Network Plus 2005 In Depth

562 Chapter 12 TROUBLESHOOTING NETWORK PROBLEMS

Network Monitor—A network monitoring program that comes with Windows Server 2003 (as well as with Windows NT and Windows 2000 Server).

ohmmeter—A device used to measure resistance in an electrical circuit.

optical time domain reflectometer—See OTDR.

OTDR (optical time domain reflectometer)—A performance testing device for use with fiber-optic networks. An OTDR works by issuing a light-based signal on a fiber-optic cable and measuring the way in which the signal bounces back (or reflects) to the OTDR. By measuring the length of time it takes the signal to return, an OTDR can determine the location of a fault.

promiscuous mode—The feature of a network adapter that allows it to pick up all frames that pass over the network—not just those destined for the node served by the card.

protocol analyzer—A software package or hardware-based tool that can capture and analyze data on a network. Protocol analyzers are more sophisticated than network monitoring tools, as they can typically interpret data up to Layer 7 of the OSI Model.

runt—A packet that is smaller than the medium’s minimum packet size. For instance, any Ethernet packet that is smaller than 64 bytes is considered a runt.

site selection—The process of determining optimal locations for access points on a wireless network.

spectrum analyzer—A tool that assesses the characteristics (for example, frequency, amplitude, and the effects of interference) of wireless signals.

supported services list—A document that lists every service and software package supported within an organization, plus the names of first- and second-level support contacts for those services or software packages.

TDR (time domain reflectometer)—A high-end instrument for testing the qualities of a cable. It works by issuing a signal on a cable and measuring the way in which the signal bounces back (or reflects) to the TDR. Many performance testers rely on TDRs.

time domain reflectometer—See TDR.

tone generator—A small electronic device that issues a signal on a wire pair. When used in conjunction with a tone locator, it can help locate the termination of a wire pair.

tone locator—A small electronic device that emits a tone when it detects electrical activity on a wire pair. When used in conjunction with a tone generator, it can help locate the termination of a wire pair.

voltmeter—A device used to measure voltage (or electrical pressure) on an electrical circuit.


Review Questions

1. _________________________ assign unique identifying numbers to each problem, in addition to identifying the caller, the nature of the problem, the time necessary to resolve it, and the nature of the resolution.

a. Call tracking systems
b. Jabbers
c. NETMONs
d. TDRs

2. A _________________________ is a software-based tool that continually monitors network traffic from a server or workstation attached to the network.

a. change management system
b. jabber
c. network monitor
d. call tracking system

3. A _________________________ is a record of how the network operates under normal conditions.

a. ghost
b. runt
c. fox and hound
d. baseline

4. Which of the following is a device that handles electrical signals improperly, usually affecting the rest of the network?

a. Runt
b. Ghost
c. Jabber
d. Giant

5. A _________________________ is a tool that can be used to assess the quality of a wireless signal.

a. runt
b. spectrum analyzer
c. jabber
d. protocol analyzer


6. True or false? The time frequency with which a problem occurs can reveal subtle network problems.

7. True or false? An excellent way to learn more about the causes of a problem is to recreate the symptoms.

8. True or false? Physical connectivity problems typically result in software application anomalies, the inability to use a single application, poor network performance, and software licensing errors.

9. True or false? Whether you are a one-person network support team or one of 100 network technicians, you should always record the symptoms and cause (or causes) of a problem and your solution.

10. True or false? Any Ethernet packet that is larger than 64 bytes is considered a runt.

11. A(n) _________________________ is a document that lists every service and software package supported within an organization, plus the names of first- and second-level support contacts for those services or software packages.

12. A(n) _________________________ is a process or program that provides support personnel with a centralized means of documenting changes to the network.

13. A(n) _________________________ cable is useful for quickly and easily verifying that a node’s NIC is transmitting and receiving signals properly.

14. A(n) _________________________ is a device that emits a tone when it detects electrical activity on a wire pair.

15. Resistance is measured in _________________________.

Chapter 13

Ensuring Integrity and Availability

After reading this chapter and completing the exercises, you will be able to:

Identify the characteristics of a network that keep data safe from loss or damage

Protect an enterprise-wide network from viruses

Explain network- and system-level fault-tolerance techniques

Discuss issues related to network backup and recovery strategies

Describe the components of a useful disaster recovery plan and the options for disaster contingencies

As networks take on more of the burden of transporting and storing a day’s work, you must pay increasing attention to the risks involved. You can never assume that data is safe on the network until you have taken explicit measures to protect the information. In this book, you have learned about building scalable, reliable enterprise-wide networks as well as selecting the most appropriate hardware and network operating systems to operate your network. But all the best equipment and software cannot ensure that server hard drives will never fail or that a malicious employee won’t sabotage your network.

Methods for protecting data evolve quickly as networks change and new threats, such as computer viruses, are released. This chapter provides a broad overview of measures that you can take to ensure that your data remain safe. The far-reaching topic of network security is covered in the next chapter.

What Are Integrity and Availability?

Before learning how to ensure integrity and availability, you should fully understand what these terms mean. Integrity refers to the soundness of a network’s programs, data, services, devices, and connections. To ensure a network’s integrity, you must protect it from anything that might render it unusable. Closely related to the concept of integrity is availability. Availability of a file or system refers to how consistently and reliably it can be accessed by authorized personnel. For example, a server that allows staff to log on and use its programs and data 99.99% of the time is considered to be highly available, whereas one that is functional only 98% of the time is less available. To ensure high availability, you need a well-planned and well-configured network, as well as data backups, redundant devices, and protection from malicious intruders who could potentially immobilize the network.

A number of phenomena may compromise both integrity and availability, including security breaches, natural disasters (such as tornadoes, floods, hurricanes, and ice storms), malicious intruders, power flaws, and human error. Every network administrator should consider these possibilities when designing a sound network. You can readily imagine the importance of integrity and availability of data in a hospital, for example, in which the network stores patient records and also provides quick medical reference material, video displays for surgical cameras, and perhaps even control of critical care monitors.

If you have ever supported computer users, you know that they sometimes unintentionally harm data, applications, software configurations, or even hardware. Networks may also be intentionally harmed by users unless network administrators take precautionary measures and pay regular, close attention to systems and networks so as to protect them. This section reminds you of commonsense approaches to data integrity and availability. Later in this chapter, you will learn about more specific or formal (and potentially more expensive) approaches to data protection.

Although you can’t predict every type of vulnerability, you can take measures to guard against most damaging events. Following are some general guidelines for protecting your network:

Allow only network administrators to create or modify NOS and application system files.

Pay attention to the rights assigned to regular users (including the groups “users” or “everyone” and the user name “guest”). Bear in mind that the worst consequence of applying overly stringent file restrictions is an inconvenience to users. In contrast, the worst consequence of applying overly lenient file restrictions could be a failed network.

Monitor the network for unauthorized access or changes. You can install programs that routinely check whether and when the files you’ve specified (for example, server.exe on a NetWare server) have changed. Such monitoring programs are typically inexpensive and easy to customize. They may even enable the system to page or e-mail you when a system file changes. Store the reference checksums that such a program compares against where the monitored server itself cannot overwrite them (on read-only or off-host media); otherwise an intruder who alters a system file can simply update the stored record to match.

Record authorized system changes in a change management system. You have learned about the importance of change management when troubleshooting networks. Routine changes should also be documented in a change management system. Recording system changes enables you and your colleagues to understand what’s happening to your network and protect it from harm. For example, suppose that the remote access service on a Linux server has stopped accepting connections. Before taking troubleshooting steps that may create more problems and further reduce the availability of the system, you could review the change management log. It might indicate that a colleague recently installed an update to the Linux NOS. With this information in hand, you could focus on the update as a likely source of the problem.

Install redundant components. The term redundancy refers to an implementation in which more than one component is installed and ready to use for storing, processing, or transporting data. Redundancy is intended to eliminate single points of failure. To maintain high availability, you should ensure that critical network elements, such as your connection to the Internet or your file server’s hard disk, are redundant. Some types of redundancy—for example, redundant sources of electrical power for a building—require large investments, so your organization should weigh the risks of losing connectivity or data against the cost of adding duplicate components.

Perform regular health checks on the network. Prevention is the best weapon against network downtime. By establishing a baseline and regular network monitoring, you can anticipate problems before they affect availability or integrity. For example, if your network monitor alerts you to rapidly rising utilization on a critical network segment, you can analyze the network to discover where the problem lies and perhaps fix it before it takes down the segment.

Check system performance, error logs, and the system log book regularly. By keeping track of system errors and trends in performance, you have a better chance of correcting problems before they cause a hard disk failure and potentially damage your system files. By default, all NOSs keep error logs (on a Linux server, for example, a file called “messages” located in the /var/log directory collects error messages from system services, such as DNS, and other programs also save log files in the /var/log directory). It’s important that you know where these error logs reside on your server and understand how to interpret them.

Keep backups, boot disks, and emergency repair disks current and available. If your file system or critical boot files become corrupted by a system crash, you can use the emergency or boot disks to recover the system. Otherwise, you may need to reinstall the software before you can start the system. If you ever face the situation of recovering from a system loss or disaster, you must recover in the quickest manner possible. For this effort, you need backup devices and also a backup strategy tailored to your environment.

Implement and enforce security and disaster recovery policies. Everyone in your organization should know what she is allowed to do on the network. For example, if you decide that it’s too risky for employees to download games off the Internet because of the potential for virus infection, you should inform them of a ban on downloading games. You might enforce this policy by restricting users’ ability to create or change files (such as executable files) that are copied to the workstation during the downloading of games. Making such decisions and communicating them to staff should be part of your IT policy. Likewise, key personnel in your organization should be familiar with your disaster recovery plan, which should detail your strategy for restoring network functionality in case of an unexpected failure. Although such policies take time to develop and may be difficult to enforce, they can directly affect your network’s availability and integrity.
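The file-change monitoring recommended in the guidelines above can be implemented with a baseline-and-compare script. The following is an added example written for this page, not a program from the book or from any product; it follows the approach of file-integrity tools such as Tripwire or AIDE. The directory layout, file names and contents are constructed for the demonstration, and the tampering steps (appending to a binary, resetting its timestamp, deleting a file, dropping a new one) are assumed intruder behaviour, not anything the book describes.

```python
"""Baseline-and-compare file integrity check.

Added example for this page (hypothetical tool, not code from the book).
Walk a directory, record a SHA-256 digest for every regular file, keep that
record as JSON, and later report which files were modified, removed or added.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Digest the file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, dict]:
    """Record digest, size and mtime of every regular file under root, keyed by relative path."""
    snap: Dict[str, dict] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):          # skip sockets, fifos, dangling links
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": sha256_file(full), "size": st.st_size, "mtime": int(st.st_mtime)}
    return snap


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify every path seen in either snapshot.

    Only the digest decides "modified": size and mtime are kept for the report, but an
    intruder can reset a file's timestamp, so they are not used as evidence.
    """
    changes: Dict[str, List[str]] = {"modified": [], "removed": [], "added": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            changes["added"].append(rel)
        elif rel not in current:
            changes["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            changes["modified"].append(rel)
    return changes


def run_demo() -> dict:
    """Constructed scenario (assumed file names and contents): baseline three files, then
    tamper with a binary and hide the change by restoring its mtime, delete a config file,
    and drop an unexpected file; return the resulting report."""
    with tempfile.TemporaryDirectory() as root:
        sample = {
            "sbin/server.bin": b"\x7fELF demo binary",
            "etc/named.conf": b"options { recursion no; };",
            "etc/login.cfg": b"auth required",
        }
        for rel, content in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)

        baseline_json = json.dumps(snapshot(root))   # store this off-host or read-only
        baseline = json.loads(baseline_json)

        target = os.path.join(root, "sbin", "server.bin")
        with open(target, "ab") as f:                # tamper: append bytes to the binary
            f.write(b"\x90\x90\x90")
        old_mtime = baseline["sbin/server.bin"]["mtime"]
        os.utime(target, (old_mtime, old_mtime))      # cover tracks: put the timestamp back
        os.remove(os.path.join(root, "etc", "login.cfg"))
        with open(os.path.join(root, "etc", "rogue.so"), "wb") as f:
            f.write(b"not in the baseline")

        current = snapshot(root)
        report: dict = compare(baseline, current)
        report["mtime_hidden"] = current["sbin/server.bin"]["mtime"] == old_mtime
        return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as a script to print the report. Only the digest decides whether a file counts as modified: the demo restores the tampered binary's modification time to its baseline value, which would fool a check based on timestamps alone, yet the file is still reported as modified. The JSON baseline is what you would write to read-only or off-host storage before trusting later comparisons.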

These measures are merely first steps to ensuring network integrity and availability, but they are essential. The following sections describe what types of policies, hardware, and software you can implement to achieve availability and integrity, beginning with virus detection and prevention.

Viruses

Strictly speaking, a virus is a program that replicates itself with the intent to infect more computers, either through network connections or through the exchange of external storage devices (such as floppy disks, CD-ROMs, or CompactFlash cards). Viruses are typically copied to a computer’s storage device without the user’s knowledge. A virus may damage files or systems, or it may simply annoy users by flashing messages or pictures on the screen or by causing the computer to beep. In fact, some viruses cause no harm and can remain unnoticed on a system indefinitely.

Many other unwanted and potentially destructive programs are called viruses, but technically do not meet the criteria used to define a virus. For example, a program that disguises itself as something useful but actually harms your system is called a Trojan horse (or simply, Trojan), after the famous wooden horse in which soldiers were hidden. Because Trojan horses do not replicate themselves, they are not considered viruses. An example of a Trojan horse is an executable file that someone sends you over the Internet, promising that the executable will install a great new game, when in fact it erases data on your hard disk or mails spam to all the users in your e-mail program’s address book.

In this section, you will learn about the different viruses and other malicious programs that may infect your network, their methods of distribution, and, most important, protection against them. Viruses can infect computers running any type of operating system—Macintosh, NetWare, Windows, Linux, or UNIX—at any time. As a network administrator, you must take measures to guard against them.

Types of Viruses

Many thousands of viruses exist, although only a relatively small number cause the majority of virus-related damage. Viruses can be classified into different categories based on where they reside on a computer and how they propagate themselves. Often, creators of viruses apply slight variations to existing viruses to make their version undetectable by antivirus programs. The result is a host of related, albeit different, viruses. The makers of antivirus software must then update their programs to recognize the new variations, and the virus creators may again alter their viruses to render them undetectable. This cycle continues, ad infinitum. No matter what their variation, all viruses belong to one of the following categories:

Boot sector viruses—Boot sector viruses position their code in the boot sector of a computer’s hard disk so that when the computer boots up, the virus code runs before the normal boot code and operating system are loaded. Boot sector viruses are commonly spread from external storage devices to hard disks. This may happen, for example, if a floppy disk is left in the drive when a computer boots up and the computer is configured to boot first from a floppy disk when a floppy disk is present (rather than from the hard disk). Boot sector viruses vary in their destructiveness. Some merely display a screen advertising the virus’s presence when you boot the infected computer. Others do not advertise themselves, but stealthily destroy system files or make it impossible for the file system to access at least some of the computer’s files. Examples of boot sector viruses include “POLYBOOT-B” (also known as “WYX.B” or “WYX-B”), “Michelangelo,” and the “Stoned” virus, which was widespread in the early 1990s (in fact, it disabled U.S. military computers during the 1991 Persian Gulf War), and persists today in many variations. Until you disinfect a computer that harbors a boot sector virus, the virus propagates to every external disk to which that computer writes information. Removing a boot sector virus first requires rebooting the computer from an uninfected, write-protected disk with system files on it. Only after the computer is booted from a source other than the infected hard disk can you run software to remove the boot sector virus.

Macro viruses—Macro viruses take the form of a macro (such as the kind used in a word processing or spreadsheet program), which may be executed as the user works with a program. For example, you might send a WordPerfect document as an attachment to an e-mail message. If that document contains a macro virus, when the recipient opens the document, the macro runs, and all future documents created or saved by that program are infected. Macro viruses were the first type of virus to infect data files rather than executable files. They are quick to emerge and spread because they are easy to write, and because users share data files more frequently than executable files. Although the earliest versions of macro viruses were annoying but not harmful, currently circulating macro viruses may threaten data files. Examples of macro viruses include “Corner.A” and its variants, “Jerk.A” and its variants, and “Tristate.A” and its variants. Symptoms of macro virus infection vary widely but may include missing options from application menus; damaged, changed, or missing data files; or strange pop-up messages that appear when you use an application.

File-infected viruses—File-infected viruses attach themselves to executable files. When an infected executable file runs, the virus copies itself to memory. Later, the virus attaches itself to other executable files. Some file-infected viruses attach themselves to other programs even while their “host” executable runs a process in the background, such as a printer service or screen saver program. Because they stay in memory while you continue to work on your computer, these viruses can have devastating consequences, infecting numerous programs and requiring that you disinfect your computer, as well as reinstall virtually all software. Symptoms of virus infection may include damaged program files, inexplicable file size increases, changed icons for programs, strange messages that appear when you attempt to run a program, or the inability to run a program. Examples of file-infected viruses include “Vacsina” and “WoodGoblin” (both of which are dangerous because they overwrite files on a computer’s hard disk), and “Harmony.A,” which is harmless but increases the size of and adds a message to all executable files on a hard disk installed with a Windows operating system.

Worms—Worms are not technically viruses, but rather programs that run independently and travel between computers and across networks. They may be transmitted by any type of file transfer, including e-mail attachments. Worms do not alter other programs in the same way that viruses do, but they may carry viruses. Because they can transport (and hide) viruses, you should be concerned about picking up worms when you exchange files from the Internet, via e-mail, or through disks. Examples of worms include W32/Klez (and its variants), which spreads via e-mail attachments, and W32Lovesan.worm, which spreads through unprotected TCP and UDP ports on Windows computers when a user is connected to a network. Symptoms of worm infection may include almost any type of anomaly, ranging from strange pop-up messages to file damage.

Trojan horse—As mentioned earlier, a Trojan horse (or Trojan) is not actually a virus, but rather a program that claims to do something useful but instead harms the computer or system. Trojan horses range from being nuisances to causing significant system destruction. Virus detection programs recognize known Trojan horses and eradicate them. Examples of Trojan horses include JS/NoClose, which runs a JavaScript routine to generate HTML windows or applications that the user cannot close, and “Helvis,” which collects all the e-mails in a user’s inbox and outbox and sends them to an address associated with the virus writer. The best way to guard against Trojan horses is to refrain from downloading an executable file whose origins you can’t confirm. Suppose, for example, that you needed to download a new driver for a NIC on your network. Rather than going to a generic “network support site” on the Internet, you should download the file from the NIC manufacturer’s Web site. Most important, never run an executable file that was sent to you over the Internet as an attachment to a mail message whose sender or origins you cannot verify.

Network viruses—Network viruses propagate themselves via network protocols, commands, messaging programs, and data links. Although all viruses can theoretically travel across network connections, network viruses are specially designed to take advantage of network vulnerabilities. For example, a network virus may attach itself to FTP transactions to and from your Web server. Another type of network virus may spread through Microsoft Outlook messages only. Because network viruses are characterized by their transmission method, their symptoms may include almost any type of anomaly, ranging from strange pop-up messages to file damage.

Bots—Another virus category defined by its propagation method is a bot. In networking, the term bot (short for robot) means a program that runs automatically, without requiring a person to start or stop it. One type of bot is a virus that propagates itself automatically between systems. It does not require an unsuspecting user to download and run an executable file or to boot from an infected disk, for example. Many bots spread through the IRC (Internet Relay Chat), a protocol that enables users running IRC client software to communicate instantly with other participants in a chat room on the Internet. Chat rooms require an IRC server, which accepts messages from an IRC client and either broadcasts the messages to all other chat room participants (in an open chat room) or sends the message to select users (in a restricted chat room). Virus bots take advantage of IRC to transmit data, commands, or executable programs from one infected participant to others. (Consequently, a virus-spreading bot can also be considered a worm or Trojan.) After a bot has copied files on a client’s hard disk, these files can be used to damage or destroy a computer’s data or system files, issue objectionable content, and further propagate the virus. Bots are especially difficult to contain because of their fast, surreptitious, and distributed dissemination.

Virus Characteristics

Viruses that belong to any of the preceding categories may have additional characteristics that make them harder to detect and eliminate. Some of these characteristics include the following:

Encryption—Some viruses are encrypted to prevent detection. Most virus-scanning software searches files for a recognizable string of bytes that identifies the virus (a signature). A virus whose body is stored encrypted and decrypted only when it runs carries no such fixed string, so the antivirus program’s signature search may miss it. The decryption routine itself must remain in the clear, however, and scanners can match on that routine, or run it to recover the body before searching.

Stealth—Some viruses hide themselves to prevent detection. Typically, stealth viruses disguise themselves as legitimate programs or replace part of a legitimate program’s code with their destructive code.
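How an encrypted virus body defeats plain string matching, and how a scanner gets around it, as an added example that is not from the book. It uses constructed byte strings only (a four-byte marker standing in for a decryptor loop, an ASCII sentence standing in for the infectious body, and a one-byte XOR key as the encryption); nothing here replicates or infects anything, and the layout STUB | key | encrypted body is an assumption made for the demonstration. It shows that a signature taken from the plaintext body is never found in the stored sample for any of the 255 keys, while a signature on the constant decryptor, or running the decryptor and rescanning its output, still detects every generation.

```python
"""Signature scanning versus an encrypted virus body.

Added example for this page; all data is constructed, no real virus code is used.
Assumed layout of one generation of the sample:  STUB | 1-byte key | BODY xor key
"""
from typing import Callable, Dict, List

STUB = b"\xde\xc0\xde\x01"  # stands in for the constant decryptor loop that precedes the body
BODY = b"DEMO-VIRUS-BODY: copy self to other .exe files"  # stands in for the infectious routine
SIGNATURES: Dict[str, bytes] = {
    "Demo.Body": b"DEMO-VIRUS-BODY",  # signature extracted from the plaintext body
    "Demo.Decryptor": STUB,           # signature extracted from the decryptor once it is known
}


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the same routine encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def make_plain() -> bytes:
    """An unencrypted generation: the body is stored as-is."""
    return BODY


def make_encrypted(key: int) -> bytes:
    """An encrypted generation: each copy picks a new key, so the stored body bytes differ."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in the clear)")
    return STUB + bytes([key]) + xor(BODY, key)


def scan_static(sample: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Plain substring matching on the stored bytes, as the text describes."""
    return sorted(name for name, sig in signatures.items() if sig in sample)


def scan_with_emulation(sample: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Match on the raw bytes, and if a known decryptor is present, run it and rescan the output."""
    hits = set(scan_static(sample, signatures))
    if sample.startswith(STUB) and len(sample) > len(STUB):
        key = sample[len(STUB)]
        hits.update(scan_static(xor(sample[len(STUB) + 1:], key), signatures))
    return sorted(hits)


def detection_rate(scanner: Callable[[bytes], List[str]], name: str = "Demo.Body") -> float:
    """Fraction of the 255 possible generations in which the body signature is found."""
    found = sum(1 for k in range(1, 256) if name in scanner(make_encrypted(k)))
    return found / 255


if __name__ == "__main__":
    print("plain sample, static scan:      ", scan_static(make_plain()))
    print("encrypted sample, static scan:  ", scan_static(make_encrypted(0x5A)))
    print("encrypted sample, with emulation:", scan_with_emulation(make_encrypted(0x5A)))
    print("body found across all keys, static:    %.2f" % detection_rate(scan_static))
    print("body found across all keys, emulation: %.2f" % detection_rate(scan_with_emulation))
```

The decryptor is the weak point of this scheme, which is why scanners signature it; real viruses answered by varying the decryptor from copy to copy as well, which is what pushes scanners toward the emulate-then-rescan approach shown in scan_with_emulation rather than static matching alone.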
