# Static Routing
A router with manually configured routing tables is known as a static router. A network administrator,
with knowledge of the internetwork topology, manually builds and updates the routing table,
programming all routes in the routing table. Static routers can work well for small internetworks but do
not scale well to large or dynamically changing internetworks due to their manual administration.
# Dynamic Routing
A router with dynamically configured routing tables is known as a dynamic router. Dynamic routing
consists of routing tables that are built and maintained automatically through an ongoing communication
between routers.
The ability to scale and recover from internetwork faults makes dynamic routing the better choice for
medium, large, and very large internetworks.
A good example of a dynamic router is a computer with Windows 2000 Server and the Routing and
Remote Access Service running the Routing Information Protocol (RIP) and Open Shortest Path First
(OSPF) routing protocols for IP and RIP for IPX.
(b) What are VLSM and CIDR? Why do we use loopback addresses in practical networking operation? [3]
# VLSM
Variable Length Subnet Mask (VLSM) is the practice of applying subnet masks of different lengths within one network, sizing each subnet according to overall network requirements rather than giving every subnet the same mask.
# CIDR
Classless Inter-Domain Routing (CIDR) is a set of Internet Protocol (IP) addressing standards that allocates addresses by prefix length rather than by address class and is used to create unique identifiers for networks and individual devices.
# Loopback
I strictly use loopbacks for management of routers. The theory behind that is that a loopback is always available (unless your router is dead). Loopback interfaces are always up, so they will be reachable if any interface on the router is connected to the rest of the network.
# BPDU Guard
The BPDU Guard feature protects the Layer 2 Spanning Tree Protocol (STP) topology from BPDU-related attacks. When a BPDU Guard-enabled port receives a BPDU from the connected device, BPDU Guard disables the port and puts it into the errdisable state.
# Internet security infrastructure
Network infrastructure security is clearly a pressing need, especially in light of recent national attacks, because such attacks have the potential to affect the entire Internet infrastructure, which may have serious consequences for the security and economic vitality of society.
# DMZ
A DMZ (demilitarized zone) on a home router refers to a DMZ host. A home router DMZ host is a host on the internal network that has all UDP and TCP ports open and exposed, except those ports that are otherwise forwarded.
# Loop guard
Loop guard and UDLD are two ways to protect your fiber cables from causing loops in the network. In short, loop guard is a spanning-tree optimisation,
# Router in stack
This is a stack router for JavaScript applications, which depends on the history package.
When using any combination of these commands within a policy, the commands are evaluated in the following order:
1. set ip next-hop
2. set interface
1. Source-based transit provider selection: Internet service providers (ISPs) and other
organizations can use PBR to route traffic originating from different sets of users through
setting the ToS values in the IP packet headers in routers at the periphery of the network
and then leveraging queuing mechanisms to prioritize traffic in the network’s core or
backbone. This setup improves network performance by eliminating the need to classify
the traffic explicitly at each WAN interface in the network’s core or backbone.
3. Cost savings: An organization can direct the bulk traffic associated with a specific activity to use a higher-bandwidth, high-cost link for a short time and continue basic connectivity over a lower-bandwidth, low-cost link for interactive traffic. For example, a dial-on-demand Integrated Services Digital Network (ISDN) line could be brought up in response to traffic destined for a finance server; PBR would select this link.
# Public/Private Keys
We generate a cipher key pair. One key is the private key, the other is the public key.
The private key remains secret and should be protected.
The public key is freely distributable. It is related mathematically to the private key, but you cannot (easily) reverse engineer the private key from the public key.
Use the public key to encrypt data. Only someone with the private key can decrypt it.
(One key is used to encrypt the document; a different key is used to decrypt it.)
@Digital signature
A digital code (generated and authenticated by public key encryption) which is attached to an electronically transmitted document to verify its contents and the sender's identity.
Private Key Protection: The storage of private keys in a secure location is mandatory when
dealing with PKI. Many people take private keys for corporate CAs completely offline, store them in a
secure place, and only use them when they need to generate a new key.
A DoS attack can be carried out in several ways. The basic types of DoS attack include:
1. Ineffective services
2. Inaccessible services
3. Interruption of network traffic
4. Connection interference
3. Secret key: It is also an input to the algorithm. The exact substitutions and transformations depend on the key.
4. Ciphertext: The scrambled message produced as output. It depends on the plaintext and the secret key. For the same message, two different keys will produce two different ciphertexts.
5. Decryption algorithm: The reverse of encryption. Its input is the ciphertext and the same secret key, and it generates the original plaintext.
@What is a Firewall?
In computing, a firewall is a network security system that monitors and controls incoming and outgoing
network traffic based on predetermined security rules.
(b) Recommendations for securing Layer 2 networks?
Manage the switches in a secure manner. For example, use SSH, an authentication mechanism, access lists, and set privilege levels.
Restrict management access to the switch so that untrusted networks are not able to exploit management interfaces and protocols such as SNMP.
Always use a dedicated VLAN ID for all trunk ports.
Be skeptical; avoid using VLAN 1 for anything.
Disable DTP on all non-trunking access ports.
Deploy the Port Security feature to prevent unauthorized access from switching ports.
Use the Private VLAN feature where applicable to segregate network traffic at Layer 2.
Use MD5 authentication where applicable.
Disable CDP where possible.
Prevent denial-of-service attacks and other exploitation by disabling unused services and protocols.
Shut down or disable all unused ports on the switch, and put them in a VLAN that is not used for normal operations.
Use port security mechanisms to provide protection against a MAC flooding attack.
Use port-level security features such as DHCP Snooping, IP Source Guard, and ARP security where applicable.
Enable Spanning Tree Protocol features (for example, BPDU Guard, Loop Guard, and Root Guard).
Use Switch IOS ACLs and wire-speed ACLs to filter undesirable traffic (IP and non-IP).
(c) You can configure these types of secure MAC addresses:
• Static secure MAC addresses: These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
• Dynamic secure MAC addresses: These are dynamically learned, stored only in the address table, and removed when the switch restarts.
• Sticky secure MAC addresses: These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it.
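As an added example (not from the original notes), the following Cisco IOS configuration applies the Layer 2 recommendations from (b) and shows the static and sticky secure MAC address types from (c) on one access port; addresses learned on that port without the sticky keyword would be dynamic and lost on restart. The VLAN numbers, interface names, management subnet, MAC address and credentials are all assumed values.

```cisco
! Added example, not from the original notes: Cisco IOS configuration applying
! the Layer 2 recommendations above. VLAN numbers, interface names, the
! management ACL, the MAC address and the credentials are assumed values.
! Secure management: SSH only, local authentication, restricted by access list
ip domain-name example.test
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <strong-secret>
access-list 10 permit 10.0.100.0 0.0.0.255
line vty 0 4
 login local
 transport input ssh
 access-class 10 in
!
! Global protections against rogue DHCP servers and ARP poisoning; no CDP
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
no cdp run
!
! Access port: DTP disabled, port security with one static and one sticky MAC.
! Without "sticky", learned addresses are dynamic and are lost on restart.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source
!
! Uplink trunk: dedicated native VLAN, DTP off, trusted for snooping, root guard
interface GigabitEthernet1/0/24
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
 spanning-tree guard root
!
! Unused ports: shut down and parked in a VLAN not used for normal operations
interface range GigabitEthernet1/0/2 - 23
 switchport mode access
 switchport access vlan 666
 shutdown
```

After saving with `write memory`, `show port-security interface GigabitEthernet1/0/1` lists the static and sticky addresses that survive a restart.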
@What is IP Spoofing?
IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal their identity, spoof a web site, hijack browsers, or gain access to a network.