NET 102 - Networking Essentials II
Chapter 11, Wide Area Networks; Chapter 12, Network
Policies and Procedures
This lesson discusses other features of networks, and
features of wireless networks. Objectives important to this lesson:
- WAN concepts
- WAN connections
- Internet Connectivity
- Remote access
- WAN troubleshooting
- Network design, documentation, and policies
- Risk management
- Security policies and assessments
Chapter 11, Wide Area Networks
Area Networks are needed to connect LANs that are separated by long
distances to each other.
of making phone call: the caller may own the wiring of a site, the instrument being used, and connectivity devices at that site, but
they will not own anything past their own
site. The person making a call is "leasing" the use of
the infrastructure of one or more companies for that connection.
Someone who leases the use of equipment like this can be called a subscriber.
(If you have an account with a cable TV service, for example, you are a subscriber on their network.)
material presents a list of WAN terms that may appear on a
- CPE - Customer Premises
Equipment is owned by a service subscriber.
For instance, I own my cable modem, so it is a CPE device. For someone
who leases a cable modem from their
service provider, it would not be a CPE device.
- Demarcation point - This is sometimes called
the point of
demarcation, or just the demarc.
It is the boundary between what the subscriber owns, and what the
service provider owns.
The telephone demarc at my home is a box mounted on an outside wall. I
own the wiring from there into my home, and all the devices inside my
home. The point is responsibility:
who pays for fixing something that breaks or fails. As the text
explains, a network demarc is the box at which the service provider's
- Telco - a telecommunication
service provider. Historically, this role has been filled by telephone
- Local loop - the infrastructure that connects a demarc to
the closest switching point (also called a switching office,
office) of the telco.
- Central Office - can also be called a CO, a switching office,
or a Point of
which has nothing to do with Post Office Protocol).
This is an access
point to the
service provider's network. As noted above, a subscriber connects to
the central office through a local loop.
- Toll network - a trunk line inside the service
provider's network. Remember that a trunk line carries traffic from
- DCE - Data Communication
Equipment, or Data Channel Equipment, or Data Circuit-terminating
Equipment, generally means devices that provide access to communication
channels, like modems or CSU/DSUs.
Think of this as necessary eqipment to connect to the ISP's data
- DTE - Data Terminal Equipment
generally means computers or terminals. This would typically be CPE equipment.
- ISP - Internet Service
Providers sell or grant access to their networks and the Internet.
general, you should be able to categorize equipment as belonging to the subscriber or to the service provider.
discussion continues with a short list of WAN connection types that begins to drown us in
- Dedicated - also called leased lines,
or point-to-point lines. These are hotline
connections from one subscriber location,through the provider's
network, to another subscriber location. Very costly, due to constant
up time and wide bandwidth.
- Circuit-switched -
Connections must be established for each session, like dialing a phone
call. The text says that, typically, the provider is a phone company,
but phone companies are generally the telecommunications providers in
all cases. Cheaper, but better suited for short ("bursty")
- Packet-switched -
This is like having VPN service on a larger network. The subscriber
gets data transport service over a provider's data network that is
shared by other subscribers. Bandwidth may vary from transmission to
transmission, depending on the number of other users.
of our Cisco books lists
the ones most used on Cisco networks. Of these, Frame Relay, HDLC,
and PPP are
the ones most commonly configured on serial interfaces:
- PSTN - Circuit
switching is used, which means a circuit is established for each new
call and it stays in effect for the length of the call. The local part
of the circuit uses Plain Old Telephone Service (POTS), but the WAN
part typically uses digital signals and fiber optic lines.
- Frame Relay - like X.25, but with less
overhead for correcting line noise. Has dynamic bandwidth allocation
and congestion control (helpful in packet-switched connections),
- ISDN -
Uses existing digital phone lines for data and voice. May used as a
backup connection for sites using Frame Relay or T1 lines.
- HDLC - High-level Data-Link
Control. A data-link protocol, without a header marking for the network
layer protocol being used. Each vendor has its own proprietary version
of HDLC: each version works only with that vendor's equipment.
- PPP - Can be
used regardless of
the make of the equipment being used. This protocol runs on Layer 2,
but it is compatible with several Network layer protocols. Supports
encryption, but the protocols mentioned on Testout (PAP and CHAP) are
not used much any more.
- ATM - Asynchronous Transfer Mode can
be both a LAN and WAN protocol. It maps to the first three layers of
the ISO-OSI model. It is listed in your text as another topology type,
due to its unusual features:
- Uses 53 byte blocks called cells.
- Uses virtual channels.
- Can use most media: fiber optic, STP, or UTP
- Uses Internetworking Units (IWUs) to connect networks
- MPLS - Multiprotocol Label Switching was developed specifically to support TCP/IP connections over WANs; adds a label and other fields after the header in a frame, providing more information
- MPLS label - identifies MPLS traffic
- Cost of Service - rates the importance of the frame
- S - set to 1 if this is the first of several MPLS packets
- Time to Live - limit on the number of hops allowed
- SONET - Synchronous
Optical NETwork (SONET) is a United States version of Synchronous
Digital Hierarchy (SDH) which is a European standard. Both systems use
fiber optic lines for WAN connections. A notable characteristic is the
use of dual, counter rotating fiber optic rings. This method is called FDDI, a form of token ring system.
Rings need not be wired as physical rings.
A star wired ring is the most common type.
Several workstations may be connected to Multistation Access
Units (MSAUs), which act like concentrators. The MSAUs are
connected together by way of special ports called Ring Inand Ring Out. You
connect the Ring In port of one MSAU to the Ring Out port of another
MSAU. This allows you to extend the circle to include more MSAUs and
more workstations as necessary.
FDDI is a fiber optic ring standard. This is an ANSI standard, not an IEEE
standard, but it makes use of the IEEE 802.2 and 802.5 standards. It is
very fast, and has high capacity, making it useful for three main
- Backbones -
connections to other networks that need to be fast and wide
- Computer room networks - fast connections between
- High data rate LANs - connections for users of
data intensive applications like CAD
uses two rings that are counter
rotating. This means that traffic travels clockwise on one ring and counterclockwise on the other, making reconfiguration simple. If a break occurs
between two workstations, the rings cross over at those workstations,
turning the two rings into one, longer loop.
TestOut summarizes several ways to get access to the Internet through
common Internet service providers.
How does a home user connect? Lots of technologies exist, but your choices are limited by your location.
- Dial-up service - once very popular, still available, uses the Public Switched Telephone Network, also called Plain Old Telephone Service; requires the use of a modem (modulator/demodulator) to turn the digital signal of a computer to an analog signal for the PSTN
- The text lists several generations of modem standards by their V.x numbers. They were established by the CCITT, which was mainly French, which explains the various standards ending in bis, which means revised. Know that modems evolved from 300 bps through 14.4 kbps, 28.8 kbps, and 56.6
kbps, where they have topped out. The book has somewhat different
numbers. It depends on whether you call a kilobyte 1000 bytes or 1024
bytes. Both definitions are used by the industry.
- ISDN - After three paragraphs of history, the text tells us that an Integrated Services Digital Network
connection gives you a digital connection to the telephone company's
digital network, eliminating the need for a modem, as such. It uses a
terminal adapter instead, which you can think of as a digital modem or
adapter. ISDN is limited by distance: you can't get it unless your location is within 18,000 feet of a central office that offers it.
- DSL - digital subscriber lines
come in several types: symmetric, asymmetric, and very high bit rate
are listed in the text. Like ISDN, you can't get this option unless you
are within 18,000 feet of a central office that offers this service,
which it will not do unless the telephone cable to your location is up
to the task. A DSL connection requires a phone jack, a DSL modem, and a
patch cable to a NIC in your computer.
- Cable modem - uses a cable modem that looks like a DSL modem, except for the coaxial jack; uses Digital Over Cable Service Interface Specification (DOCSIS) protocol
- Satellite systems - available for the most remote locations, may be one way (download only) or two way service
- Cellular WAN - the text discusses two main types: cellular modems for laptops use Mobile Data Service, typically through a cellular provider; WiMAX is also called 802.16, and is a long range wireless service (3 to 30 miles) made available in communities
- the text is referring to fiber connecttions from telephone companies,
as opposed to cable system fiber, both of which are available in some
- BPL - Broadband over Power Line is a newer technology that has not performed as well as the established methods
The text moves on, in this chapter that seems like it will never end, to remote access, which is not the same thing as just using the Internet. Remote access means accessing your organization's assets
from a remote location, The methods discussed vary by their cost, their
bandwidth, and their level of security. The author's list also varies
in purpose from line to line:
- Dial-up to an ISP
- this a about creating a dial-up connecction to an Internet Service
Provider, which requires a modem, and does not by itself grant access
to your company's network
- Private dial-up - still using a modem, making a connection through the PSTN to some kind of server that provides gateway access to the network you are seeking; the text mentions Microsoft's Remote Access Server (RAS) as an example of a product that will allow a server to provide access through a modem connection
- Virtual Private Network - the text spends little time on this item which is a more valid way to get a secure connection; using VPN software, you get an encrypted connection to your desired network, which might be done by any of the methods above, or by using a broadband connection to access the Internet, and then your network gateway
- Dedicated connection
- this method is always on, typically thhrough a leased line from a data
carrier (probably a cable or telephone company), which may be a T1 or
any other grade of connection we have discussed; the author includes
cable and DSL connections in this discussion
- Remote terminal - a remote terminal program lets you run a session on a remote system as though your computer were on that system; this does not belong on the list because this is a way to do something but not a way to connect to the distant network: it relies on a dial-up, Internet, or dedicated line to function
- Voice over IP (VoIP) - does not belong on this list, but the author covers three protocols that are commonly used for VoIP: Real-time Transport Protocol (RTP) defines VoIP packets, Session Initiation Protocol (SIP), and H.323 provide session set up and packet delivery services.
Another section in TestOut discusses making a secure connection. Know the definitions of these words. A user who has presented proper credentials to a system and been identified as a known person is a user who has been authenticated. Note that authenticated and authorized are two different things. This leads to the next set of bullet points:
- Authentication - the process by which users prove their identities to a system
- Authorization - The process of granting or denying permissions to authenticated users.
- Acccounting - The process by which a system maintains records of the actions of users.
The material also discusses methods to control remote connections to a network. Management of large numbers of switches and routers may be easier with Terminal Access Controller Access Control System (TACACS),
which has a horrible name, but it provides a central database of user
IDs and passwords. This is also a security risk, so it must be
protected. It also provides the ability to require that specific
commands to the devices can only be performed by specific IDs. Another
text also recommends that if we must use SNMP, use SNMPv3 instead, because it supports authentication requirements.
RADIUS servers are also discussed. This note is taken from my Wireless Networking class:
The text explains the use of a RADIUS server. The acronym stands for Remote Authentication Dial In User Service.
It was invented in 1992 for remote users dialing in across plain
telephone service. It is now used across the Internet, as well as in
internal wireless access to a local WLAN, so Remote and Dial In are not always accurate regarding the present use. To use RADIUS, a client for it must be installed on the AP involved in the process. The connection steps shown below assume a wireless client is making a connection:
- The wireless device in a RADIUS scenario is called a supplicant. It makes a request to connect to an AP (Access Point).
- The AP requests a user ID and password from the supplicant. The AP is called the authenticator.
- The supplicant provides its information, and the AP creates an authentication request, which it sends to the RADIUS server. The request contains information to identify the AP, as well as the supplicant's provided user name and password, which are encrypted.
- The RADIUS server verifies that the AP sending the request is an approved AP. If it is, then the data from the supplicant is decrypted.
- The RADIUS server passes the user name and password to an appropriate database, such as Active Directory, for authentication.
- If the user information is correct, the RADIUS server sends an authentication acknowledgment to the AP, along with information about approved services. If the user information is not correct, the RADIUS server sends an authentication reject message to the AP.
- If tracking is enabled, an accounting database is updated in either case.
- The AP receives the message from the RADIUS server and proceeds to allow or deny access to the WLAN.
between the supplicant and the authenticator must be secure, so they
are required to be compliant with a guideline called the Extensible Authentication Protocol (EAP). This is not a protocol. It is a guideline that may be met by several different protocols.
Review the WAN troubleshooting material in TestOut and note its use of common system commands to use on Cisco routers.
Chapter 12, Network Policies and Procedures
Chapter 12 addresses concepts that are explored further in
other courses. It begins with an exploration of the needs a new network
might be designed to meet. Think about what the network must do, what
physical topologies make sense for this network, and what logical
topologies will provide rapid service and protection. Review this lesson from the NET 226 class on this subject.
Policies are not documents. They are rules about what is allowed to happen on a network. Consider this list of definitions from a lesson in ITS 305:
- Policies - rules about the conduct of our organization with regard
to particular actions (we will limit ourselves to particular models
chosen by the IT department); how we will approach the expectation
- a method or process that may be proceddural or technical (orders are
to be placed by approved requesters within each work area); what steps
are to be followed to assure general compliance with policy
- Baselines -
standards from which other standards are developed; we might have a
baseline standard that all PCs will come from one vendor contract with
a minimum feature set, and specific standards for advanced models for
IT system developers
- Procedure - a detailed set of steps to
follow to be in compliance (requests are to be made to your manager,
who will forward approved requests to your authorized requester);
variations or limitations that apply to specific work areas, to be
followed if they apply to your area
- Guidelines - a suggested
addition to any of the items above that is recommended but optional
(submit your requests two weeks before the end of a quarter to allow
processing time); do this to make it work better
- Taxonomy -
a set of definitions of how terms are used in our organization; this
can also mean naming standards for objects in our organization, used in
Active Directory or a management program; naming systems can be based
on location, use, categorization, department or division ownership, or
other concepts important to your organization
The author for that course
goes on to talk about growing a library of these documents being like
growing a tree. Like a tree, the parts of your business need to grow, to reach maturity, to produce fruit or nuts or seeds, and to be cut away to
make room for new growth when they are no use any longer. The pieces of
your policy framework should be expected to do the same. We need new
rules about new products, new problems, and new changes to the environment.
TestOut also discusses management of assets. It begins with
considerations about obtaining, using, and retiring assets for a
network, but it also discusses asset management in the context of risk management.
Let's consider some vocabulary:
- Asset - information, property, people or anything else that we care about
- Threat - a potential form of loss or damage; many threats are only potential threats, but we plan for them because they might happen
- Threat agent - a vector for the threat, a way for the threat to occur; could be a person, an event, or a program running an attack
- Vulnerability - a weak spot where an attack is more likely to succeed
- Exploit - a method of attack
- Probability of occurrence - the odds that a particular threat will exploit a particular vulnerability successfully
- Impact - the kind (e.g. money, productivity, customer confidence) and scale (usually expressed in dollars) of loss that an occurrence would have on an organization; a high score here means we should concentrate some of our limited budget on a particular asset
- Risk -
The text for Tactical Perimeter Defense defines this twice, the first
time using words it defines later in its list. It is easier to
understand the long definition after you look at the items above this
one. It says risk is the probability that a particular threat will exploit a vulnerability causing harm to an organization.
The second version says that we can quantify risk by saying it is the probability of an occurrence multiplied by the impact of that occurrence. Isn't it nice to be able to do math?
- Control - A process that we put in place to reduce the impact and/or probability of a risk.
The effects and the causes of risk are concern for everyone in an organization. The systems, the users, the policies, and the threat agents all affect whether there will be a successful attack on our organization.
The following material is selected from my notes for the text mentioned above:
text returns to the concept of risk assessment on page 26. It poses a
good question that has more than one answer. How shall we count the valueof an asset? This is easier to answer once we choose between two points of view:
- Quantitative Risk Assessment -
Every asset must be given a currency value of some sort that can be
used in the measure of its impact on the organization. Several methods
of assigning this value are discussed.
- Replacement cost
- What would it cost us to replace this asset if it were compromised or
destroyed in an attack? If a partial loss is possible, what would be
the value of each part of it?
- Purchase cost - What did the asset cost to acquire it or develop it?
- Depreciated cost - If the asset loses value over time, at what rate is it lost, and what is it worth now?
- Qualitative Risk Assessment -
In this method, every asset is given a relative value, not a currency
value, which means that each must be measured against the others in
terms of its worth to the organization
text continues with a discussion that leads to a complicated
calculation. You need to pay attention to each step. The text presents
the concepts in a different order than I have seen before. I think this
one is clearer:
- Asset Value (AV):
the value that an asset has for the next several calculations; this
value may be different depending on the context of its use
- Exposure Factor (EF): the percentage of the value that would be lost in a single successful attack/exploit/loss; this accommodates the idea that an entire asset is not always lost to an attack
- Single Loss Expectancy (SLE): this is a number that can be obtained by multiplying AV times EF.
SLE = AV * EF
- Frequency of Occurrence: this number tells you how many attacks to expect in some time period; this is ambiguous if we are not told whether this is the rate for all such attacks, or the rate for all such successful attacks
We generally assume that the number given is the rate at which successful attacks occur.
- Annualized Rate of Occurrence (ARO):
often, known frequency of occurrence may be expressed in days or hours,
but the executive you report to may want the numbers expressed in years.
This is understandable if, for example, we are talking about
establishing a yearly budget for IT Security. Reporting is often done
based on calendar or fiscal years, which is another argument for making
- Annualized Loss Expectancy (ALE):
the final number stands for the currency value of our expected loss for
a given asset in one year; provided you have calculated the numbers so
far, ALE equals SLE times ARO.
ALE = SLE * ARO
Risk Management Strategies
The text lists four major strategies for managing risk in your environment. Here are five:
- defense (avoidance) -
make every effort to avoid your vulnerabilities being exploited; make
the attack less possible, make the threat less likely to occur; avoid
risk by avoiding the activity associated with the risk, and by
providing an active defense against it
- transferal (transference) - in general, letting someone else worry about it
In the ITIL model, this is included in the definition of a service:
service is a means of delivering value to customers by facilitating
outcomes customers want to achieve without the ownership of specific
costs and risks."
reader might misunderstand this statement, thinking that the customer
does not pay anything. That is not the case. An IT service provider
would assume the costs and risks of an operation in return for the customer's payment for the service. This can be done in-house or by outsourcing.
- mitigation (mitigation) - this method seeks to reduce the effects of
an attack, to minimize and contain the damage that an attack can do;
Incident Response plans, Business Continuity plans, and Disaster
Recovery plans are all part of a mitigation plan
- acceptance (acceptance) -
this counterintuitive idea makes sense if the cost of an incident is
minimal, and the cost of each of the other methods is too high to
accept; the basic idea here is that it costs less just to let it happen
in some cases, and to clean up afterward
- termination (not listed
in the text) - instead of accepting the risk of leaving the asset open
to attack, the owner may choose to remove the asset from the
environment that holds the risk of attack; it is arguable that any
environment can be totally safe, but it may be possible to move the
asset to an environment that presents different, lesser risks; if this
is not possible, the owner may choose to stop offering a service, stop
presenting data to the public, or otherwise stop exposing such an asset
This is another set of notes from the same course:
- Business Impact Analysis - The green highlight
on this bullet is to show that this step should be done when times are
good and we can examine our systems performing normally.
can plan for what to do, you have to figure out what is normal for your
business, what can go wrong, and what can be done to minimize the
impact of incidents and problems/disasters (see the bullets below).
- What are the business's critical functions? Can we construct a prioritized list of them?
- What are the resources (IT and other types as well) that support those functions?
- What would be the effect of a successful attack on each resource?
- What controls should be put in place to minimize the effects of an incident or disaster? (Controls are proactive measures to prevent or minimize threat exposure.)
- Incident Response Planning - The red highlight
on this bullet is to acknowledge that the plans made in this step are
used when there is an emergency for one or more users. (Shields up, red
alert? Why were the shields down?)
The text is consistent with the ITIL guidelines that call a single occurrence of a negative event an incident. An incident response plan is aprocedure that would be followed when a single instance is called in, found, or detected.
example, a user calls a help desk to report a failure of a monitor that
is under warranty. (Note that this is an example of an IT incident, not an
IT security incident. What further details might make this part of a
security incident?) There should be a common plan to follow to repair
or replace the monitor. Incident Response Plans (Procedures) may be
used on a daily basis.
- Business Continuity Planning - The orange highlight is meant to indicate that these plans are not concerned with fighting the fire, but with conducting business while the fire is being put out.
Business continuity means keeping the business running, typically while the
effects of a disaster are still being felt. If we have no power, we run
generators. If we cannot run generators (or our generators fail), we go
where there is power and we set up an alternate business site. Or, if
the scope of the event is small (one or two users out of many) maybe we
pursue incident management for those users and business continuity is
not a problem.
- Disaster Recovery Planning - The yellow highlight here is to indicate that the crisis should be over and we are cleaning up the crime scene with these plans.
A disaster requires widespread effects
that must be overcome. A disaster might be most easily understood if
you think of a hurricane, consequent loss of power, flooding that
follows, and the rotting of the workplace along with the ruined
computers and associated equipment.
A disaster plan is what we do to restore the business to operational status after the
disaster is over. There may be specific plans to follow for disasters
under the two bullets above, but the disaster recovery plan is used
after the crisis, unless this term is applied differently in your working environment.
- By the way, in ITIL terms, a series of incidents may lead us to discover what ITIL calls a problem, something that is inherently wrong in a system that might affect all its users. When a problem knocks out a critical service, we have a disaster. The organization you work for may use all three terms, or any two of them to mean different scopes of
trouble. You need to know the vocabulary to use in the setting where
you work, and you need to call events by the names they use.
The text also mentions analysis of the incident and our response. Analysis of the incident should begin during the incident, to lead us to a good solution. Analysis after the incident can examine what actually happened, whether the steps we took were effective, and what we should recommendor require to avoid such an event in the future.
TestOut continues its discussion of security concerns:
- Acceptable use policy
- This policy must contain specific exammples of general principles,
such as only using company assets for company business, not breaking any laws or company rules, and not exposing company data to corruption or theft.
- E-mail policy - This one must tell users what is acceptable and unacceptable regarding e-mail, such as no spam, no chain e-mail, and limits to allowed personal use of e-mail.
- System access policy - This policy is about how and when users
may access the organization's systems. User ID and password rules
belong here, as well as authentication procedures for particular
- Physical security and clean desk policy - Many organizations handle data they consider to be sensitive, so there will be rules about access to doors, rooms, and data processing locations. This is physical security. A clean desk policy states that company data should never be exposed by being left open on a desk. This includes hard copy files and computer access, which leads to a policy about locking a computer before you walk away from your desk.
- Corporate mobility policy - Mobile device policies include wireless access methods and rules about use inside and outside the corporate buildings. It may also include rules about the acceptable and unacceptable use of personal devices accessing corporate data or e-mail. As the text mentions, there is a trend toward allowing this through a policy.
- Social networking policy
- Social networks were not meant for thee display of company data when
they were created. People have done enough of that kind of posting that
some organizations prefer to have their own pages on social network
sites, managed by an office of information, and to have policies that
forbid employees to post any data about company operations or staff.
This is reasonable, given that such sites are commonly used by hackers
when they are looking for background information before an attack
TestOut also discussses security measures that should be used
when granting new permissions to staff when they are new hires, and
removing permissions from staff when they leave our organization.
The last topic in this chapter covers looking for
vulnerabilities that might be exploited in our organization. Make note
of the common technical items to examine, such as unprotected ports and
devices, as well as the exploits that use social engineering. This
one is an entire subject in itself. They may be the nicest or meanest
thieves you will ever meet. These are some techniques used by talented
- authority - pretend to be someone who has the right to make the request
- intimidation - in an oppressive environment, it may be easy to use fear of what would happen if the request is not granted
- consensus/social proof - tell a believable lie that others have granted this request in the past
- scarcity - tell the victim that you are short on time, or you have to get this before it can't be done
- urgency - tell the victim that you need this right now, and that you will complete the red tape later
- familiarity/liking - act like one of the family, especially one who appreciate the work the victim does for the company
- trust - use details about the organization to make it seem like you are a part of it