Lecture Five Network and Telecommunications


LECTURE FIVE: NETWORK AND TELECOMMUNICATIONS
Lecturer: Mr Oguna
Introduction
• Controlling user access to information is just one aspect of working in the
information systems security industry. With those controls in place, you can
focus on building network systems that provide a secure environment to
share and distribute information. In this lesson, you will analyze network
systems and telecommunications.
• The assurance of network system security is dependent upon the design of
an effective and well-rounded data network. The application of specialized
models, topologies, protocols, and services is instrumental in building a
data network from the ground up and employing secure data exchange,
distributing confidential information among network resources. In this
topic, you will identify data network design principles, topologies,
protocols, and services.
Introduction
• The layout of your data network can either be an asset to security or
can increase the system’s vulnerability for unauthorized access. In
addition to improving system security, your design can enhance the
manageability of the data network.
• Effective data network design can also have significant effects on data
transmission time, improving user productivity. Utilizing proper data
network design techniques can increase your ability to efficiently
provide security and convenience to your network users.
Objectives
At the end of the lecture you should be able to:
• Identify data network design.
• Identify remote data access to network systems.
• Analyze data network security.
• Apply data network management.
5.2 Lecture Outline
5.3.1 Data Network Design
5.3.2 Remote Data Access
5.3.3 Network Security
5.3.4 Data Network Management
5.3.5 End of lecture activities (self-tests)
5.3.6 Summary
5.3.7 Suggestion for further reading
5.4 Data Network Design
• A data network is a collection of hardware and software that allows
the exchange of information between sending and receiving
application processes.
• The TCP/IP model represents a collection of communications
protocols used to govern data exchange on the Internet. It was
developed in the late 1960s from a project sponsored by the Defense
Advanced Research Projects Agency (DARPA) to design the Internet's
protocols.
5.4.1 Network Architecture Components
• A router is a networking device used to connect multiple networks that
employ the same protocol. Routers send data between networks by
examining the network addresses contained in the packets they
process. Routers can also be used as security devices because they can
be configured to limit traffic entering or leaving different networks.
• A switch is an interconnecting network device that forwards packets to
the correct port based on Media Access Control (MAC) addresses. A
MAC address is a unique, hardware-level address assigned to network
access devices, such as Ethernet cards, by its manufacturer. Switches
can be used as security devices by shutting down unused ports, by
restricting port use to authorized devices, and by building virtual local
area networks (VLANs) to isolate workgroup traffic on the same switch.
5.4.1 Network Architecture Components
• A gateway is a device, software, or a system that converts data
between incompatible systems. Gateways can translate data between
different operating systems, between different email formats, or
between totally different networks.
• A firewall is a software program or hardware device that protects
networks from unauthorized data by blocking unsolicited traffic.
Firewalls allow incoming or outgoing traffic that has been specifically
permitted by a system administrator, and enable incoming traffic that
is sent in response to requests from internal hosts.
5.4.2 Data Services
• Data services are the functions provided and the
applications that are accessible when connecting devices
to a network. They are combinations of hardware and
software dedicated to managing network functions and
resources. Typically, a data service is defined by its
function.
• There are many different types of network data services,
including file, mail, and print services:
Types of network data services:
• A remote procedure call (RPC) is a process used to cause the execution of a
module, subroutine, or procedure at a remote location. It offers a
programmer-friendly interface language that is used for access.
• Directory services (DS) are a data technology used to provide information about
users and resources in a computer network. Some directory services contain
access control mechanisms such as user identifications and authentication
methods.
• Data access services are functions that mediate the access of data over a
network. For example, Microsoft® uses the Common Internet File System
(CIFS) to move data between machines in a network. Unix and Unix-like
operating systems traditionally use a Network File System (NFS) for the same
purpose.
Types of network data services:
• Messaging services can be asynchronous or synchronous. Asynchronous messaging is a
function where the sender and receiver are not directly and simultaneously interacting,
and where some delay is included in the communication process.
• A peer-to-peer service is an application that does not use the typical client/server model
for implementation. In peer-to-peer applications, all participants in the application are
considered
• Secure Shell (SSH) is an administrative services protocol that replaces Telnet and
provides a secure, encrypted environment for command line access to devices, such as
routers and switches, for configuration purposes.
• Remote Access Service (RAS) provides access to a computer system or network from a
separate location, often for administrative purposes.
• The protocols listed here have no built-in security mechanisms other than the
identification and authentication (I&A) afforded by the operating system of the machine
being accessed.
5.5 Remote Data Access
• Initially, data networks were designed to provide access to shared
resources among users connected directly to the information system.
• Today, businesses and personnel are distributed around the globe.
Remote users still require the same secure access to system resources
and information, but added security measures are critical to ensure
that your network is not compromised by unauthorized users.
• To create availability and integrity for remote users, you need to
effectively provide remote access to a data network.
• Added security measures for remote access users are critical because
their identities cannot be verified by simple passwords alone.
5.5.1 Remote Access Technologies
• Dial-up. Using dial-up can be slow, but the technology is ubiquitous. It
requires the use of a modulator-demodulator (modem) to translate digital
information from a computer into a form that will be accepted by the
analog telephone system. Dial-up services are limited to a 53 kilobit per
second (kbps) transfer rate due to the nature of the telephone systems
supporting the data transfer.
• VPN. Implementing a VPN allows remote access to another network by
transferring information from the remote client over the Internet using
secure transport protocols like Internet Protocol security (IPsec).
• Wireless. The use of wireless networking as a remote access capability can
be seen in two distinct ways:
  • A direct connection to a local network using 802.11 wireless capabilities.
  • A high-speed wireless interface connection to the cellular telephone network.
5.5.2 Remote Access Protocols
• The Serial Line Internet Protocol (SLIP) is a simple communications
protocol that encapsulates IP datagrams carried over dial-up
networks.
• The Point-to-Point Protocol (PPP) is currently used to support dial-up
services. It supports automatic configuration using the associated Link
Control Protocol (LCP). For authentication, early PPP used a two-step
process with no password security known as the Password
Authentication Protocol (PAP). Current implementations use a three-step
protocol with password security known as the Challenge-Handshake
Authentication Protocol (CHAP).
• The Point-to-Point Tunneling Protocol (PPTP) encapsulates PPP
packets for remote delivery over the Internet to the target network.
Newer protocols, such as IPsec, are preferred over PPTP.
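The two-step PAP and three-step CHAP exchanges above, modelled as an added example (not code from the lecture). The peer name and shared secret are constructed sample values; the response is computed as CHAP specifies, MD5 over the identifier, the secret and the challenge, so the secret itself never crosses the link.

```python
import hashlib
import hmac
import os

# Added example, not from the lecture: the three-step CHAP exchange (RFC 1994)
# beside PAP. Peer name and shared secret below are constructed samples.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2: the peer returns MD5(identifier || secret || challenge).
    The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """Step 1 issues a fresh random challenge; step 3 verifies the response."""
    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> shared secret
        self.pending = {}           # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)       # fresh per attempt, so a replayed response fails
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)

def pap_authenticate(secrets: dict, name: str, password: bytes) -> bool:
    """PAP: the password itself is sent over the link and compared directly."""
    return secrets.get(name) == password

def demo():
    secrets = {"remote-user": b"example-shared-secret"}   # constructed sample
    auth = ChapAuthenticator(secrets)
    ident = 1
    chal = auth.challenge(ident)
    resp = chap_response(ident, secrets["remote-user"], chal)
    first = auth.verify(ident, "remote-user", resp)
    auth.challenge(ident)                 # new attempt, new challenge
    replay = auth.verify(ident, "remote-user", resp)
    return first, replay
```

`demo()` returns `(True, False)`: the genuine response verifies once, and the same response replayed against a fresh challenge is rejected.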
5.5.2 Remote Access Protocols
• Extensible Authentication Protocol (EAP) is an authentication protocol
that enables systems to use hardware-based identifiers, such as
fingerprint scanners or smart card readers, for authentication. Users
might need to provide a password in addition to the physical
authentication.
• Wired Equivalent Privacy (WEP) was the first attempt at securing
wireless transmissions over the 802.11 networks. As the name
implies, the level of security provided by WEP was equivalent to a
wired network.
• Wi-Fi Protected Access (WPA) is a security standard that provides
additional encryption capabilities for wireless transmissions.
• WPA2 is the latest advancement in the wireless protection protocols.
5.6 Data Network Security
• With data access allocated to both local and remote users, and data
networks designed to provide for data integrity, ensuring confidentiality is
the next phase in networking systems and telecommunications.
• Enforcing rigorous security protocols and mechanisms is essential for
preventing unauthorized entry and guarding against network attacks.
Because network vulnerabilities can be exploited and compromise system
resources, you need to take necessary measures to secure your data
network.
5.6.1 Network Attacks
• Denial of service (DoS) attacks can be used to target the availability of the
network or network services. DoS attacks may cause excessive use of
network resources.
• A man-in-the-middle attack occurs when an attacker interposes a device
between two legitimate hosts to gain access to their data transmissions.
• While spam usually does not cause a failure, it does cause network over-
utilization by filling networks with unwanted email messages.
• A Trojan horse or Trojan program is unauthorized software that
masquerades as legitimate software.
• A malicious code attack is a type of attack where an attacker inserts some
type of malicious software, or malware, into a user’s system to disrupt or
disable the operating system or an application.
5.6.2 Network Security Mechanisms
• An access control list (ACL) on a router can protect traffic with rules that either
permit or deny traffic through the router. With a consistent deny-all philosophy,
rules can be written to permit access by IP address, protocol type, application
type, and session status.
• Many administrators place hardware-based firewalls between the external and
internal network components to protect the systems.
• An implemented intrusion detection system (IDS) can detect unwanted network
attacks and alert an administrator to such events. IDS devices use a signature file
that contains patterns of activity known to represent an attack.
• Using an intrusion prevention system (IPS) can be helpful in network security. The
IPS is placed inline; it does not merely monitor traffic, but reacts when an intrusion is
identified and blocks the event.
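The deny-all ACL above, together with the firewall behaviour from 5.4.1 (unsolicited inbound traffic blocked, replies to internal requests allowed), as an added example that is not part of the lecture. Rules are evaluated first-match with an implicit deny; the session table supplies the "session status" criterion. All addresses, ports and rules are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional
# Added example, not from the lecture; addresses and rules are constructed samples.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    inbound: bool   # True = arriving from the untrusted side
@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "any"                # exact source address or "any"
    proto: str = "any"
    dport: Optional[int] = None
    inbound: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.inbound is None or self.inbound == p.inbound))

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()       # (internal host, external host, proto)

    def decide(self, p: Packet) -> str:
        # Session status: an inbound packet answering an internal request passes.
        if p.inbound and (p.dst, p.src, p.proto) in self.sessions:
            return "permit"
        for r in self.rules:        # first matching rule wins
            if r.matches(p):
                if r.action == "permit" and not p.inbound:
                    self.sessions.add((p.src, p.dst, p.proto))
                return r.action
        return "deny"               # nothing matched: implicit deny-all

def demo():
    fw = StatefulFilter([
        Rule("permit", src="203.0.113.7", proto="tcp", dport=22, inbound=True),
        Rule("permit", proto="tcp", dport=443, inbound=False),
    ])
    outbound = fw.decide(Packet("10.0.0.5", "198.51.100.9", "tcp", 443, False))
    reply = fw.decide(Packet("198.51.100.9", "10.0.0.5", "tcp", 51000, True))
    unsolicited = fw.decide(Packet("198.51.100.9", "10.0.0.6", "tcp", 445, True))
    admin_ssh = fw.decide(Packet("203.0.113.7", "10.0.0.1", "tcp", 22, True))
    return outbound, reply, unsolicited, admin_ssh
```

`demo()` returns `("permit", "permit", "deny", "permit")`: the internal HTTPS request and its reply pass, the unsolicited inbound SMB packet hits the implicit deny, and only the one listed administrative host may open SSH inbound.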
Firewall configuration and deployment
• A hardened server may present itself as a bastion host. By
removing all unnecessary services from the bastion host, the
device becomes less vulnerable to attacks and protects itself.
Servers presented to the Internet should be configured as
bastion hosts for the greatest level of protection.
• Dual-homed firewalls have two network ports. One port
faces the Internet, or the untrusted part of the network, and
the other port faces the trusted part of the network.
Firewall configuration and deployment
• A screening host is a firewall with limited capabilities, such as
a router that protects the trusted part of the network with
ACLs.
• A screened subnet is often called a demilitarized zone (DMZ).
The DMZ is an area in a network where resources are made
available to Internet users. The devices in the screened
subnet are often bastion host devices with specific
applications used by external users and internal users alike.
Some screened subnets are termed extranets because they
provide corporate information systems access to external
customers and partners.
5.7 Data Network Management
• A data network should be designed for performance, usability, and
security. But what happens when the data network goes down? Users
are unable to access system resources, productivity decreases, and
the business suffers. Or worse, data could be irrevocably damaged or
lost. To ensure reliability and avert a data-related catastrophe, you
need to effectively manage the data network.
• Once your network design is implemented successfully, you may then
incorporate the controls needed to keep the network operating at
peak efficiency.
Data backup
• A data backup is a second copy of data captured at a point in time
and stored in a secure area as a precautionary safeguard in case of a
disaster. Backups can use a variety of media copy mechanisms and
different methods for selecting the data to back up. These variables
affect the amount of data stored and the amount of time and media
required for the backup.
• Organizations often back up databases to magnetic tape on a regular
basis and then transport the tapes to an offsite, secure storage facility
for protection.
Standardized data backup methods
• A full backup is a method that backs up all selected files. It is used as a
starting point for all backup activities. As the name suggests, all
information is copied to the backup media. When a file is modified, the
archive bit is turned on. The full backup then clears the archive bit, making
it easier to identify files needing backup and those that have not been
modified.
• An incremental backup clears the archive bit and reduces backup time and
media. Incremental backup copies files and databases that have been
modified since the last full backup.
• A differential backup copies all modifications since the last full backup to
the backup media. It does not turn off the archive bit; over a period
between full backups, the amount of media required for a differential
backup continues to grow.
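The archive-bit behaviour of the three methods above, simulated over a few days of edits, as an added example that is not part of the lecture. A full backup copies everything and clears every bit, an incremental copies flagged files and clears their bits, and a differential copies flagged files but leaves the bits set, so its size grows until the next full backup. File names and the edit sequence are constructed samples.

```python
# Added example, not from the lecture: archive-bit simulation of full,
# incremental and differential backups. Files and edits are constructed samples.
def full_backup(files):
    """Copy every selected file and clear every archive bit."""
    copied = sorted(files)
    for name in files:
        files[name] = False
    return copied

def incremental_backup(files):
    """Copy files whose archive bit is set, then clear the bit."""
    copied = sorted(n for n, bit in files.items() if bit)
    for name in copied:
        files[name] = False
    return copied

def differential_backup(files):
    """Copy files whose archive bit is set but leave the bit on,
    so each differential set grows until the next full backup."""
    return sorted(n for n, bit in files.items() if bit)

def modify(files, *names):
    """Editing a file turns its archive bit on."""
    for name in names:
        files[name] = True

def simulate(method):
    """Full backup on day 0, then the given method after each day's edits.
    Returns a log of (day, files copied) so the set sizes can be compared."""
    files = {"payroll.db": True, "notes.txt": True, "report.doc": True}
    log = [("full", full_backup(files))]
    edits = (("mon", ("payroll.db",)), ("tue", ("notes.txt",)), ("wed", ("payroll.db",)))
    for day, changed in edits:
        modify(files, *changed)
        log.append((day, method(files)))
    return log

def restore_chain(log, method):
    """Backup sets needed for a restore: the whole chain for incremental,
    only the full set plus the latest set for differential."""
    if method is differential_backup:
        return [log[0], log[-1]]
    return log
```

With `simulate(incremental_backup)` each day copies only that day's edited file, whereas `simulate(differential_backup)` copies `["payroll.db"]`, then `["notes.txt", "payroll.db"]` on Tuesday and again on Wednesday, showing the growth the slide describes.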
Standardized data backup methods
• Remote journaling is a method wherein real-time copies of database
transactions are stored in journals at a remote location. Journals can be
replayed to transfer a database back to normal conditions. Should a
disaster occur, the latest copy of the database is restored and the
database then reprocesses the remote journal up to the last successfully
completed transaction.
• Electronic vaulting is used to copy modified files to an offsite location. It is
not done in real-time like remote journaling. To restore an electronic vault
after failure recovery, the files are copied back to the failed site over the
network.
SPOF
• A single point of failure is any device, circuit, or process that causes
the unavailability of data upon failure, thus requiring consistent
maintenance and redundancy.
• All RAID forms except for RAID 0 reduce the threat of loss due to disk
failures and provide protection.
• To reduce the damage caused by the loss of a communications circuit
in a data network, a backup circuit should be made available and
installed.
• Server clustering allows servers to work together to provide access,
ensuring minimal data loss from a server failure.
• Router redundancy is the technique of deploying multiple routers in
teams to limit the risk of routing failure should a router malfunction.
5.8 Self-Test Questions
a) A user calls the help desk complaining that there is a strange application on
his computer. Upon further investigation, you discover that he had
downloaded what he thought was a music application, but was actually some
type of unauthorized software. Which attack could this be?
b) Your users cannot access a server and you notice almost 100% network
saturation. Which attack might be underway?
c) Which security protocol is an upgraded version of SSL?
d) Your network has been attacked and you want to check the inline device that
should have identified the intrusion and blocked it. Which network security
mechanisms should you choose?
e) As a starting point for all backup activities, what backup method should be
used?
5.9 Summary
• You identified the technologies and protocols that secure remote data
access to network systems. Understanding network security helps ensure
that you eliminate the risk of exposing network resources to unauthorized
users.
• Adding security measures for remote access users is critical because
simple passwords alone cannot verify a remote user's identity.
• Effectively providing remote access to a data network will help you create
availability and integrity for remote users.
5.10 Suggestion for further reading
Certified Information Systems Security Professional (CISSP)®: Second Edition.
Charles P. Pfleeger, Security in Computing, Prentice Hall, 3rd Edition.
William Stallings, Cryptography & Network Security: Principles and Practice.