
Wednesday, 13 November 2019

Types of WAN Technologies

This post describes the different types of WAN technologies, such as leased lines, dial-up, ISDN, Frame Relay, ATM, WAN Ethernet, MPLS and VSAT. There are two main types of WAN technologies:

  1. Private WAN technologies
    • Leased lines
    • Dial-up
    • ISDN
    • Frame Relay
    • ATM
    • WAN Ethernet
    • MPLS
    • VSAT
  2. Public WAN Technologies
    • DSL
    • Cable WAN
    • Wireless WAN
    • 3G / 4G mobile data
    • VPN technology

Private WAN Technologies

The following are the main types of private WAN technologies:

LEASED LINES

When permanent dedicated connections are required, a point-to-point link is used to provide a pre-established WAN communications path from the customer's premises to the provider's network. Usually, a service provider leases the point-to-point lines, which are called "leased lines."

Leased lines have existed since the early 1950s and, for this reason, they are known by different names such as leased circuit, serial link, serial line, point-to-point link and T1/E1 or T3/E3 line.
The term "leased line" refers to the fact that the organization pays a monthly lease fee to a service provider to use the line. Leased lines are available with different capacities and, generally, the price is based on the bandwidth required and the distance between the two connected points.
In North America, service providers use the T-carrier system to define the digital transmission capacity of a serial copper link, while in Europe the E-carrier system is used, as shown in the illustration. For example, a T1 link supports 1.544 Mb/s, an E1 supports 2.048 Mb/s, a T3 supports 43.7 Mb/s and an E3 connection supports 34.368 Mb/s. To define the digital transmission capacity of a fiber optic network, the optical carrier (OC) transmission rates are used.

ADVANTAGES OF LEASED LINES

The advantages of leased lines include the following:

  • Simplicity: point-to-point communication links require minimal installation and maintenance knowledge.
  • Quality: point-to-point communication links generally offer high quality of service if they have adequate bandwidth. Dedicated capacity removes latency and jitter between endpoints.
  • Availability: constant availability is essential for some applications, such as electronic commerce. Point-to-point communication links provide the permanent dedicated capacity that is needed for VoIP or for video over IP.

DISADVANTAGES OF LEASED LINES

Disadvantages of leased lines include the following:

  • Cost: In general, point-to-point links are the most expensive type of WAN access. When used to connect multiple sites over increasing distances, the cost of leased-line solutions can be significant. In addition, each endpoint requires an interface on the router, which increases equipment costs.
  • Limited flexibility: WAN traffic is usually variable, and leased lines have a fixed capacity, so the bandwidth of the line rarely matches the need accurately. Generally, any change to the leased line requires that ISP staff visit the site to adjust capacity.

Generally, the Layer 2 protocol used on a leased line is HDLC or PPP.

DIAL-UP

When no other WAN technology is available, dial-up WAN access may be required.
For example, a remote location could use a modem and analog dial-up telephone lines to provide low-capacity, dedicated switched connections. When low-volume data transfers are required intermittently, dial-up access is convenient.
In traditional telephony, a copper wire called the "local loop" connects the telephone handset at the subscriber's premises to the central office (CO). The signal in the local loop during a call is a continuously changing electronic signal, which is a translation of the subscriber's voice into an analog signal.
Traditional local loops can transport binary computer data through the voice telephone network using a modem. The modem modulates the binary data into an analog signal at the source and demodulates the analog signal into binary data at the destination. The physical characteristics of the local loop and its connection to the PSTN limit the signal speed to less than 56 kb/s.
For small businesses, these relatively low-speed dial-up connections are suitable for exchanging sales figures, prices, regular reports and email.
Using automatic dial-up at night or on weekends to transfer large files and back up data takes advantage of lower off-peak (long-distance) charges. The rates depend on the distance between the endpoints, the time of day and the duration of the call.

ADVANTAGES AND DISADVANTAGES OF DIAL-UP

The advantages of modems and analog lines are simplicity, availability and low implementation cost. The disadvantages are low data rates and a relatively long connection time. The dedicated circuit has little delay or jitter for point-to-point traffic, but voice or video traffic does not work properly at these low bit rates.

ISDN

The Integrated Services Digital Network (ISDN) is a circuit-switching technology that enables the local loop of a PSTN to carry digital signals, resulting in higher-capacity switched connections.
ISDN changes the internal connections of the PSTN to transport time-division multiplexed (TDM) digital signals instead of analog signals. TDM allows two or more signals, or bit streams, to be transferred as subchannels in one communication channel. The signals appear to be transferred simultaneously; however, physically, the signals take turns on the channel.
The image shows an example of an ISDN topology. The ISDN connection may require a terminal adapter (TA), which is a device used to connect ISDN Basic Rate Interface (BRI) connections to a router.

ISDN converts the local loop into a TDM digital connection. This change allows the local loop to transport digital signals, which results in higher-capacity switched connections. The connection uses 64 kb/s bearer (B) channels to carry voice and data, and a delta (D) signaling channel for call setup and other purposes.

TYPES OF ISDN INTERFACES

There are two types of ISDN interfaces:

  • Basic Rate Interface (BRI): ISDN BRI is designed for use in homes and small businesses, and provides two 64 kb/s B channels and one 16 kb/s D channel. The BRI D channel is designed for control purposes and is often underused, because it only has to control two B channels. BRI has a call setup time of less than one second, and the 64 kb/s B channel provides greater capacity than an analog modem link. If more capacity is required, a second B channel can be activated to provide a total of 128 kb/s. While it is not suitable for video, it allows several simultaneous voice conversations in addition to data traffic.
  • Primary Rate Interface (PRI): ISDN is also available for larger installations. In North America, PRI provides 23 B channels of 64 kb/s and one D channel of 64 kb/s, for a total bit rate of up to 1.544 Mb/s. This includes some additional overhead for synchronization. In Europe, Australia and other parts of the world, ISDN PRI provides 30 B channels and one D channel for a total bit rate of up to 2.048 Mb/s, which includes the synchronization overhead. With ISDN PRI, several B channels can be connected between two endpoints. This allows video conferencing and high-bandwidth data connections without latency or jitter. However, using several connections over long distances can be very expensive.

FRAME RELAY

Frame Relay is a simple Layer 2 non-broadcast multi-access (NBMA) WAN technology that is used to interconnect a company's LANs.
A single router interface can be used to connect to several sites using permanent virtual circuits (PVCs). PVCs are used to transport voice and data traffic between source and destination and support data rates of up to 4 Mb/s, although some providers offer even higher rates.
Edge routers only require a single interface, even when multiple virtual circuits (VCs) are used. The leased line to the edge of the Frame Relay network allows cost-effective connections between widely dispersed LANs.
Frame Relay creates PVCs that are uniquely identified by a data-link connection identifier (DLCI). PVCs and DLCIs ensure bidirectional communication from one DTE device to another.
For example, in the image, R1 uses DLCI 102 to reach R2, while R2 uses DLCI 201 to reach R1.

ATM (ASYNCHRONOUS TRANSFER MODE)

Asynchronous Transfer Mode (ATM) technology can transfer voice, video and data through private and public networks. It is built on a cell-based architecture, rather than a frame-based architecture. ATM cells always have a fixed length of 53 bytes. The ATM cell contains a 5-byte ATM header, followed by 48 bytes of ATM payload. Small, fixed-length cells are suitable for transporting voice and video traffic, because this type of traffic does not tolerate delay. Voice and video traffic do not have to wait for larger data packets to be transmitted.
The 53-byte ATM cell is less efficient than the larger Frame Relay frames and packets. In addition, the ATM cell has at least 5 bytes of overhead for every 48 bytes of payload.
When the cell transports segmented network layer packets, the overhead is greater, because the ATM switch must be able to reassemble the packets at the destination. A typical ATM line needs almost 20% more bandwidth than Frame Relay to transport the same volume of network layer data.
ATM was designed to be extremely scalable and to support link speeds from T1/E1 to OC-12 (622 Mb/s) and beyond.
ATM offers both PVCs and SVCs, although PVCs are more common in WANs. As with other shared technologies, ATM allows several VCs on a single leased-line connection to the edge of the network.

WAN ETHERNET

Originally, Ethernet was developed as a LAN access technology. At that time it was not really suitable as a WAN access technology, because the maximum allowed cable length was only about one kilometer.
However, newer Ethernet standards using fiber optic cable have made Ethernet a reasonable WAN access option. For example, the IEEE 1000BASE-LX standard supports fiber optic cable lengths of 5 km, while the IEEE 1000BASE-ZX standard supports cable lengths of up to 70 km.
Service providers now offer WAN Ethernet service over fiber optic cabling. The WAN Ethernet service is known by different names, including Metropolitan Ethernet (MetroE), Ethernet over MPLS (EoMPLS) and Virtual Private LAN Service (VPLS).
The benefits of WAN Ethernet include the following:

  • Reduced cost and administration: WAN Ethernet provides a high-bandwidth Layer 2 switched network that is capable of managing data, voice and video on the same infrastructure. This increases bandwidth and eliminates expensive conversions to other WAN technologies. The technology allows companies to connect several sites in a metropolitan area, with each other and to the Internet, economically.
  • Easy integration with existing networks: WAN Ethernet connects easily to existing Ethernet LANs, reducing installation costs and time.
  • Enhanced business productivity: WAN Ethernet allows companies to leverage productivity-enhancing IP applications, such as hosted IP communications, VoIP and video streaming and broadcasting, which are difficult to implement on TDM or Frame Relay networks.

MPLS

Multiprotocol Label Switching (MPLS) is a high-performance multiprotocol WAN technology that directs data from one router to the next according to short path labels, rather than IP network addresses.
MPLS has several defining characteristics. It is multiprotocol, which means it has the ability to transport any payload, including IPv4, IPv6, Ethernet, ATM, DSL and Frame Relay traffic. It uses labels that tell the router what to do with a packet. The labels identify paths between remote routers rather than between endpoints, and while MPLS routes IPv4 and IPv6 packets, everything else is switched.
MPLS is a service provider technology. Leased lines deliver bits between sites, and Frame Relay and WAN Ethernet deliver frames between sites. MPLS, however, can deliver any type of packet between sites.
MPLS can encapsulate packets of various network protocols. It supports a wide variety of WAN technologies, including T- and E-carrier links, Carrier Ethernet, ATM, Frame Relay and DSL.
The example topology in Image 9 shows how MPLS is used. Note that different sites can connect to the MPLS cloud using different access technologies. In the illustration, CE refers to the customer edge, PE is the provider edge router that adds and removes labels, and P is an internal provider router that switches MPLS-labeled packets.

VSAT

All the private WAN technologies analyzed so far use copper or fiber optic media. What happens if an organization needs connectivity in a remote location where no service provider offers a WAN service?
A very small aperture terminal (VSAT) is a solution that creates a private WAN through satellite communications. A VSAT is a small satellite dish similar to those used for home Internet and television. VSATs create a private WAN while providing connectivity to remote locations.
Specifically, a router connects to a satellite dish that points to a service provider's satellite in geosynchronous orbit. The signals must travel around 35,786 km (22,236 mi) to the satellite and back.

In the example in the image, a VSAT antenna on the roof of a building communicates with a satellite thousands of kilometers away in space.

Public WAN Technologies

This section compares the different public WAN technologies: DSL, cable, wireless and 3G/4G mobile data. It also covers securing them with virtual private networks (VPNs).

DSL

DSL is an always-on connection technology that uses existing twisted-pair telephone lines to transport high-bandwidth data and provide IP services to subscribers.
A DSL modem converts the Ethernet signal from the user device into a DSL signal, which is transmitted to the central office.
Several DSL subscriber lines are multiplexed into a single high-capacity link using a DSL access multiplexer (DSLAM) at the provider's location. DSLAMs incorporate TDM technology to aggregate many subscriber lines onto a single medium, usually a T3 (DS3) connection. To achieve fast data rates, current DSL technologies use sophisticated coding and modulation techniques.
There is a wide variety of DSL types, standards and emerging standards. DSL is currently a popular choice for corporate IT departments to support teleworkers.
Generally, a subscriber cannot connect to an enterprise network directly, but must first connect to an ISP; an IP connection to the company is then made over the Internet. This process introduces security risks, which can be addressed with security measures.

CABLE WAN Technology

In urban areas, coaxial cable is widely used to distribute television signals. Many cable television providers offer network access. This allows greater bandwidth than the conventional local telephone loop.
Cable modems provide an always-on connection and a simple installation. A subscriber connects a computer or a LAN router to the cable modem, which translates the digital signals into the broadband frequencies that are used for transmission on a cable television network.
The local cable television office, which is called the "cable headend," contains the computer systems and databases needed to provide Internet access. The most important component located at the headend is the cable modem termination system (CMTS), which sends and receives digital cable modem signals on a cable network and is required to provide Internet services to cable subscribers.
Cable modem subscribers must use the ISP associated with the service provider. All local subscribers share the same cable bandwidth. As more users join the service, the available bandwidth may drop below the expected speed.

WIRELESS WAN

Wireless WAN technology uses unlicensed radio spectrum to send and receive data. Anyone who has a wireless router and wireless technology on their device can access the unlicensed spectrum.
Until recently, a limitation of wireless access was the need to be within the local transmission range (usually less than 100 ft [30 m]) of a wireless router or a wireless modem with a wired Internet connection. The following advances in wireless broadband technology are changing this situation:

  • MUNICIPAL WI-FI

Many cities have begun installing municipal wireless networks. Some of these networks provide high-speed Internet access for free or for a price substantially lower than other broadband services. Others are for city administration use only and allow police, firefighters and other municipal employees to perform certain aspects of their work remotely.
To connect to municipal Wi-Fi, a subscriber usually needs a wireless modem, which provides a more powerful radio and directional antenna than conventional wireless adapters. Most service providers supply the necessary equipment for free or for a fee, much as with DSL or cable modems.

  • WIMAX

Worldwide Interoperability for Microwave Access (WiMAX) is a new technology that has only recently come into use. It is described in the IEEE 802.16 standard.
WiMAX provides high-speed broadband service with wireless access and provides wide coverage like a cellular telephone network, rather than the small areas covered by Wi-Fi.
WiMAX works similarly to Wi-Fi, but at higher speeds, over longer distances and for a greater number of users.

It uses a network of WiMAX towers that are similar to cell phone towers. To access a WiMAX network, subscribers must subscribe to an ISP with a WiMAX tower within 30 mi (48 km) of their location. To access the base station, they also need some type of WiMAX receiver and a special encryption code.

  • SATELLITE INTERNET

Satellite Internet is generally used in rural areas where cable and DSL are not available. A VSAT provides two-way data communications (upload and download).
The upload speed is approximately one tenth of the 500 kb/s download speed. Cable and DSL have higher download speeds, but satellite systems are about ten times faster than an analog modem.
To access satellite Internet services, subscribers need a satellite dish, two modems (uplink and downlink) and coaxial cables between the antenna and the modems.

3G / 4G MOBILE DATA

Increasingly, cellular service is another wireless WAN technology used to connect users and remote locations where no other WAN access technology is available.
Phones, tablets, laptops and even some routers can communicate over the Internet using mobile data technology. These devices use radio waves to communicate through a mobile phone tower. The device has a small radio antenna, and the provider has a much larger antenna at the top of a tower some distance from the phone.

Some common terms of the mobile data industry include the following:

  • 3G/4G wireless: abbreviation for third- and fourth-generation cellular access. These technologies support wireless Internet access.
  • Long-Term Evolution (LTE): refers to a newer and faster technology that is considered part of fourth-generation (4G) technology.

VPN TECHNOLOGY

When a teleworker or a worker in a remote office uses broadband services to access the corporate WAN through the Internet, security risks arise. To address them, broadband services provide the ability to use VPN connections to a VPN server, which is usually located at the corporate site.
A VPN is an encrypted connection between private networks over a public network, such as the Internet. Instead of using a dedicated Layer 2 connection, such as a leased line, a VPN uses virtual connections called "VPN tunnels," which are routed over the Internet from the company's private network to the remote site or the remote employee's host.

VPN BENEFITS

VPN benefits include the following:

  • Cost savings: VPNs allow organizations to use the global Internet to connect remote offices and users to the main corporate site, eliminating the need for dedicated WAN links and expensive modem banks.
  • Security: VPNs provide the maximum level of security through advanced encryption and authentication protocols that protect data from unauthorized access.
  • Scalability: Because VPNs use the Internet infrastructure within ISPs and devices, it is easy to add new users. Companies can greatly increase capacity without adding significant infrastructure.
  • Compatibility with broadband technology: Broadband service providers, such as DSL and cable, support VPN technology, so that mobile workers and remote employees can take advantage of their homes' high-speed Internet service to access corporate networks. High-speed broadband connections for business use can also provide a cost-effective solution for connecting remote offices.

Monday, 4 November 2019

How to do Route Summarization in EIGRP

This article explains how to do route summarization in EIGRP on a Cisco router. Route summarization decreases the number of entries in routing updates and reduces the number of entries in local routing tables. Automatic EIGRP summarization for IPv4 is disabled by default as of Cisco IOS versions 15.0(1)M and 12.2(33). To enable automatic EIGRP summarization, use the auto-summary command in router configuration mode. Use the show ip protocols command to verify the status of automatic summarization. Examine the routing table to verify that automatic summarization works. EIGRP automatically includes summary routes to Null0 to avoid routing loops to destinations that are included in the summary but do not really exist in the routing table.
EIGRP is a versatile routing protocol that can be tuned in many ways. Two of the most important tuning capabilities are route summarization and load balancing. Other capabilities are propagation of a default route, adjustment of timers and authentication between EIGRP neighbors to increase security. This article discusses these additional tuning features and the configuration mode commands used to implement them for IPv4 and IPv6.

EIGRP Auto Summary

Before tuning EIGRP features, start with a basic EIGRP implementation. The image shows the network topology used in this chapter.

The images for R1, R2 and R3 show the IPv4 interface configuration and EIGRP implementation on R1, R2 and R3, respectively.

The types of serial interfaces and their associated bandwidths do not necessarily reflect the most common types of connections found in networks today. The bandwidths of the serial links used in this topology help explain the calculation of the routing protocol metrics and the best-path selection process.
Note that the bandwidth command was used on the serial interfaces to modify the default bandwidth of 1544 kb/s. In this chapter, the ISP router is used as the gateway to the Internet routing domain. The three routers run Cisco IOS version 15.2.

EIGRP AUTOMATIC SUMMARIZATION

One of the most common EIGRP tuning methods is enabling and disabling automatic route summarization. Route summarization allows a router to group networks and advertise them as one large group through a single summarized route. The ability to summarize routes is necessary due to the rapid growth of networks. A border router is a router located at the edge of a network. This router must be able to advertise all the networks known within its routing table to a core router or ISP router. Potentially, this can result in very large routing tables.
Summarization decreases the number of entries in routing updates and reduces the number of entries in local routing tables. It also reduces the bandwidth used for routing updates and speeds up routing table lookups. To limit the number of routing advertisements and the size of the routing tables, routing protocols such as EIGRP use automatic summarization at classful boundaries. This means that EIGRP recognizes the subnets as a single class A, B or C network and creates only one entry in the routing table for the summarized route. As a result, all traffic destined for the subnets travels along that one route.

How EIGRP AUTO Summary Works

The illustration shows an example of how automatic summarization works.

  • Routers R1 and R2 are configured with EIGRP for IPv4 with automatic summarization. R1 has three subnets in its routing table: 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24.
  • In the classful network addressing architecture, all these subnets are considered part of a larger class B network: 172.16.0.0/16.
  • Because EIGRP on router R1 is configured for automatic summarization, when it sends the routing update to R2, it summarizes the three /24 subnets as a single 172.16.0.0/16 network. This reduces the amount of routing updates that are sent and the number of entries in the IPv4 routing table of R2.
  • All traffic destined for the three subnets travels through the one route. R2 does not maintain routes to the individual subnets and no subnet information is learned.

In an enterprise network, the route chosen to reach the summary route may not be the best choice for traffic that is trying to reach an individual subnet. The only way that all routers can find the best routes for each individual subnet is for neighbors to send information about the subnets. In this situation, automatic summarization must be disabled. When automatic summarization is disabled, updates include subnet information.

EIGRP AUTO Summary Configuration

Note: Automatic EIGRP summarization for IPv4 is disabled by default starting with Cisco IOS versions 15.0(1)M and 12.2(33). In the image, the output of the show ip protocols command on R1 indicates that automatic EIGRP summarization is disabled.

This router runs IOS 15.2; therefore, automatic EIGRP summarization is disabled by default. The following image shows the current routing table of R3. Note that the R3 IPv4 routing table contains all networks and subnets within the EIGRP routing domain.

To enable automatic EIGRP summarization, use the auto-summary command in router configuration mode, as shown in Image 8:
R1(config)# router eigrp as-number
R1(config-router)# auto-summary
The no form of this command is used to disable automatic summarization.

Verification Of EIGRP AUTO Summary Configuration

SHOW IP PROTOCOLS COMMAND

In the image (above), note that the EIGRP routing domain has three classful networks:

  • Class B network 172.16.0.0/16, consisting of subnets 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/30.
  • Class C network 192.168.10.0/24, consisting of subnets 192.168.10.4/30 and 192.168.10.8/30.
  • Class C network 192.168.1.0/24, which is not subnetted.

The output of the show ip protocols command on R1, shown in Image 9, shows that automatic summarization is now enabled. The output also indicates which networks are summarized and on which interfaces.
Note that R1 summarizes two networks in EIGRP routing updates:

  • 192.168.10.0/24, sent out the GigabitEthernet 0/0 and Serial 0/0/0 interfaces
  • 172.16.0.0/16, sent out the Serial 0/0/1 interface

R1 has subnets 192.168.10.4/30 and 192.168.10.8/30 in the IPv4 routing table.

NETWORK SUMMARY

As indicated in Image 10, R1 summarizes subnets 192.168.10.4/30 and 192.168.10.8/30 and forwards the summary address 192.168.10.0/24 to neighbors on the Serial 0/0/0 and GigabitEthernet 0/0 interfaces. Because R1 has no EIGRP neighbors on the GigabitEthernet 0/0 interface, only R2 receives the summary routing update.

As indicated in Image 11, R1 also has subnets 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/30 in its IPv4 routing table.
R3 selects R1 as the successor to 172.16.0.0/16, because it has the smaller feasible distance. The S0/0/0 interface of R3 that connects to R1 uses the default bandwidth of 1544 kb/s. The link from R3 to R2 has a higher feasible distance, because the S0/0/1 interface of R3 was configured with a bandwidth of less than 1024 kb/s.
Note that the summary update for 172.16.0.0/16 is not sent out the GigabitEthernet 0/0 or Serial 0/0/0 interfaces of R1. This is because these two interfaces are members of the same class B network, 172.16.0.0/16. R1 sends the unsummarized routing update for 172.16.1.0/24 to R2.
Summary updates are only sent out interfaces that belong to a different classful major network.
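To make the per-interface rule concrete, here is a short Python model of R1's auto-summary decisions. It is an added illustration, not code or output from the post or from Cisco IOS; the interface addresses other than 192.168.10.5 are assumptions chosen to match the topology, and split horizon is ignored so that each interface shows its complete update.

```python
"""Model of EIGRP classful auto-summarization on R1 (added illustration, not
IOS output or Cisco code). Interface addresses other than 192.168.10.5 are
assumptions chosen to match the topology described in the post; split
horizon is deliberately ignored so every interface shows its full update."""
from ipaddress import IPv4Interface, IPv4Network, ip_network


def classful_network(net: IPv4Network) -> IPv4Network:
    """Return the class A, B or C major network that contains `net`."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        prefixlen = 8          # class A
    elif first_octet < 192:
        prefixlen = 16         # class B
    elif first_octet < 224:
        prefixlen = 24         # class C
    else:
        raise ValueError(f"{net} is not a class A, B or C address")
    return IPv4Network((int(net.network_address), prefixlen), strict=False)


def auto_summary_advertisements(routing_table, interfaces):
    """Prefixes each interface advertises with auto-summary enabled.

    A subnet that lies in the same classful major network as the outgoing
    interface is sent as-is; every other subnet collapses to its classful
    network, which is why 172.16.0.0/16 leaves R1 only via Serial0/0/1.
    Returns {interface name: sorted list of prefix strings}.
    """
    result = {}
    for name, ifaddr in interfaces.items():
        local_major = classful_network(ifaddr.network)
        advertised = set()
        for subnet in routing_table:
            major = classful_network(subnet)
            advertised.add(subnet if major == local_major else major)
        result[name] = sorted(n.with_prefixlen for n in advertised)
    return result


# Subnets of the EIGRP domain as listed in the post (R1's converged table).
R1_TABLE = [ip_network(p) for p in (
    "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/30",
    "192.168.10.4/30", "192.168.10.8/30", "192.168.1.0/24")]

R1_INTERFACES = {
    "GigabitEthernet0/0": IPv4Interface("172.16.1.1/24"),    # assumed address
    "Serial0/0/0":        IPv4Interface("172.16.3.1/30"),    # assumed address
    "Serial0/0/1":        IPv4Interface("192.168.10.5/30"),  # address from the post
}

if __name__ == "__main__":
    for iface, prefixes in auto_summary_advertisements(R1_TABLE, R1_INTERFACES).items():
        print(f"{iface}: {', '.join(prefixes)}")
```

Serial0/0/1 is the only interface outside 172.16.0.0/16, so it is the only one that carries the /16 summary; the two 172.16 interfaces carry the 192.168.10.0/24 summary and the unsummarized 172.16 subnets.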

EIGRP TOPOLOGY TABLE

In the image, routers R1 and R2 send R3 a summary EIGRP routing update for 172.16.0.0/16.

The routing tables of R1 and R2 have subnets of the 172.16.0.0/16 network; therefore, both routers send R3 summarized advertisements over a different major network. The output of the show ip eigrp topology all-links command, used to view the full EIGRP topology table of R3, is shown below.
R3# show ip eigrp topology all-links
P 172.16.0.0/16, 1 successors, FD is 2170112, serno 9
        via 192.168.10.5 (2170112/2816), Serial0/0/0
        via 192.168.10.9 (3012096/2816), Serial0/0/1
This verifies that R3 received the summary route 172.16.0.0/16 from both R1 at 192.168.10.5 and R2 at 192.168.10.9. The first entry, via 192.168.10.5, is the successor, and the second entry, via 192.168.10.9, is the feasible successor. R1 is the successor because its 1544 kb/s link to R3 gives R3 a better EIGRP cost to 172.16.0.0/16 than R2, which uses a slower 1024 kb/s link.
The all-links option shows all updates received, regardless of whether the route qualifies as a feasible successor (FS) or not. In this case, R2 qualifies as an FS. R2 is considered an FS because its reported distance (RD) of 2816 is less than the feasible distance (FD) of 2170112 through R1.

EIGRP ROUTING TABLE

Examine the routing table to verify that the summary route has been received. The image shows the R3 routing table before automatic summarization.
Automatic summarization disabled
The image shows the R3 routing table with automatic summarization enabled by means of the auto-summary command.
Automatic summarization enabled
Note that with automatic summarization enabled, the R3 routing table now contains only the class B network address 172.16.0.0/16. The successor, or next-hop router, is R1, via 192.168.10.5.
Note: Automatic summarization is only an option with EIGRP for IPv4. Classful addressing does not exist in IPv6; therefore, automatic summarization is not needed with EIGRP for IPv6.

THE NULL INTERFACE

When enabling automatic summarization, it is also necessary to understand the null interface (Null0). The following image shows the routing table of R1.

Note that a Null0 exit interface is used in the two highlighted entries. EIGRP automatically included a summary route to Null0 for two classful networks: 192.168.10.0/24 and 172.16.0.0/16.
The Null0 interface is a virtual IOS interface that constitutes a route to nowhere, commonly known as "the electronic limbo". Packets that match a route with exit interface Null0 are discarded.
EIGRP for IPv4 automatically includes a Null0 summary route when the following conditions are met:

  • There is at least one subnet that was learned through EIGRP.
  • There are two or more network commands in EIGRP router configuration mode.
  • Automatic summarization is enabled.

The purpose of the Null0 summary route is to avoid routing loops to destinations that are included in the summary but do not really exist in the routing table.

EIGRP Summary Route

The illustration shows a situation in which a routing loop could occur:

  1. R1 has a default route 0.0.0.0/0 through the ISP router.
  2. R1 sends a routing update to R2 with the default route.
  3. R2 installs the default route of R1 in its IPv4 routing table.
  4. The R2 routing table contains the 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24 subnets.
  5. R2 sends a summary update to R1 for network 172.16.0.0/16.
  6. R1 installs the summary route for 172.16.0.0/16 through R2.
  7. R1 receives a packet for 172.16.4.10. Because R1 has a route for 172.16.0.0/16 through R2, it forwards the packet to R2.
  8. R2 receives the packet with destination address 172.16.4.10 from R1. The packet does not match any specific route, so, using the default route in its routing table, R2 forwards the packet back to R1.
  9. The packet for 172.16.4.10 bounces back and forth between R1 and R2 until the TTL expires and the packet is discarded.

EIGRP MANUAL SUMMARIZATION

EIGRP can be configured to summarize routes, whether automatic summarization (auto-summary) is enabled or not. Because EIGRP is a classless routing protocol and includes the subnet mask in routing updates, manual summarization may include supernet routes. Remember, a supernet is an aggregate of multiple classful major network addresses. In the following image, two more networks are added to the R3 router with the loopback interfaces 192.168.2.0/24 and 192.168.3.0/24. Although loopback interfaces are virtual interfaces, in this example they are used to represent physical networks.

The following are the commands to configure the two loopback interfaces and the configuration to enable both interfaces for EIGRP on R3.
R3(config)# interface loopback 2
R3(config-if)# ip address 192.168.2.1 255.255.255.0
R3(config-if)# exit
R3(config)# interface loopback 3
R3(config-if)# ip address 192.168.3.1 255.255.255.0
R3(config-if)# exit
R3(config)# router eigrp 1
R3(config-router)# network 192.168.2.0
R3(config-router)# network 192.168.3.0
To verify that R3 sent the EIGRP update packets to R1 and R2, the routing tables of both routers are examined. Only the relevant routes are shown. The routing tables of R1 and R2 show the additional networks 192.168.2.0/24 and 192.168.3.0/24.
R1# show ip route
D 192.168.1.0/24 [90/2170112] via 192.168.10.6, 00:47:39, Serial0/0/1
D 192.168.2.0/24 [90/2297856] via 192.168.10.6, 00:08:09, Serial0/0/1
D 192.168.3.0/24 [90/2297856] via 192.168.10.6, 00:08:04, Serial0/0/1
R1#
R2# show ip route
D 192.168.1.0/24 [90/3012096] via 192.168.10.10, 00:47:58, Serial0/0/1
D 192.168.2.0/24 [90/3139840] via 192.168.10.10, 00:08:28, Serial0/0/1
D 192.168.3.0/24 [90/3139840] via 192.168.10.10, 00:08:23, Serial0/0/1
R2#
Instead of sending three networks separately, R3 can summarize 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 networks as a single route.

CONFIGURATION OF EIGRP MANUAL SUMMARY ROUTES

The following figure shows the two manual summary routes that are configured on R3. These summary routes are sent out the Serial 0/0/0 and Serial 0/0/1 interfaces to the EIGRP neighbors of R3.

To determine the summary of these three networks, the same method is used as for determining summary static routes, as shown in Image 20:

  • Step 1. Write the networks that will be summarized in binary format.
  • Step 2. To find the subnet mask for summarization, start with the far left bit.
  • Step 3. From left to right, find all the bits that match consecutively.
  • Step 4. When there is a column of bits that do not match, stop. This is the summary boundary.
  • Step 5. Count the number of matching bits found on the far left. In the example, it is 22. This number is used to determine the subnet mask of the summarized route: /22 or 255.255.252.0.
  • Step 6. To find the network address for the summary, copy the 22 matching bits and add 0 bits to the end to get 32 bits.

The result is the summarized network address and mask: 192.168.0.0/22.
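As an added example (not part of the original post and not Cisco's code), the following Python script carries out the six steps above with the standard library ipaddress module. It generalizes the page's three /24 networks to any list of IPv4 prefixes and, because a summary also covers address space that no member advertises, it lists those uncovered subnets, which is exactly the space the Null0 discard route described earlier exists to catch.

```python
import ipaddress


def summarize_networks(prefixes):
    """Steps 1-6 from the text: find the longest run of leading bits shared by
    every network address and pad with zeros.  Returns (network, mask, bits)."""
    nets = [ipaddress.IPv4Network(p, strict=False) for p in prefixes]
    # Step 1: each network address as a 32-character binary string
    rows = [format(int(n.network_address), "032b") for n in nets]
    # Steps 2-5: walk the columns left to right and stop at the first mismatch
    common = 0
    for col in range(32):
        if len({row[col] for row in rows}) > 1:
            break
        common += 1
    # A summary can never be more specific than its least specific member
    common = min(common, min(n.prefixlen for n in nets))
    # Step 6: copy the matching bits and fill the remaining bits with zeros
    net_int = int(rows[0][:common].ljust(32, "0"), 2)
    summary = ipaddress.IPv4Network((net_int, common))
    return str(summary), str(summary.netmask), common


def phantom_subnets(prefixes):
    """Subnets inside the summary that no member network covers.  Traffic for
    these is attracted by the summary but has no real route, which is why a
    discard route to Null0 must accompany the summary."""
    nets = [ipaddress.IPv4Network(p, strict=False) for p in prefixes]
    summary = ipaddress.IPv4Network(summarize_networks(prefixes)[0])
    longest = max(n.prefixlen for n in nets)
    return [
        str(s)
        for s in summary.subnets(new_prefix=longest)
        if not any(s.subnet_of(n) for n in nets)
    ]


if __name__ == "__main__":
    # The three networks R3 advertises in the text above
    r3_networks = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    print(summarize_networks(r3_networks))  # ('192.168.0.0/22', '255.255.252.0', 22)
    print(phantom_subnets(r3_networks))     # ['192.168.0.0/24']
```

Run on R3's three networks it returns 192.168.0.0/22 with mask 255.255.252.0, and reports 192.168.0.0/24 as the one subnet inside the summary that none of R3's interfaces actually serves; a packet for that subnet arriving at R3 must hit the Null0 route rather than follow a default route back toward the sender.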

EIGRP MANUAL SUMMARIZATION CONFIGURATION

To set the EIGRP manual summarization on a specific EIGRP interface, use the following interface configuration mode command:
Router(config-if)# ip summary-address eigrp as-number network-address subnet-mask
Below is the configuration to propagate a manual summary route on the Serial 0/0/0 interface of R3. Because R3 has two EIGRP neighbors, the manual EIGRP summarization must be configured on both Serial 0/0/0 and Serial 0/0/1.
R3(config)# interface serial 0/0/0
R3(config-if)# ip summary-address eigrp 1 192.168.0.0 255.255.252.0
R3(config-if)#

VERIFICATION OF MANUAL SUMMARY ROUTES

It is shown below that, after configuring the summarized route, the routing tables of R1 and R2 no longer include the individual networks 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24.
R1# show ip route
D 192.168.0.0/22 [90/2170112] via 192.168.10.6, 01:53:19, Serial0/0/1
R1#
R2# show ip route
D 192.168.0.0/22 [90/3012096] via 192.168.10.10, 01:53:33, Serial0/0/1
R2#
Instead, they show a single summary route: 192.168.0.0/22. Summarized routes reduce the total number of routes in the routing tables, which makes the search process in those tables more efficient.
These routes also require less bandwidth utilization for routing updates, since a single route can be sent instead of several individual routes.

Monday, 9 September 2019

How to Maintain Network Security Steps

This is a brief guide on "How to Maintain Network Security Steps". After reading this article you will be able to understand the following network security steps:

  • Security threats and vulnerabilities need to be taken into account when planning the implementation of a network. All network devices must be protected. This includes routers, switches, devices for end users and even security devices. Networks should be protected against malicious software, such as viruses, Trojan horses and worms.
  • Networks must also be protected against network attacks: reconnaissance, access and denial of service. There are several ways to protect the network against network attacks.
  • Authentication, authorization and accounting network security services (AAA or “triple A”) provide the main framework for configuring access control on network devices.
  • To protect network devices, it is important to use strong passwords. In addition, when accessing network devices remotely, it is recommended to enable SSH instead of the Telnet protocol, which is not secure.

1. SECURITY MEASURES FOR NETWORK DEVICES

Whether they are wired or wireless networks, computer networks are increasingly fundamental to everyday activities. Both people and organizations depend on PCs and networks. Intrusions of unauthorized persons can cause costly network interruptions and job losses. Attacks on a network can be devastating and can cause loss of time and money due to damage or theft of important information or assets.

CATEGORIES OF NETWORK SECURITY THREATS

Intruders can access a network through software vulnerabilities, hardware attacks or by cracking someone's username and password. Typically, intruders who gain access through software modification or exploitation of software vulnerabilities are called hackers.
Once a hacker gains access to the network, four types of threats may arise:

  • Information theft: Unauthorized entry into a computer to obtain confidential information. The information can be used or sold for different purposes.
  • Identity theft: A form of information theft in which personal information is stolen in order to usurp the identity of another person. Identity theft is a growing problem that costs billions of dollars a year.
  • Data loss or manipulation: Unauthorized entry into a computer to destroy or alter data records. Example of data loss: sending a virus that reformats a PC's hard drive. Example of data manipulation: unauthorized entry into a records system to modify information, such as the price of an item.
  • Service interruption: Preventing legitimate users from accessing services that they should be able to access.

Even in small networks, security threats and vulnerabilities must be taken into account when planning a network implementation.

PHYSICAL SECURITY

When you think about network security, or even computer security, you may think of attackers who exploit software vulnerabilities.
If the network resources are exposed to physical risks, an attacker may deny the use of such resources.
The four kinds of physical threats are as follows:

  1. Hardware threats : physical damage to servers, routers, switches, wiring plant and workstations
  2. Environmental threats : extremes of temperature (too hot or too cold) or extremes of humidity (too wet or too dry)
  3. Electrical threats : voltage spikes, insufficient voltage supply (partial blackouts), power without conditioning (noise) and total power drop
  4. Maintenance threats : poor management of key electrical components (electrostatic discharge), lack of critical spare parts, poor wiring and labeling
Some of these problems must be addressed in the organization's policies. Some of them depend on a good management and administration of the organization.

TYPES OF SECURITY VULNERABILITIES

Three network security factors are vulnerability, threat and attack.

  • Vulnerability is the degree of weakness inherent in every network and device. This includes routers, switches, desktops, servers and even security devices.
  • Threats include people interested in taking advantage of every security weakness and trained to do so.
Threats are carried out with a variety of tools, scripts and programs to launch attacks against networks and network devices. Typically, the network devices that suffer attacks are endpoints, such as servers and desktops.

2. VULNERABILITIES AND NETWORK ATTACKS

Malicious code attacks include various types of programs that were created with the intention of causing loss of or damage to data. The three main types of malicious code attacks are viruses, Trojan horses and worms.

VIRUSES, WORMS AND TROJAN HORSES


  • Virus: A virus is a type of malicious software that attaches itself to another program in order to execute a specific unwanted function on a workstation.

Note: In general, viruses require a delivery mechanism, a vector, such as a zip file or some other executable file attached to an email, to transport the virus code from one system to another.

  • Trojan horse: A Trojan horse differs from a virus only in that the entire application was written to look like something else, when in reality it is an attack tool.
  • Worms: Worms are self-contained programs that attack a system and try to exploit a specific vulnerability of the target. Once the vulnerability is exploited, the worm copies its program from the attacking host to the newly exploited system to restart the cycle.

The anatomy of a worm attack is as follows:

  1. Enabling vulnerability: the worm installs itself by exploiting known vulnerabilities of the systems, such as naive end users who open unverified executable email attachments.
  2. Propagation mechanism: after obtaining access to a host, the worm copies itself to that host and then selects new targets.
  3. Payload: once a host has been infected with the worm, the attacker has access to the host, often as a privileged user. Attackers can use a local vulnerability to raise their privilege level to that of administrator.

RECONNAISSANCE ATTACKS

In addition to malicious code attacks, networks may fall prey to various network attacks.
Network attacks can be classified into three main categories:

  • Reconnaissance attacks: unauthorized discovery and mapping of systems, services or vulnerabilities.
  • Access attacks: unauthorized manipulation of data, access to the system or user privileges.
  • Denial of service: deactivating or damaging networks, systems or services.

Reconnaissance attacks

External attackers can use Internet tools, such as the nslookup and whois utilities, to easily determine the IP address space allocated to a particular company or entity. Once the IP address space is determined, an attacker can ping the publicly available IP addresses to identify the addresses that are active. To automate this step, an attacker can use a ping sweep tool, such as fping or gping, that systematically pings all network addresses in a given range or subnet. This is similar to going through a section of a phone book and calling each number to see who answers.

ACCESS ATTACKS

Access attacks exploit known vulnerabilities of authentication services, FTP services and Web services to gain access to Web accounts, confidential databases and other confidential information. An access attack allows a person to gain unauthorized access to information that they do not have the right to see. Access attacks can be classified into four types: Password attack, Trust exploitation, Port redirection and Man-in-the-middle attack.



One of the most common types of access attacks is the password attack. Password attacks can be carried out with packet sniffers to obtain user accounts and passwords that are transmitted as clear text. Password attacks can also refer to repeated attempts to log in to a shared resource, such as a server or router, to identify a user account, password or both. These repeated attempts are called "dictionary attacks" or "brute force attacks".

DoS (DENIAL OF SERVICE) ATTACKS

DoS attacks are the best known form of attack and are also among the most difficult to eliminate. Even within the community of attackers, DoS attacks are considered trivial and are frowned upon, since they require very little effort to execute. However, due to ease of implementation and potentially considerable damage, security administrators must pay special attention to DoS attacks.

DoS attacks have many forms. Fundamentally, they prevent authorized persons from using a service by consuming system resources.

3. MITIGATION OF NETWORK ATTACKS

Antivirus software can detect most viruses and many Trojan horse applications, and prevent them from spreading on the network. Antivirus software can be implemented at the user level and at the network level. Staying up to date with the latest developments in these types of attacks can also contribute to a more effective defense against them. Mitigating worm attacks requires the diligence of network and systems administration personnel. The following are the recommended steps to mitigate worm attacks:

  • Containment : contain the spread of the worm within the network. Divide the uninfected parts of the network into sections.
  • Inoculation : start patching all systems and, if possible, examine for vulnerable systems.
  • Quarantine : Track all infected machines within the network. Disconnect or remove infected machines from the network or block them.
  • Treatment : clean all infected systems and apply patches. Some worms may require a complete reinstallation of the central system to clean the system.

BACKUPS, UPDATES AND PATCHES

The most effective way to mitigate a worm attack is to download security updates from the operating system vendor and apply patches to all vulnerable systems.

This is difficult with uncontrolled user systems in the local network. The administration of numerous systems involves the creation of an image of standard software (operating system and accredited applications whose use is authorized in client systems) that is implemented in new or updated systems. However, security requirements change, and updated security patches may have to be installed on systems that are already implemented.

AUTHENTICATION, AUTHORIZATION AND ACCOUNTING

Authentication, authorization and accounting network security services (AAA or “triple A”) provide the main framework for configuring access control on network devices. AAA is a way of controlling who is allowed to access a network (authentication), controlling what people can do while they are there (authorization) and observing the actions they take while accessing the network (accounting).

  • Authentication: Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards and other methods.
  • Accounting: Accounting records what the user does, including the resources accessed, the amount of time the resource is accessed and all the changes that were made.

The concept of AAA is similar to the use of a credit card. The credit card identifies who can use it and how much that user can spend, and keeps track of the items on which the user spent money, as shown in the illustration.

FIREWALLS

In addition to protecting the individual computers and servers connected to the network, it is important to control inbound and outbound network traffic. The firewall is one of the most effective security tools available for the protection of internal network users against external threats. The firewall resides between two or more networks and controls traffic between them, in addition to preventing unauthorized access. Firewall products use different techniques to determine what access to allow and what access to deny on a network.

FIREWALL TECHNIQUES

These techniques are as follows:

  • Packet filtering : prevents or allows access based on IP or MAC addresses.
  • Application filtering : prevents or allows access to specific types of applications according to port numbers.
  • URL filtering : prevents or allows access to websites based on specific keywords or URLs.
  • Stateful packet inspection (SPI): Incoming packets must be legitimate responses to requests from internal hosts. Unsolicited packets are blocked unless specifically allowed. SPI may also include the ability to recognize and filter specific types of attacks, such as denial of service (DoS) attacks.
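To show what stateful packet inspection adds over a plain address or port filter, here is an added Python example; it is not from the original post or from any firewall product. The addresses, ports and packet sequence are constructed for the demo. The filter records each outbound connection and lets an inbound packet through only if it answers one of those connections or targets a port the administrator has deliberately published.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A constructed packet header; direction is 'in' (from outside) or 'out'."""
    src: str
    sport: int
    dst: str
    dport: int
    direction: str


class StatefulFirewall:
    """Toy stateful packet inspection: outbound packets create a session entry;
    inbound packets are allowed only if they answer a tracked session or hit an
    explicitly published service port."""

    def __init__(self, published_ports=()):
        # (inside_ip, inside_port, outside_ip, outside_port) of every session seen leaving
        self.sessions = set()
        self.published_ports = set(published_ports)

    def filter(self, pkt):
        if pkt.direction == "out":
            # An internal host initiates: remember the 4-tuple so the reply can return.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: a reply must mirror a session we saw leave (addresses/ports swapped).
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow"
        # Unsolicited inbound traffic is blocked unless the port is published on purpose.
        if pkt.dport in self.published_ports:
            return "allow"
        return "drop"


def run_trace():
    """Replay a constructed packet sequence and return the decisions in order."""
    fw = StatefulFirewall(published_ports={443})
    trace = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 80, "out"),   # inside host browses out
        Packet("203.0.113.10", 80, "10.0.0.5", 51000, "in"),    # genuine reply to that request
        Packet("203.0.113.10", 80, "10.0.0.5", 51001, "in"),    # same server, wrong port: not a reply
        Packet("198.51.100.7", 40000, "10.0.0.5", 3389, "in"),  # unsolicited inbound connection
        Packet("198.51.100.7", 40001, "10.0.0.20", 443, "in"),  # published HTTPS server
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    print(run_trace())  # ['allow', 'allow', 'drop', 'drop', 'allow']
```

The third packet is the point of the exercise: a filter that only looks at addresses and ports would accept it because it comes from a web server's port 80, while the stateful check rejects it because no internal host ever opened that connection.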

FIREWALL PRODUCTS

Firewall products can support one or more of these filtering capabilities. In addition, firewalls usually perform network address translation (NAT). NAT translates an internal IP address, or group of addresses, to an external public IP address that is sent across the network. This hides the internal IP addresses from external users.
Firewall products come in different formats.

  • Appliance-based firewalls: An appliance-based firewall is a firewall built into a dedicated hardware device, known as a security appliance.
  • Server-based firewalls: A server-based firewall consists of a firewall application that runs on a network operating system (NOS), such as UNIX or Windows.
  • Integrated firewalls: An integrated firewall is implemented by adding firewall functionality to an existing device, such as a router.
  • Personal firewalls: Personal firewalls reside on host computers and are not designed for LAN implementations. They may be available by default in the OS or they may come from an external vendor.

ENDPOINT SECURITY

A network is only as secure as its weakest link. The threats that get the most attention in the media are external threats, such as Internet worms and DoS attacks, but protecting the internal network is as important as protecting the network perimeter. The internal network consists of network endpoints. An endpoint (terminal), or host, is an individual computer system or device that acts as a network client. Common endpoints are laptops, desktops, servers, smartphones and tablets. If users do not apply security to endpoint devices, no other security precaution will guarantee a secure network.
Securing endpoint devices is one of the most challenging jobs for a network administrator, because it involves human nature. Employees should be trained on the correct use of the network. In general, these policies include the use of antivirus software and host-based intrusion prevention. The most comprehensive endpoint security solutions depend on network access control.

4. DEVICE PROTECTION

A part of network security is to protect the devices themselves, including end devices and intermediaries, such as network devices. When a new operating system is installed on a device, the security settings are set to default values. In most cases, that level of security is insufficient.


On Cisco routers, the Cisco AutoSecure feature can be used to protect the system, as described in the illustration. There are some simple steps that must be followed and that apply to most operating systems:

  • Usernames and default passwords must be changed immediately.
  • Access to system resources should be restricted only to people who are authorized to use those resources.
  • Whenever possible, all unnecessary services and applications should be deactivated and uninstalled.
  • All devices should be updated with security patches as they become available.

SECURE PASSWORDS

To protect network devices, it is important to use strong passwords. The standard guidelines that should be followed are as follows:

  • Use a password length of at least eight characters and preferably ten characters or more. The longer it is, the better the password.
  • Create complex passwords. Include a combination of upper and lower case letters, numbers, symbols and spaces, if allowed.
  • Avoid passwords based on repetition, common dictionary words, sequences of letters or numbers, usernames, family or pet names, biographical information, identification numbers, ancestor names or other easily identifiable information.
  • Misspell passwords on purpose. For example, Smith = Smyth = 5mYth, or Security = 5ecur1ty.
  • Change passwords frequently. If a password is compromised without knowing it, the opportunities for the attacker to use it are limited.
  • Do not write down passwords or leave them in obvious places, for example, on your desktop or monitor.
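The guidelines above can be turned into a check that an administrator runs on a candidate password before configuring it. This is an added Python example, not part of the original post: the word list is a constructed stand-in for a real dictionary, the "at least three of four character classes" rule and the passphrase exemption (16 or more characters containing a space) are assumptions of this example, and the leading-space handling follows the IOS behaviour described in this post.

```python
import re

# Constructed mini word list for the demo; a real check uses a full dictionary.
COMMON_WORDS = {"password", "security", "cisco", "admin", "letmein", "welcome"}


def _has_sequence(text, run=3):
    """True if `run` consecutive characters step up or down by one (abc, 321, xyz)."""
    codes = [ord(c) for c in text.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password, username="", min_len=8, recommended_len=10):
    """Return the list of guideline violations; an empty list means it passes."""
    # IOS ignores leading spaces, so they must not count towards the length.
    pw = password.lstrip(" ")
    low = pw.lower()
    problems = []

    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    elif len(pw) < recommended_len:
        problems.append(f"shorter than the recommended {recommended_len} characters")

    # Assumption: a long multi-word passphrase is accepted without the class mix.
    is_passphrase = len(pw) >= 16 and " " in pw.strip()
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not is_passphrase and sum(bool(re.search(c, pw)) for c in classes) < 3:
        problems.append("needs at least three of: lower case, upper case, digits, symbols")

    if username and username.lower() in low:
        problems.append("contains the username")
    for word in sorted(COMMON_WORDS):
        if word in low:
            problems.append(f"contains the dictionary word '{word}'")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats a character three times in a row")
    if _has_sequence(pw):
        problems.append("contains a letter or number sequence")
    return problems


if __name__ == "__main__":
    for candidate in ["cisco", "   Admin123!", "5mYth Secur3!", "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate, username="admin") or "OK")
```

The second candidate is there to show the two rules that interact with IOS: the three leading spaces do not count, so the effective password is nine characters, and it still fails on the embedded username and the "123" sequence.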

On Cisco routers, the initial spaces for passwords are ignored, but the spaces that follow the first character are not ignored.
Note : One method to create a strong password is to use the space bar in the password and create a phrase composed of many words. This is called a " passphrase ".
Administrators must ensure that strong passwords are used throughout the network. One way to achieve this is to use the same “brute force” attack tools that attackers use as a method to verify password security.

BASIC SECURITY PRACTICES

When deploying devices, it is important to follow all security guidelines set by the organization. This includes naming devices in a way that makes logging and monitoring easier while still preserving some security: it is not recommended to reveal too much about the purpose of the device in its host name. There are many other basic security measures that must be implemented.

ADDITIONAL PASSWORD SECURITY

Secure passwords are useful only as long as they remain secret. Various measures can be taken to ensure that passwords remain secret. The global configuration command service password-encryption prevents unauthorized persons from seeing the passwords as clear text in the configuration file. This command encrypts all clear-text passwords in the configuration. Note that it applies the IOS type 7 encoding (the "password 7" lines shown in the running configuration), which is reversible and only protects against casual viewing of the configuration, not against offline recovery.

Also, to ensure that all configured passwords have a specific minimum length, use the security passwords min-length command in global configuration mode.

Another way in which hackers discover passwords is simply by brute force attacks, that is, by trying many passwords until one works. Such attacks can be blunted by blocking login attempts to the device when a certain number of failures occur within a specific period.

Router(config)# login block-for 120 attempts 3 within 60
This command blocks login attempts for 120 seconds if there are three failed login attempts within 60 seconds.

Example of secure configuration:

Router(config)# service password-encryption
Router(config)# security passwords min-length 8
Router(config)# login block-for 120 attempts 3 within 60
Router(config)# line vty 0 4
Router(config-line)# exec-timeout 10
Router(config-line)# end
Router# show running-config
--More--
!
line vty 0 4
 password 7 03095A0F034F38435B49150A1819
 exec-timeout 10
 login
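The following added Python example (not from the original post or from Cisco IOS) simulates the sliding-window logic behind login block-for, so the effect of the numbers 120, 3 and 60 can be seen on a constructed timeline. It models the behaviour as this post describes it: failures are counted in a window of `within` seconds, and reaching `attempts` failures starts a quiet period of `block_for` seconds during which every login, correct password or not, is refused.

```python
from collections import deque


class LoginGuard:
    """Simulates 'login block-for <block_for> attempts <attempts> within <within>':
    after `attempts` failed logins inside a `within`-second window, all logins
    are refused for `block_for` seconds (the quiet period)."""

    def __init__(self, block_for=120, attempts=3, within=60):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.failures = deque()      # timestamps of recent failed logins
        self.blocked_until = None    # end of the quiet period, if one is active

    def is_blocked(self, now):
        return self.blocked_until is not None and now < self.blocked_until

    def attempt(self, now, credentials_ok):
        """Return 'blocked', 'ok' or 'failed' for a login attempt at time `now` (seconds)."""
        if self.is_blocked(now):
            return "blocked"
        self.blocked_until = None
        if credentials_ok:
            self.failures.clear()
            return "ok"
        # Record the failure and drop anything that has left the sliding window.
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            # Enter the quiet period; the device stops answering logins.
            self.blocked_until = now + self.block_for
            self.failures.clear()
        return "failed"


def simulate(events, **policy):
    """Replay (time, credentials_ok) events and return the decision for each."""
    guard = LoginGuard(**policy)
    return [guard.attempt(t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed timeline: three bad passwords in 20 s, then the real administrator
    # tries at 100 s (still inside the quiet period) and again at 140 s (period over).
    print(simulate([(0, False), (10, False), (20, False), (100, True), (140, True)]))
    # ['failed', 'failed', 'failed', 'blocked', 'ok']
    # Three failures spread over 140 s never fall inside one 60 s window, so no block.
    print(simulate([(0, False), (70, False), (140, False), (141, True)]))
    # ['failed', 'failed', 'failed', 'ok']
```

The fourth decision in the first timeline is the cost of this control: the administrator's own correct login is refused during the quiet period. On a real router, pair login block-for with login quiet-mode access-class and an ACL that permits the management hosts, so that a burst of failed logins from elsewhere cannot lock the administrators out as well.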

MESSAGES

Banner messages are similar to "no trespassing" signs. They are important in order to be able to prosecute in court anyone who accesses the system inappropriately. Make sure that the banner messages comply with the organization's security policies.

Router(config)# banner motd # message #

EXEC TIMEOUT

Another recommendation is to configure exec timeouts. Configuring the exec timeout instructs the Cisco device to automatically disconnect users on a line after they have been idle for the duration of the exec timeout value.
Exec timeouts can be configured on console, vty and auxiliary ports.

Router(config)# line vty 0 4
Router(config-line)# exec-timeout 10
This command disconnects idle users after 10 minutes.

ACTIVATE SSH

The old protocol for managing devices remotely is Telnet. Telnet is not secure: the data in a Telnet packet is transmitted without encryption, so with a tool like Wireshark anyone who can capture a Telnet session can read the password. For this reason, it is strongly recommended to enable SSH on devices to obtain a secure remote access method. A Cisco device can be configured to support SSH in four steps:

  1. Step 1. Make sure the router has a unique host name and configure the network's IP domain name using the ip domain-name domain-name command in global configuration mode.
  2. Step 2. One-way secret keys must be generated for the router to encrypt SSH traffic. The key is what is used to encrypt and decrypt data. To create an encryption key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode, for example:
Router(config)# crypto key generate rsa general-keys modulus 1024
     The 1024-bit modulus is the value used in this example; current guidance is to use a modulus of at least 2048 bits.
  3. Step 3. Create a username entry in the local database using the username name secret secret command in global configuration mode.
  4. Step 4. Enable incoming SSH sessions on the vty lines using the login local and transport input ssh commands in line configuration mode.

The router's SSH service can now be accessed using SSH client software.