pairing a vulnerability with every threat that applies, then
by reviewing the threat list and ensuring that all the vulnerabilities that that
threat-action/threat can act against have been identified. For each system, the
standard T-V pair list should then be tailored.

8.4.6 Defining Likelihood


Determining likelihood is fairly straightforward. It is the probability that a threat
caused by a threat-source will occur against a vulnerability. In order to ensure that
risk assessments are consistent, it is an excellent idea to utilize a standard
definition of likelihood on all risk assessments.

8.4.7 Sample Likelihood Definitions

Low       0-25% chance of successful exercise of the threat during a one-year period
Moderate  26-75% chance of successful exercise of the threat during a one-year period
High      76-100% chance of successful exercise of the threat during a one-year period
The most important thing is to make sure that the definitions are consistently used,
clearly communicated, agreed upon and understood by the team performing the
assessment and by organizational management.

8.4.8 Defining Impact


In order to ensure repeatability, impact is best defined in terms of impact upon
availability,impact upon integrity and impact upon confidentiality.Sample Impact
Definitions illustrates a workable approach to evaluating impact by focusing
attention on the three aspects of information security. However, in order to be
meaningful, reusable and easily communicated, specific ratings should be
produced for the entire organization.
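Sections 8.4.5 to 8.4.8 together describe one procedure: pair each threat with the vulnerabilities it can act on, rate likelihood on the organization's standard scale, rate impact on confidentiality, integrity and availability, and combine the two into a risk level. The Python below is an added example (not from the course notes) that carries a few constructed findings through that procedure. The threat list, vulnerability list and T-V pairs are constructed; the likelihood bands are the sample definitions of 8.4.7; the "worst of C/I/A" rule for overall impact and the 3×3 risk matrix are assumptions, since the notes say each organization must fix its own.

```python
from dataclasses import dataclass
from typing import Dict

LEVELS = ("Low", "Moderate", "High")

# Organizational threat list (8.4.3) and vulnerability list (8.4.4): constructed here
THREATS = {
    "flood": "natural",
    "external attacker": "human (deliberate)",
    "power failure": "environmental",
}
VULNERABILITIES = {
    "lack of contingency planning",
    "failure to change default authenticators",
    "no uninterruptible power supply",
}

# Baseline threat-vulnerability (T-V) pairs (8.4.5). A flood applies to missing
# contingency planning but not to default passwords, as the notes say.
TV_PAIRS = {
    ("flood", "lack of contingency planning"),
    ("power failure", "lack of contingency planning"),
    ("power failure", "no uninterruptible power supply"),
    ("external attacker", "failure to change default authenticators"),
}


def pairing_is_valid(threat: str, vulnerability: str) -> bool:
    """True only for pairs on the organization's baseline T-V list."""
    return (threat in THREATS and vulnerability in VULNERABILITIES
            and (threat, vulnerability) in TV_PAIRS)


def likelihood_level(p_annual: float) -> str:
    """Sample likelihood definitions of 8.4.7, applied to the estimated
    probability of successful exercise within one year."""
    if not 0.0 <= p_annual <= 1.0:
        raise ValueError("p_annual must be a probability between 0 and 1")
    if p_annual <= 0.25:
        return "Low"
    if p_annual <= 0.75:
        return "Moderate"
    return "High"


def impact_level(confidentiality: str, integrity: str, availability: str) -> str:
    """Impact is rated per C, I and A (8.4.8). Combination rule (an assumption,
    the notes leave it open): overall impact is the worst of the three."""
    for lvl in (confidentiality, integrity, availability):
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level {lvl!r}")
    return max((confidentiality, integrity, availability), key=LEVELS.index)


# Risk matrix, (likelihood, impact) -> risk. An assumption; adopt your own.
RISK_MATRIX = {
    ("Low", "Low"): "Low",        ("Low", "Moderate"): "Low",           ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",   ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate",  ("High", "Moderate"): "High",         ("High", "High"): "High",
}


@dataclass(frozen=True)
class Finding:
    threat: str
    vulnerability: str
    p_annual: float        # estimated probability of successful exercise per year
    confidentiality: str   # impact levels, each one of LEVELS
    integrity: str
    availability: str


def rate(f: Finding) -> Dict[str, str]:
    """Rate one finding; refuses T-V pairs that are not on the baseline list."""
    if not pairing_is_valid(f.threat, f.vulnerability):
        raise ValueError(f"{f.threat!r} cannot be exercised against {f.vulnerability!r}")
    lik = likelihood_level(f.p_annual)
    imp = impact_level(f.confidentiality, f.integrity, f.availability)
    return {"likelihood": lik, "impact": imp, "risk": RISK_MATRIX[(lik, imp)]}


if __name__ == "__main__":
    # Constructed findings for a small office
    findings = [
        Finding("external attacker", "failure to change default authenticators", 0.80, "High", "High", "Moderate"),
        Finding("flood", "lack of contingency planning", 0.05, "Low", "Low", "High"),
        Finding("power failure", "no uninterruptible power supply", 0.50, "Low", "Moderate", "Moderate"),
    ]
    for f in findings:
        print(f.threat, "->", f.vulnerability, rate(f))
```

Keeping the bands, the combination rule and the matrix in one place is what makes the assessment repeatable: two assessors who agree on the inputs get the same High/Moderate/Low, and the tables can be shown to management alongside the result, as 8.4.2 recommends.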

8.4.9 How Is Risk Managed?


Recall that the purpose of assessing risk is to assist management in determining
where to direct resources. There are four basic strategies for managing risk:
mitigation, transference, acceptance and avoidance. Each will be discussed below.
For each risk in the risk assessment report, a risk management strategy must be
devised that reduces the risk to an acceptable level for an acceptable cost. For
each risk management strategy, the cost associated with the strategy and the
basic steps for achieving the strategy (known as the Plan Of Action & Milestones or
POAM) must also be determined.
Mitigation is the most commonly considered risk management strategy. Mitigation
involves fixing the flaw or providing some type of compensatory control to reduce
the likelihood or impact associated with the flaw. A common mitigation for a
technical security flaw is to install a patch provided by the vendor. Sometimes
the process of determining mitigation strategies is called control analysis.
Transference
Transference is the process of allowing another party to accept the risk on your
behalf. This is not widely done for IT systems, but everyone does it all the time in
their personal lives. Car, health and life insurance are all ways to transfer risk. In
these cases, risk is transferred from the individual to a pool of insurance holders,
including the insurance company. Note that this does not decrease the likelihood or
fix any flaws, but it does reduce the overall impact (primarily financial) on the
organization.

Acceptance
Acceptance is the practice of simply allowing the system to operate with a known
risk. Many low risks are simply accepted. Risks that have an extremely high cost to
mitigate are also often accepted. Beware of high risks being accepted by
management. Ensure that this strategy is in writing and accepted by the
manager(s) making the decision. Often risks are accepted that should not have
been accepted, and then when the penetration occurs, the IT security personnel
are held responsible. Typically, business managers, not IT security personnel, are
the ones authorized to accept risk on behalf of an organization.
Avoidance
Avoidance is the practice of removing the vulnerable aspect of the system or even
the system itself. For instance, during a risk assessment, a website was uncovered
that let vendors view their invoices, using a vendor ID embedded in the HTML file
name as the identification and no authentication or authorization per vendor.
When notified about the web pages and the risk to the organization, management
decided to remove the web pages and provide vendor invoices via another
mechanism. In this case, the risk was avoided by removing the vulnerable web
pages.

8.4.10 Communicating Risks and Risk Management Strategies


Risk must also be communicated. Once risk is understood, risks and risk
management strategies must be clearly communicated to organizational
management in terms easily understandable to organizational management.
Managers are used to managing risk, they do it every day. So presenting risk in a
way that they will understand is key. Do not try to use "fear, uncertainty and doubt". Instead, present risk in terms of likelihood and impact. The more concrete the terms are, the more likely organizational management will understand and accept the findings and recommendations.
With a quantitative risk assessment methodology, risk management decisions are
typically based on comparing the costs of the risk against the costs of risk
management strategy. A return on investment (ROI) analysis is a powerful tool to
include in the risk assessment report. This is a tool commonly used in business to
justify taking or not taking a certain action. Managers are very familiar with
using ROI to make decisions.
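The ALE formula of 8.4.1 and the ROI comparison described here fit together in a few lines. The Python below is an added example, not from the course notes: it computes ALE before and after a candidate control, the annual loss avoided, the net benefit and the ROI, and then maps the numbers onto the four strategies of 8.4.9. The ransomware figures, the two controls and the decision rule in recommend (mitigate if some control pays for itself, accept if the ALE is under a written threshold, otherwise escalate to transference or avoidance) are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # Single Loss Expectancy: cost of one occurrence (impact)
    aro: float   # Annualized Rate of Occurrence: occurrences per year (likelihood)

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy, ALE = SLE x ARO (section 8.4.1)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # purchase amortized per year plus operating cost
    sle_after: float     # residual SLE once the control is in place
    aro_after: float     # residual ARO once the control is in place


def control_value(risk: Risk, ctrl: Control) -> Dict[str, float]:
    """Cost of the risk versus cost of the mitigation (8.4.10):
    loss avoided = ALE before - ALE after; net benefit = loss avoided - control cost;
    ROI = net benefit / control cost."""
    ale_after = ctrl.sle_after * ctrl.aro_after
    loss_avoided = risk.ale - ale_after
    net_benefit = loss_avoided - ctrl.annual_cost
    roi = net_benefit / ctrl.annual_cost if ctrl.annual_cost > 0 else float("inf")
    return {
        "ale_before": risk.ale,
        "ale_after": ale_after,
        "loss_avoided": loss_avoided,
        "net_benefit": net_benefit,
        "roi": roi,
    }


def recommend(risk: Risk, controls: List[Control], accept_below: float) -> str:
    """Decision rule (an assumption): mitigate with the control that has the largest
    positive net benefit; if no control pays for itself and the ALE is below
    management's written acceptance threshold, accept; otherwise escalate for
    transference (insurance) or avoidance (remove the vulnerable function)."""
    candidates = [(control_value(risk, c)["net_benefit"], c.name) for c in controls]
    if candidates:
        best_net, best_name = max(candidates)
        if best_net > 0:
            return f"mitigate: {best_name}"
    if risk.ale < accept_below:
        return "accept (document the decision and who signed it)"
    return "transfer or avoid (no cost-effective mitigation)"


if __name__ == "__main__":
    # Constructed figures: a file server hit by ransomware about once every four years
    risk = Risk("ransomware on file server", sle=200_000, aro=0.25)       # ALE 50,000
    controls = [
        Control("offline backups + quarterly restore test", annual_cost=12_000,
                sle_after=40_000, aro_after=0.25),                          # ALE after 10,000
        Control("full endpoint replacement programme", annual_cost=60_000,
                sle_after=200_000, aro_after=0.125),                        # ALE after 25,000
    ]
    for c in controls:
        print(c.name, control_value(risk, c))
    print(recommend(risk, controls, accept_below=5_000))
```

Note that the first control leaves the ARO unchanged and only shrinks the SLE (the incident still happens, but recovery is cheap), while the second halves the ARO without touching the SLE; the ROI figure is what lets a manager compare them on the same footing. The acceptance branch returns a sentence rather than a bare "accept" for the reason given in 8.4.9: a risk accepted without a signed record tends to land on the IT security staff when it materializes.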

Review Questions
• Explain three ways of mitigating against risk.
• Describe the relationship between attack, threat and vulnerability.
• Why is it important to quantify risk before developing mitigating mechanisms?
• How can a network manager secure a wireless network?

CHAPTER TEN: NETWORK MONITORING TOOLS

1. Microsoft Network Monitor


Microsoft Network Monitor is a packet analyzer that allows you to capture, view and analyze
network traffic. This tool is handy for troubleshooting network problems and applications on the
network. Main features include support for over 300 public and Microsoft proprietary protocols,
simultaneous capture sessions, a Wireless Monitor Mode and sniffing of promiscuous mode traffic,
amongst others.

When you launch Microsoft Network Monitor, choose which adapter to bind to from the main
window and then click “New Capture” to initiate a new capture tab. Within the Capture tab, click
“Capture Settings” to change filter options, adapter options, or global settings accordingly and then
hit “Start” to initiate the packet capture process.

2. Nagios
Nagios is a powerful network monitoring tool that helps you to ensure that your critical systems,
applications and services are always up and running. It provides features such as alerting, event
handling and reporting. The Nagios Core is the heart of the application that contains the core
monitoring engine and a basic web UI. On top of the Nagios Core, you are able to implement
plugins that will allow you to monitor services, applications, and metrics, a chosen frontend as
well as add-ons for data visualisation, graphs, load distribution, and MySQL database support,
amongst others.
Tip: If you want to try out Nagios without needing to install and configure it from scratch,
download Nagios XI and enable the free version. Nagios XI is the pre-configured enterprise class
version built upon Nagios Core and is backed by a commercial company that offers support and
additional features such as more plugins and advanced reporting.
Note: The free version of Nagios XI is ideal for smaller environments and will monitor up to seven
nodes.

Once you’ve installed and configured Nagios, launch the Web UI and begin to configure host
groups and service groups. Once Nagios has had some time to monitor the status of the specified
hosts and services, it can start to paint a picture of what the health of your systems look like.

3. OpenNMS
OpenNMS is an open source enterprise grade network management application that offers
automated discovery, event and notification management, performance measurement, and service
assurance features. OpenNMS includes a client app for the iPhone, iPad or iPod Touch for on-the-
go access, giving you the ability to view outages, nodes, alarms and add an interface to monitor.
Once you successfully log in to the OpenNMS web UI, use the dashboard to get a quick ‘snapshot
view’ of any outages, alarms or notifications. You can drill down and get more information about
any of these sections from the Status drop-down menu. The Reports section allows you to generate
reports to send by e-mail or download as a PDF.

4. Advanced IP Scanner
Advanced IP Scanner is a fast and easy to use network scanner that detects any network devices
(including wireless devices such as mobile phones, printers and Wi-Fi routers) on your network. It
allows you to connect to common services such as HTTP, FTP and shared folders if they are
enabled on the remote machine. You are also able to wake up and shut down remote computers.

The installer allows you to fully install the application on your machine or run the portable version.
When you launch Advanced IP Scanner, start by going to Settings > Options to select which
resources to scan and how fast/accurate you want the results to be. You can then choose which
subnet to scan and proceed with pressing the “Scan” button. Once the scan is complete, expand
the results to see which resources you are able to connect to for each discovered device.

5. Capsa Free
Capsa Free is a network analyzer that allows you to monitor network traffic, troubleshoot network
issues and analyze packets. Features include support for over 300 network protocols (including the
ability to create and customize protocols), MSN and Yahoo Messenger filters, email monitor and
auto-save, and customizable reports and dashboards.

When you launch Capsa, choose the adapter you want it to bind to and click “Start” to initiate the
capture process. Use the tabs in the main window to view the dashboard, a summary of the traffic
statistics, the TCP/UDP conversations, as well as packet analysis.

6. Fiddler
Fiddler is a web debugging tool that captures HTTP traffic between chosen computers and the
Internet. It allows you to analyze incoming and outgoing data to monitor and modify requests and
responses before they hit the browser. Fiddler gives you extremely detailed information about
HTTP traffic and can be used for testing the performance of your websites or security testing of
your web applications (e.g. Fiddler can decrypt HTTPS traffic).

When you launch Fiddler, HTTP traffic will start to be captured automatically. To toggle traffic
capturing, hit F12. You can choose which processes you wish to capture HTTP traffic for by
clicking on “All Processes” in the bottom status bar, or by dragging the “Any Process” icon from
the top menu bar onto an open application.

7. NetworkMiner
NetworkMiner captures network packets and then parses the data to extract files and images,
helping you to reconstruct events that a user has taken on the network – it can also do this by
parsing a pre-captured PCAP file. You can enter keywords which will be highlighted as network
packets are being captured. NetworkMiner is classed as a Network Forensic Analysis Tool (NFAT)
that can obtain information such as hostname, operating system and open ports from hosts.

In the example above, I set NetworkMiner to capture packets, opened a web browser and searched
for “soccer” as a keyword on Google Images. The images displayed in the Images tab are what I
saw during my browser session.
When you load NetworkMiner, choose a network adapter to bind to and hit the “Start” button to
initiate the packet capture process.

8. Pandora FMS
Pandora FMS is a performance monitoring, network monitoring and availability management tool
that keeps an eye on servers, applications and communications. It has an advanced event
correlation system that allows you to create alerts based on events from different sources and notify
administrators before an issue escalates.
When you log in to the Pandora FMS Web UI, start by going to the ‘Agent detail’ and ‘Services’
node from the left hand navigation pane. From here, you can configure monitoring agents and
services.

9. Zenoss Core
Zenoss Core is a powerful open source IT monitoring platform that monitors applications, servers,
storage, networking and virtualization to provide availability and performance statistics. It also has
a high performance event handling system and an advanced notification system.

Once you log in to the Zenoss Core Web UI for the first time, you are presented with a two-step wizard
that asks you to create user accounts and add your first few devices / hosts to monitor. You are
then taken directly to the Dashboard tab. Use the Dashboard, Events, Infrastructure, Reports and
Advanced tabs to configure Zenoss Core and review reports and events that need attention.

10. PRTG Network Monitor Freeware
PRTG Network Monitor monitors network availability and network usage using a variety of
protocols including SNMP, Netflow and WMI. It is a powerful tool that offers an easy to use web-
based interface and apps for iOS and Android. Amongst others, PRTG Network Monitor’s key
features include:
(1) Comprehensive Network Monitoring which offers more than 170 sensor types for application
monitoring, virtual server monitoring, SLA monitoring, QoS monitoring
(2) Flexible Alerting, including 9 different notification methods, status alerts, limit alerts, threshold
alerts, conditional alerts, and alert scheduling
(3) In-Depth Reporting, including the ability to create reports in HTML/PDF format, scheduled
reports, as well as pre-defined reports (e.g. Top 100 Ping Times) and report templates.
Note: The Freeware version of PRTG Network Monitor is limited to 10 sensors.

When you launch PRTG Network Monitor, head straight to the configuration wizard to get started.
This wizard will run you through the main configuration settings required to get the application up
and running, including the adding of servers to monitors and which sensors to use.

11. The Dude
The Dude is a network monitoring tool that monitors devices and alerts you when there is a
problem. It can also automatically scan all devices on a given subnet and then draw and layout a
map of your network.
When you launch The Dude, you first choose to connect to a local or remote network and specify
credentials accordingly. Click ‘Settings’ to configure options for SNMP, Polling, Syslog and
Reports.

12. Splunk
Splunk is a data collection and analysis platform that allows you to monitor, gather and analyze
data from different sources on your network (e.g. event logs, devices, services, TCP/UDP traffic,
etc). You can set up alerts to notify you when something is wrong or use Splunk’s extensive search,
reporting and dashboard features to make the most of the collected data. Splunk also allows you
to install ‘Apps’ to extend system functionality.
Note: When you first download and install Splunk, it automatically installs the Enterprise version
for you to trial for 60 days before switching to the Free version. To switch to the Free version
straight away, go to Manager > Licensing.

When you log in to the Splunk web UI for the first time, add a data source and configure your
indexes to get started. Once you do this you can then create reports, build dashboards, and search
and analyze data.
13. Angry IP Scanner
Angry IP Scanner is a standalone application that facilitates IP address and port scanning. It is
used to scan a range of IP addresses to find hosts that are alive and obtain information about them
(including MAC address, open ports, hostname, ping time, NetBIOS information, etc).

When you execute the application, go to Tools > Preferences to configure Scanning and Port
options, then go to Tools > Fetchers to choose what information to gather from each scanned IP
address.

14. Icinga 2
Icinga is a Linux based fully open source monitoring application which checks the availability of
network resources and immediately notifies users when something goes down. Icinga provides
business intelligence data for in depth analysis and a powerful command line interface.

When you first launch the Icinga web UI, you are prompted for credentials. Once you’ve
authenticated, use the navigation menu on the left hand side to manage the configuration of hosts,
view the dashboard, reports, see a history of events, and more.

15. Total Network Monitor
Total Network Monitor continuously monitors hosts and services on the local network, notifying
you of any issues that require attention via a detailed report of the problem. The result of each
probe is classified using green, red, or black colors to quickly show whether the probe was
successful, had a negative result or wasn’t able to complete.

When you launch Total Network Monitor, go to Tools > Scan Wizard to have the wizard scan a
specified network range automatically and assign the discovered hosts to a group. Alternatively,
create a new group manually to start adding devices/hosts individually.

16. NetXMS
NetXMS is a multi-platform network management and monitoring system that offers event
management, performance monitoring, alerting, reporting and graphing for the entire IT
infrastructure model. NetXMS’s main features include support for multiple operating systems and
database engines, distributed network monitoring, auto-discovery, and business impact analysis
tools, amongst others. NetXMS gives you the option to run a web-based interface or a management
console.

Once you log in to NetXMS you need to first go to the “Server Configuration” window to change
a few settings that are dependent on your network requirements (e.g. changing the number of data
collection handlers or enabling network discovery). You can then run the Network Discovery
option for NetXMS to automatically discover devices on your network, or add new nodes by right
clicking on “Infrastructure Services” and selecting Tools > Create Node.

17. Xymon
Xymon is a web-based system – designed to run on Unix-based systems – that allows you to dive
deep into the configuration, performance and real-time statistics of your networking environment.
It offers monitoring capabilities with historical data, reporting and performance graphs.

Once you’ve installed Xymon, the first place you need to go is the hosts.cfg file to add the hosts
that you are going to monitor. Here, you add information such as the host IP address, the network
services to be monitored, what URLs to check, and so on.
When you launch the Xymon Web UI, the main page lists the systems and services being
monitored by Xymon. Clicking on each system or service allows you to bring up status information
about a particular host and then drill down to view specific information such as CPU utilization,
memory consumption, RAID status, etc.

18. WirelessNetView
WirelessNetView is a lightweight utility (available as a standalone executable or installation
package) that monitors the activity of reachable wireless networks and displays information related
to them, such as SSID, Signal Quality, MAC Address, Channel Number, Cipher Algorithm, etc.
As soon as you execute WirelessNetView, it automatically populates a list of all reachable Wi-Fi
networks in the area and displays information relevant to them (all columns are enabled by default).
Note: Wireless Network Watcher is a small utility that goes hand in hand with WirelessNetView.
It scans your wireless network and displays a list of all computers and devices that are currently
connected, showing information such as IP address, MAC address, computer name and NIC card
manufacturer – all of which can be exported to an html/xml/csv/txt file.

19. Xirrus Wi-Fi Inspector
Xirrus Wi-Fi Inspector can be used to search for Wi-Fi networks, manage and troubleshoot
connections, verify Wi-Fi coverage, locate Wi-Fi devices and detect rogue Access Points. Xirrus
Wi-Fi Inspector comes with built-in connection, quality and speed tests.

Once you launch Wi-Fi Inspector and choose an adapter, a list of available Wi-Fi connections is
displayed in the “Networks” pane. Details related to your current Wi-Fi connection are displayed
in the top right hand corner. Everything pretty much happens from the top ribbon bar – you can
run a test, change the layout, edit settings, refresh connections, etc.
20. Wireshark
This list wouldn’t be complete without the ever popular Wireshark. Wireshark is an interactive
network protocol analyzer and capture utility. It provides for in-depth inspection of hundreds of
protocols and runs on multiple platforms.

When you launch Wireshark, choose which interface you want to bind to and click the green shark
fin icon to get going. Packets will immediately start to be captured. Once you’ve collected what
you need, you can export the data to a file for analysis in another application or use the in-built
filter to drill down and analyze the captured packets at a deeper level from within Wireshark itself.

CHAPTER TWELVE: NETWORK TROUBLESHOOTING

Cisco's eight-step troubleshooting method to fix your network
Even if you don't use Cisco equipment on your network, Cisco's eight-step troubleshooting
method can help solve your system's connectivity issues. Warren Heaton explains the method
and shares an additional tip for preventing recurrences. One of the skills a network administrator
must have is the ability to effectively troubleshoot network problems. To emphasize the
importance of network troubleshooting, Cisco has dedicated an entire exam to the topic as part of
the Cisco Certified Network Professional (CCNP) certification. Additionally, the Cisco
Internetwork Troubleshooting (CIT) course is recommended curriculum for anyone pursuing the
much-coveted CCIE certification. Although the CIT material presents Cisco’s troubleshooting
model, the same steps can be applied to just about any type of network or system failure you will
encounter.

The eight steps
The most important part of troubleshooting any problem is to divide the tasks of problem
resolution into a systematic process of elimination. Cisco has broken this process into eight
steps:
1. Define the problem.
2. Gather detailed information.
3. Consider probable cause for the failure.
4. Devise a plan to solve the problem.
5. Implement the plan.
6. Observe the results of the implementation.
7. Repeat the process if the plan does not resolve the problem.
8. Document the changes made to solve the problem.

Define the problem and gather facts
How many times have you heard this: “My computer does not work”? Which leads us to the
network administrator’s response: “Could you please be more vague?”
Often the user reporting the problem is frustrated and only knows that the computer is preventing
the completion of a task. It is the responsibility of the network administrator to find out what aspect
of the user’s machine is not working.
Handling such situations goes more smoothly when you have a good rapport with your support
personnel and users. A good network administrator can explain that more information is required
to diagnose the problem and more information must be obtained in order to quickly resolve the
problem.
Often, administrators will not receive all the information needed to thoroughly define the problem.
They must then rely on tools such as ping, trace, or a network monitor to identify the trouble.
Consider the possibilities
After a problem has been identified, the next step is to consider all of the possible causes.
Connectivity issues can be very difficult to trace to a single point of failure. In most situations,
there are several possible causes for a network error, and the administrator should identify each
probable cause.

Create and implement an action plan
Once the network problem and possible causes have been identified, it’s time to produce a solution.
When developing a solution, it’s critical to thoroughly analyze the proposed solution and
brainstorm with your peers the potential impacts your solution may have.
Here are a few of the most important guidelines to follow when implementing a solution:
• Make one change at a time.
• Make transparent changes first. This means if there are multiple possible causes for a
problem, solve those problems that have the least impact on your users first.
• Do not create security holes when implementing your changes.
• Finally, and most importantly, always be sure you can back out of any changes you make.

Observe results and, if necessary, try another solution
Some changes may take time to trigger. Observe the results of your solution. Go back to the fact-
gathering phase and determine if your solution solved the problem. If the trouble still exists,
reference your list of possible causes and attempt to resolve the next most likely cause of the
problem.

After a problem has been corrected, the work of the network administrator is not over. Too many
times, network administrators end up solving the same problem repeatedly. The best way to
prevent this is to maintain a problem log and to update this log every time a network failure occurs.

Solve problems before they happen
Using these eight steps to quickly and efficiently solve problems is great, but the best solution for
your network woes is to solve the problem before it affects your users. The only way to do that is
to devote time to creating baselines for your network and to continually monitor your network for
changes. In network administration, an ounce of prevention can prevent a 24-hour shift to solve an
unnecessary network failure.
Windows Tools
So my first line of defense (or troubleshooting) is the set of built-in Windows tools.

There are a couple of basic commands to diagnose a network problem that every network admin
needs to know. Let’s get down to the nitty gritty.

You have an issue with a computer on your network. It cannot connect to the internet and doesn’t
have any network resources. The first thing you need to do is check the condition of the physical
connection, i.e. the network cable. After that is secured, I jump to a command prompt and do an
IPCONFIG /all like so:

I check that the IP address, default gateway and subnet mask are all correct. If they are not, I make
my modifications and we are back online. Too bad the problems don’t usually go away that
easily. Next up, I attempt to ping the servers by IP address using the ping command, like so:
Now I check for DNS issues by pinging the server’s name. If this fails, it is our internal DNS issue
and I know where to move on to.

If I get a correct response, I try to ping a website like www.google.com. That tests external DNS
resolution. If that works as well, the trouble runs deeper. I would then run a netstat -a and see
who is connected to my machine and determine if maybe a Trojan or virus has gained control of
it.
Everything looks clean. Now I would try pathping or tracert between the machine and the internet
to diagnose any remaining network problems. This one I will not show you as all the output would
reveal my network settings and what not. I am not looking to create more problems!

During your tests you might conclude that another machine is using the same IP address or host
name as your desktop and causing issues. For this, I would recommend using Angry IP Scanner
(found here) to query for that IP address or the entire network to find the host name...

I have been using this application for more than a decade to diagnose network problems! If you
cannot figure out what is going on and why you cannot get to the resource you are trying to, then
the issue might be network-related and has nothing to do with your machine. First, check if you
can get to the resource from a different machine.

Then it might be time to fire up Wireshark (which used to be called Ethereal, covered here for you
old schoolers). Wireshark will listen to your network adapter for all traffic and responses. The
answer is in the data but you do need to know how to read it. There are lots of good resources
online or you could always come knocking at AskTheAdmin.com with your output and ask us to
help!

How would you troubleshoot a fidgety connection? Do you have any secret commands?

Troubleshooting tips for wireless network connection problems.

1. Recheck WAN and LAN physical connections.
Physical connections are an oft-overlooked common culprit. Check all wireless access point (AP)
or wireless router ports to ensure that Ethernet cables are inserted tightly and link status LEDs are
green at both ends. If not:
• Verify that devices at both ends of each Ethernet cable are powered on and that ports are
enabled. For example, your AP may be connected to a wall port that is disabled, or the
upstream switch or modem may be off.
• Try swapping Ethernet cables to isolate a damaged cable or connector.
• Check your AP or router manual to ensure that you're using the right type of cable. For
example, Internet/WAN ports may require crossover cables.
• Connect another Ethernet-capable device, such as a laptop, to the affected AP or router
port. If link status LEDs change, the device that you just replaced may be failing link auto-
negotiation. Check port configurations at both ends and reconfigure as needed to match
speed and duplex mode.
Figure 1. Check physical connections.

2. Verify the wireless adapter is installed and working properly.
It might seem obvious, but it's important to ensure the client's Wi-Fi adapter used for network
troubleshooting is enabled and ready to connect.
• When using a Windows client, select your wireless network adapter from the Network
Connections Control Panel and check to see if its status is Enabled. If not, right-click to
enable the connection. If this fails when using a laptop, look for a function key or physical
button or slider-switch to take the laptop out of airplane mode. If this fails when using a
removable client such as a USB adapter, remove or re-insert it.
• When using an Apple iOS client, use the Settings app to verify that your iPhone or iPad is
not in airplane mode and that Wi-Fi is on and ready to connect. For further iOS client
troubleshooting, see Part 2 of this series.
• On an Android client, use the Settings app in a similar manner to verify that your
smartphone or tablet is not in airplane mode and that Wi-Fi is on. For further Android client
troubleshooting, see Part 3 of this series.
Figure 2. Verify Wi-Fi client adapter is enabled.

3. Verify access point or router's network settings.
Use your wireless AP or router's administrative GUI to verify network settings for the wireless
network service set identifier (SSID) to which your Wi-Fi client is trying to connect.
• Locate the SSID that you're troubleshooting. On a basic wireless router, there may be just
one SSID, or one for each radio band (2.4 GHz and 5 GHz). On a small business or
enterprise AP, there may be several SSIDs used to segregate wireless clients and their
traffic.
• Identify the IP subnet [and, if applicable, virtual LAN (VLAN) ID] assigned to that SSID.
Upon successful connection, your Wi-Fi client should receive a local IP address from this
subnet.
• Identify the router or AP's own local IP address that should be reachable through this subnet
(and, if applicable, VLAN).
• Check your router's events log or status GUI to verify that an IP address from this subnet
is indeed assigned to your Wi-Fi client when it connects.

Figure 3. Verify AP or router's network settings.

4. Verify TCP/IP settings.
Although we describe using Windows to manage wireless connections here, troubleshooting is
conceptually similar when using other kinds of Wi-Fi clients.
• Open the network connections control panel and select your wireless network adapter. If
the status is still Disabled, return to step 2.
• If status is Not Connected, select your wireless network's SSID and click Connect. If your
network's SSID does not appear in the list or you cannot connect to your network, go to
step 8 to debug wireless settings.
• While attempting to connect, status may change briefly to Authenticating or Acquiring
Network Address, then Connected. At that point, use Status/Support to determine the
client's assigned IP address. If the client's IP is 0.0.0.0 or 169.254.x.x, click Diagnose. If
that persists, go to step 8.
• Otherwise, if the Wi-Fi client's IP address is not in your AP or router's subnet, use the
Properties/Internet (TCP/IP) panel to reconfigure the connection to get an address
automatically and repeat step 4.

Figure 4. Verify wireless client's TCP/IP settings.
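The address checks that both the Windows Tools section (IP address, default gateway and subnet mask from IPCONFIG /all) and step 4 above ask you to make by eye can be scripted. The following is an added example, not code from the course notes or from any of the quoted articles: it parses saved `ipconfig /all` output and flags the same faults the text describes (no address, an APIPA 169.254.x.x address, a gateway outside the adapter's subnet). The three ipconfig transcripts are constructed samples.

```python
"""Offline triage of saved Windows `ipconfig /all` output.

Automates the first checks the troubleshooting text asks for: does the
adapter have a real IPv4 address (not 0.0.0.0 and not an APIPA 169.254.x.x
address, which means DHCP failed), is the subnet mask valid, and does the
default gateway actually sit inside the adapter's own subnet.
"""
import ipaddress
import re

# Constructed sample: a healthy wired adapter.
HEALTHY = """
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection
   Physical Address. . . . . . . . . : 00-0C-29-3A-7B-1E
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.5
"""

# Constructed sample: DHCP failed and Windows fell back to an APIPA address.
APIPA = """
Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Wi-Fi 6 AX201
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.23.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

# Constructed sample: a statically typed gateway from the wrong subnet.
BAD_GATEWAY = """
Ethernet adapter Ethernet0:

   IPv4 Address. . . . . . . . . . . : 10.1.20.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.21.1
"""

# "Ethernet adapter Ethernet0:" / "Wireless LAN adapter Wi-Fi:" open a section.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
# "   IPv4 Address. . . . . . : value" -- dot leaders separate key from value.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 ()-]*?)[ .]*:\s?(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} for every adapter section."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # Windows tags addresses with "(Preferred)" or "(Tentative)"; drop it.
            current[m.group(1)] = re.sub(r"\(\w+\)$", "", m.group(2)).strip()
    return adapters


def triage(fields):
    """Return the list of faults found in one adapter's fields (empty = looks sane)."""
    ip = fields.get("IPv4 Address") or fields.get("Autoconfiguration IPv4 Address")
    mask = fields.get("Subnet Mask")
    gateway = fields.get("Default Gateway")
    if not ip or ip == "0.0.0.0":
        return ["no IPv4 address: adapter down or DHCP failed"]
    if ipaddress.IPv4Address(ip) in ipaddress.ip_network("169.254.0.0/16"):
        return [f"APIPA address {ip}: no DHCP server answered"]
    try:
        subnet = ipaddress.IPv4Interface(f"{ip}/{mask}").network
    except ValueError:
        return [f"invalid subnet mask {mask!r}"]
    if not gateway:
        return ["no default gateway: only the local subnet is reachable"]
    if ipaddress.IPv4Address(gateway) not in subnet:
        return [f"gateway {gateway} is outside local subnet {subnet}"]
    return []


def check_ipconfig(text):
    """Map every adapter in an ipconfig transcript to its list of faults."""
    return {name: triage(fields) for name, fields in parse_ipconfig(text).items()}


if __name__ == "__main__":
    samples = (("healthy", HEALTHY), ("apipa", APIPA), ("bad gateway", BAD_GATEWAY))
    for label, sample in samples:
        for adapter, faults in check_ipconfig(sample).items():
            print(f"{label}: {adapter}: {faults or ['OK']}")
```

On a real machine, redirect `ipconfig /all > ipconfig.txt` and feed the file's contents to `check_ipconfig` before moving on to the ping steps.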

5. Use ping to verify network connectivity.
Once your wireless client has a valid IP address, use ping to verify network connectivity.
Run a Command Prompt window from the wireless client's Start menu and use it to ping your AP
or router's IP address with the Internet Control Message Protocol as shown in Figure 5.
• If pinging your AP or router repeatedly fails, skip to step 6.
• If pinging your AP or router is successful, then ping any other wired or wireless LAN client
that you wish to share files or printers with. If that ping fails, then the destination may be
using a firewall to block incoming messages.
• After disabling the destination's Windows firewall, ping again. If ping is now successful,
then the firewall you disabled may also be blocking Windows network protocols.
Reconfigure the firewall to permit the traffic you want to exchange between LAN clients.
For example, re-enable the firewall and permit inbound file and printer sharing.
Figure 5. Test and permit desired traffic.

6. How to handle wireless-specific problems.
If your wireless client still cannot connect, get a valid IP address or ping your AP or router, then
it's time to consider wireless-specific problems.
The wireless AP or router and client must use compatible 802.11 standards and the same network
name (SSID). Use your AP or router's admin GUI to view WLAN settings and compare them to
your client's wireless connection parameters.
• If your SSID does not appear in the Client's Available Networks list, enable SSID
broadcasts on your AP or router. Alternatively, add the SSID to your client's Wireless
Networks list, allowing devices to connect even if the SSID is hidden. Be sure to match the
SSID exactly, including capitalization.
• 802.11ac, dual-band 802.11n and older 802.11a clients can connect to 802.11ac or 802.11n
APs or routers using channels in the 5 GHz band.
• 802.11n and older 802.11b/g clients can also connect to 802.11n APs or routers using
channels in the 2.4 GHz band.
• To connect older 802.11a or 802.11b/g clients, enable Mixed Mode and slower modulation
and coding scheme rates on your AP or router. For example, to connect to 802.11b clients,
at least the 11 Mbps rate must be enabled. To connect to 802.11g clients, at least the 54
Mbps rate must be supported. Even slow rates are needed to connect to old clients over
longer distances.

Figure 6. Check radio settings.

7. Look for a security mismatch.
If a matched wireless client and AP or router can "hear" each other but still can't connect or
exchange traffic, look for a security mismatch.
The client must support the security mode the AP or router requires: Open, WEP, WPA or WPA2.
Unless the WLAN is open (unsecured), the AP or router and client must also have (or dynamically
receive) the same keys used to encrypt traffic between them. Compare your AP or router's WLAN
security settings to your client's wireless connection properties to match them.
• If your AP or router uses WEP, set the client's encryption to WEP and match the
authentication type (open or shared). Copy the AP or router's first WEP key to the client,
translating from ASCII to hex if needed.
• If your AP or router uses WPA-Personal, set the client's authentication to WPA-PSK and
match the encryption type (TKIP). Enter the same passphrase on both devices. Remember:
capitalization counts!
• If your AP or router uses WPA2-Personal, set the client's authentication to WPA2-PSK,
match the encryption type (AES) and enter the same passphrase on both devices. If you
must support both WPA and WPA2 clients, set your AP or router to allow both TKIP and
AES encryption.
• If your AP or router uses WPA or WPA2-Enterprise, set the client's authentication to WPA
or WPA2 respectively, match the encryption type and continue 802.1X set-up in step 8.

Figure 7. Check security settings.

8. Ensure RADIUS is working.
WPA and WPA2-Enterprise log the client into the network and deliver encryption keys using
an 802.1X-capable RADIUS server. If you do not already have a RADIUS server, consult this tip.
Otherwise, try the following:
• Reconfigure your AP or router and server with a matching RADIUS secret.
• Reconfigure your RADIUS server to accept requests from your AP or router.
• Use ping to verify AP or router-to-RADIUS server network reachability.
• Watch LAN packet counters to verify that RADIUS is being sent, or use a LAN analyzer to
debug RADIUS protocol issues.

Figure 8. Ensure RADIUS is working.

9. Check for 802.1X EAP or user login problems.
If RADIUS is working but the client's access requests are rejected, look for an 802.1X Extensible
Authentication Protocol (EAP) or user login problem.
Your client must support one of the EAP types your server requires and must supply a valid login
and password, token, certificate or other kind of credential.
• If your server requires EAP-TLS, select Smart Card or other Certificate on the client's
Network Properties/Authentication panel.
• If your server requires PEAP, select Protected EAP on that panel.
• If your server requires EAP-TTLS or EAP-FAST, install a third-party 802.1X Supplicant
program like Cisco's Trust Agent on the client.
• Make sure that client and server EAP-specific properties match, including server certificate
Trusted Root Authority, server domain name (optional) and tunneled authentication
method (e.g., EAP-MSCHAPv2, EAP-GTC).
• If you are prompted to accept the server's certificate at connect time, examine the certificate
carefully, verifying issuer and identity. Never add an unrecognized or suspicious certificate
to your trusted list.
• If EAP-TLS problems persist, use a Web browser to inspect the client's certificate and
make sure the certificate is valid (e.g., not expired).
• If PEAP problems persist, use CHAP Configure to prevent Windows auto-logon and enter
a valid username and password when prompted.
• If you still haven't spotted the problem, consult your RADIUS server's 802.1X
documentation for EAP configuration and debugging hints.
Figure 9. Verify client's 802.1X/EAP settings.

10. Solving intermittent network connectivity problems.
Finally, if your wireless client connects and pings successfully, but encounters intermittent
network connectivity problems (e.g., some pings work, some fail), you may be experiencing poor
signal strength, RF interference, or disconnection caused by AP roaming.
CHAPTER THIRTEEN: NETWORK PERFORMANCE

Network Performance

It is essential for network administrators to periodically assess the reliability of network
technology and its ability to meet business needs. Network performance assessments are therefore
important, as they help organizations to determine whether the programs, hosts, and applications
that are installed on the corporate network function properly. These performance audits need to
examine the network's bandwidth use as well as the company's Internet use, cable performance,
and e-mail server activities. Auditors should assess the company's network management activities,
including its network's capacity use, change management processes, incident response activities,
and log monitoring functions.

Internet Use

Besides network bandwidth use, violation of Internet use policies can cause network performance
problems. Unauthorized network activities typically performed during work hours include:

1. Accessing pornographic Web sites, as well as file, photo, and video sharing sites.
2. Performing online trading.
3. Accessing personal e-mails and forwarding e-mails with large attachments, such as videos,
PowerPoint presentations, and pictures.
4. Downloading unlicensed software, which may carry malware and lead to an attack.

To determine whether employees are adhering to established Internet use policies, internal auditors
and network administrators can monitor and analyze the packet traffic flowing between the
organization's gateway and the Internet service provider (ISP). This can be achieved with a
switched port analyzer (SPAN) port on the switch, or by placing a hub (a common connection
point for devices in a network) or, on modern links, a passive network tap between the ISP and
the organization's router or firewall. The auditor can also recommend that the organization obtain
an Internet use statistics report from the ISP, if possible. Additionally, Internet use analyses can
detect malware infections in the local area network (LAN) that are the result of inappropriate
Internet use, or determine if applications residing in the network are using the Internet
redundantly. They can also be used to determine whether the organization needs to upgrade its
current Internet bandwidth and speed.

Cable Performance

Another performance problem leading to network congestion is cable-pair connectivity. In
essence, the network may experience signal loss during a data transfer session if any of the copper
wire pairs (two pairs for 10/100BASE-T, all four for Gigabit Ethernet) is not properly connected
end-to-end. Because any signal loss during a data transfer session could result in low network
performance, auditors need to determine if the cables are connected properly.

To do this, auditors need to use a pair of hardware cable testers, which are connected at the two
ends of the physical network cable. When the test runs, the tester lights each pair in turn; all
lights must blink, in the same order on both units. If they do, the network cable has correct
end-to-end connectivity (no open, shorted, crossed or split pairs).
E-Mail Server Review

Many companies implement a private or local mail server for internal and external e-mail use. For
instance, the organization may have a single mailbox for all employees that is hosted by an e-mail
service provider. The organization then installs a local mail server at its end to retrieve mail from
this single mailbox, which is then segregated locally based on employee e-mail IDs. If an employee
sends an e-mail to a co-worker, the e-mail goes through this local mail server directly to the
recipient; otherwise, the local mail server forwards the e-mail to its parent mail server for delivery
to the intended external recipient. Key points to look for when reviewing e-mail server
performance include:

 The presence of large numbers of rejected e-mails, especially to a particular user.
 Any malicious requests by or to any user in the organization.
 The possibility of an open-relay mail server (one that accepts mail from outside addressed to
outside recipients, which spammers will find and abuse).
 The presence of large numbers of attachments, especially spam (i.e., unsolicited e-mail)
attachments.
 The ratio of spam e-mail to genuine e-mail.

These key points need to be analyzed and verified manually by the auditor along with the network
or system administrator. Also, a cross-verification should be performed by analyzing the e-mail
server logs. For example, if spam e-mail is consuming the majority of the network's bandwidth, the
organization should upgrade its existing spam-filtering solution.
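
The log cross-check described above, as an added example that is not part of the course text: it
counts rejected deliveries per recipient, looks for the open-relay symptom (accepted mail whose
sender and recipient are both outside the organization's domains) and computes the spam-to-genuine
ratio. The log lines are constructed in a simplified Postfix/amavis style for the illustration; real
formats vary by MTA and filter, so the regular expressions would need adjusting.

```python
"""Added example (not from the course text): cross-checking the e-mail review
points against mail-server logs. Log lines are constructed in a simplified
Postfix/amavis style; real formats vary by MTA and content filter."""
import re
from collections import Counter

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
Mar 10 09:12:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <bob@example.com>: Recipient address rejected: Sender domain not found; from=<x@bad.example> to=<bob@example.com> proto=ESMTP helo=<bad>
Mar 10 09:12:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <bob@example.com>: Client host rejected: blocked by RBL; from=<y@bad.example> to=<bob@example.com> proto=ESMTP helo=<bad>
Mar 10 09:12:09 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 454 4.7.1 <relaytest@other.example>: Relay access denied; from=<probe@other.example> to=<relaytest@other.example> proto=ESMTP helo=<probe>
Mar 10 09:12:15 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <carol@example.com>: Recipient address rejected: Access denied; from=<z@bad.example> to=<carol@example.com> proto=ESMTP helo=<bad>
Mar 10 09:13:01 mx amavis[1300]: (1300-01) Passed CLEAN {RelayedInbound}, [192.0.2.10]:4567 <alice@example.com> -> <bob@example.com>, Message-ID: <a1@example.com>
Mar 10 09:13:05 mx amavis[1300]: (1300-02) Blocked SPAM {DiscardedInbound}, [203.0.113.20]:4568 <promo@spam.example> -> <bob@example.com>, Message-ID: <s1@spam.example>
Mar 10 09:13:09 mx amavis[1300]: (1300-03) Passed CLEAN {RelayedInbound}, [198.51.100.30]:4569 <partner@other.example> -> <carol@example.com>, Message-ID: <p1@other.example>
Mar 10 09:13:12 mx amavis[1300]: (1300-04) Blocked SPAM {DiscardedInbound}, [203.0.113.21]:4570 <x@spam.example> -> <carol@example.com>, Message-ID: <s2@spam.example>
Mar 10 09:13:20 mx amavis[1300]: (1300-05) Passed CLEAN {RelayedInbound}, [198.51.100.40]:4571 <outsider@other.example> -> <victim@elsewhere.example>, Message-ID: <o1@other.example>
"""

# Postfix smtpd rejection: "reject: RCPT from <client>: <code> <dsn> <rcpt>: <reason>; from=..."
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) \S+ <(?P<rcpt>[^>]+)>: (?P<reason>[^;]+)")
# amavis verdict line: "(id) Passed CLEAN ... <sender> -> <rcpt>, ..."
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<cls>[A-Z-]+) .*?"
    r"<(?P<sender>[^>]+)> -> <(?P<rcpt>[^>]+)>")


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def analyse(log_text, local_domains):
    """Collect the review metrics from the log. local_domains are the domains the
    server is supposed to accept mail for (or send mail from)."""
    local = {d.lower() for d in local_domains}
    stats = {"rejects_per_recipient": Counter(), "reject_reasons": Counter(),
             "relay_denied": 0, "spam": 0, "clean": 0, "relayed_external": []}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            stats["rejects_per_recipient"][m["rcpt"]] += 1
            stats["reject_reasons"][m["reason"].split(":")[0]] += 1
            if "Relay access denied" in m["reason"]:
                stats["relay_denied"] += 1      # relay correctly refused
            continue
        m = AMAVIS_RE.search(line)
        if not m:
            continue
        if m["cls"] == "SPAM":
            stats["spam"] += 1
        elif m["verdict"] == "Passed":
            stats["clean"] += 1
            # Open-relay symptom: an accepted message that neither came from
            # nor is addressed to one of our own domains.
            if domain(m["sender"]) not in local and domain(m["rcpt"]) not in local:
                stats["relayed_external"].append((m["sender"], m["rcpt"]))
    return stats


def spam_ratio(stats):
    total = stats["spam"] + stats["clean"]
    return stats["spam"] / total if total else 0.0


def findings(stats, reject_threshold=2, spam_threshold=0.3):
    """Turn the metrics into the review points an auditor would raise."""
    out = []
    for rcpt, n in stats["rejects_per_recipient"].most_common():
        if n >= reject_threshold:
            out.append(f"{n} rejected deliveries to {rcpt}: check whether the address is targeted")
    if stats["relayed_external"]:
        out.append(f"{len(stats['relayed_external'])} message(s) relayed between external "
                   f"domains: possible open relay")
    ratio = spam_ratio(stats)
    if ratio >= spam_threshold:
        out.append(f"spam is {ratio:.0%} of filtered mail: review spam-filtering capacity")
    return out


if __name__ == "__main__":
    for item in findings(analyse(SAMPLE_LOG, ["example.com"])):
        print("-", item)
```

A "Relay access denied" rejection is the healthy case (the server refused to relay); the finding to
worry about is an accepted message between two external domains, which is what the open-relay
check looks for.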

Network Activity Assessments

The auditor also needs to analyze the effectiveness of the processes or activities that are used to
manage the network. These activities include the network's capacity use, change management
processes, incident response activities, and log monitoring functions.

Capacity Use
The network capacity planning process compares the organization's current and future network
capacity in terms of their use and efficiency. Any variation between any user requirements and
the organization's capacity can lead to inefficient network use. Therefore, the aim of network
capacity planning is to resolve this difference.

Change Management
Change management is a logical approach that defines the policies, procedures, and controls that
need to be used for specific business functions or activities. In terms of network performance, the
organization's change management policy needs to document, for instance:

 How Active Directory changes will be handled.
 Changes to firewall rules, such as opening a port.
 Changes in logging systems.
 How to change user access rights to network resources or data.
 The addition and removal of computers.
 The proper way to configure network access for individual users.

Systematic documentation of all network changes helps administrators to manage the network
easily, and helps management and internal auditors to quickly understand network-wide changes.

Change management policies and actions also can enable auditors and administrators to evaluate
network problems at a quick glance and determine the causes for network performance issues or,
worse, a security breach after a particular change or upgrade is made.

Before a change or upgrade is made to a network component, auditors need to recommend that
network or system administrators discuss the activity with a senior executive, such as the chief
technology, information, or security officer, to evaluate the impact the change or upgrade can have
on various aspects of the network.

Finally, auditors need to ensure that the change management policy or document is authorized and
signed by the senior manager.

Incident Response
Companies need to have a standard procedure to handle network problems and provide a quick and
efficient solution to those problems. Key items internal auditors need to review when assessing an
organization's network incident response plan or document include:

 The level of vendor support (i.e., how will the vendor provide support for problems
reported by the organization — will this support be provided over the phone or in person?
In addition, is the vendor support team or contact person located in a nearby location or
foreign country?).
 An inventory of all network programs and applications.
 Service-level agreements between the organization and the vendor for specific network
programs and applications identified in the inventory list.
 Change management policies and procedures.
 A list of incident response team members and their qualifications.
 The organization's approach toward solving any network incidents and the steps that will
be taken for mitigating the same as specified in the business continuity or disaster recovery
plan, in addition to determining how the plan will be maintained.
 Configuration backups for all network programs and applications (e.g., are these devices
tested in a test environment prior to restoration, are backups encrypted, and where are the
backups stored)?

Log Monitoring
When it comes to network performance, proactive steps apply to monitoring network activities and
identifying problems that might affect the organization in the future. One of the best ways to
monitor network activities is through data logging. Logs can come from a firewall, a managed
switch, an operating system, or an application, and should be collected centrally so that they
survive the failure or compromise of the device that produced them. For instance, suppose an
organization is growing rapidly in terms of revenue and number of employees within a short period
of time. To keep up with this growth, network administrators need to identify from the logs how
well the currently used network switches, cables, computer systems, and accessories are keeping up
with demand. They may also need to update or increase the capacity of these and other network
components within the next three months so that the company's operations are not disrupted.
A Good Measure of Network Operations

The use of ongoing performance audits can help IT departments better measure the network's
effectiveness and efficiency. To this end, internal auditors need to examine key network functions
and components, such as the company's network bandwidth use, the current level of Internet use,
the performance of network cables, and e-mail server activities. These network performance audits
need to be an ongoing part of the organization's proactive measures to identify any IT system
breakdowns before they hinder the organization's day-to-day activities. Besides collecting and
reviewing this information, auditors can examine the network servers' memory use and central
processing unit (CPU) capacity, which may also limit network performance.

NETWORK SECURITY REVISION GUIDE

Q1. What Is A Firewall?
Answer : A firewall is a device or software that sits between networks (or between a host and the
network) and permits or blocks traffic according to a rule set, so that unauthorized users cannot
connect to protected systems. It may be a dedicated appliance, a function of a router, or a host
firewall built into the operating system.

Q2. How would you handle network security for a client that allows employees to bring their
own devices?
Having outside devices connected to a network can introduce major security vulnerabilities that
you should be able to address. Interviewers ask this question to assess your problem-solving skills
and to determine what you would do in situations where you cannot avoid certain types of risks
and vulnerabilities.

Q3. What is Network Security?
Answer : Network security consists of the policies and practices adopted to prevent and monitor
unauthorized access, misuse, modification, or denial of a computer network and network-
accessible resources.

Q4. How does network security work?
Answer : Network security combines multiple layers of defences at the edge and in the network.
Each network security layer implements policies and controls. Authorized users gain access to
network resources, but malicious actors are blocked from carrying out exploits and threats.

Q5. What Type Of Traffic Are You Denying At The Firewall?
Answer : There should be a default deny rule on all firewalls to disallow anything that is not
explicitly permitted. This is more secure than explicitly denying certain traffic because that can
create holes and oversights on some potentially malicious traffic.
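
The default-deny rule in Q5 written out as an extended access list on a Cisco IOS router; this is an
added example, not a configuration from the course, and the addresses, host roles and interface name
are assumed. Every IOS ACL already ends with an implicit deny, so the explicit deny at the bottom
adds nothing to what is blocked; what it adds is the log keyword, which gives visibility of what is
being dropped.

```cisco
! Added example (not from the course text). Addresses and interface are assumed:
! 192.0.2.0/24 is the organization's public range, .10 the web server, .25 the MX.
ip access-list extended INBOUND-FROM-INTERNET
 remark Return traffic for TCP sessions started from inside (checks ACK/RST bits only)
 permit tcp any 192.0.2.0 0.0.0.255 established
 remark Public web server
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 remark Inbound mail to the MX only
 permit tcp any host 192.0.2.25 eq 25
 remark Diagnostics: replies and path-MTU/TTL messages, but no inbound echo requests
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 remark Default deny: everything not explicitly permitted above is dropped and logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description Uplink to ISP
 ip access-group INBOUND-FROM-INTERNET in
```

The established keyword is not a stateful check: it only matches segments with the ACK or RST bit set,
so a packet-filter ACL like this should be backed by the router's stateful inspection feature or a
separate stateful firewall. Logging on the final deny can generate heavy output during a scan or
DoS, so rate-limit ACL logging on a production device.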

Q6. Outline the 2 rules for multi-level security.
Answer: The two rules of the Bell-LaPadula multi-level security model are:
 Simple security property ("no read up"): a subject may read an object only if the object's
security level is lower than or equal to the subject's clearance.
 *-property ("no write down"): a subject may write to an object only if the object's security
level is greater than or equal to the subject's clearance. This stops a subject (or malware running
as that subject) from copying classified information into a lower-level object.
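The two rules above as a small reference monitor, added here as an example (not code from the
course). It goes slightly beyond the two rules by giving each label a set of need-to-know
compartments as well as a level, so "higher or equal" becomes lattice dominance: higher-or-equal
level and a superset of compartments. Level names and compartments are assumed.

```python
"""Added example (not from the course text): a Bell-LaPadula reference monitor
that enforces the simple security property and the *-property. Level names and
compartments are assumed for the illustration."""
from dataclasses import dataclass

# Hierarchical sensitivity levels, lowest first (assumed names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when this label is at least as high as `other` in the lattice:
        higher-or-equal level and a superset of the compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject, obj):
    """Simple security property ("no read up"): the subject's clearance must
    dominate the object's classification."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property ("no write down"): the object's classification must dominate
    the subject's clearance, so information can never flow to a lower label."""
    return obj.dominates(subject)


def check_access(subject, obj, mode):
    """Reference-monitor decision for mode 'read', 'write' or 'readwrite'.
    Read-write access is only possible when both labels are equal."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    if mode == "readwrite":
        return can_read(subject, obj) and can_write(subject, obj)
    raise ValueError(f"unknown access mode: {mode!r}")


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    objects = {
        "public notice": Label("UNCLASSIFIED"),
        "crypto report": Label("SECRET", frozenset({"CRYPTO"})),
        "nuclear report": Label("SECRET", frozenset({"NUCLEAR"})),
        "ts summary": Label("TOP_SECRET", frozenset({"CRYPTO"})),
    }
    for name, obj in objects.items():
        print(f"{name:15s} read={can_read(analyst, obj)!s:5s} "
              f"write={can_write(analyst, obj)}")
```

Note the consequence of the *-property that surprises people: the SECRET analyst may write into the
TOP_SECRET summary (write up is allowed) but may not write into the public notice, even though
that is the object with the fewest restrictions.
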
Q7. What are the different types of network security?
Answer : Many different types of network security controls are available, including: access
control, antivirus and antimalware software, application security, behavioural analytics, data loss
prevention, email security, firewalls, intrusion prevention systems, mobile device security,
network segmentation, security information and event management (SIEM), VPN, web security,
and wireless security.

Q8. Define protocol
Answer : It is a set of rules that govern all aspects of information communication.

Q9. What is Intrusion prevention systems (IPS)?
Answer : An intrusion prevention system (IPS) scans network traffic to actively block attacks.

Q10. Difference between hub and switch?
Answer : A hub is a layer 1 repeater: every frame it receives is sent out of all other ports, so all
attached computers share one collision domain and can see each other's traffic. A switch is a
layer 2 device: it learns which MAC address is reachable through which port (its CAM table) and
forwards each frame only to the port where the destination is, giving each port its own collision
domain. This is why a hub (or a switch SPAN port) is what an auditor uses to see traffic, while the
production network is built from switches.

Q11. What is a VPN?
Answer : A virtual private network encrypts the connection from an endpoint to a network, often
over the Internet. Typically, a remote-access VPN uses IPsec or TLS (formerly called Secure
Sockets Layer, SSL) to authenticate and encrypt the communication between device and network.

Q12. What are the factors that affect the performance of the network?
Answer : Type of transmission media, software, number of users, hardware.

Q13. What is Ransomware?
Answer : Ransomware is a type of malicious software (malware) that encrypts a victim's data and
demands a ransom, typically paid in a cryptocurrency such as bitcoin, in exchange for the
decryption key. Paying does not guarantee that a working key is supplied, which is why tested,
offline backups are the primary defence.

Q14. How does ransomware work?
Answer. Ransomware is typically distributed through a few main avenues: e-mail phishing,
malvertising (malicious advertising), and exploit kits. Once it runs, the ransomware encrypts
selected files and notifies the victim of the required payment.

Q15. Name some user support layers?
Answer. Application layer, Presentation layer, Session layer.

Q16. Can you give me some Ransomware variants?
Answer. Well-known ransomware families include CryptoLocker, WannaCry, TeslaCrypt, and
Nyetya (also called NotPetya). Threat-intelligence groups such as Cisco Talos publish analyses of
new variants as they are discovered.

Q17. What Resources Are Located On Your Internal Network?
Answer : In addition to internal web, mail, and DNS servers, your internal network could also
include databases, application servers, and test and development servers.

Q18. How Is Remote Access Secured?
Answer : VPNs should be used for remote access and other sensitive communication. IPsec is a
good choice for this purpose. Strong encryption, i.e. AES, should be used whenever possible;
3DES is deprecated and should only be found on legacy equipment awaiting replacement. Web
access to sensitive or proprietary information should

Q19. What Is The Defining Difference Between Computer Security And Information
Security?
Answer : Computer security protects the computing systems themselves (hosts, networks and the
software on them) from unauthorized access and misuse. Information security protects the
information regardless of the form it takes (printed, spoken or digital) and is defined in terms of
its confidentiality, integrity and availability. (See also AR 25-2, the U.S. Army regulation on
information assurance.)

Q20. What is the use of TCP in the IP packets?
Ans. TCP (Transmission Control Protocol) is carried inside IP packets (IP protocol number 6) and
provides what IP alone does not: a connection-oriented, reliable, ordered byte stream between two
ports, with acknowledgements, retransmission and flow control. It is used on private networks and
the Internet alike, for example by HTTP, SMTP, SSH and FTP.

Q21. Why Does Active Ftp Not Work With Network Firewalls?
Answer : An FTP session uses two TCP connections. The client opens the control connection to
server port 21. In active mode the client then tells the server, with a PORT command, which client
address and port to connect back to, and the server opens the data connection from its port 20 to
the client. A firewall in front of the client sees that data connection as an inbound connection
from outside to an arbitrary high port and blocks it. The fixes are to use passive (PASV) FTP,
where the client opens the data connection to the server as well, or to enable FTP inspection (an
application-layer gateway) on the firewall so that it reads the PORT command and opens only the
matching pinhole. Simply "trusting" the FTP server's address on the firewall opens far more than
needed.

Q22. How Can You Prevent A Brute Force Attack On A Windows Login Page?
Answer : Set an account lockout policy so that the account is locked automatically after a specified
number of failed attempts (in Group Policy: Account lockout threshold, Account lockout duration
and Reset account lockout counter after). Combine it with strong password requirements and
multi-factor authentication, and monitor failed-logon events (event ID 4625), because an attacker
who knows the threshold can also use the lockout to deny service to legitimate users.

Q23. Name the types of errors?
Answer . There are two types of errors:
1. Single bit error
2. Burst error

Q24. What do you see as the objective of information security within a business or
organization?
Answer : Network security should:
 Ensure uninterrupted network availability to all users
 Prevent unauthorized network access
 Preserve the privacy of all users
 Defend the networks from malware, hackers, and DDoS attacks
 Protect and secure all data from corruption and theft.

Q25. In An Icmp Address Mask Request, What Is The Attacker Looking For?
Answer : The attacker sends an ICMP Address Mask Request (type 17) hoping for an Address Mask
Reply (type 18) that reveals the subnet mask of the victim's interface, which helps the attacker
map the internal network. Most modern hosts do not answer address mask requests, and they
should be dropped at the perimeter.

Q26. What do you use on your own personal network?
Answer: An interviewer will want to know what sort of security measures you use on your own
home devices. After all, if you're a hotshot network security expert, clearly that must be reflected
in the network that means the most to you: your personal system! An employer can tell a lot about
your network savviness by analyzing what measures you use for your devices.

Q27. What does VPN stand for?
Answer : VPN stands for virtual private network. It creates a secure network connection over a
public network like the internet.

Q28. Which Feature On A Network Switch Can Be Used To Protect Against Cam Flooding
Attacks?
Answer : The port-security feature. In a CAM flooding attack the attacker sends a storm of frames
with different forged source MAC addresses to fill up the switch's CAM (MAC address) table; once
it is full the switch can no longer learn legitimate addresses and floods unicast frames out of every
port, so the attacker can capture traffic as if the switch were a hub. Port-security limits the number
of MAC addresses allowed on a port and, on violation, drops the frames or shuts the port down.
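The attack and the countermeasure from Q28, simulated in a toy switch model; this is an added
example, not code from the course. The CAM capacity (8 entries) and the per-port limit are assumed
and far smaller than on real hardware, so the effect is visible in a few frames. On Cisco IOS the
equivalent configuration is switchport port-security maximum <n> and switchport port-security
violation shutdown on the access port.

```python
"""Added example (not from the course text): a toy layer-2 switch that learns
source MACs into a CAM table, to show what CAM flooding does and how a
port-security limit stops it. Capacities are assumed and deliberately tiny."""
from collections import Counter, defaultdict


class Switch:
    def __init__(self, cam_capacity=8, port_security_max=None, violation="shutdown"):
        self.cam = {}                        # source MAC -> port it was learned on
        self.port_macs = defaultdict(set)    # port -> MACs seen on that port
        self.cam_capacity = cam_capacity
        self.ps_max = port_security_max      # per-port MAC limit, None = port-security off
        self.violation = violation           # "shutdown" (err-disable) or "restrict" (drop)
        self.err_disabled = set()
        self.violations = Counter()

    def learn(self, port, src_mac):
        """Process the source address of a frame arriving on `port`."""
        if port in self.err_disabled:
            return "dropped"                 # port is shut down after a violation
        if self.cam.get(src_mac) == port:
            return "known"                   # normal refresh of an existing entry
        # Port-security is checked at ingress, before the CAM is touched.
        if (self.ps_max is not None and src_mac not in self.port_macs[port]
                and len(self.port_macs[port]) >= self.ps_max):
            self.violations[port] += 1
            if self.violation == "shutdown":
                self.err_disabled.add(port)
                return "err-disabled"
            return "restricted"
        if src_mac not in self.cam and len(self.cam) >= self.cam_capacity:
            return "cam-full"                # cannot learn; the frame is still forwarded
        self.cam[src_mac] = port
        self.port_macs[port].add(src_mac)
        return "learned"

    def forward(self, dst_mac):
        """Egress port for a destination, or 'flood' (all ports) when unknown."""
        return self.cam.get(dst_mac, "flood")


def flood_attack(switch, port, count):
    """Attacker on `port` sends frames from `count` forged source MACs
    (constructed locally administered addresses 02:00:00:00:xx:xx)."""
    return Counter(switch.learn(port, f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}")
                   for i in range(count))


if __name__ == "__main__":
    plain = Switch(cam_capacity=8)
    plain.learn(1, "aa:aa:aa:aa:aa:01")      # one legitimate host on port 1
    print("no port-security:", dict(flood_attack(plain, 2, 20)))
    # A host that connects after the table is full never gets learned, so
    # frames for it are flooded to every port, including the attacker's.
    print("frames for late host go to:", plain.forward("aa:aa:aa:aa:aa:03"))
    guarded = Switch(cam_capacity=8, port_security_max=2, violation="shutdown")
    print("with port-security:", dict(flood_attack(guarded, 2, 20)))
    print("err-disabled ports:", guarded.err_disabled)
```

With the limit in place the attacker gets two addresses learned, the third triggers the violation,
and the port is err-disabled for everything that follows; the CAM table keeps its room for the
legitimate hosts.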

Q29. How informed do you keep yourself on network security-related news, and how often
do you check out these stories? Where do you get your security news from?
Answer : Network security incidents are big news today, and there have been many high-profile
news stories about data breaches and hackers in the past few years. An employer is going to want
to know how well-informed you are on the latest security news and incidents. HINT: If you don't
make it a practice of keeping abreast of the latest network security-related news, you had better
start now!
In terms of news sources, your best bets are Team Cymru, Twitter, or Reddit. Make sure to check
the sources for accuracy, though.

Q30. What Is Srm (security Reference Monitor)?
Answer : The Security Reference Monitor is the kernel mode component that does the actual access
validation, as well as audit generation.

Q31. What are the steps involved in creating the checksum?
Answer.
 Divide the data into 16-bit sections.
 Add the sections together using 1's complement arithmetic (a carry out of the top bit is added
back into the sum).
 Take the 1's complement of the final sum; this is the checksum. The receiver adds all sections
including the checksum and expects a result of all ones (zero after complementing).
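The checksum procedure in Q31 implemented as the Internet checksum of RFC 1071, and used to build
and verify the ICMP Address Mask Request and Reply messages that Q25 describes. This is an added
example, not code from the course; the packets are constructed in memory and never sent, and the
RFC 1071 test vector (bytes 00 01 f2 03 f4 f5 f6 f7, checksum 0x220D) is the one from the RFC.

```python
"""Added example (not from the course text): RFC 1071 one's-complement checksum,
applied to ICMP Address Mask Request (type 17) and Reply (type 18) messages.
Packets are built in memory only."""
import struct

ICMP_ADDRESS_MASK_REQUEST = 17
ICMP_ADDRESS_MASK_REPLY = 18
ICMP_MASK_FORMAT = "!BBHHHI"   # type, code, checksum, identifier, sequence, address mask


def internet_checksum(data):
    """Step 1: split into 16-bit words (pad an odd trailing byte with zero).
    Step 2: add them with end-around carry (one's-complement addition).
    Step 3: return the one's complement of the sum."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def verify_checksum(packet):
    """A packet with its checksum field filled in sums to all ones, so the
    checksum over the whole packet is zero."""
    return internet_checksum(packet) == 0


def build_mask_message(msg_type, ident, seq, mask=0):
    """Build an ICMP mask message with the checksum computed over the message
    with the checksum field zeroed, as the protocol requires."""
    header = struct.pack(ICMP_MASK_FORMAT, msg_type, 0, 0, ident, seq, mask)
    csum = internet_checksum(header)
    return struct.pack(ICMP_MASK_FORMAT, msg_type, 0, csum, ident, seq, mask)


def build_mask_request(ident, seq):
    return build_mask_message(ICMP_ADDRESS_MASK_REQUEST, ident, seq)


def build_mask_reply(ident, seq, mask):
    return build_mask_message(ICMP_ADDRESS_MASK_REPLY, ident, seq, mask)


def parse_mask_reply(packet):
    """Return (identifier, sequence, mask) from a valid Address Mask Reply,
    or None if the packet is the wrong length, type or fails the checksum."""
    if len(packet) != struct.calcsize(ICMP_MASK_FORMAT) or not verify_checksum(packet):
        return None
    msg_type, code, _csum, ident, seq, mask = struct.unpack(ICMP_MASK_FORMAT, packet)
    if msg_type != 18 or code != 0:
        return None
    return ident, seq, mask


def mask_to_dotted(mask):
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


if __name__ == "__main__":
    req = build_mask_request(1, 1)
    print("request:", req.hex(), "valid:", verify_checksum(req))
    rep = build_mask_reply(1, 1, 0xFFFFFF00)    # what a misconfigured host would send back
    ident, seq, mask = parse_mask_reply(rep)
    print("reply reveals mask", mask_to_dotted(mask), "for id/seq", ident, seq)
```

The reply's mask field is exactly what the attacker in Q25 wants; the parser shows how little work it
takes to extract it, which is why the request should be filtered rather than answered.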

Q32. What is ALOHA?
Answer. It is a protocol used to solve the channel allocation problem. There are two types of
ALOHA:
 Pure ALOHA
 Slotted ALOHA

Q33. Explain the difference between symmetric and asymmetric encryption.
Answer : Symmetric encryption uses the same key for both encryption and decryption, whereas
asymmetric encryption uses a key pair: a public key for encryption and a private key for
decryption. Symmetric encryption is much faster, but both parties must already share the secret
key, so it needs a secure way to distribute that key. In practice the two are combined: an
asymmetric exchange (or a key agreement such as Diffie-Hellman) establishes a session key, which
then protects the bulk data symmetrically.

Q34. How Did Early Computer Security Work?
Answer : It was pretty simple: just passwords to protect one's computer. With the growth of the
internet, however, computers have increased security with firewalls and hundreds of anti-virus
programs.

Q35. Name the three means of user authentication.
Answer : Something you know (a password or PIN), something you have (a token or smart card),
and something you are (biometrics such as a fingerprint or iris scan). Two-factor authentication
combines two of these categories.

Q36. What Is Another Name For Unsolicited E-mail Messages?
Answer : Spam

Q37. Can Police Track An Ip Address After It Has Been Changed?
Answer : Often, yes. If the user has a dynamic IP address that changes in the normal way, the ISP's
logs record which subscriber held which address at which time, so the address can still be traced.
If the user routes traffic through a proxy or VPN so that the address seen by the destination
belongs to someone else, tracing depends on the logs held by that intermediary.

Q38. You discover an active problem on your organization’s network, but it’s out of your
sphere of influence. There’s no doubt that you can fix it, though; so what do you do?
Answer : While the first impulse may be to immediately fix the problem, you need to go through
the proper channels. Things may be as they are for a reason. Use e-mail to notify the person in
charge of that department, expressing your concerns, and asking for clarification. Make sure your
boss is CC’ed into the email chain, and make sure that you save a copy for yourself, in case you
need to refer to it later.

Q39. Why are internal threats usually more effective than external threats?
Answer : It all comes down to a question of physical location. A disgruntled soon to be ex-
employee, a hacker posing as a deliveryman, even just a careless curious user, all end up having
better access to the system due to them being on-site. Being “inside” physically makes it easier to
get inside virtually.

Q40. What Is A Sid (security Id)?
Answer : SID stands for Security Identifier and is an internal value Windows uses to uniquely
identify a user, group or computer account. A SID is made up of a revision level (always 1), a
48-bit identifier authority, and a variable number of 32-bit sub-authority values; the last
sub-authority is the relative identifier (RID) of the account within its domain. Written out, a SID
looks like S-1-5-21-<domain identifiers>-500, where RID 500 is the built-in Administrator. Access
control lists and security descriptors refer to principals by SID, not by name, which is why a
renamed Administrator account is still recognisable.
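The SID structure from Q40 as a parser that handles both the textual S-1-... form and the binary
layout Windows stores in security descriptors, and that flags the well-known RIDs an auditor looks
for. This is an added example, not code from the course; the sample domain SID is constructed, the
well-known SIDs and RIDs listed are the standard ones.

```python
"""Added example (not from the course text): parsing, converting and describing
Windows security identifiers. Sample SIDs are constructed."""
import struct

# Standard well-known SIDs and domain-relative RIDs (a small subset).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}


def parse_sid(text):
    """Split 'S-<revision>-<authority>-<sub>-...' into its fields with range checks."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError("only SID revision 1 exists")
    if not 0 <= authority < 1 << 48:
        raise ValueError("identifier authority is a 48-bit value")
    if len(subs) > 15 or any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError("at most 15 sub-authorities of 32 bits each")
    return {"revision": revision, "identifier_authority": authority,
            "sub_authorities": subs, "rid": subs[-1] if subs else None}


def sid_to_bytes(text):
    """Binary SID: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes big-endian), then each sub-authority as uint32 little-endian."""
    sid = parse_sid(text)
    authority = sid["identifier_authority"].to_bytes(6, "big")
    subs = b"".join(struct.pack("<I", s) for s in sid["sub_authorities"])
    return struct.pack("<BB", sid["revision"], len(sid["sub_authorities"])) + authority + subs


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, validating the length against the declared count."""
    if len(data) < 8:
        raise ValueError("truncated SID")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<" + "I" * count, data[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def describe(text):
    """Name well-known SIDs; for domain accounts (S-1-5-21-x-y-z-RID) report the
    RID and the domain it belongs to."""
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    sid = parse_sid(text)
    subs = sid["sub_authorities"]
    if sid["identifier_authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        domain = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        name = WELL_KNOWN_RIDS.get(sid["rid"], "account")
        return f"{name} (RID {sid['rid']}) in domain {domain}"
    return "unknown SID"


if __name__ == "__main__":
    admin = "S-1-5-21-3623811015-3361044348-30300820-500"   # constructed domain SID
    print(describe(admin))
    raw = sid_to_bytes(admin)
    print(len(raw), "bytes:", raw.hex())
    print("round trip:", bytes_to_sid(raw) == admin)
```

Because the RID is what identifies the built-in Administrator, an audit script that walks group
memberships should compare RIDs, not account names.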

Q41. What is CIA?
Answer: CIA stands for Confidentiality, Integrity, and Availability. CIA is a model designed to
guide the policies for information security in organizations.

Q42. What is IPS?
Answer: An IPS (intrusion prevention system) is a threat prevention technology that inspects all
network traffic flowing through it to identify and block malicious activity and to detect attempts to
exploit vulnerabilities in the network. It is helpful because it can be configured to detect a wide
variety of network attacks. Unlike an IDS, which only alerts, an IPS sits inline in the traffic path
and is usually deployed at the perimeter of the network. Approaches to detection include
signature-based, anomaly-based, protocol-based and policy-based IPS.

Q43. What is Data encryption?
Answer. Data encryption transforms readable data into ciphertext that can only be read with the
correct key, and is essential for confidential or critical data, both at rest and in transit. Encryption
on its own provides confidentiality; to also detect alteration or forgery, an integrity check such as a
MAC or an authenticated-encryption mode (for example AES-GCM) is required.

Q44. What are the differences among encoding, encryption and hashing?
Answer: Encoding: transforms data into another format so that it can be stored or transmitted
correctly (for example Base64 or URL encoding). It uses no key and is trivially reversible, so it
provides no security at all.
Encryption: designed for confidentiality; reversible only with the appropriate key. Integrity is only
guaranteed if an authenticated mode or a separate MAC is used.
Hashing: a one-way (non-reversible) operation that takes an input (or message) of any length and
returns a fixed-size value, the hash. It is used for integrity checks and for password storage (with
a salt and a deliberately slow hash).

Q46. How Do You Remove Network Security Keys?
Answer : A saved wireless network key is kept in the client's stored network profile, so remove the
profile: in Windows, "Forget" the network in the Wi-Fi settings or run
netsh wlan delete profile name="<network name>"; on other systems delete the saved network in
the same way. To change the key itself, set a new passphrase on the access point and update every
client.

Q48. How Do You Prevent Ddos Attack?
Answer : You cannot fully prevent one. What helps is reducing the attack surface (expose only the
services that are needed), rate limiting and connection limits on a correctly configured firewall or
iptables/nftables ruleset (not a trivial task), keeping spare capacity, and, for volumetric attacks
that exceed your own bandwidth, upstream mitigation by the ISP or a scrubbing/CDN service. There
is no 100% protection.

Q49. What is Digital Signatures ?
Answer : A digital signature is a value computed over a message (usually over its hash) with the
sender's private key and attached to the message. Anyone holding the sender's public key can
verify it, which proves that the message came from the holder of that private key (authenticity),
that it was not changed afterwards (integrity), and leaves the sender no way to deny having sent it
(non-repudiation).

Q50. What Is An Ip Grabber?
Answer : An IP grabber is a program that will find the IP address of another computer. It is often
used by hackers.

What can be the impact of a computer network attack?
Answer:
Hackers or attackers target computer networks to cause irreversible damage to organizations. A
computer network that is compromised by an attack or hack suffers negative consequences
including:

 Loss of sensitive information and proprietary data
 Loss of value with shareholders
 Reduced profits
 Decline in trust with customers
 Deterioration of brand value
 Loss of reputation

What is the objective of information security within an organization?
Answer:
Some of the objectives of having a network security program in organizations include:

 Prevent unauthorized network access
 Protect the privacy, integrity and sensitive information of users in the network
 Protect the network from external attacks and hacks and prevent unauthorized users from
gaining access to the network
 Protect the network from malware and from different attack types (DDoS, MITM,
eavesdropping, etc.)
 Protect all data, stored and in transit, and secure all information in the network from being
stolen by malicious users
 Ensure the availability of the network.

What is the meaning of threat, vulnerability, and risk?
Answer:
In the context of security, a threat is any event or actor that can cause harm or serious damage to
computer systems or networks; for example, a virus attack is viewed as a threat. A vulnerability is
a weakness in a system, configuration or process that a threat can exploit. Risk is the likelihood
that a threat exploits a vulnerability, combined with the impact if it does. Threats turn into attacks
when attackers make use of such weaknesses in computers on the network.

What is the meaning of AAA?
Answer:
AAA stands for Authentication, Authorization, and Accounting.
Authentication is the process of determining whether a user is who they claim to be and is
legitimate to use the system and the network. It is usually done with a username and password,
increasingly combined with a second factor. For example, you use a username and password to
access your e-mail; the e-mail server authenticates them and then grants access.
Authorization refers to access control rights. Every user on the network is allowed access only to
certain data, information and applications according to their role in the organization; for example,
a marketing person will not be able to record financial transactions. A user is therefore authorized
to perform only certain functions on the network system. These authorization levels are defined by
the system administrator, who has access to all the resources and user policies in the network.
Accounting (network accounting) gathers a record of the activity on the network for each user:
who logged in, from where, for how long, and what they did.
Hence, AAA is a framework for network security that is used to control user access, implement
policies, audit usage and keep track of all activities in the network. AAA helps system
administrators and security experts to identify any malicious activity on the network. RADIUS
and TACACS+ are the protocols commonly used to carry AAA between network devices and a
central server.

What is the CIA triad?
Answer:
CIA stands for Confidentiality, Integrity, and Availability. CIA is a model designed to guide the
policies for information security in organizations.
Confidentiality is almost equivalent to privacy. Computer networks must ensure confidentiality in
order to keep sensitive information from falling into the wrong hands. Confidentiality is ensured
by implementing access restriction mechanisms and encryption, and can be understood as
ensuring user privacy in the system.
Integrity refers to maintaining the consistency, accuracy, and trustworthiness of data over its
entire lifecycle. Data is vulnerable during transit, and steps must be taken to ensure that data in
transit cannot be modified by unauthorized people, which would compromise its integrity. There
are many methods to ensure data integrity; for example, cryptographic checksums (hashes and
MACs) can be used to verify that data has not changed. Measures such as backup and redundant
storage may also be required to restore lost data immediately.
Availability means that the entire network, with its resources and hardware infrastructure, is
available to authorized users. Availability is ensured by keeping all hardware working well and
carrying out repairs immediately, maintaining a fully functional operating system that is free of
software conflicts, and applying necessary upgrades, software patches, and security patches when
they become available from the vendor.
Hence, adequate precautions and safeguards to protect all information in the computer network
must be planned, and security procedures must be implemented to ensure uninterrupted network
services.

How do you define risk, vulnerability, and threat, in the context of network security?
A: A vulnerability is a weakness or gap in your network or equipment (e.g. modems, routers,
access points, unpatched software). A threat is the actual means of causing an incident; for
instance, a virus attack is deemed a threat. A risk is the potential for loss that results when a
threat can exploit a vulnerability: the likelihood of that happening combined with the damage it
would cause. A system that is "secure but not secured sufficiently" carries a higher risk because
that likelihood is higher.

What are the possible results of an attack on a computer network?
A: Possible results include:

 Loss or corruption of sensitive data that is essential for a company's survival and success
 Diminished reputation and trust among customers
 Decline in value with shareholders
 Reduced brand value
 Reduction in profits

What do you use on your own personal network?
A: An interviewer will want to know what sort of security measures you use on your own home
devices. After all, if you're a hotshot network security expert, clearly that must be reflected in the
network that means the most to you: your personal system! An employer can tell a lot about your
network savviness by analyzing what measures you use for your devices.

Speaking of your home network, do you have a Wireless Access Point, and if so, how do you
defend it?
A: There are many methods of protecting a WAP, but the three most commonly cited are:
employing MAC address filtering, using WPA2 (or WPA3) with a strong passphrase, and not
broadcasting the SSID. Be clear about their relative value: only the encryption actually protects
the link. MAC addresses are sent in the clear and can be cloned, and a hidden SSID is still
revealed in probe and association frames, so filtering and SSID hiding are at best minor obstacles.
This is yet another attempt by an employer to see what matters to you personally in terms of
security. After all, people tend to prefer the best things for themselves!

What are the best defenses against a brute force login attack?
A: There are three major measures you can take to defend against a brute force login attack. For
starters, there's an account lockout: after a set number of failures the account is locked, either for
a fixed period or until an administrator unlocks it. Next comes the progressive delay defense: each
failed attempt increases the wait before the next attempt is accepted, which slows an attacker
down without locking the real user out. Finally, there's the challenge-response test (such as a
CAPTCHA), which heads off automated submissions on the login page. Rate limiting by source
address and multi-factor authentication complete the picture, since a lockout on its own can be
turned into a denial of service against the legitimate user.
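
The lockout from Q22 and the progressive delay described here, combined in one login guard. This is
an added example, not code from the course: the user store, the password hashing parameters and the
injectable clock are constructed for the illustration, and a real deployment would persist the state
and add per-source-address throttling and a second factor.

```python
"""Added example (not from the course text): a login guard that applies a
progressive delay after each failure and an account lockout after a threshold.
The user store and clock are constructed for the illustration."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a per-user salt (iteration count kept low for the demo)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0    # progressive delay: earliest accepted next attempt
    locked_until: float = 0.0    # lockout: no attempts accepted before this time


class LoginGuard:
    def __init__(self, users, lockout_threshold=5, lockout_seconds=900,
                 base_delay=1.0, max_delay=60.0):
        self.users = users                       # name -> (salt, hash); constructed store
        self.lockout_threshold = lockout_threshold
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.state = {}                          # name -> AccountState
        self.dummy = hash_password("dummy")      # hashed even for unknown users: equal timing

    def _password_ok(self, user, password):
        salt, expected = self.users.get(user, self.dummy)
        candidate = hash_password(password, salt)[1]
        return user in self.users and hmac.compare_digest(candidate, expected)

    def attempt(self, user, password, now=None):
        """Returns 'ok', 'fail', 'too_early' (progressive delay in force) or 'locked'."""
        now = time.monotonic() if now is None else now
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.next_allowed:
            return "too_early"               # not counted as a failure
        if self._password_ok(user, password):
            self.state[user] = AccountState()   # success clears all counters
            return "ok"
        st.failures += 1
        if st.failures >= self.lockout_threshold:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0                  # counter restarts when the lockout expires
            return "locked"
        # Progressive delay: 1s, 2s, 4s, ... up to max_delay.
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.next_allowed = now + delay
        return "fail"


if __name__ == "__main__":
    guard = LoginGuard({"alice": hash_password("correct horse")})
    for t, pw in [(0, "x"), (0.5, "x"), (1, "x"), (3, "x"), (7, "x"), (15, "x"),
                  (100, "correct horse"), (1000, "correct horse")]:
        print(f"t={t:>5}: {guard.attempt('alice', pw, now=t)}")
```

The delay doubles after each failure, so an online guesser gets only a handful of tries per minute
long before the lockout fires; the lockout is the backstop, and its automatic expiry limits how long
an attacker can keep the real user out by deliberately tripping it.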

What Does Your Network/security Architecture Diagram Look Like?

 The physical topologies
 Logical topologies (Ethernet, ATM, 802.11, VoIP, etc.)
 Types of operating systems
 Perimeter protection measures (firewall and IDS placement, etc.)
 Types of devices used (routers, switches, etc.)
 Location of DMZs
 IP address ranges and subnets
 Use of NAT

In addition, you must know where the diagram is stored and that it is regularly updated as changes
are made.

What Security Measures Are In Place For In-house Developed Applications?
Any development that takes place in house should include security from the beginning of the
development process. Security needs to be part of the standard requirements and testing
procedures. Code reviews should be conducted by someone other than the author to look for
vulnerabilities such as buffer overflows, injection flaws and backdoors. For security reasons, it is
not a good idea to subcontract development work to third parties without subjecting their code to
the same requirements, reviews and testing before it is deployed.

How Are You Monitoring For Trojans And Back Doors?
In addition to periodic vulnerability scanning, outgoing traffic should be inspected before it leaves
the network, looking for potentially compromised systems. Organizations often focus on traffic
and attacks coming into the network and forget about monitoring outgoing traffic. Not only will
this detect compromised systems with Trojans and backdoors, but it will also detect potentially
malicious or inappropriate insider activity.
What are the different layers of OSI?
The seven layers, from the bottom up, are:

 Physical layer
 Data Link layer
 Network layer
 Transport layer
 Session layer
 Presentation layer
 Application layer

Explain pipelining.
When a task has begun before the previous task has ended is called Pipelining.
Which layers are referred to as network support layers?

 Physical layer
 Data Link layer
 Network layer

Define simplex with an example.
A type of communication in which data is transmitted in one direction is known as simplex.
Example: Monitor
What is RIP?
RIP stands for Routing Information Protocol, which is a simple protocol used to exchange
information between the routers.

What are the factors that affect the performance of the network?
 Type of transmission media
 Software
 Number of users
 Hardware
What is the difference between a wired LAN and a wireless LAN?
A wired LAN uses Ethernet devices like routers, hubs, and switches, while a wireless LAN uses
devices like MiFi routers and WLAN routers.
Which protocols use the application layer?
 SMTP
 DNS
 TELNET
 FTP
What is an intranet?
It is a private network based on TCP/IP protocols accessible only by the company’s members or
someone with authorization.
What are the different types of network security tools?
 Access control
 Antivirus and antimalware software
 Application security
 Data Loss Prevention (DLP)
 Email security
 Firewalls
 Intrusion prevention systems
 Mobile device security
 Host-based Intrusion Detection System (HIDS)
 Network Intrusion Detection System (NIDS)
 Behavioral analytics
 Network segmentation
 Virtual Private Network (VPN)
 Web security
 Wireless security
Security Mitigation Techniques (Mitigation Method - Description)
AAA - A group of three services (authentication, authorization, and accounting) that are used in
conjunction with TACACS or RADIUS to provide a secure network connection with a record of
user activities.
Cisco ACL - An ordered list of permit and deny statements that can be applied on a Cisco device
to effectively determine whether a packet will be permitted or denied access to the network.
SSH - A data transmission protocol that uses strong authentication and an encrypted tunnel to
ensure secure communications between an SSH client and the SSH server. SSH protects
otherwise-vulnerable services such as Telnet, news, and mail.
SNMP - A management protocol that monitors the network and manages configurations by
collecting statistics to analyze network performance and ensure network security.
Syslog - Log messages are collected from the Cisco device and are sent to a syslog server to
keep records of any network occurrences.
NTP - A protocol that synchronizes clocks on the local network to provide accurate local time on
the user system.
IPsec - A set of protocols that were developed to secure the transfer of packets at the Network
layer (Layer 3) of the OSI model.
SSL - A protocol that provides a secure channel between two devices at the Application layer
(Layer 7) of the OSI model.
Firewall - Either software or hardware that is installed to protect a network from outside
networks, such as the Internet.
IPS - An active device that is inline with the traffic path on a network. An IPS listens
promiscuously to all incoming traffic to identify attacks, which the system can then block.
IDS - A passive device that may not be inline with the traffic path on a network. An IDS also
listens promiscuously to all incoming traffic to generate alerts and issue TCP resets if necessary.
Which layers are referred to as network support layers?
Ans. The following layers are referred to as network support layers:
 Physical layer
 Data Link layer
 Network layer

What are the factors that affect the performance of the network?
Ans. The factors that affect the performance of the network are:
 Type of transmission media
 Software
 Number of users
 Hardware

What are the steps involved in creating the checksum?
Ans. The following steps are involved in creating the checksum:
 Divide the data into sections
 Add the sections together using 1’s complement arithmetic
 Take the complement of the final sum
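The three steps above are the Internet checksum used by IP, TCP and UDP headers. As an added example (not from the course notes), the following code carries them out on 16-bit sections with end-around carry, then shows the receiver's check: adding the received sections and the checksum itself must give all ones, so the complement is zero. The sample bytes are the worked example from RFC 1071; the corrupted copy is constructed to show the check failing.

```python
"""Internet (one's complement) checksum: create and verify.

Added example; the sample data is the RFC 1071 worked example.
"""


def ones_complement_sum(words):
    """Add 16-bit words in 1's complement arithmetic (end-around carry)."""
    total = 0
    for w in words:
        total += w
        # Fold any carry out of bit 15 back into the low 16 bits.
        total = (total & 0xFFFF) + (total >> 16)
    return total


def to_sections(data: bytes):
    """Step 1: split the data into 16-bit sections, zero-padding an odd tail."""
    if len(data) % 2:
        data += b"\x00"
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]


def internet_checksum(data: bytes) -> int:
    """Steps 2 and 3: 1's complement sum of the sections, then complement it."""
    return (~ones_complement_sum(to_sections(data))) & 0xFFFF


def verify(data: bytes, checksum: int) -> bool:
    """Receiver side: sections plus the transmitted checksum must sum to
    0xFFFF, i.e. the checksum of the whole thing is zero."""
    padded = data + b"\x00" if len(data) % 2 else data
    return internet_checksum(padded + checksum.to_bytes(2, "big")) == 0


if __name__ == "__main__":
    sample = bytes.fromhex("0001f203f4f5f6f7")       # RFC 1071 example data
    cs = internet_checksum(sample)
    print(f"checksum = 0x{cs:04x}")                  # 0x220d
    print("intact   :", verify(sample, cs))         # True
    corrupted = bytes.fromhex("1001f203f4f5f6f7")    # constructed: one bit flipped
    print("corrupted:", verify(corrupted, cs))      # False
```

Note the limits of the technique: a 1's complement sum detects single-bit errors and most burst errors, but two errors that cancel (or a section changing between 0x0000 and 0xFFFF) pass unnoticed. It is an integrity check against accidental corruption, not a defence against deliberate tampering, which needs a keyed MAC or a signature.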

What are the different types of network security tools?
Ans. The different types of network security tools are:
 Access control
 Antivirus and antimalware software
 Application security
 Data Loss Prevention (DLP)
 Email security
 Firewalls
 Intrusion prevention systems
 Mobile device security
 Host-based Intrusion Detection System (HIDS)
 Network Intrusion Detection System (NIDS)
 Behavioral analytics
 Network segmentation
 Virtual Private Network (VPN)
 Web security
 Wireless security

Explain the basic working of network security.


Ans. Network security is an activity that is designed to protect the usability and integrity of the
network and data. It includes both hardware and software technologies and targets a variety of
threats. It combines various layers of defenses at the edge and in the network. Every network
security layer implements distinct policies and controls. While authorized users gain access to
network resources, the malicious or unauthorized agents are blocked from carrying out exploits
and threats.

What is the meaning of AAA in network security?
Ans. AAA stands for Authentication, Authorization, and Accounting. It refers to the protocols that
mediate network access. It is a framework to control user access, implement policies, and keep
track of all activities in the network. Two network protocols provide AAA functionality, namely
RADIUS and Diameter.
 Authentication ascertains whether a user is legitimate to use the system and the network. It
requires a login and password.
 Authorization refers to access control rights: every user on the network can access only certain
data and information, depending on his/her level in the organization.
 Accounting gathers all activity on the network for each user.

What is IPS in network security?
Ans. IPS stands for Intrusion Prevention System. It is also known as an Intrusion Detection and
Prevention System (IDPS). An IPS tracks the network for any suspicious or malicious activity
attempting to exploit a known vulnerability. It identifies such activity and then either detects and
reports it (IDS) or prevents it (IPS). Some of the approaches to prevent intrusions are
signature-based, protocol-based, anomaly-based, and policy-based IPS.
The IPS reports such events to system administrators and takes preventative action, such as closing
access points and configuring firewalls to prevent future attacks.

What are the potential consequences of a network security attack for an organization?
Ans. A network security attack can result in irreversible damage to the organization. Some of the
potential outcomes of a network security attack are:
 Loss of sensitive information and proprietary data
 Reduction in profits
 Loss of value with shareholders
 Loss of reputation
 Deterioration of brand value
 Reduced trust with customers

What are Administrator Privileges? Why are they required when trying to install a download?
Ans. Administrative privileges refer to the permissions granted by administrators to users. These
privileges enable them to create, delete, and modify items and settings.
Without administrative privileges, we cannot perform many system modifications, such as
installing software or changing network settings. If we don’t have administrator privileges, then
we may be able to use a program, but not upgrade it.
What is network encryption? How does it work?
Ans. Network encryption is the process of encrypting or encoding data and messages transmitted
over a computer network. It includes various tools, techniques, and standards to ensure that
messages are unreadable while they are in transit between two or more network nodes.
Network encryption helps in maintaining the confidentiality of information transmitted over a
network by making it difficult for unauthorized agents to obtain the information, understand it,
or get anything useful from it if they intercept it in transit. Each message is sent in an
encrypted form and is decrypted and converted back into its original form at the recipient’s end
using encryption/decryption keys.

What do you mean by the CIA Triad?
Ans. CIA stands for Confidentiality, Integrity, and Availability. CIA or the CIA Triad is a popular
model that is designed to maintain privacy policies for information security in organizations.
Security professionals evaluate threats after assessing their potential impact on the confidentiality,
integrity, and availability of the organization’s assets. A network is secure only when it possesses
the components that constitute the CIA Triad.
 Confidentiality refers to an organization’s efforts to keep its data private or secret. Thus,
only those who are authorized have access to specific assets, while those who are
unauthorized are prevented from accessing them.
 Integrity refers to ensuring that data is authentic and reliable, and that it has not been
tampered with.
 Availability refers to ensuring that systems, applications, and data are up and running, and
that authorized users have access to resources when they are needed.

What are the benefits of a firewall?
Ans. The benefits of firewalls are:
 Monitors network traffic
 Enhances privacy
 Stops spyware
 Prevents hacking
 Inhibits virus attacks

Why does Active FTP not work with network firewalls?
Ans. Initiating a connection with an FTP server establishes two TCP connections. The second
TCP connection (the FTP data connection) is initiated and established from the FTP server. If a
firewall is between the FTP client and server, it will block the connection initiated from the FTP
server because it is a connection initiated from outside. Thus, Passive FTP can be used, or the
firewall rule can be modified to add the FTP server as trusted.
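The two-connection behaviour above can be traced with a small model of a stateful border firewall. This is an added example, not code from the course notes: the LAN range, client and server addresses and port numbers are constructed, and the firewall is reduced to the one rule that matters here (connections initiated from inside are allowed and tracked; connections initiated from outside are dropped unless the source is on an explicit trust list). The same model shows why both workarounds named in the answer work.

```python
"""Why active FTP fails through a stateful firewall, and why the two fixes work.

Added example with constructed addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")   # assumed protected LAN behind the firewall
CLIENT = "192.168.1.10"                  # constructed FTP client address (inside)
SERVER = "203.0.113.5"                   # constructed FTP server address (outside)


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Minimal model: a new connection passes when it is initiated from inside,
    or when its source address is explicitly trusted; any other connection
    initiated from outside is dropped."""

    def __init__(self, trusted_sources=()):
        self.trusted_sources = set(trusted_sources)
        self.state = set()   # connections the firewall has accepted

    def new_connection(self, c: Conn) -> bool:
        inside_src = ip_address(c.src) in INSIDE
        inside_dst = ip_address(c.dst) in INSIDE
        if inside_src and not inside_dst:              # outbound: allow and track
            self.state.add(c)
            return True
        if not inside_src and c.src in self.trusted_sources:   # explicit permit
            self.state.add(c)
            return True
        return False                                   # inbound-initiated: drop


def active_ftp(fw: StatefulFirewall):
    """Control channel opened by the client; data channel opened by the
    server from port 20 back to a client port.  Returns (control, data)."""
    control = fw.new_connection(Conn(CLIENT, 40001, SERVER, 21))
    data = fw.new_connection(Conn(SERVER, 20, CLIENT, 40002))
    return control, data


def passive_ftp(fw: StatefulFirewall):
    """Both channels opened by the client; the server only announces a high
    port for the data channel.  Returns (control, data)."""
    control = fw.new_connection(Conn(CLIENT, 40001, SERVER, 21))
    data = fw.new_connection(Conn(CLIENT, 40002, SERVER, 50123))
    return control, data


if __name__ == "__main__":
    print("active FTP, default policy :", active_ftp(StatefulFirewall()))
    print("passive FTP, default policy:", passive_ftp(StatefulFirewall()))
    print("active FTP, server trusted :", active_ftp(StatefulFirewall({SERVER})))
```

With the default policy the active-mode data channel is the only connection that fails, because it is the only one initiated from outside. Passive mode avoids the problem by letting the client open both channels; trusting the server's address lets the server-initiated channel through but also admits any other connection from that address, so passive mode is the tighter choice.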

What is a DDoS attack?


Ans. A DDoS or Distributed-Denial-of-Service attack is a cyber-attack in which the central server
is continuously flooded with frequent data requests. Such attacks intend to disrupt the target system
and business. In a DDoS attack, the hackers make a network resource (a website or computer
system) unavailable to its users by disrupting the services of a host connected to the Internet. It is
done by flooding or crashing the website with too much traffic.

What are the types of DDoS attacks?
Ans. There are three basic categories of DDoS attacks:
 Volume-based attacks – they use high traffic to overload the network bandwidth
 Protocol attacks – their objective is to exhaust server resources
 Application attacks – they focus on web applications and are the most serious type of
attack
Different types of attacks fall into these categories based on the traffic quantity and the
vulnerabilities being targeted. Here are some popular types of DDoS attacks:
 ICMP (Ping) Flood
 SYN Flood
 NTP Amplification
 HTTP Flood
 Zero-day DDoS attacks
 UDP Flood
 Smurf Attack
 Fraggle Attack
 Slowloris

What is Phishing?
Ans. Phishing is the fraudulent practice of sending emails, calls, or text messages to targets that
appear to come from a reputable source. It is a cybercrime that tricks the target into sharing
passwords, credit card numbers, and other sensitive information, or into installing malware on
the victim’s machine, by posing as a trusted source. It is a type of social engineering attack.

How does phishing work?
Ans. Phishing is a type of social engineering attack that enables hackers to steal the victim’s
sensitive data, such as login credentials and credit card numbers. It starts with a fraudulent email
or other communication, like a text message, that is created to tempt a victim. The
communication looks as if it has come from a trusted source.
The phishers dupe victims into opening those emails or text messages, and the victim is coaxed
into providing confidential information, leading to devastating results.
Apart from stealing sensitive data, hackers can infect computers with viruses and convince victims
to participate in money laundering.

What are the different types of phishing attacks?


Ans. The different types of phishing attacks are:

1. Email Phishing: This is the most common type of Phishing. The phisher will register a
fake domain that looks like a genuine source and send generic requests to obtain
confidential information from the victims. Phishers use the data to steal money or to launch
other attacks.
2. Spear Phishing: It targets specific individuals instead of a wide group of people after
searching the victims on social media and other sites to customize their communications
and appear more authentic.
3. Whaling: In this, the attackers go after those working in senior positions. Attackers spend
considerable time profiling the target to find the best time as well as the means of stealing
their sensitive information.
4. Smishing and Vishing: In smishing, the victim is contacted through text messages while
vishing involves a telephonic conversation. The end goal of both is the same as any other
kind of phishing attack.

What does VPN stand for? State its use and types.
Ans. VPN stands for Virtual Private Network. It creates a secure network connection over a
public network like the internet.
A VPN is an encrypted connection over the Internet from a device to a network. It provides
online privacy and anonymity by creating a private network from a public internet connection.
It prevents unauthorized people from spying on the traffic and allows the user to conduct work
remotely.
The different types of VPNs are:
 Remote access
 Site-to-site

What is Shadow IT?


Ans. Shadow IT refers to the use of information technology systems, software, devices,
applications, and services without informing the organization’s IT or security group. It includes
the projects that are managed outside of, and without the knowledge of the organization’s IT
department. This practice has grown exponentially lately with the adoption of cloud-based
applications and services. Shadow IT can introduce serious security risks to the organization
through data leaks and potential compliance violations.
Give some examples of Shadow IT.
Ans. Shadow IT consists of all activities and purchases related to IT that the IT department is
unaware of. It includes all those projects that are conducted out of compliance with official
company policies. The examples of Shadow IT purchases include:

 Hardware: PCs, laptops, tablets, servers, flash drives, external drives, and smartphones
 Productivity apps: Trello and Slack
 Communication apps: Skype and VOIP
 Packaged software
 Cloud Services: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and
Platform as a Service (PaaS)
Is a network engineer a good career?
Ans. Nowadays, organizations look for network security professionals to protect their business
from threats and safeguard sensitive data like personal information. Network security jobs have
become one of the most in-demand jobs in the IT industry today. Despite a strong demand for
network engineers, there is a shortage of qualified professionals who can take up that role.
Moreover, salary and advancement opportunities are great. Thus, a network engineer job can be
an exciting and lucrative career choice.
What are some of the popular job titles in the network security field?
Ans. Some of the popular job titles in the network security domain are –

1. Network Engineer
2. Systems Engineer
3. Network Architect
4. Network Support
5. Systems Support Engineer
6. Network Administrator.
What does a network security professional do?
Ans. Network security professionals protect the IT infrastructure of organizations. They make the
network more secure by using various tools, such as intrusion detection systems, encryption, and
digital certificates.
What is the salary of a network engineer in India?
Ans. As per AmbitionBox, the average salary of a network engineer is Rs. 3.2 Lakh per year in
India.
What are the key skills required for network security professionals?
Ans. The key skills required for a network security professional are –
Technical Skills –
1. Knowledge of Secure Network Architecture
2. Threat Modeling Knowledge
3. Knowledge of Virtualization Technologies
4. Understanding of Cloud Security
5. Proficiency in Vulnerability Testing
6. Understanding of Secure Coding Practices
7. Knowledge of Security Frameworks, Firewalls, and Data Encryption Programs
Soft Skills –
1. Interpersonal Skills
2. Communication
3. Innovation
4. Collaboration
5. Problem-solving
What are the major roles and responsibilities of a network engineer?
Ans. Major roles and responsibilities of a network engineer include –
1. Designing and implementing new network solutions
2. Installing and configuring network equipment
3. Improving the efficiency of current networks
4. Procuring network equipment and managing subcontractors involved with network
installation
5. Maximizing network efficiency
6. Monitoring network performance and troubleshooting
7. Identifying faults in the network
8. Upgrading network equipment
9. Reporting network status to key stakeholders
How would you educate your colleagues about best practices for preventing security
breaches?

IT professionals who work with network security need to be able to establish standards for how
their colleagues and other users interact with a network. Educating others about how to preserve a
network's integrity and protect their own data is one of the first steps toward preventing security
breaches. Example: "I would start by creating training documents to use in the onboarding process
so all new employees have the same expectations about device and password security. I would
also clearly post any security requirements to make it easy for all employees to reference."

What is the meaning of confidentiality, integrity and availability in IT?

These three characteristics of information security, also known as the "CIA triad," are the basis
of any IT security program. Example: "Confidentiality refers to keeping information private
between authorized users. IT security measures can help keep sensitive information confidential
and protect client privacy. Integrity involves the accuracy and quality of network data, including
preventing outside users from editing and altering information. Availability involves ensuring
that authorized users can securely access information to facilitate operations."

What does it mean if your network experiences frequent, substantial cyberattack attempts?

This question addresses your knowledge of what makes a system attractive to hackers and other
threats. Network security experts should be able to determine the root cause of unusual behavior
alongside their primary role of preserving data integrity. Example: "Dealing with basic port scan
attacks, worms and viruses is a standard part of managing network security, but more serious
attacks can indicate a problem with the entire security system. If I noticed an increase in severe
cyberattacks, I would determine how the potential attacks would affect the network and establish
changes to protect those elements of the IT system."

How do you accurately diagnose and discuss network issues over the phone?

Network security professionals may have to provide direct IT support to clients, customers or
colleagues that are experiencing network problems. This question targets your ability to
communicate with others over the phone about complex network security programs. Example: "I
ask specific questions to the other person and verify their answers, carefully describing how their
screen should look at each step in the troubleshooting process."

What time management strategies would you use to balance the many aspects of network
security?

Managing network security involves a range of passive and active responsibilities, so potential
employers may ask about your time management, multitasking and organizational abilities.
Example: "I would sort my tasks by severity, with active network problems taking highest
priority. I predict how much time each network security ticket might take, then schedule
maintenance, patches and updates during downtime."
What are some of the possible consequences of poor network security?

Interviewers ask this question to ensure that you understand the impact of your work as a network
security professional. By identifying the impact of poor security practices, you can demonstrate
your ability to avoid those issues. Example: "Poor network security practices can cause a loss of
sensitive information, mistrust among customers, interruptions in network security and a decrease
in profits from inconsistent IT resources."

What procedures have you used to prevent phishing in your previous positions?

When working with network security, you may encounter phishing attempts where hackers try to
trick users into sharing information or downloading a virus. Interviewers may ask about phishing
to ensure you understand how social engineering and human error can impact a network's security.
Example: "In my last position, I scheduled mock phishing attempts to determine how many people
on staff would click an unsafe link, then used the data from the test scenario to send out helpful
tips on identifying scams."

REVISION QUESTIONS

1) Automation plays an essential role in server configuration management, as the mechanism
makes the server reach a desirable state previously defined by provisioning scripts using a
tool’s specific language and features. Discuss three benefits of configuration management
for servers. [6 marks]
2) Umma is intending to employ a network system administrator to monitor the computing
environment. Describe any five ethical considerations to be factored in while hiring a system
administrator. [5 marks]
3) An Active Directory structure has two aspects of components. Briefly describe the two
aspects. [5 marks]
4) Differentiate between a local user account and a domain user account as applied in
networking. [4 marks]
5) There are many configuration tools available in the market, each one with a different set of
features and different complexity levels. Describe factors to be considered before choosing a
configuration management tool. [8 marks]
6) Dynamic Host Configuration Protocol (DHCP) automatically provides an Internet Protocol
(IP) host with its IP address and other related configuration information such as the subnet
mask and default gateway, hence reducing network administration. Discuss five features that
enable DHCP to reduce network administration. [10 marks]
7) Microsoft Active Directory offers some features that make it a highly flexible directory
service. Discuss the five major features. [10 marks]
8) Define network troubleshooting and discuss three major troubleshooting techniques as
applied in networking. [8 marks]
9) Discuss three major functions of a domain controller as applied in Active Directory’s physical
structure. [6 marks]
10) System administrators use a Group Policy Object (GPO) to configure user and computer
operating environments remotely. State the functions of group policies. [4 marks]
11) Describe four software tools that can help in solving network connectivity problems. [4
marks]
12) Describe what an information security blueprint is, identify its major components and explain
how it supports the information security program. (15 marks)
13) Explain the packet-filtering router rule set. (5 marks)
14) Alice and Bob wish to share a private message, each of them having two separate keys
generated. What strategy will enable them to achieve confidentiality, key management and
authentication for the conversation between Alice and Bob? (10 marks)
15) Network addresses are designed to be unique across the network, although some networks
allow for local, private addresses or locally administered addresses that may not be
unique. Briefly discuss the difference between class A, class B and class C addresses. [6
marks]
16) Differentiate between Domain Name Service (DNS) and Windows Internet Name Service
(WINS). [4 marks]
17) Describe the role of NetBIOS (Network Basic Input/Output System) as applied in
networking. [3 marks]
18) What is a Virtual Private Network (VPN)? Explain briefly what a VPN is, and how, in
general terms, it is implemented.
19) What is network security, and how does network security work?
20) What are the different types of network security?
21) Discuss intrusion prevention systems (IPS).
22) Discuss network planning.
23) State and explain various network devices.
24) Briefly discuss troubleshooting.
25) State and explain any seven network tools.
26) Discuss risk management in networking.
27) Discuss IP addressing.
28) What is meant by intrusion detection? Describe briefly, mentioning the role of signature
detection.
29) Imagine yourself as the sysadmin of a server which has been successfully attacked
(hacked). You have just discovered the break-in, and the attacker seems to still be
“occupying” the system. (i) How would you expect to become aware of the successful break-
in? That is, what “observable phenomena” would lead you to the conclusion that a computer
system had been compromised? Explain briefly. (ii) What, in general terms, would normally
be your first few actions on discovering the break-in? Explain briefly why you would take
these actions. (iii) Normally you will subject the compromised system to a forensic analysis
before repairing it and returning it to production use. Give an overview of the actions you
would take in preparing the system for analysis, and briefly describe the steps in performing
the analysis.
30) You have been given the IP address 182.25.18.5. Determine the network address, the range
of addresses you can assign to individual hosts, the broadcast address, the network address
and the subnet mask. (5 marks)
31) The Caesar cipher is a secret key encryption technique that uses a set of functions and
procedures to convert plaintext into ciphertext using a substitution technique. Use the
Caesar cipher substitution technique to convert the following plaintext into the
corresponding ciphertext. Show the steps clearly. Plaintext: COMMANDER. (5 marks)
32) Describe the steps necessary to recover from an information security incident which has
been identified in a network. (10 marks)
33) List and describe the components of a network security program. (8 marks)
34) Explain the processes of:
(i) Terminating a UTP cable. (3 marks)
(ii) Assigning and configuring IP addresses in an organization. (3 marks)
35) Define a network operating system (NOS) and give two examples of a NOS. (3 marks)
36) Define phishing and discuss its types in network security. (6 marks)
37) Filtering TCP incoming or outgoing connections at a border router is very simple. How so?
Explain briefly.
38) What is NAT and how (briefly) does it work?
39) Describe, with diagrams and adequate justification, the best network media that can be
applied in the following areas:
(i) Hilly and uneven terrain that experiences heavy torrential rains. (3 marks)
(ii) Areas with transformers, generators and other heavy machinery. (3 marks)
40) As a network security professional, calculate the highest amount that could be recommended
for investment annually on a countermeasure for protecting assets valued at US$1 million
from a potential threat with an annualized rate of occurrence (ARO) of once every 5 years
and an exposure factor of 10%. (6 marks)
41) Explain the steps necessary for establishing an encrypted session using a Data Encryption
Standard (DES) key. (5 marks)
42) Explain the process of vulnerability identification and assessment for different threats in a
network. (7 marks)
43) Describe, while giving examples, any THREE types of controls that can be used to manage
security risks in an organization. [6 marks]
44) Justify, by giving FOUR reasons, why a network administrator may decide to create
VLANs in a network. [4 marks]
45) Discuss any four considerations during network planning. [4 marks]
46) Historically, many computer systems have been successfully compromised using techniques
which rely on guessing (or otherwise discovering) passwords. Briefly explain the meaning of
each of the following terms which are related to these kinds of attacks: (i) “joe” accounts (ii)
packet sniffing (iii) dictionary-based attack
47) What is a rootkit, and what does it typically provide to an attacker? Explain very briefly.
48) You have an IP address of 156.233.42.56 with a subnet mask of 7 bits. Determine the possible
number of hosts and subnets. Show your workings. (6 marks)
49) In a given network, many devices share the same piece of network media; devices vie for
time on the cable through a process called media access. Discuss the three (3) media access
methods. (15 marks)
50) Network requirements translate into four (4) primary network design goals. Explain each.
(6 marks)
51) According to the International Standards Organization, the network management process
consists of five (5) main areas. Discuss each. (10 marks)
52) Explain any three (3) reasons that may compel a network engineer to opt for a wireless
network implementation in place of a cabled network implementation. (6 marks)
53) Describe any four (4) network status monitoring tools. (6 marks)
54) Explain fault management in the context of networking and hence describe the steps involved
in it. (8 marks)
55) Explain any four (4) reasons that may lead to subnetting or segmenting of a network. (6
marks)
56) Discuss any four (4) features of the TCP/IP protocol that make it the most suitable protocol for
communication over the internet. (6 marks)
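Questions 15, 30 and 48 above all turn on the same classful subnetting arithmetic. The following is an added worked example, not part of the course notes: it uses Python's standard `ipaddress` module to derive the network address, host range, broadcast address and mask from an address's class (question 30), and the number of subnets and hosts per subnet when bits are borrowed from the host portion (question 48). It assumes the classful reading of the questions: the default mask follows the first octet (/8, /16, /24 for classes A, B, C), and "a subnet mask of 7 bits" means seven bits borrowed beyond the default mask.

```python
"""Classful subnet calculations for the revision questions (added example)."""
from ipaddress import ip_network


def address_class(ip: str):
    """Return (class letter, default prefix length) from the first octet."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A", 8
    if first < 192:
        return "B", 16
    if first < 224:
        return "C", 24
    raise ValueError("class D/E addresses have no default host mask")


def subnet_info(ip: str, subnet_bits: int = 0) -> dict:
    """Describe the subnet containing ip when subnet_bits are borrowed from
    the classful host portion (0 means the plain default class mask)."""
    cls, base = address_class(ip)
    prefix = base + subnet_bits
    if prefix > 30:
        raise ValueError("fewer than two host bits left; no usable host range")
    # strict=False lets ip_network zero the host bits for us.
    net = ip_network(f"{ip}/{prefix}", strict=False)
    return {
        "class": cls,
        "prefix": prefix,
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net[1]),         # network address + 1
        "last_host": str(net[-2]),         # broadcast address - 1
        "subnets": 2 ** subnet_bits,
        "hosts_per_subnet": net.num_addresses - 2,   # minus network and broadcast
    }


if __name__ == "__main__":
    # Question 30: default class B mask.
    for k, v in subnet_info("182.25.18.5").items():
        print(f"{k:>17}: {v}")
    print()
    # Question 48: class B with 7 borrowed bits (/23).
    for k, v in subnet_info("156.233.42.56", subnet_bits=7).items():
        print(f"{k:>17}: {v}")
```

For 182.25.18.5 the first octet (182) places it in class B, so the mask is 255.255.0.0, the network is 182.25.0.0, hosts run from 182.25.0.1 to 182.25.255.254 and the broadcast is 182.25.255.255. For 156.233.42.56 with seven borrowed bits the prefix becomes /23: 2^7 = 128 subnets, each with 2^9 - 2 = 510 usable hosts; the address sits in 156.233.42.0/23. Modern networks use classless (CIDR) addressing, where the prefix length is given explicitly rather than implied by the first octet, but the host-range and broadcast calculations are identical.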