Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 7
Physical and Network Topology Security
Operating Systems Security - Chapter 7
Physical and Network Topology Security
Chapter Overview
In this chapter, students begin by learning how to physically secure workstations and servers.
Providing locked rooms and configuring screen savers are examples of effective physical
security. Students learn about network topologies and how they can be used to enhance
security. Students also learn about the different types of network media, and which media
offer the best security. Finally, they learn how to combine the network topology and media
in a structured wiring and networking design for efficiency and security.
Learning Objectives
After reading this chapter and completing the exercises, students will be able to:
 Explain physical security methods for workstations, servers, and network devices
 Implement a network topology for security
 Explain network communications media in relation to security
 Use structured network design for security
Lecture Notes
Physical Security
Limiting physical access reduces the opportunity for attackers to directly access a computer
or network device and cause problems. It also reduces the potential for accidents, such as a
visitor inadvertently tripping over a tower computer or knocking a keyboard off a table.
Physical security further involves the location of computers and network devices in a building,
along with the construction quality of that building.
Workstation Security
Workstation security is related to the purpose and location of a workstation. The workstation
used by a server or network administrator might be located in a private office or placed in an
office area that can be locked. In a public library or a school computer lab, workstations are
sometimes tethered to a desk for security. This is accomplished by using a device lock, such
as a cable lock.
For good security in an organization, it is important to train workstation users about keeping
their systems safe and intact. If it is desirable to leave a computer on while the user is away,
there are two effective ways to protect information in the computer. One way is to ensure
that the user’s account is password-protected, and to train users to log off before leaving a
computer. Another way to protect a workstation is to configure a screen saver with a
password (see Figure 7-1 on page 314 of the text), which can be more effective because the
user does not have to remember to do anything before leaving her or his desk.
Michael Palmer, GUIDE TO Operating Systems Security
Thompson/Course Technology ©2004
Page 1 of 8
ISBN: 0-619-16040-3
NOTE: When configuring a screen saver on a workstation (or server) that shares files over the
network, choose a screen saver that is not CPU-intensive.
Quick Reference
Discuss how to train workstation users about physical security as shown on
page 315 of the text.
Server Security
One of the most common discussions that organizations have about locating servers is whether
to centralize them, decentralize them, or use a combination of approaches. The final
decision often reflects the political organization of a company. Some companies prefer
centralizing the location of their servers in a server farm, to save money on management and
resources. In this model, the servers are housed in a computer room or machine room.
Server farms can save money, since certain equipment (for example, power regulation
equipment, air conditioning, and backup devices) can serve the entire location and need not
be purchased for multiple server locations. One disadvantage is the high network traffic into
and out of the portion of the network in which the server farm resides. Another
disadvantage is that if there is a disaster, a tornado for example, all of an organization’s servers
may be damaged at the same time. In the decentralized model, the physical security used
for servers may vary widely from server to server and department to department. As you plan
where to locate servers in your organization, consider implementing the following security
measures:
 Guidelines that specify who can access the location
 Locked doors that are protected by cipher locks requiring a combination,
identification card, or biometrics, such as a fingerprint or palm scan
 Cameras that monitor entrances and monitor the computer equipment
 Motion sensors
 Power regulation devices
 Fire detection equipment, including smoke and flame sensors
 Fire suppression equipment, for example, devices that spray inert chemicals to put out
the fire but not damage the equipment
Configuring Windows Server and Red Hat Linux Screen Savers
In addition to ensuring physical security, plan to use screen saver options with passwords for
servers. Windows 2000/2003/2008 all offer such screen savers, which you configure in Hands-on
Project 7-1 on page 347 of the text. Red Hat Linux 9.x enables you to lock a screen using
the screen saver.
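A password-protected screen saver only helps if all of its pieces are actually in place: the saver must be active, a saver executable must be selected, resume must require a password, and the idle timeout must be short enough to matter. The following Python script is an added example for these notes (it is not code from the text or from Hands-on Project 7-1). The registry value names are the real per-user settings Windows keeps under HKCU\Control Panel\Desktop; the 900-second limit and the sample values are assumptions.

```python
"""Audit the Windows per-user screen-saver lock settings.

Added example for these notes, not code from the text. The value names are
the ones Windows stores under HKCU\\Control Panel\\Desktop; the
MAX_IDLE_SECONDS limit and SAMPLE_VALUES are assumptions.
"""
from dataclasses import dataclass, field

MAX_IDLE_SECONDS = 900  # assumed site policy: lock after at most 15 minutes idle


@dataclass
class LockCheck:
    enforced: bool
    findings: list = field(default_factory=list)


def check_screen_saver(values: dict) -> LockCheck:
    """Evaluate a mapping of registry value name -> string (REG_SZ) value.

    A missing value is treated as its insecure default, which is how a
    workstation that has never been configured actually behaves.
    """
    findings = []
    active = values.get("ScreenSaveActive", "0") == "1"
    secure = values.get("ScreenSaverIsSecure", "0") == "1"
    exe = values.get("SCRNSAVE.EXE", "").strip()
    try:
        timeout = int(values.get("ScreenSaveTimeOut", "0"))
    except ValueError:
        timeout = 0
        findings.append("ScreenSaveTimeOut is not a number")

    if not active:
        findings.append("ScreenSaveActive != 1: screen saver is disabled")
    if not secure:
        findings.append("ScreenSaverIsSecure != 1: resume does not require a password")
    if not exe:
        findings.append("SCRNSAVE.EXE is empty: no screen saver will ever start")
    if timeout <= 0 or timeout > MAX_IDLE_SECONDS:
        findings.append(f"ScreenSaveTimeOut={timeout}s is outside 1..{MAX_IDLE_SECONDS}s")
    return LockCheck(enforced=not findings, findings=findings)


def read_current_user() -> dict:
    """Read the live values on Windows; returns {} elsewhere (no winreg module)."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Control Panel\Desktop") as key:
        for name in ("ScreenSaveActive", "ScreenSaverIsSecure",
                     "ScreenSaveTimeOut", "SCRNSAVE.EXE"):
            try:
                values[name] = str(winreg.QueryValueEx(key, name)[0])
            except OSError:
                pass  # value absent: the checker treats it as the insecure default
    return values


# Constructed sample: the saver runs, but resume is not password-protected.
SAMPLE_VALUES = {
    "ScreenSaveActive": "1",
    "ScreenSaverIsSecure": "0",
    "ScreenSaveTimeOut": "600",
    "SCRNSAVE.EXE": r"C:\Windows\system32\scrnsave.scr",
}

if __name__ == "__main__":
    result = check_screen_saver(read_current_user() or SAMPLE_VALUES)
    print("enforced" if result.enforced else "\n".join(result.findings))
```

Run it on the workstation being audited; on a non-Windows host it falls back to the constructed sample, which reports the single finding that resume does not require a password. Group Policy can set the same values machine-wide, but the per-user values are what the running session honours, so that is what the check reads.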
Configuring a NetWare Screen Saver
NetWare 6.x enables you to configure a screen saver at the console by using the SCRSAVER
command. Table 7-1 on pages 317 and 318 of the text lists the parameters associated with
the SCRSAVER command. Hands-on Project 7-4 on page 351 enables you to use the
SCRSAVER command.
NetWare 6.x also offers the SECURE CONSOLE command to provide added security. When
you run SECURE CONSOLE, NLMs can no longer be loaded unless they are already in a
protected system directory (sys:system or C:\nwserver). Another advantage of using
SECURE CONSOLE is that the system debugger cannot be entered from the
keyboard, thus preventing an attacker with programming skills from changing the operating
system configuration.
Securing Network Devices
Networks consist of network devices and cable that should be protected from tampering and
from damaging environmental conditions. Examples of network devices are:
 Access servers
 Bridges
 Chassis hubs
 Firewalls
 Hubs
 Multiplexers (MUXs)
 Repeaters
 Routers
 Switches
 Transceivers
 Uninterruptible power supplies (UPS)
A wiring closet is a room used to store telecommunications and networking equipment. To
avoid interference, it is important to locate wiring closets away from sources of excessive
electromagnetic interference (EMI) and radio frequency interference (RFI). EMI is caused
by magnetic force fields that are generated by electric devices such as factory machinery,
fans, elevator motors, and air-conditioning units. RFI is caused by electrical devices that
emit radio waves at the same frequency used by the network signal transmissions. Sources of
RFI include radio and television stations, ballast devices in fluorescent lights, radio
transmitters, and inexpensively built TV equipment.
Quick Reference
Discuss the various configurations of wiring closets listed on page 321 of the
text.
Designing a Network Topology for Security
A topology is the physical layout of cable and the logical path followed by network packets
sent on the cable. The physical layout is like a pattern in which the cabling is laid in the
office, building, or campus; and the total amount of communications cable is often called the
cable plant. When a network is designed for security, it is important to take the topology
into consideration, because some designs are more reliable and secure than others.
Bus Topology
The bus topology consists of running cable from one computer to the next, like links in a
chain. Like a chain, a network using a bus topology has a starting point and an ending point,
and a terminator is connected to each end of the bus cable segment. The terminator is
critical on bus networks because it signals the physical end to the segment. A terminator is
really an electrical resistor that absorbs the signal when it reaches the end of the network.
Without a terminator, the segment violates IEEE specifications, and signals can be mirrored
back, or reflected on the same path they just covered.
Ring Topology
The ring topology is a continuous path for data, with no logical beginning or ending point,
and thus no terminators. When it was first developed, the ring topology permitted data to go
in one direction only, circling the ring and ending at the transmitting or source node.
The ring topology is easier to manage than the bus topology because the equipment used to
build the ring makes it easier to locate a defective node or cable problem. The ring topology
is more secure than the traditional bus because it has no terminators, and it is harder for
someone to tap into the ring without alerting a network administrator. However, the ring
topology is more expensive to implement than the traditional bus.
Star Topology
The star topology is the oldest communications design, with roots in telephone switching
systems. The physical layout of the star topology consists of multiple stations attached to a
central hub or switch, such as the workstations and server connected to the switch in Figure
7-4 on page 325 of the text. The hub or switch is a central device that joins single cable
segments or individual LANs into one network.
The star is the most popular topology, and thus there is a wider variety of equipment
available for this type of network. This characteristic offers a significant advantage for
security, compared to the traditional bus and ring topologies, because there are many more
varieties of devices with a full range of built-in security options. A disadvantage is that the
hub or switch is a single point of failure; if it fails, all connected stations are unable to
communicate.
Logical Bus Networks in a Physical Star Layout
Modern networks combine the logical communications of a bus with the physical layout of a
star. In this network design, each finger radiating from the star is like a separate logical bus
segment, but with only one or two computers attached. The segment is still terminated at
both ends, but the advantage is that there are no exposed terminators to pose a security risk.
Another advantage of the bus-star network design is that you can connect multiple hubs or
switches to expand the network in many directions, as long as you follow IEEE network
specifications for communication cable distances and the number of devices attached. A
backbone is a high-capacity communications medium that joins networks and central network
devices on the same floor in a building, on different floors, and across long distances.
Communications Media and Network Security
Networks use four basic communications media: coaxial cable, twisted-pair cable, fiber-optic cable, and wireless technologies. Coaxial and twisted-pair cables are based on copper
wire construction. Fiber-optic cable is glass (usually) or plastic cable. Wireless media are
radio, infrared, or microwaves. The most commonly used cabling is twisted-pair.
Coaxial Cable
Coaxial cable comes in two varieties, thick and thin. Thick coax cable was used in early
networks, often as a backbone to join different networks. Thin coax cable, also
called thinnet, has a much smaller diameter than thick coax cable and has been used on
networks to connect desktop workstations to LANs (although there are fewer and fewer
implementations of thin coax). Thin coax cable is easier and cheaper to install than thick
coax, but twisted-pair cable is even easier to install because it has better flexibility.
Twisted-Pair Cable
Twisted-pair cable is a flexible communications cable that contains pairs of insulated copper
wires, which are twisted together for reduction of EMI and RFI, and covered with an outer
insulating jacket. There are two kinds of twisted-pair cable: shielded twisted-pair (STP)
and unshielded twisted-pair (UTP), as shown in Figure 7-7 on page 328 of the text. UTP
cable is the most frequently used network cable because it is relatively inexpensive and easy
to install.
Fiber-Optic Cable
Fiber-optic cable consists of one or more glass or plastic fiber cores, with each core encased
in a glass tube, called cladding (see Figure 7-8 on page 329 of the text). The fiber cores and
cladding are surrounded by a PVC cover. Signal transmission along the inside fibers usually
consists of infrared laser light. Fiber-optic cable comes in two modes: single mode and
multimode. Because the data travels by means of optical light pulses (on or off),
there are no EMI or RFI problems associated with this type of cable, and data transmission is
purely digital instead of analog.
Another advantage of fiber-optic cable over coaxial and twisted-pair cable is that it is very
difficult for someone to place unauthorized taps into the fiber-optic cable; the cable is
fragile, and installation requires a high level of expertise. Table 7-2 on page 330 of the text
compares the coax, twisted-pair, and fiber-optic cable types.
Bandwidth
Bandwidth is the transmission capacity of a communications medium. It is typically
measured in bits per second or, for analog media, in hertz, in which case it is the maximum
frequency the medium carries minus the minimum frequency.
Using Structured Design
There are three elements to following a structured design:
 Following accepted guidelines for cable installation
 Deploying structured wiring design
 Implementing structured network design
Following Accepted Guidelines for Cable Installation
When you install a cable plant, use the following guidelines to ensure a successful network:
 Install wiring to meet or exceed the maximum bandwidth required for a particular
area, based on the anticipated use of software applications, computers, and network
resources.
 Install Category 5 or better UTP cable to the desktop.
 Install multimode fiber-optic riser cable between floors.
 This list is continued on pages 331 and 332 of the text.
Sometimes cable is run through a plenum, for example the space in a false ceiling through
which circulating air reaches other parts of a building. A plenum is an area that is enclosed
and in which pressure from air or gas can be greater than the pressure outside the enclosed
area, particularly during a fire.
Deploying Structured Wiring Design
Many networks are now built using structured wiring techniques. Structured wiring can
mean different things to different cable installers and network designers. In the context of
this book, it refers to installing cable that fans out in a horizontal star fashion from one or
more centralized hubs or switches, which are located in telecommunications rooms or wiring
closets.
Quick Reference
Discuss with students the structured wiring requirements listed on page 333 of
the text.
Implementing Structured Network Design
When a building has several levels, multiple levels of horizontal cabling can be connected by
vertical wiring to form a structured network. In a structured network, you centralize the
network at strategic points, for example, by placing the switches in wiring closets, and then
connecting each of those via high-speed links into a main chassis hub or switch in a machine
room or at a main cabling demarcation point in a building. Structured networks enable the
network administrator to do the following:
 Centralize or distribute network management
 Incorporate vertical and horizontal network design using high-speed communications
on the backbone
 Reconfigure the network physically and logically for security and for network traffic-flow management
 Segment the network according to workgroup patterns, and for security
 Add redundancy
 Quickly expand the network and introduce new high-speed network options
 Proactively monitor and diagnose problems (including security) for quick resolution
Vertical Wiring Principles
The vertical wiring component of a structured network consists of cabling and network
equipment that is used between the floors in a building, and that often physically links the
telecommunications room or rooms on one floor to adjoining floors.
Quick Reference
Discuss the vertical wiring principles when planning your network as
illustrated on page 335 of the text.
Centralized Management
In centralized network management, central points are established for critical network
functions. For example, network and security monitoring can be performed at a network
management station. A network management station (NMS) is a computer equipped with network
management and monitoring software, and it monitors networked devices that are configured
to use SNMP. The devices that it monitors to obtain information about network activity are
called network agents.
On any system that uses SNMP, you should configure a community name that is used like a
password between a network management station and a network agent, such as a server.
In SNMPv1 and SNMPv2c the community name is sent in cleartext with every request, so choose
one that is not a well-known default such as "public", restrict which management station
addresses may use it, and grant read-only access wherever that suffices; SNMPv3 replaces the
community name with authenticated and encrypted per-user credentials.
Hands-on Project 7-6 on pages 352 through 354 of the text enables students to install and
configure SNMP in Windows 2000/2003/2008 Server. Hands-on Project 7-7 on pages 354 and
355 of the text shows students how to configure a community name in Red Hat Linux 9.x,
and Hands-on Project 7-8 on page 355 of the text teaches students how to load and configure
SNMP in NetWare 6.x.
With centralized network management and the use of SNMP, much of the network
maintenance and security monitoring can be done from a central area. Centralized network
management also simplifies activities such as maintenance of servers by implementing a
server farm.
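The community-name settings described above are easy to get wrong in the agent's configuration file, so a practitioner will want to audit them rather than trust that the Hands-on Project steps were followed. The following Python script is an added example for these notes, not from the text: it reads the access directives of an snmpd.conf in the syntax used by net-snmp (the agent shipped with Red Hat Linux) and reports the weaknesses the paragraph warns about. The sample file, the list of weak names and the minimum length are constructed assumptions.

```python
"""Audit net-snmp style snmpd.conf access directives for weak community settings.

Added example for these notes, not from the text. The directive syntax
(rocommunity / rwcommunity / com2sec / rouser / rwuser) is net-snmp's;
SAMPLE_CONF, WEAK_COMMUNITIES and MIN_COMMUNITY_LEN are constructed assumptions.
"""

# Assumption: the names an attacker's wordlist tries first.
WEAK_COMMUNITIES = {"public", "private", "snmp", "cisco", "admin", "manager", "default"}
MIN_COMMUNITY_LEN = 12  # assumed site minimum

COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
USER_DIRECTIVES = {"rouser", "rwuser"}


def _check_community(lineno, directive, community, source, findings):
    """Append (lineno, code, message) for each weakness of one v1/v2c entry."""
    if community.lower() in WEAK_COMMUNITIES:
        findings.append((lineno, "WEAK_COMMUNITY",
                         f"{directive}: '{community}' is a well-known default"))
    elif len(community) < MIN_COMMUNITY_LEN:
        findings.append((lineno, "SHORT_COMMUNITY",
                         f"{directive}: '{community}' is shorter than {MIN_COMMUNITY_LEN}"))
    if source is None or source in ("default", "0.0.0.0/0", "::/0"):
        findings.append((lineno, "NO_SOURCE_RESTRICTION",
                         f"{directive}: any host may use this community"))
    if directive.startswith("rw"):
        findings.append((lineno, "WRITE_ACCESS_V2C",
                         f"{directive}: write access guarded only by a cleartext community"))


def audit_snmpd_conf(text: str) -> list:
    """Return (line_number, code, message) tuples for every weakness found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in COMMUNITY_DIRECTIVES and len(tokens) >= 2:
            # rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
            source = tokens[2] if len(tokens) >= 3 and not tokens[2].startswith("-") else None
            _check_community(lineno, directive, tokens[1], source, findings)
        elif directive == "com2sec" and len(tokens) >= 4:
            # com2sec NAME SOURCE COMMUNITY
            _check_community(lineno, directive, tokens[3], tokens[2], findings)
        elif directive in USER_DIRECTIVES and len(tokens) >= 2:
            # rouser USER [noauth|auth|priv]: only 'priv' encrypts the traffic
            level = tokens[2].lower() if len(tokens) >= 3 else "auth"
            if level != "priv":
                findings.append((lineno, "V3_NO_PRIV",
                                 f"{directive} {tokens[1]}: level '{level}' does not encrypt"))
    return findings


# Constructed snmpd.conf fragment: three weak v1/v2c entries, one acceptable
# v2c entry, and two SNMPv3 users, one of them without privacy.
SAMPLE_CONF = """\
# Constructed snmpd.conf fragment for this example
rocommunity public
rwcommunity private 10.0.0.0/24
com2sec mgmt default public
# Acceptable v2c entry: unique name, only the management station may use it
rocommunity Kq7wZp2LmN9vTx 10.0.0.5
# SNMPv3 users: without 'priv' the traffic is authenticated but not encrypted
rouser nms_reader
rouser nms_secure priv
"""

if __name__ == "__main__":
    for lineno, code, message in audit_snmpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {code}: {message}")
```

The acceptable entries in the sample show the two directions a fix can take: keep v2c but give the community a unique name and a single permitted source address, or move the management station to an SNMPv3 user created with priv so that both authentication and encryption apply. The same checks are worth running against the Windows SNMP service's "Accepted community names" and "Accept SNMP packets from these hosts" settings from Hands-on Project 7-6, which express the same two controls.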
Using Virtual LANs
A virtual LAN (VLAN) is a logical network that consists of subnetworks of workgroups
established through intelligent software on switches and routers, and that is independent of
the physical network topology. A network can have multiple VLANs, each distinguished by a
unique identifier (the VLAN ID) carried in an IEEE 802.1Q tag in the Ethernet frame. VLANs are
used to manage network traffic patterns for
efficiency and to provide network security by creating logically different LANs within a
network. It is important to recognize two potential problems with VLANs:
1) Because the use of VLANs is complex, they are often improperly configured, thus
exposing a network to unanticipated security risks.
2) When VLANs are managed by two or more networked devices, those devices are
connected by trunk links that carry the traffic of every VLAN, and on Cisco switches the VLAN
Trunking Protocol (VTP) propagates VLAN definitions across those trunks; a misconfigured or
unprotected trunk or VTP domain therefore affects all VLANs at once.
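The VLAN identifier lives in the 802.1Q tag between the source MAC address and the EtherType, not anywhere in TCP, and a frame can carry more than one such tag. The following Python parser is an added example for these notes, not code from the text: it builds constructed frames, extracts every tag, and flags frames carrying nested tags, which is the pattern the well-known double-tagging VLAN-hopping technique relies on when a trunk's native VLAN is left untagged. The MAC addresses and VLAN IDs are constructed.

```python
"""Parse IEEE 802.1Q VLAN tags from raw Ethernet frames.

Added example for these notes, not code from the text. The frames are
constructed; the tag layout (TPID 0x8100, then a 16-bit TCI holding
PCP:3 / DEI:1 / VID:12) is the standard's.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100   # customer tag
TPID_8021AD = 0x88A8  # service tag (provider bridging / QinQ)
ETHERTYPE_IPV4 = 0x0800
RESERVED_VIDS = {0, 4095}  # 0 = priority-only tag, 4095 = reserved


@dataclass
class VlanTag:
    tpid: int
    pcp: int  # priority code point
    dei: int  # drop eligible indicator
    vid: int  # VLAN identifier, 1..4094 usable


@dataclass
class FrameInfo:
    dst: str
    src: str
    tags: list
    ethertype: int
    payload_offset: int


def parse_frame(frame: bytes) -> FrameInfo:
    """Walk every 802.1Q/802.1ad tag that follows the MAC addresses."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends inside the EtherType field")
        (etype,) = struct.unpack("!H", frame[offset:offset + 2])
        if etype not in (TPID_8021Q, TPID_8021AD):
            return FrameInfo(dst, src, tags, etype, offset + 2)
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append(VlanTag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4


def is_double_tagged(info: FrameInfo) -> bool:
    """Two or more tags on one frame: worth alerting on at an access port,
    since nested tags are what the double-tagging VLAN-hopping technique sends."""
    return len(info.tags) >= 2


def build_frame(dst: str, src: str, vids, ethertype=ETHERTYPE_IPV4, payload=b"") -> bytes:
    """Construct a frame with zero or more 802.1Q tags (test data, not captured)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        if vid in RESERVED_VIDS or vid > 4094:
            raise ValueError(f"VID {vid} is not usable for a VLAN")
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed frames: untagged, on VLAN 100, and double-tagged (outer 1, inner 20)
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [])
TAGGED_100 = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", [100])
DOUBLE_TAGGED = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", [1, 20])

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("vlan100", TAGGED_100), ("double", DOUBLE_TAGGED)):
        info = parse_frame(frame)
        print(name, [t.vid for t in info.tags], hex(info.ethertype), is_double_tagged(info))
```

Feed it raw frames from a capture taken on an access port: every frame should come back with at most the one tag the switch applied, and any frame with two is a sign that either the port or the trunk's native VLAN is configured in a way that lets traffic cross VLAN boundaries.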
Using Network Redundancy for Security
Deploying structured wiring and structured networking enables you to deploy network
redundancy at key points in the network. Figure 7-12 on page 339 illustrates one way to
create the desired redundancy.
Discussion Questions
1) Discuss what it takes to implement a stable network topology.
2) Discuss the many reasons organizations use centralized or decentralized management.
Additional Activities
1) Pick a classroom that contains networked computers and have students offer written
suggestions on how to improve network layout and stability.
2) Have students prepare a summary of the guidelines for acceptable cable installation.