Instructor: Prof. Michael P. Harris, CCNA CCAI
ITSY 2400 – Operating Systems Security
Chapter 7: Physical and Network Topology Security

Chapter Overview

In this chapter, students begin by learning how to physically secure workstations and servers. Providing locked rooms and configuring screen savers are examples of effective physical security. Students learn about network topologies and how they can be used to enhance security. Students also learn about the different types of network media, and which media offer the best security. Finally, they learn how to combine the network topology and media in a structured wiring and networking design for efficiency and security.

Learning Objectives

After reading this chapter and completing the exercises, students will be able to:
- Explain physical security methods for workstations, servers, and network devices
- Implement a network topology for security
- Explain network communications media in relation to security
- Use structured network design for security

Lecture Notes

Physical Security

Limiting physical access reduces the opportunity for attackers to directly access a computer or network device and cause problems. It also reduces the potential for accidents, such as a visitor inadvertently tripping over a tower computer or knocking a keyboard off a table. Physical security further involves the location of computers and network devices in a building, along with the construction quality of that building.

Workstation Security

Workstation security is related to the purpose and location of a workstation. The workstation used by a server or network administrator might be located in a private office or placed in an office area that can be locked. In a public library or a school computer lab, workstations are sometimes tethered to a desk for security. This is accomplished by using a device lock, such as a cable lock.
For good security in an organization, it is important to train workstation users about keeping their systems safe and intact. If it is desirable to leave a computer on while the user is away, there are two effective ways to protect information in the computer. One way is to ensure that the user's account is password-protected, and to train users to log off before leaving a computer. Another way to protect a workstation is to configure a screen saver with a password (see Figure 7-1 on page 314 of the text), which can be more effective because the user does not have to remember to do anything before leaving her or his desk.

Text: Michael Palmer, Guide to Operating Systems Security, Thomson/Course Technology ©2004, ISBN 0-619-16040-3

NOTE: When configuring a screen saver on a workstation (or server) that shares files over the network, choose a screen saver that is not CPU-intensive.

Quick Reference: Discuss how to train workstation users about physical security as shown on page 315 of the text.

Server Security

One of the most common discussions that organizations have about locating servers is whether to centralize them, decentralize them, or use a combination of approaches. The final decision often reflects the political organization of a company. Some companies prefer centralizing the location of their servers in a server farm, to save money on management and resources. In this model, the servers are housed in a computer room or machine room. Server farms can save money, since certain equipment (for example, power regulation equipment, air conditioning, and backup devices) can serve the entire location and need not be purchased for multiple server locations. The disadvantage is the high network traffic into and out of that portion of the network in which the server farm resides.
Another disadvantage is that if there is a disaster, a tornado for example, all of an organization's servers may be damaged at the same time. In the decentralized model, the physical security used for servers may vary widely from server to server and department to department. As you plan where to locate servers in your organization, consider implementing the following security measures:
- Guidelines that specify who can access the location
- Locked doors that are protected by cipher locks requiring a combination, identification card, or biometrics, such as a fingerprint or palm scan
- Cameras that monitor entrances and monitor the computer equipment
- Motion sensors
- Power regulation devices
- Fire detection equipment, including smoke and flame sensors
- Fire suppression equipment, for example, devices that spray inert chemicals to put out the fire but not damage the equipment

Configuring Windows Server and Red Hat Linux Screen Savers

In addition to ensuring physical security, plan to use screen saver options with passwords for servers. Windows 2000/2003/2008 all offer such screen savers, which you configure in Hands-on Project 7-1 on page 347 of the text. Red Hat Linux 9.x enables you to lock a screen using the screen saver.

Configuring a NetWare Screen Saver

NetWare 6.x enables you to configure a screen saver at the console by using the SCRSAVER command. Table 7-1 on pages 317 and 318 of the text lists the parameters associated with the SCRSAVER command. Hands-on Project 7-4 on page 351 enables you to use the SCRSAVER command. NetWare 6.x also offers the SECURE CONSOLE command to provide added security.
When you run SECURE CONSOLE, NLMs can no longer be loaded unless they are already in a protected system directory (sys:system or C:\nwserver). Another advantage of using SECURE CONSOLE is that the system debugger software cannot be accessed from the keyboard, thus preventing an attacker with programming skills from changing the operating system configuration.

Securing Network Devices

Networks consist of network devices and cable that should be protected from tampering and from damaging environmental conditions. Examples of network devices are:
- Access servers
- Chassis hubs
- Hubs
- Repeaters
- Switches
- Uninterruptible power supplies (UPS)
- Bridges
- Firewalls
- Multiplexers (MUXs)
- Routers
- Transceivers

A wiring closet is a room used to store telecommunications and networking equipment. To avoid interference, it is important to locate wiring closets away from sources of excessive electromagnetic interference (EMI) and radio frequency interference (RFI). EMI is caused by magnetic force fields that are generated by electric devices such as factory machinery, fans, elevator motors, and air-conditioning units. RFI is caused by electrical devices that emit radio waves at the same frequency used by the network signal transmissions. Sources of RFI include radio and television stations, ballast devices in fluorescent lights, radio transmitters, and inexpensively built TV equipment.

Quick Reference: Discuss the various configurations of wiring closets listed on page 321 of the text.

Designing a Network Topology for Security

A topology is the physical layout of cable and the logical path followed by network packets sent on the cable. The physical layout is like a pattern in which the cabling is laid in the office, building, or campus; the total amount of communications cable is often called the cable plant. When a network is designed for security, it is important to take the topology into consideration, because some designs are more reliable and secure than others.
Bus Topology

The bus topology consists of running cable from one computer to the next, like links in a chain. Like a chain, a network using a bus topology has a starting point and an ending point, and a terminator is connected to each end of the bus cable segment. The terminator is critical on bus networks because it signals the physical end to the segment. A terminator is really an electrical resistor that absorbs the signal when it reaches the end of the network. Without a terminator, the segment violates IEEE specifications, and signals can be mirrored back, or reflected, on the same path they just covered.

Ring Topology

The ring topology is a continuous path for data, with no logical beginning or ending point, and thus no terminators. When it was first developed, the ring topology permitted data to go in one direction only, circling the ring and ending at the transmitting or source node. The ring topology is easier to manage than the bus topology because the equipment used to build the ring makes it easier to locate a defective node or cable problem. The ring topology is more secure than the traditional bus because it has no terminators, and it is harder for someone to tap into the ring without alerting a network administrator. However, the ring topology is more expensive to implement than the traditional bus.

Star Topology

The star topology is the oldest communications design, with roots in telephone switching systems. The physical layout of the star topology consists of multiple stations attached to a central hub or switch, such as the workstations and server connected to the switch in Figure 7-4 on page 325 of the text.
The hub or switch is a central device that joins single cable segments or individual LANs into one network. The star is the most popular topology, and thus there is a wider variety of equipment available for this type of network. This characteristic offers a significant advantage for security, compared to the traditional bus and ring topologies, because there are many more varieties of devices with a full range of built-in security options. A disadvantage is that the hub or switch is a single point of failure; if it fails, all connected stations are unable to communicate.

Logical Bus Networks in a Physical Star Layout

Modern networks combine the logical communications of a bus with the physical layout of a star. In this network design, each finger radiating from the star is like a separate logical bus segment, but with only one or two computers attached. The segment is still terminated at both ends, but the advantage is that there are no exposed terminators to pose a security risk. Another advantage of the bus-star network design is that you can connect multiple hubs or switches to expand the network in many directions, as long as you follow IEEE network specifications for communication cable distances and the number of devices attached. A backbone is a high-capacity communications medium that joins networks and central network devices on the same floor in a building, on different floors, and across long distances.

Communications Media and Network Security

Networks use four basic communications media: coaxial cable, twisted-pair cable, fiber-optic cable, and wireless technologies. Coaxial and twisted-pair cables are based on copper wire construction. Fiber-optic cable is glass (usually) or plastic cable.
Wireless media are radio, infrared, or microwaves. The most commonly used cabling is twisted-pair.

Coaxial Cable

Coaxial cable comes in two varieties, thick and thin. Thick coax cable was used in early networks, often as a backbone to join different networks. Thin coax cable, also called thinnet, has a much smaller diameter than thick coax cable, so it has been used on networks to connect desktop workstations to LANs (although there are fewer and fewer implementations of thin coax). Thin coax cable is easier and cheaper to install than thick coax, but twisted-pair cable is even easier to install because it has better flexibility.

Twisted-Pair Cable

Twisted-pair cable is a flexible communications cable that contains pairs of insulated copper wires, which are twisted together for reduction of EMI and RFI, and covered with an outer insulating jacket. There are two kinds of twisted-pair cable: shielded twisted-pair (STP) and unshielded twisted-pair (UTP), as shown in Figure 7-7 on page 328 of the text. UTP cable is the most frequently used network cable because it is relatively inexpensive and easy to install.

Fiber-Optic Cable

Fiber-optic cable consists of one or more glass or plastic fiber cores, with each core encased in a glass tube, called cladding (see Figure 7-8 on page 329 of the text). The fiber cores and cladding are surrounded by a PVC cover. Signal transmission along the inside fibers usually consists of infrared laser light. Fiber-optic cable comes in two modes: single mode and multimode. Because the data travels by means of optical light pulses (on or off), there are no EMI or RFI problems associated with this type of cable, and data transmission is purely digital instead of analog.

NOTE (Bandwidth): Bandwidth is the transmission capacity of a communications medium, which is typically measured in bits per second or in hertz, and is determined by the maximum minus the minimum transmission capacity.
Another advantage of fiber-optic cable over coaxial and twisted-pair cable is that it is very difficult for someone to place unauthorized taps into the fiber-optic cable; the cable is fragile, and installation requires a high level of expertise. Table 7-2 on page 330 of the text compares the coax, twisted-pair, and fiber-optic cable types.

Using Structured Design

There are three elements to following a structured design:
- Following accepted guidelines for cable installation
- Deploying structured wiring design
- Implementing structured network design

Following Accepted Guidelines for Cable Installation

When you install a cable plant, use the following guidelines to ensure a successful network:
- Install wiring to meet or exceed the maximum bandwidth required for a particular area, based on the anticipated use of software applications, computers, and network resources.
- Install Category 5 or better UTP cable to the desktop.
- Install multimode fiber-optic riser cable between floors.
This list is continued on pages 331 and 332 of the text.

Sometimes cable is run through a plenum, for example the space in a false ceiling through which circulating air reaches other parts of a building. A plenum is an area that is enclosed and in which pressure from air or gas can be greater than the pressure outside the enclosed area, particularly during a fire.

Deploying Structured Wiring Design

Many networks are now built using structured wiring techniques. Structured wiring can mean different things to different cable installers and network designers.
In the context of this book, it refers to installing cable that fans out in a horizontal star fashion from one or more centralized hubs or switches, which are located in telecommunications rooms or wiring closets.

Quick Reference: Discuss with students the structured wiring requirements listed on page 333 of the text.

Implementing Structured Network Design

When a building has several levels, multiple levels of horizontal cabling can be connected by vertical wiring to form a structured network. In a structured network, you centralize the network at strategic points, for example, by placing the switches in wiring closets, and then connecting each of those via high-speed links into a main chassis hub or switch in a machine room or at a main cabling demarcation point in a building. Structured networks enable the network administrator to do the following:
- Centralize or distribute network management
- Incorporate vertical and horizontal network design using high-speed communications on the backbone
- Reconfigure the network physically and logically for security and for network traffic-flow management
- Segment the network according to workgroup patterns, and for security
- Add redundancy
- Quickly expand the network and introduce new high-speed network options
- Proactively monitor and diagnose problems (including security) for quick resolution

Vertical Wiring Principles

The vertical wiring component of a structured network consists of cabling and network equipment that is used between the floors in a building, and that often physically links the telecommunications room or rooms on one floor to adjoining floors.

Quick Reference: Discuss the vertical wiring principles when planning your network as illustrated on page 335 of the text.
Centralized Management

In centralized network management, central points are established for critical network functions. For example, network and security monitoring can be performed at a network management station. A network management station (NMS) is a computer equipped with network management and monitoring software, and it monitors networked devices that are configured to use SNMP. The devices that it monitors to obtain information about network activity are called network agents. On any system that uses SNMP, you should configure a community name that is used like a password between a network management station and a network agent, such as a server. Hands-on Project 7-6 on pages 352 through 354 of the text enables students to install and configure SNMP in Windows 2000/2003/2008 Server. Hands-on Project 7-7 on pages 354 and 355 of the text shows students how to configure a community name in Red Hat Linux 9.x, and Hands-on Project 7-8 on page 355 of the text teaches students how to load and configure SNMP in NetWare 6.x. With centralized network management and the use of SNMP, much of the network maintenance and security monitoring can be done from a central area. Centralized network management also simplifies activities such as maintenance of servers by implementing a server farm.

Using Virtual LANs

A virtual LAN (VLAN) is a logical network that consists of subnetworks of workgroups established through intelligent software on switches and routers, and that is independent of the physical network topology. A network can have multiple VLANs, each distinguished by a unique identifier in the TCP frame. VLANs are used to manage network traffic patterns for efficiency and to provide network security by creating logically different LANs within a network. It is important to recognize two potential problems with VLANs:
1) Because the use of VLANs is complex, they are often improperly configured, thus exposing a network to unanticipated security risks.
2) When VLANs are managed by two or more networked devices, those devices are connected by trunks that use the VLAN Trunking Protocol (VTP)

Using Network Redundancy for Security

Deploying structured wiring and structured networking enables you to deploy network redundancy at key points in the network. Figure 7-12 on page 339 illustrates one way to create the desired redundancy.

Discussion Questions

1) Discuss what it takes to implement a stable network topology.
2) Discuss the many reasons organizations use centralized or decentralized management.

Additional Activities

1) Pick a classroom that contains networked computers and have students offer written suggestions on how to improve network layout and stability.
2) Have students prepare a summary of the guidelines for acceptable cable installation.
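The Centralized Management section above says the SNMP community name is used like a password between the NMS and each agent. The following Python script is an added example (it is not from the text or from the Hands-on Projects it cites): it reads community definitions written in the net-snmp snmpd.conf syntax (an assumed format for the agent on a Linux host) and reports the three weaknesses an auditor checks first: a factory-default name such as public or private, a read-write community, and a community reachable from any source address. The sample configuration, the community name Mgmt-Stn-9fX2, and the addresses are all constructed.

```python
"""Audit SNMP community definitions in a net-snmp style snmpd.conf.

Added example, not from the text. The community name is the shared secret
between the network management station and the agent, so default names,
read-write access and unrestricted sources are the findings to look for.
"""
import re

# Directive forms checked (net-snmp snmpd.conf syntax):
#   rocommunity COMMUNITY [SOURCE]
#   rwcommunity COMMUNITY [SOURCE]
#   com2sec SECNAME SOURCE COMMUNITY
COMMUNITY_RE = re.compile(r"^\s*(rocommunity|rwcommunity)\s+(\S+)(?:\s+(\S+))?")
COM2SEC_RE = re.compile(r"^\s*com2sec\s+\S+\s+(\S+)\s+(\S+)")

# Factory-default community names that should never survive deployment.
DEFAULT_NAMES = {"public", "private"}

# Constructed sample configuration (hypothetical host, not a real server).
WEAK_CONF = """\
# constructed example snmpd.conf
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity Mgmt-Stn-9fX2 192.168.10.5   # read-only, limited to the NMS
com2sec readonly default public
"""

# The same agent with every finding corrected: one read-only community,
# a non-default name, reachable only from the management station.
HARDENED_CONF = """\
rocommunity Mgmt-Stn-9fX2 192.168.10.5
"""


def parse_community_lines(conf_text):
    """Yield (lineno, directive, community, source) for each community definition."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = COMMUNITY_RE.match(line)
        if m:
            # net-snmp treats a missing SOURCE as "default", i.e. any address
            yield lineno, m.group(1), m.group(2), m.group(3) or "default"
            continue
        m = COM2SEC_RE.match(line)
        if m:
            yield lineno, "com2sec", m.group(2), m.group(1)


def audit_snmp_communities(conf_text):
    """Return a list of (lineno, finding) pairs; an empty list means no issues found."""
    findings = []
    for lineno, directive, community, source in parse_community_lines(conf_text):
        if community.lower() in DEFAULT_NAMES:
            findings.append((lineno, "default-name"))
        if directive == "rwcommunity":
            findings.append((lineno, "read-write"))
        if source == "default":
            findings.append((lineno, "any-source"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_snmp_communities(conf) or 'no findings'}")
```

The audit treats the community string exactly as the text describes it, as a password, so the same rules apply that apply to any password: not a default value, granted with the least access needed (read-only), and accepted only from the station that is supposed to use it.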
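The Using Virtual LANs section above says each VLAN is distinguished by a unique identifier in the frame; in practice that identifier is the 12-bit VLAN ID carried in the IEEE 802.1Q tag, which a switch inserts after the source MAC address of an Ethernet frame. The Python below is an added example (not from the text) that parses that tag, leaves untagged frames alone, and then does the kind of check a network administrator runs when verifying that a VLAN configuration behaves as intended: it counts frames per VLAN on a link and lists any VLAN IDs seen that are not in the set the link is supposed to carry. All frames, addresses and VLAN numbers in it are constructed.

```python
"""Read the VLAN identifier from IEEE 802.1Q-tagged Ethernet frames.

Added example, not from the text. Layout of a tagged frame:
  dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | EtherType (2) | payload
TCI = 3-bit priority (PCP) | 1-bit DEI | 12-bit VLAN ID.
"""
import struct
from collections import Counter

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q tag


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet_header(frame):
    """Return header fields; vlan_id and priority are None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority = tci >> 13      # PCP: top 3 bits of the TCI
        vlan_id = tci & 0x0FFF    # VID: low 12 bits (1..4094 usable)
        offset = 18
    return {
        "dst": mac_str(dst), "src": mac_str(src),
        "vlan_id": vlan_id, "priority": priority,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def build_frame(dst, src, ethertype, payload, vlan_id=None, priority=0):
    """Assemble a frame; used here only to construct sample input."""
    header = dst + src
    if vlan_id is not None:
        tci = (priority << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def count_by_vlan(frames):
    """Map VLAN ID (None = untagged) to the number of frames seen on it."""
    return dict(Counter(parse_ethernet_header(f)["vlan_id"] for f in frames))


def unexpected_vlans(frames, allowed_vlans):
    """Sorted list of tagged VLAN IDs seen that the link is not supposed to carry."""
    seen = {v for v in count_by_vlan(frames) if v is not None}
    return sorted(seen - set(allowed_vlans))


# Constructed sample frames (hypothetical addresses).
BCAST = b"\xff" * 6
HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("00aabbccddee")
IPV4, ARP = 0x0800, 0x0806
PAYLOAD = b"\x45\x00\x00\x14" + b"\x00" * 16

# Raw tagged frame written out as hex: TCI 0xa064 = priority 5, VLAN 100.
RAW_TAGGED = bytes.fromhex("ffffffffffff" "001122334455" "8100" "a064" "0800") + PAYLOAD

SAMPLE_FRAMES = [
    RAW_TAGGED,
    build_frame(BCAST, HOST_B, ARP, PAYLOAD),                 # untagged
    build_frame(HOST_A, HOST_B, IPV4, PAYLOAD, vlan_id=200),  # tagged VLAN 200
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_ethernet_header(f))
    print("per VLAN:", count_by_vlan(SAMPLE_FRAMES))
    print("not allowed on this link:", unexpected_vlans(SAMPLE_FRAMES, {100}))
```

A VLAN ID appearing on a link that was not configured to carry it is exactly the symptom of the first problem the text lists, an improperly configured VLAN, and is worth alerting on from the network management station.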