File - Eric Chavez MD MMI

FINAL EXAM
CIS 313 FINAL EXAM
Eric M Chavez MD
Northwestern University
Summer 2013
1.
I would use multimode fiber cable to connect the router to the three core switches
and between one core switch and the three servers if the distance between these
devices is more than 55 meters. This same type of fiber cable can be used to connect
two core switches to the four distribution switches if the distance between the devices is
more than 55 meters. Multimode fiber can transmit data at 10 Gbps. The distance
between the devices will determine the core diameter and the modal bandwidth of the
fiber cable that I choose. Fiber cable with a core diameter of 62.5 microns and modal
bandwidth of 160 MHz.km can transmit data a maximum of 220 meters. Fiber cable with
a core diameter of 62.5 microns and a modal bandwidth of 200 MHz.km can cover a
distance of up to 275 meters. Fiber cable with a core diameter of 50 microns and a
modal bandwidth of 500 MHz.km can transmit data up to 550 meters. (Most fiber cable
in the U.S. is 65 micron cable.) I could use Cat6 UTP cabling to connect any of these
core devices if the distance between them is less than 55 meters. This cabling can
transmit data up to 10 Gbps for a distance of up to 55 meters and is cheaper and easier
to repair than multimode fiber. In general, fiber cable can transmit data farther but not
necessarily faster than UTP cable.
I will use Cat5e UTP cabling to connect the four peripheral distribution switches
to each of the end-user network devices (240 personal computers in this diagram). This
cabling is less expensive and more durable, and it can carry data transmissions of up to
1 Gbps for a maximum of 100 meters which should be sufficient.
2.
I will separate the physical network into four VLANs. VLAN10 will be a DMZ network that
contains the router, three core switches, and the three servers connected to the core switches.
VLAN20 will contain two distribution switches and 115 network devices in engineering. VLAN30
will contain a distribution switch and 35 network devices in accounting/HR/management.
VLAN40 will contain a distribution switch and 90 network devices in sales.
Network Name             Network ID     Subnet Mask      Broadcast Address
VLAN10 (core DMZ)        172.16.10.0    255.255.255.0    172.16.10.255
VLAN20 (engineering)     172.16.20.0    255.255.255.0    172.16.20.255
VLAN30 (acct/HR/mngt)    172.16.30.0    255.255.255.0    172.16.30.255
VLAN40 (engineering)     172.16.40.0    255.255.255.0    172.16.40.255
3.
Network Name    Address Range                Default Gateway    DNS Server Address
VLAN10          172.16.10.1-172.16.10.254    172.16.10.1        172.16.10.5
VLAN20          172.16.20.1-172.16.20.254    172.16.20.1        172.16.10.5
VLAN30          172.16.30.1-172.16.30.254    172.16.30.1        172.16.10.5
VLAN40          172.16.40.1-172.16.40.254    172.16.40.1        172.16.10.5
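The addressing plan in answers 2 and 3 can be checked mechanically. The following is an added example, not part of the original exam answer: it derives each broadcast address and usable range from the network ID and mask, then audits gateways, capacity, overlap and DNS placement. The function names and the VLAN10 device count of 7 (router, three core switches, three servers) are assumptions made for the example.

```python
import ipaddress
from itertools import combinations

# Values copied from answers 2 and 3. Device counts are the figures in the
# text; VLAN10's 7 (router + 3 core switches + 3 servers) is an assumption.
PLAN = {
    "VLAN10": ("172.16.10.0", "255.255.255.0", "172.16.10.1", 7),
    "VLAN20": ("172.16.20.0", "255.255.255.0", "172.16.20.1", 115),
    "VLAN30": ("172.16.30.0", "255.255.255.0", "172.16.30.1", 35),
    "VLAN40": ("172.16.40.0", "255.255.255.0", "172.16.40.1", 90),
}
DNS_SERVER = "172.16.10.5"


def describe(net_id, mask):
    """Derive (network, broadcast, usable range) from a network ID and mask."""
    net = ipaddress.ip_network(f"{net_id}/{mask}", strict=True)
    first, last = net.network_address + 1, net.broadcast_address - 1
    return net, str(net.broadcast_address), f"{first}-{last}"


def audit(plan, dns):
    """Return a list of inconsistencies; an empty list means the plan holds."""
    problems, nets = [], {}
    for name, (net_id, mask, gateway, devices) in plan.items():
        net, _, _ = describe(net_id, mask)
        nets[name] = net
        gw = ipaddress.ip_address(gateway)
        reserved = (net.network_address, net.broadcast_address)
        if gw not in net or gw in reserved:
            problems.append(f"{name}: gateway {gateway} is not a usable host")
        # Usable hosts = all addresses minus network ID and broadcast;
        # the gateway interface takes one of them.
        if devices + 1 > net.num_addresses - 2:
            problems.append(f"{name}: {devices} devices do not fit in {net}")
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            problems.append(f"{a} and {b} overlap")
    if not any(ipaddress.ip_address(dns) in n for n in nets.values()):
        problems.append(f"DNS server {dns} is outside every VLAN")
    return problems


def routed_dns_clients(plan, dns):
    """VLANs whose clients must cross the router to reach the DNS server."""
    addr = ipaddress.ip_address(dns)
    return [name for name, (net_id, mask, _, _) in plan.items()
            if addr not in describe(net_id, mask)[0]]


if __name__ == "__main__":
    for name, (net_id, mask, _, _) in PLAN.items():
        print(name, *describe(net_id, mask)[1:])
    print(audit(PLAN, DNS_SERVER) or "plan is consistent")
    print("DNS crosses VLAN boundary for:", routed_dns_clients(PLAN, DNS_SERVER))
```

Because every VLAN uses 172.16.10.5 for DNS, any filtering placed between the VLANs has to permit DNS queries from VLAN20, VLAN30 and VLAN40 to that address.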
4.
A DNS hosting service will run the Domain Name System server. This is needed to
translate domain names which are alphabetic and easy for humans to remember into IP
addresses which are numbers that the computers use to route packets of information
around the network. This will be important so that users in different departments can
connect with the core servers and with each other.
An authentication service will be needed to provide security to the network.
Authentication services are used to verify the credentials of users using usernames and
passwords or other means of identification such as biometrics. Authentication services
limit access to network resources to those individuals that have privileges to those
resources.
Dynamic Host Configuration Protocol services will be necessary so that devices
connected to the network can receive IP addresses so that data can be routed correctly
around the network.
Network Address Translation service makes the translation between external IP
addresses and internal IP addresses. This will allow computers inside the company
network to communicate with computers outside the company network via the Internet and
vice versa. This also allows the company to have fewer public IP addresses on the
Internet which saves money.
File sharing services will allow users to store information on the network and will allow
other users to access information that has been stored on the network. This will be
essential as users in the business will need to access database records stored on a
central server or other storage device.
Email services provide the necessary protocols to package and route electronic
messages among different computers on the network.
Directory services store, organize, and provide access to information in a directory such
as usernames, email addresses, telephone numbers, physical addresses, employee
identification numbers, departments, etc. These services are necessary to locate
information about the employees of the company.
Print server services allow multiple users to share common printers.
World Wide Web services allow users in the company to access information on the
Internet.
Simple Network Management Protocol services allow the network administrators to
monitor and map network availability, performance, and error rates and respond to
problems.
5.
I would recommend a wireless network based on the IEEE 802.11n standard.
802.11n networks can operate in the 5 GHz band or the 2.4 GHz band and can reach
transmission speeds of up to 300-600 Mbps. (Actual throughput is more like 100 Mbps.)
When operating in the 5 GHz band, 802.11n equipment can transmit data in 11-24
non-overlapping channels (usually 11 in the U.S.). This allows for access points to be placed
closer together without mutual channel interference. This will allow more wireless users
to access network resources and will maintain a high level of throughput in the network.
Equipment in the 802.11n standard is backward compatible with older wireless
equipment and devices. 802.11n access points can utilize MIMO and can transmit on
more than one channel at a time. This greatly increases transmission speed.
The number of access points needed depends on the area to be covered, the
physical obstacles in the environment, and the number of wireless users expected. A
general rule is that one access point can cover a radius of about 30 meters. Care must
be taken to place the access points systematically to minimize interference and dead
zones. Adjacent access points should be assigned different operational channels to
avoid mutual channel interference. Access points in congested areas with a large
number of users should be adjusted to operate at a higher bandwidth. For security, the
wireless network should employ the 802.11i security standard otherwise known as
WPA2. This is the strongest security standard currently available for wireless networks
and it uses AES-CCMP 128-bit encryption. This security protocol should be operated in
802.1X mode or enterprise mode which uses an EAP to secure transmissions between
a wireless host and an access point. Other security measures include the use of virtual
private networks, periodically scanning the network for rogue access points, and
separating the wireless network into a DMZ with firewalls.
If the CIO wants to wait on deploying a wireless network, we could consider
using equipment in the 802.11ac standard. This standard is not scheduled to be ratified
until 2014 with equipment to follow. 802.11ac networks are expected to reach
transmission speeds of up to 1 Gbps.
6.
Using server virtualization would help to maximize the efficiency of the physical servers.
Fewer physical servers would be needed. This would lead to a cost savings as fewer physical
servers would need to be purchased, installed (cabling, racks), and maintained (cooled and
updated). There would be lower energy costs with fewer physical servers. The size of the room
needed to store the servers would be smaller. Virtual servers can be updated faster through
management software. The entire system would have more flexibility and potentially more
scalability since management software can make changes to many virtual servers quickly rather
than having to modify many different physical servers or purchase and install new physical
servers. There may be some older applications that the business needs that run only on older
operating systems. Having virtual servers would allow the business to buy the most modern
servers and still use older applications that could run on virtual machines. Security would be
enhanced since there is less physical hardware to protect. A disaster recovery plan would be
easier to implement since there would be less physical hardware to replace. Copies of the
virtual machines could be kept. In case of disaster the copies could be restored on new physical
servers and the business would be up and running again quickly.
7.
A security plan must begin with a risk analysis. In risk analysis, a business must
determine what the major threats to its assets are and how much a security breach of those
assets would cost. Then the business decides what security countermeasures are necessary to
protect those assets and how much the security measures would cost. If the security measures
cost more than the assets are worth, then it may not be economically advisable to implement
the security measures and more advisable to assume risk of a potential loss. Risk analysis is a
process of balancing the economic costs of loss due to threats and the costs of implementing
security measures.
Three major security principles are comprehensive security, defense in depth, and
access control. In comprehensive security a business must assess all potential weaknesses in
the network and attempt to close off all potential areas where an attacker could gain entry into
the system. An attacker needs to find only one weakness to exploit in order to gain entry. A
comprehensive security plan must attempt to come as close as possible to protecting all
possible weaknesses. In defense in depth, it is important to set up multiple layers of defense in
all areas of weakness. An attacker may be able to break through one area of defense but will
probably get discouraged and stop trying if he has to break through multiple layers of defense.
In access control, network managers limit who has access to network resources and limit
permissions when using resources. Users who have access and permissions to network
resources can potentially do damage. Limiting access and permissions can help protect the
resources. Network managers must balance access and security since a major point of having a
network is so that multiple users can access shared resources.
Three ways to address network security are authentication, firewalls, and encryption.
With authentication a user must prove his identity in order to gain access to network resources.
This can be done through passwords or biometric measurements. This helps to limit access and
permissions. Firewalls are installed in network systems to scan and examine arriving data
packets. Packets that are found to be provable attack packets are discarded and not allowed to
enter the network. Other packets are allowed to pass through. Encryption is a means of
scrambling data messages so that eavesdroppers cannot read the messages. With encryption,
authenticated users have keys to encrypt and decrypt data packets.
8.
Businesses must have a response plan for network security breaches. These can be
broken down into the stages of detecting an attack, stopping the attack, repairing the damage,
and potentially punishing the attacker. Once the attacks have been recognized, action should be
taken immediately since the longer an attacker has access to the network the more damage he
can do. Some responses may be reconfiguring the firewalls to block the attacker, finding a
rogue wireless access point and disabling it, or discovering an evil twin access point and
disabling it. The encryption algorithms may need to be changed, or the encryption keys may
need to be modified. A more robust authentication system may need to be implemented using
stronger passwords, access cards, biometrics, digital certificate authentication, or two-factor
authentication. If the attacks are coming from the wireless network, managers should ensure
that the wireless network is set to use the strongest security measure which is WPA2 operating
in enterprise mode which offers 128-bit AES-CCMP encryption. Other security measures to
implement would be setting up virtual local area networks which can help to separate network
resources. In this way if an attacker were able to gain access to one virtual network he would
not have access to all network resources. This can be especially important in setting up a DMZ
or demilitarized zone virtual network with added protection for the most important network
resources such as the core servers and for the network resources most vulnerable to attack
such as the wireless LAN.
9.
Security policies should be written and followed in order to protect data from
unauthorized users. Policies may include plans for how to protect sensitive data by limiting
access to certain network resources. This can be accomplished through authentication
measures which require a user to identify himself with a strong password, biometrics, or access
cards. This authentication can be strengthened by using digital certificates and two-factor
authentication. Sensitive data should be encrypted when transmitted so that unauthorized users
cannot intercept and read it. This can be accomplished by using a cryptographic standard such
as SSL/TLS or IPsec. Servers that contain sensitive data should be encrypted so that an
unauthorized individual within the organization cannot read the data on them even if they have
access to the servers. Encryption is especially important when sensitive data is located on a
mobile device such as a laptop, tablet computer, smart phone, or USB drive. All of these
devices should use encryption technology for data storage since a very common security
breach is a lost device. No sensitive data should be transmitted via email without first being
encrypted. It may be necessary to establish a policy that all employees attend training on
security policies so that they understand how to protect sensitive data. Employees should be
educated on how to identify and avoid falling prey to social engineering scams such as email
attachments from unknown senders, unknown website links, and phishing. An inventory of
sensitive data should be kept and updated at regular intervals. It is difficult to determine when
data has been compromised with a security breach if good inventory records are not kept. Data
storage devices and network services that allow access to sensitive databases should be
audited at regular intervals to check for access by unauthorized users. A policy against
peer-to-peer file sharing should be implemented. Peer-to-peer file sharing software may expose the
business network to unauthorized users. An IT help desk should be set up to respond to
questions and reports about possible security breaches. If the company uses cloud computing
with remote storage or processing of sensitive data, a service level agreement with the cloud
computing company should clearly spell out how sensitive data will be protected. Employees
who use networked applications such as Google Docs and many others should not use them
when working with sensitive data unless they can ensure that the data is encrypted during
transmission and storage.
10.
I would recommend that the company use the global Internet as its WAN link to
the remote offices and for the mobile users. Use of the Internet is cheaper than using
leased lines from the Public Switched Data Networks. In addition to being more
expensive, leased lines take more planning to set up and incur a greater cost in labor
because they have to be managed carefully by network personnel. Another advantage to
using the Internet is that all of the company’s computers can be connected to it and so
are all of the computers of the companies that we will be doing business with. The main
issues with using the Internet are security and reliability or quality of service. Security
can be addressed by establishing a virtual private network (VPN). A virtual private
network is a cryptographically secured transmission path through an untrusted
environment, in this case the Internet. The two most common security standards for
VPNs are IPsec and SSL/TLS. Virtual private networks can be set up as site-to-site or as
remote-access. Site-to-site VPNs can be established between the headquarters and the
two remote offices. Remote-access VPNs can be set up for the 60 mobile users and for
all other employees to have remote access to email and the corporate intranet. For the
site-to-site VPNs we will use IPsec gateways which will establish secured tunnel
connections through the Internet between the two remote offices and the headquarters.
IPsec can be centrally managed and, operating in tunnel mode, will be transparent to
users since the gateways manage digital certificates. The mobile users will use the SSL/TLS
standard for security when connecting to the headquarters via a VPN for email and other
applications that are SSL/TLS-aware because this standard is inexpensive and already
included in web browsers. If the remote users need access to applications that are not
SSL/TLS-aware then we might consider installing an SSL/TLS gateway which can webify
some applications that they need access to. Instead of setting all of this up internally we
may wish to contract with an IP carrier which can provide IP service over the Internet
with VPN and quality of service guarantees to connect the remote offices to the
headquarters.