Network Security, Firewalls,
and VPNs
Lesson 6
Firewall Implementation Options
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Ethernet Color Standards
URL of above graphics: https://www.joncamfield.com/oss/schooltools/Reference/EthernetCabling.htm
T-568A Standard
T-568B Standard
Crossover Cable
Diagram of Wiring
Network Topologies
Network topology is the name given to the way in which the devices (called nodes) are physically connected in a network.
The network topology chosen typically dictates:
the type of cabling used in the network
the scalability of the network
Bus Topology
Nodes are connected to a main (bus) cable. If data is being sent between two nodes then the other nodes cannot transmit. If too many nodes are connected then the transfer of data slows dramatically, as the nodes have to wait longer for the bus to be clear.
Bus Topology (cont)
Advantages:
The simplest and cheapest to install and extend.
Well suited for temporary networks with not many nodes.
Very flexible as nodes can be attached or detached without disturbing the rest of the network.
Failure of one node does not affect the rest of the bus network.
Simpler than a ring topology to troubleshoot if there is a cable failure because sections can be isolated and tested independently.
Disadvantages:
If the bus cable fails then the whole network will fail.
Performance of the network slows down rapidly with more nodes or heavy network traffic.
The bus cable has a limited length and must be terminated properly at both ends to prevent reflected signals.
Slower than a ring network as data cannot be transmitted while the bus is in use by other nodes.
Ring Topology
In a ring topology, the nodes are connected in a ring and data travels in one direction using a control signal called a 'token'.
Ring Topology (cont)
Advantages:
Not greatly affected by adding further nodes or heavy network traffic as only the node with the 'token' can transmit data so there are no data collisions.
Relatively cheap to install and expand.
Disadvantages:
Slower than a star topology under normal load.
If the cable fails anywhere in the ring then the whole network will fail.
If any node fails then the token can no longer be passed around the ring, so the whole network fails.
The hardest topology to troubleshoot because it can be hard to track down where in the ring the failure has occurred.
Harder to modify or expand because to add or remove a node you must shut down the network temporarily.
In order for the nodes to communicate with each other they must all be switched on.
Star Topology
In this type of network, a central computer (server) usually forms the main node and the subsidiary nodes are connected to it and to each other through a switch or hub.
Star Topology (cont)
Advantages:
The most reliable because the failure of a node or a node cable does not affect other nodes.
Simple to troubleshoot because only one node is affected by a cable break between the switch and the node.
Adding further nodes does not greatly affect performance because the data does not pass through unnecessary nodes.
Easily upgraded from a hub to a switch for higher performance. Easy to install and to expand with extra nodes.
Disadvantages:
Uses the most cable which makes it more expensive to install than the other two topologies.
The extra hardware required such as hubs or switches further increases the cost.
As the central computer controls the whole system, the whole system will be affected if it breaks down or if the cable link between it and the switch fails.
If the switch, the link to the server or the server itself fails then the whole network fails.
Network Topologies Summary
IEEE
IEEE stands for the "Institute of Electrical and Electronics Engineers".
It is composed of computer scientists, software developers, information technology professionals, physicists, and medical doctors, in addition to IEEE's electrical and electronics engineering core.
For this reason the organization no longer goes by the full name, except on legal business documents, and is referred to simply as IEEE.
The IEEE is dedicated to advancing technological innovation and excellence. It has about 425,000 members in about 160 countries.
The IEEE is one of the leading bodies to produce standards relating to networking.
IEEE 802 Standards
IEEE 802 refers to a family of standards dealing with local area networks (LAN), wide-area networks (WAN) and metropolitan area networks (MAN).
The 802 number is the name of the IEEE committee that deals with networking standards.
Various subcommittees have been created to deal with specific standards. They are denoted by 802.x where x is the number of the subcommittee.
For instance, 802.11 deals with WiFi.
802 typically deals with OSI layers 2 and 1.
802.1
802.1 Bridging and Network Management
802.1q Virtual Local Area Networks (VLAN)
In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers.
Traffic is marked (or tagged) to be a part of a specific VLAN
Traffic stays within its own VLAN and must be routed to other VLANs.
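The 802.1Q tag and the isolation it provides can be seen in a few lines of code. The following is an added example (not part of the slides or of any vendor's implementation): it builds and parses an Ethernet frame carrying an 802.1Q tag (TPID 0x8100 followed by the 16-bit TCI: 3-bit PCP, 1-bit DEI, 12-bit VID) and then applies a minimal switch forwarding rule so that a frame tagged for VLAN 10 reaches only ports in VLAN 10. The port table, MAC addresses and payload are constructed for the example, and trunk handling is simplified (no native VLAN: an untagged frame arriving on a trunk is dropped).

```python
import struct

TPID_8021Q = 0x8100          # tag protocol identifier that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag after the source MAC."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)      # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return addresses, VLAN fields (None when untagged), inner EtherType and payload."""
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "vid": None, "pcp": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vid"], info["pcp"] = tci & 0x0FFF, tci >> 13
        offset = 18
    info["ethertype"], info["payload"] = ethertype, frame[offset:]
    return info


def forward(frame: bytes, ingress: str, ports: dict) -> list:
    """Decide which ports receive the frame.

    ports: name -> {"mode": "access", "vlan": N} or {"mode": "trunk", "allowed": {N, ...}}.
    Returns a sorted list of (port, vid_on_wire); vid_on_wire is None for untagged delivery.
    """
    info = parse_frame(frame)
    port = ports[ingress]
    if port["mode"] == "access":
        if info["vid"] is not None:
            return []                      # tagged frame on an access port is not accepted
        vid = port["vlan"]                 # untagged traffic belongs to the port's VLAN
    else:
        if info["vid"] is None or info["vid"] not in port["allowed"]:
            return []                      # simplification: no native VLAN on trunks
        vid = info["vid"]
    out = []
    for name, p in ports.items():
        if name == ingress:
            continue
        if p["mode"] == "access" and p["vlan"] == vid:
            out.append((name, None))       # tag is stripped towards an access port
        elif p["mode"] == "trunk" and vid in p["allowed"]:
            out.append((name, vid))        # tag is kept on a trunk
    return sorted(out)                     # traffic never crosses into another VLAN


# constructed sample topology and frame (not from the slides)
PORTS = {
    "gi0/1": {"mode": "trunk", "allowed": {10, 20}},
    "gi0/2": {"mode": "access", "vlan": 10},
    "gi0/3": {"mode": "access", "vlan": 20},
}
SAMPLE = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                     b"\x45\x00", vid=10, pcp=3)

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
    print(forward(SAMPLE, "gi0/1", PORTS))          # [('gi0/2', None)]
```

The broadcast tagged for VLAN 10 is delivered only to the VLAN 10 access port; the VLAN 20 port never sees it, which is exactly the "must be routed to other VLANs" property from the slide.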
802.1x
802.1x Port Based Security
It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
It defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802.
802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.
The supplicant is a client device (such as a laptop) that wishes to attach to the LAN
The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized.
The authentication server determines whether the supplicant's credentials, as relayed by the authenticator, are valid. If they are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.
802.1x (cont)
802.1x Process
On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with that TCP and UDP), is dropped.
To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.
The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (the type of EAP-based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can start using the requested EAP Method, or send a NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.
If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet), or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed, if it is unsuccessful the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-logoff message to the authenticator, the authenticator then sets the port to the "unauthorized" state, once again blocking all non-EAP traffic.
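The three-party exchange above, as an added simulation that is not part of the slides or of any switch or RADIUS product. The authenticator port starts "unauthorized" and drops everything except EAPOL (EtherType 0x888E), relays EAP between the supplicant and the server (translating to RADIUS Access-Request / Access-Challenge / Access-Accept / Access-Reject), and opens the port only on EAP-Success. The EAP method itself is a toy HMAC challenge/response standing in for a real method, and the credential table is constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum

EAPOL_ETHERTYPE = 0x888E      # EAP over LAN: the only EtherType an unauthorized port accepts
IPV4_ETHERTYPE = 0x0800


class PortState(Enum):
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass
class Frame:
    ethertype: int
    kind: str = "data"        # EAPOL-Start, EAP-Response/Identity, EAP-Response, EAPOL-Logoff, data
    identity: str = ""
    proof: str = ""           # supplicant's answer to the challenge (toy method, not real EAP)


class AuthServer:
    """Stand-in for the RADIUS authentication server; credentials are constructed for the example."""

    def __init__(self, credentials):
        self.credentials = credentials    # identity -> shared secret
        self.pending = {}                 # identity -> outstanding challenge

    def access_request_identity(self, identity):
        # Issue a challenge for any identity, so the reply does not reveal which users exist.
        self.pending[identity] = secrets.token_hex(8)
        return "Access-Challenge", "EAP-Request(method=toy-challenge," + self.pending[identity] + ")"

    def access_request_proof(self, identity, proof):
        challenge = self.pending.pop(identity, None)
        secret = self.credentials.get(identity)
        if challenge is not None and secret is not None:
            expected = hmac.new(secret.encode(), challenge.encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, proof):
                return "Access-Accept", "EAP-Success"
        return "Access-Reject", "EAP-Failure"


class AuthenticatorPort:
    """Switch port acting as authenticator: relays EAP to the server and gates all other traffic."""

    def __init__(self, server):
        self.server = server
        self.state = PortState.UNAUTHORIZED
        self.log = []

    def receive(self, frame):
        """Handle a frame from the supplicant; return what the port sends back or does with it."""
        if frame.ethertype != EAPOL_ETHERTYPE:
            if self.state is PortState.AUTHORIZED:
                return "forwarded"
            self.log.append("dropped non-EAPOL frame while unauthorized")
            return "dropped"
        if frame.kind == "EAPOL-Start":
            return "EAP-Request/Identity"
        if frame.kind == "EAP-Response/Identity":
            radius, eap = self.server.access_request_identity(frame.identity)
            self.log.append("RADIUS Access-Request -> " + radius)
            return eap                     # EAP Request re-encapsulated in EAPOL towards the supplicant
        if frame.kind == "EAP-Response":
            radius, eap = self.server.access_request_proof(frame.identity, frame.proof)
            self.log.append("RADIUS Access-Request -> " + radius)
            self.state = PortState.AUTHORIZED if eap == "EAP-Success" else PortState.UNAUTHORIZED
            return eap
        if frame.kind == "EAPOL-Logoff":
            self.state = PortState.UNAUTHORIZED
            return "port set to unauthorized"
        return "ignored"


def supplicant_proof(secret, eap_request):
    """Supplicant side of the toy method: HMAC the server's challenge with the shared secret."""
    challenge = eap_request.rsplit(",", 1)[1].rstrip(")")
    return hmac.new(secret.encode(), challenge.encode(), hashlib.sha256).hexdigest()


def run_session(port, identity, secret):
    """Drive the whole exchange from the supplicant side and return the resulting port state."""
    assert port.receive(Frame(EAPOL_ETHERTYPE, "EAPOL-Start")) == "EAP-Request/Identity"
    request = port.receive(Frame(EAPOL_ETHERTYPE, "EAP-Response/Identity", identity=identity))
    proof = supplicant_proof(secret, request)
    port.receive(Frame(EAPOL_ETHERTYPE, "EAP-Response", identity=identity, proof=proof))
    return port.state


if __name__ == "__main__":
    port = AuthenticatorPort(AuthServer({"alice": "correct-horse"}))   # constructed credential
    print(port.receive(Frame(IPV4_ETHERTYPE)))                         # dropped
    print(run_session(port, "alice", "correct-horse"))                 # PortState.AUTHORIZED
    print(port.receive(Frame(IPV4_ETHERTYPE)))                         # forwarded
    print(port.receive(Frame(EAPOL_ETHERTYPE, "EAPOL-Logoff")), port.state)
```

The `log` list on the port records each RADIUS round trip, which is the event a network defender would expect to see mirrored in switch and RADIUS logs when auditing who was admitted on which port.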
802.2 Logical Link Control
Defines Logical Link Control (LLC), which is the upper portion of the data link layer of the OSI Model.
The LLC sublayer presents a uniform interface to the user of the data link service, usually the network layer.
Beneath the LLC sublayer is the Media Access Control (MAC) sublayer, which is dependent on the particular medium being used (Ethernet, token ring, FDDI, 802.11, etc.).
802.3 Ethernet
A group of standards that define the physical network media and bandwidth of the network.
Bandwidth: The amount of data that can be transmitted over a given period of time. Examples: 100Mbps or 1Gbps
Type of cable supported: Twisted Pair Cabling (Cat5,6), Fiber optic cable (multimode and single mode) and coax.
Cat 6: 1Gbps at 100M, 10Gbps at 33M
Implements Carrier Sense Multiple Access with Collision Detection (CSMA/CD)
802.4 Token Bus
Network implementing the token ring protocol over a "virtual ring" on a coaxial cable.
Disbanded and standard withdrawn
802.5 Token Ring
Defines the MAC layer for token ring networks.
Initially token ring was a proprietary technology of IBM
Maximum bandwidth 15Mbps.
No current research being conducted.
802.6 MAN
A Metropolitan Area Network (MAN) is a computer network larger than a local area network, covering an area of a few city blocks to the area of an entire city.
MAN links between local area networks have been built with wireless links using either microwave, radio, or infra-red laser transmission.
Most companies rent or lease circuits from common carriers because laying long stretches of cable is expensive.
Some wired technologies used in MANs include
Fiber Distributed Data Interface (FDDI): provides a 100 Mbit/s optical standard for data transmission in a local area network that can extend in range up to 200 kilometers (120 mi). Although the FDDI logical topology is a ring-based token network, it did not use the IEEE 802.5 token ring protocol as its basis; instead, its protocol was derived from the IEEE 802.4 token bus timed token protocol.
Asynchronous Transfer Mode (ATM): developed to meet the needs of the Broadband Integrated Services Digital Network, as defined in the late 1980s, and designed to unify telecommunication and computer networks.
802.11 WiFi
Standards relating to communication via radio frequency.
Standard    Bandwidth    Frequency    Distance
802.11a     54Mbps       5Ghz         30M
802.11b     10Mbps       2.4Ghz       100M
802.11g     54Mbps       2.4Ghz       100M
802.11n     600Mbps      2.4/5Ghz     250M
802.11ac    6.77Gbps     2.4/5Ghz     250M
802.11 Privacy
Wired Equivalent Privacy (WEP)
Designed to approximate wired hub-based Ethernet environment.
Key entered into both the access point and the clients.
The same key is shared by all participants in the WiFi LAN.
Uses a stream cipher to protect data
Key length is the initialization vector (IV) plus the WEP key:
128-bit WEP = 104-bit key + 24-bit IV
64-bit WEP = 40-bit key + 24-bit IV
Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.
Depending on the amount of network traffic, and thus the number of packets available for inspection, a successful key recovery could take as little as one minute.
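The "50% after 5000 packets" figure is the birthday bound on a 24-bit IV space, and the added example below (not from the slides) computes it rather than taking it on trust. It gives the exact probability that at least two of N randomly chosen IVs coincide, the packet count at which that probability reaches 50%, and a seeded simulation of a sender drawing random IVs until the first repeat. The comparison value of 48 bits is an assumption made here to show how much headroom a longer per-packet counter buys; with a static WEP key, a repeated IV means the same RC4 keystream is reused, which is the property the slide warns about.

```python
import math
import random

WEP_IV_BITS = 24       # from the slide: 24-bit IV sent in the clear, RC4 key = IV + WEP key
LONGER_IV_BITS = 48    # assumed comparison width (not from the slides)


def repeat_probability(iv_bits, packets):
    """Exact birthday probability that at least two of `packets` random IVs are equal.

    Computed in log space as 1 - prod(1 - i/space) so the small-probability case stays accurate.
    """
    space = 2 ** iv_bits
    if packets > space:
        return 1.0                     # pigeonhole: a repeat is certain
    log_no_repeat = sum(math.log1p(-i / space) for i in range(packets))
    return -math.expm1(log_no_repeat)


def packets_for_probability(iv_bits, p=0.5):
    """Approximate packet count at which a repeat has probability p (n ~ sqrt(2 * space * ln(1/(1-p))))."""
    return math.ceil(math.sqrt(-2 * (2 ** iv_bits) * math.log1p(-p)))


def packets_until_first_repeat(iv_bits, seed=1):
    """Simulate a sender picking IVs uniformly at random; count packets until one repeats."""
    rng = random.Random(seed)          # seeded so the run is reproducible
    seen = set()
    while True:
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)


if __name__ == "__main__":
    print("P(repeat) after 5000 packets, 24-bit IV: %.3f" % repeat_probability(WEP_IV_BITS, 5000))
    print("P(repeat) after 5000 packets, 48-bit IV: %.2e" % repeat_probability(LONGER_IV_BITS, 5000))
    print("packets for 50%% with 24-bit IV: %d" % packets_for_probability(WEP_IV_BITS))
    print("simulated first repeat (24-bit): packet %d" % packets_until_first_repeat(WEP_IV_BITS))
```

Running it shows roughly a 52% chance of a repeat after 5000 packets with 24 bits, matching the slide, against well under one in a million for 48 bits; the simulation typically hits its first repeat after a few thousand packets, i.e. within seconds on a busy access point.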
802.11 Privacy (Cont)
WiFi Protected Access (WPA) replaced WEP.
Firmware upgrade
Improved implementation of RC4
Improved implementation of IVs (TKIP)
TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.
WPA2 replaced WPA
Uses AES encryption instead of RC4
WPA2 is mandatory for a device to bear the WiFi trademark.
802.15 Bluetooth
Bluetooth
Low power, short distances
Operates in the ISM (Industry, Scientific, Medical) band at 2.45 GHz
10 meter range
721 Kbps bandwidth
Wireless Radio Technologies
Direct Sequence Spread Spectrum (DSSS): Spreads transmissions over a larger frequency band.
The signal is less susceptible to interference at any specific frequency
A pseudo-random noise code is modulated with the signal during transmission.
The resulting signal resembles white noise.
The receiver filters out the noise.
Uses
802.11b
US GPS
Bluetooth
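The spreading and despreading steps described above, as an added simulation that is not part of the slides: each data bit is multiplied by an 11-chip pseudo-random code (modelled on the length-11 Barker sequence that 802.11b uses; the exact chip values are an assumption here), the channel adds a narrowband jammer five times stronger than the signal plus seeded Gaussian noise, and the receiver correlates each block with the same code. The signal adds coherently across the 11 chips while the jammer does not, so the bits are recovered; a receiver that ignores the code and simply averages the chips is swamped.

```python
import math
import random

# 11-chip spreading code modelled on the length-11 Barker sequence used by 802.11b (assumption)
CHIP_CODE = [+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1]
N = len(CHIP_CODE)


def spread(bits):
    """Map each data bit to +1/-1 and multiply by the chip code: 1 bit -> 11 chips."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in CHIP_CODE)
    return chips


def channel(chips, jammer_amplitude=5.0, noise_sigma=0.3, seed=7):
    """Add a narrowband jammer (a single tone, here at DC) stronger than the chips, plus noise."""
    rng = random.Random(seed)              # seeded so the run is reproducible
    return [c + jammer_amplitude + rng.gauss(0, noise_sigma) for c in chips]


def despread(rx):
    """Correlate each 11-chip block with the code: signal sums to +/-11, the jammer to +/-1."""
    bits = []
    for start in range(0, len(rx), N):
        corr = sum(r * c for r, c in zip(rx[start:start + N], CHIP_CODE))
        bits.append(1 if corr > 0 else 0)
    return bits


def naive_receive(rx):
    """A receiver that ignores the code and averages the chips sees only the jammer."""
    bits = []
    for start in range(0, len(rx), N):
        block = rx[start:start + N]
        bits.append(1 if sum(block) / len(block) > 0 else 0)
    return bits


def processing_gain_db():
    """Spreading gain of the code: 10*log10(chips per bit), about 10.4 dB for 11 chips."""
    return 10 * math.log10(N)


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]        # constructed sample bits
    rx = channel(spread(data))
    print("sent     ", data)
    print("despread ", despread(rx))       # matches the sent bits
    print("naive    ", naive_receive(rx))  # all ones: the jammer dominates
    print("gain dB  ", round(processing_gain_db(), 1))
```

The same correlation is what a legitimate receiver must do to hear the signal at all, which is why DSSS is described as resembling white noise to anyone listening at a single frequency without the code.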
Wireless Radio Technologies
Frequency Hopping Spread Spectrum (FHSS): a method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver.
Uses
Military communication
Federal Aviation Administration (FAA)
Wireless Radio Technologies
Orthogonal Frequency Division Multiplexing (OFDM): a signal that is subdivided into frequency sub bands.
Each of these sub bands can be broadcast together without interference.
The basic idea of OFDM is to split a high bandwidth transmission into several lower bandwidth transmissions.
Uses
Digital TV broadcasts
802.11a, 802.11g, 802.11n, 802.11ac
ADSL
LTE, LTE Advanced
Wireless Radio Technologies
Frequency Division Multiple Access: Subdivides a frequency band and assigns an analog conversation to each sub-band.
Only used in analog cellular
Wireless Radio Technologies
Code Division Multiple Access (CDMA)
Similar to DSSS
It spreads each call over a wide spectrum and tags it with a pseudo-random noise code to differentiate the calls.
CDMA2000 Is a family of 3G access that uses CDMA channel access (typically, far east)
Wireless Radio Technologies
Universal Mobile Telecommunications System Time-Division Duplexing (UMTS TDD): a third generation mobile cellular system
data transfer rates of 2 Mbps at 5 MHz
data transfer rates of 42 Mbps for HSPA+
Data Center
A data center is a facility used to house computer systems and associated components, such as telecommunications and storage systems.
Hot Sites: “proactive” hot site allows you to keep servers and a live backup site up and running in the event of a disaster
Warm Sites: A “preventative” warm site allows you to pre-install your hardware and pre-configure your bandwidth needs. Then, if disaster strikes, all you have to do is load your software and data to restore your business systems.
Cold Sites: A “recovery” cold site is essentially just data center space, power, and network connectivity that’s ready and waiting for whenever you might need it.
Different Types of Networks
Local Area Networks (LAN) = room/building
Campus Area Network (CAN) = a complex of adjacent buildings
Metropolitan Area Networks (MAN) = a city
Wide Area Networks (WAN) = a large geographic area (across metropolitan, regional, national or international boundaries)