Network Plus 2005 In Depth
.pdf662 Chapter 14 NETWORK SECURITY
security policy—A document or plan that identifies an organization’s security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee. In addition, it specifies how to address security breaches.
server_hello—In the context of SSL encryption, a message issued from the server to the client that confirms the information the server received in the client_hello message. It also agrees to certain terms of encryption based on the options the client supplied. Depending on the Web server’s preferred encryption method, the server may choose to issue your browser a public key or a digital certificate at this time.
session key—In the context of Kerberos authentication, a key issued to both the client and the server by the authentication service that uniquely identifies their session.
SFTP (Secure File Transfer Protocol)—A protocol available with the proprietary version of SSH that copies files between hosts securely. Like FTP, SFTP first establishes a connection with a host and then allows a remote user to browse directories, list files, and copy files. Unlike FTP, SFTP encrypts data before transmitting it.
social engineering—The act of manipulating personal relationships to circumvent network security measures and gain access to a system.
SSH (Secure Shell)—A connection utility that provides authentication and encryption. With SSH, you can securely log on to a host, execute commands on that host, and copy files to or from that host. SSH encrypts data exchanged throughout the session.
SSL (Secure Sockets Layer)—A method of encrypting TCP/IP transmissions—including Web pages and data entered into Web forms—en route between the client and server using public key encryption technology.
SSL session—In the context of SSL encryption, an association between the client and server that is defined by an agreement on a specific set of encryption techniques. An SSL session allows the client and server to continue to exchange data securely as long as the client is still connected to the server. SSL sessions are established by the SSL handshake protocol.
symmetric encryption—A method of encryption that requires the same key to encode the data as is used to decode the ciphertext.
TACACS (Terminal Access Controller Access Control System)—A centralized authentication system for remote access servers that is similar to, but older than, RADIUS.
Terminal Access Controller Access Control System—See TACACS.
TGS (Ticket-granting service)—In Kerberos terminology, an application that runs on the KDC that issues ticket-granting tickets to clients so that they need not request a new ticket for each new service they want to access.
KEY TERMS |
Chapter 14 663 |
TGT (ticket-granting ticket)—In Kerberos terminology, a ticket that enables a user to be accepted as a validated principal by multiple services.
three-way handshake—An authentication process that involves three steps.
ticket—In Kerberos terminology, a temporary set of credentials that a client uses to prove that its identity has been validated by the authentication service.
Ticket-granting service—See TGS.
ticket-granting ticket—See TGT.
TLS (Transport Layer Security)—A version of SSL being standardized by the IETF (Internet Engineering Task Force). With TLS, IETF aims to create a version of SSL that encrypts UDP as well as TCP transmissions. TLS, which is supported by new Web browsers, uses slightly different encryption algorithms than SSL, but otherwise is very similar to the most recent version of SSL.
Transport Layer Security—See TLS.
Triple DES (3DES)—The modern implementation of DES, which weaves a 56-bit key through data three times, each time using a different key.
war driving—The act of driving while running a laptop configured to detect and capture wireless data transmissions.
WEP (Wired Equivalent Privacy)—A key encryption technique for wireless networks that uses keys both to authenticate network clients and to encrypt data in transit.
Wi-Fi Alliance—An international, nonprofit organization dedicated to ensuring the interoperability of 802.11-capable devices.
Wi-Fi Protected Access—See WPA.
Wired Equivalent Privacy—See WEP.
WPA (Wi-Fi Protected Access)—A wireless security method endorsed by the Wi-Fi Alliance that is considered a subset of the 802.11i standard. In WPA, authentication follows the same mechanism specified in 802.11i. The main difference between WPA and 802.11i is that WPA specifies RC4 encryption rather than AES.
WPA2—The name given to the 802.11i security standard by the Wi-Fi Alliance. The only difference between WPA2 and 802.11i is that WPA2 includes support for the older WPA security method.
664 Chapter 14 NETWORK SECURITY
Review Questions
1.Which of the following terms refers to a thorough examination of each aspect of a network to determine how it might be compromised?
a.Symmetric encryption
b.Application gateway
c.Security audit
d.Social engineering
2.The use of an algorithm to scramble data into a format that can be read only by reversing the algorithm is known as _________________________.
a.encryption
b.bio-recognition
c.DNS spoofing
d.flashing
3.Trying a number of possible character combinations to find the key that will decrypt encrypted data is known as a _________________________.
a.denial-of-service attack
b.dictionary attack
c.social engineering
d.brute force attack
4.A _________________________ is a password-protected and encrypted file that holds an individual’s identification information, including a public key.
a.network key
b.digital certificate
c.key pair
d.session key
5._________________________ occurs when a hacker forges name server records to falsify his host’s identity.
a.DNS spoofing
b.Port forwarding
c.Public key encryption
d.Social engineering
REVIEW QUESTIONS |
Chapter 14 665 |
6.True or false? Networks that use leased public lines, such as T1 or DSL connections to the Internet, are vulnerable to eavesdropping at a building’s demarcation point, at a remote switching facility, or in a central office.
7.True or false? Proxy servers manage security at the Network layer of the OSI Model.
8.True or false? The Password Authentication Protocol (PAP) encrypts usernames and passwords for transmission.
9.True or false? If routers are not configured to mask internal subnets, users on outside networks can read the private addresses.
10.True or false? Dial-up networking turns a remote workstation into a node on the network, through a remote access server.
11.A(n) _________________________ occurs when a system becomes unable to function because it has been deluged with data transmissions or otherwise disrupted data.
12.A(n) _________________________ identifies your security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee.
13.A(n) _________________________ is a router that examines the header of every packet of data it receives to determine whether that type of packet is authorized to continue to its destination.
14.In _________________________ encryption, data is encrypted using a single key that only the sender and the receiver know.
15.The _________________________ protocol defines encryption, authentication, and key management for TCP/IP transmissions.
This page intentionally left blank
Chapter 15
Implementing and
Managing Networks
After reading this chapter and completing the exercises, you will be able to:
■Describe the elements and benefits of project management
■Manage a network implementation project
■Understand network management and the importance of baselining to assess a network’s health
■Plan and follow regular hardware and software maintenance routines
■Describe the steps involved in upgrading network software and hardware
In this book, you have learned the technologies and techniques necessary to design an efficient, secure network. In this chapter, you will learn how to put those elements together to plan a network implementation or improve an existing network from start to finish. One of the first steps in implementing a network is devising a plan. Before you can create such a plan, however, you must learn some project management fundamentals. After a network is in place, it requires continual review and adjustment. Therefore, a network, like any other complex system, is in a constant state of flux. Whether the changes are due to internal factors, such as increased demand on the server’s processor, or external factors, such as the obsolescence of a router, you should count on spending a significant amount of time investigating, performing, and verifying changes to your network. In this chapter, you will build on this knowledge to learn about changes dictated by immediate needs as well as those required to enhance the network’s
functionality, growth, performance, or security.
Project Management
Whether you are designing a network from scratch or making significant changes to an existing network, it’s important to plan carefully before purchasing hardware or software or committing staff time. Project management provides a framework for planning and implementing significant undertakings.
Project management is the practice of managing staff, budget, timelines, and other resources and variables to achieve a specific goal within given bounds. The project might be constrained by time, money, or the number of developers who can help you with the project. In the networking field, for example, you might employ project management when upgrading your servers to Solaris version 10, or when replacing the CAT 3 wiring in your organization’s building with CAT 6 wiring. This section describes some project management techniques that apply specifically to network and other technology implementations.
Different project managers have differing philosophies about the best way to ensure that project goals are met. However, most would agree that project management attempts to answer at least the following questions in roughly the following order:
Is the proposed project feasible?
What needs must the project address?
What are the project’s goals? (What are the standards for success?)
What tasks are required to meet the goals?
How long should tasks take, and in what order should they be undertaken?
What resources are required to accomplish the tasks, and how much will they cost?
PROJECT MANAGEMENT Chapter 15 671
Assessing Needs
All the staff in the Wyndham School District might agree that the current e-mail system is too slow and needs to be replaced, or numerous users might complain that the connection between their classroom computers and the LAN’s servers is unreliable. Often a network change project begins with a group of people identifying a need. Before you concur with popular opinion about what portions of the network must be upgraded and how changes must occur, as a responsible network administrator you should perform a thorough, objective needs assessment. A needs assessment is the process of clarifying the reasons and objectives underlying a proposed change. It involves interviewing users and comparing perceptions to factual data. It probably also involves analyzing network baseline data (discussed later in this chapter). Your goal in performing a needs assessment is to determine the appropriate scope and nature of the proposed changes.
A needs assessment may address the following questions:
Is the expressed need valid, or does it mask a different need?
Can the need be resolved?
Is the need important enough to allocate resources to its resolution? Will meeting the need have a measurable effect on productivity?
If fulfilled, will the need result in additional needs? Will fulfilling the need satisfy other needs?
Do users affected by the need agree that change is a good answer? What kind of resolution will satisfy them?
A network’s needs and requirements should be investigated as they relate to users, network performance, availability, scalability, integration, and security. Although only one or a few of these needs may constitute driving forces for your project, you should consider each aspect before drafting a project plan. A project based solely on user requirements may result in unforeseen, negative consequences on network performance, if performance needs are not considered as well.
A good way to start clarifying user requirements is to interview as many users as possible. Just as if you were a reporter, you should ask pointed questions. If the answer is not complete or sufficiently specific, follow up your original question with additional questions. The more narrowly focused the answers, the easier it is to suggest how a project might address those needs. Besides asking the user what he needs, you may also want to ask why the need should be addressed, what ways he suggests the need can be addressed, what kind of priority he would place on the need being met, and whether it takes precedence over other needs.
In the process of interviewing users, you may recognize that not all users have the same needs. In fact, the needs of one group of users may conflict with the needs of another group. In such cases, you must sort out which needs have a greater priority, which needs were expressed by the majority of users, whether the expressed needs have anything in common, and how to address needs that do not fall into the majority.