480 | Chapter 8: Network+ Exam Study Guide

purposes. Most cable modems support bandwidths from 1.5 to 3 Mbps for Internet access. The cable modem usually supports up to 10 Mbps data speeds for the LAN. The actual Internet access speed depends on the utilization of the shared cable signals in the area. The available bandwidth is always shared with other users in the area and may vary from time to time. In periods of peak usage, the speed may be low compared to periods when usage is low.

Both broadband and baseband are signaling technologies. In simple terms, broadband technology supports transmission of multiple signals, while baseband technology supports transmission of only one signal at a time. Most computer networks employ baseband technology. Broadband technology is used for cable TV.

Plain Old Telephone System/Public Switched Telephone Network (POTS/PSTN)

POTS and PSTN are the traditional methods of Internet access. These are dial-up methods; the user has to dial the telephone number of the ISP to authenticate and get Internet connectivity. The telephone line is connected to a modem that is in turn connected to a serial or USB port of the user's computer. Most computers have built-in modems that can be directly connected to the telephone line. If the modem is connected to an external port such as the serial or USB port, its software driver must also be installed. POTS and PSTN provide a maximum data transfer speed of 56 Kbps.

There are several ISPs that offer dial-up Internet access. Depending on the area in which the user lives, one must be careful when selecting an ISP. Most ISPs provide added features, such as free email accounts and access to newsgroups, and some even offer a small web site for the user.

Satellite

In areas where DSL or cable is not available, satellite Internet is the only option for high-speed Internet access. For this reason, it is commonly used in rural areas. The signals travel from the ISP to a satellite and then from the satellite to the user. The data transmission speeds vary from 512 Kbps (upload) to 2 Mbps (download). Major drawbacks of satellite Internet access are that it is expensive and that it offers low transfer speeds compared to DSL and cable.

Satellite Internet access suffers from propagation delays or latency problems. Latency refers to the time taken for the signal to travel from the ISP to the satellite and back to the user. The signals have to travel to a satellite located in geostationary orbit about 35,000 Km away. This means that the signals have to travel approximately 70,000 Km before they reach the user. Latency also depends on atmospheric conditions. This might be a problem for businesses or home users that rely on real-time applications.

Wireless

Wireless Internet access is used by portable devices such as laptop computers, PDAs, mobile phones, and other handheld devices. A wireless Internet service provider (WISP) usually creates hotspots at airports, hotels, coffee shops, and other places where people are likely to visit and connect to the Internet. The WISP installs one or more wireless Access Points (APs) near the hotspot to share the Internet connection. Most of the newer handheld and portable devices include a built-in wireless adapter. A wireless connection is automatically detected and configured in most cases. Anyone who is in close proximity to the AP can connect to the Internet almost immediately.

Remote Access Protocols and Services

Remote Access refers to connecting to and accessing the shared resources located on a remote network. All major network and desktop operating systems have built-in support for remote access. There are several different techniques to establish remote access connections.
There are also a variety of standards and protocols used for encryption and authentication to provide security for Remote Access Services. In this section, we will take a look at different remote access protocols and services.

Remote Access Service (RAS)

RAS is Microsoft's implementation of remote access protocols and standards. It is available on all Windows Server operating systems. Microsoft renamed it Routing and Remote Access Service (RRAS) in Windows 2000 Server and later operating systems. A Remote Access Server is configured to provide connectivity to remote clients that support remote access protocols. This server acts as a gateway for the organization's internal network. The Remote Access Server authenticates the remote clients before they are allowed access to resources located on other internal servers.

Serial Line Internet Protocol (SLIP)

SLIP is an older remote access protocol that provides point-to-point connections over TCP/IP using serial connections. It was mainly used on Unix platforms. Security is a main concern with SLIP because all usernames and passwords are transmitted in clear text. It does not support any methods for encryption or secure authentication. Besides this, it does not ensure guaranteed delivery of data because of the absence of any error detection, correction, or packet-sequencing mechanisms. In most major network operating systems, Point-to-Point Protocol (PPP) has replaced SLIP.

Point-to-Point Protocol (PPP)

PPP is the standard protocol for remote access due to its clear advantages over SLIP and added security features. It is a protocol suite that includes several protocols. It is a cross-platform protocol and works with all major operating system environments, including Windows, Unix/Linux, NetWare, and Mac OS. PPP allows encryption of remote user credentials during the authentication process. It also allows administrators to select an appropriate LAN protocol for use over the remote connection. Administrators can choose from NetBEUI, NetBIOS, IPX/SPX, AppleTalk, or TCP/IP. PPP supports several protocols for authentication, such as PAP, SPAP, CHAP, MS-CHAP, and EAP. The administrator can configure multiple protocols, depending on the requirements of remote clients.

PPP Over Ethernet (PPPoE). PPPoE is a combination of the PPP and Ethernet protocols. It encapsulates the PPP information inside an Ethernet frame. This enables multiple users on a local Ethernet network to share the remote connection through a common device. For example, multiple users can share the same Internet connection through the cable modem simultaneously. Although all users on the Ethernet network share a single physical connection to the remote network, PPPoE allows administrators to configure individual authentication for each user. PPPoE also enables administrators to track connection statistics (such as the connection time) of individual users.

Virtual Private Networking

As the name suggests, a Virtual Private Network (VPN) provides a secure means of communication between remote users of an organization, between different locations of an organization, or between distinct organizations. The communication takes place using a public network such as the Internet. VPN provides a cost-effective way to provide connectivity to remote users of the organization. This technology saves costs for those organizations that have a large number of telecommuting employees. These employees can connect to internal resources of the organization from anywhere because of the global availability of the Internet. All employees need to do to connect to the organization's network is simply connect to the local ISP.

VPN technologies employ secure authentication and data transmission protocols that work by creating a tunnel in the publicly accessible network (Internet). The tunneling protocols encapsulate authentication and other data within other packets before transmitting them over the Internet. A VPN is composed of the following components:

VPN Client
    The remote user who wants to establish a connection to the organization's network.
VPN Server
    A server running Remote Access Service; it authenticates connection requests from the remote client.
Carrier Protocols
    Used to transfer data from one point to another over the Internet.
Encapsulating Protocols (tunneling protocols)
    Used to wrap the original data before it is transmitted over the Internet. PPTP, L2TP, IPSec, and Secure Shell (SSH) are examples of encapsulating protocols.

VPN can be implemented in one of the following ways:

Remote Access VPN
    This is also known as Private Virtual Dial-up Network (PVDN). This type of VPN provides remote access to remote users over the Internet. The remote user is responsible for creating the tunnel and starting the communication. Remote Access VPN is a great solution for an organization that has a large number of users spread across different locations. By using VPN technologies, organizations can save on the costs involved in having users directly dial in to the organization's internal network.
Site-to-Site VPN
    This is also called an Intranet and is established between different offices of the same organization spread across multiple physical locations. This can be a very cost-effective solution because the organization does not have to maintain dedicated WAN connections between physically separated locations.

Software-based VPNs require proper planning and secure implementations, as these are prone to the vulnerabilities of the operating system. Hardware implementations are expensive but are generally more secure than their software counterparts.

As noted earlier, VPN essentially depends on a tunneling protocol to successfully and securely transmit data from one location to another using the Internet. The choice of tunneling protocol depends on the solution chosen to implement a VPN. The tunneling process is usually transparent to the end user, who only has to provide appropriate credentials to gain access to internal resources of the organization. The only requirement is that each end of the tunnel must be able to support the selected tunneling protocol. Tunneling protocols are discussed later in this chapter.

Remote Desktop Protocol (RDP)

RDP is used in Microsoft Windows networks to provide a connection to a server running Microsoft Terminal Services. With Terminal Services, clients connect and run applications on the terminal server as if they were located on the local computer. Terminal Services run either in Remote Administration Mode or in Application Server Mode. With Windows Server 2003 and later operating systems, the Remote Administration Mode has been replaced with the Remote Desktop feature. Clients for Terminal Services include most versions of Windows and other operating systems such as Unix/Linux and Mac OS. Windows XP Professional and Windows Server 2003 have built-in remote desktop clients. RDP uses TCP port number 3389 by default.

Security Protocols

Network security depends on effective use of security protocols. A variety of protocols are available for implementing security in networks, and administrators must select appropriate protocols in order to provide a secure working environment. Some of the security protocols covered on the Network+ exam are discussed in this section.

IP Security (IPSec)

Internet Protocol Security (IPSec) is a standardized framework used to secure IP communications by encrypting and authenticating each IP packet in a data stream.
This protocol ensures confidentiality and authentication of IP packets so that they can securely pass over a public network, such as the Internet. IPSec is considered to be an "open standard" because it is not bound to a particular application, authentication method, or encryption algorithm. IPSec is implemented at the Network layer (Layer 3) of the OSI model. It is made up of the following two components:

Authentication Header (AH)
    The AH secures data or payload by signing each IP packet to maintain its authenticity and integrity.
Encapsulating Security Payload (ESP)
    The ESP protocol also ensures authenticity and integrity of data but adds confidentiality to the data using encryption techniques.

AH and ESP can be used either together or separately. When AH and ESP are used together, the sender and receiver of data can be assured of complete security. IPSec can be implemented in either of the following modes:

Transport mode
    When implemented in transport mode, only the payload (the actual message or data) inside the IP packet is encrypted during transmission. Transport mode is generally implemented in host-to-host communications over VPNs or inside a LAN.
Tunnel mode
    When implemented in tunnel mode, the entire IP packet is encrypted. The added security comes at the cost of transmission speed. Tunnel mode IPSec is implemented in gateway-to-gateway VPNs.

IPSec authentication. As noted earlier, IPSec ensures authenticity, integrity, and confidentiality of data. IPSec uses the Internet Key Exchange (IKE) mechanism to authenticate the two ends of the tunnel by providing a secure exchange of shared secret keys before the transmission starts. Both ends of the transmission use a password known as a preshared key. Both ends exchange a hashed version of the preshared key during IKE transmissions. Upon receipt of the hashed data, it is recreated and compared. A successful comparison is required to start the transmission. IPSec can also be used for digital signatures. A digital signature is a certificate issued by a third-party Certificate Authority (CA) to provide authenticity and non-repudiation. Non-repudiation means that the sender cannot deny that he sent the data and can be held responsible for the sent data or message.

Point-to-Point Tunneling Protocol (PPTP)

PPTP is a popular tunneling protocol used to implement VPNs. PPTP uses TCP port 1723, and it works by sending a regular PPP session using the Generic Routing Encapsulation (GRE) protocol. PPTP is easy to configure and supports all major network and desktop operating systems such as Windows, Unix/Linux, and Mac. Due to its low administrative costs, PPTP is the choice of many administrators for VPNs that require medium security. It is commonly used in Microsoft networks, as is Microsoft Point-to-Point Encryption (MPPE), which is used for encrypting data. Following are some of the limitations of PPTP:

• It cannot be used if the RAS servers are located behind a firewall.
• It works only in IP networks.
• When used alone, PPTP does not provide encryption for authentication data. Only the transmissions after the initial negotiations are encrypted.

Layer 2 Tunneling Protocol (L2TP)

L2TP is another tunneling protocol that is widely supported by most vendors in the IT industry. It uses the Data Link layer (Layer 2) of the OSI model to carry data from one point of the tunnel to another over the Internet. This protocol uses UDP port 1701 for transport. L2TP offers the combined benefits of PPTP and the L2F (Layer 2 Forwarding) protocol from Cisco. It was considered a major improvement over PPTP but still lacks encryption capabilities when used alone. A combination of L2TP and IPSec is generally used to provide secure transmissions for VPN connections. L2TP/IPSec can be used behind firewalls, provided UDP port 1701 is opened for incoming and outgoing packets.
Besides this, both ends of the communication must support the L2TP/IPSec protocols. Some of the advantages of using an L2TP/IPSec combination over PPTP for implementing VPNs include the following:

• L2TP/IPSec requires two levels of authentication: computer or network hardware authentication, and user-level authentication.
• IPSec provides confidentiality, authentication, and integrity for each packet. This helps prevent replay attacks. PPTP provides only data confidentiality.
• IPSec establishes security associations during the transmission of the user-level authentication process. This ensures that the authentication data is not sent unencrypted.
• L2TP/IPSec supports the use of RADIUS and TACACS+ for centralized authentication, while PPTP does not.
• L2TP/IPSec can be used on top of several protocols such as IP, IPX, and SNA, while PPTP can only be used with IP.

Secure Socket Layer (SSL)

SSL is an encryption protocol popularly used for Internet-based transactions such as online banking and e-commerce. This protocol is based on public key encryption mechanisms. SSL provides end-to-end security for Internet communications by using encryption. In typical implementations, only the server component is required to use public keys for authentication. For example, when you access a secure server on the Internet that uses SSL, the address of the web site begins with https://, while the addresses of unsecure web sites begin with http://.

When both the client and the server need to authenticate each other, the SSL communications start with the following steps:

• Both the client and the server negotiate the encryption algorithm.
• The client and the server exchange session keys using public key-based encryption.
• The client and the server authenticate each other using certificates.
• Communications start, and all traffic is encrypted using a symmetric cipher.

The client and the server negotiate a common encryption algorithm and a hashing algorithm. For end-to-end security using SSL, a Public Key Infrastructure (PKI) is required. Both the server and the client must be SSL-enabled to communicate over a secure channel. Transport Layer Security (TLS) is the successor of Secure Socket Layer (SSL) but can be scaled down to SSL mode for backward compatibility.

Wired Equivalent Privacy (WEP)

WEP is a security protocol used mainly for IEEE 802.11 wireless networks. Because wireless networks communicate using radio signals, they are susceptible to eavesdropping. Eavesdropping refers to the monitoring and capturing of signals as they travel over network media. WEP is designed to provide privacy (confidentiality) comparable to that of a wired network. When sending data over radio frequencies, a WEP-enabled client adds a 40-bit secret key to the data while it is passed through an encryption process. The resulting data is called cipher text. On the receiving end, the data is decrypted using the secret key to recover the plain text.

Initial implementations of WEP used a 40-bit encryption key and were not considered very secure. It was still better than not using WEP at all. Soon, a number of tools appeared that could crack WEP keys. A later version of WEP uses 128-bit encryption keys, which is more secure than the earlier version.

Wi-Fi Protected Access (WPA)

WPA is used for secure access to wireless networks, and it overcomes many weaknesses found in WEP. It is backward-compatible with wireless devices that support WEP, but its use of larger encryption keys makes it a better choice than WEP. The following are some of the features of WPA:

• It provides enhanced data encryption security by using the Temporal Key Integrity Protocol (TKIP). TKIP scrambles encryption keys using a hashing algorithm. At the receiving end, the hash value of the key is passed through an integrity check to ensure that the key has not been tampered with during transmission.
• WPA uses several variations of the Extensible Authentication Protocol (EAP) and public key cryptography.

WPA can also be used in personal mode or preshared key mode. Each user must know and use a passphrase to access the wireless network. A passphrase is a short text string that is configured on all wireless devices. In other words, it is the secret key shared by all wireless devices on a network. The preshared key mode is less secure than the standard mode but allows small offices or home networks to secure wireless transmissions. This is particularly useful for small organizations that cannot afford the cost of implementing PKI.

802.1x

802.1x is a secure authentication protocol standard used in wired and wireless networks to provide port-based access control. This standard was mainly developed to provide enhanced security to WLANs. 802.1x provides a secure point-to-point connection between a WAP and a host computer. This protocol is based on the Extensible Authentication Protocol (EAP) and is usually implemented in closed wireless networks to provide authentication. The authentication process uses the following two components:

Supplicant
    Supplicant refers to the software component installed on the user's computer that needs access to a wireless access point.
Authenticator
    Authenticator refers to a centralized wireless access point. The authenticator forwards the authentication request to the authentication server, such as a RADIUS server.

When a user (the supplicant) wants access to a wireless network, the 802.1x protocol sends the request to an access point (authenticator). After the communication begins, the supplicant is placed into an unauthorized state.
There is an exchange of EAP messages between the authenticator and the supplicant, wherein the authenticator requests the credentials of the supplicant. After receiving the credentials, the authentication request is sent to the authentication server, such as the RADIUS server. The authentication server either accepts the credentials of the supplicant and grants access, or rejects them, thereby rejecting the connection request. If the connection is accepted, the user is placed into an authorized state.

Authentication Protocols

Authentication is the process of verifying the credentials of a user. In the case of remote access, the user connecting remotely must present one or more sets of credentials to get access to the Remote Access Server. Once the Remote Access Server authenticates the user, further access to network resources is governed and limited by the permissions set on the resources that are applicable to the remote user. The following are commonly used authentication protocols for remote access:

Challenge Handshake Authentication Protocol (CHAP)
    The CHAP authentication protocol is very commonly used for remote access. When the remote link is established, the user is sent a challenge text. The remote user responds with the shared secret in encrypted form using the MD5 hashing algorithm. The user is authenticated only if the secret matches the one stored on the Remote Access Server. CHAP periodically verifies the identity of the user by sending challenge text at random times during the connection.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
    MS-CHAP is Microsoft's implementation of the CHAP authentication protocol used on Windows systems. It is a password-based authentication mechanism that is more secure than CHAP. MS-CHAP is an earlier version of MS-CHAPv2 that supports only one-way authentication. MS-CHAPv2 supports two-way authentication in which both client and server authenticate each other using encrypted passwords.
Password Authentication Protocol (PAP)
    PAP is the oldest and most basic form of authentication, in which the username and password are transmitted in clear text over the dial-up network. The transmissions are unencrypted and insecure.
Extensible Authentication Protocol (EAP)
    EAP is the most secure of all authentication mechanisms. It enables the use of a variety of encryption methods for remote access, VPN, and wired and wireless LANs. It supports the use of smart cards for secure authentication.
Shiva Password Authentication Protocol (SPAP)
    SPAP is used for authentication to Shiva Remote Access Servers. This protocol is more secure than PAP but not as secure as CHAP, MS-CHAP, or EAP.

Remote Authentication Dial-in User Service (RADIUS)

RADIUS is used to provide centralized authentication for remote users connecting to the internal network of an organization through simple dial-up, VPN, or wireless connections. When a remote user needs access to the internal resources of an organization, he must provide his credentials to the Network Access Server (NAS). The NAS, in turn, sends the user's credentials to the RADIUS server for authentication. If the RADIUS server authenticates the user, the connection request is accepted; otherwise, it is refused.

A RADIUS server can either work as a standalone server to authenticate all connection requests coming from outside users, or it can be a part of a distributed RADIUS setup. Larger organizations deploy multiple RADIUS servers to distribute the authentication load among them. RADIUS servers support several popular protocols such as PAP, PPP, CHAP, and EAP. When a remote or wireless user sends a connection request, the RADIUS authentication process takes place as follows:

1. When the user attempts to connect to the RAS server, he is asked to supply his credentials, which in most cases are the username and password.
2. The RAS server encrypts the credentials of the user and forwards the request to the RADIUS server.
3. The RADIUS server makes an attempt to verify the user's credentials against a database.
4. If the user's credentials match those stored in the centralized database, the server responds with an access-accept message. If the user's credentials do not match the stored credentials, the server sends an access-reject message.
5. The RAS server acts upon receipt of the access-accept or access-reject message and grants or denies a connection to the remote user accordingly.
6. If the connection is granted, the RADIUS server may also be configured to automatically assign an IP address to the remote client.

Kerberos

Kerberos is a cross-platform authentication protocol used for mutual authentication of users and services in a secure manner. Kerberos v5 is the current version of this protocol. The protocol ensures the integrity of data as it is transmitted over the network. It is widely used in all other major operating systems, such as Unix and Cisco IOS. The authentication process is the same in all operating system environments. The Kerberos protocol is built upon Symmetric Key Cryptography and requires a trusted third party. Kerberos relies on a Key Distribution Center (KDC)—which is usually a network server—to issue secure encrypted keys and tokens (tickets) that authenticate a user or a service. The tickets carry a timestamp and expire as soon as the user or the service logs off. The following steps are carried out to complete the authentication process:

1. The client presents its credentials to the KDC for authentication by means of username and password, smart card, or biometrics.
2. The KDC issues a Ticket Granting Ticket (TGT) to the client. The TGT is associated with an access token that remains active for as long as the client is logged on. The TGT is cached locally and is used later if the session remains active.
3. When the client needs to access the resource server, it presents the cached TGT to the KDC. The KDC grants a session ticket to the client.
4. The client presents the session ticket to the resource server, and the client is granted access to the resources on the resource server.

The TGT remains active for the entire active session. Kerberos is heavily dependent on synchronization of clocks on the clients and servers. Session tickets granted by the KDC to the client must be presented to the server within the established time limits; otherwise, they may be discarded.

Network Implementation

This section of the Study Guide focuses on the implementation of the network. Implementing a network is certainly not the job of a single network technician or administrator. It involves several steps that start with planning. Making a good network implementation plan requires that the responsible team of administrators considers all aspects of implementation, such as the organization's requirements, choice of network operating system, application support, security issues, and disaster recovery plans.

[...]

... business continuity plan should be in place. Do not wait for a real disaster to occur.

Data backup

Data backup is one of the fundamental elements of a disaster recovery plan. Backed-up data is copied to another media such as magnetic tapes or compact disks (CDs or DVDs), which are safely and securely stored at an offsite location. The administrators must decide what data to back up and at what frequency, depending ...
... using adapter teaming to provide link redundancy:

Adapter fault tolerance
    This solution requires two network adapters. One of the adapters is configured as primary and the other as secondary. In case the primary adapter fails, the secondary adapter takes over.
Adapter load balancing
    This solution not only provides fault tolerance but also improved performance. So long as both adapters are working, they share ...

... also does not cause any delays in transmissions. There are certain limitations also. The firewall can inspect the header of the packet but does not read the contents of the packet. Another drawback is that if a certain application opens a port dynamically and does not close it, the open port remains as a security risk to the network.

Application layer firewalls

Application layer firewalls work at the Application ...

... delete all data and other files from his system as soon as he leaves the company. The action may trigger as soon as the administrator deletes or disables the programmer's account from the network. Another programmer may write code that waits for a specific date such as April 1st (April Fools' Day) to trigger it.

Fault Tolerance and Disaster Recovery

Disk fault tolerance

Hard disks are the main storage ...

... protecting the tapes from physical damage and theft of the stored data. Aside from this, procedures and guidelines must be in place to describe how the data can be restored with minimal delays. Large organizations usually have dedicated backup operators who are proficient in backup and restoration functions. Offsite storage is an excellent way to secure tapes. Large organizations can also have alternate sites, ...

... critical network services or is critical to the functioning of the business is equipped with hot spares. In organizations where server downtimes are not acceptable, hot spares are a necessity.

Hot, warm, and cold sites

Alternate sites are critical to all organizations that do not want any delay in restoration of data after a disaster strikes. An alternate site is a temporary facility away from the original ...

... measuring and analyzing the physical and behavioral characteristics of a person. This is done with the help of advanced biometric devices, which can read or measure and analyze fingerprints, scan the eye retina and facial patterns, and/or measure body temperature. Handwriting and voice patterns are also commonly used as biometrics. Biometric authentication provides the highest level of authenticity about ...

... The last full backup tape and all incremental tapes after the full backup are required to completely restore data.

Differential backup

This method backs up all the data that has changed after the last full backup. It does not change the archive bits, and thus does not disturb any scheduled incremental backups. Since it does not use the archive bits, if differential backup is taken more than once after a ...

... stored at a safe and secure offsite location. Offsite storage helps protect critical data stored on tapes in the event of a disaster. If backup tapes are not stored offsite, they are vulnerable to destruction along with other equipment when a disaster strikes. Organizations may store tapes at another location or can engage a third-party professional organization for the purpose. It is important that administrators ...

... Application layer (Layer 7) of the OSI model. They are also known as Application firewalls or Application layer gateways. This technology is more advanced than packet filtering, as it examines the entire packet to allow or deny traffic. Proxy servers use this technology to provide Application-layer filtering to clients. Application-layer packet inspection allows firewalls to examine the entire IP packet and, ...
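The CHAP exchange from the Authentication Protocols section above, simulated end to end as an added example (this is not code from the study guide). It follows the RFC 1994 construction, where the response is MD5 over the identifier, the shared secret and the challenge, so the secret itself never crosses the link; the usernames and secrets are constructed sample values.

```python
import hashlib
import hmac
import secrets

# CHAP over a PPP link (RFC 1994): the Remote Access Server sends a fresh random
# challenge; the peer answers with MD5(identifier || shared secret || challenge).
# Only the challenge and the 16-byte digest cross the link, never the secret.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Compute the CHAP response value for one challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """The Remote Access Server side: issues challenges and checks responses."""

    def __init__(self, user_db: dict):
        self.user_db = user_db        # username -> shared secret (constructed sample)
        self._pending = {}            # identifier -> outstanding challenge
        self._next_id = 0
        self.link_log = []            # everything that crossed the link, in order

    def challenge(self):
        ident = self._next_id & 0xFF
        self._next_id += 1
        chal = secrets.token_bytes(16)     # fresh and unpredictable for every round
        self._pending[ident] = chal
        self.link_log.append(("Challenge", ident, chal))
        return ident, chal

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        self.link_log.append(("Response", ident, response))
        # Single use: once popped, a replayed response has no challenge to match.
        chal = self._pending.pop(ident, None)
        secret = self.user_db.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


class ChapPeer:
    """The dial-in client: knows only its own name and shared secret."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, ident: int, challenge: bytes):
        return self.name, chap_response(ident, self.secret, challenge)


def run_link(server: ChapServer, peer: ChapPeer, rechallenges: int = 2) -> list:
    """Initial authentication followed by the periodic re-challenges CHAP sends
    during the connection; returns one verdict per round."""
    verdicts = []
    for _ in range(1 + rechallenges):
        ident, chal = server.challenge()
        name, resp = peer.respond(ident, chal)
        verdicts.append(server.verify(ident, name, resp))
    return verdicts


def replay_captured_response(server: ChapServer, name: str) -> bool:
    """A response captured from the link and resubmitted against a later
    challenge is rejected, because each response is bound to its own challenge."""
    captured = next(r for kind, _, r in server.link_log if kind == "Response")
    ident, _chal = server.challenge()
    return server.verify(ident, name, captured)


def secret_seen_on_link(server: ChapServer, secret: bytes) -> bool:
    """True if the shared secret ever appeared on the link (it never should)."""
    return any(secret in payload for _kind, _id, payload in server.link_log)


if __name__ == "__main__":
    db = {"alice": b"constructed-secret-for-alice"}               # constructed sample
    srv = ChapServer(db)
    print(run_link(srv, ChapPeer("alice", db["alice"])))          # [True, True, True]
    print(run_link(srv, ChapPeer("alice", b"wrong-secret"), 0))   # [False]
    print(replay_captured_response(srv, "alice"))                 # False
    print(secret_seen_on_link(srv, db["alice"]))                  # False
```

Contrast this with PAP, where the same link log would contain the username and password verbatim.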
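The RADIUS Access-Request/Access-Accept exchange of steps 1 through 6 in the RADIUS section above, as an added example that is not from the study guide: the NAS hides the user's password with the RFC 2865 MD5 construction keyed by the NAS/RADIUS shared secret and the Request Authenticator, and it checks the Response Authenticator before acting on the reply. Usernames, passwords, the shared secret and the 10.0.0.5 pool address are constructed sample values; the Framed-IP-Address attribute carries the assigned address of step 6.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet layout (RFC 2865): Code(1) Identifier(1) Length(2)
# Authenticator(16) Attributes...; each attribute is Type(1) Length(1) Value.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(data: bytes) -> dict:
    """Walk the TLV attribute list, refusing malformed lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side (RFC 2865 section 5.2): pad to 16-byte blocks, then
    c1 = p1 xor MD5(secret|RA), c2 = p2 xor MD5(secret|c1), ..."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: the same chain, driven by the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, b)), c
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """Step 2: the NAS/RAS server forwards the credentials with the password hidden.
    Returns the packet and the Request Authenticator the NAS must remember."""
    authenticator = os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def radius_server_handle(packet: bytes, secret: bytes, user_db: dict, framed_ip: str) -> bytes:
    """Steps 3 and 4: check the credentials against the database and answer with
    Access-Accept (carrying Framed-IP-Address, step 6) or Access-Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    name = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = name in user_db and hmac.compare_digest(user_db[name], password)
    resp_attrs = _attr(FRAMED_IP_ADDRESS, bytes(int(o) for o in framed_ip.split("."))) if ok else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def nas_check_response(response: bytes, request_authenticator: bytes, secret: bytes):
    """Step 5: the NAS acts on the reply only after confirming it was produced by a
    server holding the shared secret and answers this request. Returns None for a
    forged or tampered reply, otherwise (accepted, assigned_ip)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    accepted = header[0] == ACCESS_ACCEPT
    ip = parse_attrs(attrs).get(FRAMED_IP_ADDRESS)
    return accepted, (".".join(str(o) for o in ip) if ip else None)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"                    # constructed sample
    DB = {b"alice": b"correct horse battery"}                # constructed sample
    pkt, ra = build_access_request(7, b"alice", DB[b"alice"], SECRET)
    reply = radius_server_handle(pkt, SECRET, DB, "10.0.0.5")
    print(nas_check_response(reply, ra, SECRET))             # (True, '10.0.0.5')
```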