CH/S6CA/Nov. 2008

SOHO NETWORK MANAGEMENT AND SECURITY

Network Monitoring

Aim: To ensure that the network can function properly and continuously. The following could be monitored:
i. Memory utilization: including the physical memory and virtual memory.
ii. Bandwidth utilization: see if congestion occurs, indicating the host causing the congestion and the time of the congestion.
iii. CPU performance: e.g. CPU utilization.
iv. Hard disk performance: e.g. hard disk throughput, disk space used.
v. Connectivity between hosts: can be tested by using ping.

Simple Network Management Protocol (SNMP)
i. SNMP forms part of the Internet protocol suite.
ii. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications, e.g. the Network Management System (NMS).
iii. Software called an agent is installed in network-attached devices (managed devices) and reports the condition of the managed devices to the NMS.
iv. Basic SNMP operations:
   a. Get – allows the NMS to retrieve information about monitored devices via the agent.
   b. Set – allows the NMS to set values on monitored devices.
   c. Trap – is used by the agent to inform the NMS of an abnormal event that happened in the monitored device.

Troubleshooting
Network problems may be caused by the following factors:
i. Connectivity – loose cables, loose network card.
ii. Hardware problems – hardware failure or conflict with other hardware.
iii. Configuration problems – wrong IP address, wrong subnet mask, wrongly configured firewall / router.
Commands used to solve network problems:
i. ping – tests whether a host is reachable.
ii. netstat – displays connections, network statistics, etc.
iii. traceroute – determines the route taken by a packet from the source to the destination.

Disaster Recovery
The process of resuming access to data and other resources after natural or human disasters.
Disaster recovery planning involves the following steps:
i. Evaluating the existing risks in a corporation.
ii. Determining the importance of different data.
iii. Developing the recovery strategy according to the importance of the data.
Measures to prevent data loss:
i. Perform backup.
ii. Use a fault-tolerant system (e.g. RAID).
iii. Use an Uninterruptible Power Supply (UPS).
iv. Use anti-virus software, etc.

Backup

Backup and Restore
i. Backup is the process of making a copy of the data or files.
ii. When a data loss event happens, the copy is restored so as to prevent data loss.
Examples of software used in backup:
i. CA ARCserve
ii. EMC Legato Networker, etc.
Storage media used for backup:
i. Magnetic tape
ii. Optical disks: DVD-ROM, etc.
iii. Hard disk, etc.

Network Backup Server
i. A server used to provide an online backup and restore service.
ii. Advantages (over traditional backup):
   a. Automatic (without changing tapes or DVD-ROMs).
   b. Huge storage capacity – can support a number of servers.
iii. Disadvantage:
   a. Expensive.

Fault-Tolerance
Measures to make sure that a system will continue to operate even if failures occur. If its operating quality decreases at all, the decrease is proportional to the severity of the failure, as compared to a naively designed system in which even a small failure can cause total breakdown.

Fault-Tolerance Backup

Redundant Array of Independent Disks (RAID)
i. Provides redundancy of data in storage devices to achieve fault-tolerance.
ii. Commonly used RAID levels: RAID 0, RAID 1, RAID 5.

RAID 1 (Mirror set without parity)
i. When data is written to disk 0, an exact copy is created on another disk, disk 1.
ii. The copy on disk 1 is called the "mirror".
iii. When disk 0 fails, data can be restored from disk 1.
iv. When disk 1 fails, data can be restored from disk 0.
v. Minimum number of disks required = 2.
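The following simulation is an added example, not code from the notes. It models the RAID 1 mirroring just described and the RAID 5 scheme described next in this section (four disks, a stripe of three data blocks plus one parity block, parity rotating across the disks): a failed disk is represented as None, and a read rebuilds the missing block by XOR-ing the surviving blocks of the stripe. The 4-byte block size and the sample text are constructed for the demonstration.

```python
"""RAID 1 mirroring and RAID 5 striping with distributed parity, simulated in Python.
Added example, not from the notes; a disk is a list of fixed-size blocks, a failed disk is None."""
from typing import List, Optional

Disk = Optional[List[bytes]]


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bitwise XOR of equal-length blocks: computes parity, and also rebuilds a lost block."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


# RAID 1: every write goes to both disks; a read can come from whichever disk survives.
def raid1_write(data: bytes) -> List[Optional[bytes]]:
    return [data, data]


def raid1_read(disks: List[Optional[bytes]]) -> bytes:
    for copy in disks:
        if copy is not None:
            return copy
    raise RuntimeError("RAID 1: both disks failed")


# RAID 5: each stripe holds ndisks-1 data blocks plus one parity block; the parity
# position rotates so that parity is spread over all disks (stripe 0 -> last disk).
def parity_disk_for(stripe: int, ndisks: int) -> int:
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data: bytes, ndisks: int = 4, block: int = 4) -> List[Disk]:
    ndata = ndisks - 1
    stripe_bytes = ndata * block
    padded = data + b"\0" * (-len(data) % stripe_bytes)      # pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        pieces = [chunk[i * block:(i + 1) * block] for i in range(ndata)]
        parity = xor_blocks(pieces)
        pdisk = parity_disk_for(s, ndisks)
        it = iter(pieces)
        for d in range(ndisks):
            disks[d].append(parity if d == pdisk else next(it))
    return list(disks)


def raid5_read(disks: List[Disk], length: int) -> bytes:
    ndisks = len(disks)
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5: more than one failed disk, data lost")
    nstripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(nstripes):
        blocks = [disks[d][s] if disks[d] is not None else None for d in range(ndisks)]
        if failed:
            # XOR of all surviving blocks (data and parity) rebuilds the missing one,
            # whether the failed disk held a data block or the parity block for this stripe.
            blocks[failed[0]] = xor_blocks([b for b in blocks if b is not None])
        pdisk = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += blocks[d]
    return bytes(out[:length])


SAMPLE = b"The quick brown fox jumps over the lazy dog"   # constructed sample data

if __name__ == "__main__":
    disks = raid5_write(SAMPLE)
    disks[2] = None                      # simulate one disk failing
    print(raid5_read(disks, len(SAMPLE)))
```

Setting any one entry of the disk list to None still yields the original data; setting two raises, which is the "any two disks break at the same time" case from the notes.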
RAID 5 (Block-level striping with parity)
i. Striping – spreading out blocks of each file across multiple disks.
ii. Assume 4 disks are used for RAID 5. When data is written to the disks, the data is broken into 3 pieces and written to 3 of the 4 disks, e.g. Disks 0, 1 and 2 (striping). A parity block used for error correction is calculated and written to the remaining disk (e.g. Disk 3).
iii. The parity blocks are distributed over all the disks in turn.
iv. Calling the four disks A, B, C and D: when any one of Disks A, B or C breaks (e.g. C breaks), the data can be reconstructed by combining the data segments on A and B together with the parity on D.
v. When Disk D breaks, the data can be restored by combining the segments from Disks A, B and C.
vi. When any two disks break at the same time, all data will be lost.
vii. Minimum disks required = 3.
viii. RAID 5 provides better performance than RAID 1.

RAID 0 (Striping without fault tolerance)
i. Splits data evenly across disks.
ii. Can increase performance.
iii. If one disk fails, all data will be lost.
iv. Minimum disks required = 2.

RAID can be implemented using hardware, software or both.

Uninterruptible Power Supply (UPS)
A UPS is an electric device used to provide a continuous power supply to computer equipment even if the normal power is not available.

Grandfather, father and son principle (a backup method)
When the transaction file and master file are used to produce a new master file, this new master file is called the son and the old master file is called the father. The process is then repeated using the next transaction file and the son master file. However, this time round the newest master file is called the son, the master file which was used to produce this latest son is called the father, and the original master file now becomes the grandfather. The grandfather, father and son files are called generations of files.
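The rotation described above, simulated as an added example (not code from the notes). Three master tapes and two transaction tapes are rotated over a working week; each day the new son is written to the next unused master tape or, once all three are in use, over the grandfather's tape. The schedule it produces matches the five-tape table that follows in the notes, and recover_son shows the point of keeping the older generations: a lost son can be rebuilt from the father plus today's transaction file. The account balances and daily transactions are constructed sample data.

```python
"""Grandfather-father-son tape rotation with recovery. Added example, not from the notes."""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

MASTER_TAPES = ["A", "B", "C"]      # three master-file generations
TXN_TAPES = ["D", "E"]              # today's and yesterday's transaction files
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]

# Constructed sample data: a master file of account balances and one
# transaction file of (account, amount) records per day.
INITIAL_MASTER = {"acct-1": 100, "acct-2": 50}
DAILY_TXNS = {
    "Mon": [("acct-1", -30), ("acct-3", 20)],
    "Tue": [("acct-2", 5)],
    "Wed": [("acct-1", 10), ("acct-3", -5)],
    "Thu": [("acct-2", -50)],
    "Fri": [("acct-3", 100)],
}

Row = Tuple[str, str, Optional[str], Optional[str], str, Optional[str]]


def update_master(master: Dict[str, int], txns: List[Tuple[str, int]]) -> Dict[str, int]:
    """The updating process: old master file + transaction file -> new master file (son)."""
    son = dict(master)
    for acct, amount in txns:
        son[acct] = son.get(acct, 0) + amount
    return son


def run_rotation(days=DAYS, txns=DAILY_TXNS, initial=INITIAL_MASTER):
    """Run the rotation and return (schedule rows, tape contents).
    Row: (day, son tape, father tape, grandfather tape, today's txn tape, yesterday's txn tape)."""
    tapes: Dict[str, object] = {}
    gens: Deque[str] = deque()          # master tape labels, newest generation first
    txn_gens: Deque[str] = deque()      # transaction tape labels, newest first
    rows: List[Row] = []
    current = dict(initial)
    for i, day in enumerate(days):
        # next unused master tape, or else the grandfather's tape is overwritten
        son_tape = MASTER_TAPES[len(gens)] if len(gens) < len(MASTER_TAPES) else gens.pop()
        txn_tape = TXN_TAPES[i % len(TXN_TAPES)]
        current = update_master(current, txns[day])
        tapes[son_tape] = current
        tapes[txn_tape] = list(txns[day])
        gens.appendleft(son_tape)
        txn_gens.appendleft(txn_tape)
        while len(txn_gens) > len(TXN_TAPES):
            txn_gens.pop()
        rows.append((day, gens[0],
                     gens[1] if len(gens) > 1 else None,
                     gens[2] if len(gens) > 2 else None,
                     txn_gens[0],
                     txn_gens[1] if len(txn_gens) > 1 else None))
    return rows, tapes


def recover_son(rows: List[Row], tapes: Dict[str, object], day: str) -> Dict[str, int]:
    """If the son tape for `day` is lost, rebuild it from the father and today's transactions."""
    _, _, father, _, txn_today, _ = next(r for r in rows if r[0] == day)
    if father is None:
        raise ValueError("no father generation exists yet on " + day)
    return update_master(tapes[father], tapes[txn_today])


if __name__ == "__main__":
    rows, tapes = run_rotation()
    for row in rows:
        print(row)
    print(recover_son(rows, tapes, "Fri"))
```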
The above process needs 5 tapes (A, B, C, D and E), used as follows:

Day   Master files                                       Transaction files
      Son (today)   Father (yesterday)   Grandfather     Today   Yesterday
Mon   A             -                    -               D       -
Tue   B             A                    -               E       D
Wed   C             B                    A               D       E
Thu   A             C                    B               E       D
Fri   B             A                    C               D       E

The whole grandfather-father-son process is shown in the following system flowchart (figure not reproduced): the grandfather master file and transaction file 1 go through the 1st updating process to produce a new master file, the father; the father and transaction file 2 go through the 2nd updating process to produce the son.

Security Threats

Malicious Code (Malware)
i. Programs that are designed to do bad things.
ii. Include: virus, worm, Trojan Horse, spyware, etc.

Unauthorized Access

Interception
i. A packet is intercepted (e.g. deleted, modified or read) by someone during transmission.
ii. Can be accomplished using a sniffer – software or hardware used to log or intercept network traffic.

Malicious Code
Virus – malicious program which can
i. duplicate itself, and
ii. infect other programs.
Worm – malicious program which can
i. duplicate itself, and
ii. spread over the network automatically.
Trojan Horse – malicious program which
i. appears to be normal, but
ii. performs malicious activity when it is running.
Spyware – malicious program which can
i. collect users' personal information (e.g. collect web surfing patterns);
ii. deliver unwanted advertisements (also known as adware);
iii. redirect the browser to a specific URL, etc.
A single malicious program can have the nature of a virus, worm, Trojan Horse and/or spyware.

Measures against Malicious Code
i. Using an anti-virus program
ii. Authentication
iii. Access control / user right control
iv. Packet filtering
v. Public and private key encryption
vi. Wired Equivalent Privacy (WEP)
vii. Using IPSec and VPN
viii. Installing an Intrusion Detection System

Anti-virus Program
An anti-virus program is a utility program used to
i. detect, stop and eliminate viruses; and
ii. recover files infected by viruses.
An anti-virus program consists of:
i.
Scanning engine
   a. The program that does the actual virus scanning / detecting work.
   b. Needs to be updated from time to time, as a new scanning engine can improve scanning performance.
ii. Signature file
   a. The file contains details of the features of existing viruses.
   b. It is used by the scanning engine to identify viruses.
   c. It is necessary to update the file even more frequently so as to cover the features of new viruses.

Authentication and Access Control

Authentication
i. A process to identify and prove the identity of a user / party.
ii. E.g. a logon system.

Access Control
i. The mechanism used to prevent unauthorized access to resources.
ii. E.g. the access rights of a file / folder can be set to let users read / fully control the file / folder.

Firewall
A firewall is placed between an organization and the rest of the Internet. If an organization has multiple Internet connections, a firewall must be placed at each, and all the organization's firewalls must be configured to enforce the organization's security policy. The primary mechanism used to build a firewall is known as a packet filter.

Packet Filter
i. A packet filter can be embedded in a router.
ii. It consists of software that uses the contents of packets to determine which packets are allowed to pass through the router and which packets will be discarded.
iii. It operates by examining fields in the header of each packet.
iv. For TCP/IP, a packet filter specification usually includes a frame type of 0800 (for IP), an IP source address or destination address (or both), a datagram type, and a protocol port number.
v. The ability to selectively allow packets for a particular service means that a manager can allow traffic to one service while blocking service to others (e.g.
allow Web traffic while blocking traffic to FTP).

To be secure, an Internet firewall needs at least three systems:
i. A packet filter that restricts data arriving from the Internet.
ii. A separate packet filter that restricts data leaving the organization's intranet.
iii. A secure computer system in the firewall that runs application software (secure host).
A secure host runs special application programs known as application-layer gateways that provide secure Internet services.

Virtual Private Network (VPN)
A corporation with multiple geographic sites can use one of two approaches to building a corporate intranet:
i. Private Network Connections
   a. The corporation leases data circuits to connect its sites. Each leased connection extends from a router at one site to a router at another site.
   b. Advantage: complete privacy.
ii. Public Internet Connections
   a. Each site contracts with a local ISP for Internet service. Data is sent from one site to another across the global Internet.
   b. Advantage: lower cost.
A corporation may create a Virtual Private Network so that it uses the global Internet to transfer data among corporate sites, but also takes additional steps to ensure that the corporate sites and data cannot be accessed by outsiders.
A VPN is usually implemented in software. First, the organization obtains an Internet connection for each of its sites. Second, the organization chooses a router at each site to run VPN software. Third, the organization configures the VPN software in each router to know about the VPN routers at each of the other sites.
Disadvantages:
i. slower connection,
ii. increased data size during transmission,
iii. complicated configuration.

Tunneling
i. To keep information completely hidden as data pass across the Internet from one site to another, VPN software uses an IP-in-IP tunnel.
ii. Suppose a computer X at site 1 creates a datagram for a computer Y at site 2.
The datagram is forwarded through site 1 to router R1. VPN software on R1 encrypts the original datagram and encapsulates it in a new datagram for transmission to router R2.
As the figure shows, the original datagram, including the header which carries the source and destination addresses, is encrypted and encapsulated in an IP data packet.

IPsec
A set of cryptographic protocols which allow users to choose between two basic options:
i. Authentication – i.e. validate the data senders and recipients.
ii. Confidentiality – i.e. encrypt the data content.

Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a system that monitors all packets arriving at a site and notifies the site administrator if a security violation is detected. It can be configured to detect attacks such as:
i. Port scanning – an outsider tries successive TCP protocol port numbers to determine the ports on which the site has a server.
ii. SYN flood – to make a computer unusable, an outsider sends TCP segments that appear to request a new TCP connection; when the receiving machine tries to complete the connection, the outsider does not respond.

Public Key Infrastructure (PKI)
PKI covers the use of public key cryptography and digital certificates as the accepted means of authentication and access control over the Internet.
Public-key cryptography, also known as asymmetric cryptography, is a form of cryptography in which the key used to encrypt a message differs from the key used to decrypt it. In public key cryptography, a user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed. Incoming messages would have been encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically, but the private key cannot be practically derived from the public key.
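The two IDS detections described in the Intrusion Detection System section above, as an added example (not code from the notes) run over a constructed TCP event log. A source that sends SYNs to many distinct ports within a short window is reported as a port scan; a destination port that accumulates many half-open connections (SYN seen, client's completing ACK never seen) is reported as a SYN flood. The log format, the addresses and the thresholds are all assumptions made for the demonstration.

```python
"""Port-scan and SYN-flood detection over a constructed TCP event log.
Added example, not from the notes; log format, hosts and thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" = SYN from client, "SA" = SYN-ACK from server, "A" = client's final ACK


# Constructed sample log: one normal handshake to port 80, one host probing successive
# ports, and one host sending SYNs to port 80 without ever completing the handshake.
SAMPLE_LOG = """\
t=0.00 10.0.0.5:40001 -> 192.0.2.10:80 S
t=0.01 192.0.2.10:80 -> 10.0.0.5:40001 SA
t=0.02 10.0.0.5:40001 -> 192.0.2.10:80 A
t=1.00 198.51.100.7:5001 -> 192.0.2.10:21 S
t=1.10 198.51.100.7:5002 -> 192.0.2.10:22 S
t=1.20 198.51.100.7:5003 -> 192.0.2.10:23 S
t=1.30 198.51.100.7:5004 -> 192.0.2.10:25 S
t=1.40 198.51.100.7:5005 -> 192.0.2.10:80 S
t=1.50 198.51.100.7:5006 -> 192.0.2.10:110 S
t=1.60 198.51.100.7:5007 -> 192.0.2.10:143 S
t=1.70 198.51.100.7:5008 -> 192.0.2.10:443 S
t=2.00 203.0.113.9:6001 -> 192.0.2.10:80 S
t=2.01 203.0.113.9:6002 -> 192.0.2.10:80 S
t=2.02 203.0.113.9:6003 -> 192.0.2.10:80 S
t=2.03 203.0.113.9:6004 -> 192.0.2.10:80 S
t=2.04 203.0.113.9:6005 -> 192.0.2.10:80 S
t=2.05 203.0.113.9:6006 -> 192.0.2.10:80 S
"""

LINE_RE = re.compile(r"t=(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)")


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip lines that do not match the assumed format
        t, src, sport, dst, dport, flags = m.groups()
        events.append(Event(float(t), src, int(sport), dst, int(dport), flags))
    return events


def detect_port_scans(events: List[Event], min_ports: int = 5,
                      window: float = 10.0) -> Dict[str, List[int]]:
    """Report sources whose SYNs reach >= min_ports distinct destination ports within `window` s."""
    by_src: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for e in events:
        if e.flags == "S":
            by_src[e.src].append((e.t, e.dport))
    alerts: Dict[str, List[int]] = {}
    for src, syns in by_src.items():
        syns.sort()
        in_window: Counter = Counter()    # distinct ports seen in the sliding window
        oldest = 0
        for t, port in syns:
            in_window[port] += 1
            while syns[oldest][0] < t - window:     # drop SYNs that fell out of the window
                old_port = syns[oldest][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                oldest += 1
            if len(in_window) >= min_ports:
                alerts[src] = sorted(in_window)
    return alerts


def detect_syn_floods(events: List[Event], min_half_open: int = 5) -> Dict[Tuple[str, int], int]:
    """Report (destination, port) pairs with >= min_half_open connections left half-open."""
    pending = set()     # (src, sport, dst, dport) with a SYN seen but no completing ACK
    for e in events:
        key = (e.src, e.sport, e.dst, e.dport)
        if e.flags == "S":
            pending.add(key)
        elif e.flags == "A":
            pending.discard(key)
    half_open = Counter((dst, dport) for (_, _, dst, dport) in pending)
    return {target: n for target, n in half_open.items() if n >= min_half_open}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("port scans:", detect_port_scans(evts))
    print("SYN floods:", detect_syn_floods(evts))
```

The SYN-flood count is kept per destination port rather than per source because a flood commonly arrives from many (often spoofed) source addresses; the probing host's single SYN to port 80 therefore also counts toward that port's half-open total.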
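The asymmetric key pair described in the Public Key Infrastructure paragraph above, and the two checks listed under Digital signature below, as an added example (not code from the notes). It uses textbook RSA with two small fixed primes and no padding so that the arithmetic stays visible: a message encrypted with the public key is recovered only with the private key, and a signature is the SHA-256 hash of the record transformed with the private key, which the public key turns back into the hash. The primes, exponent and record text are constructed for illustration; production systems use a vetted library, 2048-bit or larger moduli and a padding scheme.

```python
"""Public-key encryption and a hash-based digital signature with textbook RSA.
Added example, not from the notes; small fixed primes and no padding, for illustration only."""
import hashlib
from typing import Tuple

Key = Tuple[int, int]       # (modulus n, exponent)

# Constructed small primes for illustration only (real keys use ~2048-bit moduli).
P, Q = 104729, 1299709
E = 65537


def make_keypair(p: int = P, q: int = Q, e: int = E) -> Tuple[Key, Key]:
    """Return (public, private). Both keys share n = p*q; d is computable only from
    phi(n), i.e. from the factors of n, which is what keeps the private key private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(message: int, public: Key) -> int:
    """Encrypt with the recipient's public key."""
    n, e = public
    if not 0 <= message < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, private: Key) -> int:
    """Only the matching private key undoes encrypt()."""
    n, d = private
    return pow(ciphertext, d, n)


def record_digest(record: bytes, n: int) -> int:
    """Hash the electronic record and reduce it into the range [0, n)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n


def sign(record: bytes, private: Key) -> int:
    """The signer's transformation: hash the record, then apply the private key."""
    n, d = private
    return pow(record_digest(record, n), d, n)


def verify(record: bytes, signature: int, public: Key) -> bool:
    """Check (a) that the signature was produced with the private key matching this public
    key and (b) that the record is unaltered: applying the public key must give the hash."""
    n, e = public
    return pow(signature, e, n) == record_digest(record, n)


if __name__ == "__main__":
    public, private = make_keypair()
    print(decrypt(encrypt(42, public), private))
    sig = sign(b"pay 100 to acct-2", private)
    print(verify(b"pay 100 to acct-2", sig, public), verify(b"pay 900 to acct-2", sig, public))
```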
Digital certificate
i. A digital certificate is a digital document that binds a public key to an individual or other entity.
ii. It allows verification of the claim that a specific public key does in fact belong to a specific individual.
iii. A Hongkong Post e-Cert contains a public key, the name of the holder, an expiration date, a certificate serial number and a subscriber reference number.

Digital signature
i. A digital signature is the electronic signature of a signer.
ii. It is generated by transforming the electronic record using asymmetric cryptography and a hash function.
iii. A person having the initial untransformed electronic record and the signer's public key can then determine:
   a. whether the transformation was generated using the private key that corresponds to the signer's public key; and
   b. whether the initial electronic record has been altered since the transformation was generated.

Wired Equivalent Privacy (WEP)
WEP is an algorithm used to secure wireless Wi-Fi networks, intended to provide confidentiality comparable to that of a traditional wired network. Two methods of authentication can be used with WEP: Open System authentication and Shared Key authentication.
i. Open System authentication: the wireless LAN client need not provide its credentials to the Access Point during authentication.
ii. Shared Key authentication:
   a. The client station sends an authentication request to the Access Point.
   b. The Access Point sends back a clear-text challenge.
   c. The client has to encrypt the challenge text using the configured WEP key and send it back in another authentication request.
   d. The Access Point decrypts the material and compares it with the clear-text it had sent. Depending on the success of this comparison, the Access Point sends back a positive or negative response.

Reference:
Computer Networks and Internets with Internet Applications, Douglas E. Comer.
http://en.wikipedia.org/
http://www.hongkongpost.gov.hk/support/concept/index.html