1.2 Apply and implement secure network administration principles
All server applications such as web servers, news servers, email servers, etc. need to be configured as securely as possible. This can be achieved by the following measures:
Removing all unnecessary services: These are services that are installed but not used. For example, you might have installed TFTP but are not using it. It is better to remove an application or service that is not used, as it may give an attacker an opportunity to abuse the resource.
Removing all unnecessary protocols: These are protocols that are installed but not used. For example, the Novell NetWare protocol may be installed but not needed. It is preferable to remove such a protocol.
Enabling server and application logs: Logs make it possible to review the activity on the server over the past few hours or days. Check them for any unusual activity, such as failed login attempts.
Secure router configuration: Before a router is put on a network, set a username and password for it. The password should be complex and difficult to crack. Check all default settings and change them according to requirements.
Access control lists (ACLs): An ACL resides on a router, firewall or computer and decides who can access the network and who cannot; that is, it permits or denies traffic. It specifies which user or group of users is allowed what level of access to which resource. It makes use of IP addresses and port numbers.
Port security: This deals mainly with switches and restricting which MAC addresses are allowed to access particular physical ports.
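The following is an added example (not from the original notes) that models switch port security in Python: each physical port holds a list of allowed MAC addresses and a maximum count, and an unknown MAC arriving once the limit is reached is a violation that either shuts the port down or just drops the frame. Port names, MAC addresses and mode names are constructed for illustration.

```python
# Added example: a small model of switch port security. Each port keeps the
# MACs it is allowed to see; an extra device on a full port is a violation.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_macs: int = 1
    violation_mode: str = "shutdown"          # "shutdown" or "restrict"
    allowed: set = field(default_factory=set)  # statically configured MACs
    learned: set = field(default_factory=set)  # MACs learned on the port
    enabled: bool = True
    violations: int = 0

    def receive(self, mac: str) -> str:
        """Process a frame from `mac` on this port; return the action taken."""
        mac = mac.lower()
        if not self.enabled:
            return "dropped: port err-disabled"
        if mac in self.allowed or mac in self.learned:
            return "forwarded"
        if len(self.allowed | self.learned) < self.max_macs:
            self.learned.add(mac)              # room left: learn the new device
            return "forwarded: learned"
        # Limit reached and this MAC is unknown: someone plugged in another device
        self.violations += 1
        if self.violation_mode == "shutdown":
            self.enabled = False               # port goes err-disabled
            return "violation: port shut down"
        return "violation: frame dropped"      # restrict mode: drop, keep port up


def demo():
    """One workstation per port; a second device triggers a shutdown."""
    port = SecurePort("Gi0/1", max_macs=1)     # constructed port name
    return [port.receive("00:11:22:33:44:55"),  # first device, learned
            port.receive("00:11:22:33:44:55"),  # same device, forwarded
            port.receive("AA:BB:CC:DD:EE:FF"),  # rogue device -> shutdown
            port.receive("00:11:22:33:44:55")]  # original device now dropped too
```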
802.1X: This is an IEEE standard known as port-based Network Access Control (PNAC). It works at the Data Link Layer and is used when connecting hosts to a LAN or WLAN. It also lets you apply a security control that ties physical ports to end-device MAC addresses and prevents additional devices from being connected to the network.
Flood guards: These can be implemented on some firewalls and other devices. A flood guard tracks network traffic to identify scenarios such as SYN, ping and port floods. By reducing its tolerance, it is possible to reduce the likelihood of a successful DoS attack. If it appears that a resource is being overused, the flood guard comes into the picture.
Loop protection: To avoid loops, many network administrators implement the Spanning Tree Protocol on their switches. Loop protection should be enabled on the switch to prevent the loop that occurs when a person connects both ends of a network cable to the same switch.
Implicit deny: This requires that all access is denied by default and that access permissions are granted to specific resources only when required. An implicit deny clause is implied at the end of each ACL, which means that if the access in question has not been explicitly granted, it is denied.
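As an added example (not part of the original notes), the following Python sketch shows the counting logic behind a SYN flood guard: bare SYN packets are counted per source over a sliding window, and a source that exceeds the tolerance is reported, which is the point at which a real device would begin dropping or rate-limiting. The traffic, addresses and threshold are constructed.

```python
# Added example: per-source SYN counting over a sliding time window.
from collections import defaultdict, deque


class SynFloodGuard:
    def __init__(self, window_seconds=1.0, max_syn_per_window=100):
        self.window = window_seconds
        self.limit = max_syn_per_window          # lower value = stricter guard
        self.history = defaultdict(deque)        # src -> timestamps of recent SYNs

    def observe(self, ts, src, flags):
        """Feed one packet; return True if this SYN pushes `src` over the limit."""
        if "S" not in flags or "A" in flags:     # count bare SYNs only, not SYN/ACK
            return False
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:     # forget SYNs outside the window
            q.popleft()
        return len(q) > self.limit


def demo():
    """Constructed traffic: one source bursts 8 SYNs in 0.7 s, another sends 3 spread out."""
    guard = SynFloodGuard(window_seconds=1.0, max_syn_per_window=5)
    packets = [(0.1 * i, "203.0.113.9", "S") for i in range(8)]
    packets += [(0.5, "10.0.5.12", "S"), (2.0, "10.0.5.12", "S"), (3.5, "10.0.5.12", "S")]
    packets.sort()                               # process in time order
    return {src for ts, src, fl in packets if guard.observe(ts, src, fl)}
```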
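The ACL and implicit deny items above are illustrated by the following added example (not from the original notes): an ACL is evaluated top-down on source and destination IP, protocol and destination port, the first matching rule wins, and a flow that matches nothing falls through to the implicit deny. The rules, networks and flows are constructed.

```python
# Added example: first-match ACL evaluation with the implicit deny at the end.
from ipaddress import ip_address, ip_network

# Each rule: (action, source network, destination network, protocol, dest port or None=any)
ACL = [
    ("permit", "10.0.0.0/8",  "192.168.1.10/32", "tcp", 443),
    ("permit", "10.0.5.0/24", "192.168.1.20/32", "tcp", 22),
    ("deny",   "10.0.5.0/24", "192.168.1.0/24",  "any", None),
    ("permit", "10.0.0.0/8",  "192.168.1.0/24",  "udp", 53),
    # No "permit any any": anything not matched above hits the implicit deny.
]


def evaluate(acl, src, dst, proto, dport):
    """Return (action, matched rule index); index -1 means the implicit deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for i, (action, s_net, d_net, r_proto, r_port) in enumerate(acl):
        if src_ip not in ip_network(s_net):
            continue
        if dst_ip not in ip_network(d_net):
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, i              # first match wins; later rules are never seen
    return "deny", -1                 # the implicit deny clause at the end of every ACL


def check(acl, flows):
    """Evaluate a list of (src, dst, proto, dport) flows against `acl`."""
    return [evaluate(acl, *flow) for flow in flows]
```

Note that the third flow in the test is denied by rule 2 even though rule 3 would permit it, and the last two are denied without matching any rule at all.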
Log analysis: Log analysis is used to determine what happened at a specific time on a particular system.
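To tie the logging and log analysis items together, here is an added example (not from the original notes) that scans constructed auth-log lines in the style of Linux sshd syslog output, collects failed login attempts per source address, and flags sources with repeated failures. The host names, addresses and usernames in the sample log are made up.

```python
# Added example: pull failed login attempts out of auth-log lines and group by source.
import re
from collections import defaultdict

# Constructed sample log lines (sshd syslog format); not real data.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:09 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:02:41 web1 sshd[2140]: Accepted publickey for deploy from 10.0.5.12 port 40122 ssh2
Mar  3 10:03:10 web1 sshd[2155]: Failed password for deploy from 10.0.5.12 port 40130 ssh2
Mar  3 10:03:12 web1 sshd[2155]: Accepted password for deploy from 10.0.5.12 port 40130 ssh2
"""

# Groups: timestamp, username, source address
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)


def failed_logins(text):
    """Return {source IP: [(timestamp, username), ...]} for every failed login."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts, user, src = m.groups()
            hits[src].append((ts, user))
    return dict(hits)


def suspicious_sources(text, threshold=3):
    """Sources with at least `threshold` failures, most failures first."""
    hits = failed_logins(text)
    return sorted((src for src, v in hits.items() if len(v) >= threshold),
                  key=lambda s: -len(hits[s]))
```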
1.3 Distinguish and differentiate network design elements and compounds
DMZ (Demilitarized Zone): This is a network segment separate from the LAN where servers reside that can be reached by users on the Internet. If a company intends to host its own servers to be accessed from the public Internet, a DMZ is the preferred solution. The network segment within the DMZ is secured by two firewalls, one facing the public Internet and the other facing the internal corporate network. Thus, a DMZ provides an additional layer of security for the internal corporate network. The types of servers hosted in a DMZ may include web servers, email servers, file servers, DNS servers, etc.
Subnetting: IP address space can be divided to logically create sub-networks. Each subnet is a distinct portion of a single network. Advantages include efficient use of IP address space, reduced collisions and traffic, and increased security.
VLAN: Just like subnetting, a VLAN is used to logically segment a network or part of a network. Advantages include better organization of the network, fewer collisions, and increased performance and security. It does not require any change in the physical location of workstations: users in different corners of the network, such as different floors of a building or even different buildings, can belong to the same VLAN because the segmentation is purely logical.
NAT (Network Address Translation): This is primarily used to hide an internal network from an external network such as the Internet. NAT translates internal IP addresses to external IP addresses and vice versa. This ensures that external users do not see the internal IP addresses, and hence the hosts.
Telephony: This is the collection of methods by which telephone services are provided to an organization, or the mechanism by which an organization uses telephone services for voice and/or data communications. Traditionally it included POTS or PSTN services with modems, but it has now expanded to PBX, VoIP and VPN.
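The subnetting item is worked through in the following added example (not from the original notes), which uses Python's standard ipaddress module to carve a /24 into four /26 subnets, list each one's network, usable host range and broadcast address, and test whether two addresses share a subnet. The address block is constructed.

```python
# Added example: carving a block into subnets and checking subnet membership.
from ipaddress import ip_network


def carve(block, new_prefix):
    """Split `block` into subnets of length `new_prefix`; return one summary row each."""
    rows = []
    for net in ip_network(block).subnets(new_prefix=new_prefix):
        hosts = list(net.hosts())        # excludes network and broadcast for /30 and shorter
        rows.append({
            "network": str(net),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
            "usable": len(hosts),        # 2**(32 - prefix) - 2 for a /30 or shorter
        })
    return rows


def same_subnet(a, b, prefix):
    """True if addresses a and b fall in the same /prefix subnet (traffic stays local)."""
    return (ip_network(f"{a}/{prefix}", strict=False)
            == ip_network(f"{b}/{prefix}", strict=False))
```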
NAC (Network Access Control): NAC provides network security by setting the rules by which connections to a network are governed. Computers attempting to connect to a network are denied access unless they comply with rules covering the level of antivirus protection, system updates, and so on, effectively weeding out those that would perpetrate malicious attacks. The client computer continues to be denied until it has been properly updated, which in some cases the NAC solution can take care of automatically. This often requires some kind of preinstalled software (an agent) on the client computer; alternatively, the computer is scanned remotely by the NAC solution.
Virtualization: A workstation can have multiple operating systems installed but can normally run only one at a time. With virtualization software, the same workstation can run Windows Server alongside Windows 7, Linux or any other operating system simultaneously. This lets a developer test code in various environments at the same time and move code from one operating system to another with a simple copy and paste. Each virtual desktop will typically need full network access, and configuring permissions for each virtual desktop can be tricky for an administrator. Remote administration often uses a virtual desktop to work on a workstation without the knowledge of the user sitting at it.
Cloud computing: This is used to offer on-demand services that increase the capabilities of a person's computer or an organization's network. Some cloud computing services are free, such as email services, and some are paid, such as data storage.
Cloud computing services are generally broken down into three categories of services:
Software as a Service (SaaS): When users access applications over the Internet that are provided by a third party, that is SaaS. There is no need to install the application on the local computer; mostly these services run within a web browser. Example: webmail.
Infrastructure as a Service (IaaS): A service that offers computer networking, storage, load balancing, routing, and VM hosting. More and more organizations are seeing the benefits of offloading some of their networking infrastructure to the cloud.
Platform as a Service (PaaS): This service provides software solutions to organizations, such as application development in a virtual environment, without the cost or administration of a physical platform. Its main use is for easy-to-configure operating systems and on-demand computing.
Copyright © Anand Software and Training Private Limited.