THE BRITISH COMPUTER SOCIETY
THE BCS PROFESSIONAL EXAMINATIONS
BCS Level 6 Professional Graduate Diploma in IT
March 2014
Examiners' Report
NETWORK INFORMATION SYSTEMS

General comments on candidates' performance

The standard of answers was generally very good, with nearly all candidates choosing to answer question A2 and/or B4, and many obtaining excellent marks. Where candidates failed to achieve marks, it was usually because they failed to attempt an answer to the part of the question which had the higher marks allocated. Question choice is important, and if no attempt can be made at a part worth many marks, it may be better to choose a question that can be answered adequately but more fully. Very few candidates attempted question A1 and few of those passed. However, one or more candidates obtained at least 80% of the marks available for each question on the paper.

Once again some candidates quoted large amounts of knowledge that was not relevant to the question, and once again no credit could be given for this. A large number of candidates chose to illustrate parts of their answers with diagrams, even though diagrams were not directly requested. This was a good strategy, often conveying knowledge of the subject and clarifying their written descriptions, and those who did so in a relevant manner tended to be amongst the group of candidates who obtained high marks.

A1. You are a young researcher and you are given the task of creating a new web search engine similar to Google.
a) Provide a diagram of how the creators of a new web search engine could distribute their systems over multiple nodes and data centres, and explain the interlinking. (7 marks)
b) List the main types of distributed network configurations that are used to support distributed systems. In your answer refer to standard networks and the wireless variants of them. (6 marks)
c) Explain how the distributed network configurations you have listed in b) above differ from each other.
(12 marks)

Answer Pointers

A1 a) Because of the large volume of data (links and hyperlinks) the only possible approach is a distributed system. 4 marks for a relevant diagram and 3 marks for explaining the interlinking between the nodes and the Internet.

A1 b)
- Local area networks (LANs)
- Personal area networks (PANs)
- Wide area networks (WANs)
- Metropolitan area networks (MANs)
- Wireless local area networks (WLANs)
- Wireless metropolitan area networks (WMANs)
- Wireless wide area networks (WWANs)
- Internetworks
1 mark for each network mentioned (up to 6).

A1 c)
(PANs) PANs are a subcategory of local networks in which the various digital devices carried by a user are connected by a low-cost, low-energy network. Wired PANs are not of much significance because few users wish to be encumbered by a network of wires on their person, but wireless personal area networks (WPANs) are of increasing importance due to the number of personal devices such as mobile phones, tablets, digital cameras, music players and so on that are now carried by many people.

(LANs) LANs carry messages at relatively high speeds between computers connected by a single communication medium, such as twisted copper wire, coaxial cable or optical fibre. No routing of messages is required within a LAN and the system bandwidth is shared between the computers connected to a small LAN. Larger local networks, such as those that serve a campus or an office building, are composed of many segments interconnected by switches or hubs. In local area networks the total system bandwidth is generally high and latency is low.

(WANs) WANs carry messages at lower speeds between nodes that are often in different organisations and may be separated by large distances. They may be located in different cities, countries or continents. The communication medium is a set of communication circuits linking a set of dedicated computers called routers. These manage the communication network and route messages or packets to their destinations.
In most networks the routing operations introduce a delay at each point in the route, so the total latency for the transmission of a message depends on the route that it follows and the traffic loads in the various network segments that it traverses.

(MANs) This type of network is based on the high-bandwidth copper and fibre optic cabling recently installed in some towns and cities for the transmission of video, voice and other data over distances of up to 50 kilometres. A variety of technologies have been used to implement the routing of data in MANs, ranging from Ethernet to ATM. The DSL (Digital Subscriber Line) and cable modem connections now available in many countries are an example. DSL typically uses ATM switches located in telephone exchanges to route digital data onto twisted pairs of copper wire (using high-frequency signalling on the existing wiring used for telephone connections) to the subscriber's home or office at speeds in the range 1–10 Mbps.

(WLANs) WLANs are designed for use in place of wired LANs to provide connectivity for mobile devices, or simply to remove the need for a wired infrastructure to connect computers within homes and office buildings to each other and the Internet. They are in widespread use in several variants of the IEEE 802.11 standard (Wi-Fi), offering bandwidths of 10–100 Mbps over ranges up to 1.5 kilometres.

(WMANs) The IEEE 802.16 WiMAX standard is targeted at this class of network. It aims to provide an alternative to wired connections to home and office buildings and to supersede 802.11 Wi-Fi networks in some applications.

(WWANs) Most mobile phone networks are based on digital wireless network technologies such as the GSM (Global System for Mobile communication) standard, which is used in most countries of the world.
Mobile phone networks are designed to operate over wide areas (typically entire countries or continents) through the use of cellular radio connections; their data transmission facilities therefore offer wide area mobile connections to the Internet for portable devices. The cellular networks mentioned above offer relatively low data rates (9.6 to 33 kbps), but the 'third generation' (3G) of mobile phone networks is now available, with data transmission rates in the range of 2–14.4 Mbps while stationary and 348 kbps while moving (for example in a car). The underlying technology is referred to as UMTS (Universal Mobile Telecommunications System).

(Internetworks) An internetwork is a communication subsystem in which several networks are linked together to provide common data communication facilities that overlay the technologies and protocols of the individual component networks and the methods used for their interconnection. Internetworks are needed for the development of extensible, open distributed systems. The openness characteristic of distributed systems implies that the networks used in distributed systems should be extensible to very large numbers of computers, whereas individual networks have restricted address spaces and some may have performance limitations that are incompatible with their large-scale use. In internetworks a variety of local and wide area network technologies can be integrated to provide the networking capacity needed by each group of users. Thus internetworks bring many of the benefits of open systems to the provision of communication in distributed systems.

2 marks for each explained network (up to 12).

Examiner's Comments

This question was designed to enable candidates to apply their knowledge and skills to solving a particular hands-on problem, and some were able to build on their theoretical knowledge and provide relevant solutions based on distributed system architectures.
The key to this question is the understanding that it needs to be a distributed system, which most of the candidates successfully identified. The problems were in identifying the answer pointers in the second part of the question. Most candidates were trying to explain client-server architecture, which is an application design and not a variety of distributed network configuration.

A2.
a) Explain what you understand by Web Services. (6 marks)
b) Identify and explain the core technologies that are used by Web Services. (12 marks)
c) With regard to Web services, explain how we ensure:
- Confidentiality
- Authentication
- Network Security
(7 marks)

Answer Pointers

A2 a) Web Services are self-contained, modular, distributed, dynamic applications that can be described, published, located, or invoked over the network to create products, processes, and supply chains. These applications can be local, distributed, or Web-based. (2 marks) They use XML-based information exchange systems that use the Internet for direct application-to-application interaction. (2 marks) Web services use open protocols and standards for exchanging data between applications or systems, such as TCP/IP, HTTP, Java, HTML, and XML. (2 marks)

A2 b)
- XML-RPC is the simplest XML-based protocol for exchanging information between computers; it is a protocol that uses XML messages to perform Remote Procedure Calls (RPCs). Requests are encoded in XML and sent via HTTP POST, and the XML responses are embedded in the body of the HTTP response. XML-RPC is platform-independent.
- SOAP is an XML-based protocol for exchanging information between computers and is a communication protocol for communication between applications. SOAP defines its own format for sending messages and is designed to communicate via the Internet. SOAP is platform and language independent, extensible, and allows you to get around firewalls.
- WSDL is an XML-based language for describing Web services and how to access them.
WSDL stands for Web Services Description Language and is an XML-based protocol for information exchange in decentralised and distributed environments. WSDL is the standard format for describing a web service, how to access it and what operations it will perform.
- UDDI is an XML-based standard for describing, publishing, and finding Web services. UDDI stands for Universal Description, Discovery and Integration and is a specification for a distributed registry of Web services. UDDI is a platform-independent, open framework and can communicate via SOAP, CORBA and the Java RMI Protocol. UDDI is an open industry initiative enabling businesses to discover each other and define how they interact over the Internet.
(3 marks for each explanation)

A2 c)

Confidentiality. XML-RPC and SOAP run primarily on top of HTTP, which has support for Secure Sockets Layer (SSL), so the communication can be encrypted. The big problem is that a single web service may consist of a chain of applications. For example, one large service might tie together the services of three other applications. In this case SSL is not adequate: the messages need to be encrypted at each node along the service path, and each node represents a potential weak link in the chain. Currently there is no agreed-upon solution to this issue, but one promising solution is the W3C XML Encryption Standard. This standard provides a framework for encrypting and decrypting entire XML documents or just portions of an XML document. (3 marks for relevant explanation)

Authentication. The problem here is to identify the user and establish whether the client (the user) is authorised to use the service. The following options exist, without there being a set standard:
- HTTP includes built-in support for Basic and Digest authentication, and services can therefore be protected in much the same manner as HTML documents are currently protected.
- SOAP Security Extensions: Digital Signature (SOAP-DSIG).
DSIG leverages public key cryptography to digitally sign SOAP messages. This enables the client or server to validate the identity of the other party.
- The Organization for the Advancement of Structured Information Standards (OASIS) is working on the Security Assertion Markup Language (SAML).
(2 marks for relevant explanation)

Network Security. There is currently no easy answer to this problem, and it has been the subject of much debate. For now, if you are truly intent on filtering out SOAP or XML-RPC messages, one possibility is to filter out all HTTP POST requests that set their content type to text/xml. Another alternative is to filter on the SOAPAction HTTP header. Firewall vendors are also currently developing tools explicitly designed to filter web service traffic. (2 marks for relevant explanation)

Examiner's Comments

This question was the most popular one, with most people attempting answers for this question. Most answers were relevant, with some good explanations. One candidate scored full marks and many others obtained over 80% of the marks for this question. A few candidates demonstrated knowledge of the syllabus but gave points which were not relevant to this question.

A3. A company operates from three buildings; buildings A and B are next to each other in a city and the third, building C, is located 200 miles away. The company has its operations organised in such a way that the work process in building A generates very high communication traffic between the networked computers. However, the communication traffic in the other two buildings is relatively low. The company has an application which must run across a Local Area Network address space. Two public class B network addresses with IDs of 150.72.0.0 and 151.72.0.0 are given to the company.
Assuming that the number of computers is appropriate for your design and all computers are using public IP addresses within the assigned network IDs, you are required:
a) with the aid of a diagram, to describe an appropriate Local Area Network (LAN) architecture for inclusion in the network of buildings A and B. In your answer explain the distribution of addresses, the use of hubs, routers etc., and show the connection to the Internet. Your answer should also identify any restrictions that you may need to impose on the number of computers in each building. (11 marks)
b) to produce a simple routing table for one of the routers on the diagram you provided in answer to a) above, and explain the purpose and the usage of the fields in the table. (8 marks)
c) to suggest a way of building a single Wide Area Network based on the existing LAN architecture and the Internet, and explain the issues you considered. (6 marks)

Answer Pointers

A3 a) Since we have two remote sites we need to use both network IDs, one for each site. Furthermore, let us choose the first network ID, 150.72.0.0, to be associated with the site with two buildings. The design must include several separate sub-networks, one sub-network per building, so that the operations can be separated to prevent the heavy communication traffic from spilling over from one building LAN to the other. In the example below we will be using 4 separate subnets, which means that the number of computers in each sub-net must be less than 2^14 = 16 384. The net mask for all subnets will be 255.255.192.0. A possible architecture is shown below.

[Diagram; addresses as labelled in the figure. Building 1, net mask 255.255.192.0: Computer 1 150.72.0.1, Computer 2 150.72.0.2, ..., Computer n 150.72.x.x, broadcast 150.72.63.255, Router 1 at 150.72.128.1. Building 2, net mask 255.255.192.0: Computer 1 150.72.64.1, Computer 2 150.72.64.2, ..., Computer n 150.72.x.x, broadcast 150.72.127.255, Router 3 at 150.72.128.3. Router 2 at 150.72.128.2 links the router subnet (labelled 150.72.254.255) to the Internet.]

11 marks for this or a similar diagram with all addresses assigned.
b) An example of the routing table at Router 3 is shown below:

Destination Network ID   Mask             Next Hop
150.72.64.0              255.255.192.0    150.72.128.1
150.72.0.0               255.255.192.0    150.72.128.2
150.72.128.0             255.255.192.0    150.72.128.2
default                  any              150.72.128.2

Each routing table has the three columns Destination Network ID, Network Mask and Next Hop. For each line in the table, starting from the first, the router takes the destination address from the packet and applies the mask (a logical AND between the mask and the destination IP address). The result is compared with the Destination Network ID field and, in the case of a match, the packet is sent to the address in the Next Hop field on the same row. Once a match is found no further matching is attempted. 8 marks for this explanation.

c) Wide Area Network (WAN) on the basis of a VPN. An extranet is a computer network that allows controlled access from the outside for specific business or educational purposes.

[Diagram; labels as recovered from the figure (caption fragment: "Segments of the"). Building 1 LAN ID 150.72.0.0, net mask 255.255.192.0, broadcast 150.72.63.255, Router 1 at 150.72.128.1. Building 2 LAN ID 150.72.64.0, net mask 255.255.192.0, broadcast 150.72.127.255, Router 3 at 150.72.128.3. Router 2 at 150.72.128.2 to the Internet. Building 3 LAN ID 151.72.0.0, net mask 255.255.0.0, with its router (labelled Router 3) at 151.72.254.255. 150.72.254.255 is also shown on the router subnet.]

All buildings are on a single VPN (Virtual Private Network), thus forming a Wide Area Network. The Internet, like VPN-based extranets, is also a WAN in itself. A VPN over the Internet is the cheapest option. Other possible ways of building a WAN are to use leased lines for the connection, or other dedicated means of communication between the two remote sites. Examples of such technologies over dedicated lines are SONET, ATM and Frame Relay.
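A worked version of the A3 a) subnet plan and the A3 b) first-match lookup at Router 3, as an added example that is not part of the examiners' report. The network IDs, mask and next hops are the values printed in the answer pointers; the destination addresses passed to the lookup are constructed for the demonstration.

```python
"""Added example (not from the examiners' report): the A3 a) subnet plan and
the first-match routing lookup described for Router 3 in A3 b). Network IDs,
mask and next hops are the values given in the answer pointers; the sample
destination addresses are constructed."""
import ipaddress

SITE_BLOCK = ipaddress.ip_network("150.72.0.0/16")   # class B ID used for buildings A and B
SUBNET_MASK = "255.255.192.0"                         # four subnets of 2^14 addresses each


def plan_subnets(block=SITE_BLOCK, mask=SUBNET_MASK):
    """Split the block by the mask; return (subnets, usable hosts per subnet)."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen   # 255.255.192.0 -> /18
    subnets = list(block.subnets(new_prefix=prefix))
    addresses = 2 ** (32 - prefix)       # 16 384 addresses in each subnet
    return subnets, addresses - 2        # minus the network and broadcast addresses


# Router 3's table exactly as given in the answer pointers, in lookup order.
ROUTER3_TABLE = [
    ("150.72.64.0",  "255.255.192.0", "150.72.128.1"),
    ("150.72.0.0",   "255.255.192.0", "150.72.128.2"),
    ("150.72.128.0", "255.255.192.0", "150.72.128.2"),
    ("default",      "any",           "150.72.128.2"),
]


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def lookup_next_hop(destination, table=ROUTER3_TABLE):
    """Walk the rows from the top: AND the destination with the row's mask,
    compare with the row's Destination Network ID, and stop at the first
    match. The default row matches anything not matched above it."""
    dst = _as_int(destination)
    for network_id, mask, next_hop in table:
        if network_id == "default":
            return next_hop
        if dst & _as_int(mask) == _as_int(network_id):
            return next_hop
    return None      # only reachable for a table with no default route


if __name__ == "__main__":
    subnets, usable = plan_subnets()
    for subnet in subnets:
        print(subnet, "broadcast", subnet.broadcast_address)
    print("usable hosts per subnet:", usable)
    for dst in ("150.72.70.5", "150.72.10.1", "150.72.130.9", "8.8.8.8"):
        print(dst, "->", lookup_next_hop(dst))
```

Running it prints the four /18 subnets with the broadcast addresses that appear in the diagram (150.72.63.255 and 150.72.127.255) and 16 382 usable hosts per subnet. Production routers select the longest matching prefix rather than the first matching row; with three non-overlapping /18 rows and a /0 default, as here, both rules give the same next hop.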
(6 marks for this or a similar drawing and explanation)

Examiner's Comments

This question was clearly selected by candidates who really had a good understanding of what an IP address is, how the computers in a network can be assigned IP addresses, how a network can be divided into sub-networks, and various other issues concerning the IP configuration of networks. Relatively few people showed detailed knowledge of routers (which is essential when building networks for multiple sites). Generally speaking, the level of knowledge of the people attempting this question was higher than for the other questions. Many candidates obtained over 80% of the marks for this question.

B4.
a) Describe the function of each of the following networking devices:
i) Repeater (4 marks)
ii) Bridge (4 marks)
iii) Switch (4 marks)
b) Explain why it might be possible to improve the performance of a network by replacing a network hub with a switch. (6 marks)
c) Unlike the devices in section (a), a router is often described as a layer 3 device. Describe how a router meets the definition of a layer 3 device, contrasting it with the function of a switch. (7 marks)

ANSWER POINTERS

Nearly all candidates chose to answer the question, and in general the answers were good, although part c) was generally answered less thoroughly than the other parts. Considering the reference to layer 3 in the question, candidates could have referenced the OSI model directly or at least described layer 3 (the network layer) and its purpose. Some candidates did this but many failed to do so. The word "networking" is given in this question to make plain we are speaking of network repeaters, network hubs etc. In part a) there is a progression of ideas in the three parts of this question, which candidates should be able to develop and use to guide their answers.
A repeater is a device used to repeat the signal onto a new network link. It is used to deal with the cable length limits in networks, especially Ethernet networks, but wireless repeaters are now common too. The repeater is a solution to the problem of signal attenuation; it does nothing more than retransmit the signal on the new link.

A network bridge joins two or more communication networks, or two or more network segments, to create an aggregate network. Bridging is different from routing, which allows the networks to communicate independently as separate networks (layer 3); bridging is a layer 2 aggregation. On multiplexed networks a bridge can contain traffic within the segments except where access is required to devices on the other side of the bridge. Many candidates suggested bridging is obsolete, but this is incorrect, as bridges are still extremely useful for connecting similar networks on different media, such as Wi-Fi to Ethernet.

A switch takes the segmentation a step further by creating a multi-port network bridge that processes and routes data at the data link layer (layer 2). Now every device can potentially be connected on its own network segment, and traffic segmentation keeps the links quieter and potentially more private.

Part b) introduced the concept of a hub, and segmentation is again at the heart of the question, but candidates should understand the difference between a hub and a switch. Thus a description of a hub is expected: a device for connecting multiple physical network segments together and making them act as a single network segment. Like a switch, a hub has multiple I/O ports, but a signal introduced at the input of any port appears at the output of every port except the original, just as a repeater would work.
This is in contrast to the segmented nature of a switched network described above; essentially a hub is a physical layer (layer 1) multiport repeater, as opposed to the layer 2 data link multiport segmentation (multiport bridging) of a switch. Note that more marks are given for the description of the hub than for the difference, as a correct description of the hub and of the switch (in part a) is essential to demonstrating the difference.

Part c) brings out the OSI model in the question, and the answer should describe how switches create multiport segmentation at layer 2, with traffic being switched between segments based on an internal table of hardware addresses (MAC addresses) for each segment, whereas a router will look at the network packet header and choose which interface to route the packet onto based on a lookup table of routes, e.g. IP network routes. This part of the question could be illustrated with a diagram, and with reference to IP packets and Ethernet frames, although the concepts can be generalised to other network technologies. As the OSI model is explicitly mentioned, marks were given for the description of the network layer as opposed to the data link layer within the model, and for the description, which must cover the principles of routing and the tables used by switches and routers.

Examiner's Comments

This question was generally answered well, with many candidates quite clear on each of these devices. Some candidates pointed out that repeaters were largely obsolete now, but that is true primarily for Ethernet repeaters, and other candidates quite rightly pointed out that wireless repeaters are still very much in use. Likewise candidates often suggested bridging was obsolete, not recognising the utility of a bridge in joining two similar networks over different media, such as the Wi-Fi to Ethernet bridges found in Wi-Fi access points. Where candidates understood the nature of a switch, they tended to answer part b) fully too.
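To make the hub/switch contrast in B4 a) and b) concrete, here is an added example (not taken from the examiners' report) that models a layer 1 hub next to a learning switch and counts how many links each frame is copied onto. The port numbers, MAC addresses and traffic sequence are constructed for the demonstration.

```python
"""Added example (not from the examiners' report): a hub beside a learning
switch, showing the segmentation discussed in B4 a) and b). Port numbers,
MAC addresses and the traffic sequence are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Layer 1 multiport repeater: a frame entering any port is repeated out
    of every other port; addresses are never examined."""
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Layer 2 multiport bridge: records which port each source MAC was seen
    on and later sends unicast frames only to that port. Unknown destinations
    and broadcasts are flooded, exactly as a hub would do."""
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC address -> port (the switch's internal table)

    def forward(self, in_port, frame):
        self.mac_table[frame["src"]] = in_port       # learn or refresh the source
        dst = frame["dst"]
        if dst != BROADCAST and dst in self.mac_table:
            out_port = self.mac_table[dst]
            # Destination sits on the sender's own segment: nothing to forward.
            return [] if out_port == in_port else [out_port]
        return [p for p in self.ports if p != in_port]   # flood


# Constructed traffic: A on port 1, B on port 2, C on port 3; port 4 is idle.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
TRAFFIC = [
    (1, {"src": A, "dst": B}),          # A -> B while B is still unknown
    (2, {"src": B, "dst": A}),          # B -> A; A was learned on port 1
    (1, {"src": A, "dst": B}),          # A -> B again, both now known
    (3, {"src": C, "dst": BROADCAST}),  # C broadcasts (e.g. an ARP request)
]


def run_traffic(device, traffic=TRAFFIC):
    """Return the list of output ports used for each frame, in order."""
    return [device.forward(in_port, frame) for in_port, frame in traffic]


def compare_devices(ports=(1, 2, 3, 4)):
    """Total number of links the frame sequence is copied onto. The switch's
    figure is lower because learned unicast traffic stays off the other
    segments, which is the performance (and privacy) gain of part b)."""
    hub_out = run_traffic(Hub(ports))
    switch_out = run_traffic(LearningSwitch(ports))
    return {"hub": sum(map(len, hub_out)), "switch": sum(map(len, switch_out))}


if __name__ == "__main__":
    print("hub   :", run_traffic(Hub((1, 2, 3, 4))))
    print("switch:", run_traffic(LearningSwitch((1, 2, 3, 4))))
    print(compare_devices())
```

After the second frame the switch has learned both A and B, so the A-to-B conversation is confined to ports 1 and 2 and port 3 (C's segment) never sees it; the hub copies every frame onto all other ports regardless. The broadcast frame reaches every port on both devices, which is why broadcast-heavy traffic limits the benefit of switching alone.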
Part c) clearly referred to the OSI model and particularly the difference between the data link and network layers. Many candidates understood this, but many others did not consider what is provided at each layer, which would have guided them to answering that part fully. In particular, mention of network layer addressing (IP addresses) was important.

B5. A weather research company is developing a network of weather monitoring stations that need to report readings at each of their station sites back to a central server. There will be hundreds of such small stations, located voluntarily on the networks of other companies, organisations and individuals. All such stations will be located where there are Internet connections, but in the majority of cases the Internet connection is not maintained by the weather research company. Data is transferred to the server on a regular basis over these Internet connections using SOAP web services.
a) In this scenario, what are the advantages of using SOAP web services to report data as opposed to other data transfer mechanisms such as SFTP or CORBA? (8 marks)
b) The research company must ensure that data updates come from their devices and are not maliciously inserted or tampered with by any third parties. Describe a suitable means of ensuring that such transfers are secure. Your answer should take into account the possibility of the data stream being analysed over extended periods using packet capture software. (11 marks)
c) The data is processed and formatted by the company to be released on their web server to paying clients. One of the pages to be provided is a map generated from the source data that is shaded in the region of each weather station to indicate the temperature of that area. Hotter recordings are shaded red, orange or yellow and cooler recordings green or blue. What web accessibility issues should they consider with this map to ensure that all users of the service can make use of the data presented?
(6 marks)

Answer Points

This question included a section (part c) examining HCI issues. This has always been on the syllabus for NIS, but was not previously examined. I am pleased to note that everyone who attempted this question gained some marks for their answer to part c, although only a few candidates gained full marks for noting the accessibility issue and, importantly, providing the solution, which is to present the data in an alternative accessible format.

Part a) required the candidates to understand the nature of SOAP as encapsulating the data within XML and transferring it between web servers. This has the major advantage of not requiring special configuration of firewalls to allow additional services to be used, because HTTP is the one protocol that is almost always allowed to cross firewalls. A candidate may note that a web proxy might still be required, but SOAP will continue to work over such proxies as the XML data is being transferred by HTTP. Failing HTTP, SMTP can also be used, the other best supported protocol. Both CORBA and SFTP would require access to ports that may be blocked on the firewall, and the nature of the scenario makes it clear that in most cases reconfiguration of the firewall is going to be hard or impossible, as the company does not control these networks. 6 marks will be given for correct understanding of the SOAP protocol as above, but 2 marks are reserved for specifically noting this operational issue in the scenario and thus recognising the attraction of SOAP over the alternatives.

Part b) is open ended, but a candidate must recognise that a simple plain text password exchange is unsuitable, as the password can be read from the network. Reliance on IP addresses is also inappropriate because of the risk of network address translation being used to maliciously insert data apparently from the data monitor's IP address. Thus a candidate should describe an encryption scheme.
The simplest such scheme would rely on a pre-shared secret with the data monitor that is used to encrypt the data, but this too is vulnerable to attack: the question specifies a long period of observation, and as the data is repetitive, even if some randomisation such as a timestamp is added, it is quite possible an attacker could recover the encryption key in time. The best answers will then look at public key cryptography, perhaps advocating SSL/TLS or a similar scheme (a natural choice to accompany SOAP). SSL/TLS is not required, though, if another solution is offered, e.g. encrypting the whole message, or signing a message digest with the private key of the data logger, so that the origin is guaranteed when the digest is decrypted with the logger's public key. Although open ended, the division of marks is such that half the marks are given for understanding the need for a suitable encryption scheme, and half for a correct description of the scheme.

As stated above, part c) is the first time this paper has asked an HCI question, although it has always existed on the syllabus. To prevent candidates being disadvantaged by this in their preparation, the marks in the section are kept relatively low. The question relies on a candidate recognising that users of the web-based system may be colour blind or blind, or else may be using text-only services. As such, there must be an alternative presentation of the data. In addition to the colouration, actual figures should be available on the map, and a text-only representation of the data on the map should also be available. This could be served automatically to text-only browsers, but should also be provided through a clear link. Reference may be made to the Web Content Accessibility Guidelines, although there is no need to quote the guidelines exactly. The point is to consider all users of the system and not just the usual case.
Examiner's Comments

There were some very good answers to this question, and it was clear that a very large proportion of candidates understood the benefits of SOAP in their answer to part a). This was good, although for full marks candidates needed to contrast these with CORBA and SFTP, which needed some consideration of the scenario and not just a listing of SOAP benefits. SFTP is clearly a very different solution, and transfer of data would have to be set up in a very different manner. However, it was gratifying that the majority of candidates were able to answer this section well.

In part b), some candidates again tripped up by not considering the example, but simply listing general security measures. In this scenario encryption of the data is required, and the ability of an attacker to see the data over a long period makes symmetric encryption, on its own, susceptible to attack. Thus a scheme such as SSL is ideal, especially as SOAP can utilise it. Understanding that, and then describing how SSL would ensure the security, was what was required here.

As noted above, part c) was the first time we put an HCI-based question into the exam. Many candidates considered the question and produced well-reasoned replies earning many of the marks, but in some cases the solutions were impractical, and in other cases the problem was described but no suitable solutions were offered.