87-01-45.1 Control of Wide Area Networks
Steven Powell
Frederick Gallegos
Payoff
This article describes the various types of wide area networks and their access methods and
connective devices, communications protocols, network services, and network topologies.
It also describes the automated tools that are currently available for network monitoring,
and provides a brief introduction to the Internet.
Introduction
Local area networks (LANs) have become commonplace in most medium and large
companies. Now, wide area networks (WANs) have become the next communications
frontier. However, WANs are much more complicated than LANs. In most WAN
environments, the time spent monitoring grows with the number of devices an individual
has to manage, and complexity grows faster still, because each device added to the network
has to interwork with many of the devices already on it.
In order to get a further understanding of WANs, it is useful to explore the differences
between WANs and LANs. LANs are defined as communications networks in which all
components are located within several miles of each other and communicate at high
transmission speeds, generally 1M bps or higher. They are typically used to support
interconnection within a building or campus environment.
WANs connect system users who are geographically dispersed, by means of public
telecommunications facilities, and give them access to computers for fast interchange of
information. Major components of WANs include computers ranging from microcomputers
to mainframes, intelligent terminals, modems, and communications controllers. WANs span
distances of roughly 30 miles or more, and often connect a group of campuses.
WANs are usually static in nature. Changes to them require rerouting telephone lines
and installing modems. LANs on the other hand can be quickly reconfigured;
communications lines are set up and rerouted more easily and gateways to host computers
can be quickly added.
Types of Wide Area Networks
There are two basic types of WANs: centralized and distributed. Centralized WANs consist
of a mainframe or minicomputer that serves remotely distributed dumb terminals. Network
managers lease communications channels from a common long-distance carrier and tie
together terminals and the central computer using a star (or other) topology. (WAN
topologies are described in more detail later in this article.) Communications is fairly
straightforward; the smart computer polls the dumb terminals to find out if they have
anything to transmit, and then it controls data transmission so that there are no collisions.
Distributed networks provide an environment that allows independent computers to
have equal levels of control in the communications architecture. Distributed networks have
grown as smart computers have increased throughout organizations. Today's packet WAN
technologies are capable of supporting worldwide transmission at rates that are less than
LAN transmission rates. (LANs support transmission rates of 100M bps and higher over
relatively short distances.)
Benefits of Wide Area Networks
WANs provide a number of benefits, including:
· Allowing network expansion and terminal changes to be accomplished through plug-in connections over wide area locations.
· Support of a variety of applications and a large number of terminals.
· Facilitating interconnectivity by means of gateways, bridges, and routers.
· Distributing terminals to the most convenient locations rather than forcing them to remain in a more centralized area.
· Centralized network management and monitoring of use and performance to ensure maximum reliability and availability.
These benefits help make users more effective in their jobs. Networking over wide
areas also helps reduce or eliminate the expensive costs of gathering teams of people
together. A US manufacturing team can now work closely with a team in Germany using
such services as electronic mail and computer video conferencing.
Elements of Wide Area Networks
WANs differ according to their access methods, connective hardware and software,
communications protocols, types of network services, and network topologies. These
differences affect network installation, growth, and operating costs. In addition, WANs
depend on the network management system for efficient and reliable operation. The
following sections describe these elements.
Access Methods
Connections to remote networks may be made over public data networks or over
private lines provided by long-distance and interexchange telephone carriers. Hosts on the
Internet are identified by 32-bit IP addresses, which are administered by the Network
Information Center. Locally administered private networks should use addresses that are
compatible with Internet addressing, so that they can later be connected to the Internet
without renumbering.
Connective Devices
Information is transmitted over WANs in packets. In addition to user data, these
packets contain information necessary for network management and protocols that permit
local and remote devices on the network to recognize one another. For example, each
packet contains address information which is necessary to ensure the correct routing of the
packet. Bridges and routers are the primary connective devices used to handle these
transmissions.
Bridges.
A bridge is a hardware and software device used to connect networks that may use
different media and signalling systems. Bridges operate at the data-link layer of the Open
Systems Interconnection (OSI) model. A bridge reads the address in each frame and filters
on it: a frame whose destination is on the same segment of the network cable as the
originating station is dropped, and only traffic destined for another segment is forwarded
across the bridge. (Frames carry the information needed to reassemble the messages
contained in packets once they reach their destination. There are two types of frames:
control frames for link management and information frames for the transfer of
information.)
Routers.
A router is a more sophisticated hardware and software device that connects local and
wide area networks. It forwards packets or frames of particular protocols, making its
forwarding decisions with network-layer addresses and routing protocols. Multiprotocol
routers can operate in heterogeneous environments by using several protocols at once.
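The filtering rule described under Bridges is easy to get backwards, so the forwarding decision of a learning bridge is written out below in Python. This is an added example, not code from the article; the addresses, port numbers and traffic are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Data-link-layer forwarding decision of a transparent (learning) bridge.

    Each port attaches one network segment.  The bridge records which port every
    source address was last seen on and uses that table to decide, per frame,
    whether to filter it (destination on the arriving segment), forward it to
    one other port, or flood it to all other ports (destination unknown).
    """

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}      # MAC address -> port, learned from source addresses only

    def receive(self, src, dst, in_port):
        """Return (action, list of output ports) for a frame arriving on in_port."""
        if in_port not in self.ports:
            raise ValueError("unknown port %r" % (in_port,))
        # Learn (or refresh) the sender's location.  The address is taken on
        # trust: nothing at this layer proves a station is who it claims to be.
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            return "flood", sorted(self.ports - {in_port})
        out_port = self.table[dst]
        if out_port == in_port:
            return "filter", []          # local traffic never crosses the bridge
        return "forward", [out_port]


def replay(bridge, frames):
    """Run a sequence of (src, dst, in_port) frames and collect the decisions."""
    return [bridge.receive(*frame) for frame in frames]


def sample_trace():
    """Constructed traffic on a three-port bridge (example data, not a capture)."""
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    frames = [
        (a, b, 1),          # b not yet known: flood to ports 2 and 3
        (b, a, 1),          # b answers from the same segment: a is local, so filter
        (a, b, 1),          # both now known on port 1: filter
        (c, a, 2),          # c on port 2 talks to a on port 1: forward to port 1
        (a, c, 1),          # the reply goes back out port 2
        (a, BROADCAST, 1),  # broadcasts always cross the bridge
    ]
    return replay(LearningBridge([1, 2, 3]), frames)


if __name__ == "__main__":
    for decision in sample_trace():
        print(decision)
```

The table is keyed on source addresses the bridge never verifies, which is why a bridge separates traffic for efficiency, not for confidentiality.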
Protocols
WAN protocols are designed to provide connections for many devices within a wide
area. Their purpose is to support a peer network of terminals, microcomputers, and hosts.
A number of WAN protocols are available, including TCP/IP (which is the combined
acronym for a pair of networking protocols, the Transmission Control Protocol [TCP] and
the Internet Protocol [IP]). The TCP/IP protocols provide the primary communications
procedures for the Internet. IBM's Systems Network Architecture (SNA) is designed to
provide communications compatibility among microcomputers, minicomputers, and
mainframes. For example, it can be used to connect IBM token-ring LANs to a host
environment.
Network Services
Frame relay and asynchronous transfer mode (ATM) are technologies used to support
network traffic. Their method of operation is described in the following paragraphs. The
appendix at the end of this article provides a listing of selected vendors of frame relay and
ATM products.
Frame Relay Network Services.
Frame relay is an extremely flexible and cost-effective technology that supports
variable network traffic. Service bandwidth is scalable from 56K bps to 2.048M bps, and it
offers a variable-length frame size from 262 bytes to 8K bytes.
Frame relay allows users to gain the advantages of high-speed circuits without having
to run dedicated links between all the endpoints on a private network. The other major
advantage of frame relay is its minimal packet overhead.
Asynchronous Transfer Mode Network Services.
Asynchronous transfer mode (ATM) refers to a high-bandwidth, low-delay
switching and multiplexing technology. ATM network services provide a foundation for
high-speed data transmission, LAN connectivity, imaging, and multimedia applications.
ATM is based on cell-switching technology that is equally effective at transmitting voice,
video, and data at high speeds. ATM is better suited than variable-length packet switching
to real-time communications (e.g., video) because it uses fixed-length 53-byte cells, each
with a small 5-byte header carrying the connection identifier used to switch the cell; the
fixed size keeps switching delay predictable.
ATM supports transmission speeds of up to 622M bps. It supports services requiring
both circuit-mode information transfer capabilities (characterized by a constant bit rate) and
packet-mode capabilities (characterized by a variable bit rate).
The Network Management System
Every major business wants to have the most efficient and economical operation of the
corporate network. In order for a business to achieve this, it must effectively manage the
computer and communications resources over the wide area network. Because most
businesses buy their networking products from more than one vendor, network
management systems must be able to support a wide variety of equipment on the same
network. This diversity makes the task of management and troubleshooting more
challenging. (Network management software is discussed later in this article.)
Network Topologies
Although the star topology is the most popular WAN topology, a number of other
network topologies are available. Each of the these topologies has consequences with
respect to reliability and availability.
Star Topology.
The star topology is highly reliable with respect to node and line failures: loss of one
node costs only a single line, and loss of that line prevents communication only between
the hub and the affected node, while all other nodes continue to operate normally. The hub
itself, however, is a single point of failure for the whole network.
This topology is more limited with respect to ensuring availability. The network can
only support the level of traffic that the hub can handle. In some cases, the hub is only able
to handle one request at a time, which can cause serious delays during peak workloads.
Ring Topology.
The ring topology uses link segments to connect adjacent nodes; each node is
actively involved in the transmission of tokens to and from other nodes. The loss of a link
causes operation of the entire network to cease. Therefore, this topology is not considered
very reliable.
The ring topology is less effective than the mesh topology at ensuring availability of
network services, but it is more effective than the star topology. Its effectiveness is limited
because each node on the ring must wait to receive the token before transmitting data.
Bus Topology.
The bus topology is also not considered reliable. If the link fails, the entire segment
connected to that link also fails. However, if the node fails, the rest of the network will
continue to operate.
The availability of network resources using this topology depends on the access control
protocol used, the length of the bus, and the transmission load. Under a light load,
availability is virtually assured, but as the load increases so too does the chance of
collisions among transmissions. The chance of collisions also increases with greater bus
length.
Mesh Topology.
This kind of topology is highly reliable, because it provides a diverse set of
transmission routes. If one segment of the line fails, the rest of the line is not affected.
Because of its multiple transmission paths, mesh topology also provides a high level of
availability.
Hybrid Topology.
The hybrid topology is highly reliable; the failure of one node does not affect the
operation of other nodes. It also provides a high degree of availability because it provides a
large number of connections to users.
Tools for Network Monitoring
A number of automated tools can assist the security specialist in identifying risks to
network security. These include:
· Protocol analyzers.
· Network monitors.
· Network management software.
· General statistical tools.
· Hybrid tools.
The following sections describe each of these types of tools.
Protocol Analyzers
Protocol analyzers can be used to observe data packets as they travel across a network,
measure rates of line use, and simulate traffic to gauge changes in the network
configuration. They are designed to capture and decode data packets, breaking traffic down
according to the seven-layer OSI reference model. The device is physically connected to the
network segments being monitored. Wandel & Goltermann's DA-30 is an example of a
protocol analyzer.
As described next, a WAN protocol analyzer is a specialized type of protocol analyzer.
WAN Protocol Analyzers
High-speed WAN protocol analyzers can be used to help network and security
specialists plan and maintain multiple LANs linked to WAN services. With their extensive
packet-filtering capabilities, these instruments are able to monitor overall network activity,
view organizational data traffic patterns, simulate new circuits, and pinpoint problems.
WAN analyzers allow the user to track exactly how much of a leased line is being used
by a particular protocol. They can also capture and store data samples and filter out
specific data packets for scrutiny. WAN analyzers are being developed with capabilities for
fault-management filters and rule-based judgments, performance trend analysis, and reports
that identify problems and assign responsibility for their diagnosis and tracking.
For efficient monitoring and diagnosis, it is vital that the analyzer be able to filter out
specific packets from the overall data stream. This requires that the analyzer keep pace with
system line speeds so that it does not overlook packets that may be critical to the network.
In practice, most high-speed WAN protocol analyzers do not really filter data at the full rate
of a T1 line. And the filtering and decoding processes further slow down the analyzer's
operation.
Because of this, most vendors of protocol analyzers specify a frame rate for their
products, indicating the number of packets or frames per second that the analyzer can
process. The vendors also specify the size of frames for which rates are given.
Most analyzers come with simulation programs that allow network managers to gauge
the possible effects of specific types of data traffic on WAN circuits. With this software,
sample packets are actually launched onto the network so that the analyzer can measure the
effects of adding different types of protocol loads. (Running simulation applications may
require shutting down network traffic.) Because most analyzers already have sophisticated
packet filtering and time-stamping capabilities, it is relatively easy to add statistical software
for data sampling and analysis. Such statistical packages can generally be run without
interfering with network traffic.
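To make concrete what "capture and decode" and "how much of a leased line is being used by a particular protocol" involve, the Python code below is an added example (not from the article, and not the software of any product named above) of an analyzer's core: it decodes constructed Ethernet/IPv4/TCP-or-UDP frames layer by layer, verifies the IP header checksum, applies a capture filter, and reports per-protocol utilization against a T1 line rate. The frames, addresses and the one-second capture window are assumptions made for the example.

```python
import socket
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAME = {1: "ICMP", 6: "TCP", 17: "UDP"}
T1_BPS = 1_544_000            # line rate the text uses as the analyzer's benchmark


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement 16-bit sum.
    Over a header that already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Constructed Ethernet II / IPv4 / TCP-or-UDP frame, used here as sample input."""
    if proto == 6:   # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # UDP: ports, length, checksum (0 means none, which IPv4 allows)
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0,
                     64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the checksum
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4 + payload


def decode_frame(frame: bytes) -> dict:
    """Decode one frame layer by layer, as an analyzer's protocol decoder does."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    rec = {"len": len(frame), "dst_mac": frame[:6].hex(":"),
           "src_mac": frame[6:12].hex(":"), "proto": "non-IP"}
    if ethertype != ETHERTYPE_IPV4:
        return rec
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ihl < 20 or len(ip_hdr) < ihl or ipv4_checksum(ip_hdr) != 0:
        rec["proto"] = "bad-ip-header"      # damaged in transit, or not really IP
        return rec
    proto = ip_hdr[9]
    rec.update(src_ip=socket.inet_ntoa(ip_hdr[12:16]), dst_ip=socket.inet_ntoa(ip_hdr[16:20]),
               proto=IP_PROTO_NAME.get(proto, "IP/%d" % proto))
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        rec["tcp_flags"] = l4[13]
    return rec


def select(records, proto=None, port=None):
    """Capture filter: keep records of the given protocol and/or with the port on either side."""
    return [r for r in records
            if (proto is None or r["proto"] == proto)
            and (port is None or port in (r.get("sport"), r.get("dport")))]


def utilization(records, link_bps=T1_BPS, window_s=1.0):
    """Percentage of the line's capacity each protocol consumed during the capture window."""
    octets = Counter()
    for r in records:
        octets[r["proto"]] += r["len"]
    return {p: 100.0 * n * 8 / (link_bps * window_s) for p, n in octets.items()}


def sample_records():
    """Three constructed frames plus a copy of the first with its TTL byte corrupted."""
    a, b = "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = [
        build_frame(a, b, "10.1.1.5", "10.2.2.80", 6, 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
        build_frame(b, a, "10.2.2.80", "10.1.1.5", 6, 80, 40001, b"HTTP/1.0 200 OK\r\n\r\n"),
        build_frame(a, b, "10.1.1.5", "10.2.2.53", 17, 40002, 53, b"\x12\x34\x01\x00\x00\x01"),
    ]
    damaged = bytearray(frames[0])
    damaged[22] ^= 0xFF          # TTL sits at IP offset 8, i.e. frame offset 14 + 8
    frames.append(bytes(damaged))
    return [decode_frame(f) for f in frames]


if __name__ == "__main__":
    recs = sample_records()
    print(select(recs, proto="TCP", port=80))
    print(utilization(recs))
```

The checksum test is what separates a decoder from a byte dumper: a frame that fails it is reported as damaged rather than decoded into misleading addresses, which matters when the analyzer is used to assign responsibility for a fault.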
Network Monitors
Network monitors track and statistically analyze traffic on network segments. As with
protocol analyzers, the device is physically connected to the segments being monitored.
Sample products include Network General's Distributed Sniffer System and Concord
Communications Trakker.
Network Management Software
Network management software and workstations monitor and report on the condition of
network elements such as bridges, routers, and hubs, typically displaying the information
as multicolored icons on a network map. These products generally poll the devices with the
Simple Network Management Protocol (SNMP). The SNMP versions these products use
authenticate requests only with a community string sent in clear text, so the management
traffic itself should be confined to a protected segment. A number of products are
available, including Hewlett-Packard's HP OpenView, Sun Microsystems' SunNet Manager,
IBM's NetView/6000, and E-Comms' E-Commander. Novell's NetWare 4.1 offers network
security and data integrity services as part of the operating system.
General Statistical Tools
These tools are designed primarily to provide statistical information about network
performance. They typically track CPU and memory levels of use, free disk space, and
network I/O. Among the available products is Hewlett-Packard's PerfView.
Hybrids
It should be noted that many products are actually hybrids that offer elements of two or
more of the preceding categories of monitoring tools. For example, many network
management stations include the statistical analysis capabilities of network monitors; some
network monitors provide basic protocol analysis capabilities. Among hybrid products that
combine traffic monitoring, protocol analysis, and network mapping are the Distributed
Sniffer System and Trakker (both introduced above), Metrix of Nashua's NetMetrix,
ProTools' Network Control Series, EMC's DataReach, and TimeFinder.
The Internet
The Internet was started in the 1960s by the US Defense Department's Advanced Research
Projects Agency to link the department with the research sites and contractors that worked
for it. Today, the Internet is a worldwide collection of millions of computers tied together
by means of high-speed communications lines to form an apparently single network. The
Internet provides an electronic forum in which people can share information and ideas,
exchange E-mail and data, use remote computers, and access public-domain information
and software.
Corporate customers now represent the fastest growing segment of the overall Internet
user population. They use the Internet for many reasons, including file transfers, electronic
mail, system maintenance, and interactive sessions. For example, one chemical company
uses the Internet to disseminate the results of its research; the company prefers using
Internet because it is available 24 hours a day, every day. An oil company uses the Internet
to transmit maps and land surveys to remote locations for oil and gas exploration; the
Internet is able to reach nearly 130 countries.
Users can connect to the Internet in several ways: dialing in to a personal account on an
Internet-connected computer; connecting through a commercial gateway; or subscribing to a
commercial service.
Personal Accounts
With this first alternative, service is limited to certain levels of access—for example,
access to USENET (an Internet-based news service), E-mail services, or file transfer
protocol (FTP) services. In addition to obtaining an account on one of these systems, the
user must implement a modem and communications package. A monthly connect-time fee
is charged; the telephone carrier also charges the user for any long-distance calls.
With this approach, the computer is not actually on the Internet; it is acting as a
terminal for another computer that has a direct Internet connection. The user does not need
to run any Internet-protocol software. But any file the user retrieves with FTP lands in the
account on that remote host and must then be downloaded a second time, to the user's own
machine, with the chosen communications package, which can be slow and expensive in
connect time. To simplify the downloading process and reduce connection costs, a software
access package (e.g., IBM's TalkLink or CuteFTP for Windows) can be used to obtain an
interface to Internet file transfer services.
Commercial Gateways
With this approach, users must obtain an official Internet membership for their systems;
in effect, they become official Internet nodes. This can be accomplished in several ways.
Server Security
Server security involves limiting access to data stored on the server. Although this field is
primarily the responsibility of the network administrator, the process of publishing data to
the Web often requires information systems specialists to take an active hand in installing
and implementing the security policy.
The two primary methods in which information from databases is published to the Web
are the use of static web pages and active dynamic Web page creation. These two methods
require almost completely different security mechanisms.
Static Web Pages
Static Web pages are simply HTML files stored on the server. Many database
specialists consider static page creation the simplest and most flexible method of publishing
data to the Web. In a nutshell, a client program is written to query data from a database and
generate HTML pages that display this information. When published as static Web pages,
Web files can be uploaded to any server; for dynamic creation, however, the Web server
usually must be modified (or new scripts or application software installed). Static pages
have the secondary advantage of being generated by traditional client/server tools such as
Visual Basic or PowerBuilder. Because almost any development system can output text
files, only the necessary HTML codes must be added to make them Web pages. The
creation of the pages, therefore, uses standard methods of database access control such as
database security and login controls.
Once created, the files must be uploaded to the Web server. Protecting the documents
stored there occurs in the same manner that any other Web documents would be secured.
One of the most straightforward ways to protect sensitive HTML documents is to limit
directory browsing. Most FTP and Web servers allow a directory to be configured so that
the files in it can be read but not listed. This prevents a user who does not know the exact
filename from finding it, and access can be granted simply by distributing the filenames to
authorized personnel. Note that this is protection by obscurity only: a filename leaks the
moment it appears in a link, a bookmark, a browser history, a proxy log or a referrer
header, and a short or predictable name can be guessed outright. It keeps documents out of
casual view; it does not authenticate anyone.
Directories may also be protected using the integrated operating system security. Some
Web servers allow security limitations to be placed on particular folders or directories using
standard operating-system mechanisms (i.e., file attributes and permissions) and then
enforce that security when serving files. The implementation varies among Web servers.
Restrictions of this kind, which require the requester to prove who they are before a file or
folder is served, fall under the user-authentication category of security.
Dynamic Page Generation
Favored by large organizations, this method is gaining popularity as the technology to
generate Web pages instantly from a database query becomes more robust. A dynamic Web
page is stored on the Web server with no actual data but instead a template for the HTML
code and a query. When a client accesses the page, the query is executed, and an HTML
page containing the data is generated on the fly. The necessary data is filled into the slots
defined in the template file in much the same way that a mail merge occurs in a
word-processing program. A program may be active on the Web server to generate the
necessary Web page, or a CGI script might create it dynamically.
One of the first security issues that a WAN security administrator must confront is
setting up access to the database from the Web server. Whether a CGI script, server-based
middleware, or a query tool is used, the server itself must have access to the database.
Database Connections
With most of the dynamic connectors to databases, a connection with broad access must
be granted to the Web server, because the various queries need to reach different tables or
views to construct the HTML. The danger is obvious: a single data source on the server
must be given broad access capabilities, which makes server security crucial. For example,
an ODBC data source configured with full administrator access could be used by any other
program running on that server.
A program could be written to retrieve private information through the data source
regardless of whether the program's author is permitted to see it. This problem is most
dangerous on a system where users are allowed to upload CGI scripts or programs to run
on the server. To prevent unauthorized access to your data, make sure that the server that
owns the database connector is physically secure and does not permit unrestricted program
execution, and give the connector no more privilege than the published queries actually
need.
Table Access Control
Standard table access control, if featured in the user-authentication system, is more
important on Web applications than on traditional client/server systems. DBAs are often lax
in restricting access to particular tables because few users would know how to create a
custom SQL query to retrieve data from the database. Most access to a database on a
client/server system occurs through a specifically built client, which limits what can be
requested from there. Not so with Web-based applications: client/server development
requires substantial experience, but even some novices can program or modify HTML
code, and most user productivity applications such as word processors or spreadsheets that
can access databases also save documents as HTML pages. Therefore, more solutions will
be created by intermediate users, and so valid security is a must. Remember, a little
knowledge can be a dangerous thing.
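As an added example of the point made in the last two sections (the Web server's data source must not be a full-access connection, and table access control has to be enforced in the database rather than trusted to whatever client reaches it), the Python code below uses SQLite's authorizer hook to confine the Web tier's connection to one published view and the columns behind it, while the DBA's own connection stays unrestricted. It is not code from the article; the schema, sample rows and permitted columns are constructed for the example. In a server database the same policy would be expressed as GRANT SELECT on the view to a dedicated low-privilege login used only by the Web server.

```python
import sqlite3

# Columns the Web tier's data source may read: the published view and the base
# columns it is built on.  A constructed policy; the cost column and the
# employees table are deliberately absent.
ALLOWED_READ = {
    "catalog": {"name", "price"},
    "products": {"name", "price"},
}


def web_tier_authorizer(action, table, column, db_name, source):
    """SQLite authorizer callback: permit SELECT over allowed columns, refuse all else.
    `source` names the view (or trigger) on whose behalf a read is made, if any."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and column in ALLOWED_READ.get(table, ()):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY     # UPDATE, DELETE, DROP, PRAGMA, reads of other columns...


def build_database():
    """The DBA's side: schema, constructed sample rows and the view published to the Web."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(name TEXT, price REAL, cost REAL);
        CREATE TABLE employees(name TEXT, ssn TEXT, salary REAL);
        INSERT INTO products VALUES ('widget', 9.99, 4.10), ('gadget', 24.50, 11.00);
        INSERT INTO employees VALUES ('J. Doe', '000-00-0000', 52000);
        CREATE VIEW catalog AS SELECT name, price FROM products;
    """)
    return conn


def web_connection():
    """The data source handed to the CGI layer: same database, confined by the authorizer."""
    conn = build_database()
    conn.set_authorizer(web_tier_authorizer)
    return conn


def run_query(conn, sql):
    """Execute one statement as middleware would; return (True, rows) or (False, reason)."""
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return False, str(exc)


if __name__ == "__main__":
    web = web_connection()
    for stmt in ("SELECT name, price FROM catalog ORDER BY name",
                 "SELECT name, cost FROM products",
                 "SELECT ssn FROM employees",
                 "UPDATE products SET price = 0"):
        print(stmt, "->", run_query(web, stmt))
```

Because the restriction lives in the database connection itself, a CGI script uploaded by an intermediate user, or any other program on the server that finds the data source, gets exactly the same refusal as the query tool the DBA intended.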
User-Authentication Security
Authentication security governs the barrier that must be passed before the user can access
particular information. The user must have some valid form of identification before access
is granted. Logins are accomplished in two standard ways: using an HTML form or using
an HTTP security request.
If a pass-through is provided to normal database access, traditional security controls
can be brought into play. Exhibit 1 shows an example of a standard security login through
Netscape Communications Corp.'s Netscape Navigator browser.
(Figure: A Schematic Diagram of Different Types of Layers Involving TCP/IP. The image is not reproduced in this transcript.)
The HTML login is simply an HTML page that contains the username and password
form fields. The IDs and password verifiers are stored in a table on the server; the
passwords themselves should be held only as salted one-way hashes, never in clear text, so
that a copy of the table does not yield working credentials. The form contents are passed to
the server through a CGI script or some piece of database middleware for lookup in the
user identification table. This method has the advantage of letting the DBA define a
particular user's privilege. By using a table created by the DBA, numerous security
privileges specific to a particular project can be defined.
Once a login has occurred, a piece of data called a “cookie” can be written onto the
client machine to track the user session. A cookie is data (similar to a key and a value in
an .ini file) sent from the Web server and stored by the client's browser; the browser
returns it to the server with each subsequent request. Because an HTTP connection is not
persistent, the cookie is how the user is recognized for the duration of the session. The
cookie should carry a long random session identifier that the server maps to the user ID,
not the user ID itself: anything the browser sends can be altered by its user, and a cookie
holding a bare user ID can be rewritten to name any other user.
HTML form login security, however, must be implemented by hand, which often means
reinventing the wheel. Not only must a database table or other file be kept to track users
and passwords, but the authentication routines must be written, whether as a CGI script or
by another method. Additionally, unless a secured connection is used (see the subsection on
Secure Sockets Layer [SSL]), both the username and password are sent across the network
in the clear, where they may be intercepted.
HTML form login is excellent when security of the data is not paramount yet
specialized access controls are required. Browser login is most useful when it is integrated
with existing database security through some type of middleware. Even with users properly
authenticated, additional security concerns arise.
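The Python code below is an added example (not from the article) of the HTML-form login and cookie session described above, written the way a practitioner would want it: passwords are stored as salted PBKDF2 hashes, the cookie carries a random session token that the server maps to the user, and a cookie that merely names a user is rejected. The user table, privilege names, iteration count and cookie attributes are assumptions made for the example; the HTTP handling that would surround login() and identify() in a CGI script is left out.

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

PBKDF2_ROUNDS = 100_000   # assumption for the example; raise it as hardware allows
USERS = {}                # username -> (salt, verifier, privilege): the DBA's user table
SESSIONS = {}             # session token -> username, held on the server only


def _verifier(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(username, password, privilege="reader"):
    """Create a row in the user table: a fresh salt, the hash, and the DBA-assigned privilege."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _verifier(password, salt), privilege)


def login(form):
    """Check a submitted HTML form; return the Set-Cookie header value, or None on failure."""
    username = form.get("username", "")
    password = form.get("password", "")
    row = USERS.get(username)
    if row is None:
        _verifier(password, b"\x00" * 16)   # spend the same time as a real check
        return None
    salt, verifier, _ = row
    if not hmac.compare_digest(_verifier(password, salt), verifier):
        return None
    token = secrets.token_urlsafe(32)        # unguessable; it names a session, not a user
    SESSIONS[token] = username
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Strict" % token


def _token_from(cookie_header):
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    return jar["session"].value if "session" in jar else None


def identify(cookie_header):
    """Map the browser's Cookie header to the logged-in user; None if absent, unknown or forged."""
    return SESSIONS.get(_token_from(cookie_header))


def privilege_of(username):
    """The privilege the DBA recorded for an authenticated user (None if not a user)."""
    row = USERS.get(username)
    return row[2] if row else None


def logout(cookie_header):
    """Drop the server-side session so a captured cookie is useless afterwards."""
    SESSIONS.pop(_token_from(cookie_header), None)


if __name__ == "__main__":
    add_user("alice", "correct horse battery staple", privilege="dba")
    header = login({"username": "alice", "password": "correct horse battery staple"})
    print("Set-Cookie:", header)
    print("forged cookie user=alice ->", identify("user=alice"))
    print("real cookie ->", identify(header.split(";")[0]))
```

The Secure attribute is what ties this back to the interception problem in the next section: without it the browser will send the session cookie over an unencrypted connection, where it can be captured just as a password can.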
Session Security
After the user has supplied proper identification and access is granted to data, session
security ensures that private data is not intercepted or interfered with during the session.
The basic protocols of the network do not set up a dedicated point-to-point circuit the way
a telephone call does. On a shared-medium network every station sees every frame on its
segment, and delivery is by address: each machine is expected to read only the traffic
addressed to it.
TCP/IP is the basic protocol for transmission on the Internet. It was not designed with
security in mind, and as such is very insecure. Because data sent from one machine to
another is visible to every other station on the shared segments it crosses, a program called
a “packet sniffer” can be used to capture the packets bound for a particular user. Therefore,
even though a user has properly logged onto a system, any information that is accessed can
be intercepted and captured by another user on the network. There is no easy way to
prevent this interception except by encrypting all of the information that flows in both
directions (see Exhibit 2).
Exhibit 2. Need for Web Protection Levels (Encrypted)

Service type                 Threats
                             1. Destruction  2. Interference  3. Modification   4. Misrepresentation
                                                                 or replacement
-----------------------------------------------------------------------------------------------------
Advertising                  Basic           Basic            Strong            Basic
Secure Internet/Intranet
  1. Informational           Basic           Basic            Strong            Basic
  2. Transactional           Basic           Strong           Strong            Basic
Electronic commerce          Strong          Strong           Strong            Strong

(table continued)

Service type                 5. Reputation   6. Inadvertent   7. Unauthorized   8. Unauthorized   9. Unauthorized
                                                misuse           altering/         transaction       disclosures
                                                                 downloading
------------------------------------------------------------------------------------------------------------------
Advertising                  No level        No level         Basic             No level          No level
Secure Internet/Intranet
  1. Informational           No level        Basic            Strong            Basic             Basic
  2. Transactional           Basic           Basic            Strong            Basic             Basic
Electronic commerce          Basic           Strong           Strong            Strong            Strong
Conclusion
Vendors that used to compete with each other in marketing their products are now working
together to provide a common routing protocol. A common routing protocol will give
customers the ability to implement an open computing environment using components from
multiple vendors. Customers will no longer have to rely on a single vendor to meet their
networking requirements, which will provide them greater flexibility and efficiency and
help reduce network operating costs.
Author Biographies
Steven Powell
Steven Powell, PhD, is an associate professor of computer information systems,
College of Business Administration, California State Polytechnic University, Pomona CA.
He has taught and written articles on communications management and controls.
Frederick Gallegos
Frederick Gallegos, CISA, CDE, CGFM, is the EDP audit advisor for the College of
Business Administration, California State Polytechnic University, Pomona CA. He has
taught EDP audit and security classes at the university and has authored articles on
computer security management and control.