2001 Autumn
Technical Engineer Examination (Network)(Afternoon Part 2)
Questions must be answered in accordance with the following:
Question Nos: Q1 to Q2
Question Selection: Select one of the above two
Examination Time: 14:30-16:30 (120 minutes)
(4) Write each answer in the space specified for that question.
(5) Write your answers clearly and neatly. Answers that are difficult to read will receive a lower score.
Do not open the exam booklet until instructed to do so.
Inquiries about the exam questions will not be answered.
[List of Question Contents]
(1) Names of sites which require the study of the bandwidth of the leased lines
(2) Effect of adding sites on the existing network
Sub-Question 3
(1) Problems resolved by installing a server for the integrated application program in the main office
(2) Reason why increased traffic between the plant and main office affects other sites
(5) Information useful in troubleshooting when IPsec is not used
Sub-Question 5
(1) Reliability problems solved by the new network
(2) Reason why communication with the main office is not possible if the IPsec function is implemented using PCs in regional sales offices
(3) Features and associated reasons behind IP address planning when using IP-VPN service
Sub-Question 3
(1) Basic knowledge regarding duplexing mail systems
(2) Reason why implementing processing to prevent illegal relays is simple
Sub-Question 4
(1) Basic knowledge regarding RAID
(2) Reason why a load balancing device is not used for distribution to an application server
(3) Zone information managed by DNS server 2
Sub-Question 5
(1) Basic knowledge regarding use of housing services offered by an Internet data center
(2) Role of a UPS when switching to an in-house power generator
(3) Tasks that should be indicated in an operation management manual in order to operate an electronic commerce system
(4) New issues that Company Y should consider to prevent system failure when using the housing service of an Internet data center
Sub-Question 5
(1) Completing the configuration of an electronic commerce system when using the housing service of an Internet data center
Q1 Read the following description of reconstructing a network using IP-VPN service and answer Sub-Questions 1 through 5.
Company A mainly sells customized PCs to corporations. Since the scope of the business is rather large, Company A has regional sales offices in charge of each region and branch offices that oversee them. For their salesmen and designers, corporate customers order PCs with optimum specifications to do their jobs. When a salesman receives an order, he sends to the plant the customization specifications as requested by the customer. A PC is assembled according to the customization specifications. The assembled PC is sent to a distribution center and shipped on the specified day of delivery to the customer who placed the order.
[Overview of the Previous System]
Company A used to run separate business application programs (hereafter referred to as “distributed business APs”) on servers located at its branch offices and plants. The distributed business AP on each server was used with a corresponding client application program (hereafter referred to as a “terminal AP”) which ran on PCs. They were connected via TCP/IP communication lines.
The distributed business APs at branch offices were used for order entry and business activity reports, while the distributed business AP at plants was used for production control. In addition, the terminal AP used by salesmen to make business activity reports accessed, through FTP, the distributed business AP used to make business activity reports which ran on servers at branch offices.
[Background Behind New System Development]
A year ago, the Planning Department of Company A began sales of PCs to individuals using a Web page-based online sales system installed in the main office. Even in the case of PCs sold to individuals, there were many cases where PCs needed to be customized to meet the requirements of individual customers.
In the case of sales to individuals, customers wanted to be able to access the status of their order at any time from the PC order placement to its delivery. This service is called a “tracking service”. Salesmen also wanted this service in order to quickly respond to inquiries about delivery and so forth from corporate customers.
Although the distributed business AP was developed by the Information System Department at the main office, there were many problems because many additional functions had been repeatedly added. Maintenance personnel were used to take care of problems at branch offices and plants, but many times they could not solve problems and the Information System Department had to take care of it. This was a hindrance to the development work being performed by the Information System Department.
[Overview of the Current System]
Six months ago, Company A got rid of the distributed business APs and distributed servers that it had been using, and began running a newly developed business application program (hereafter referred to as an “integrated business AP”) on a new server located in the main office. The integrated business AP included a function for linking with the nonstore sales system and a function for tracking service, while also implementing all the business functions of the old distributed business APs. The new server could be used from a PC using TCP/IP.
It was decided to aim at quick development of the current system and to continue the use of the previous system. Fig 1 shows the configuration of the current system network.
[Fig 1 Configuration of Current Network (figure). Labels recovered from the figure: PC, Router, RAS, Leased Line, Branch Office, Plant, Distribution Center, Regional Sales Office 1 to Regional Sales Office 5, ISDN Router. FW: Firewall (details of configuration of firewall omitted). RAS: Remote Access Server. W: Web server for nonstore sales.]
Salesmen in regional sales offices also have demands. Business activity reports are made by accessing the integrated business AP using a terminal AP for making such reports as in the past. Since terminal APs other than this have been abolished with the operation of the integrated business AP, it was decided to use the integrated business AP using PC browsers. A salesman can therefore use a browser to find out the status of a PC order at any time up to its delivery.
[Reconstruction of the Current Network]
Business at Company A has increased steadily using the integrated business AP. With this increased business, more working hours are spent referencing the specifications and design documents. The traffic between the plant and the main office has seen particularly dramatic growth. This has caused longer response times at multiple sites on the network and is hindering business. However, the communication bandwidth between the main office and branch offices is sufficient and there are no problems here.
The Information Systems Department was assigned to study the reconstruction of the current network for better network reliability and expandability to handle increased traffic and the addition of new sites in the future.
The Information Systems Department, with Mr T as a leader, has collected the requirements of the new network and presented its findings to a communication service provider. As a result, Mr K, an engineer working for the communication service provider, has proposed IP-VPN service using MPLS (Multi-Protocol Label Switching). It was decided to study with him the suitability of IP-VPN service for the new network.
Fig 2 shows the configuration of the new network using IP-VPN service as proposed by
[Fig 2 Configuration of New Network (figure). Labels recovered from the figure: Regional Sales Office 1 to Regional Sales Office 5, ISDN Router, Leased Line, PC, IP-Router, Plant, Distribution Center.]
The following is a conversation between Mr T and Mr K.
Mr T: First, please tell me about the packet transfer method used with IP-VPN.
Mr K: The routers connected to the leased lines in Fig 2 are called “customer edge routers” (hereafter referred to as CERs). When using IP-VPN service, the communication service provider’s provider edge routers (hereafter referred to as PERs) are connected to customer CERs via leased lines having the required bandwidth. This leased line is called an “access line”. An IP packet arriving at a PER from a CER is given a/an [ a ] at the PER based on its destination address. Inside the IP-VPN network, routing between the sending PER and destination PER is performed based on [ a ]. [ a ] is removed by [ b ] at the transfer destination, restored to a regular [ c ], and transferred to
Mr T: Inside the IP-VPN network, packets having a different format than IP packets are transferred, right?
Mr K: Yes, that’s right.
Mr T: Can security be achieved when using IP-VPN service?
Mr K: Of course it can. At the sending PER, it is possible to know which IP packets came from which customer. These packets do not arrive at the CERs of other customers. In other words, the sending PER identifies the sending customer, and determines the destination PER according to the destination IP address in the received IP packet. If the sending customer is different, that IP packet is transferred to [ e ] CER even if the destination IP address in the IP packet received from the customer exactly matches that of the sending PER. This allows security equivalent to communications using conventional leased lines to be achieved.
Mr T: Please tell me about the case of future expansion stated in your proposal.
Mr K: For example, imagine that you are going to establish a new distribution center. In your current network configuration, this means connecting the new distribution center to the plant using a leased line. In this case, it is also necessary to study the bandwidth of existing leased lines between [ f ] and [ g ] and between [ g ] and [ h ]. In contrast, in the new network configuration being proposed, expansion will be easy because the effect on the existing network of adding sites can be [ i ] just by studying the bandwidth of existing access lines between [ f ] and IP-VPN.
Mr T further continued his investigation on the assumption that a new network would be configured using IP-VPN service because it allows for communication security and can be done at low cost.
[Connecting the Regional Sales Offices to the Main Office]
Mr K’s proposal was that regional sales offices and the main office be connected over the Internet. Mr T investigated the method of the connection with Mr K.
Mr K: Connections to regional sales offices shall be made with the main office, which has the Information Systems Department. Since the main office and each regional sales office are physically separated, connections which use ISDN in the current network will be switched to connections that use the Internet.
Mr T: Although I think it is appropriate to connect regional sales offices to the main office, the proposals from other communication service providers suggest using IP-VPN service at regional sales offices as well. Why doesn’t the proposal from your company suggest IP-VPN service be used at the regional sales offices?
Mr K: We feel that the frequency of use of the network by regional sales offices is low. We therefore thought that IP-VPN service was inappropriate because it is not very cost effective to use leased lines as the access lines with regional sales offices.
Mr T: Can anything besides leased lines be used as the access lines?
Mr K: Nothing can be used except leased lines.
Mr T: Although security is achieved under IP-VPN, I’m very concerned about security when communications are made over the Internet. Is there anything we can do?
Mr K: Security for communications over the Internet between the regional offices and main office can be achieved at the IP layer by using IPsec to safely transfer IP packets. When using IPsec, the sender encrypts IP packets and the receiver decrypts encrypted IP packets. Figure 3 shows a basic overview of using IPsec packets as currently being proposed.
[Fig 3 Overview of IPsec Packets Used at Company A (figure). IP packet before encryption: IP header | TCP header | TCP data. IPsec packet: New IP header | ESP header | IP header | TCP header | TCP data | Supplemental ESP data | Authentication data. Target of encryption: IP header through Supplemental ESP data. Target of identification: ESP header through Supplemental ESP data. ESP: Encapsulating Security Payload.]
Mr K: The IP packet before encryption and the newly added supplemental ESP data are encrypted. The ESP header, which differs from a TCP header, and the encrypted data are the target of falsification detection.
Mr T: Are there any problems with reduced communication throughput due to encryption overhead or Internet congestion?
Mr K: The main business being conducted by regional sales offices is producing business activity reports. The terminal AP used for making business activity reports uses FTP to connect to the integrated business AP and download a report template. Then report data created by a salesman is sent to the integrated AP. Since the amount of data sent with FTP is small, we think that it is not a big problem.
Mr T performed a file transfer test using IPsec and FTP over the Internet.
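To make Mr K's throughput answer concrete, the following added example (not part of the exam paper) lays out the ESP tunnel-mode packet of Fig 3 and computes its per-packet overhead, the encrypted range and the integrity-protected range. The field sizes (8-byte ESP header, 2-byte pad-length/next-header fields, 12-byte authentication data, 20-byte IP headers, 8-byte cipher block) are taken from the ESP specification and typical algorithms of the time, not from the exam text.

```python
# Added example, not from the exam paper: byte layout and overhead of an ESP
# tunnel-mode packet as drawn in Fig 3. Field sizes are assumptions from the
# ESP specification (SPI 4 + sequence 4 = 8-byte header, 1-byte pad length +
# 1-byte next header in the supplemental ESP data, 12-byte authentication
# data for HMAC-MD5-96/HMAC-SHA1-96, 20-byte IP headers, 8-byte cipher block).
IP_HDR = 20          # new (outer) IP header, no options
ESP_HDR = 8          # SPI + sequence number
TRAILER_FIXED = 2    # pad length + next header (part of supplemental ESP data)
ICV = 12             # authentication data

def esp_tunnel_layout(inner_len: int, block: int = 8) -> dict:
    """Byte ranges [start, end) of the tunnel-mode packet carrying an inner
    IP packet of inner_len bytes. Padding brings the encrypted part up to a
    multiple of the cipher block size, as ESP requires."""
    pad = (-(inner_len + TRAILER_FIXED)) % block
    enc_len = inner_len + pad + TRAILER_FIXED      # target of encryption
    auth_len = ESP_HDR + enc_len                   # target of identification
    total = IP_HDR + auth_len + ICV
    return {
        "new_ip_header": (0, IP_HDR),               # protected by neither
        "esp_header": (IP_HDR, IP_HDR + ESP_HDR),   # authenticated, not encrypted
        "encrypted": (IP_HDR + ESP_HDR, IP_HDR + auth_len),
        "authenticated": (IP_HDR, IP_HDR + auth_len),
        "auth_data": (IP_HDR + auth_len, total),
        "padding": pad,
        "total": total,
    }

def esp_overhead(inner_len: int, block: int = 8) -> int:
    return esp_tunnel_layout(inner_len, block)["total"] - inner_len

def goodput_fraction(tcp_data: int, block: int = 8) -> float:
    """Share of the bytes on the access line that is application data, for a
    TCP segment of tcp_data bytes behind 20-byte IP and TCP headers."""
    inner = IP_HDR + 20 + tcp_data
    return tcp_data / esp_tunnel_layout(inner, block)["total"]

def fits_link_mtu(tcp_data: int, mtu: int = 1500, block: int = 8) -> bool:
    """Whether the encapsulated packet still fits the link MTU; if not, the
    router must fragment or the end hosts must use a smaller segment size."""
    return esp_tunnel_layout(IP_HDR + 20 + tcp_data, block)["total"] <= mtu
```

For a full-size 1500-byte inner packet the encapsulation adds 44 bytes, so the bandwidth cost is small but the packet no longer fits a 1500-byte Internet link without fragmentation, which is the more common cause of IPsec throughput problems than the encryption itself.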
[Connection Test between Regional Sales Offices and the Main Office]
First, Mr T made preparations to perform a connection test using FTP over the Internet between each regional sales office and the main office. Although the FTP server used for the test possessed an IPsec function, in preparation for trouble analysis, the IPsec function was not used.
Company A uses private IP addresses in-house. In order to connect to the Internet, Mr T set the packet filter of the ISDN routers used on the current network for use under an Internet connection. The table gives an excerpt of the contents of the packet filters of the ISDN routers used for the connection test.
Table: Contents of Packet Filters of ISDN Routers Used in the Connection Test (Excerpt)
Columns: Direction | Sender's IP address | Destination IP address | SYN bit | ACK bit | Sender's port no. | Destination port no.
(Column headings only; the filter entries of the table are not reproduced.)
In addition, it was possible to use the Internet from multiple PCs which possessed a private IP address by assigning a single global IP address to each of the ISDN routers used in the test.
Mr T downloaded files from an FTP server located in the DMZ of the firewall from a regional sales office using a browser. Next, he tried downloading the files using the terminal AP for making business activity reports. However, he could not download files from the FTP server using the terminal AP for making business activity reports. Mr T reported the results of this test to Mr K and decided to find out the causes of the problems and their solutions.
Mr T: I was able to download files when using the browser in a regional sales office. However, the download failed when attempting to use the terminal AP for making business activity reports. Here is the packet monitoring data between the FTP server and the FTP client obtained from the DMZ of the firewall. Looking at this data, it appears that the TCP connection from the regional sales office was disconnected, but I don't understand the cause.
Mr K: Judging from the monitoring results, the TCP connection was disconnected by the ISDN router. I will explain using Fig 4, which shows an overview of FTP active mode.
[Fig 4 Overview of FTP Active Mode (figure, shown here as the sequence of steps between the FTP client (P: 3201, P: 3200) and the FTP server (P: 21, P: 20))]
1. Establish connection for control (client P: 3201 and server P: 21)
2. Transfer PORT <IP address, Port No.> command
3. Transfer RETR <file path> command
4. Establish connection for data transfer (server P: 20 and client P: 3200)
5. Transfer files
6. Connection for data transfer disconnected
7. Connection for control disconnected
Note: “P” indicates the Port No.
Mr K: First, the FTP client requests that a connection for control be established. The IP address and Port No. of the FTP client are sent to the FTP server by the PORT command using the connection for control. This information is used to establish a connection for data transfer. The request for the establishment of a connection for data transfer is made by [ j ]. Judging from the packet monitoring data, FTP active mode is used by the terminal AP for making business activity reports.
Mr T: Why can’t files be transferred when the terminal AP for making business activity reports is using FTP active mode?
Mr K: That’s because the packet filtering setting of the ISDN router does not correspond to FTP active mode. However, if router settings are made to correspond with FTP active mode, there is a possibility that the security at regional sales offices will decrease.
Mr T: Since the FTP client is separated from the current network under the current environment, I don’t think that in-house security is a problem. I'm going to perform a connection test using different ISDN router settings.
Mr T confirmed that it was possible to download files using the terminal AP for business activity reports in an environment which does not use the IPsec function.
According to the proposal made by Mr K, existing ISDN routers were to be changed to models with an IPsec function. Mr T confirmed that it was possible to download files using the terminal AP for business activity reports in an environment that uses the IPsec function when using ISDN routers that include the IPsec function. In addition, he also confirmed that communication throughput did not decrease even when the IPsec function was added.
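The following added example (not part of the exam paper) models the ISDN router's packet filter with the fields of the table above and runs the FTP exchanges of Fig 4 through it, showing why the browser download worked while the terminal AP's active-mode transfer was cut off, and what the relaxed rule that fixes it lets through. The addresses, the rule set, the assumption that the browser uses passive mode, and the passive-mode data port 49152 are constructed for the example.

```python
# Added example, not from the exam paper: a stateless packet filter with the
# fields of the table in the text (direction, addresses, SYN/ACK bits, port
# numbers) applied to the FTP exchanges of Fig 4. The addresses, the rule set
# and the passive-mode port 49152 are constructed for this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "out": office -> Internet, "in": Internet -> office
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool

def filter_passes(p: Packet, allow_active_ftp_data: bool) -> bool:
    """Constructed rules of the ISDN-router filter:
    1. anything leaving the office is passed;
    2. an inbound packet is passed only if it is not a new connection
       request (SYN=1, ACK=0), i.e. it belongs to a connection the office opened;
    3. only when allow_active_ftp_data is set: an inbound connection request
       from TCP port 20 to an unprivileged client port is passed. This is what
       FTP active mode needs and it lowers security: any host can use port 20."""
    if p.direction == "out":
        return True
    if not (p.syn and not p.ack):          # not a new connection request
        return True
    return allow_active_ftp_data and p.sport == 20 and p.dport > 1023

CLIENT, SERVER = "192.168.1.10", "203.0.113.5"   # constructed addresses

def ftp_active_mode_exchange():
    """Connection requests of Fig 4: the client opens the control connection,
    then the server opens the data connection to the port given in PORT."""
    return [
        Packet("out", CLIENT, SERVER, 3201, 21, syn=True, ack=False),
        Packet("in", SERVER, CLIENT, 21, 3201, syn=True, ack=True),
        Packet("in", SERVER, CLIENT, 20, 3200, syn=True, ack=False),
    ]

def ftp_passive_mode_exchange():
    """Passive mode, as a browser uses it: the client opens both connections."""
    return [
        Packet("out", CLIENT, SERVER, 3201, 21, syn=True, ack=False),
        Packet("in", SERVER, CLIENT, 21, 3201, syn=True, ack=True),
        Packet("out", CLIENT, SERVER, 3202, 49152, syn=True, ack=False),
        Packet("in", SERVER, CLIENT, 49152, 3202, syn=True, ack=True),
    ]

def transfer_succeeds(packets, allow_active_ftp_data=False) -> bool:
    """The download works only if the filter passes every packet."""
    return all(filter_passes(p, allow_active_ftp_data) for p in packets)
```

Rule 3 is the trade-off Mr K points to: once inbound connection requests from source port 20 are accepted, the filter no longer distinguishes the FTP server's data connection from an unsolicited connection request by any other host that chooses that source port.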
[Investigation of the IPsec Function]
In order to reduce costs, Mr T proposed using the IPsec function by software processing on a PC installed in the regional sales offices, rather than switching existing ISDN routers to models with the IPsec function, and discussed this possibility with Mr K.