Thursday, October 3, 2019

Different Types Of Network Devices

Different Types Of Network Devices Infrastructure security depends on the correct use of the network components. Network components are an essential aspect of the computing environment to improve the performance and security. The network components such as routers, switches and cables connect to the firewalls and gateways that manage communication from the network design to the protocols employed. If security fails then the availability of the system fails. Security failures can occur in two ways as follows: 1. Sometimes unauthorised users access the resources and data, which they are not authorised to use. 2. Security failure prevents the user from accessing the resources and data, the user is authorised to use. Both these security failures are serious. Hence, primary goal of network infrastructure security is to allow all authorised usage and deny all unauthorised usage of resources. 8.2 Devices Todays business environment consists of not only clients and servers but also network devices that are required to connect them. These network devices are called communication devices. These devices are hubs, switches, routers, LAN cards, gateway, modem, hardware firewall and so on. This also includes wireless access points, special-purpose devices such as Virtual Private Network (VPN) devices. Each of these devices has a specific network functions and plays an important role in maintaining network infrastructure security. 8.2.1 Workstations The workstations are client computers in the client-server architecture. This device is used to send and receive e-mail, to create spreadsheets, to write report in a word processing program and to play game. Many threats to information security can start at a workstation when it is connected to a network. Workstation security can be maintained by following basic steps as follows: Remove all share point that is not required. Rename the administrator account and secured it with a strong password. Remove unnecessary user accounts. Install an antivirus program and keep it updated. Disable USB ports in CMOS settings to restrict data transfer through USB devices. Install firewall between the machine and the Internet. Install latest patch for the operating system (OS) and keep the OS up to date. 8.2.2 Servers Servers are the computers in a network that host applications and data for users to share. Servers are available in many sizes, from small single CPU systems to multiple CPU systems such as mainframe computers. Servers use operating system such as Windows Server, Linux, UNIX and other mainframe operating systems. Server OS is more robust than the workstation OS and is designed to service multiple users over a network at the same time. Workstation security basic steps are applicable to server as well. 8.2.3 Network Interface Cards Network Interface Card (NIC) is a hardware device used to connect a server or workstation to a network. A NIC is used for particular type of network connection, either ethernet or token ring. In local area networks, ethernet protocol is the most common network type in use and RJ-45 is most common connector. A NIC is the physical connection between a computer and the network. NICs are available as single-port and multiport NIC. Workstation use single-port NIC, as only a single network connection is required. Whereas, server use multiport NIC to increase the number of network connections that increases the data throughput to and from the network. Every NIC has a 48-bit unique number, referred to as a Media Access Control (MAC) address which is stored in Read Only Memory (ROM). MAC address is used in the addressing and delivery of network packets to the correct system. 8.2.4 Hubs Hub is a central connecting device in a computer network. It connects multiple machines together in a star configuration with the hub as the centre. Hub broadcasts all data packets that are received, to all LAN cards in a network. The intended recipient picks the data and all other computers discard the data packets. Hub has five, eight, sixteen and more ports. One of the ports is called uplink port and this port is used to connect with the next hub. 8.2.5 Bridges Bridges operate at the data link layer of the OSI model. Bridges check the incoming traffic and decide whether to forward or discard it. 8.2.6 Switches Switches are a type of networking device similar to hubs, which connect network equipment together. In todays high-performance network environment switches have replaced both hubs and bridges. Switches operate at the data link layer of the OSI model. It uses MAC address of network cards to route packets to the correct port. Switches are intelligent network devices and are therefore can get hijacked by hackers. Switches are administered using the Simple Network Management Protocol (SNMP) and telnet protocol. Both the protocols have a serious weakness. These two protocols send passwords across the networks in clear text. In such instances hacker can capture the administrative password. The major problem with the switch is that it ship with default passwords. If user does not change this password during setup, hacker can easily access it. Caution: To secure a switch, disable all access protocols other than a secure protocol such as Secure Shell (SSH). Use only secure methods to access switch will limit the exposure to hackers and malicious users. 8.2.7 Routers Router connects two or more computer networks and then exchanges packets of data between them. Each data packet contains address information that a router can use to determine if the source and destination are on the same network, or if the data packet must be transferred from one network to another. Routers operate at the network layer of the OSI model. It has two or more network interfaces through which network traffic is forwarded or blocked. They are used to segment networks into smaller subnets or to link multiple networks together. The router decides how and when to forward packets between the networks based on an internal routing table. Routing table tells the router which packets to forward. Routers allow technicians to explicitly deny some packets the ability to be forwarded between segments. For example, internal security features of some routers can prevent users on the internal network from using telnet to access external system. Telnet is always a security risk as the passwords and all communications are transmitted in clear text. Hence, do not create telnet sessions between the internal network and an external network. Router has the ability to block spoofed packets. Spoofed packets are packets that contain an IP address in the header which is not the actual IP address of the source computer. Hackers used this technique to fool the systems showing that the packet came from an authorised system whereas, it actually came from the hackers system. Router has the ability to drop such packets. Routers are available in various sizes, small and big and from different vendors. Small router is used with cable modem and DSL service. (Figure). Larger routers handle traffic of up to tens of gigabytes per second per channel, using fibre optic cables and moving tens of thousands of concurrent Internet connections across the network. 8.2.8 Firewalls A firewall is hardware or a software program that is used to protect an internal network from outside intruders. It is much like a wall with a window. The wall keeps things out, except those permitted through the window. (Figure.). Network security policies act like a glass in the window. Security policies define what traffic is permissible and what traffic is to be blocked or denied. For example, Web server connected to the Internet may be configured to allow traffic only on port 80 for HTTP and have all other ports blocked. Firewall allows only the necessary access for a function, and block or denies all unnecessary functions. 8.2.9 Wireless In wireless device, radio waves or infrared carry data, that allows anyone within range access to the data. Placing a wireless device behind the firewall does not serve, as firewall stops only physically connected traffic from reaching the device. The devices associated with wireless networking are wireless access points. The wireless network cards are used to communicate with the access points. (Figure). Wireless access points have a limited range within which they can communicate with the client systems. When planning a wireless implementation within a new construction, make sure that the external walls contain metal studs that are grounded. Create wireless shield by using thin layers of aluminium under the drywall. This will block radio transmission into and out of the building. This will also interfere with pager and cellular phone usage. Note: Applying secure transmission protocols and configuring the wireless access point to only accept authorised connections will help in securing a network. 8.2.10 Modems Modulator and Demodulator (Modem) converts analogue signals to digital and vice versa. Modems are slow method of remote connection that is used to connect client computers to remote services over standard telephone lines. Modems are becoming less necessary, but many corporate systems still have modems installed for remote access. In corporate network, modems are located in Remote Access Service (RAS) servers and fax servers. Corporate users remotely access their system configuring modem in their PC. This is done when no other remote access solution is available or the existing remote access solution is inconvenient. These types of situations can provide an intruder the entry point to a network. The best solution to avoid this is to implement a security policy to control the installation of modems on corporate systems. Also verify that systems which need modems are properly secure. 8.2.11 Telecom/PBX In the IT security field Telecommunication (Telecom) is often overlooked. Most small companies use a small number of dedicated telephone lines for both incoming and outgoing calls. However, in larger companies having dedicated lines for thousands of employees is both inefficient and expensive. Hence, to overcome these problems install a Private Branch eXchange (PBX). A PBX is a device that handles routing of internal and external telephone lines. This allows a company to have limited number of external lines and an unlimited number of internal lines. PBX systems are cost beneficial to large companies but they also have their own vulnerabilities. PBX s is designed to be maintained by an offsite vendor and therefore have remote access available. The remote access can be through a modem or through a LAN. Hence, disable these remote access methods to limit the susceptibility to direct remote access attacks until the vendor is notified that they need to perform maintenance or prepare an update. 8.2.12 RAS Remote Access Service (RAS) connects the client and server through a dial-up telephone connection. It is slower than cable and Digital subscriber line (DSL) connection. When a user dials into the computer system, authentication and authorisation are performed through a remote access protocols. RAS servers offer security feature such as mandatory callback. This allows server to call back to the client at a set of telephone number for the data exchange. For more information on remote access protocols refer chapter 9, Authentication and Remote Access 8.2.13 VPN VPN allows users to create a secure tunnel through an unsecured network to connect to their corporate network. In large environments, VPNs are less expensive to implement and maintain than RAS servers, because there is no incoming telephone line or modem. In addition, a higher level of security can be implemented as communications are encrypted to create a secure tunnel. 8.2.14 Intrusion Detection Systems Intrusion Detection Systems (IDS) is a device designed to monitor network or system activities for malicious activities or policy violations. They are an essential part of network security. There are two main types of IDS that are used: network-based IDS and host-based IDS. For more information on intrusion detection systems refer chapter 11, Intrusion Detection Systems 8.2.15 Network Access Control Network Access Control is a method of network security that restricts the availability of network resources to endpoint devices as defined in the security policy. There are two main competing methodologies exist: Network Access Protection (NAP) and Network Admission Control (NAC). NAP is a Microsoft technology that controls network access of a computer host whereas, NAC is Ciscos technology that controls network admission. 8.2.16 Network Monitoring or Diagnostic The computer network needs continuous monitoring or diagnostic routine to keep administrators aware of the status of the network and allow them to take corrective actions to potential problems. This can be done through monitoring software or dedicated devices located on the network. Network monitoring or diagnostic equipment that is remotely accessible uses strong password and encrypted sessions to handle security vulnerabilities. 8.2.17 Mobile Devices Mobile phones and Personal Digital Assistants (PDAs) are the latest devices used to send and receive e-mail, connect to remote network applications, browsing the Web and so on. Many of the devices have word processor and spreadsheet applications and the ability to store limited amounts of data. Since these devices can be connected to the Internet, they are remotely accessible to potential attackers. Hence, use data encryption which is available in newer mobile devices built into their OS or use third-party software. 8.3 Media Media is used for transmitting data to and from network devices. The media can be either in the form of wire, fibre or radio frequency waves. There are four common methods used to connect devices at the physical layer as follows: Coaxial Cable Twisted-pair Cable Fibre Optics Wireless Coaxial Cable Coaxial cables are used for cabling televisions, radio sets and computer networks. The cable is referred to as coaxial because both the centre wire and the braided metal shield share a common axis. It is less susceptible to interference. Today, coaxial cable is replaced by faster and cheaper twisted-pair cable. UTP/STP Twisted pair cables replaced coaxial cables in ethernet networks. Single pairs of twisted cables reduce electrical crosstalk and electromagnetic interference. Multiple groups of twisted pairs are then bundled together and easily wired between devices. Twisted pairs are of two types: Unshielded Twisted Pair (UTP) and Shielded Twisted Pair (STP). STP has a foil shield around the pairs to provide extra shielding from electromagnetic interference. Whereas, in UTP twist itself eliminates interference. Depending upon the data transmission, twisted pair cables are classified into three different categories as follows: Category 3 (Cat 3) It is used for data and voice transmission and for 10Mbps Ethernet. Category 5 (Cat 5/ Cat 5e) It is used for 100 Mbps fast ethernet. Cat 5e is an enhanced version of the Cat 5 specification to address far end crosstalk. Category 6 (Cat 6) It is used for gigabit ethernet. Fibre Fibre is a very thin piece of glass or plastic that has been stretched out and enclosed in a sheath. Fibre optic cable uses beams of laser light to connect devices. It transfers data over long distances and at higher speeds. Since it does not contain any metal part to conduct current, it is not vulnerable to electromagnetic interference. This also protects it from lightening strikes. Two major drawbacks using these cables are their high cost. Other drawback is the connection has to be optically perfect or performance will be downgraded or the cable may not work. Figure: Unguided Media Unguided media does not use any physical connector between the two devices for communication. The data transmission and reception is through the air or antenna and is referred to as wireless. The three types of wireless media are as follows: Radio waves Microwaves Infrared waves 8.4 Transmission Media Security 8.5 Removable Media Removable media is a type of storage device that can be removed from a computer while the system is running. These media introduces virus when they are attached back to the network. Theft or loss of organisation secret information stored on a media can be severe financial problem or it will effect on organisations reputation. These issues can be rectified by using security policies and software. The removable media are of three types: magnetic, optical and flash memory. Magnetic Media Magnetic media devices are hard drives, floppy disks, zip disks and magnetic tape. Each device is sensitive to external magnetic field. These devices are also affected by the high temperatures and by exposure to water. For the security concern about the critical and important organisational data, do not allow users to bring floppy disk inside the organisation, as they could contain viruses or other malicious programs. Another security policy can be applied by removing floppy disk drive from users computers. Encrypting the contents of a hard drive and tape ensures the security of data. Optical Media Optical media such as CD, DVD, blu-ray and optical jukebox hold the data in digital form. The data on the physical media is read and write by laser. Optical disks are not vulnerable to magnets hence, they are more reliable and durable than the magnetic tape. CDs are very vulnerable to being scratched. If the plastic disk from the media is scratched too much, the laser will be unable to reflect through the plastic and the data will not be readable. For security of data, do not allow personal CDs inside office premises. Only authorised users should have the access to these devices and for other users these devices should be disabled or physically removed from the computers. Electronic Media The electronic media uses integrated circuit technology to store the data hence they are more stable. Since these devices are small and portable, they can be used to store limited amounts of data when portability or reliability are key necessities. Smart cards, flash cards, memory sticks and CompactFlash devices are examples of electronic media. These devices are commonly used in digital cameras, mobile phones, MP3 player, video game consoles and so on. These devices are also used to transfer data between computers. Hence, they can easily carry the virus and worms with data. For security purpose run the antivirus software before transferring any data. 8.6 Security Topologies Multiple hardware devices are connected within a network and a key characteristics of a network is its layout or topology. Security topology is implemented in such a way that it provides the internal security and public access. For example, to place an online order the organisation will require Web servers which can be accessed by the users. Then the Web servers will require access to internal database servers and internal users will require access to different servers and Internet. 8.6.1 Security Zones Modern secure network have different layers of protection with outermost layer provides basic protection and the innermost layer provides the highest level of protection. Trade-offs between access and security are handled through zones with successive zones guarded by firewalls. The outmost zone is the Internet is guarded by the firewall. The internal secure corporate network and the Internet is an area where computers are considered at risk. This zone is called as Demilitarised Zone (DMZ). DMZ DMZ acts as a buffer zone between the Internet and organisations internal secure network. To differentiate the zones, a firewall is placed at both sides of the DMZ. The firewalls are placed in such a way that the Internet users cannot directly access the organisations secure data (Refer to Figure ). Web servers, remote access server and external e-mail servers are fall in DMZ area. Domain name servers and database servers which has organisation important data should not be accessible to the Internet users. As well as application servers, file servers and print servers of trusted network zone should be placed behind both the firewalls. The main idea behind using the DMZ topology is to force an outside user to get across DMZ before user can access information inside the trusted network zone. Internet The Internet is a worldwide connection of networks. It is used to transfer e-mail, Web pages, files, financial records between networks. It is an untrusted network as it is not possible to apply security policies. Hence a firewall should be present between organisations trusted network and the Internet. Intranet Intranet resides inside the trusted area of a network and network administrators can manage its security. Intranet Web servers contents are not available to the Internet users. The organisation data can be published to outside users with two methods as follows: 1. Information can be duplicated onto computers in the DMZ so that untrusted users can access it 2. Extranets can be used to publish data to trusted users. Extranet Extranet allows outside users such as companys partners, vendors, customers and resellers to share some of the business information with authentication and authorization. Extranet allows to access data available on the intranet mainly in the DMZ. To provide security and privacy of the information, extranet requires firewall server management or digital certificates or user authentication, encryption of messages. To protect it from unauthorised access use the VPN. VLAN Virtual LAN (VLAN) is network of computers and these computers are connected to the same broadcast domain, even though they are physically located on different location. VLAN s are configured through software hence they are more flexible. When system is physically moved to different location, without any hardware reconfiguration the system stay on the same VLAN. Increased network performance, easy manageability, less configurations and higher security is the advantages of VLAN.   Note: A broadcast domain is a network (or portion of a network) that will receive a broadcast packet from any node located within that network. NAT Network Address Translation (NAT) is developed by Cisco. It is commonly used in TCP/IP network. It works at OSI layer 3 which is network layer. It uses two sets of IP addresses, one set for internal use and other for external use.   NAT is a feature of firewalls, proxies and routing capable systems. It has ability to hide the IP address and the internal network from the Internet users. This feature of NAT reduces the risk of strangers to collect important information about the network such as structure of a network, the network layout, the names and IP address of systems, and so on. Hence, they cannot gain access of the network. NAT enables internal users within an organisation to use nonroutable IP addresses which means that these IP addresses will not be routed across the Internet. These IP address is called private IP address. The private address ranges are as follows: Class A 10.0.0.0 10.255.255.255 Class B 172.16.0.0-172.31.255.255 Class C 192.168.0.0- 192.168.255.255 After NAT configuration, external malicious users can access only the IP address of the NAT host that is directly connected to the Internet. The users are not able to access any of the internal systems that go through the NAT host to access the Internet. When NAT is used to hide internal IP addresses (Refer to Figure), it is called a NAT firewall. Internal users communicate with outside networks through the NAT device such as NAT router (Refer to Figure). This NAT router has a routing table. This table keeps track of all connection requests that have come from internal network. Each outgoing request proceeds through NAT and replaces the internal users IP address with its own IP address. This IP address then forwards to the final destination. Returned packets look up in the routing table and forward the information to the correct internal user.   8.7 Chapter Review Questions 1. Which layer of the OSI model switches operate? (A) Physical layer (C) Network layer (B) Data link layer (D) Transport layer Ans: B 2. Which layer of the OSI model router operates? (A) Physical layer (C) Network layer (B) Data link layer (D) Transport layer Ans: C 3. DSL stands for ________. (A) Domain Subscriber Line (C) Digital Specific Line (B) Domain Specific Line (D) Digital Subscriber Line Ans: D 4. What should you do to secure data on the hard drive if the drive is removed from the site? (A) Encrypt the data (C) Archive the data (B) Compress the data (D) Keep strong password to log into all computers at the site Ans: A 5. Which is the most secure cable for implementing a secure network infrastructure? (A) Coaxial cable (C) Fibre cable (B) Twisted-pair cable (D) None of these Ans: C 6. What network topology area will contain public Web servers? (A) VPN (C) Firewall (B) VLAN (D) DMZ Ans: D 7. What network topology area will contain critical servers such as private Web servers, domain controllers or SQL servers? (A) Intranet (C) Internet (B) Extranet (D) DMZ Ans: A 8. What network topology area will allow business partners, customers to access the owners intranet? (A) Intranet (C) Internet (B) Extranet (D) DMZ Ans: B 9. Network access control is associated with which of the following? (A) NAT (C) IPv6 (B) IPsec (D) NAP Ans: D 10. The purpose of twisting the cables in twisted-pair circuits is to _____. (A) reduce crosstalk (C) increase bandwidth (B) increase speed (D) None of these Ans: A 8.7.1 Answers 1. B 2. C 3. D 4. A 5. C 6. D 7. A 8. B 9. D 10. A Summary In the chapter, Infrastructure Security, you learnt about Different types network devices such as Workstations, Servers, NIC, Hubs, Bridges, Switches, Routers, Firewalls, Wireless, Modems, Telecom/PBX, RAS, VPN, IDS, Network Access Control, Network Monitoring and Diagnostic and Mobile Devices. Different types of communication media between the devices such as Coaxial Cable, UTP/STP Cable, Fibre Cable and Unguided Media. Different types of removable media such as Magnetic Media, Optical Media and Electronic Media. Different types of security topologies such as DMZ, Internet, Intranet, Extranet, VLAN and NAT.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.