CMPC 323 CIS Audit

NETWORKS

The first computer networks were created by connecting serial ports between two or more computers. This primitive design used modem software to handle file transfer between systems. Networks evolved with the invention of token passing and broadcast transmissions. The invention of the hub, or shared media access unit, created the opportunity to connect multiple computers together on the same segment (again, referred to as a subnet). The concept of a network bridge was created to connect two subnets into the same, single subnet. A layer 2 bridge allows all traffic to pass from one side to the next. The bridge could be configured to allow broadcasts across it or configured to filter broadcasts and reduce noise; it depended on the bridge manufacturer’s design.

Later, it became apparent that it would be necessary to connect two separate networks together without merging them into a single subnet as a bridge would. Many people complained that too many systems were creating too much traffic when all the computers were located within one giant subnet. Thus came the development of the router. Early routers were simply computers with two interface cards. Interface 1 serviced a connection to LAN 1, and interface 2 provided a connection to LAN 2. A software-routing program was then loaded to run on the computer’s CPU. The routing program basically determines whether individual traffic requests need to cross to the other side. If so, the router passes the request through the other LAN interface to reach its destination. If the destination is within the same subnet (LAN 1 to LAN 1), the router ignores the traffic. This protects the other subnet (LAN 2) from unnecessary data transmission noise. That is the basic function of a router: routers forward data traffic when necessary and insulate users on other subnets. In modern networks, the routing function can be loaded onto a router card installed in the network switch chassis.
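The bridge-versus-router distinction just described, as an added example that is not part of the original course notes: a layer 2 bridge passes everything from one side to the other (optionally filtering broadcasts), while a two-interface software router forwards a packet only when its destination lies in another interface's subnet, ignores same-subnet traffic, and never lets a broadcast cross. The interface names, subnets and frames are constructed for the illustration.

```python
"""Forwarding decisions of a layer 2 bridge versus a two-interface software router.

Constructed example: the interface names, subnets and frames below are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class Frame:
    """Only the fields the two devices look at: layer 2 MACs, layer 3 IPs, ingress port."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    in_port: str


class Bridge:
    """Layer 2: joins two segments into one subnet, so it passes everything across.

    Whether broadcasts cross too is a per-product choice, modelled here as a flag.
    """

    def __init__(self, filter_broadcasts: bool = False) -> None:
        self.filter_broadcasts = filter_broadcasts

    def decide(self, frame: Frame) -> str:
        if frame.dst_mac == BROADCAST_MAC and self.filter_broadcasts:
            return "filter"          # broadcast stays on the side it came from
        return "forward"             # unicast, or an unfiltered broadcast, crosses the bridge


class Router:
    """Layer 3: one subnet per interface; forwards only what must cross, insulates the rest."""

    def __init__(self, interfaces: dict[str, str]) -> None:
        # e.g. {"lan1": "192.168.1.0/24", "lan2": "192.168.2.0/24"}
        self.interfaces = {name: IPv4Network(net) for name, net in interfaces.items()}

    def decide(self, frame: Frame) -> str:
        local = self.interfaces[frame.in_port]
        dst = IPv4Address(frame.dst_ip)
        # Second job of a router: a broadcast (layer 2 or layer 3) never crosses to
        # another interface, so the other LAN is spared the noise. This is also why a
        # broadcast-based service must sit on the same subnet as the hosts using it.
        if frame.dst_mac == BROADCAST_MAC or dst in (LIMITED_BROADCAST, local.broadcast_address):
            return "drop"
        # Destination on the LAN the frame arrived from: not the router's business.
        if dst in local:
            return "ignore"
        # First job: cross to the interface whose subnet holds the destination.
        for name, net in self.interfaces.items():
            if name != frame.in_port and dst in net:
                return f"forward:{name}"
        return "drop"                # no interface serves that subnet


def demo() -> dict[str, str]:
    """Run three constructed frames through the two-LAN router and a bridge."""
    router = Router({"lan1": "192.168.1.0/24", "lan2": "192.168.2.0/24"})
    same_lan = Frame("00:11:22:33:44:01", "00:11:22:33:44:02", "192.168.1.10", "192.168.1.20", "lan1")
    cross_lan = Frame("00:11:22:33:44:01", "00:11:22:33:44:ff", "192.168.1.10", "192.168.2.5", "lan1")
    broadcast = Frame("00:11:22:33:44:01", BROADCAST_MAC, "0.0.0.0", "255.255.255.255", "lan1")
    return {
        "router/same_lan": router.decide(same_lan),                                    # ignore
        "router/cross_lan": router.decide(cross_lan),                                  # forward:lan2
        "router/broadcast": router.decide(broadcast),                                  # drop
        "bridge/broadcast": Bridge().decide(broadcast),                                # forward
        "bridge_filtering/broadcast": Bridge(filter_broadcasts=True).decide(broadcast),  # filter
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28} -> {decision}")
```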
Traditional routers are usually a dedicated device in their own chassis.

Overview of Network Topologies

As networks grew, creating a standardized topology for all the connections became necessary. Early networks were very proprietary. It was difficult to mix equipment from different vendors. Although this was good for the manufacturer, it drove computer users nuts. Over the years, three basic network cable topologies have become widely accepted: bus, star, and ring. Let’s look at the design of these three topologies.

Identifying Bus Topologies

One of the first topologies to become accepted was the bus topology (see Figure 4.29). This presented a relatively inexpensive method for connecting multiple computers. In a bus topology, each computer is daisy-chained to the next computer. A single coaxial cable passes through the connector on the back of each computer on the network. This cable runs through the office like a single rope, which ties all the systems together. The design has one major drawback: a break in the bus cable would interrupt transmission for all the computers attached to that cable. Cabling a bus topology can also be cumbersome.

Identifying Star Topologies

The star topology is the most popular topology in use today (see Figure 4.30). In a star topology, each computer has a dedicated cable connection running to a network hub (or switch). This design offers the most flexibility for placement of workstations. It also offers the highest degree of cable redundancy. The cable redundancy ensures that other computers are not affected by a failure of another workstation’s connection. This is the design of most data networks. It is also used by the PBX telephone switch to connect individual telephone stations. The primary drawback to the star topology is the cost of all the additional cable required to make connections for each station. Figure 4.31 demonstrates the practical application of the star topology.
Notice that each workstation has a connection to a nearby wiring closet. This design ensures that you do not exceed the maximum recommended cable length. The acceptable length of cable varies depending on the cabling type used. Normally it is 100 meters on unshielded twisted-pair (UTP). The star topology helps reduce the cabling cost by shortening the cable distance to reach each user. The hubs and switches are located in the wiring closet to connect users to the network. Every cable is terminated at the wall plate near the user and at a patch panel in the wiring closet. A patch cord connects the building cable from the patch panel to the ports of the hub/switch. A backbone connection is then run from the data center to the wiring closet to establish a complete path for network communication. Figure 4.31 shows the real-world implementation of a star topology, complete with wiring closet and backbone to the data center.

Identifying Ring Topologies

The most famous token-passing LAN protocol is IBM’s ring topology, known as Token Ring (see Figure 4.32). Each LAN computer is connected to a media access unit (MAU). Each MAU is connected to both an upstream MAU and a downstream MAU to form a backbone loop. Network traffic can be transmitted in either direction. This bidirectional loop is referred to as the ring. A network ring topology has the advantage of built-in redundancy. If the ring breaks, all traffic will travel through the ring in the opposite direction, thereby avoiding the break point. The individual workstations are then connected into the ring by using a star topology. The telecommunications companies use the ring technology in their fiber-optic networks. This design allows the redundant path necessary to create a fault-tolerant network.

Identifying Meshed Networks

The important network links can have alternate path connections to increase redundancy.
The meshing of star networks is a common method of providing redundancy similar to the approach used by a ring topology. The principal difference is that a meshed network is a series of point-to-point connections between critical backbone points. The router determines which link to use based on predefined routing criteria. A network administrator defines the best link and the alternate path link to use if the best link is down. There are essentially two types of meshed networks:

Full mesh
A fully meshed network has alternate connections for every major backbone point on the network (see Figure 4.33). The primary obstacle to this design is the cost of implementation.

Partial mesh
When you cannot afford a full mesh network, you may decide to implement a partial mesh for the most critical links (see Figure 4.34). Occasionally, the critical link may not be determined by the overall value of traffic. The additional link may be determined by the ability of the sponsor to pay the additional cost. A partial mesh is better than no redundancy at all.

LAN Equipment and Purpose

Router (layer 3)
Connects separate subnetworks or adapts a connection to different transmission media. Routers decide whether the traffic needs to pass along another route or should just stay in the original subnetwork. This relieves traffic congestion across the network. Examples include LAN 1–to–LAN 2 and LAN-to-WAN circuits. Routers can also convert between Ethernet, Token Ring, and telephone company communication protocols.

Switch (layer 2)
Provides the intelligent process of creating discrete communication on each port. Same function as the PBX telephone switch, which creates the illusion of private communication lines for each user. Network VLANs are similar to administrator-designated group conference calling. Requires a router (layer 3 router function) to communicate with a different subnetwork or between VLANs.
Bridge (layer 2)
Connects two separate networks by using the same network addressing in one subnet. An intelligent bridge is the same as a layer 2 switch.

Hub (layer 1)
Connects individual cables to share data between ports. Amplifies and retimes the tiny electrical signals. Similar to an electrical junction box for networking cables.

Repeater (layer 1)
Designed to boost the signal strength across a cable to overcome distance limitations.

Wi-Fi transmitter (layer 1)
Short-range wireless transmitter/receiver to connect laptops and PDA devices to the LAN. (May be integrated into an all-in-one router offering both layer 1 and layer 3 functions.)

NETWORK SERVICES

Domain Name System

Computers like to use hexadecimal numbers, network administrators like to use IP addresses, and all of us who run computers like to refer to machines by name. Names are so much easier to remember. Even names can get confusing, so the Internet is designed to allow fully qualified domain names. A fully qualified domain name (FQDN) is what you see on the left side in the URL portion of the browser as you surf the Internet. Have you ever wondered how the web browser finds the website you typed? The answer is by using the Domain Name System (DNS). Routers have tables of IP addresses, along with the routes to take to reach those addresses. DNS servers are a layer 7 software application that contains a list of alias names and their associated IP addresses. DNS is how you end up reaching a website without knowing its IP address. DNS offers additional flexibility. You can change the IP address without having to tell everyone about the address change. Just keep the DNS server updated with your new IP address. If DNS fails, you will not be able to access the target, or you will resort to typing the IP address (if known). Figure 4.38 shows the process of DNS looking at the company name and responding to your request. A major problem with traditional DNS is the lack of security.
Network productivity is essentially shut down if the DNS server is lost or attacked. Attackers can poison DNS by using fake servers or injecting fake DNS updates. This is the same problem discussed with layer 3 routing-table updates. The preferred method is to implement Secure DNS (S-DNS) by using ACLs and digital certificates. Name-lookup services and DNS updates would be accepted only from DNS servers able to continually verify their identity. Trust is destroyed upon the first failure in an ongoing challenge-response process.

Dynamic Host Configuration Protocol

For years, the job of a network administrator entailed the tedious task of configuring IP addresses on each computer. Manual settings are still the best choice for network servers; however, the user workstation is another matter. Dynamic Host Configuration Protocol (DHCP) can automatically configure the IP address, subnet mask, and DNS settings on a computer. DHCP is an improved version of the original BOOTP using RARP. Both DHCP and BOOTP have the same operational design. The theory of operation is simple. Figure 4.39 shows how DHCP works. Here are the steps:

1. A computer on your network is set up as the DHCP server. For remote dial-up, the better access servers will have this ability built in to support the modems. The DHCP server will be configured by your network administrator with a pool of IP addresses eligible for dynamic allocation.
2. The DHCP server listens on the network for an IP packet containing a type 67 code in the header. (Don’t worry, that level of detail is not on your exam.)
3. A computer is booted on your network without an IP address. During the boot process, the computer recognizes that an IP is needed. The computer sends out a type 67 request asking for any DHCP server to assign it an IP address. The request contains the MAC address of the computer asking for an IP.
4. The requesting computer waits several seconds for a response.
5. Your DHCP server recognizes the type 67 request and responds with a type 68 reply addressed to the MAC address of the sender.
6. If the reply is received in time, the computer will accept the IP address and configuration settings. Then it will finish bootup and begin talking on the network.

Every idea in the world has its Achilles heel. DHCP is no different. DHCP is implemented on OSI layer 2. This means that the DHCP mechanism is dependent on making a broadcast with its MAC address. Routers will not pass broadcasts because the resulting traffic is undesired on all other occasions. Remember, the router has two jobs: one is routing, and the second is providing insulation from unnecessary traffic. The DHCP server needs to be located on the same subnet to hear the computer making a DHCP request.

Expanding the Network

Modern routers can connect high-speed LANs to remote places for the purpose of creating a wide area network (WAN). Figure 4.42 shows what a WAN might look like. Remote access is a popular feature. WANs are similar to a LAN; however, the implementation is different. Special equipment is necessary to adapt the transmission signal to telephone and radio equipment. Figure 4.42 shows the basics of expanding a network. Setting up a WAN requires planning. Let’s start with the most important component, which is information. The first thing you need is the customer requirements. What do they intend to connect to the network? Questions should be asked about who will be connecting to the network. Will the users be employees, business partners, or clients? Once again, you ask questions about their intended usage while on the network. What controls are planned? Hopefully, the client will be able to impress the auditor with answers that are well thought out. Your client might want to have dial-in access to the network for their users. This can be accomplished in two ways:

Individual modems
An individual modem can be connected to a computer on the network.
This is a simple method that is adored by every hacker in the world. Individual modem connections bypass the majority of network security controls. Your monitoring tools may think this is just an ordinary internal computer with free rein over the attached subnet, or worse, the whole network. A hacker can easily find modems by using automated dialling tools or checking a list of known modems posted at hacker sites. Insecure modems are still a threat to security. A sharp auditor will investigate the compliance of dial-in modems with the security policy.

Network access server
An access server can be used with a modem pool. It can be a slick product from Cisco or a PC configured with special software such as Microsoft Remote Access Service (RAS). The access server should have special monitoring and security controls. It is safe to assume that the remote connection will be attached to one of the routers. You should encourage the practice of separating remote connections into their own subnet. This promotes separation of duties with the benefit of simplifying the implementation of security controls. Remote router connections will probably need a firewall if the connection is wireless or could involve someone besides the organization’s employees.

Using Telephone Circuits

High-speed telephone circuits such as T1 (1.54Mbps) and T3 (44.5Mbps) use a channel service unit (CSU) instead of a regular modem. The CSU is a special device used by the telephone company and designed for connection to their equipment. Telephone circuits like this can be divided or combined by using a multiplexor. A multiplexor converts one high-speed telephone port into many lower-speed ports, or combines several lower-speed lines to appear as one high-speed line. Multiplexors are invisible to the user. The telephone company will provide whatever service the client is able to afford. In some areas, the services may be limited.
High-speed services such as Digital Subscriber Line (DSL) are available in only limited areas. The limitation is based on cost: your telephone company will invest in areas that have enough demand to warrant the business cost. In rural areas, people have few choices. These are known as last-mile service areas, where the phone company will lose money. The world of telephone circuits is based on several generations of telephone company equipment. The older generation is based on the Integrated Services Digital Network (ISDN). The newest generation is built by using Dense Wave Multiplexing (DWM) with multiple lasers over fiber optics with Asynchronous Transfer Mode (ATM). Each generation of technology has intrinsic advantages and disadvantages. Let’s run down the list. We suggest you pay attention because these details may be of value. The following are various ways you can connect to your network via a wired route.

Dedicated Telephone Circuits

Dedicated telephone circuits are billed by location, with actual usage billed by distance. The user is charged a monthly fee plus any long-distance charges.

Plain old telephone service (POTS)
POTS is available almost everywhere. This is the regular telephone line, capable of data transmission up to 56Kbps. POTS is based on using half of an ISDN circuit. POTS is the only circuit that is considered to be “off” when not in use. Transmission is halted when you hang up the phone. All the other telephone circuits we discuss are always live and transmitting.

Integrated Services Digital Network (ISDN)
ISDN is the foundation of POTS. Therefore, you should be able to get ISDN almost anywhere. The basic rate interface (BRI) bandwidth starts at 128Kbps per line. It can be used as one 128Kbps channel or divided into two 56Kbps circuits. Optional ISDN speeds on a primary rate interface (PRI) can go up to 1.544Mbps. You can run up to 23 channels of data, voice, and video over ISDN. In Europe and Australia, the PRI speeds are 2.048Mbps, equal to 30 channels. Most video conference sets use ISDN. The ISDN circuit is always on and live.

Primary trunk line (T1)
T1 is a dedicated trunk line equal to 28 POTS circuits. The user is charged by the mile for basic T1 service. Telephone PBX systems are usually connected by one or more T1 trunks running back to the telephone company’s central office. The administrator can provision (divide) the trunk into whatever variety of fractional service they desire for voice, video, or data. T1 lines never shut down. In North America, T1 speeds are 1.544Mbps each, and 2.048Mbps in Europe.

Digital Subscriber Line (DSL)
DSL is usually the least-expensive high-speed circuit, using a higher frequency over a standard telephone line. This allows your standard voice telephone line to simultaneously carry DSL higher-speed traffic without conflict. DSL is substantially limited by distance. It is available only in high-density areas where the phone company can make a profit. Speeds range from 368Kbps to 1.544Mbps. The DSL circuit is always on and live. If you turn off DSL equipment, the phone company disables your circuit.

Wireless Access Solutions

The basic network concepts are identical for developing a network solution sans wire. Wireless is used when the wiring costs are prohibitive or the wires would defeat the intended purpose. Each wireless system requires a minimum of two antenna systems. The antenna stations have both transmitting and receiving capabilities. The following are various ways you can connect to your network via wireless access:

Wi-Fi radio
This is the most common type of wireless access. The design uses a layer 1 transmitter/receiver to support a signal range of up to 1,500 feet. It uses digital spread spectrum or frequency hopping over a private radio channel. It is commonly used by the military and private companies operating mobile fleets. Large-scale Wi-Fi may use cellular service.
Smaller-scale use includes Wi-Fi hot spots. It’s relatively simple to construct a wireless LAN. Several vendors offer low-cost wireless access points (APs), which are similar to a wireless hub or router. The AP is connected to a wired network and broadcasts connectivity to handheld devices. Usually the range of an AP is 300 feet, equivalent to 100 meters. Users can move freely within the 300-foot broadcast range without losing any connectivity. The individual broadcast area (range) is also known as a cell. This is comparable to the design of cellular telephone networks. The effective range can be increased by combining APs and their multiple cells (service range). Wireless LANs (WLANs) are based on the IEEE 802.11 standard.

Station (STA)
The station, or Independent Basic Service Set (IBSS), is a wireless device on the end of the network, such as a PDA, laptop, or mobile phone.

Access point (AP)
This is a wireless transmitter/receiver that provides basic network services, usually within 300 feet, equivalent to 100 meters. Higher-power transmitters with longer ranges are entering the marketplace. The AP and STA compose a basic WLAN.

Cell
The individual AP broadcast range is known as the cell, or span of coverage. Multiple AP cells are linked together to increase the range and allow roaming within the building or between buildings. The relationship is shown in Figure 4.44.

A group of wireless devices uses an ad hoc arrangement when communicating directly with each other in a peer-to-peer relationship without an AP. The terminology ad hoc is based on the dynamic master-slave relationship between devices. Ad hoc networks have a short broadcast range, which is also referred to as the piconet, or personal area network (PAN). Bluetooth is the most common ad hoc network for providing connectivity between a cell phone and a wireless headset. Pico means one trillionth, or very small. Bluetooth technology creates an ad hoc network of one master and one to seven slaves, up to a total of eight devices. This teeny network provides short-range direct-link interconnectivity. The lack of effective security is an enormous drawback in wireless networking.

Satellite radio
This is the next most common method. The signal is bounced off a low-orbit satellite in space. Obviously, the service area is huge. Very popular for remote communications or linking to numerous field locations, satellite is heavily used in trucking fleets, ships, and retail chain operations. The transmission speeds are lower, and cost is an issue unless you buy a large volume of air time. Private uplinks are available for telephone, data, fax, and video applications. Satellite data-phones are common for emergency response. Transmission speeds are 9.6bps to 4MBps, with specialized hardware required. Satellite communication has a 2- to 5-second transmission delay due to signal propagation. For example, the Iridium satellites are less than 500 miles up, compared to 23,000 miles for geosynchronous satellites.

Microwave
Microwaves are used in short-distance runs (1 to 30 miles) across cities and over mountain ranges. Microwave service has been around for 50 years. The only drawbacks are the clear line of sight required for transmission and the construction cost. Connection speeds range from 1MBps to 100MBps. The primary advantage is no recurring transmission costs aside from equipment purchase and regular maintenance. Severe weather and fog can disrupt signals.

Laser
Lasers are being used as an alternative to microwaves. Lasers also work to connect two offices by using the unobstructed aerial space to cross above public roads. It is similar to fiber optics without the fiber cable. Transmission speeds are from 1MBps to 100MBps. Severe weather and fog can disrupt signals.
It is strongly recommended that every land-based wireless connection have a firewall installed between the wired network and the wireless equipment. Many implementations of wireless encryption still contain holes in security. Motivated hackers can access radio connections by using technology available in the amateur radio community. Laser access may be more difficult, but hackers have proven it is possible. It is important that we address the subject of short-range wireless networking for use with radio frequency identification tags. This is an area that will increase as more organizations attempt to implement automated tracking.

Wireless RFID Systems

Radio frequency identification (RFID) is a hot topic. RFID uses a tiny tag, which contains silicon chips and antennas that enable the tag to be detected by scanners. The original purpose was to protect inventory from department store shoplifters. Later RFID was expanded to include planting tags in boxes for better warehouse control. The security and privacy issues regarding RFID are increasing every day. As an IS auditor, you are expected to have a basic understanding of RFID. You will encounter an increasing number of issues regarding RFID implementations. Citizens are growing more concerned about their privacy. Passive RFID tags are regularly used in inventory control and for implant in live animals. These tags may be covertly read at a distance. Newer tags are built into the product and are not detectable. The user could be scanned as they walk through a building. RFID tags in adult products or medical prescription packages could lead to interesting conversations about privacy. Under President Bill Clinton’s administration, the U.S. Food and Drug Administration and other government agencies approved the use of RFID tags for human implant. There are multiple human implant vendors on the market today. The ads for human implant claim RFID tags are safe and nonremovable. One vendor claims that the intended purpose is to protect newborn infants by tracking your baby in the hospital. Other advertised uses include prisoner identification or the identification of elderly individuals unable to provide information for themselves. This new RFID situation poses an increasing variety of privacy concerns.

Another type of RFID uses a transponder to transmit a signal. The RFID transponder uses an internal power source to respond to queries by an antenna in the area. A common example is the toll tag used by a toll road authority for the electronic collection of usage fees. A variety of organizations, including law enforcement, collect surveillance data on common citizens by using active RFID toll tags along with automobile satellite services and cell phone records. Government researchers have determined that RFID tags can be easily cloned without the user’s or recipient’s knowledge. Any RFID signal you can read can be duplicated. The implications may be either good or evil depending on the desire of individuals. You can expect more controversy as the issues develop.