1. Part 2 Logical Network Design
Network Topology
Addressing and Naming
Switching and Routing Protocols
Network Security Strategies
Management Strategies

2. Chapter Five Designing a Network Topology
Copyright 2010 Cisco Press & Priscilla Oppenheimer

3. Network Topology Design Themes
Hierarchy (opposite to flat or mesh network)
Core layer
Distribution layer
Access layers
Redundancy
Modularity
Well-defined entries and exits
Protected areas

4. Why Use a Hierarchical Model?
Reduces workload on network devices
Avoids devices having to communicate with too many other devices (reduces “CPU adjacencies”)
Constrains broadcast domains
Minimize costs. Only buy appropriate devices for each layer
Facilitates changes easy and cheap
Good for modularity and scalability

6. Hierarchical Network Design
Enterprise WAN
Backbone
Core Layer
Campus A
Campus B
Campus C
Distribution Layer
Campus C Backbone
Access Layer
Building C-1
Building C-2

7. Cisco’s Hierarchical Design Model
A core layer of high-end routers and switches that are optimized for availability and speed
A distribution layer of routers and switches that implement policies and segment traffic
An access layer that connects users via hubs, switches, and other devices

8. Access Layer requirements:
Utilize the Hierarchical Design Model to Develop a Cost-Effective Network Design
Access Layer requirements:
Connectivity for existing devices and new devices
VLANs to separate voice, security, wireless, and normal data services
Redundancy
QoS
Graphic:

9. Distribution layer requirements: Redundant components and links
Utilize the Hierarchical Design Model to Develop a Cost-Effective Network Design
Distribution layer requirements:
Redundant components and links
High-density routing
Traffic filtering
QoS implementation
High-bandwidth connectivity
Fast convergence
Route summarization
Graphic:

10. Core Layer requirements: High-speed connectivity
Utilize the Hierarchical Design Model to Develop a Cost-Effective Network Design
Core Layer requirements:
High-speed connectivity
Routed interconnections
High-speed redundant links
Graphic:

11. Flat Versus Hierarchy Flat Loop Topology
Headquarters in Medford
Ashland Branch Office
Klamath Falls Branch Office
Grants Pass Branch Office
White City Branch Office
Headquarters in Medford
Grants Pass Branch Office
Ashland Branch Office
Klamath Falls Branch Office
Flat Loop Topology
Hierarchical Redundant Topology

12. Mesh Designs
Partial-Mesh Topology
Full-Mesh Topology

13. A Partial-Mesh Hierarchical Design
Headquarters (Core Layer)
Regional Offices (Distribution Layer)
Branch Offices (Access Layer)

14. A Hub-and-Spoke Hierarchical Topology for small company
Corporate Headquarters
Branch Office
Home Office
Branch Office

15. Avoid Chains and Backdoors
Chain: extra layer
Back door: connection between devices in the same layer, makes unexpected routing and switching problems.
Core Layer
Distribution Layer
Access Layer
Backdoor
Chain

16. Campus Topology Design
Use a hierarchical, modular approach
Minimize the size of bandwidth domains
Minimize the size of broadcast domains
Provide redundancy

17. A Simple Campus Redundant Design
Host A
LAN X
Switch 1
Switch 2
LAN Y
Host B

18. Bridges and Switches use Spanning-Tree Protocol (STP) to Avoid Loops
Host A
LAN X X
Switch 1
Switch 2
LAN Y
Host B

19. Virtual LANs (VLANs) VLANs versus Real LANs
Switch A
Switch B
To understand VLANs, it helps to think about real (non-virtual) LANs first. Imagine two switches that are not connected to each other in any way. Switch A connects stations in Network A and Switch B connects stations in Network B,
When Station A1 sends a broadcast, Station A2 and Station A3 receive the broadcast, but none of the stations in Network B receive the broadcast, because the two switches are not connected. This same configuration can be implemented through configuration options in a single switch, with the result looking like the next slide.
Station A1
Station A2
Station A3
Station B1
Station B2
Station B3
Network A
Network B
Two switches that are not connected to each other in any way. When Station A1 sends a broadcast, Station A2 and Station A3 receive the broadcast, but none of the stations in Network B receive the broadcast

20. A Switch with VLANs
Through the configuration of the switch there are now two virtual LANs implemented in a single switch. The broadcast, multicast, and unknown-destination traffic originating with any member of VLAN A is forwarded to all other members of VLAN A, and not to a member of VLAN B. VLAN A has the same properties as a physically separate LAN bounded by routers.
Station A1
Station A2
Station A3
VLAN A
Station B1
Station B2
Station B3
VLAN B
Through the configuration of the switch there are now two virtual LANs implemented in a single switch, instead of two separate physical LANs. This is the beauty of VLANs. The broadcast, multicast, and unknown-destination traffic originating with any member of VLAN A is forwarded to all other members of VLAN A, and not to a member of VLAN B. VLAN A has the same properties as a physically separate LAN bounded by routers. The protocol behavior in this slide is exactly the same as the protocol behavior in the previous slide.

21. VLANs Span Switches VLANs can span multiple switches. Switch A
Station B1
Station B2
Station B3
Switch B
Station B4
Station B5
Station B6
Station A1
Station A2
Station A3
Station A4
Station A5
Station A6
VLAN B
VLAN A
VLANs can span multiple switches. In this slide, both switches contain stations that are members of VLAN A and VLAN B. This design introduces a new problem, the solution to which is specified in the IEEE 802.1Q standard and the Cisco proprietary Inter-Switch Link (ISL) protocol. The problem has to do with the forwarding of broadcast, multicast, or unknown-destination frames from a member of a VLAN on one switch to the members of the same VLAN on the other switch.
In this slide, all frames going from Switch A to Switch B take the same interconnection path. The 802.1Q standard and Cisco's ISL protocol define a method for Switch B to recognize whether an incoming frame belongs to VLAN A or to VLAN B. As a frame leaves Switch A, a special header is added to the frame, called the VLAN tag. The VLAN tag contains a VLAN identifier (ID) that specifies to which VLAN the frame belongs.
Because both switches have been configured to recognize VLAN A and VLAN B, they can exchange frames across the interconnection link, and the recipient switch can determine the VLAN into which those frames should be sent by examining the VLAN tag. The link between the two switches is sometimes called a trunk link or simply a trunk.
Trunk links allow the network designer to stitch together VLANs that span multiple switches. A major design consideration is determining the scope of each VLAN and how many switches it should span. Most designers try to keep the scope small. Each VLAN is a broadcast domain. In general, a single broadcast domain should be limited to a few hundred workstations (or other devices, such as IP phones).
VLANs can span multiple switches.

22. Incorporate Wireless Connectivity into the LAN Design
Factors influencing availability in a wireless network:
Location of the AP
Signal strength of the AP
Number of users
Dynamic
reconfiguration
Centralization
Graphic:

23. WLANs and VLANs A wireless LAN (WLAN) is often implemented as a VLAN
WLAN should be a separate subnet
Clients roaming but Users remain in the same VLAN and IP subnet as they roam, so there’s no need to change addressing information
Also makes it easier to set up filters ACL(Access Control Lists) to protect the wired network from wireless users.

24. Security Topologies DMZ Enterprise Internet Network
Web, File, DNS, Mail Servers

25. DMZ
DMZ: demilitarized zone:  is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger untrusted network, usually the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.
In a computer network, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as  , web and Domain Name System (DNS) servers.

26. Security Topologies Firewall: boundary between two or more networks
Internet
Firewall
DMZ
Enterprise Network
Web, File, DNS, Mail Servers

27. Firewall
A firewall can either be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether it should be allowed through or not, based on a predetermined rule set.

28. Summary Use a systematic, top-down approach
Plan the logical design before the physical design
Topology design should feature hierarchy, redundancy, modularity, and security

29. Review Questions
Why are hierarchy and modularity important for network designs?
What are the three layers of Cisco’s hierarchical network design?
What are the major components of Cisco’s enterprise composite network model?
What are the advantages and disadvantages of the various options for multihoming an Internet connection?

30. Chapter Six Designing Models for Addressing and Naming
Copyright 2010 Cisco Press & Priscilla Oppenheimer

31. Guidelines for Addressing and Naming
Use a structured model for addressing and naming
Assign addresses and names hierarchically
Decide in advance

32. Advantages of Structured Models for Addressing & Naming
It makes it easier to
Read network maps
Operate network management software
Recognize devices in protocol analyzer traces
Meet goals for usability
Design filters on firewalls and routers
Implement route summarization

33. Public IP Addresses
Managed by the Internet Assigned Numbers Authority (IANA)
Users are assigned IP addresses by Internet Service Providers (ISPs).
ISPs obtain allocations of IP addresses from their appropriate Regional Internet Registry (RIR)
Public address is essential for web server or other servers that external users access. But not necessary for all internal hosts and networks. Private address is ok.
Addressing for internal host that need access to outside services can be handled by NAT (Network Address Translation) gateway.

34. Regional Internet Registries (RIR)
American Registry for Internet Numbers (ARIN) serves North America and parts of the Caribbean.
RIPE Network Coordination Centre (RIPE NCC) serves Europe, the Middle East, and Central Asia.
Asia-Pacific Network Information Centre (APNIC) serves Asia and the Pacific region.
Latin American and Caribbean Internet Addresses Registry (LACNIC) serves Latin America and parts of the Caribbean.
African Network Information Centre (AfriNIC) serves Africa.

35. Private Addressing
An enterprise network administrator assigns to internal networks and hosts without any coordination from an ISP or RIRs. – – –
Advantages:
Security. Private network numbers are not advertised.
Flexibility. Easy to change to new ISP.
Save IP address resources.

36. The Two Parts of an IP Address
32 Bits
Prefix
Host
Prefix Length

37. Designing Networks with Subnets
Determining subnet size
Computing subnet mask
Computing IP addresses

38. Subnets
Subnetting is the process to divide a network into several smaller networks.
Within a subnet, all the hosts have the same network ID in their IP addresses.
With subnets, a physical network can be divided into logical units.
The hosts in each unit can directly communicate with each other and use the same router to communicate with the hosts in the other subnets.
Local broadcasting is limited within a subnet.

39. Reasons for Using Subnets
To efficiently use IP addresses
To reduce the number of collisions
To reduce broadcasting traffic
To strengthen network security control
To implement the network structure at the site, building, department, and office levels
To reduce the cost of paying the ISP for public IP addresses

40. Subnet Masks
A subnet mask is a string of 32-bit binary code used to determine which part of an IP address is used as the network ID.
Binary Subnet Mask
Decimal Subnet Mask
The leftmost bits in a subnet mask are a sequence of consecutive 1s and rightmost bits must be consecutive 0s. Invalid masks are listed below.
Binary
Decimal

41. Addresses to Avoid When Subnetting
A node address of all ones (broadcast)
A node address of all zeros (network)
A subnet address of all ones (all subnets)
A subnet address of all zeros (confusing)

42. Classful IP Addressing
Class First First Byte Prefix Intent
Few Bits Length
A * 8 Very large networks
B Large networks
C Small networks
D NA IP multicast
E NA Experimental
*Addresses starting with 127 are reserved for IP traffic local to a host.

43. Division of the Classful Address Space
Class Prefix Number of Addresses
Length per Network
A = 16,777,214
B = 65,534
C = 254

44. Classful IP is Wasteful
Class A uses 50% of address space
Class B uses 25% of address space
Class C uses 12.5% of address space
Class D and E use 12.5% of address space

45. Classless Addressing Prefix/host boundary can be anywhere
Less wasteful
Supports route summarization (Aggregation)
Also known as
Aggregation
Supernetting
Classless routing
Classless inter-domain routing (CIDR)
Prefix routing

46. Enterprise Core Network Branch-Office Networks
Supernetting
Branch-Office Router
Enterprise Core Network
Branch-Office Networks
Move prefix boundary to the left
Branch office advertises /14

47. Guidelines for Assigning Names
Names should be
Short
Meaningful
Clear
Distinct
Case insensitive
Avoid names with unusual characters
Hyphens, underscores, asterisks, and so on

48. Domain Name System (DNS)
Maps names to IP addresses
Supports hierarchical naming
example: eent3.lsbu.ac.uk
A DNS server has a database of resource records (RRs) that maps names to addresses in the server’s “zone of authority”
Client queries server
Uses UDP port 53 for name queries and replies
Uses TCP port 53 for zone transfers

49. Describe IPv6 Implementations and IPv6 to IPv4 Interactions
Enhancements available with IPv6:
Mobility and security
Simpler header
Address formatting
Graphic:

50. Summary
Use a systematic, structured, top-down approach to addressing and naming
Assign addresses in a hierarchical fashion
Distribute authority for addressing and naming where appropriate
IPv6 looms in our future

51. Review Questions
Why is it important to use a structured model for addressing and naming?
When is it appropriate to use IP private addressing versus public addressing?
When is it appropriate to use static versus dynamic addressing?
What are some approaches to upgrading to IPv6?

52. Chapter Seven Selecting Switching and Routing Protocols
Copyright 2010 Cisco Press & Priscilla Oppenheimer

53. Switching and Routing Choices
Layer 2 transparent bridging (switching)
Multilayer switching
Spanning Tree Protocol enhancements
VLAN technologies
Routing
Static or dynamic
Distance-vector and link-state protocols
Interior and exterior
Etc.

54. Selection Criteria for Switching and Routing Protocols
Network traffic characteristics
Bandwidth, memory, and CPU usage
The number of peers supported
The capability to adapt to changes quickly
Support for authentication

55. Example Decision Table

56. Transparent Bridging (Switching) Tasks
Forward frames transparently
Learn location of devices by source address in each frame
Bridge develops a switch/bridge table, or MAC address table, or Content Address Memory (CAM) table.
Floods unknown or broadcast frames
Layer 1 and 2 device (physical address), don’t look at IP address.
Store-and-forward device. Receive a complete frame, determines outgoing port, calculates CRC then transmits the frame when the port is free

57. Switching Table on a Bridge or Switch

58. Protocols for Transporting VLAN Information
Switches need a method to make sure intra- VLAN traffic goes to the correct interfaces.
IEEE 802.1Q
VLAN Trunk Protocol (VTP)
VLAN management protocol
Switch A
Station B1
Station B2
Station B3
Switch B
Station B4
Station B5
Station B6
Station A1
Station A2
Station A3
Station A4
Station A5
Station A6
VLAN B
VLAN A

59. Routing vs. Bridging and Switching Routing is operating at the Network Layer of the OSI Model. Bridging and switching occur on the Data Link Layer.

60. Selecting Routing Protocols
A routing protocol lets a router dynamically learn how to reach other networks and exchange this information with other routers.
They all have the same general goal:
To share network reachability information among routers
They differ in many ways:
Interior versus exterior
Metrics supported
Dynamic versus static and default
Distance-vector versus link-sate
Classful versus classless
Scalability

61. Interior Versus Exterior Routing Protocols
Interior routing protocols are used within one organization. The current lead Interior Routing Protocol is OSPF. Other Interior Protocols include IS-IS, RIP, and EIGRP.
Exterior routing protocols are used between organizations. The current lead Exterior Gateway Protocol is BGP. The current revision of BGP is BGP4. There are no other Exterior Gateway Routing protocols in current competition with BGP4.

62. Routing Protocol Metrics
Metric: the determining factor used by a routing algorithm to decide which route to a network is better than another
Examples of metrics:
Bandwidth - capacity
Delay - time
Load - amount of network traffic
Reliability - error rate
Hop count - number of routers that a packet must travel through before reaching the destination network
Cost - arbitrary value defined by the protocol or administrator

63. Routing Algorithms Static routing Default routing
Calculated beforehand, offline
Default routing
“If I don’t recognize the destination, just send the packet to Router X”
Cisco’s On-Demand Routing
Routing for stub networks
Uses Cisco Discovery Protocol (CDP)
Dynamic routing protocol
Distance-vector algorithms
Link-state algorithms

64. Distance-Vector Vs. Link-State
Distance-vector algorithms keep a list of networks, with next hop and distance (metric) information
Link-state algorithms keep a database of routers and links between them
Link-state algorithms think of the internetwork as a graph instead of a list
When changes occur, link-state algorithms apply Dijkstra’s shortest-path algorithm to find the shortest path between any two nodes

65. Choosing Between Distance-Vector and Link-State
Choose Distance- Vector
Simple, flat topology
Hub-and-spoke topology
Junior network administrators
Convergence time not a big concern
Choose Link-State
Hierarchical topology
More senior network administrators
Fast convergence is critical

66. Dynamic IP Routing Protocols
Distance-Vector
Routing Information Protocol (RIP) Version 1 and 2
Interior Gateway Routing Protocol (IGRP)
Enhanced IGRP
Border Gateway Protocol (BGP)
Link-State
Open Shortest Path First (OSPF)
Intermediate System-to-Intermediate System (IS-IS)

68. Summary
The selection of switching and routing protocols should be based on an analysis of
Goals
Scalability and performance characteristics of the protocols
Transparent bridging is used on modern switches
But other choices involve enhancements to STP and protocols for transporting VLAN information
There are many types of routing protocols and many choices within each type

69. Review Questions
What are some options for enhancing the Spanning Tree Protocol?
What factors will help you decide whether distance-vector or link-state routing is best for your design customer?
What factors will help you select a specific routing protocol?
Why do static and default routing still play a role in many modern network designs?

70. Chapter Eight Developing Network Security Strategies
Copyright 2010 Cisco Press & Priscilla Oppenheimer

71. Network Security Design The 12 Step Program
Identify network assets
Analyze security risks
Analyze security requirements and tradeoffs
Develop a security plan
Define a security policy
Develop procedures for applying
security policies
ch2
The first three steps were covered more in Chapter 2. Chapter 8 picks up that discussion and focuses on selecting the right security mechanisms for the different components of a modular network design.
ch8

72. The 12 Step Program (continued)
Develop a technical implementation strategy
Achieve buy-in from users, managers, and technical staff
Train users, managers, and technical staff
Implement the technical strategy and security procedures
Test the security and update it if any problems are found
Maintain security
out
ch12
Maintain security by scheduling periodic independent audits, reading audit logs, responding to incidents, reading current literature and agency alerts, installing patches and security fixes, continuing to test and train, and updating the security plan and policy.
ch8

73. Network Assets Hardware Software Applications Data
Intellectual property
Trade secrets
Company’s reputation

74. Security Risks Hacked network devices
Data can be intercepted, analyzed, altered, or deleted
User passwords can be compromised
Device configurations can be changed
Reconnaissance attacks (gather information )
Denial-of-service attacks (make a computer resource unavailable to its intended users)
Intercept—obstruct
Home : Intrusion Detection System : Reconnaissance Attacks
to a friend Print version Comments
Reconnaissance Attacks
Reconnaissance Attacks Reconnaissance attacks are used to gather information about a target network or system. Such attacks may seem harmless at the time and may be overlooked by security administrators as "network noise" or pestering behavior, but it is usually the information gained through reconnaissance attacks that is used in subsequent Access or DoS attacks. Several means may be used to gather information about an organization and could include automated and manual technological attacks as well as human social attacks. Examples might include ICMP ping sweeps against a network or SNMP walking techniques to gather network map and device configuration data. Likewise, application-level scanners could be used to search for vulnerabilities such as web server CGI or ASP weaknesses.
No specific damage may be caused by the reconnaissance attack, but it is akin to burglars staking out a neighborhood, watching for times of inactivity, and occasionally testing windows and doors for access.
Reconnaissance attacks are quite common and should be considered a serious threat to an organization as they may give potential attackers the information required to perform access or DoS attacks.
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person, or multiple people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regards to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.[1]
One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.[

75. Security Tradeoffs
Tradeoffs must be made between security goals and other goals:
Affordability
Usability
Performance
Availability
Manageability
An example of a tradeoff is that security can reduce network redundancy. If all traffic must go through an encryption device, for example, the device becomes a single point of failure. This makes it hard to meet availability goals.
Security adds to management work (user ID, passwords ), and affects network performance. Encryption consume upto 15% of CPU power on a router or network throughput.

76. A Security Plan
High-level document that proposes what an organization is going to do to meet security requirements
Specifies time, people, and other resources that will be required to develop a security policy and achieve implementation of the policy

77. A Security Policy A security policy is a The policy should address
“Formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.”
The policy should address
Access, accountability, authentication, privacy, and computer technology purchasing guidelines

78. Security Mechanisms Physical security Authentication Authorization
Accounting (Auditing)
Data encryption
Packet filters
Firewalls
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)

79. Modularizing Security Design
Security defense in depth
Network security should be multilayered with many different techniques used to protect the network
Belt-and-suspenders approach
Don’t get caught with your pants down

80. Modularizing Security Design
Secure all components of a modular design:
Internet connections
Public servers and e-commerce servers
Remote access networks and VPNs
Network services and network management
Server farms
User services
Wireless networks

81. Securing Internet Connections
Physical security
Firewalls and packet filters
Audit logs, authentication, authorization
Well-defined exit and entry points
Routing protocols that support authentication

82. Securing Public Servers
Place servers in a DMZ that is protected via firewalls
Run a firewall on the server itself
Enable DoS protection
Limit the number of connections per timeframe
Use reliable operating systems with the latest security patches
Maintain modularity
Front-end Web server doesn’t also run other services (FTP services not run on the same server as Web services, e-commerce database should not be on the web server.)
Security experts recommend that FTP services not run on the same server as Web services. FTP users have more opportunities for reading and possibly changing files than Web users do. A hacker could use FTP to damage a company’s Web pages, thus damaging the company’s image and possibly compromising Web-based electronic-commerce and other applications. In addition, any e-commerce database server that holds sensitive customer financial information should be separate from the front-end Web server that users see.

83. Securing Remote-Access and Virtual Private Networks (VPN)
Physical security
Firewalls
Authentication, authorization, and auditing
Encryption
One-time passwords
Security protocols
CHAP
RADIUS
IPSec

84. Securing Network Services
Treat each network device (routers, switches, and so on) as a high-value host and harden it against possible intrusions
Require login IDs and passwords for accessing devices
Require extra authorization for risky configuration commands
Use SSH rather than Telnet
Change the welcome banner to be less welcoming

85. Securing Server Farms
Deploy network and host IDSs to monitor server subnets and individual servers
Configure filters that limit connectivity from the server in case the server is compromised
Fix known security bugs in server operating systems
Require authentication and authorization for server access and management
Limit root password to a few people
Avoid guest accounts

86. Securing User Services
Specify which applications are allowed to run on networked PCs in the security policy
Require personal firewalls and antivirus software on networked PCs
Implement written procedures that specify how the software is installed and kept current
Encourage users to log out when leaving their desks
Consider using 802.1X port-based security on switches

87. Securing Wireless Networks
Place wireless LANs (WLANs) in their own subnet or VLAN
Simplifies addressing and makes it easier to configure packet filters
Require all wireless (and wired) laptops to run personal firewall and antivirus software
Disable beacons that broadcast the SSID, and require MAC address authentication
Except in cases where the WLAN is used by visitors

88. WLAN Security Options Wired Equivalent Privacy (WEP) (danger)
IEEE i
Wi-Fi Protected Access (WPA)
IEEE 802.1X Extensible Authentication Protocol (EAP)
Lightweight EAP or LEAP (Cisco)
Protected EAP (PEAP)
Virtual Private Networks (VPNs)
Any other acronyms we can think of? :-)

89. Wired Equivalent Privacy (WEP)
Defined by IEEE
Users must possess the appropriate WEP key that is also configured on the access point
64 or 128-bit key (or passphrase)
WEP encrypts the data using the RC4 stream cipher method
Infamous for being crackable (within 30 minutes by normal laptop)

90. WEP Alternatives Vendor enhancements to WEP
Temporal Key Integrity Protocol (TKIP)
Every frame has a new and unique WEP key
Advanced Encryption Standard (AES)
IEEE i
Wi-Fi Protected Access (WPA) from the Wi- Fi Alliance

91. Extensible Authentication Protocol (EAP)
With 802.1X and EAP, devices take on one of three roles:
The supplicant resides on the wireless LAN client
The authenticator resides on the access point
An authentication server resides on a RADIUS server

92. EAP (Continued)
An EAP supplicant on the client obtains credentials from the user, which could be a user ID and password
The credentials are passed by the authenticator to the server and a session key is developed
Periodically the client must reauthenticate to maintain network connectivity
Reauthentication generates a new, dynamic WEP key

93. VPN Software on Wireless Clients
Safest way to do wireless networking for corporations
Wireless client requires VPN software
Connects to VPN concentrator at HQ
Creates a tunnel for sending all traffic
VPN security provides:
User authentication
Strong encryption of data
Data integrity

94. Summary Use a top-down approach
Chapter 2 talks about identifying assets and risks and developing security requirements
Chapter 5 talks about logical design for security (secure topologies)
Chapter 8 talks about the security plan, policy, and procedures
Chapter 8 also covers security mechanisms and selecting the right mechanisms for the different components of a modular network design

95. Review Questions
How does a security plan differ from a security policy?
Why is it important to achieve buy-in from users, managers, and technical staff for the security policy?
What are some methods for keeping hackers from viewing and changing router and switch configuration information?
How can a network manager secure a wireless network?

96. Chapter Nine Developing Network Management Strategies
Copyright 2010 Cisco Press & Priscilla Oppenheimer

97. Network Management
Helps an organization achieve availability, performance, and security goals
Helps an organization measure how well design goals are being met and adjust network parameters if they are not being met
Facilitates scalability
Helps an organization analyze current network behavior, apply upgrades appropriately, and troubleshoot any problems with upgrades

98. Network Management Design
Consider scalability, traffic patterns, data formats, cost/benefit tradeoffs
Determine which resources should be monitored
Determine metrics for measuring performance
Determine which and how much data to collect

99. Proactive Network Management
Plan to check the health of the network during normal operation, not just when there are problems
Recognize potential problems as they develop
Optimize performance
Plan upgrades appropriately

100. Network Management Processes According to the ISO
Fault management
Configuration management
Accounting management
Performance management
Security management

101. Fault Management Detect, isolate, diagnose, and correct problems
Report status to end users and managers
Track trends related to problems

102. Configuration Management
Keep track of network devices and their configurations
Maintain an inventory of network assets
Log versions of operating systems and applications

103. Accounting Management
Keep track of network usage by departments or individuals
Facilitate usage-based billing
Find abusers who use more resources than they should

104. Performance Management
Monitor end-to-end performance
Also monitor component performance (individual links and devices)
Test reachability
Measure response times
Measure traffic flow and volume
Record route changes

105. Security Management Maintain and distribute user names and passwords
Generate, distribute, and store encryption keys
Analyze router, switch, and server configurations for compliance with security policies and procedures
Collect, store, and examine security audit logs

106. Network Management Components
A managed device is a network node that collects and stores management information
An agent is network-management software that resides in a managed device
A network-management system (NMS) runs applications to display management data, monitor and control managed devices, and communicate with agents

107. Network Management Architecture
NMS
Agent
Agent
Agent
Management Database
Management Database
Management Database
Managed Devices

108. Architecture Concerns
In-band versus out-of-band monitoring
In-band control passes control data on the same connection as main data. Out-of-band control passes control data on a separate connection from main data. In-band is easier to develop, but results in management data being impacted by network problems
Centralized versus distributed monitoring
Centralized management is simpler to develop and maintain, but may require huge amounts of information to travel back to a centralized network operations center (NOC)
In-band control is a characteristic of network protocols with which data control is regulated. In-band control passes control data on the same connection as main data. Protocols that use in-band control include HTTP and SMTP. This is as opposed to Out-of-band control used by protocols such as FTP.
Out-of-band control is a characteristic of network protocols with which data control is regulated. Out-of-band control passes control data on a separate connection from main data. Protocols such as FTP use out-of-band control.
FTP sends its control information, which includes user identification, password, and put/get commands, on one connection, and sends data files on a separate parallel connection. Because it uses a separate connection for the control information, FTP uses out-of-band control.

109. Simple Network Management Protocol (SNMP)
Most popular network management protocol
SNMPv3 should gradually supplant versions 1 and 2 because it offers better authentication
SNMP works with Management Information Bases (MIBs)

110. Remote Monitoring (RMON)
Developed by the IETF in the early 1990s to address shortcomings in standard MIBs
Provides information on data link and physical layer parameters
Nine groups of data for Ethernet
The statistics group tracks packets, octets, packet-size distribution, broadcasts, collisions, dropped packets, fragments, CRC and alignment errors, jabbers, and undersized and oversized packets

111. Cisco Tools Cisco Discovery Protocol NetFlow Accounting
With the show cdp neighbors detail command, you can display detailed information about neighboring routers and switches, including which protocols are enabled, network addresses for enabled protocols, the number and types of interfaces, the type of platform and its capabilities, and the version of Cisco IOS Software running on the neighbor.
NetFlow Accounting
An integral part of Cisco IOS Software that collects and measures data as it enters router or switch interfaces

112. Summary
Determine which resources to monitor, which data about these resources to collect, and how to interpret that data
Develop processes that address performance, fault, configuration, security, and accounting management
Develop a network management architecture
Select management protocols and tools

113. Review Questions Why is network management design important?
Define the five types of network management processes according to the ISO.
What are some advantages and disadvantages of using in-band network management versus out-of-band network management?
What are some advantages and disadvantages of using centralized network management versus distributed network management?