
IT207 Network Essentials - Project 2011

INFORMATICS COMPUTER SCHOOL DIT PROJECT (IT207 Network Essentials) < Thai Airways Computer Network Connection >

Name: Lim, Ma. Carmen N.
Address: 37 Padua St. BFRV LPC, M.M.
Student No.: 0000-7999
Lecturer: Sir Jasper L. Calibo
Center: 0535
Country: Republic of the Philippines

0000-7999 (I-DIT)

TABLE OF CONTENTS

CHAPTER 1: Introduction ............................................ 3
CHAPTER 2: Network Architecture Topologies & Diagram ............... 4 to 6
CHAPTER 3: Network & Server Configuration .......................... 7 to 13
CHAPTER 4: Network & Internetworking Devices ....................... 14 to 24
CHAPTER 5: Network Security ........................................ 25 to 43
CHAPTER 6: Communication Links ..................................... 44 to 45
CHAPTER 7: Approximate Budget ...................................... 46 to 47
Conclusion ......................................................... 48
Bibliography ....................................................... 49
Acknowledgements ................................................... 50


CHAPTER 1: INTRODUCTION

This documentation contains an explanation of the computer network design of Thai Airways. As we all know, this company provides domestic and international airline services. They are one of the largest and leading companies in that field as of now, thanks to proficient service delivered in an affable and cultural manner. Since the company is engaged in travel and tour services, it is understood that they have to put up facilities in every area of their key destinations. Thai Airways is continuously growing; in fact, they now fly to far-off European destinations such as Oslo, Norway, their 59th and newest station. If we think about it, the number of base stations the company has is broad, and it could bewilder an individual to think about how they manage and operate them all. How? There is a form of intercommunication between each of their base stations, and that is computer networking, which is the practice of linking hardware, software and devices for communication purposes. This write-up will expand on that topic and expose the computer network structure of our subject company. Thai Airways makes use of technology that can reach across wide geographical areas, for instance from country to country. However, we will only demonstrate a sample of their computer network topology for a couple of their destinations from the home base, because they have a great many. It will be a Wide Area Network in a frame relay, starting from their recent base station in Oslo, Norway to the Philippines.


CHAPTER 2: NETWORK ARCHITECTURE TOPOLOGIES AND DIAGRAM

The Thai Airways computer network is arranged as a WAN (Wide Area Network) connection in a frame relay setting. Frame relay is a telecommunication service designed for cost-efficient data transmission for intermittent traffic between local area networks (LANs) and between end-points in a wide area network (WAN). The network connection has a cloud as the central device that handles the other networks that surround it across distant regions. Therefore it applies an extended star network topology to propagate information point-to-point through routing techniques, and a partial mesh topology through the assignment of DLCIs to direct the flow of data in the network.

Extended Star Topology

The Extended Star Topology is a bit more advanced. Instead of connecting all devices to a central unit, we have sub-central devices added to the mix. This allows more functionality for organization and subnetting, yet also creates more points of failure. In many cases it is impractical to use a Star Topology since networks can span an entire building. In this case, the Extended Star Topology is all but necessary to prevent degraded signals.

Whereas the Star Topology is better suited for small networks, the Extended Star Topology is generally better for the larger ones.


Thai Airways enhances their Extended Star Topology through the use of Data Communications Equipment (DCE) to direct transmitted data, using the Data Link Connection Identifier (DLCI), to the various existing end-points.

Mesh Topology

The Mesh Topology is a type of networking where each node must not only capture and disseminate its own data, but also serve as a relay for other nodes; that is, it must collaborate to propagate the data in the network.

This network topology connects every single node together. This will create the most redundant and reliable network around, especially for large networks.

If any link fails, we (should) always have another link to send data through. So why don't we use it more often?

Simple: how many wires would it take to link a computer to every device on a network of over 100 devices? Now multiply that for every device on the network; not a pleasant number, is it? Obviously you should only use this in smaller networks. Alternatively, you could try a Partial-Mesh Topology.


Network Architecture

This is the network architecture of Thai Airways, as designed virtually in Cisco Packet Tracer.

Diagram Inside the Frame Relay Cloud:


CHAPTER 3: NETWORK AND SERVER CONFIGURATION

Configuration of Frame Relay


Change the encapsulation

Go into interface mode and select the Frame Relay encapsulation on the interface. There are two types of Frame Relay encapsulation: Cisco and IETF. Cisco is the default. The syntax to set your encapsulation is:
encapsulation frame-relay [ietf]

Configuring the LMI type

The three LMI types are Cisco, ANSI, and Q933a. For IOS 11.2 and higher, the LMI type is automatically detected. The syntax to set it explicitly is:
frame-relay lmi-type [cisco | ansi | q933a]

Configuring the Frame Relay map

Configuring a static Frame Relay map is optional unless you are using subinterfaces. The Frame Relay map maps a Layer 3 address to a local DLCI. This step is optional because Inverse ARP will automatically perform this mapping for you. The syntax for a Frame Relay map is as follows:
frame-relay map protocol address dlci [broadcast] [cisco | ietf]

Configuring subinterfaces

If you are using a routing protocol in a hub-and-spoke topology, you will probably want to use subinterfaces to avoid the split-horizon problem. To configure a subinterface, remove the IP address from the main interface and put it under the subinterface.


Configuring a subinterface involves assigning it a number and specifying the type. The following command creates the point-to-point subinterface serial0/0.1:
Router(config)#interface serial0/0.1 point-to-point

To create a multipoint subinterface, enter multipoint instead:
Router(config)#interface serial0/0.1 multipoint

Assign an IP address to the subinterface

After entering one of these commands you will be taken to the subinterface configuration mode, where you can enter your IP address:
Router(config-subif)#ip address 10.0.0.2 255.0.0.0

If you are using a multipoint subinterface, you will need to configure Frame Relay maps and you cannot rely on Inverse ARP. If you are using a point-to-point subinterface, you will need to assign a DLCI to the subinterface. This is only for point-to-point subinterfaces; it is not needed on the main interface or on multipoint subinterfaces. To assign a DLCI to a point-to-point subinterface, enter the following command under the subinterface:
frame-relay interface-dlci dlci


Now first configure Router1. The Fast Ethernet port and hostname are already configured. Open the Command Line Interface (CLI) of Router1, configure the serial port for Frame Relay encapsulation, and then create a subinterface for each of Router2, Router3 and Router4. Also configure static routes for reaching the remaining networks.

(Configure Router 1)
R1>enable
R1#configure terminal
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0.102 point-to-point
R1(config-subif)#ip address 192.168.1.245 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.103 point-to-point
R1(config-subif)#ip address 192.168.1.249 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 103
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.104 point-to-point
R1(config-subif)#ip address 192.168.1.253 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 104
R1(config-subif)#exit
R1(config)#ip route 192.168.1.64 255.255.255.224 192.168.1.246
R1(config)#ip route 192.168.1.96 255.255.255.224 192.168.1.250
R1(config)#ip route 192.168.1.128 255.255.255.224 192.168.1.254
R1(config)#exit

(configure Router 2)
R2>enable
R2#configure terminal
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101 point-to-point
R2(config-subif)#ip address 192.168.1.246 255.255.255.252
R2(config-subif)#frame-relay interface-dlci 101
R2(config-subif)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.245


(configure Router 3)
R3>enable
R3#configure terminal
R3(config)#interface serial 0/0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 0/0/0.101 point-to-point
R3(config-subif)#ip address 192.168.1.250 255.255.255.252
R3(config-subif)#frame-relay interface-dlci 101
R3(config-subif)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.249
R3(config)#

(configure Router 4)
R4>enable
R4#configure terminal
R4(config)#interface serial 0/0/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface serial 0/0/0.101 point-to-point
R4(config-subif)#ip address 192.168.1.254 255.255.255.252
R4(config-subif)#frame-relay interface-dlci 101
R4(config-subif)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.253
R4(config)#
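Before the ping test, here is an added consistency check for the four router configurations above (example code written for this page, not the project's own). It parses the R1-R4 commands as reproduced on the page and confirms that each hub/spoke link shares its /30 subnet on both ends, that each spoke's default route points at R1's end of its own link, that R1 has a static route back through each spoke, and that no router reuses a DLCI on two subinterfaces.

```python
"""Cross-check of the R1-R4 Frame Relay hub-and-spoke configs from Chapter 3.
Added example for this page, not the project's own code. The input is the
command transcripts above with prompts and unrelated lines stripped."""
import ipaddress
import re

# Constructed copy of the page's transcripts (prompts removed).
CONFIGS = {
    "R1": """
interface serial 0/0/0.102 point-to-point
 ip address 192.168.1.245 255.255.255.252
 frame-relay interface-dlci 102
interface serial 0/0/0.103 point-to-point
 ip address 192.168.1.249 255.255.255.252
 frame-relay interface-dlci 103
interface serial 0/0/0.104 point-to-point
 ip address 192.168.1.253 255.255.255.252
 frame-relay interface-dlci 104
ip route 192.168.1.64 255.255.255.224 192.168.1.246
ip route 192.168.1.96 255.255.255.224 192.168.1.250
ip route 192.168.1.128 255.255.255.224 192.168.1.254
""",
    "R2": """
interface serial 0/0/0.101 point-to-point
 ip address 192.168.1.246 255.255.255.252
 frame-relay interface-dlci 101
ip route 0.0.0.0 0.0.0.0 192.168.1.245
""",
    "R3": """
interface serial 0/0/0.101 point-to-point
 ip address 192.168.1.250 255.255.255.252
 frame-relay interface-dlci 101
ip route 0.0.0.0 0.0.0.0 192.168.1.249
""",
    "R4": """
interface serial 0/0/0.101 point-to-point
 ip address 192.168.1.254 255.255.255.252
 frame-relay interface-dlci 101
ip route 0.0.0.0 0.0.0.0 192.168.1.253
""",
}

IFACE_RE = re.compile(r"^interface (.+?)(?: (point-to-point|multipoint))?$")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")
DLCI_RE = re.compile(r"^frame-relay interface-dlci (\d+)$")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)$")


def parse(config):
    """Return ({subinterface: {"addr": IPv4Interface, "dlci": int}}, [(network, next_hop)])."""
    ifaces, routes, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            cur = m.group(1)
            ifaces[cur] = {}
        elif (m := ADDR_RE.match(line)) and cur:
            # IOS writes a dotted mask; ipaddress accepts "addr/dotted-mask"
            ifaces[cur]["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif (m := DLCI_RE.match(line)) and cur:
            ifaces[cur]["dlci"] = int(m.group(1))
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, ipaddress.ip_address(m.group(3))))
    return ifaces, routes


def check_hub_and_spoke(configs, hub="R1"):
    """Return a list of problems; an empty list means every hub/spoke link is consistent."""
    problems = []
    parsed = {name: parse(cfg) for name, cfg in configs.items()}
    hub_ifaces, hub_routes = parsed[hub]
    hub_by_ip = {e["addr"].ip: (n, e) for n, e in hub_ifaces.items() if "addr" in e}
    for spoke, (ifaces, routes) in parsed.items():
        if spoke == hub:
            continue
        ends = [e for e in ifaces.values() if "addr" in e and "dlci" in e]
        defaults = [nh for net, nh in routes if net.prefixlen == 0]
        if len(ends) != 1 or len(defaults) != 1:
            problems.append(f"{spoke}: expected one addressed subinterface with a DLCI and one default route")
            continue
        end, nexthop = ends[0], defaults[0]
        if nexthop not in hub_by_ip:
            problems.append(f"{spoke}: default route next hop {nexthop} is not an address on {hub}")
            continue
        hub_if, hub_end = hub_by_ip[nexthop]
        # Both ends of a point-to-point PVC must sit in the same /30 link subnet
        if end["addr"].network != hub_end["addr"].network:
            problems.append(f"{spoke}: {end['addr']} is not in the same /30 as {hub} {hub_if} {hub_end['addr']}")
        # The hub needs a static route back through this spoke for the spoke's LAN
        if not any(nh == end["addr"].ip for _, nh in hub_routes):
            problems.append(f"{hub}: no static route uses {spoke} ({end['addr'].ip}) as next hop")
    for name, (ifaces, _) in parsed.items():
        dlcis = [e["dlci"] for e in ifaces.values() if "dlci" in e]
        if len(dlcis) != len(set(dlcis)):
            problems.append(f"{name}: the same DLCI is assigned to two subinterfaces")
    return problems
```

Running check_hub_and_spoke(CONFIGS) on the page's configuration returns an empty list; mistyping a spoke address into a different /30 produces both a subnet mismatch and a missing hub return route.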

Now verify by pinging from PC0 to all the other PCs. The pings should succeed.

Frame Relay command summary

Router(config)#interface serial 0/0/0
Enters interface configuration mode

Router(config-if)#encapsulation frame-relay
Turns on Frame Relay encapsulation with the default encapsulation type of cisco

Router(config-if)#frame-relay lmi-type {ansi | cisco | q933a}
Depending on the option you select, this command sets the LMI type to the ANSI standard, the Cisco standard, or the ITU-T Q.933 Annex A standard.

Router(config-if)#frame-relay interface-dlci 110
Sets the DLCI number of 110 on the local interface and enters Frame Relay DLCI configuration mode

Router(config-fr-dlci)#exit
Returns to interface configuration mode

Router(config-if)#frame-relay map ip 192.168.100.1 110 broadcast
Maps the remote IP address (192.168.100.1) to the local DLCI number (110). The optional broadcast keyword specifies that broadcasts across IP should be forwarded to this address. This is necessary when using dynamic routing protocols.

Router(config-if)#no frame-relay inverse-arp
Turns off Inverse ARP.

Router#show frame-relay map
Displays IP/DLCI map entries

Router#show frame-relay pvc
Displays the status of all PVCs configured

Router#show frame-relay lmi
Displays LMI statistics

Router#clear frame-relay counters
Clears and resets all Frame Relay counters

Router#clear frame-relay inarp
Clears all Inverse ARP entries from the map table

Router#debug frame-relay lmi
Used to help determine whether a router and Frame Relay switch are exchanging LMI packets properly


Local Area Network Configuration

A local area network (LAN) connection is configured through a switch, usually next to a router that acts as the central endpoint linking it to a larger network such as a wide area network (WAN). Before any configuration is done, the computing devices that are to be included in the local area network (LAN), which will be attached to a switch, have to be arranged first and have IP addresses and gateways assigned to them for the functions needed later by network services and the like. Once we have assigned IP addresses and gateways to the computer devices that are attached to the switch via copper straight-through cables into their Fast Ethernet ports, the configuration is ready to be set on the switches at the command line interface.

Local area network switch configuration

1.) Open the switch's command line interface (CLI) and press ENTER once you are there.
2.) Type in the following commands to enable and configure the VLAN database.
Switch>en
Switch#vlan database
Switch(vlan)#vlan 10 name LAName1
Switch(vlan)#vlan 20 name LAName2
Switch(vlan)#exit

The above command statements are used to name a LAN where computer devices will be connected.



Switch#configure terminal
Switch(config)#interface fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#

The above configuration is used to include the interface fa0/2 (Fast Ethernet 0/2) in the VLAN 10 cluster of the local area network. The same configuration commands are used for the other devices to be included in that local area network connection. After that we leave interface mode and configure the port facing the router, fa0/1, as a trunk with these commands:
Switch(config-if)#end
Switch#configure terminal
Switch(config)#interface fa0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#end

3.) When we have granted all computing devices access to the local area network, it is time to configure the router, which is attached to the switch via a copper straight-through cable. This is done in the router's command line interface (CLI).
4.) Open the router's command line interface (CLI) and type in:
Router>enable
Router#configure terminal
Router(config)#interface fa0/0
Router(config-if)#no shutdown
Router(config-if)#interface fa0/0.1
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.1.1 255.255.255.0
Router(config-subif)#end
Router#

5.) Close the CLI window now. Those were the commands to register the router with the switch and link it with the end-point devices such as desktops. The configuration ends here.


CHAPTER 4: NETWORKING AND INTERNETWORKING DEVICES

Thai Airways has a Wide Area Network that is in a Frame Relay connection. This portion of the discourse will identify the devices used for both their WAN and LAN.

Wide Area Network (WAN) Frame Relay Devices

DCE (Data Circuit-Terminating Equipment) are carrier-owned internetworking devices. The purpose of DCE equipment is to provide clocking and switching services in a network; these are the devices that actually transmit data through the WAN. In most cases, these are packet switches.

Modem - (modulator-demodulator) is a device that modulates an analog carrier signal to encode digital information, and also demodulates such a carrier signal to decode the transmitted information. The goal is to produce a signal that can be transmitted easily and decoded to reproduce the original digital data. Modems can be used over any means of transmitting analog signals, from light emitting diodes to radio.

Packet Switch - is a node in a network which uses the packet switching paradigm for data communication. Packet switches can operate at a number of different levels in a protocol suite; although the exact technical details differ, fundamentally they all perform the same function: they store and forward packets.

PACKET SWITCH


One common class of contemporary packet switches are the bridge and network hub, which interconnect multiple network segments at the data link layer.

Another is the router, a device which operates at the internetwork layer, and connects dissimilar kinds of networks, such as serial lines and local area networks.

Generally, packet switches only perform communication-related functions, but in some systems the computers which performed the packet-switching function were also used for data storage and computation.

Originally, packet switches were built around standard minicomputers. Today, almost all packet switches are specialized hardware devices, ranging in size and performance from small local hubs up to the large switching systems used by major Internet service providers. However, software is available which allows a personal computer to function as a low-performance packet switch.


Permanent Virtual Circuits (PVCs) are permanently established connections that are used for frequent and consistent data transfers between DTE devices across the Frame Relay network. Communication across a PVC does not require the call setup and termination states that are used with SVCs. PVCs always operate in one of the following two operational states:

Data transfer - Data is transmitted between the DTE devices over the virtual circuit.
Idle - The connection between DTE devices is active, but no data is transferred.

Unlike SVCs, PVCs will not be terminated under any circumstances when in an idle state.

DTE devices can begin transferring data whenever they are ready because the circuit is permanently established.


Generic Routing Encapsulation (GRE) Tunnel is a simple IP packet encapsulation protocol. A GRE tunnel is used when IP packets need to be sent from one network to another without being parsed or treated like IP packets by any intervening routers.

GRE Mechanism:

The Generic Routing Encapsulation (GRE) tunnel keepalive mechanism is slightly different from that of Ethernet or serial interfaces. It gives one side the ability to originate and receive keepalive packets to and from a remote router even if the remote router does not support GRE keepalives. Since GRE is a packet tunneling mechanism for tunneling IP inside IP, a GRE IP tunnel packet can be built inside another GRE IP tunnel packet. For GRE keepalives, the sender pre-builds the keepalive response packet inside the original keepalive request packet, so that the remote end only needs to do standard GRE decapsulation of the outer GRE IP header and then forward the inner IP GRE packet. This mechanism causes the keepalive response to be forwarded out the physical interface rather than the tunnel interface. This means that the GRE keepalive response packet is not affected by any output features on the tunnel interface.


ATM (asynchronous transfer mode) is a dedicated-connection switching technology that organizes digital data into 53-byte cell units and transmits them over a physical medium using digital signal technology. Individually, a cell is processed asynchronously relative to other related cells and is queued before being multiplexed over the transmission path.

Because ATM is designed to be easily implemented by hardware (rather than software), faster processing and switch speeds are possible. The pre-specified bit rates are either 155.520 Mbps or 622.080 Mbps. Speeds on ATM networks can reach 10 Gbps. Along with Synchronous Optical Network (SONET) and several other technologies, ATM is a key component of broadband ISDN (BISDN).

ATM also stands for automated teller machine, a machine that bank customers use to make transactions without a human teller.


Local Area Network (LAN) Devices

DTE (Data Terminal Equipment) are generally considered to be terminating equipment for a specific network and typically are located on the premises of a customer. In fact, they may be owned by the customer.

1841 Integrated Services Router is part of the Cisco 1800 Integrated Services Router Series, which complements the Integrated Services Router Portfolio.

The Cisco 1841 Integrated Services Router provides the following support:

- Wire-speed performance for concurrent services at T1/E1 WAN rates
- Enhanced investment protection through increased performance and modularity
- Increased density through High-Speed WAN Interface Card Slots (two)
- Support for over 90 existing and new modules
- Support for the majority of existing WICs, VWICs, and VICs (data mode only)
- Two integrated 10/100 Fast Ethernet ports
- Security
  o On-board encryption
  o Support of up to 800 VPN tunnels with the AIM Module
  o Antivirus defense support through Network Admission Control (NAC)
  o Intrusion Prevention as well as stateful Cisco IOS Firewall support and many more essential security features


2960-24TT Switch

Cisco Catalyst 2960 Series Intelligent Ethernet Switches are a new family of fixed-configuration standalone devices that provide desktop Fast Ethernet and Gigabit Ethernet connectivity, enabling enhanced LAN services for entry-level enterprise, mid-market, and branch office networks. The Catalyst 2960 Series offers integrated security, including network admission control (NAC), advanced quality of service (QoS), and resiliency to deliver intelligent services for the network edge.

2950T-24 Switch

The 2950T-24 is a member of the Cisco Catalyst 2950 Series switches, and is a standalone, fixed-configuration, managed 10/100 switch providing user connectivity for small to mid-sized networks. This wire-speed desktop switch comes with Standard Image (SI) software features and offers Cisco IOS functionality for basic data, video and voice services at the edge of the network.


Desktop Computers

A desktop computer is a personal computer that is designed to fit conveniently on top of a typical office desk.

A desktop computer typically comes in several units that are connected together during installation: (1) the processor, which can be in a microtower or minitower designed to fit under the desk or in a unit that goes on top of the desk, (2) the display monitor, (3) and input devices - usually a keyboard and a mouse.

Today, almost all desktop computers include a built-in modem, a CD-ROM drive, a multi-gigabyte magnetic storage drive, and sometimes a diskette drive. At home, most desktop computer users also purchase a printer.

In businesses and increasingly at home, desktop computers can be interconnected and can share resources such as printers by being connected to a local area network (LAN).


RJ45 (T568A) Straight-Through Cable

The data cables we use to connect computers to an Ethernet switch are straight-through cables.

The RJ45 cable uses only 2-pairs of wires: Orange (pins 1 & 2) and Green (pins 3 & 6). Pins 4, 5 (Blue) and 7, 8 (Brown) are NOT used.

Straight-through cable, as its name suggests, connects pin 1 to pin 1, pin 2 to pin 2, pin 3 to pin 3, and pin 6 to pin 6.

UTP CAT5e Solid

Stands for Unshielded Twisted Pair Category 5 Enhanced cable. It supports networking at Gigabit Ethernet speeds (up to 1000 Mbps) over short distances by utilizing all four wire pairs, and it is backward-compatible with ordinary CAT5.


Network Interface Cards (NIC) - an expansion board you insert into a computer so the computer can be connected to a network.

Most NICs are designed for a particular type of network, protocol, and media, although some can serve multiple networks.

Crimping Tool is a tool designed to crimp or connect a connector to the end of a cable.

For example, network cables and phone cables are created using a crimping tool to connect the RJ-45 and RJ-11 connectors to the end of the cable. The picture to the right is an example of what a crimping tool looks like. This example shows a tool capable of crimping both RJ-11 and RJ-45 connectors.



Telecom Device (Other)

Cisco Unified IP Phone 7900 Series - A telephone that converts voice into IP packets and vice versa for voice over IP (VoIP) telephone service. The term usually refers to a telephone with built-in IP signaling protocols such as H.323 or SIP that is used in conjunction with an IP PBX in an enterprise. However, it may also refer to a software-based phone (softphone) that is installed in the user's PC and requires that calls be made from the PC. Internet telephony refers to communications services (voice, fax, SMS, and/or voice-messaging applications) that are transported via the Internet, rather than the public switched telephone network (PSTN). The steps involved in originating a VoIP telephone call are signaling and media channel setup, digitization of the analog voice signal, encoding, packetization, and transmission as Internet Protocol (IP) packets over a packet-switched network. On the receiving side, similar steps (usually in the reverse order) such as reception of the IP packets, decoding of the packets and digital-to-analog conversion reproduce the original voice stream.


CHAPTER 5: NETWORK SECURITY

Risk Management: The Game of Security

It's very important to understand that in security, one simply cannot say "what's the best firewall?" There are two extremes: absolute security and absolute access. The closest we can get to an absolutely secure machine is one unplugged from the network and power supply, locked in a safe, and thrown to the bottom of the ocean. Unfortunately, it isn't terribly useful in this state. A machine with absolute access is extremely convenient to use: it's simply there, and will do whatever you tell it, without questions, authorization, passwords, or any other mechanism. Unfortunately, this isn't terribly practical, either: the Internet is a bad neighborhood now, and it isn't long before some bonehead will tell the computer to do something like self-destruct, after which it isn't terribly useful to you.

This is no different from our daily lives. We constantly make decisions about what risks we're willing to accept. When we get in a car and drive to work, there's a certain risk that we're taking. It's possible that something completely out of control will cause us to become part of an accident on the highway. When we get on an airplane, we're accepting the level of risk involved as the price of convenience. However, most people have a mental picture of what an acceptable risk is, and won't go beyond that in most circumstances. If I happen to be upstairs at home, and want to leave for work, I'm not going to jump out the window. Yes, it would be more convenient, but the risk of injury outweighs the advantage of convenience.


Every organization needs to decide for itself where between the two extremes of total security and total access they need to be. A policy needs to articulate this, and then define how that will be enforced with practices and such. Everything that is done in the name of security, then, must enforce that policy uniformly.

Types And Sources Of Network Threats

Now, we've covered enough background information on networking that we can actually get into the security aspects of all of this. First of all, we'll get into the types of threats there are against networked computers, and then some things that can be done to protect yourself against various threats.

Denial-of-Service

DoS (Denial-of-Service) attacks are probably the nastiest, and most difficult to address. These are the nastiest, because they're very easy to launch, difficult (sometimes impossible) to track, and it isn't easy to refuse the requests of the attacker, without also refusing legitimate requests for service.

The premise of a DoS attack is simple: send more requests to the machine than it can handle. There are toolkits available in the underground community that make this a simple matter of running a program and telling it which host to blast with requests. The attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then dropping the connection.


If the host is able to answer 20 requests per second, and the attacker is sending 50 per second, obviously the host will be unable to service all of the attacker's requests, much less any legitimate requests (hits on the web site running there, for example).

Such attacks were fairly common in late 1996 and early 1997, but are now becoming less popular.

Some things that can be done to reduce the risk of being stung by a denial of service attack include:

- Not running your visible-to-the-world servers at a level too close to capacity.
- Using packet filtering to prevent obviously forged packets from entering into your network address space. Obviously forged packets would include those that claim to come from your own hosts, addresses reserved for private networks as defined in RFC 1918, and the loopback network (127.0.0.0).
- Keeping up-to-date on security-related patches for your hosts' operating systems.
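The packet filtering item above, as an added example for this page (not part of the original project): a border ingress filter that drops inbound packets whose source address is obviously forged. The site's own address block (198.51.100.0/24, documentation space) and the sample packets are constructed; the RFC 1918 and loopback ranges are the ones the text names.

```python
"""Ingress filter for "obviously forged" source addresses at the Internet border.
Added example for this page, not the project's own code. Implements the three
checks named in the text: own hosts, RFC 1918 private space, loopback."""
import ipaddress

# Constructed: the address space this site announces to the outside world.
OWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Sources that can never legitimately arrive on the external interface.
BOGON_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918
    ipaddress.ip_network("127.0.0.0/8"),      # loopback network
]


def forged_reason(src):
    """Return why an inbound packet with source `src` is obviously forged, or None."""
    addr = ipaddress.ip_address(src)
    for net in OWN_NETWORKS:
        if addr in net:
            return f"claims to come from our own address space {net}"
    for net in BOGON_NETWORKS:
        if addr in net:
            return f"source lies in non-routable range {net}"
    return None


def filter_inbound(packets):
    """Split (src, dst) tuples seen on the external interface into (accepted, dropped).

    Each dropped entry pairs the packet with its reason, which is what to log."""
    accepted, dropped = [], []
    for src, dst in packets:
        reason = forged_reason(src)
        if reason:
            dropped.append(((src, dst), reason))
        else:
            accepted.append((src, dst))
    return accepted, dropped


# Constructed sample traffic arriving from the Internet side.
SAMPLE_PACKETS = [
    ("203.0.113.7", "198.51.100.10"),    # legitimate remote client
    ("198.51.100.5", "198.51.100.10"),   # forged: claims to be one of our hosts
    ("10.1.2.3", "198.51.100.10"),       # forged: RFC 1918 source
    ("127.0.0.1", "198.51.100.10"),      # forged: loopback source
    ("192.0.2.44", "198.51.100.10"),     # legitimate remote client
]

if __name__ == "__main__":
    ok, bad = filter_inbound(SAMPLE_PACKETS)
    for pkt, why in bad:
        print("drop", pkt, "-", why)
    print(len(ok), "accepted,", len(bad), "dropped")
```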


Unauthorized Access

"Unauthorized access" is a very high-level term that can refer to a number of different sorts of attacks. The goal of these attacks is to access some resource that your machine should not provide the attacker. For example, a host might be a web server, and should provide anyone with requested web pages. However, that host should not provide command shell access without being sure that the person making such a request is someone who should get it, such as a local administrator.

Executing Commands Illicitly

It's obviously undesirable for an unknown and untrusted person to be able to execute commands on your server machines. There are two main classifications of the severity of this problem: normal user access, and administrator access. A normal user can do a number of things on a system (such as read files, mail them to other people, etc.) that an attacker should not be able to do. This might, then, be all the access that an attacker needs. On the other hand, an attacker might wish to make configuration changes to a host (perhaps changing its IP address, putting a start-up script in place to cause the machine to shut down every time it's started, or something similar). In this case, the attacker will need to gain administrator privileges on the host.


Confidentiality Breaches

We need to examine the threat model: what is it that you're trying to protect yourself against? There is certain information that could be quite damaging if it fell into the hands of a competitor, an enemy, or the public. In these cases, it's possible that compromise of a normal user's account on the machine can be enough to cause damage (perhaps in the form of PR, or obtaining information that can be used against the company, etc.)

While many of the perpetrators of these sorts of break-ins are merely thrill-seekers interested in nothing more than seeing a shell prompt for your computer on their screen, there are those who are more malicious, as we'll consider next. (Additionally, keep in mind that it's possible that someone who is normally interested in nothing more than the thrill could be persuaded to do more: perhaps an unscrupulous competitor is willing to hire such a person to hurt you.)

Destructive Behavior Among the destructive sorts of break-ins and attacks, there are two major categories. Data Diddling. The data diddler is likely the worst sort, since the fact of a break-in might not be immediately obvious. Perhaps he's toying with the numbers in your spreadsheets, or changing the dates in your projections and plans. Maybe he's changing the account numbers for the auto-deposit of certain paychecks. In any case, rare is the case when you'll come in to work one day, and simply know that something is wrong.


An accounting procedure might turn up a discrepancy in the books three or four months after the fact. Trying to track the problem down will certainly be difficult, and once that problem is discovered, how can any of your numbers from that time period be trusted? How far back do you have to go before you think that your data is safe?

Data Destruction. Some of those who perpetrate attacks are simply twisted jerks who like to delete things. In these cases, the impact on your computing capability -- and consequently your business -- can be nothing less than if a fire or other disaster caused your computing equipment to be completely destroyed.

Where Do They Come From?

How, though, does an attacker gain access to your equipment? Through any connection that you have to the outside world. This includes Internet connections, dial-up modems, and even physical access. (How do you know that one of the temps you've brought in to help with the data entry isn't really a system cracker looking for passwords, data phone numbers, vulnerabilities and anything else that can get him access to your equipment?)

In order to be able to adequately address security, all possible avenues of entry must be identified and evaluated. The security of each entry point must be consistent with your stated policy on acceptable risk levels.
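The data diddler described above is dangerous precisely because a changed account number looks like any other number. The usual check against that is an integrity baseline taken before the fact and compared afterwards. The following is an added example, not code from the original project: it records a keyed HMAC-SHA256 tag for every file under a directory, then reports which files were silently modified, added or removed. The key, the directory layout and the file contents are constructed for the demonstration; the key is assumed to be stored off the monitored host so that an intruder who can edit the files cannot also recompute the tags.

```python
"""Added example (not from the original project): detecting silent data
tampering ("data diddling") with a keyed integrity baseline.

The baseline maps each relative file path to an HMAC-SHA256 tag of its
contents. An attacker who edits a file but does not hold the key cannot
produce a matching tag, so verify() exposes modified, added and removed
files. All paths and contents below are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile

BASELINE_KEY = b"example-key-kept-off-host"   # assumption: lives off the monitored host


def file_tag(path: str, key: bytes) -> str:
    """Keyed tag of a file's contents, streamed so large files are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: str, key: bytes) -> dict:
    """Walk `root` and tag every regular file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_tag(full, key)
    return baseline


def verify(root: str, key: bytes, baseline: dict) -> dict:
    """Re-tag the tree and report differences against the stored baseline."""
    current = build_baseline(root, key)
    modified = sorted(p for p in baseline if p in current
                      and not hmac.compare_digest(baseline[p], current[p]))
    return {
        "modified": modified,
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: between baseline and audit, one account number in
    the payroll file is changed (same size, same name), a file is deleted and
    a new one is planted."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        files = {
            "finance/payroll.csv": b"emp,account\nalice,1234\nbob,5678\n",
            "finance/forecast.txt": b"Q3 revenue: 12.5M\n",
            "README": b"internal use only\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root, BASELINE_KEY)

        # The "diddle": bob's account number changes, nothing else about the file does.
        with open(os.path.join(root, "finance/payroll.csv"), "wb") as fh:
            fh.write(b"emp,account\nalice,1234\nbob,9999\n")
        os.remove(os.path.join(root, "README"))
        with open(os.path.join(root, "finance/notes.txt"), "wb") as fh:
            fh.write(b"planted\n")

        return verify(root, BASELINE_KEY, baseline)


if __name__ == "__main__":
    print(demo())
```

A plain hash manifest would catch the same changes, but an intruder with write access to the host can regenerate a plain manifest too; keying the tags and keeping the key (and a copy of the baseline) elsewhere is what makes the check meaningful after a break-in.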


Lessons Learned

From looking at the sorts of attacks that are common, we can divine a relatively short list of high-level practices that can help prevent security disasters, and help control the damage in the event that preventative measures were unsuccessful in warding off an attack.

Hope you have backups. This isn't just a good idea from a security point of view. Operational requirements should dictate the backup policy, and this should be closely coordinated with a disaster recovery plan, such that if an airplane crashes into your building one night, you'll be able to carry on your business from another location. Similarly, backups are useful in recovering your data in the event of an electronic disaster: a hardware failure, or a break-in that changes or otherwise damages your data.

Don't put data where it doesn't need to be. Although this should go without saying, it doesn't occur to lots of folks. As a result, information that doesn't need to be accessible from the outside world sometimes is, and this can needlessly increase the severity of a break-in dramatically.

Avoid systems with single points of failure. Any security system that can be broken by breaking through any one component isn't really very strong. In security, a degree of redundancy is good, and can help you protect your organization from a minor security breach becoming a catastrophe.


Stay current with relevant operating system patches. Be sure that someone who knows what you've got is watching the vendors' security advisories. Exploiting old bugs is still one of the most common (and most effective!) means of breaking into systems.

Watch for relevant security advisories. In addition to watching what the vendors are saying, keep a close watch on groups like CERT and CIAC. Make sure that at least one person (preferably more) is subscribed to these mailing lists.

Have someone on staff be familiar with security practices. Having at least one person who is charged with keeping abreast of security developments is a good idea. This need not be a technical wizard, but could be someone who is simply able to read advisories issued by various incident response teams, and keep track of the various problems that arise. Such a person would then be a wise one to consult on security-related issues, as he'll be the one who knows whether web server software version such-and-such has any known problems, etc.

This person should also know the ``dos'' and ``don'ts'' of security, from reading such things as the ``Site Security Handbook'' (RFC 2196).


Firewalls

As we've seen in our discussion of the Internet and similar networks, connecting an organization to the Internet provides a two-way flow of traffic. This is clearly undesirable in many organizations, as proprietary information is often displayed freely within a corporate intranet (that is, a TCP/IP network, modeled after the Internet, that only works within the organization). In order to provide some level of separation between an organization's intranet and the Internet, firewalls have been employed. A firewall is simply a group of components that collectively form a barrier between two networks.

A number of terms specific to firewalls and networking are going to be used throughout this section, so let's introduce them all together.

Bastion Host. A general-purpose computer used to control access between the internal (private) network (intranet) and the Internet (or any other untrusted network). Typically, these are hosts running a flavor of the Unix operating system that has been customized in order to reduce its functionality to only what is necessary to support its role. Many of the general-purpose features have been turned off, and in many cases completely removed, in order to improve the security of the machine.


Router. A special-purpose computer for connecting networks together. Routers also handle related functions, such as managing the traffic on the networks they connect.

Access Control List (ACL). Many routers now have the ability to selectively perform their duties, based on a number of facts about a packet that comes to them. This includes things like origination address, destination address, destination service port, and so on. These can be employed to limit the sorts of packets that are allowed to come in and go out of a given network.

Demilitarized Zone (DMZ). The DMZ is a critical part of a firewall: it is a network that is neither part of the untrusted network nor part of the trusted network, but one that connects the untrusted to the trusted. The importance of a DMZ is tremendous: someone who breaks into your network from the Internet should have to get through several layers in order to do so. Those layers are provided by various components within the DMZ.


Proxy. This is the process of having one host act on behalf of another. A host that has the ability to fetch documents from the Internet might be configured as a proxy server, and hosts on the intranet might be configured to be proxy clients. In this situation, when a host on the intranet wishes to fetch the <http://www.interhack.net/> web page, for example, the browser will make a connection to the proxy server and request the given URL. The proxy server will fetch the document and return the result to the client. In this way, all hosts on the intranet are able to access resources on the Internet without having the ability to talk directly to the Internet.

Types of Firewalls

There are three basic types of firewalls, and we'll consider each of them.

Application Gateways

The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts that run special software to act as a proxy server. This software runs at the Application Layer of our old friend the ISO/OSI Reference Model, hence the name. Clients behind the firewall must be proxy-aware (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure, because they don't allow anything to pass by default, but need to have the programs written and turned on in order to begin passing traffic.


Figure 5: A sample application gateway

These are also typically the slowest, because more processes need to be started in order to have a request serviced. Figure 5 shows an application gateway.

Packet Filtering

Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on. By default, a router will pass all traffic sent to it, and will do so without any sort of restrictions. Employing ACLs is a method for enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa.


There is less overhead in packet filtering than with an application gateway, because the access control is performed at a lower ISO/OSI layer (typically the network or transport layer: addresses and ports, not application content). Due to the lower overhead and the fact that packet filtering is done with routers, which are specialized computers optimized for tasks related to networking, a packet filtering gateway is often much faster than its application layer cousins. Because we're working at a lower level, supporting new applications either comes automatically, or is a simple matter of allowing a specific packet type to pass through the gateway. (Note that the possibility of something does not automatically make it a good idea; opening things up this way might very well reduce your level of security below what your policy allows.)

There are problems with this method, though. Remember, TCP/IP has absolutely no means of guaranteeing that the source address is really what it claims to be. As a result, we have to use layers of packet filters in order to localize the traffic. We can't get all the way down to the actual host, but with two layers of packet filters we can differentiate between a packet that came from the Internet and one that came from our internal network, because the interface a packet arrived on is a fact the router knows. We can identify which network the packet came from with certainty, but we can't get more specific than that.


A sample packet filtering gateway

Hybrid Systems

In an attempt to marry the security of the application layer gateways with the flexibility and speed of packet filtering, some vendors have created systems that use the principles of both.

In some of these systems, new connections must be authenticated and approved at the application layer. Once this has been done, the remainder of the connection is passed down to the session layer, where packet filters watch the connection to ensure that only packets that are part of an ongoing (already authenticated and approved) conversation are being passed.

Other possibilities include using both packet filtering and application layer proxies. The benefits here include providing a measure of protection for your machines that provide services to the Internet (such as a public web server), as well as providing the security of an application layer gateway to the internal network.


Additionally, using this method, an attacker, in order to get to services on the internal network, will have to break through the access router, the bastion host, and the choke router.
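The packet filtering, hybrid and screened-subnet passages above make two points that are easy to state and easy to get wrong in a rule set: the source address in a packet proves nothing, so anti-spoofing decisions must key on the interface the packet arrived on; and a hybrid filter should admit return traffic only for conversations it has already approved, not any packet that happens to carry an "established"-looking port pair. The following is an added example, not code from the original project or any vendor: a small packet filter with an external, DMZ and internal interface, anti-spoofing rules, a connection table, and a default-deny policy, run over a constructed traffic sample. The address ranges, interface names and packets are assumptions for the demonstration.

```python
"""Added example (not part of the original project): a minimal packet filter
illustrating interface-based anti-spoofing and connection tracking.
Addresses, interface names and the sample traffic are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Assumed addressing plan for the example.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # intranet behind the choke router
DMZ = ipaddress.ip_network("192.0.2.0/24")          # screened subnet
DMZ_WEB = ipaddress.ip_address("192.0.2.10")        # public web server in the DMZ

# The only source ranges that can legitimately appear on each inside interface.
EXPECTED_SOURCE = {"int": (INTERNAL,), "dmz": (DMZ,)}


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrived on: "ext", "dmz" or "int"
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


class PacketFilter:
    def __init__(self):
        self.log = []             # (verdict, reason, packet) for every packet seen
        self.conntrack = set()    # approved 5-tuples, stored in both directions

    def _verdict(self, allow: bool, pkt: Packet, reason: str) -> bool:
        self.log.append(("ALLOW" if allow else "DENY", reason, pkt))
        return allow

    def _approve(self, pkt: Packet) -> None:
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.conntrack.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def process(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        # 1. Anti-spoofing. The source field is unauthenticated; the arrival
        #    interface is a fact. Our own ranges never arrive from outside, and
        #    an inside interface only ever carries its own range.
        if pkt.iface == "ext" and (src in INTERNAL or src in DMZ):
            return self._verdict(False, pkt, "spoofed internal source on external interface")
        if pkt.iface in EXPECTED_SOURCE and not any(src in n for n in EXPECTED_SOURCE[pkt.iface]):
            return self._verdict(False, pkt, "source does not belong to arrival interface")

        # 2. Packets belonging to a conversation that was already approved.
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack:
            return self._verdict(True, pkt, "established")

        # 3. New conversations: explicit policy, everything else denied.
        if (pkt.iface == "ext" and pkt.proto == "tcp" and dst == DMZ_WEB
                and pkt.dport in (80, 443) and pkt.syn):
            self._approve(pkt)
            return self._verdict(True, pkt, "inbound web to DMZ server")
        if pkt.iface == "int" and pkt.syn and dst not in INTERNAL:
            self._approve(pkt)
            return self._verdict(True, pkt, "outbound from intranet")

        return self._verdict(False, pkt, "no matching rule (default deny)")


def run_scenario() -> list:
    """Constructed traffic sample. Returns (allowed, reason) per packet, in order."""
    fw = PacketFilter()
    packets = [
        Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 40000, 80, syn=True),   # outsider -> DMZ web
        Packet("dmz", "192.0.2.10", "203.0.113.5", "tcp", 80, 40000),             # web server's reply
        Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 40001, 22, syn=True),   # outsider -> DMZ ssh
        Packet("ext", "10.0.5.7", "10.0.0.9", "tcp", 1234, 445, syn=True),        # forged internal source
        Packet("int", "10.0.0.9", "198.51.100.20", "tcp", 50000, 443, syn=True),  # intranet -> Internet
        Packet("ext", "198.51.100.20", "10.0.0.9", "tcp", 443, 50000),            # reply to the above
        Packet("ext", "198.51.100.20", "10.0.0.9", "tcp", 443, 50001),            # unsolicited "reply"
    ]
    return [(fw.process(p), fw.log[-1][1]) for p in packets]


if __name__ == "__main__":
    for allowed, reason in run_scenario():
        print("ALLOW" if allowed else "DENY ", reason)
```

The seventh packet is the one a port-only ACL gets wrong: it looks like a reply from a web server, but no inside host ever opened that conversation, so it is dropped by default rather than admitted on the strength of its port numbers.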

So, what's best for me?

Lots of options are available, and it makes sense to spend some time with an expert, either in-house or an experienced consultant, who can take the time to understand your organization's security policy, and can design and build a firewall architecture that best implements that policy. Other issues like services required, convenience, and scalability might factor into the final design.

Some Words of Caution

The business of building firewalls is in the process of becoming a commodity market. Along with commodity markets come lots of folks who are looking for a way to make a buck without necessarily knowing what they're doing. Additionally, vendors compete with each other to try and claim the greatest security, the easiest administration, and the least visibility to end users. In order to try to quantify the potential security of firewalls, some organizations have taken to firewall certifications. The certification of a firewall means nothing more than the fact that it can be configured in such a way that it can pass a series of tests. Similarly, claims about meeting or exceeding U.S. Department of Defense ``Orange Book'' standards, C-2, B-1, and such all simply mean that an organization was able to configure a machine to pass a series of tests.


This doesn't mean that it was loaded with the vendor's software at the time, or that the machine was even usable. In fact, one vendor that has been claiming its operating system is ``C-2 certified'' did not mention that the operating system passed the C-2 tests only while it was not connected to any sort of network device.

Such gauges as market share, certification, and the like are no guarantees of security or quality. Taking a little bit of time to talk to some knowledgeable folks can go a long way in providing you a comfortable level of security between your private network and the big, bad Internet.

Additionally, it's important to note that many consultants these days have become much less the advocate of their clients, and more of an extension of the vendor. Ask any consultants you talk to about their vendor affiliations, certifications, and whatnot. Ask what difference it makes to them whether you choose one product over another, and vice versa. And then ask yourself if a consultant who is certified in technology XYZ is going to provide you with competing technology ABC, even if ABC best fits your needs.

Single Points of Failure

Many ``firewalls'' are sold as a single component: a bastion host, or some other black box that you plug your networks into and get a warm-fuzzy, feeling safe and secure. The term ``firewall'' refers to a number of components that collectively provide the security of the system. Any time there is only one component paying attention to what's going on between the internal and external networks, an attacker has only one thing to break (or fool!) in order to gain complete access to your internal networks.


Secure Network Devices

It's important to remember that the firewall is only one entry point to your network. Modems, if you allow them to answer incoming calls, can provide an easy means for an attacker to sneak around (rather than through) your front door (or, firewall). Just as castles weren't built with moats only in the front, your network needs to be protected at all of its entry points.

Secure Modems; Dial-Back Systems

If modem access is to be provided, this should be guarded carefully. The terminal server, or network device that provides dial-up access to your network, needs to be actively administered, and its logs need to be examined for strange behavior. Its passwords need to be strong -- not ones that can be guessed. Accounts that aren't actively used should be disabled. In short, it's the easiest way to get into your network remotely: guard it carefully.

There are some remote access systems that have the feature of a two-part procedure to establish a connection. The first part is the remote user dialing into the system, and providing the correct userid and password. The system will then drop the connection, and call the authenticated user back at a known telephone number. Once the remote user's system answers that call, the connection is established, and the user is on the network. This works well for folks working at home, but can be problematic for users wishing to dial in from hotel rooms and such when on business trips.


Other possibilities include one-time password schemes, where the user enters his userid and is presented with a ``challenge,'' a string of between six and eight digits. He types this challenge into a small device that he carries with him that looks like a calculator. He then presses enter, and a ``response'' is displayed on the LCD screen. The user types the response, and if all is correct, the login will proceed. These are useful devices for solving the problem of good passwords without requiring dial-back access. However, they have their own problems, as they require the user to carry them, and they must be tracked, much like building and office keys.

No doubt many other schemes exist. Take a look at your options, and find out how what the vendors have to offer will help you enforce your security policy effectively.
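The challenge/response scheme described above works because the hand-held device and the server share a secret that never crosses the line: only the challenge and the derived response do. The following is an added example, not code from the original project or from any token vendor, showing the exchange end to end: the server issues a random six-to-eight digit challenge, the token keys it with the shared secret and reduces the result to an eight-digit response, and the server accepts each challenge once and only within a short window. The digit lengths, the HOTP-style truncation and the one-minute lifetime are assumptions for the illustration; a real deployment would use a standardized token algorithm.

```python
"""Added example (not from the original project): a challenge/response
one-time password exchange built on HMAC-SHA256. The token and the server
share only a per-user secret; each challenge is accepted once and expires.
Digit lengths, truncation and lifetime are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

RESPONSE_DIGITS = 8


def compute_response(secret: bytes, challenge: str) -> str:
    """What the hand-held token does: tag the challenge with the shared secret
    and reduce the tag to a short decimal string the user can type."""
    tag = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    # Dynamic truncation as in HOTP: pick 4 bytes at an offset taken from the
    # tag's last nibble, mask to 31 bits, then reduce to the wanted digits.
    offset = tag[-1] & 0x0F
    code = int.from_bytes(tag[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class Token:
    """The device the user carries. It holds the secret and nothing else."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: str) -> str:
        return compute_response(self._secret, challenge)


class AuthServer:
    """The dial-in side: enrolls tokens, issues challenges, checks responses."""
    def __init__(self, ttl_seconds: int = 60):
        self._secrets = {}      # userid -> shared secret (assumed protected at rest)
        self._pending = {}      # (userid, challenge) -> time issued
        self._ttl = ttl_seconds

    def enroll(self, userid: str) -> bytes:
        secret = secrets.token_bytes(20)
        self._secrets[userid] = secret
        return secret           # loaded into the user's token once, at enrollment

    def issue_challenge(self, userid: str, now: float = None) -> str:
        """Random 6 to 8 decimal digits, remembered so it can be answered once."""
        ndigits = secrets.choice((6, 7, 8))
        challenge = "".join(secrets.choice("0123456789") for _ in range(ndigits))
        self._pending[(userid, challenge)] = time.time() if now is None else now
        return challenge

    def verify(self, userid: str, challenge: str, response: str, now: float = None) -> bool:
        issued = self._pending.pop((userid, challenge), None)   # single use: gone after this
        if issued is None or userid not in self._secrets:
            return False
        now = time.time() if now is None else now
        if now - issued > self._ttl:
            return False                                      # stale challenge
        expected = compute_response(self._secrets[userid], challenge)
        return hmac.compare_digest(expected, response)        # constant-time compare


if __name__ == "__main__":
    server = AuthServer()
    token = Token(server.enroll("alice"))   # enrollment: secret copied to the device
    challenge = server.issue_challenge("alice")
    response = token.respond(challenge)
    print("challenge", challenge, "response", response, "ok:", server.verify("alice", challenge, response))
    print("replay accepted:", server.verify("alice", challenge, response))
```

Two details carry most of the security: the challenge is removed from the pending table before the response is checked, so a captured challenge/response pair cannot be replayed, and the comparison is constant-time, so a wrong response does not leak how many digits were right.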

Crypto-Capable Routers A feature that is being built into some routers is the ability to use session encryption between specified routers. Because traffic traveling across the Internet can be seen by people in the middle who have the resources (and time) to snoop around, these are advantageous for providing connectivity between two sites, such that there can be secure routes.


Virtual Private Networks

Given the ubiquity of the Internet, and the considerable expense of private leased lines, many organizations have been building VPNs (Virtual Private Networks). Traditionally, for an organization to provide connectivity between a main office and a satellite one, an expensive data line had to be leased in order to provide direct connectivity between the two offices. Now, a solution that is often more economical is to provide both offices with connectivity to the Internet. Then, using the Internet as the medium, the two offices can communicate. The danger in doing this, of course, is that there is no privacy on this channel, and it's difficult to provide the other office access to ``internal'' resources without providing those resources to everyone on the Internet. VPNs provide the ability for two offices to communicate with each other in such a way that it looks like they're directly connected over a private leased line. The session between them, although going over the Internet, is private (because the link is encrypted), and the link is convenient, because each can see the other's internal resources without showing them off to the entire world. A number of firewall vendors are including the ability to build VPNs in their offerings, either directly with their base product or as an add-on. If you need to connect several offices together, this might very well be the best way to do it.


CHAPTER 6: COMMUNICATION LINKS

This section of the documentation identifies the different communication links present in the Thai Airways wide area network (WAN) Frame Relay (FRAS) connection.

1.) IP multicast is a technique for one-to-many communication over an IP infrastructure in a network. It scales to a larger receiver population by not requiring prior knowledge of who or how many receivers there are. Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers. The nodes in the network take care of replicating the packet to reach multiple receivers only when necessary. The most common transport layer protocol to use multicast addressing is the User Datagram Protocol (UDP). By its nature, UDP is not reliable: messages may be lost or delivered out of order. Reliable multicast protocols such as Pragmatic General Multicast (PGM) have been developed to add loss detection and retransmission on top of IP multicast. IP multicast is widely deployed in enterprises, commercial stock exchanges, and multimedia content delivery networks. A common enterprise use of IP multicast is for IPTV applications such as distance learning and televised company meetings.


2.) Point-to-Multipoint. In a multipoint topology the hub can send to one or more systems based on an address. Frame Relay is the most common technology used to implement this scheme, and it is typically used as a WAN (Wide Area Network) technology. All the remote connection points are connected to a single Frame Relay switch or router port, and communication between sites is managed by that central point. In hub and spoke, all spokes or only one spoke hears a given transmission. In point-to-multipoint, any number of remote stations can be accessed.

Frame Relay point-to-multipoint element: the Data Link Connection Identifier (DLCI) is a 10-bit-wide, link-local virtual circuit identifier used to assign frames to a specific PVC or SVC. Frame Relay networks use DLCIs to statistically multiplex frames. DLCIs are preloaded into each switch and act as road signs to the travelling frames.

3.) Private Link. A private link is a link that is either owned by a specific entity or only accessible by a specific entity. Increasingly, organizations worldwide are deploying private Frame Relay networks. In a private Frame Relay network, the administration and maintenance of the network are the responsibilities of the enterprise (a private company). All the equipment, including the switching equipment, is owned by the customer.
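The DLCI described under point 2 above is not a flat number stuck on the frame: it is split across the two-byte Q.922 address field together with the congestion and discard flags, and because it is link-local each switch rewrites it on the way through. The following is an added example, not code from the original project: it encodes and decodes the two-byte address field and then pushes a frame through a toy switch whose PVC table plays the role of the ``road signs''. The port names, the PVC mapping and the sample frame are constructed for the demonstration.

```python
"""Added example (not from the original project): the Frame Relay (Q.922)
two-byte address field that carries the 10-bit DLCI, and a toy switch that
rewrites the link-local DLCI per hop. Ports, PVC table and frames are
constructed for the demonstration.
"""

# Q.922 address, default two-byte form:
#   byte 0:  DLCI bits 9..4 | C/R | EA=0
#   byte 1:  DLCI bits 3..0 | FECN | BECN | DE | EA=1


def parse_address(hdr: bytes) -> dict:
    """Decode the first two bytes of a Frame Relay frame into DLCI and flags."""
    if len(hdr) < 2:
        raise ValueError("address field needs at least 2 bytes")
    b0, b1 = hdr[0], hdr[1]
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("unsupported address length (EA bits are not 0,1)")
    return {
        "dlci": ((b0 >> 2) << 4) | (b1 >> 4),
        "cr": bool(b0 & 0x02),      # command/response, passed through unchanged
        "fecn": bool(b1 & 0x08),    # congestion seen in the forward direction
        "becn": bool(b1 & 0x04),    # congestion seen in the backward direction
        "de": bool(b1 & 0x02),      # discard eligible: dropped first under congestion
    }


def build_address(dlci: int, cr=False, fecn=False, becn=False, de=False) -> bytes:
    """Encode a 10-bit DLCI and its flag bits into the two-byte address field."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((dlci >> 4) << 2) | (int(cr) << 1)                    # EA bit stays 0
    b1 = (((dlci & 0x0F) << 4) | (int(fecn) << 3) | (int(becn) << 2)
          | (int(de) << 1) | 1)                                   # EA bit is 1
    return bytes([b0, b1])


def switch_frame(table: dict, in_port: str, frame: bytes):
    """Forward one frame through a Frame Relay switch.

    `table` maps (in_port, in_dlci) -> (out_port, out_dlci), i.e. the PVCs
    preloaded into the switch. The DLCI only has meaning on one link, so the
    switch replaces it for the next hop while keeping the congestion and DE
    flags. Returns (out_port, new_frame), or None when no PVC matches and the
    frame is dropped.
    """
    addr = parse_address(frame[:2])
    hop = table.get((in_port, addr["dlci"]))
    if hop is None:
        return None
    out_port, out_dlci = hop
    new_hdr = build_address(out_dlci, cr=addr["cr"], fecn=addr["fecn"],
                            becn=addr["becn"], de=addr["de"])
    return out_port, new_hdr + frame[2:]


if __name__ == "__main__":
    pvcs = {("s0", 16): ("s1", 200)}          # constructed PVC: DLCI 16 on s0 -> DLCI 200 on s1
    # 0x03 = UI control byte, 0xCC = NLPID for IP (RFC 2427 encapsulation).
    frame = build_address(16, becn=True) + b"\x03\xcc" + b"IP payload"
    print(parse_address(frame[:2]))
    print(switch_frame(pvcs, "s0", frame))
```

Two bytes 0x18 0x41 decode to DLCI 100 with no flags set, which is a useful sanity check when reading captures: the six high bits come from the first byte shifted right by two, the four low bits from the top of the second byte.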


CHAPTER 7: APPROXIMATE BUDGET

Rows that are highlighted in red and marked in orange are the services opted for by our subject company, Thai Airways.

Pacnet Frame Relay Costing (Philippine Peso Currency Based)

Standard Monthly Charges

Speed (CIR / Burst)    Access Charges per Site    PVC Charges, Local & A Band    PVC Charges, Intra-UAE
0 / 64 Kbps            23,842.52 PHP              13,005.01 PHP                   61,773.79 PHP
0 / 128 Kbps           34,680.02 PHP              29,261.27 PHP                  108,375.08 PHP
0 / 256 Kbps           56,355.04 PHP              42,266.28 PHP                  173,400.12 PHP
0 / 384 Kbps           60,690.04 PHP              48,768.78 PHP                  222,168.90 PHP
0 / 512 Kbps           67,192.55 PHP              58,522.54 PHP                  265,518.93 PHP
0 / 1 Mbps             91,035.06 PHP              74,778.80 PHP                  292,612.70 PHP
0 / 2 Mbps             91,035.06 PHP              84,532.56 PHP                  330,543.98 PHP

Pacnet Frame Relay Installation Charges (Philippine Peso Currency Based)

Speed                  Access Link        PVC
64 Kbps & 128 Kbps      28,177.52 PHP     2,167.50 PHP
256 Kbps & 1 Mbps       47,685.03 PHP     2,167.50 PHP
Up to 2 Mbps            86,700.06 PHP     2,167.50 PHP
Up to 34 Mbps          130,050.09 PHP     2,167.50 PHP

In the original figure the callouts ``Thai Airways Frame Relay Service'' and ``Thai Airways Frame Relay Installation'' mark the monthly-service row and the installation row selected by Thai Airways; the colour highlighting is not preserved in this text copy.

Cost of Network Hardware Devices (LAN)

Equipment / Device                              Price
Cisco 1841 Integrated Services Router           24,195.76 PHP
Cisco 2960-24TT Switch                          33,400.98 PHP
Cisco 2950T-24 Switch                           17,255.74 PHP
RJ-45 connector                                      5.00 PHP
CAT5e cable                                         24.50 PHP
Rhino CEROS Network Interface Card (NIC)         1,518.95 PHP
Crimping tool                                      220.00 PHP
Cisco Unified IP Phone 7900 Series              10,676.02 PHP
TOTAL                                           87,296.95 PHP


Qube PC Desktop Promo Package

Specifications:
Monitor: LED Qube 16" wide-screen LCD monitor (DVI)
Peripherals: mouse, keyboard, multimedia speaker
Processor: AMD Athlon II 240 (2.8 GHz) X2 dual core, AM3 (= Core 2 Duo 45 nm)
Motherboard: Foxconn A76ML-K 3.0, AMD 760G chipset (up to 1 GB built-in video); supports Phenom II, AM3, DDR3
Productivity suite: OpenOffice (full version with CD)
Memory: 1 GB DDR3 1333 MHz (1 x 1 GB)
Hard drive: 500 GB 7200 RPM SATA 3.0 (3x faster)
Optical drive: Samsung 22x dual-layer DVD-RW drive, SATA
Media drive: USB card reader
Power: free surge protector; Qube Premium A chassis, black, with 700 W PSU and hi-def sound support

TOTAL                                           12,799.00 PHP

SOFTWARE COSTS

Software Item                                                  Price
Windows HPC Server 2008 R2 Enterprise installation CD          17,719.60 PHP
Cafe Manila Server                                              3,000.00 PHP
Cafe Manila Client (for every client workstation)                 300.00 PHP
TOTAL                                                          21,019.60 PHP


CONCLUSION

At this point we have reached the end of this documentation for the Thai Airways network connection. In the previous pages it was discussed that they operate their communications over a Frame Relay wide area network. Readers should now have an idea of how that type of connection propagates data from point to point. Flipping through the pages of this documentation made it clear how Frame Relay functions internally, by delving into its individual devices. Having clearly identified the technology involved in this wide area connection type, we should now have a deeper understanding of its logical design. Readers should by now have enough knowledge to link its nodes, whether on real equipment or in Packet Tracer. As a whole, it is hoped that this paper has introduced readers to the intricate concepts of Frame Relay. Aside from its purpose, readers should be aware of its benefits in computer networking, a few of which are listed below:

- This sort of network set-up is cost efficient in financial terms.
- This wide area network connection type is more practical than leased lines, as it needs fewer devices for its operation.
- Frame Relay can support voice and video data as well as text and images.
- It can direct data flow directly to designated networks within its reach.

May this documentation continue to aid readers and budding network technicians in the future, and may it encourage improvements.


BIBLIOGRAPHY & REFERENCE MATERIAL

CHAPTER 2: Network Architecture
http://learn-networking.com/network-design/a-guide-to-network-topology
http://en.wikipedia.org/wiki/Mesh_networking

CHAPTER 3: Network & Server Architecture
http://goo.gl/GDn6p

CHAPTER 4: Networking and Internetworking Devices
http://docwiki.cisco.com/wiki/Frame_Relay#Frame_Relay_Devices
http://en.wikipedia.org/wiki/Packet_switch
http://en.wikipedia.org/wiki/Serial_communication
http://www.cisco.com/en/US/products/ps5875/index.html
http://www.softchoice.com/catalog/en-us/hubs-switches-cisco-catalyst-2960-24tt-switch-WSC2960-24TT-L-N48913
http://www.cisco.com/en/US/products/hw/switches/ps628/ps627/index.html
http://searchenterprisedesktop.techtarget.com/definition/desktop-computer
http://www.topwebhosts.org/tools/rj45-wiring.php
http://compnetworking.about.com/od/ethernet/g/cat5-cables.htm

CHAPTER 5: Network Security
http://www.interhack.net/pubs/network-security/networksecurity.html#SECTION00060000000000000000

CHAPTER 6: Communication Links
http://en.wikipedia.org/wiki/Link_%28telecommunications%29
http://en.wikipedia.org/wiki/Multicast
https://learningnetwork.cisco.com/thread/4892
http://en.wikipedia.org/wiki/Data_link_connection_identifier
http://www.inetdaemon.com/tutorials/networking/lan/topology.shtml

CHAPTER 7: Approximate Budget
http://goo.gl/3udpj



ACKNOWLEDGEMENTS

God almighty for giving me the ability & skills to complete this task; My Parents who finance my schooling; Everyone who supports me; Informatics Festival Mall for the quality education & making it possible to materialize this project; Pisong Print & Pa-Book Bind sa kanto for the hardcopy. And so so
