Wan

Published on December 2016 | Categories: Documents | Downloads: 79 | Comments: 0 | Views: 731

ACL

Dynamic ACLs
Lock-and-key is a traffic-filtering security feature that uses dynamic ACLs (sometimes called lock-and-key ACLs). Dynamic ACLs are available for IP traffic only and depend on Telnet connectivity, authentication (local or remote), and extended ACLs. Users who want to traverse the router are blocked by the extended ACL until they use Telnet to connect to the router and are authenticated. The Telnet connection is then dropped, and a single-entry dynamic ACL is added to the existing extended ACL. This permits traffic for a particular period; idle and absolute timeouts are possible.

Benefits of Dynamic ACLs
Dynamic ACLs have the following security benefits over standard and static extended ACLs:
- Use of a challenge mechanism to authenticate individual users
- Simplified management in large internetworks
- In many cases, a reduction in the amount of router processing that is required for ACLs
- Less opportunity for hackers to break into the network
- Creation of dynamic user access through a firewall, without compromising other configured security restrictions

Example dynamic ACL configuration (the first entry must name the protocol, tcp, so that the Telnet session used to authenticate to the router is permitted):
R3(config)# access-list 101 permit tcp any host 10.2.2.2 eq telnet
R3(config)# access-list 101 dynamic router-telnet timeout 15 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
R3(config)# interface S 0/0/1
R3(config-if)# ip access-group 101 in

Time-Based ACLs
Time-based ACLs are similar to extended ACLs in function but allow access control based on time: you create a time range and reference it from the ACL. Benefits include, for example, more control for the administrator over logging messages or over denying access to resources during certain periods.

Reflexive ACLs
Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They generally are used to allow outbound traffic and to limit inbound traffic in response to sessions that originate inside the router. This gives you greater control over what traffic you allow into your network and increases the capabilities of extended access lists.
Standard Access Lists
Prevent only the PC from accessing the network where S2 is located. Allow access everywhere else.
R2#configure terminal
R2(config)#access-list 1 deny host 10.1.0.5
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip access-group 1 out

Configure standard named ACLs on the R1 and R3 VTY lines, permitting hosts connected directly to their FastEthernet subnets to gain Telnet access. Deny and log all other connection attempts. Document your testing procedures.
ip access-list standard VTY_LOCAL
 permit 10.1.1.0 0.0.0.255
 deny any log
line vty 0 4
 access-class VTY_LOCAL in

Extended Access Lists
Prevent pings to the FastEthernet interface 0/0 on R3 from the PC.
R1#configure terminal
R1(config)#access-list 100 deny icmp host 10.1.0.5 host 5.1.1.1 echo
R1(config)#access-list 100 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 100 in
R1(config-if)#^Z

Named Access Lists
Prevent the PC's subnet from reaching the web management page on R2. Allow all other traffic.
R1#configure terminal
R1(config)#ip access-list extended NOWEB
R1(config-ext-nacl)#deny tcp any 10.2.0.1 0.0.0.0 eq 80
R1(config-ext-nacl)#permit ip any any
R1(config-ext-nacl)#interface fastethernet 0/0
R1(config-if)#ip access-group NOWEB in
R1(config-if)#^Z
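The following is an added example, not part of these notes and not Cisco code: a small Python model of the matching rules a router applies to the access lists above (top-down evaluation, first match wins, implicit deny at the end, wildcard masks where a 0 bit must match and a 1 bit is ignored). It parses the standard, extended and named entries from the notes and evaluates constructed packets against them, which makes the effect of ACE order and of the implicit deny visible. The Packet fields and the PORT_NAMES table are assumptions of the model; dynamic (lock-and-key) and reflexive entries are not modelled.

```python
"""Educational model of IOS access-list evaluation (added example, not Cisco code).

Implements only: top-down first-match evaluation, the implicit 'deny any',
wildcard-mask matching and 'eq <port>' / ICMP-type qualifiers. PORT_NAMES and the
Packet fields are assumptions; dynamic and reflexive entries are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]  # (network, wildcard mask), both dotted quads
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "ftp": 21}  # assumed subset of IOS keywords


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]
    icmp_type: Optional[str]
    log: bool


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """IOS wildcard semantics: mask bits set to 1 are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    net = int(ipaddress.IPv4Address(spec[0]))
    care = ~int(ipaddress.IPv4Address(spec[1])) & 0xFFFFFFFF
    return (a & care) == (net & care)


def parse_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse a numbered ('access-list N ...') or named-mode ('permit ...') entry."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]                         # drop 'access-list <number>'
    action, tokens = tokens[0], tokens[1:]
    log = tokens[-1] == "log"
    if log:
        tokens = tokens[:-1]
    dport = icmp_type = None
    if tokens[0] in ("ip", "tcp", "udp", "icmp"):  # extended entry: protocol, src, dst
        proto, tokens = tokens[0], tokens[1:]
        src, tokens = parse_addr(tokens)
        dst, tokens = parse_addr(tokens)
        if tokens and tokens[0] == "eq":
            dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        elif tokens and proto == "icmp":
            icmp_type = tokens[0]                   # e.g. 'echo'
    else:                                           # standard entry: source only
        proto, dst = "ip", ANY
        src, tokens = parse_addr(tokens)
    return Ace(action, proto, src, dst, dport, icmp_type, log)


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return ace.icmp_type is None or ace.icmp_type == pkt.icmp_type


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, bool]:
    """Top-down, first match wins; an unmatched packet hits the implicit 'deny any'."""
    for ace in acl:
        if matches(ace, pkt):
            return ace.action, ace.log
    return "deny", False


# The access lists from the notes above, fed through the parser.
ACL_1 = [parse_ace(l) for l in ["access-list 1 deny host 10.1.0.5", "access-list 1 permit any"]]
VTY_LOCAL = [parse_ace(l) for l in ["permit 10.1.1.0 0.0.0.255", "deny any log"]]
ACL_100 = [parse_ace(l) for l in ["access-list 100 deny icmp host 10.1.0.5 host 5.1.1.1 echo",
                                  "access-list 100 permit ip any any"]]
NOWEB = [parse_ace(l) for l in ["deny tcp any 10.2.0.1 0.0.0.0 eq 80", "permit ip any any"]]

if __name__ == "__main__":
    # Constructed traffic: the PC pinging R3, and a host outside 10.1.1.0/24 trying the VTY.
    print(evaluate(ACL_100, Packet("icmp", "10.1.0.5", "5.1.1.1", icmp_type="echo")))  # ('deny', False)
    print(evaluate(ACL_100, Packet("icmp", "10.1.0.5", "5.1.1.1", icmp_type="echo-reply")))  # ('permit', False)
    print(evaluate(VTY_LOCAL, Packet("tcp", "10.2.0.9", "10.1.1.1", dport=23)))  # ('deny', True)
```

Swapping the two entries of ACL_100 in the list shows why order matters: the `permit ip any any` then matches first and the echo requests are never denied.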

NETWORK BASELINE
Network baselining is the act of measuring and rating the performance of a network in real-time situations. Providing a network baseline requires testing and reporting of the physical connectivity, normal network utilization, protocol usage, peak network utilization, and average throughput of the network usage. Such in-depth network analysis is required to identify problems with speed and accessibility, and to find vulnerabilities and other problems within the network. Once a network baseline has been established, companies and organizations use this information to determine both present and future network upgrade needs and to assist in making changes to ensure their current network is optimized for peak performance.

Steps for Establishing a Network Baseline:
Step 1. Determine what types of data to collect.
Step 2. Identify devices and ports of interest.
Step 3. Determine the baseline duration.

Establishing a network performance baseline requires collecting key performance data from the ports and devices that are essential to network operation. This information helps determine the network's "personality" and provides answers to the following questions:
- How does the network perform during a normal or average day?
- Where are the underutilized and overutilized areas?
- If errors are discovered, where are the most errors occurring?
- What alert thresholds should be set for the devices that need to be monitored?
- Can the network deliver the service identified in the Network Policy document?
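As an added example (not from these notes), the Python below turns the kind of data collected in the steps above, periodic interface byte counters from a port of interest, into the baseline figures the questions ask for: average and peak utilization and a derived alert threshold. The counter readings, the 10 Mbps link speed and the 60-second polling interval are constructed assumptions; the example also handles the 32-bit counter rollover that appears in SNMP-style octet counters, which silently corrupts a baseline if it is not corrected.

```python
"""Utilization baseline from periodic interface counters (added example, constructed data).

Assumes one 10 Mbps link polled every 60 s for a 32-bit cumulative octet counter
(SNMP ifInOctets style), which wraps at 2**32 and must be unwrapped first.
"""
from statistics import mean, pstdev
from typing import Dict, List

COUNTER_MAX = 2 ** 32  # 32-bit SNMP counters roll over here
INTERVAL_S = 60        # assumed polling interval
LINK_BPS = 10_000_000  # assumed link speed

# Constructed cumulative octet readings, one per poll; the counter wraps
# between the first two readings (4 280 000 000 -> 32 704).
SAMPLES = [4_280_000_000, 32_704, 22_532_704, 41_282_704, 56_282_704,
           82_532_704, 142_532_704, 157_532_704, 180_032_704]


def utilization_series(samples: List[int], interval_s: int, link_bps: int) -> List[float]:
    """Per-interval utilization as a fraction of link capacity, correcting counter wrap."""
    utils = []
    for prev, cur in zip(samples, samples[1:]):
        delta = cur - prev
        if delta < 0:                 # counter rolled over between polls
            delta += COUNTER_MAX
        utils.append(delta * 8 / (interval_s * link_bps))
    return utils


def baseline(utils: List[float], k: float = 2.0) -> Dict[str, float]:
    """Average and peak utilization plus an alert threshold of mean + k std deviations."""
    avg = mean(utils)
    return {"average": avg, "peak": max(utils),
            "threshold": min(1.0, avg + k * pstdev(utils))}


def above_threshold(utils: List[float], threshold: float) -> List[int]:
    """Indexes of the intervals that would have raised an alert against the baseline."""
    return [i for i, u in enumerate(utils) if u > threshold]


if __name__ == "__main__":
    utils = utilization_series(SAMPLES, INTERVAL_S, LINK_BPS)
    base = baseline(utils)
    print([round(u, 2) for u in utils])                 # [0.2, 0.3, 0.25, 0.2, 0.35, 0.8, 0.2, 0.3]
    print({key: round(v, 3) for key, v in base.items()})
    print(above_threshold(utils, base["threshold"]))    # [5]
```

The threshold is only as good as the baseline period behind it: collect over a long enough window (Step 3) that normal daily and weekly peaks are represented, or the first busy hour after deployment will alert.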

Troubleshooting Methods
The three main methods of troubleshooting networks are bottom-up, top-down, and divide-and-conquer.

Bottom-up: start with the physical components of the network and move up through the layers of the OSI model until the cause of the problem is identified. This is a good approach to use when the problem is suspected to be a physical one. The disadvantage of bottom-up troubleshooting is that it requires you to check every device and interface on the network until you find the possible cause of the problem.

Top-down: start with the end-user applications and move down through the layers of the OSI model until the cause of the problem has been identified. Use it when you think the problem is with a software application. The disadvantage of the top-down approach is that it requires you to check every network application until you find the possible cause of the problem.

Divide-and-conquer: you select a layer and test in both directions from the starting layer. Start by collecting users' experiences with the problem and document the symptoms. Then, using that information, you decide at which OSI layer to start your investigation.

Gathering Symptoms
Step 1. Analyze existing symptoms: Analyze symptoms gathered from the trouble ticket, users, or end systems affected by the problem to form a definition of the problem.
Step 2. Determine ownership: If the problem is within your system, you can move on to the next stage. If the problem is outside the boundary of your control, such as lost Internet connectivity outside the autonomous system, you need to contact an administrator for the external system before gathering additional network symptoms.
Step 3. Narrow the scope: Isolate the geographic area involved, and determine if the problem is at the network's core, distribution, or access layer. After you've identified the problem, analyze the existing symptoms, and use your knowledge of the network topology to determine which devices are probably involved.
Step 4. Gather symptoms from suspect devices: Using a layered troubleshooting approach, gather hardware and software symptoms from the suspect devices. Start with the most likely possibility, and use knowledge and experience to determine if the problem is more likely a hardware or software configuration problem.
Step 5. Document symptoms: Sometimes the problem can be solved using the documented symptoms. If not, begin the isolating phase of the general troubleshooting process.

Useful Troubleshooting Commands
ping
traceroute {destination}: identifies the path a packet takes through the networks. The destination variable is the hostname or IP address of the target system.
telnet
show ip int brief
sh ip route
sh protocols

SECURITY
Many attackers use this seven-step process:
1. Perform footprint analysis.
2. Enumerate information (monitor the network, finding information such as FTP servers and mail servers).
3. Manipulate users to gain access.
4. Escalate privileges. After attackers gain basic access, they use their skills to increase their network privileges.
5. Gather additional passwords and secrets. With improved access privileges, attackers use their talents to gain access to well-guarded, sensitive information.
6. Install back doors. Back doors give the attacker a way to enter the system without being detected. The most common back door is an open listening TCP or UDP port.
7. Leverage the compromised system. After a system is compromised, an attacker uses it to stage attacks on other hosts in the network.

Types of Computer Crime
- Insider abuse of network access
- Viruses
- Mobile device theft
- Phishing, in which an organization is fraudulently represented as the sender
- Instant-messaging (IM) misuse
- Denial of service
- Unauthorized access to information
- Abuse of a wireless network
- System penetration
- Financial fraud

Teleworking (or telecommuting) is when an employee performs his or her job away from a traditional workplace, usually from a home office.

There are three remote-connection technologies available to organizations to support teleworker services:
Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote-connection solutions. The security of these connections depends on the service provider.
IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity. Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers. This is the most common option for teleworkers, combined with remote access over broadband, to establish a secure VPN over the public Internet. (A less reliable means of connectivity using the Internet is a dialup connection.)

Telecommuting requires the following components:
Teleworker and home office components: The required home office components are a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer. Additional components might include a wireless access point. When traveling, teleworkers need an Internet connection and a VPN client to connect to the corporate network over any available dialup, network, or broadband connection.
Headquarters and corporate components: Corporate components are VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.

Dialup access is an inexpensive option with speeds up to 56 kbps.

DSL typically is more expensive than dialup but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet. DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN. DSL provides high-speed broadband access at speeds of 200 kbps and higher. Upload and download speeds vary according to the user's distance from the central office.

Cable modem service usually is offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television. A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN. Cable is similar to DSL in that it provides broadband access at speeds of 200 kbps and higher.

Satellite Internet access is offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network. Satellite Internet access speeds range from 128 kbps to 512 kbps, depending on the subscriber plan.

Types of Broadband Wireless
- Municipal Wi-Fi
- WiMAX
- Satellite Internet
