the carriers, such as phone companies, cable companies, and network providers. WANs use serial connections of various types to provide access over large geographic areas.

The Hierarchical Network Model: Access layer (grants user access to network devices), Distribution layer (policy-based connectivity), Core layer (the backbone).

CSU/DSU (Channel Service Unit/Data Service Unit) provides the clocking for T1 or T3 lines. The Demarc is the point of last responsibility for the service provider. The Local Loop (Last Mile) is the physical line connecting the CPE to the provider's nearest Central Office (CO). CPE = Customer Premise Equipment.

By default, a serial interface uses HDLC for encapsulation. Other supported encapsulation types: SDLC, PPP, LAPB, Frame Relay, X.25, ATM. The encapsulation must be identical on both sides of a point-to-point link.

High-Level Data-link Control (HDLC) is a WAN encapsulation protocol used on dedicated point-to-point serial lines. HDLC provides no authentication.

PPP Encapsulation: Point-to-Point Protocol (PPP) is an encapsulation protocol that can be used on dedicated point-to-point serial lines, asynchronous dial-up links, and ISDN. PPP has four components:
Physical: the standard for physical serial interfaces.
HDLC: encapsulates packets into frames over serial lines.
LCP: establishes, maintains, and terminates point-to-point links.
NCP: allows multiple Layer-3 protocols (such as IP and IPX) to be encapsulated into frames.

A circuit-switched network establishes a dedicated circuit between nodes before users communicate. If the circuit carries computer data, the usage may not be efficient. Circuit-switched examples: PPP, ISDN. The advantages of modems and analog lines are simplicity, availability, and low cost.

Packet switching splits traffic data into packets that are routed over a shared network. Frame Relay has no error or flow control. The simplified handling of frames leads to reduced latency and reduced jitter.
Leased line - HDLC, PPP: a permanent dedicated connection (a point-to-point link that provides a pre-established WAN communications path from the CPE through the provider network).
Cell relay - Asynchronous Transfer Mode (ATM).

Serial links can be clocked considerably faster than parallel links, and achieve a higher data rate, because of two factors that affect parallel communications: clock skew and crosstalk.

TDM (Time-Division Multiplexing) shares the available transmission time on a medium by assigning timeslots to users. TDM divides the bandwidth of a single link into separate channels or time slots, and transmits two or more channels over the same link by allocating a different time slot for the transmission of each channel. In effect, the channels take turns using the link. Statistical time-division multiplexing (STDM) uses a variable time slot length, allowing channels to compete for any free slot space.

PPP supports several features that HDLC does not:
Authentication - forces the sender/receiver to identify themselves with a username and password. PPP supports PAP and CHAP.
Compression - efficiency on slow links. PPP supports Stac and Predictor.
Multilink - allows multiple channels to be trunked together to combine their bandwidth. The bundled channels are treated as one logical channel.
Callback - provides security and billing services. Allows a client to first dial a PPP server, disconnect, and then have the PPP server call the client back.
Error Control.

PAP (Password Authentication Protocol) sends passwords in clear text in a two-way handshake. The sent username and password must match the remote username and password. The calling host is in control of the frequency and timing of login requests. This is undesirable, because the access server must respond to all login requests, even the repeated attempts of a hacker (brute-force attacks).

CHAP (Challenge Handshake Authentication Protocol) uses an MD5 hash. The username must be the hostname of the remote router, and the password must be the same on both routers.

PPP callback sequence:
1. The client initiates the call, requesting callback by using the callback option during the PPP LCP negotiation phase.
2. The callback server acknowledges the callback request if its configuration shows that callback is enabled.
3. The callback client and server participate in authentication via CHAP or PAP; this is required for callback.
4. The callback server identifies the callback dial string based on an LCP option field or on the username of the authenticated host matched to a dialer map statement.
5. The initial call is disconnected if the server is configured for callback AND any one of the following is true: 1. the callback string is found, 2. callback secure is configured.
6. The callback server uses the dial string to initiate the callback. If the return call fails, no additional calls are attempted. (Callback is not negotiated on the return call.)
7. User authentication is repeated once the return call connects.
8. The connection is established and data exchange proceeds.
Note that the answering router will maintain the initial call if: the server is not configured to accept a callback, OR callback is not being enforced and the user is not properly configured for callback (e.g. callback string not found).

Multilink PPP (MLP) is an LCP option that provides load balancing over multiple interfaces, including ISDN, synchronous, and asynchronous. MLP works by splitting packets into fragments, not by load balancing complete packets to a destination.

Two ATM interface types exist: The Network-to-Network Interface (NNI) is used to describe how Frame Relay networks from different providers connect to each other. The DTE-DCE connection at the local loop, between the CPE and the CO, is known as the User-to-Network Interface (UNI). Virtual channels can be permanent (PVC) or switched (SVC), and are one-way.

Frame Relay circuits can be either permanent (PVC) or switched (SVC). A permanent virtual circuit is always kept active, and is the most common virtual circuit.
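The PAP and CHAP exchanges described above (and reused in callback steps 3 and 7) side by side, as an added example written for these notes rather than code from the original. It simulates the two handshakes in Python: PAP puts the password on the wire, CHAP sends only a random challenge and an MD5 hash of (identifier, secret, challenge) so the shared secret never leaves the router and a captured response cannot be replayed against a fresh challenge. The router names R1/R2, the secret and the challenge length are constructed for the example; the PPP/LCP framing around the messages is not modelled.

```python
"""Added example: simulated PPP PAP versus CHAP authentication.
Hostnames, secret and challenge size are constructed for the example."""
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed credentials. CHAP: same password on both routers, username = peer hostname.
SECRET = b"cisco123"
PEERS: Dict[str, bytes] = {"R1": SECRET, "R2": SECRET}


def pap_request(username: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: username and password travel in clear text."""
    return bytes([len(username)]) + username.encode() + bytes([len(password)]) + password


def pap_verify(payload: bytes, db: Dict[str, bytes]) -> bool:
    """Two-way handshake: the authenticator just compares the received pair."""
    ulen = payload[0]
    username = payload[1:1 + ulen].decode()
    plen = payload[1 + ulen]
    password = payload[2 + ulen:2 + ulen + plen]
    return db.get(username) == password


def chap_challenge(challenge_len: int = 16) -> Tuple[int, bytes]:
    """Authenticator step 1: an identifier plus a random challenge (nothing secret is sent)."""
    return 1, os.urandom(challenge_len)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer step 2: MD5(identifier || secret || challenge); the secret stays on the router."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, username: str, response: bytes,
                challenge: bytes, db: Dict[str, bytes]) -> bool:
    """Authenticator step 3: recompute the hash from its own copy of the secret and compare."""
    secret = db.get(username)
    if secret is None:
        return False
    expected = hashlib.md5(bytes([identifier]) + secret + challenge).digest()
    return expected == response


def wire_exposes_secret(wire_bytes: bytes, secret: bytes) -> bool:
    """What a sniffer on the serial line would learn: is the secret visible in the frames?"""
    return secret in wire_bytes


def run_pap() -> dict:
    """Constructed PAP exchange: outcome plus whether the secret crossed the wire."""
    req = pap_request("R1", PEERS["R1"])
    return {"ok": pap_verify(req, PEERS), "secret_on_wire": wire_exposes_secret(req, SECRET)}


def run_chap(replayed_response: Optional[bytes] = None) -> dict:
    """Constructed CHAP exchange. Passing a previously captured response replays it
    against a fresh challenge, which is why the random challenge defeats replay."""
    ident, challenge = chap_challenge()
    if replayed_response is None:
        response = chap_response(ident, PEERS["R1"], challenge)
    else:
        response = replayed_response
    wire = challenge + response
    return {
        "ok": chap_verify(ident, "R1", response, challenge, PEERS),
        "secret_on_wire": wire_exposes_secret(wire, SECRET),
        "response": response,
    }


if __name__ == "__main__":
    print("PAP :", run_pap())
    first = run_chap()
    print("CHAP:", {k: v for k, v in first.items() if k != "response"})
    print("CHAP replay of an old response accepted?", run_chap(first["response"])["ok"])
```

The point for a defender is the last line: with PAP the password is recoverable from a single capture, while with CHAP a captured response is useless on the next call because the challenge changes, which is also why step 7 of the callback sequence can safely repeat authentication on the return call.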
A switched virtual circuit is created only when traffic needs to be sent, and is torn down when communication is complete. Virtual circuits are identified with Data Link Connection Identifiers (DLCIs). Frame Relay switches make forwarding decisions based on DLCIs, whereas Ethernet switches make decisions based on MAC addresses.

Frame Relay CIR: Bandwidth is provided on a best-effort basis in Frame Relay. The Frame Relay provider and customer agree on a Committed Information Rate (CIR), which is not always a guarantee of bandwidth. The provider will give a best effort to meet the CIR, which is measured in bits per second. At times, bandwidth can burst (Be) above the CIR. Speeds above the CIR are certainly not guaranteed, and if the Frame Relay network becomes congested, any data exceeding the CIR becomes Discard Eligible and is at risk of being dropped.

The broadcast keyword is commonly used with the frame-relay map command to allow broadcast forwarding and to simplify OSPF configuration for nonbroadcast networks over Frame Relay. Frame Relay is a Non-Broadcast Multiple Access (NBMA) network.

Physical interfaces: With a hub-and-spoke topology, Split Horizon will prevent the hub router from propagating routes learned from one spoke router to another spoke router.
Point-to-point subinterfaces: Each subinterface is on its own subnet, so broadcast propagation and Split Horizon rules are not a problem.
Multipoint subinterfaces: All participating subinterfaces are in the same subnet. Broadcasts and routing updates are also subject to the Split Horizon rule and may pose a problem.

Frame Relay Encapsulation Types: On Cisco routers, two possible Frame Relay encapsulations can be configured on the router's serial ports. Cisco is the default and is proprietary; IETF is the standardized Frame Relay encapsulation.

Frame Relay Local Management Interface (LMI): LMI is the type of signaling used between your router and your provider's Frame Relay switch. LMI provides status updates of virtual circuits between the Frame Relay switch and the router.
LMI types: Cisco, ANSI, Q.933a. The LMI type is auto-sensed on Cisco routers, but can be manually set if desired. LMI is responsible for managing the connection and maintaining the status between devices. LMI includes: a keepalive mechanism, to verify the health of the link; a multicast mechanism, which provides one-to-many delivery; addressing extensions, which can tie DLCIs to devices, thereby giving them global, rather than local, significance (uncommon); and a status mechanism, which provides an ongoing status of the DLCIs known to the switch.

DLCI ranges: 0-15 and 1008-1023 are reserved for special purposes; 16-1007 are available for use. LMI - local management interface.
PVC status codes: 0x0 - added/inactive; 0x2 - added/active; 0x4 - deleted (not on the Frame Relay switch).
Active - the circuit is active, and routers can exchange data.
Inactive - the local connection to the Frame Relay switch is working, but the remote router's connection to the Frame Relay switch is not.
Deleted - no LMI is being received from the Frame Relay switch, or there is no service between the CPE and the Frame Relay switch.

Inverse ARP asks the remote station for its Layer 3 address, which is then used to build a Frame Relay map. The broadcast option allows broadcasts and multicasts to be forwarded to that address, so that routing protocols such as OSPF can form neighbor relationships.

Steps of a typical network attack:
Step 1. Perform footprint analysis (reconnaissance).
Step 2. Enumerate information.
Step 3. Manipulate users to gain access.
Step 4. Escalate privileges.
Step 5. Gather additional passwords and secrets.
Step 6. Install backdoors.
Step 7. Leverage the compromised system.

The overall security challenge facing network administrators is balancing two important needs: keeping networks open to support business requirements, and protecting private, personal, and business information.
A security policy meets these goals: it informs users, staff, and managers of their requirements for protecting information assets; it specifies the mechanisms through which these requirements can be met; and it provides a baseline from which to acquire, configure, and audit computer systems for compliance.

When discussing network security, three factors are vulnerability, threat, and attack.
Vulnerability: the degree of weakness which is inherent in every network and device - routers, switches, desktops, and servers.
Threats: the people interested in taking advantage of each security weakness.
Attack: the threats use a variety of tools and programs to launch attacks against networks.
There are 3 primary vulnerabilities: technological, configuration, security policy.
The four classes of physical threats are: hardware, electrical, maintenance, environmental.
There are 4 primary classes of threats to networks: unstructured, structured, internal, external.
There are four primary classes of attacks: reconnaissance, access, DoS, and worms, viruses, and Trojan horses.

ACLs: 1. Enhance security (limit host access, restrict certain areas of the network). 2. Manage bandwidth. 3. Restrict services. The any keyword equals a wildcard mask of all 1s; the host keyword equals a wildcard mask of all 0s.
Dynamic ACLs: reduce the opportunity for network break-ins by network hackers; create dynamic user access through a firewall, without compromising other configured security restrictions.
Network administrators use reflexive ACLs to allow IP traffic for sessions originating from their network while denying IP traffic for sessions originating outside the network.
Standard ACL: identified by numbers 1-99 and 1300-1999; filters traffic based on source IP address.
Extended ACL: identified by numbers 100-199 and 2000-2699; filters traffic based on source IP, destination IP, protocol, and port number.

Remote connection options:
1. Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote connection solutions.
2. IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity. Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers. This is the most common option for teleworkers, combined with remote access over broadband, to establish a secure VPN over the public Internet. (A less reliable means of connectivity using the Internet is a dialup connection.)
3. The term broadband refers to advanced communications systems capable of providing high-speed transmission of services, such as data, voice, and video, over the Internet and other networks.

Dialup access - Dialup is the slowest option, and is typically used by mobile workers in areas where high-speed connections are not available.
DSL - DSL also uses telephone lines. DSL uses a special modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
Cable modem - The Internet signal is carried on the same coaxial cable that delivers cable TV. A special cable modem separates the Internet signal from the other signals and provides an Ethernet connection to a host computer or LAN.
Satellite - The computer connects to a satellite modem that transmits radio signals to the nearest point of presence within the satellite network.
DSL vs Cable: The advantage that DSL has over cable technology is that DSL is not a shared medium. Each user has a separate direct connection to the DSLAM. Adding users does not impede performance unless the DSLAM's Internet connection on the other side becomes saturated.

A VPN creates a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide protection against packet sniffing, sender authentication, and message integrity.
VPN benefits:
Cost savings - Organizations can use Internet infrastructure to connect remote offices and users to the main corporate site.
Security - Advanced encryption and authentication protocols protect data from unauthorized access.
Scalability - Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.
The three foundations of a secure VPN are the following:
Data confidentiality - A common security concern is protecting data from eavesdroppers or unauthorized sources.
Data integrity - Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination.
Authentication - Authentication ensures that a message comes from an authentic source and goes to an authentic destination.
VPN Tunneling: PPP carries the message to the VPN device, where the message is encapsulated within a Generic Routing Encapsulation (GRE) packet.

NAT address terminology:
Local address: any address that is used on, and appears within, our internal network.
Global address: any address that is used on, and appears on, an external public network.
Inside address: associated with a native network host.
Outside address: associated with a foreign network host.
Inside local: the address assigned to a host on our native network. The address is likely not a publicly routable IP address (i.e. not part of the registered address space).
Inside global: the address that represents one or more native hosts (i.e. inside local IP addresses) to the outside world (i.e. on foreign networks).
Outside local: the address of a foreign host as it appears on our native network. Not necessarily a legitimate address; it is allocated from an address space routable within our internal network.
Outside global: the address of a foreign host as it appears on foreign networks. This address is necessarily a publicly routable one.
NOTE: In most cases, the "outside local" and "outside global" addresses are identical.

NAT Benefits: eliminates readdressing overhead; conserves addresses through application port-level multiplexing; protects network security.
NAT Drawbacks: NAT increases delay due to the translation of every packet going out to or in from the public network; loss of functionality, particularly with any protocol or application that sends IP address information as part of its payload.

Three types of NAT are currently available: static NAT translation, dynamic NAT translation, and overloading NAT or Port Address Translation (PAT).
Static NAT is designed to allow one-to-one mapping of local and global addresses: mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device (usually a server) needs to be accessible from outside the network.
Dynamic NAT is designed to map a private IP address to a public address: it maps an unregistered IP address to a registered IP address from a pool of registered IP addresses.
PAT Features: PAT uses unique source port numbers on the inside global IP address to distinguish between translations. PAT / Overloading is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single-address NAT, or port-level multiplexed NAT.
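The ACL section above (wildcard masks, the any/host shortcuts, standard versus extended numbering, first-match processing) as an added example written for these notes, not code from the original. It is a small Python evaluator that applies IOS-style wildcard-mask matching and the implicit deny at the end of every list; the ACL numbers, addresses and rules are constructed for the example and do not come from any real configuration.

```python
"""Added example: first-match evaluation of IOS-style standard and extended ACLs.
ACL numbers, addresses and rules below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = wildcard mask of all 1s


def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")              # 'host' = wildcard mask of all 0s


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; a 0 bit must match the base address."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def acl_kind(number: int) -> str:
    """Numbered ranges from the notes: 1-99/1300-1999 standard, 100-199/2000-2699 extended."""
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        return "standard"
    if 100 <= number <= 199 or 2000 <= number <= 2699:
        return "extended"
    raise ValueError(f"{number} is not a standard or extended ACL number")


@dataclass
class Entry:
    action: str                           # "permit" or "deny"
    src: Tuple[str, str]                  # (base, wildcard)
    protocol: str = "ip"                  # extended only: ip, tcp, udp, icmp
    dst: Tuple[str, str] = ANY            # extended only
    dst_port: Optional[int] = None        # extended only: 'eq <port>'


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


def entry_matches(kind: str, e: Entry, p: Packet) -> bool:
    if not wildcard_match(p.src, *e.src):
        return False
    if kind == "standard":                # a standard list looks only at the source address
        return True
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not wildcard_match(p.dst, *e.dst):
        return False
    return e.dst_port is None or e.dst_port == p.dst_port


def evaluate(number: int, entries: List[Entry], p: Packet) -> str:
    """The first matching entry decides; no match means the implicit 'deny any' at the end."""
    kind = acl_kind(number)
    for e in entries:
        if entry_matches(kind, e, p):
            return e.action
    return "deny"


# Constructed lists: standard ACL 10 (source only) and extended ACL 110.
ACL_10 = [Entry("deny", host("192.168.1.50")),
          Entry("permit", ("192.168.1.0", "0.0.0.255"))]
ACL_110 = [
    Entry("permit", ("10.1.0.0", "0.0.255.255"), "tcp", host("10.2.0.5"), 443),
    Entry("deny", ("10.1.0.0", "0.0.255.255"), "tcp", host("10.2.0.5")),
    Entry("permit", ANY),
]


def demo() -> dict:
    """Verdicts for a few constructed packets against both lists."""
    return {
        "std_blocked_host": evaluate(10, ACL_10, Packet("192.168.1.50", "8.8.8.8")),
        "std_subnet": evaluate(10, ACL_10, Packet("192.168.1.7", "8.8.8.8")),
        "std_implicit_deny": evaluate(10, ACL_10, Packet("172.16.0.1", "8.8.8.8")),
        "ext_https": evaluate(110, ACL_110, Packet("10.1.3.4", "10.2.0.5", "tcp", 443)),
        "ext_ssh": evaluate(110, ACL_110, Packet("10.1.3.4", "10.2.0.5", "tcp", 22)),
        "ext_other": evaluate(110, ACL_110, Packet("10.1.3.4", "10.2.0.9", "udp", 53)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

Two behaviours worth noticing when auditing real lists: entry order matters (the deny for the single host must come before the permit for its subnet, or it never fires), and a list with no matching entry denies the packet even though no deny line is written.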
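The PAT / overloading behaviour described above as an added example written for these notes (not code from the original): a simulated translation table in Python where several inside local hosts share one inside global address, the router assigns a unique source port per flow, rewrites outbound packets, and uses that port to map replies back to the right inside local host. The addresses, port pool start and flows are constructed for the example.

```python
"""Added example: simulated PAT (NAT overload) translation table.
All addresses, ports and flows are constructed for the example."""
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatRouter:
    def __init__(self, inside_global: str, first_port: int = 1024):
        self.inside_global = inside_global
        self.next_port = first_port
        # (proto, inside local ip, inside local port) -> inside global port
        self.out_table: Dict[Tuple[str, str, int], int] = {}
        # (proto, inside global port) -> (inside local ip, inside local port)
        self.in_table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate(self, key: Tuple[str, str, int]) -> int:
        """Reuse an existing translation for the flow, else take the next free port."""
        if key not in self.out_table:
            if self.next_port > 65535:
                raise RuntimeError("PAT port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(key[0], port)] = (key[1], key[2])
        return self.out_table[key]

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: the inside local source becomes the inside global address
        with a unique source port, which is what distinguishes the translations."""
        port = self._allocate((p.proto, p.src_ip, p.src_port))
        return replace(p, src_ip=self.inside_global, src_port=port)

    def inbound(self, p: Packet) -> Packet:
        """Outside -> inside: only replies that match an existing translation get through,
        which is the 'protects network security' benefit from the notes."""
        if p.dst_ip != self.inside_global:
            raise ValueError("not addressed to the inside global address")
        try:
            local_ip, local_port = self.in_table[(p.proto, p.dst_port)]
        except KeyError:
            raise PermissionError("no translation: unsolicited inbound packet dropped")
        return replace(p, dst_ip=local_ip, dst_port=local_port)


def is_dropped(router: PatRouter, p: Packet) -> bool:
    """True when the router has no translation for an inbound packet."""
    try:
        router.inbound(p)
        return False
    except PermissionError:
        return True


def demo():
    r = PatRouter("203.0.113.10")            # constructed inside global address
    a = r.outbound(Packet("192.168.1.10", 50000, "198.51.100.7", 80))
    b = r.outbound(Packet("192.168.1.11", 50000, "198.51.100.7", 80))  # same local port, other host
    reply_to_b = r.inbound(Packet("198.51.100.7", 80, "203.0.113.10", b.src_port))
    return r, a, b, reply_to_b


if __name__ == "__main__":
    r, a, b, reply = demo()
    print("host A appears as", a.src_ip, a.src_port)
    print("host B appears as", b.src_ip, b.src_port)
    print("reply for B delivered to", reply.dst_ip, reply.dst_port)
    print("unsolicited inbound dropped:",
          is_dropped(r, Packet("198.51.100.7", 80, "203.0.113.10", 9999)))
```

The drawback listed in the notes is visible here too: the router only rewrites the IP header and port, so an application that writes its inside local address into the payload would hand the far end an address that nothing outside can reach.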
NAT Implementation Overview: Define the NAT inside and outside interfaces. Define what you're trying to accomplish with NAT. Configure NAT in order to accomplish what you defined above. Determine which of the following features you need to use: static NAT, dynamic NAT, or overloading.

There are two main mechanisms for dynamic configuration of IP parameters: RARP (Reverse Address Resolution Protocol) and DHCP (Dynamic Host Configuration Protocol).
Major DHCP Features: auto allocation, manual allocation, dynamic allocation. Server(s) are configured to provide IP information to clients on locally connected subnets: IP address pool(s) plus exclusions and reservations, subnet mask, default gateway, IP of DNS server, IP of WINS server, domain suffix. Clients lease IP information for a configured period; clients attempt to renew once half the lease time has expired; allocation can be done automatically, manually, or dynamically.

IPv6 Advanced Features:
Larger address space: global reachability and flexibility; plug-and-play.
Simpler header. A simpler and more efficient header means: -bit aligned fields and fewer fields; -based, efficient processing; forwarding rate with better scalability.
Address format: x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field, e.g. 2031:0:130F:0:0:9C0:876A:130B.
Unicast: one-to-one. Unicast types: global, link local (FE80::/10).
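The x:x:x:x:x:x:x:x notation above, worked through as an added example written for these notes (not code from the original): a hand-written Python expander and compressor for the text form (a single "::" standing for a run of zero fields, leading zeros dropped, lowercase, longest zero run compressed as in RFC 5952) plus a scope check for the two unicast types the notes name, link local FE80::/10 and global. The address from the notes is used as input; the other sample addresses are constructed.

```python
"""Added example: expand/compress IPv6 text form and classify unicast scope.
Sample addresses other than the one in the notes are constructed."""
from typing import List


def expand(addr: str) -> List[int]:
    """Parse the text form into eight 16-bit fields, handling a single '::'."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        left = [int(x, 16) for x in head.split(":") if x]
        right = [int(x, 16) for x in tail.split(":") if x]
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero field")
        fields = left + [0] * missing + right
    else:
        fields = [int(x, 16) for x in addr.split(":")]
    if len(fields) != 8 or any(not 0 <= f <= 0xFFFF for f in fields):
        raise ValueError(f"not a valid IPv6 address: {addr}")
    return fields


def compress(addr: str) -> str:
    """Canonical short form: lowercase, no leading zeros, the longest run of two or more
    zero fields replaced by '::' (leftmost run wins a tie)."""
    fields = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] == 0:
            j = i
            while j < 8 and fields[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(f, "x") for f in fields]
    if best_len < 2:
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


def unicast_scope(addr: str) -> str:
    """Link local is FE80::/10 (top ten bits 1111111010); 2000::/3 is global unicast."""
    first = expand(addr)[0]
    if (first & 0xFFC0) == 0xFE80:
        return "link-local"
    if (first & 0xE000) == 0x2000:
        return "global"
    return "other"


if __name__ == "__main__":
    for sample in ["2031:0:130F:0:0:9C0:876A:130B", "FE80::1", "2001:db8:0:1:0:0:0:1", "::1"]:
        print(f"{sample:32} -> {compress(sample):28} {unicast_scope(sample)}")
```

Note that the prefix test works on the first field only because both prefixes the notes mention are shorter than 16 bits; a general prefix match would compare all 128 bits against a mask.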