
TECHNICAL ENGINEER EXAMINATION (NETWORK) (AFTERNOON, PART 2)


2001 Autumn Technical Engineer Examination (Network) (Afternoon Part 2)

Questions must be answered in accordance with the following:

Question Nos.: Q1 to Q2
Question Selection: Select one of the above two
Examination Time: 14:30-16:30 (120 minutes)

Instructions:
1. Use an HB pencil. If you need to change an answer, erase your previous answer completely and neatly. Wipe away any eraser debris.
2. Mark your answers in accordance with the instructions below.
(1) Examinee Number: Write your examinee number in the space provided, and mark the appropriate space below each digit.
(2) Date of Birth: Write your date of birth (in numbers) exactly as it is printed on your examination admission card, and mark the appropriate space below each digit.
(3) Answers: In the Selection column, circle the numbers of the questions that you are choosing to do. Any question that is not circled will not be scored. If you circle all four questions, only the first three will be scored.
(4) Write each answer in the space specified for that question.
(5) Write your answers clearly and neatly. Answers that are difficult to read will receive a lower score.

Do not open the exam booklet until instructed to do so.
Inquiries about the exam questions will not be answered.

[List of Question Contents]

Q1 Theme: Re-construction of a network using IP-VPN service
[Description]
Sub-Question 1
(1) Basic knowledge regarding IP-VPN service
(2) Reason why leased lines are used for access lines
Sub-Question 2
(1) Names of sites which require the study of the bandwidth of the leased lines
(2) Effect of adding sites on the existing network
Sub-Question 3
(1) Problems resolved by installing a server for the integrated application program in the main office
(2) Reason why increased traffic between the plant and main office affects other sites
Sub-Question 4
(1) Basic knowledge regarding connections for data transfer
(2) Port numbers sent by the PORT command
(3) Details of changes made to the IP address of an ISDN router
(4) Reason why communication was disconnected by an ISDN router
(5) Information useful in troubleshooting when IPsec is not used
Sub-Question 5
(1) Reliability problems solved by the new network
(2) Reason why communication with the main office is not possible if the IPsec function is implemented using PCs in regional sales offices
(3) Features and associated reasons behind IP address planning when using IP-VPN service

Q2 Theme: Safety measures for a system connected to the Internet
[Description]
Sub-Question 1
Basic knowledge regarding duplexing ISPs
Sub-Question 2
(1) Reason why the reply packet is returned to the same firewall
(2) Hardware that should be checked using ping in order to detect routing failures
Sub-Question 3
(1) Basic knowledge regarding duplexing mail systems
(2) Reason why implementing processing to prevent illegal relays is simple
Sub-Question 4
(1) Basic knowledge regarding RAID
(2) Reason why a load balancing device is not used for distribution to an application server
(3) Zone information managed by DNS server 2
Sub-Question 5
(1) Basic knowledge regarding use of housing services offered by an Internet data center
(2) Role of a UPS when switching to an in-house power generator
(3) Tasks that should be indicated in an operation management manual in order to operate an electronic commerce system
(4) New issues that Company Y should consider to prevent system failure when using the housing service of an Internet data center
[Illustration]
Sub-Question 5
(1) Completing the configuration of an electronic commerce system when using the housing service of an Internet data center

Q1. Read the following description of re-constructing a network using IP-VPN service and answer Sub-Questions 1 through 5.

Company A mainly sells customized PCs to corporations. Since the scope of the business is rather large, Company A has regional sales offices in charge of each region and branch offices that oversee them. For their salesmen and designers, corporate customers order PCs with optimum specifications to do their jobs. When a salesman receives an order, he sends to the plant the customization specifications as requested by the customer. A PC is assembled according to the customization specifications. The assembled PC is sent to a distribution center and shipped on the specified day of delivery to the customer who placed the order.

[Overview of the Previous System]

Company A used to run separate business application programs (hereafter referred to as “distributed business APs”) on servers located at its branch offices and plants. The distributed business AP on each server was used with a corresponding client application program (hereafter referred to as a “terminal AP”) which ran on PCs. They were connected via TCP/IP communication lines. The distributed business APs at branch offices were used for order entry and business activity reports, while the distributed business AP at plants was used for production control. In addition, the terminal AP used by salesmen to make business activity reports used FTP to access the distributed business AP for business activity reports, which ran on servers at branch offices.
[Background Behind New System Development]

A year ago, the Planning Department of Company A began sales of PCs to individuals using a Web page-based online sales system installed in the main office. Even in the case of PCs sold to individuals, there were many cases where PCs needed to be customized to meet the requirements of individual customers. In the case of sales to individuals, customers wanted to be able to access the status of their order at any time from the PC order placement to its delivery. This service is called a “tracking service”. Salesmen also wanted this service in order to quickly respond to inquiries about delivery and so forth from corporate customers.

Although the distributed business AP was developed by the Information System Department at the main office, there were many problems because many additional functions had been repeatedly added. Maintenance personnel were used to take care of problems at branch offices and plants, but many times they could not solve problems and the Information System Department had to take care of it. This was a hindrance to the development work being performed by Information System Department.

[Overview of the Current System]

Six months ago, Company A got rid of the distributed business APs and distributed servers that it had been using, and began running a newly developed business application program (hereafter referred to as an “integrated business AP”) on a new server located in the main office. The integrated business AP included a function for linking with the nonstore sales system and a function for tracking service, while also implementing all the business functions of the old distributed business APs. The new server could be used from a PC using TCP/IP. It was decided to aim at quick development of the current system and to continue the use of the previous system. Fig. 1 shows the configuration of the current system network.
Fig. 1 Configuration of Current Network (figure not reproduced; labels shown: Internet, ISDN, Main Office, Research Lab, Branch Office, Plant, Distribution Center, Regional Sales Office 1 … Regional Sales Office 5, W, FW, S, RAS, Router, ISDN Router, PC, Leased Line)
FW: Firewall (details of configuration of firewall omitted)
RAS: Remote Access Server
W: Web server for nonstore sales system
S: Server for the integrated business AP
Note: Dotted lines indicate separate sites.

Salesmen in regional sales offices also have demands. Business activity reports are made by accessing the integrated business AP using a terminal AP for making such reports as in the past. Since terminal APs other than this have been abolished with the operation of the integrated business AP, it was decided to use the integrated business AP using PC browsers. A salesman can therefore use a browser to find out the status of a PC order at any time up to its delivery.

[Reconstruction of the Current Network]

Business at Company A has increased steadily using the integrated business AP. With this increased business, more working hours are spent referencing the specifications and design documents. The traffic between the plant and the main office has seen particularly dramatic growth. This has caused longer response times at multiple sites on the network and is hindering business. However, the communication bandwidth between the main office and branch offices is sufficient and there are no problems here.

The Information Systems Department was assigned to study the reconstruction of the current network for better network reliability and expandability to handle increased traffic and the addition of new sites in the future. The Information Systems Department, with Mr. T as a leader, has collected the requirements of the new network and presented its findings to a communication service provider. As a result, Mr. K, an engineer working for the communication service provider, has proposed IP-VPN service using MPLS (Multi-Protocol Label Switching). It was decided to study with him the suitability of IP-VPN service for the new network. Fig. 2 shows the configuration of the new network using IP-VPN service as proposed by Mr. K.

Fig. 2 Configuration of New Network (figure not reproduced; labels shown: Internet, ISDN, IP-VPN, Main Office, Research Lab, Branch Office, Plant, Distribution Center, Regional Sales Office 1, Regional Sales Office 5, W, FW, S, Router, ISDN Router, PC, Leased Line)

The following is a conversation between Mr. T and Mr. K.

Mr. T: First, please tell me about the packet transfer method used with IP-VPN.

Mr. K: The routers connected to the leased lines in Fig. 2 are called “customer edge routers”. (Hereafter referred to as CERs.) When using IP-VPN service, the communication service provider’s provider edge routers (hereafter referred to as PERs) are connected to customer CERs via leased lines having the required bandwidth. This leased line is called an “access line”. An IP packet arriving at a PER from a CER is given a/an [a] at the PER based on its destination address. Inside the IP-VPN network, routing between the sending PER and destination PER is performed based on [a]. [a] is removed by [b] at the transfer destination, restored to a regular [c], and transferred to [d].

Mr. T: Inside the IP-VPN network, packets having a different format than IP packets are transferred, right?

Mr. K: Yes, that’s right.

Mr. T: Can security be achieved when using IP-VPN service?

Mr. K: Of course it can. At the sending PER, it is possible to know which IP packets came from which customer. This does not arrive at the CERs of other customers. In other words, the sending PER identifies the sending customer, and determines the destination PER according to the destination IP address in the received IP packet.
If the sending customer is different, that IP packet is transferred to [e] CER even if the destination IP address in the IP packet received from the customer exactly matches that of the sending PER. This allows security equivalent to communications to be achieved using conventional leased lines.

Mr. T: Please tell me about the case of future expansion stated in your proposal.

Mr. K: For example, imagine that you are going to establish a new distribution center. In your current network configuration, this means connecting the new distribution center to the plant using a leased line. In this case, it is also necessary to study the bandwidth of existing leased lines between [f] and [g] and between [g] and [h]. In contrast, in the new network configuration being proposed, expansion will be easy because the effect on the existing network of adding sites can be [i] just by studying the bandwidth of existing access lines between [f] and IP-VPN.

Mr. T further continued his investigation on the assumption that a new network would be configured using IP-VPN service because it allows for communication security and can be done at low cost.

[Connecting the Regional Sales Offices to the Main Office]

Mr. K’s proposal was that regional sales offices and the main office be connected over the Internet. Mr. T investigated the method of the connection with Mr. K.

Mr. K: Connections to regional sales offices shall be made with the main office which has the Information Systems Department. Since the main office and each regional sales office are physically separated, connections which use ISDN in the current network will be switched to connections that use the Internet.

Mr. T: Although I think it is appropriate to connect regional sales offices to the main office, the proposals from other communication service providers suggest using IP-VPN service at regional sales offices as well. Why doesn’t the proposal from your company suggest IP-VPN service be used at the regional sales offices?

Mr. K: We feel that the frequency of use of the network by regional sales offices is low. We therefore thought that IP-VPN service was inappropriate because it is not very cost effective to use leased lines as the access lines with regional sales offices.

Mr. T: Can anything besides leased lines be used as the access lines?

Mr. K: Nothing can be used except leased lines.

Mr. T: Although security is achieved under IP-VPN, I’m very concerned about security when communications are made over the Internet. Is there anything we can do?

Mr. K: Security for communications over the Internet between the regional offices and main office can be achieved at the IP layer by using IPsec to safely transfer IP packets. When using IPsec, the sender encrypts IP packets and the receiver decrypts encrypted IP packets. Figure 3 shows a basic overview of using IPsec packets as currently being proposed.

Fig. 3 Overview of IPsec Packets Used at Company A (figure not reproduced; fields shown, in order: New IP header, ESP header, IP header, TCP header, TCP data, Supplemental ESP data, ESP Authentication data; range labels in the figure: “IP packet before encryption”, “Target of encryption”, “Target of identification”)
ESP: Encapsulating Security Payload

Mr. K: The IP packet before encryption and the newly added supplemental ESP data are encrypted. The ESP header, which differs from a TCP header, and encrypted data are the target of falsification detection.

Mr. T: Are there any problems with reduced communication throughput due to encryption overhead or Internet congestion?

Mr. K: The main business being conducted by regional sales offices is producing business activity reports. The terminal AP used for making business activity reports uses FTP to connect to the integrated business AP and download a report template. Then report data created by a salesman is sent to the integrated AP. Since the amount of data sent with FTP is small, we think that it is not a big problem.

Mr. T performed a file transfer test using IPsec and FTP over the Internet.
[Connection Test between Regional Sales Offices and the Main Office]

First, Mr. T made preparations to perform a connection test using FTP over the Internet between each regional sales office and the main office. Although the FTP server used for the test possessed an IPsec function, in preparation for trouble analysis, the IPsec function was not used. Company A uses a private, in-house IP address. In order to connect to the Internet, Mr. T set the packet filter for ISDN routers used on the current network for use under an Internet connection. The table gives an excerpt of the contents of packet filters for ISDN routers used for the connection test.

Table: Contents of Packet Filters of ISDN Routers Used in the Connection Test (Excerpt)

| Direction | Sender’s IP address | Destination IP address | SYN bit | ACK bit | Sender's port no. | Destination port no. | Communication operation |
|---|---|---|---|---|---|---|---|
| Out-bound | Internal | External | On | Off | 1,024 or greater | 25 | Connect |
| Out-bound | Internal | External | On | Off | 1,024 or greater | 110 | Connect |
| In-bound | External | Internal | On | Off | Any | Any | Disconnect |
| In-bound | External | Internal | Off | On | 80 | 1,024 or more | Connect |
| Out-bound | Internal | Internal | On | Off | Any | Any | Disconnect |

In addition, it was possible to use the Internet from multiple PCs which possessed a private IP address by assigning a single global IP address to each of the ISDN routers used in the test.

Mr. T downloaded files from an FTP server located in the DMZ of the firewall from a regional sales office using a browser. Next, he tried downloading the files using the terminal AP for making business activity reports. However, he could not download files from the FTP server using the terminal AP for making business activity reports. Mr. T reported the results of this test to Mr. K and decided to find out the causes of problems and their solutions.

Mr. T: I was able to download files when using the browser in a regional sales office.
However, download failed when attempting to use the terminal AP for making business activity reports. Here is the packet monitoring data between the FTP server and the FTP client obtained from the DMZ of the firewall. Looking at this data, it appears that the TCP connection from the regional sales office was disconnected, but I don't understand the cause.

Mr. K: Judging from the monitoring results, the TCP connection was disconnected by the ISDN router. I will explain using Fig. 4, which shows an overview of FTP active mode.

Fig. 4 Overview of FTP Active Mode (figure not reproduced)
FTP client: P: 3201, P: 3200
FTP server: P: 21, P: 20
- Establish connection for control
- Transfer PORT <IP address, Port No.> command
- Transfer RETR <file path> command
- Establish connection for data transfer
- Transfer files
- Connection for data transfer disconnected
- Connection for control disconnected
Note: “P” indicates the Port No.

[...]

... appropriate words/phrases for boxes text
(2) In 80 words or less, explain the reason why leased lines are used for access lines from a security perspective when PERs are used.

Sub-Question 2 Answer the following questions regarding expandability of the current network and new network.
(1) Fill in the appropriate site names for boxes [f] through [h] in the text.
[i] (2) Fill in the appropriate words or phrases...

... times the current levels in three years is being created. Manager H has asked the Information Systems Department to investigate the systems which can handle electronic commerce on a scale of 100 billion yen per month based on the business plan created. Section Manager G of the Information Systems Department has asked Mr F, who is in charge of Internet infrastructure, to do the study. Figure 1 shows the...
... boxes a through d in the text.

Sub-Question 2 Answer the following questions regarding the duplexing ISPs as illustrated in Fig 2.
(1) Explain in 100 words or less the reason for the underlined part (a) in the text.
(2) Explain in 40 words or less which piece of hardware should be subjected to a ping check when using the load balancing device to detect route failures between Company Y and the ISP.

Sub-Question...

... listed under [Issues related to EC system operation]. Explain in 60 words or less for each issue.
(4) If IDC housing services are to be used, EC system operation is separated into that part carried out by Company Y and that part consigned to the IDC. Explain in 100 words or less new problems which Y should consider to prevent failures.

...
(1) Explain in 40 words or less the problem which was resolved by abolishing the servers used for the distributed business AP and installing a server for the integrated business AP in the main office.
(2) Explain in 60 words or less why an increase in traffic between the plant and the main office adversely affected other sites. Be sure to explain this from a network configuration perspective including...

... load increase or failure occurrences were included. In the last six months, Company Y has experienced the following four problems regarding the Internet.
(1) Internet connections were lost due to the ISP.
(2) Service stopped due to a failure of the Web server of the EC system.
(3) Incidents occurred which caused stoppage of mail service and loss of mail.
(4) There was damage due to a virus that infected the...

... together an improvement plan with the following four points as essential features and reported it to Section Manager G.

[Proposed System Improvements]
(1) Connect with two ISPs (hereafter ‘duplexing ISPs’)
(2) Implement safety measures for main servers such as the EC system server, mail server, etc.
(3) Adopt a configuration for the EC system that can handle sharp load increases
(4) Perform a virus check on...
... operate an autonomous system, and the second is to connect to two ISPs using static routing just as has been done so far. However, since the operation of the first type of system is difficult from a technical standpoint, and may have to take social responsibilities, it had best be avoided.

Mr F: Well, then, tell me about the second method.

Mr B: In this method, [a] used to send and receive packets is...

... route to ISP-1 occurs. If NAT is performed on the firewall at this time, (a) reply packets are returned to the same firewall through the same ISP.

Mr F: I understand. The method shown in Fig 2 looks good.

(2) Safety measures for the EC system and DNS server

Mr B: In order to handle future increases in load, a three-layer configuration should be used for the EC system with the addition of an application server...

... affected.

Sub-Question 4 Answer the following questions regarding the connection test between the regional sales offices and the main office.
(1) Fill in the appropriate words or phrases for box [j] in the text.
(2) What is the port no sent by the PORT command in line in Figure 4
(3) ISDN routers not only convert the IP header, but the IP address as well. Explain in 100 words or less specifically what is converted.
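The packet filter excerpt from the Q1 connection test can be evaluated against the packets of the FTP active mode sequence in Fig. 4 to see which table row an ISDN router applies. This is an added example, not part of the examination paper; first-match evaluation, the names `Packet`, `evaluate` and `active_mode_data_syn`, and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" or "in", as seen by the ISDN router
    src: str        # "internal" or "external"
    dst: str        # "internal" or "external"
    syn: bool
    ack: bool
    sport: int
    dport: int


def any_port(port: int) -> bool:
    return True


def high_port(port: int) -> bool:
    # "1,024 or greater" / "1,024 or more" in the table
    return port >= 1024


def exactly(n: int) -> Callable[[int], bool]:
    return lambda port: port == n


# One tuple per table row, in table order:
# (direction, sender, destination, SYN, ACK, sender port, destination port, operation)
RULES = [
    ("out", "internal", "external", True, False, high_port, exactly(25), "connect"),
    ("out", "internal", "external", True, False, high_port, exactly(110), "connect"),
    ("in", "external", "internal", True, False, any_port, any_port, "disconnect"),
    ("in", "external", "internal", False, True, exactly(80), high_port, "connect"),
    ("out", "internal", "internal", True, False, any_port, any_port, "disconnect"),
]


def evaluate(pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (1-based table row, operation) for the first matching row.

    First-match ordering is an assumption; the excerpt does not state it.
    Packets that match no row of the excerpt return (None, "not in excerpt").
    """
    header = (pkt.direction, pkt.src, pkt.dst, pkt.syn, pkt.ack)
    for row, (d, s, t, syn, ack, sport_ok, dport_ok, op) in enumerate(RULES, start=1):
        if header == (d, s, t, syn, ack) and sport_ok(pkt.sport) and dport_ok(pkt.dport):
            return row, op
    return None, "not in excerpt"


def active_mode_data_syn(client_port: int) -> Packet:
    """SYN sent by the FTP server (port 20) to open the active-mode data connection.

    From the ISDN router's side the server in the main office DMZ is external.
    """
    return Packet("in", "external", "internal", True, False, 20, client_port)


if __name__ == "__main__":
    # Constructed packets; 3200 and 3201 are the client ports shown in Fig. 4.
    samples = [
        ("FTP data SYN, server:20 -> client:3201", active_mode_data_syn(3201)),
        ("HTTP reply, server:80 -> client:3200",
         Packet("in", "external", "internal", False, True, 80, 3200)),
        ("SMTP SYN, client:3200 -> server:25",
         Packet("out", "internal", "external", True, False, 3200, 25)),
    ]
    for label, pkt in samples:
        row, op = evaluate(pkt)
        print(f"{label}: row {row}, {op}")
```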

Date posted: 05/08/2014, 17:22