Network+ 2005 In Depth (P24) pptx


security policy—A document or plan that identifies an organization’s security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee. In addition, it specifies how to address security breaches.

server_hello—In the context of SSL encryption, a message issued from the server to the client that confirms the information the server received in the client_hello message. It also agrees to certain terms of encryption based on the options the client supplied. Depending on the Web server’s preferred encryption method, the server may choose to issue your browser a public key or a digital certificate at this time.

session key—In the context of Kerberos authentication, a key issued to both the client and the server by the authentication service that uniquely identifies their session.

SFTP (Secure File Transfer Protocol)—A protocol available with the proprietary version of SSH that copies files between hosts securely. Like FTP, SFTP first establishes a connection with a host and then allows a remote user to browse directories, list files, and copy files. Unlike FTP, SFTP encrypts data before transmitting it.

social engineering—The act of manipulating personal relationships to circumvent network security measures and gain access to a system.

SSH (Secure Shell)—A connection utility that provides authentication and encryption. With SSH, you can securely log on to a host, execute commands on that host, and copy files to or from that host. SSH encrypts data exchanged throughout the session.

SSL (Secure Sockets Layer)—A method of encrypting TCP/IP transmissions—including Web pages and data entered into Web forms—en route between the client and server using public key encryption technology.

SSL session—In the context of SSL encryption, an association between the client and server that is defined by an agreement on a specific set of encryption techniques.
An SSL session allows the client and server to continue to exchange data securely as long as the client is still connected to the server. SSL sessions are established by the SSL handshake protocol.

symmetric encryption—A method of encryption that requires the same key to encode the data as is used to decode the ciphertext.

TACACS (Terminal Access Controller Access Control System)—A centralized authentication system for remote access servers that is similar to, but older than, RADIUS.

Terminal Access Controller Access Control System—See TACACS.

TGS (Ticket-granting service)—In Kerberos terminology, an application that runs on the KDC that issues ticket-granting tickets to clients so that they need not request a new ticket for each new service they want to access.

Chapter 14 NETWORK SECURITY

TGT (ticket-granting ticket)—In Kerberos terminology, a ticket that enables a user to be accepted as a validated principal by multiple services.

three-way handshake—An authentication process that involves three steps.

ticket—In Kerberos terminology, a temporary set of credentials that a client uses to prove that its identity has been validated by the authentication service.

Ticket-granting service—See TGS.

ticket-granting ticket—See TGT.

TLS (Transport Layer Security)—A version of SSL being standardized by the IETF (Internet Engineering Task Force). With TLS, IETF aims to create a version of SSL that encrypts UDP as well as TCP transmissions. TLS, which is supported by new Web browsers, uses slightly different encryption algorithms than SSL, but otherwise is very similar to the most recent version of SSL.

Transport Layer Security—See TLS.

Triple DES (3DES)—The modern implementation of DES, which weaves a 56-bit key through data three times, each time using a different key.

war driving—The act of driving while running a laptop configured to detect and capture wireless data transmissions.
WEP (Wired Equivalent Privacy)—A key encryption technique for wireless networks that uses keys both to authenticate network clients and to encrypt data in transit.

Wi-Fi Alliance—An international, nonprofit organization dedicated to ensuring the interoperability of 802.11-capable devices.

Wi-Fi Protected Access—See WPA.

Wired Equivalent Privacy—See WEP.

WPA (Wi-Fi Protected Access)—A wireless security method endorsed by the Wi-Fi Alliance that is considered a subset of the 802.11i standard. In WPA, authentication follows the same mechanism specified in 802.11i. The main difference between WPA and 802.11i is that WPA specifies RC4 encryption rather than AES.

WPA2—The name given to the 802.11i security standard by the Wi-Fi Alliance. The only difference between WPA2 and 802.11i is that WPA2 includes support for the older WPA security method.

Review Questions

1. Which of the following terms refers to a thorough examination of each aspect of a network to determine how it might be compromised?
   a. Symmetric encryption
   b. Application gateway
   c. Security audit
   d. Social engineering

2. The use of an algorithm to scramble data into a format that can be read only by reversing the algorithm is known as _________________________.
   a. encryption
   b. bio-recognition
   c. DNS spoofing
   d. flashing

3. Trying a number of possible character combinations to find the key that will decrypt encrypted data is known as a _________________________.
   a. denial-of-service attack
   b. dictionary attack
   c. social engineering
   d. brute force attack

4. A _________________________ is a password-protected and encrypted file that holds an individual’s identification information, including a public key.
   a. network key
   b. digital certificate
   c. key pair
   d. session key

5. _________________________ occurs when a hacker forges name server records to falsify his host’s identity.
   a. DNS spoofing
   b. Port forwarding
   c. Public key encryption
   d. Social engineering

6. True or false? Networks that use leased public lines, such as T1 or DSL connections to the Internet, are vulnerable to eavesdropping at a building’s demarcation point, at a remote switching facility, or in a central office.

7. True or false? Proxy servers manage security at the Network layer of the OSI Model.

8. True or false? The Password Authentication Protocol (PAP) encrypts usernames and passwords for transmission.

9. True or false? If routers are not configured to mask internal subnets, users on outside networks can read the private addresses.

10. True or false? Dial-up networking turns a remote workstation into a node on the network, through a remote access server.

11. A(n) _________________________ occurs when a system becomes unable to function because it has been deluged with data transmissions or otherwise disrupted data.

12. A(n) _________________________ identifies your security goals, risks, levels of authority, designated security coordinator and team members, responsibilities for each team member, and responsibilities for each employee.

13. A(n) _________________________ is a router that examines the header of every packet of data it receives to determine whether that type of packet is authorized to continue to its destination.

14. In _________________________ encryption, data is encrypted using a single key that only the sender and the receiver know.

15. The _________________________ protocol defines encryption, authentication, and key management for TCP/IP transmissions.
Chapter 15: Implementing and Managing Networks

After reading this chapter and completing the exercises, you will be able to:
■ Describe the elements and benefits of project management
■ Manage a network implementation project
■ Understand network management and the importance of baselining to assess a network’s health
■ Plan and follow regular hardware and software maintenance routines
■ Describe the steps involved in upgrading network software and hardware

In this book, you have learned the technologies and techniques necessary to design an efficient, secure network. In this chapter, you will learn how to put those elements together to plan a network implementation or improve an existing network from start to finish. One of the first steps in implementing a network is devising a plan. Before you can create such a plan, however, you must learn some project management fundamentals.

After a network is in place, it requires continual review and adjustment. Therefore, a network, like any other complex system, is in a constant state of flux. Whether the changes are due to internal factors, such as increased demand on the server’s processor, or external factors, such as the obsolescence of a router, you should count on spending a significant amount of time investigating, performing, and verifying changes to your network. In this chapter, you will build on this knowledge to learn about changes dictated by immediate needs as well as those required to enhance the network’s functionality, growth, performance, or security.

Project Management

Whether you are designing a network from scratch or making significant changes to an existing network, it’s important to plan carefully before purchasing hardware or software or committing staff time. Project management provides a framework for planning and implementing significant undertakings.
Project management is the practice of managing staff, budget, timelines, and other resources and variables to achieve a specific goal within given bounds. The project might be constrained by time, money, or the number of developers who can help you with the project. In the networking field, for example, you might employ project management when upgrading your servers to Solaris version 10, or when replacing the CAT 3 wiring in your organization’s building with CAT 6 wiring. This section describes some project management techniques that apply specifically to network and other technology implementations.

Different project managers have differing philosophies about the best way to ensure that project goals are met. However, most would agree that project management attempts to answer at least the following questions in roughly the following order:
◆ Is the proposed project feasible?
◆ What needs must the project address?
◆ What are the project’s goals? (What are the standards for success?)
◆ What tasks are required to meet the goals?
◆ How long should tasks take, and in what order should they be undertaken?
◆ What resources are required to accomplish the tasks, and how much will they cost?
◆ Who will be involved and what skills must they possess?
◆ How will staff communicate with others about the project?
◆ After completion, did the project meet the stated need?

Most projects can be divided into phases, each of which addresses some of the questions in the preceding list. For example, you might divide a project into four phases: initiation, specification, implementation, and resolution. In that case, the initiation phase would include determining whether the project is feasible, assessing needs, and determining which staff will be involved. Identifying goals and answering questions about tasks, timelines, costs, resources, staff requirements, and communication methods would occur during the specification phase.
Next comes implementation, when the work of the project would take place. Finally, the completion of a project and the analysis of its success would be considered the project’s resolution. Figure 15-1 illustrates how a project can be divided into these four phases. In fact, there are many different ways to depict a project’s progress over time, and in many cases the phases overlap.

At several points during a project the team might stop to assess its progress. In project planning, a milestone is a reference point that marks the completion of a major task or group of tasks in the project and contributes to measuring the project’s progress. For example, if you were in charge of establishing an e-commerce server, you might designate the completion of the software installation on your server as being a milestone. Milestones are particularly useful in large projects that have high visibility within the organization. They provide a quick indication of a project’s relative success or failure.

FIGURE 15-1 Project phases

The following sections discuss project management steps in more detail. Throughout these sections, the example of a comprehensive network upgrade is used to illustrate project management concepts as they relate to networking.

Determining Project Feasibility

Before committing money and time to a project, you must decide whether the proposed project is possible—that is, whether it’s feasible. Often, and especially in technology-based companies, staff become so enamored with gadgetry and the desire for faster network access that they push a project through without realistically assessing its costs and benefits. To formalize the process of determining whether a proposed project makes sense, you can conduct a feasibility study.
A feasibility study outlines the costs and benefits of the project and attempts to predict whether it will result in a favorable outcome (for example, whether it will achieve its goals without imposing excessive cost or time burdens on the organization). A feasibility study should be performed for any large-scale project before resources are committed to that project.

NOTE: Often, organizations hire business consultants to help them develop a feasibility study. The advantage to outsourcing this work is that consultants do not make the same assumptions that internal staff might make when weighing the costs and benefits of a proposed project.

Suppose you are the network manager for the Wyndham School District, which consists of nine buildings: one administration building, one high school, two middle schools, and five elementary schools. Some staff have complained to you about the slow performance of the LAN, slow access to the Internet, and client computers that are barely powerful enough to run learning software. You, too, recognize that the district’s technology is outdated. You and other staff perceive that a comprehensive upgrade seems necessary. However, you don’t know whether the school board has sufficient money to allocate to the project, if it’s a priority compared to other expenses, or if students’ and staff productivity will be significantly hampered during such an upgrade.
Your feasibility study might consist of rough estimates for the following:
◆ Costs of equipment, connectivity, consulting services
◆ Required staff time for project participation, training, and evaluation
◆ Duration of project
◆ Decrease in productivity due to disruption versus increase in future productivity due to better network and client performance
◆ A conclusion that addresses whether the costs (equipment, staff, decreased productivity) justify the benefits (increased ongoing productivity)

If you conclude that the project is feasible, you can move to the next step of project planning: assessing needs.

Assessing Needs

All the staff in the Wyndham School District might agree that the current e-mail system is too slow and needs to be replaced, or numerous users might complain that the connection between their classroom computers and the LAN’s servers is unreliable. Often a network change project begins with a group of people identifying a need. Before you concur with popular opinion about what portions of the network must be upgraded and how changes must occur, as a responsible network administrator you should perform a thorough, objective needs assessment. A needs assessment is the process of clarifying the reasons and objectives underlying a proposed change. It involves interviewing users and comparing perceptions to factual data. It probably also involves analyzing network baseline data (discussed later in this chapter). Your goal in performing a needs assessment is to determine the appropriate scope and nature of the proposed changes.

A needs assessment may address the following questions:
◆ Is the expressed need valid, or does it mask a different need?
◆ Can the need be resolved?
◆ Is the need important enough to allocate resources to its resolution? Will meeting the need have a measurable effect on productivity?
◆ If fulfilled, will the need result in additional needs? Will fulfilling the need satisfy other needs?
◆ Do users affected by the need agree that change is a good answer? What kind of resolution will satisfy them?

A network’s needs and requirements should be investigated as they relate to users, network performance, availability, scalability, integration, and security. Although only one or a few of these needs may constitute driving forces for your project, you should consider each aspect before drafting a project plan. A project based solely on user requirements may result in unforeseen, negative consequences on network performance, if performance needs are not considered as well.

A good way to start clarifying user requirements is to interview as many users as possible. Just as if you were a reporter, you should ask pointed questions. If the answer is not complete or sufficiently specific, follow up your original question with additional questions. The more narrowly focused the answers, the easier it is to suggest how a project might address those needs. Besides asking the user what he needs, you may also want to ask why the need should be addressed, what ways he suggests the need can be addressed, what kind of priority he would place on the need being met, and whether it takes precedence over other needs.

In the process of interviewing users, you may recognize that not all users have the same needs. In fact, the needs of one group of users may conflict with the needs of another group. In such cases, you must sort out which needs have a greater priority, which needs were expressed by the majority of users, whether the expressed needs have anything in common, and how to address needs that do not fall into the majority.

[...]
become involved in maintaining or troubleshooting the network. In addition, you should ensure that the asset management database is regularly updated, either manually or automatically, as changes to network hardware and software occur. The information you retain is useful only while it is current. Asset management simplifies maintaining and upgrading the network chiefly because you know what the system includes...

and from other sources, including reputable Internet bulletin boards, reputable magazines, and other networking professionals. Evaluate the costs involved in upgrading. Also list the benefits and risks involved in embarking on this NOS upgrade. Project plan—Before you have committed significant time and money to the project, devise a project plan. This plan should include the following steps, the task assignments...

multicasts over a Token Ring network. Alternatively, you might patch the application that allows you to centrally control your printers across the network. TIP: If you install new hardware on a Windows Server 2003 server after installing a service pack, you are prompted to insert your original Windows Server 2003 installation CD to obtain the device driver...

obtaining the fiber-optic cable, obtaining the connectivity devices compatible with fiber-optic connections, scheduling network downtime during which the upgrade can occur, removing the CAT 5 cabling, installing the fiber-optic cabling, testing the changes, and so on. After you have identified tasks, you can assign a duration, start date, and finish date to each task and subtask in the project plan. You can also...
and the Internet. Beneath that goal, you may insert several smaller goals, such as increasing the throughput of its current Internet connection, connecting to a nationwide ISP, and using a proxy server to cache frequently accessed Web pages. In addition to being specific, project goals should be attainable. The feasibility study should help determine whether you can achieve the project goals within the...

project plan in Microsoft Project

Tasks and Timelines

A project should be divided into specific tasks. Larger tasks are then broken into even smaller subtasks. For example, upgrading the Wyndham School District’s backbone from CAT 5 to fiber-optic cabling represents a large task with numerous subtasks: documenting the current cable plant, obtaining the fiber-optic...

originally referred to an organization’s system for keeping tabs on every piece of equipment it owned. This function was usually handled through the Accounting Department. Some of the accounting-related tasks included under the original definition for asset management, such as managing the depreciation on network equipment or tracking the expiration of leases, apply to asset management in networking...

depicting when projects begin and end along a horizontal timeline. Figure 15-3 illustrates a simple Gantt chart.

FIGURE 15-3 A simple Gantt chart

TIP: You may be asked to plan a project with seemingly impossible deadlines. One technique for making the project fit into a tight time frame is to work backward to create the timeline. Begin at the project’s predetermined endpoint...
an administrator with several ways to view and analyze the data. For example, a popular way to view data is in the form of a map that shows fully functional links or devices in green, partially (or less than optimally) functioning links or devices in yellow, and failed links or devices in red. One type of network status map generated by Solarwinds.net’s Orion network management software is shown in Figure...

software. Be certain to document what you learn about the new technology’s features and idiosyncrasies. As you evaluate your results against your predefined test criteria, note where your results show success or failure. All of this documentation provides valuable information for your final implementation and for future baselining.

Testing and Evaluation

After completing each major step in a project, you ...

making the project fit into a tight time frame is to work backward to create the timeline. Begin at the project’s predetermined endpoint and move toward the beginning of the project, allowing

Date posted: 07/07/2014, 09:20
