CHAPTER 1: Network Fundamentals

can save their work to a dedicated server in a central location. This would keep everyone’s files on one or more servers, allowing their work to be kept secure and regularly backed up.

Decentralized (Distributed)

When a decentralized network model is used, a network’s resources are distributed through different areas of the network, and administration is shared by delegating responsibility to system administrators or individual users. For example, printers may be scattered throughout an organization, with the manager of each office being responsible for assigning permissions to user accounts to use specific printers. By sharing administrative burdens in this way, certain resources can be managed by other members of the organization.

A decentralized network model has a variety of servers, equipment, and other resources distributed across the geographical area making up the network. Although a network administrator may be able to access them over the computer network, such network components aren’t readily accessible physically. As such, a network administrator must rely on people who are designated as system administrators in those locations. These people must be properly trained on the system and responsible enough to take matters like security seriously. If not, something as simple as changing a backup tape could be problematic or even disastrous.

Even if an organization initially decides on a centralized network, decentralizing the network may be the only viable option if cost factors or other issues come into play. For example, if a company had a slow network connection between buildings, users might find logging into the network, saving data to a server, or accessing network resources slow. One solution would be to put a server in each building, so computers could be authenticated by, and quickly access data on, the server that’s closest to them.
By distributing servers in this instance, network performance would improve, because users wouldn’t have to authenticate over, or necessarily use, the slow connection to the other server.

Once your network model has been selected, you can deploy your client systems, servers, and resources accordingly. There are multiple logical topologies you will need to select from, such as peer-to-peer, client/server, VPNs, and VLANs.

Peer-to-Peer

Years ago, most computers on a network weren’t very powerful. Hard disks, memory, printers, and other components making up a computer system were expensive, creating a need for dedicated servers that other computers accessed to store data and access necessary resources. These dedicated servers could be mainframes or high-end computers with additional memory, storage space, and processing power. As technology progressed, computer workstations came to be as powerful as (or in many cases more powerful than) the servers of years past, making peer-to-peer networks a viable solution for smaller networks.

In a peer-to-peer network, computers on the network act as equals, with each workstation providing access to resources and data. This is a simple type of network, where computers are able to communicate with one another and share what is on or attached to their computer with other users. It is also one of the easiest types of architecture to create. Individual users have responsibility over who can access data and resources on their computer. OSes such as Windows XP and Windows Vista allow accounts to be set up that will be used when other users connect to their computer. Accounts, passwords, and permissions are saved in a local database, which is used to determine what someone can do when connecting to the computer. For example, one account may allow a user to send print jobs to your printer, while another account may allow the user to access files in certain directories but not print.

Because peer-to-peer networks are generally small, creating one can be as simple as installing network adapters into each computer, attaching a network cable to the adapter, and connecting the other end to a hub or switch. If a wireless network is being created, then even the cables aren’t necessary, as wireless adapters and a wireless router are all that’s needed. Once this is done, each computer is configured to use the network adapter that’s installed, and a protocol is configured to allow communication between the computers. In cases where OSes such as Windows XP or Vista are used, this configuration can be done through a wizard program, which takes you step by step through the configuration process.

One important issue with peer-to-peer networks is security. Each computer on this type of network may allow or deny access to other computers, as access to data and resources is controlled on each machine. For example, a user could share a folder on his or her computer, allowing other users to access the files in that folder. Because users can have the ability to control access to files and resources on their computers, network administration isn’t controlled by one person. However, problems may arise where users grant access to data and resources based on friendship with another person instead of that person’s need to perform their job. As such, peer-to-peer networks are generally used in situations where security isn’t a major concern, as in the case of some home networks or small businesses.

HEAD OF THE CLASS…
Centralized Access Control

Even when servers and resources are distributed throughout a network, it does not mean that access control can’t be centralized. Centralized access control is when users gain access to the network through a central point of authentication. Users log onto the network through some form of authentication, such as a username and password, which is passed to a server that processes their request for access. The server compares this information to a corresponding account that’s stored in a database, and determines whether the user has correctly identified himself or herself, and what this person is authorized to access. The server sends back data that authorizes the user, allowing them to use specific resources on the network.

Because users acquire access to resources through one source, it saves them from having to log onto each server. Early versions of network OSes required users to determine which server they wanted to use, and then enter the username and password for their account on that server. Using centralized access control, users only need to be authenticated once to be able to access resources on any server they have been given permissions and rights to use.

Another benefit of centralizing access control is that administration of accounts can be done for an entire network through one control system. For example, on networks using Windows 2000 Server or 2003 Server, user accounts and information are stored in Active Directory, while Novell NetWare networks use Novell Directory Services (NDS) or eDirectory. Using ConsoleOne in NetWare or the Microsoft Management Console (MMC) in Windows, a network administrator can connect to the directory containing user information and control which folders a user can access, password requirements, when the user can log onto the network, and numerous other conditions and controls. Rather than making changes on each server, the administrator only needs to change an account once to affect a user’s access throughout the network. Because of this, centralized access control is often used in enterprises, where there are large numbers of computers and user accounts that need to be managed.
Client/Server

In the peer-to-peer network model, when one computer requests data or other services from another computer, it acts as a client, while the other computer delivering that data or service acts as a server. These roles are blurred because both computers can act in either role. In the Client/Server model, the roles are clearer because it involves dedicated servers that provide services and data to clients, without making similar requests of them.

The Client/Server model consists of high-end computers serving clients on a network, by providing them with specific services upon request. Years ago, each server generally performed a single role, such as:

File server, which allows clients to save data to folders on its hard drive.
Print server, which redirects print jobs from clients to specific printers.
Application server, which allows clients to run certain programs on the server, and enables multiple users to access common applications across the network.
Database server, which allows authorized clients to view, modify, and/or delete data in a common database.

Today, computers are more powerful and network OSes are more effective, so each server may act in several different roles. For example, a server may be a Web server for the local intranet, but also allow users to access a database and store files in an area of its hard drive. The services provided by the server will vary greatly depending on how it’s been configured and what’s been installed.

The software that’s installed largely dictates the roles a dedicated server can perform. First and foremost, the server needs to have a network OS such as Windows Server 2003, Windows Server 2008, or Linux installed on it. These server OSes provide features specifically for servicing clients, and can respond more efficiently to a greater number of client requests than standard OSes such as Windows XP or Windows Vista.
Once a high-end computer has server software installed, the services provided by it need to be configured and other programs may need to be installed. Many of the server’s functions are dependent on the server software installed on it. For example, a server that acts as a SQL Server is a database server, but needs to have a program like Microsoft SQL Server installed on it. In the same way, a Web server on a Windows Server 2003 server would need Internet Information Services (IIS) configured. By installing server software on the dedicated server, you define the role that server will play on your network.

Although a dedicated server may play a variety of roles, you should determine whether the load placed on the server is too great, causing performance to decrease. Some services provided by a server may be accessed frequently, creating a larger workload for the server. Rather than creating a burden for the server, the server will be dedicated to performing a single role, or at least a decreased number of roles. For example, an e-mail server may be accessed frequently by users of the network who want to check for messages. Because it is used so often, many organizations will have one server performing only this role, to prevent it from being bogged down and users finding it slow to access their e-mail. In the same way, if the service is essential to a business, such as a Web server being necessary for a business that sells products on the Internet, that server will be dedicated to only that role. The more a server is dedicated to a specific or limited number of functions, the better its performance and the less chance there will be of everything becoming unavailable if one server fails.

At the beginning of this chapter, we explained that a network exists when two or more computers are connected together so they can share various resources.
Although this defines the basic nature of a network, it doesn’t provide an understanding of the different sizes and shapes a network can take as it’s designed and developed. Having this understanding is important in determining the scope and physical layout of computers, cables, and other network components. It is also vital when considering the type of media that will be used, and whether additional components are necessary to expand your network.

Virtual Private Network

A VPN provides users with a secure method of connectivity through a public internetwork such as the Internet. Most companies use dedicated connections to connect to remote sites, but when users want to send private data over the Internet they should provide additional security by encrypting the data using a VPN.

DAMAGE AND DEFENSE
Only Use Servers as Servers

Although dedicated servers are designed to serve clients, many of the server OSes have the ability to be used as if they were clients. For example, Windows servers have always had the same GUI as other versions of Windows for standalone computers or network workstations. This means you could install and use Microsoft Office, games, or any number of other software products. However, it is unwise to use a server as if it were any other client machine on your network. Every time you run software on a computer, memory, processing, and other resources are used which could otherwise be used for responding to client requests, and you run the risk of crashing the server. Think of the number of times a program has locked up your computer, and then think of the implications of what would happen if hundreds of users had been accessing it as a server and were now unable to do their work. The reason you have a server is for it to act as a server. Unless you are performing work on the server related to how it functions as a server, it is not advisable to use it for other purposes.

What is a VPN?
When a VPN is implemented properly, it provides improved wide area security, reduces costs associated with traditional WANs, improves productivity, and improves support for users who telecommute. Cost savings are twofold. First, companies save money by using public networks (such as the Internet) instead of paying for dedicated circuits (such as point-to-point T1 circuits) between remote offices. Second, telecommuters do not have to pay long-distance fees to connect to Remote Access Servers (RAS). They can simply dial into their local ISPs and create a virtual tunnel to the office.

A tunnel is created by wrapping (or encapsulating) a data packet inside another data packet and transmitting it over a public medium. Tunneling requires three different protocols:

Carrier Protocol: The protocol used by the network (IP on the Internet) that the information is traveling over.
Encapsulating Protocol: The protocol, such as Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IPSec, or Secure Shell (SSH), that is wrapped around the original data.
Passenger Protocol: The original data being carried.

Essentially, there are two different types of VPNs: site-to-site and remote access.

Site-to-Site VPN

Site-to-site VPNs are normally established between corporate offices that are separated by a physical distance extending further than normal LAN media covers. VPNs are available as software (such as Windows VPN, available on Windows 2003 and 2008) and hardware (firewalls such as Cisco PIX or ASA and Nokia/Checkpoint) implementations. In general, software implementations are easier to maintain. However, hardware implementations are considered more secure, because they are not impacted by OS vulnerabilities.

For example, suppose that Company XYZ has offices in Boston and Phoenix. As shown in Figure 1.1, both offices connect to the Internet via a T1 connection.
They have implemented VPN-capable firewalls in both offices and established an encryption tunnel between them.

FIGURE 1.1 A Site-to-Site VPN Established between Two Remote Offices.

The first step in creating a site-to-site VPN is selecting the security protocols to be used. Common protocols associated with VPN transmission security are PPTP, L2TP, SSH, and IPSec. PPTP and L2TP are used to establish a secure tunnel connection between two sites. Once a tunnel is established, encryption protocols are used to secure data passing through the tunnel. As data is passed from one VPN endpoint to the other, it is encapsulated at the source and unwrapped at the destination. The process of establishing the VPN and wrapping and unwrapping the data is transparent to the end user.

Most commercially available firewalls come with a VPN module that can be set up to easily communicate with another VPN-capable device. Microsoft has implemented site-to-site VPN tools on the Windows 2003 platform using either RRAS or the newest rendition of Microsoft’s Proxy server, Microsoft ISA Server 2006 (www.microsoft.com/forefront/edgesecurity/isaserver/en/us/default.aspx). Whichever product or service is used, it is important to ensure that each end of the VPN is configured with identical protocols and settings.

NOTES FROM THE FIELD…
Issues with Site-to-Site VPNs

A common mistake that network security professionals make is setting up a site-to-site VPN, then disregarding other types of security. Access control (such as Windows NTFS permissions) should also be implemented so that users on remote networks cannot access the local network freely.

Remote Access VPN

A remote access VPN, known as a private virtual dial-up network (PVDN), differs from a site-to-site VPN in that end users are responsible for establishing the VPN tunnel between their workstation and their remote office.
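The carrier/encapsulating/passenger layering and the wrap-at-source, unwrap-at-destination step described above, as an added Python example that is not from the book: it uses a minimal GRE header (the tunnel format PPTP carries its data in) as the encapsulating protocol, and every address and payload value is constructed. It also checks the point the section makes about encryption: the tunnel alone leaves the passenger readable on the public medium.

```python
"""Added example (not from the book): one tunnel packet built from the three
tunneling protocols (carrier IPv4, encapsulating GRE per RFC 2784, passenger
IPv4). Tunnel endpoints, inner hosts and payload are constructed values."""
import socket
import struct

IPPROTO_GRE = 47         # carrier IP header's protocol field announcing a GRE passenger
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 passenger


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) with a valid checksum, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Split an option-less IPv4 packet into fields; reject a corrupted header."""
    if len(packet) < 20 or packet[0] != 0x45:
        raise ValueError("not a plain IPv4 header")
    if ipv4_checksum(packet[:20]) != 0:   # a valid header sums to zero with its checksum
        raise ValueError("IPv4 header checksum mismatch")
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"proto": f[6], "src": socket.inet_ntoa(f[8]),
            "dst": socket.inet_ntoa(f[9]), "payload": packet[20:f[2]]}


def encapsulate(tunnel_src: str, tunnel_dst: str, passenger: bytes) -> bytes:
    """Source gateway: GRE header around the passenger, carrier IP header around that."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre + passenger)


def decapsulate(wire: bytes, expected_peer: str) -> bytes:
    """Destination gateway: strip carrier and GRE headers, return the passenger."""
    outer = parse_ipv4(wire)
    if outer["src"] != expected_peer:   # only the configured peer may inject into the LAN
        raise ValueError("tunnel packet from unexpected peer " + outer["src"])
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("carrier does not announce a GRE passenger")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000 or flags & 0x7 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer["payload"][4:]


def demo() -> dict:
    # Constructed: private LAN hosts behind two gateways with public tunnel addresses.
    # Inner protocol 253 is IANA's experimental number, so no transport header is needed.
    passenger = build_ipv4("10.1.1.5", "10.2.2.7", 253, b"payroll record 42")
    wire = encapsulate("203.0.113.10", "198.51.100.20", passenger)
    inner = parse_ipv4(decapsulate(wire, expected_peer="203.0.113.10"))
    # Tunneling alone gives no confidentiality: the passenger sits in clear text inside
    # the carrier packet, which is why an encryption protocol is layered on the tunnel.
    return {"wire": wire, "inner": inner, "exposed": b"payroll record 42" in wire}
```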
An alternative to connecting directly to the corporate VPN is connecting to an enterprise service provider (ESP) that ultimately connects users to the corporate VPN. In either case, users connect to the Internet or an ESP through a point of presence (POP) using their particular VPN client software (Figure 1.2). Once the tunnel is set up, users are required to authenticate with the VPN server, usually by username and password.

FIGURE 1.2 A Remote-Access VPN Solution Using Regular Internet POPs.

A remote access VPN is a great solution for a company with several employees working in the field. The remote access VPN allows these employees to transmit data to their home offices from any location. RRAS offers an easy solution for creating a remote access VPN. VPNs will be covered in depth in Chapter 9.

Virtual Local Area Network

VLANs allow network administrators to divide the network by designating certain ports as part of a logical network. Although several computers or devices can be connected to the same physical network, they can all be separated logically through the use of a VLAN. VLAN databases can provide important details to any individual who is trying to discern the logical breakup of the network. VLANs logically divide the network and affect the traffic and security of a switched network.

Configuring VLANs

The first thing that might come to mind when we mention VLANs or virtual LANs is that somehow they don’t exist physically. They do exist, and they are very commonly used in enterprise or corporate computing networks to segment networks. In the past, to separate or segment networks, separate pieces of hardware such as hubs or switches were used. Because hubs and switches only come in predefined capacities such as 5, 8, 12, 24, or even 36 ports, it became very clear that we could potentially be wasting resources by not fully utilizing all the ports on these devices.
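As an added example that is not part of the book, a small Python model of a VLAN-aware switch: the port-to-VLAN table stands in for the VLAN database, and the forwarding rule shows how traffic and MAC learning are confined to one logical segment of a single shared physical switch. Port numbers, MAC addresses, VLAN IDs and the 802.1Q tag bytes are all constructed values.

```python
"""Added example (not from the book): a toy VLAN-aware switch. Port-to-VLAN
assignments decide which ports may ever exchange frames, even though every host
plugs into the same physical device. All ports, MACs and VLAN IDs are constructed."""
from collections import defaultdict

TPID_8021Q = 0x8100  # Ethertype that marks an IEEE 802.1Q tagged frame


def parse_vid(tag: bytes) -> int:
    """Return the 12-bit VLAN ID from a 4-byte 802.1Q tag (TPID + TCI)."""
    if len(tag) != 4 or int.from_bytes(tag[:2], "big") != TPID_8021Q:
        raise ValueError("not an 802.1Q tag")
    return int.from_bytes(tag[2:], "big") & 0x0FFF  # drop the 3 PCP bits and the DEI bit


class VlanSwitch:
    def __init__(self, access_ports, trunk_ports=None):
        # access_ports: {port: vid} for untagged hosts; trunk_ports: {port: {vids}} for uplinks
        self.access = dict(access_ports)
        self.trunks = {p: set(v) for p, v in (trunk_ports or {}).items()}
        self.fdb = defaultdict(dict)  # vid -> {mac: port}; MAC learning is kept per VLAN

    def _classify(self, in_port, tag):
        """Decide the frame's VLAN from its ingress port, or None to drop it."""
        if in_port in self.access:
            return None if tag is not None else self.access[in_port]  # access ports reject tags
        if in_port in self.trunks and tag is not None:
            vid = parse_vid(tag)
            return vid if vid in self.trunks[in_port] else None  # VLAN must be allowed on trunk
        return None

    def forward(self, in_port, src_mac, dst_mac, tag=None):
        """Return the set of egress ports for one frame (an empty set means dropped)."""
        vid = self._classify(in_port, tag)
        if vid is None:
            return set()
        self.fdb[vid][src_mac] = in_port
        members = {p for p, v in self.access.items() if v == vid}
        members |= {p for p, allowed in self.trunks.items() if vid in allowed}
        members.discard(in_port)
        known = self.fdb[vid].get(dst_mac)
        if known is not None and known != in_port:
            return {known}  # known unicast goes to one port of the same VLAN
        return members  # unknown unicast or broadcast floods this VLAN only, never the whole switch


def demo() -> dict:
    # Constructed: ports 1-2 are Finance (VLAN 10), ports 3-4 are Engineering (VLAN 20),
    # port 24 is a trunk to another switch that carries both VLANs.
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20}, {24: {10, 20}})
    fin1, fin2, eng3 = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "bb:bb:bb:00:00:03"
    bcast = "ff:ff:ff:ff:ff:ff"
    flood = sw.forward(1, fin1, bcast)          # Finance broadcast reaches ports 2 and 24 only
    sw.forward(2, fin2, fin1)                   # reply lets the switch learn fin2 on port 2
    unicast = sw.forward(1, fin1, fin2)         # now delivered to port 2 alone
    cross = sw.forward(3, eng3, fin1)           # Engineering host addressing a Finance MAC
    tag20 = TPID_8021Q.to_bytes(2, "big") + (20).to_bytes(2, "big")
    trunk_in = sw.forward(24, "cc:cc:cc:00:00:24", bcast, tag=tag20)  # tagged VLAN 20 from uplink
    tagged_on_access = sw.forward(1, fin1, bcast, tag=tag20)          # dropped at an access port
    return {"flood": flood, "unicast": unicast, "cross": cross,
            "trunk_in": trunk_in, "tagged_on_access": tagged_on_access}
```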
In addition, as companies expanded and spread into different locations, it became difficult to have people in the same departments on the same LAN segments. Someone envisioned being able to reconfigure one physical device into multiple logical segments, and VLANs were born.

PHYSICAL NETWORKING MODELS

Just as size defines a network, so does the way it’s laid out. The topology of a network is the physical layout of computers, hubs, routers, cables, and other components. It provides a map of where things are, and how the network is configured. Although networks are often unique, the topology of each network will share characteristics with others. Networks will either use one of the topologies we’ll discuss, or in many cases a combination of them:

Bus
Star
Ring
Mesh
Point-to-point
Point-to-multipoint
Hybrid
Wireless

BUS

Bus topologies are one of the most straightforward networks and are easy to set up and install. As shown in Figure 1.3, all of the computers in a bus topology are connected together using a single cable, which is called a trunk, backbone, or segment. Coaxial cable is commonly used for the trunk, which is the same type of cable that’s used to connect your TV to receive cable television. The computers are attached to the cable segment using T-connectors, which get their name because they’re shaped like the letter T.

Because all of these computers use the same cable, only one computer can send packets of data (which are electronic signals) onto the network at a time. When a computer sends a packet of data onto the trunk, it is sent in both directions so that every computer on the network has the chance to receive it. Each of the computers on this type of topology listens to the network traffic, so that it can determine whether any packets being sent over the network are intended for it.
When a computer listens to the network, any packets that aren’t addressed to it are ignored, while any specifically addressed to it are accepted. The exception to this is when a broadcast is made, which is a packet that is destined for every computer on the network.

Because the topology is linear, when data is sent over the trunk, it runs the length of the cable. To prevent data signals from staying on the cable indefinitely, the cable needs to be terminated at each end so electronic signals are absorbed when they reach the cable’s end. The terminator absorbs the signal, so that the cable is clear for other computers to send packets on the network. Without termination, a computer would send packets to another computer over the trunk, and they would bounce back and forth along the length of the cable until the network was brought down. To prevent the signal from bouncing up and down the cable, terminators are attached at both ends of the cable. Without termination, the entire network fails.

FIGURE 1.3 A Bus Topology.

Bus topologies have several benefits to organizations. Although we mentioned that they are easy to set up, they are also a passive topology. In other words, when a computer is

Exam Warning

One of the testable items on the Network+ exam is being able to identify a topology based on either the description given, or by looking at a picture of a topology. Make sure that you know each of the topologies covered in this section, and can identify them simply by looking at them before taking the exam.