CompTIA Network+ Certification Study Guide part 4 pptx


can save their work to a dedicated server in a central location. This would keep everyone’s files on one or more servers, allowing their work to be kept secure and regularly backed up.

Decentralized (Distributed)

When a decentralized network model is used, a network’s resources are distributed through different areas of the network, and administration is shared by designating responsibility to system administrators or individual users. For example, printers may be scattered throughout an organization, with managers of each office being responsible for assigning permissions to user accounts to use specific printers. By sharing administrative burdens in this way, certain resources can now be managed by other members of the organization.

A decentralized network model has a variety of servers, equipment, and other resources distributed across the geographical area making up the network. Although a network administrator may be able to access them over the computer network, such network components aren’t readily accessible physically. As such, a network administrator must rely on people who are designated as system administrators in those locations. These people must be properly trained on the system and responsible enough to take matters like security seriously. If not, something as simple as changing a backup tape could be problematic or even disastrous.

Even if an organization initially decides on having a centralized network, decentralizing the network may be the only viable option if cost factors or other issues come into play. For example, if a company had a slow network connection between buildings, users might find logging into the network, saving data to a server, or accessing network resources slow. One solution would be to put a server in each building, so computers would be able to be authenticated and quickly access data on the server that’s closest to them. By distributing servers in this instance, network performance would improve, because users wouldn’t have to authenticate or necessarily use the slow connection to the other server.

Once your network model has been selected, you can then deploy your client systems, servers, and resources accordingly. There are multiple logical topologies you will need to select from, such as peer-to-peer, client/server, VPNs, and VLANs.

Peer-to-Peer

Years ago, most computers on a network weren’t very powerful. Hard disks, memory, printers, and other components making up a computer system were expensive, creating a need for dedicated servers that other computers accessed to store data and access necessary resources. These dedicated servers could be mainframes or high-end computers with additional memory, storage space, and processing power. As technology progressed, computer workstations came to be as powerful (or in many cases more powerful) than the servers of years past, making peer-to-peer networks a viable solution for smaller networks.

In a peer-to-peer network, computers on the network act as equals, with each workstation providing access to resources and data. This is a simple type of network, where computers are able to communicate with one another, and share what is on or attached to their computer with other users. It is also one of the easiest types of architectures to create.

Individual users have responsibility over who can access data and resources on their computer. OSes such as Windows XP and Windows Vista allow accounts to be set up that will be used when other users connect to their computer. Accounts, passwords, and permissions are saved in a local database, which is used to determine what someone can do when connecting to the computer. For example, one account may allow a user to send print jobs to your printer, while another account may allow the user to access files in certain directories but not print.

Head of the Class…

Centralized Access Control

Even when servers and resources are distributed throughout a network, it does not mean that access control can’t be centralized. Centralized access control is when users achieve access to the network through a central point of authentication. Users log onto the network through some form of authentication, such as a username and password, which is passed to a server that processes their request for access. The server compares this information to a corresponding account that’s stored in a database, and determines whether the user has correctly identified himself or herself, and what this person is authorized to access. The server sends back data that authorizes the user, allowing them to use specific resources on the network.

Because users acquire access to resources through one source, it saves them from having to log onto each server. Early versions of network OSes required users to determine which server they wanted to use, and then enter the username and password for their account on that server. Using centralized access control, the users only need to be authenticated once to be able to access resources on any server they are given permissions and rights to use.

Another benefit of centralizing access control is that administration of accounts can be done for an entire network through one control system. For example, on networks using Windows 2000 Server or 2003 Server, user accounts and information are stored in Active Directory, while Novell NetWare networks use Novell Directory Services (NDS) or eDirectory. Using ConsoleOne in NetWare or the Microsoft Management Console (MMC) in Windows, a network administrator has the ability to connect to the directory containing user information, and control which folders a user can access, password requirements, when the user can log onto the network, and numerous other conditions and controls. Rather than making changes to each server, the administrator only needs to make changes to an account once to affect a user’s access throughout the network. Because of this, centralized access control is often used in enterprises, where there are large numbers of computers and user accounts that need to be managed.

Because peer-to-peer networks are generally small, creating one can be as simple as installing network adapters into each computer, attaching a network cable to the adapter, and connecting the other end to a hub or switch. If a wireless network is being created, then even the cables aren’t necessary, as wireless adapters and a wireless router are all that’s needed. Once this is done, each computer is configured to use the network adapter that’s installed, and a protocol is configured to allow communication between the computers. In cases where OSes such as Windows XP or Vista are used, this configuration can be done through a wizard program, which takes you step by step through the configuration process.

One important issue with peer-to-peer networks is security. Each computer on this type of network may allow or deny access to other computers, as access to data and resources are controlled on each machine. For example, a user could share a folder on his or her computer, allowing other users to access the files in that folder. Because users can have the ability to control access to files and resources on their computers, network administration isn’t controlled by one person. However, problems may exist where users grant access to data and resources based on friendship with another person instead of a person’s need to perform their job.

As such, peer-to-peer networks are generally used in situations where security isn’t a major concern, as in the case of some home networks or small businesses.

Client/Server

In looking at the peer-to-peer network model, when one computer requests data or other services from another computer, it acts as a client, while the other computer delivering that data or service acts as a server. These roles seem obscured because both computers act in either of these roles. In the Client/Server model, these roles are clearer because it involves dedicated servers that provide services and data to clients, without making similar requests of them.

The Client/Server model consists of high-end computers serving clients on a network, by providing them with specific services upon request. Years ago, each server generally performed a single role, such as:

■ File server, which allows clients to save data to folders on its hard drive

■ Print server, which redirects print jobs from clients to specific printers

■ Application server, which allows clients to run certain programs on the server, and enables multiple users to access common applications across the network

■ Database server, which allows authorized clients to view, modify, and/or delete data in a common database

Today, computers are more powerful and network OSes are more effective, so each server may act in several different roles. For example, a server may be a web server for the local intranet, but also allow users to access a database and store files in an area of its hard drive. The services provided by the server will vary greatly depending on how it’s been configured and what’s been installed.

The software that’s installed largely dictates the roles a dedicated server can perform. First and foremost, the server needs to have a network OS such as Windows Server 2003, Windows Server 2008, or Linux installed on it. These server OSes provide features specifically for servicing clients, and can respond more efficiently to a greater number of client requests than standard OSes such as Windows XP or Windows Vista.

Once a high-end computer has server software installed, the services provided by it need to be configured and other programs may need to be installed. Many of the server’s functions are dependent on the server software installed on it. For example, a server that acts as a SQL Server is a database server, but needs to have a program like Microsoft SQL Server installed on it. In the same way, a Web server on a Windows Server 2003 server would need Internet Information Services (IIS) configured. By installing server software on the dedicated server, you define the role that server will play on your network.

Although a dedicated server may play a variety of roles, you should determine whether the load placed on the server is too great, causing performance to decrease. Some services provided by a server may be accessed frequently, creating a larger workload for the server. Rather than creating a burden for the server, the server will be dedicated to performing a single role, or at least a decreased number of roles. For example, an e-mail server may be accessed frequently by users of the network who want to check for messages. Because it is used so often, many organizations will have one server performing only this role, to avoid it becoming bogged down and users finding it slow to access their e-mail. In the same way, if the service is essential to a business, such as a Web server being necessary for a business that sells products on the Internet, that server will be dedicated to only that role. The more a server is dedicated to a specific or limited number of functions, the better its performance and the less chance there will be of everything becoming unavailable if one server fails.

At the beginning of this chapter, we explained that a network exists when two or more computers are connected together so they can share various resources. Although this defines the basic nature of a network, it doesn’t provide an understanding of the different sizes and shapes a network can take as it’s designed and developed. Having this understanding is important in determining the scope and physical layout of computers, cables, and other network components. It is also vital when considering the type of media that will be used, and whether additional components are necessary to expand your network.

Virtual Private Network

A VPN provides users with a secure method of connectivity through a public internetwork such as the Internet. Most companies use dedicated connections to connect to remote sites, but when users want to send private data over the Internet they should provide additional security by encrypting the data using a VPN.

Damage and Defense

Only Use Servers as Servers

Although dedicated servers are designed to serve clients, many of the server OSes have the ability to be used as if they were clients. For example, Windows servers have always had the same GUI as other versions of Windows for standalone computers or network workstations. This means you could install and use Microsoft Office, games, or any number of other software products. However, it is unwise to use a server as if it were any other client machine on your network.

Every time you run software on a computer, memory, processing, and other resources are used, which could otherwise be used for responding to client requests, and you run the risk of crashing the server. Think of the number of times a program has locked up your computer, and then think of the implications of what would happen if hundreds of users had been accessing it as a server and were now unable to do their work. The reason you have a server is for it to act as a server. Unless you are performing work on the server related to how it functions as a server, it is not advisable to use it for other purposes.


What is a VPN?

When a VPN is implemented properly, it provides improved wide area security, reduces costs associated with traditional WANs, improves productivity, and improves support for users who telecommute. Cost savings are twofold. First, companies save money using public networks (such as the Internet) instead of paying for dedicated circuits (such as point-to-point T1 circuits) between remote offices. Second, telecommuters do not have to pay long-distance fees to connect to Remote Access Servers (RAS). They can simply dial into their local ISPs and create a virtual tunnel to the office. A tunnel is created by wrapping (or encapsulating) a data packet inside another data packet and transmitting it over a public medium. Tunneling requires three different protocols:

■ Carrier Protocol: The protocol used by the network (IP on the Internet) that the information is traveling over.

■ Encapsulating Protocol: The protocol, such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IPSec, or Secure Shell (SSH), that is wrapped around the original data.

■ Passenger Protocol: The original data being carried.
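The carrier / passenger layering just described, as an added example that is not from the study guide: a passenger IPv4 packet between two private office hosts is wrapped in a carrier IPv4 header addressed gateway-to-gateway, the way IP-in-IP (RFC 2003, IP protocol 4) does, then checked and unwrapped at the far end. Host and gateway addresses, the payload and the function names are constructed for illustration; IP-in-IP supplies only the wrapping, and the encryption the text attributes to a VPN is what IPSec or PPTP add as the encapsulating layer between carrier and passenger.

```python
"""Added example (not from the study guide): carrier / passenger layering of a
tunnel modelled as IPv4-in-IPv4 (RFC 2003). All addresses and payloads are
constructed samples from the RFC 5737 / RFC 1918 documentation ranges."""
import ipaddress
import struct

IPPROTO_TCP = 6    # passenger packet carries TCP in this sample
IPPROTO_IPIP = 4   # carrier header's protocol field for an IP-in-IP tunnel
_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); yields 0 when the
    header's own checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet: version 4, IHL 5, no fragmentation."""
    hdr = struct.pack(_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an options-free IPv4 packet; raise on damage."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(_HDR, packet[:20])
    if ver_ihl != 0x45 or total_len != len(packet):
        raise ValueError("unsupported or inconsistent IPv4 header")
    if ipv4_checksum(packet[:20]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "proto": proto, "payload": packet[20:]}


def encapsulate(passenger: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel entry: the whole passenger packet, private addresses included,
    becomes the payload of a carrier packet addressed gateway-to-gateway.
    IPSec or PPTP would insert their encapsulating header and encryption here."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, passenger)


def decapsulate(carrier: bytes) -> bytes:
    """Tunnel exit: check the carrier, strip it, validate the passenger."""
    outer = parse_ipv4(carrier)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("carrier does not announce an IP-in-IP passenger")
    parse_ipv4(outer["payload"])  # passenger must itself be a sane IPv4 packet
    return outer["payload"]


def demo() -> dict:
    """Constructed: Boston host 10.1.0.10 reaches Phoenix host 10.2.0.20 via the
    two office gateways; only gateway addresses appear on the Internet path."""
    passenger = build_ipv4("10.1.0.10", "10.2.0.20", IPPROTO_TCP, b"constructed payload")
    carrier = encapsulate(passenger, "198.51.100.1", "203.0.113.1")
    return {"carrier": parse_ipv4(carrier), "passenger": parse_ipv4(decapsulate(carrier))}


if __name__ == "__main__":
    result = demo()
    print("on the wire:", result["carrier"]["src"], "->", result["carrier"]["dst"])
    print("inside     :", result["passenger"]["src"], "->", result["passenger"]["dst"])
```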

Essentially, there are two different types of VPNs: site-to-site and remote access.

Site-to-Site VPN

Site-to-site VPNs are normally established between corporate offices that are separated by a physical distance extending further than normal LAN media covers. VPNs are available as software (such as Windows VPN, available on Windows 2003 and 2008) and hardware (firewalls such as Cisco PIX or ASA and Nokia/Checkpoint) implementations. In general, software implementations are easier to maintain. However, hardware implementations are considered more secure, because they are not impacted by OS vulnerabilities.

For example, suppose that Company XYZ has offices in Boston and Phoenix. As shown in Figure 1.1, both offices connect to the Internet via a T1 connection. They have implemented VPN-capable firewalls in both offices and established an encryption tunnel between them.

The first step in creating a site-to-site VPN is selecting the security protocols to be used. Common protocols associated with VPN transmission security are PPTP, L2TP, SSH, and IPSec.

PPTP and L2TP are used to establish a secure tunnel connection between two sites. Once a tunnel is established, encryption protocols are used to secure data passing through the tunnel. As data is passed from one VPN to another, it is encapsulated at the source and unwrapped at the destination. The process of establishing the VPN and wrapping and unwrapping the data is transparent to the end user.

Most commercially available firewalls come with a VPN module that can be set up to easily communicate with another VPN-capable device. Microsoft has implemented site-to-site VPN tools on the Windows 2003 platform using either RRAS or the newest rendition of Microsoft’s Proxy server, Microsoft ISA Server 2006 (www.microsoft.com/forefront/edgesecurity/isaserver/en/us/default.aspx). Whichever product or service is used, it is important to ensure that each end of the VPN is configured with identical protocols and settings.

Remote Access VPN

A remote access VPN, known as a private virtual dial-up network (PVDN), differs from a site-to-site VPN in that end users are responsible for establishing the VPN tunnel between their workstation and their remote office. An alternative to connecting directly to the corporate VPN is connecting to an enterprise service provider (ESP) that ultimately connects users to the corporate VPN.

Figure 1.1 A Site-to-Site VPN Established between Two Remote Offices.

Notes from the Field…

Issues with Site-to-Site VPNs

A common mistake that network security professionals make is setting up a site-to-site VPN, then disregarding other types of security. Access control (such as Windows NTFS permissions) should also be implemented so that users on remote networks cannot access the local network freely.

In either case, users connect to the Internet or an ESP through a point of presence (POP) using their particular VPN client software (Figure 1.2). Once the tunnel is set up, users are forced to authenticate with the VPN server, usually by username and password.

A remote access VPN is a great solution for a company with several employees working in the field. The remote access VPN allows these employees to transmit data to their home offices from any location. RRAS offers an easy solution for creating a remote access VPN. VPNs will be covered in depth in Chapter 9.

Virtual Local Area Network

VLANs allow network administrators to divide the network by designating certain ports as part of a logical network. Although several computers or devices can be connected to the same physical network, they can be all separated logically through the use of a VLAN. VLAN databases can provide important details to any individual who is trying to discern the logical breakup of the network. VLANs logically divide the network and affect the traffic and security of a switched network.

Figure 1.2 A Remote-Access VPN Solution Using Regular Internet POPs.

Configuring VLANs

The first thing that might come to mind when we mention VLANs or Virtual LANs is that somehow they don’t exist physically. They do exist and they are very commonly used in the enterprise or corporate computing networks to segment networks. In the past, to separate or segment networks, separate pieces of hardware such as hubs or switches were used. It became very clear that when hubs and switches only come in predefined capacities such as 5, 8, 12, 24, or even 36 ports, potentially we could be wasting resources by not fully utilizing all the ports on these devices. In addition, as companies expand and spread into different locations, it became difficult to have people in the same departments on the same LAN segments. Someone envisioned being able to reconfigure one physical device into multiple logical segments and VLANs were born.

Physical Networking Models

Just as size defines a network, so does the way it’s laid out. The topology of a network is the physical layout of computers, hubs, routers, cables, and other components. It provides a map of where things are, and how the network is configured.

Although networks are often unique to one another, the topology of each network will share characteristics with one another. Networks will either use one of the topologies we’ll discuss, or in many cases a combination of them:

■ Bus

■ Star

■ Ring

■ Mesh

■ Point-to-point

■ Point-to-multipoint

■ Hybrid

■ Wireless


Bus topologies are one of the most straightforward networks and are easy to set up and install. As shown in Figure 1.3, all of the computers in a bus topology are connected together using a single cable, which is called a trunk, backbone, or segment. Coaxial cable is commonly used for the trunk, which is the same cable that’s used to connect to your TV to receive cable television. The computers are attached to the cable segment using T-connectors, which get their name because they’re shaped like the letter T. Because all of these computers use the same cable, only one computer can send packets of data (which are electronic signals) onto the network at a time.

When a computer sends a packet of data onto the trunk, it is sent in both directions so that every computer on the network has the chance to receive it. Each of the computers on this type of topology listen to the network traffic, so that they can determine whether any packets being sent over the network are intended for them. When a computer listens to the network, any packets that aren’t addressed to it are ignored, while any specifically addressed to it are accepted. The exception to this is when a broadcast is made, which are packets that are destined for every computer on the network.

Because the topology is linear, when data is sent over the trunk, it runs the length of the cable. To prevent data signals from staying on the cable indefinitely, the cable needs to be terminated at each end so electronic signals are absorbed when they reach the cable’s end. The terminator absorbs the signal, so that the cable is clear for other computers to send packets on the network. Without termination, a computer would send packets to another computer over the trunk, and they would bounce back and forth along the length of the cable until the network was brought down. To prevent the signal from bouncing up and down the cable, terminators are attached at both ends of the cable. Without termination, the entire network fails.

Bus topologies have several benefits to organizations. Although we mentioned that they are easy to set up, they are also a passive topology. In other words, when a computer is

Figure 1.3 A Bus Topology.

Exam Warning

One of the testable items on the Network+ exam is being able to identify a topology based on either the description given, or by looking at a picture of a topology. Make sure that you know each of the topologies covered in this section, and can identify them simply by looking at them before taking the exam.

Posted: 04/07/2014, 13:20
