Computer Network Mangment - Essay Example

SECURITY ASPECTS OF NETWORK College February 25, 2008 INTRODUCTION In the given scenario, Pay land is going to use LAN's and WAN's for interconnection in all its offices. This paper adopts a problem solving approach to the scenario. So this paper proceeds with discussing the problems encountered in the implementation of a LAN and a WAN. Then solutions to each problem are suggested with the use of relevant technologies. A Local Area Network (LAN) can provide access to microcomputer-based software and hardware to users that otherwise might need to move from workstation to another to use needed applications. PROBLEMS IN LAN IMPLEMENTATION While Wi-Fi networks are often seen as simple and inexpensive to deploy, there are plenty of hidden costs and complexities lurking under the surface. Problems with radio frequency interference and site surveys often plague enterprises deploying wireless local area networks. Wireless LAN deployments are often expensive for companies because RF surveys, which help ensure proper network coverage, can cost as much as $1,000 per access point, Interference is also becoming a problem for many businesses Having high quality of service over Wi-Fi networks will be increasingly important, particularly when it comes to voice and eventually video data, because that technology was not intended for those uses. Third-party vendors are developing products that can help IT managers both configure access points and control them, ensuring better coverage. Company's products enable IT managers to bypass costly RF surveys. Instead, they can use low-cost, commoditized access points. With Sputnik's firmware, these access points configure themselves, and are controlled from a central management console. So instead of installing a few costly access points from vendors such as Cisco Systems Inc., Sifry said, an enterprise could mount a larger number of inexpensive access points and forgo the RF survey. Carriers are particularly interested in wide area wireless technology because it can help to boost cell phone coverage within buildings. The No. 1 reason enterprise customers switch carriers is poor service, Sly said, and this product can help carriers keep their customers, but it also gives them a presence inside the enterprise. SANTA CLARA, Calif. -- While Wi-Fi networks are often seen as simple and inexpensive to deploy, there are plenty of hidden costs and complexities lurking under the surface. Now, a number of new vendors are poised to remedy those problems. Panelists at the Pulver.com Wireless Internet Summit said that problems with radio frequency interference and site surveys often plague enterprises deploying wireless local area networks. Wireless LAN deployments are often expensive for companies because RF surveys, which help ensure proper network coverage, can cost as much as $1,000 per access point, said Albert Lew, director of product management for Burlington, Mass.-based wireless LAN vendor Legra Systems Inc. IT departments usually lack the expertise to do these surveys themselves, he said. Interference is also becoming a problem for many businesses, said Tyler Burns, product marketing manager with Ottawa-based wireless products manufacturer IceFyre Semiconductor Inc. He noted that the growing popularity of Wi-Fi, and the numerous technologies that compete with it, are taking up much of the space in the 2.4 GHz RF band. Having high quality of service over Wi-Fi networks will be increasingly important, particularly when it comes to voice and eventually video data, because that technology was not intended for those uses, said Warren Sly, director of marketing for Bellevue, Wash.-based in-building wireless infrastructure company RadioFrame Networks Inc. Third-party vendors, such as San Francisco-based Sputnik Inc., are developing products that can help IT managers both configure access points and control them, ensuring better coverage. Dave Sifry, CTO and co-founder of Sputnik, said that his company's products enable IT managers to bypass costly RF surveys. Instead, they can use low-cost, commoditized access points. With Sputnik's firmware, these access points configure themselves, and are controlled from a central management console. So instead of installing a few costly access points from vendors such as Cisco Systems Inc., Sifry said, an enterprise could mount a larger number of inexpensive access points and forgo the RF survey. Sly said that enterprises may soon be able to avoid deploying their own access points altogether. He said RadioFrame sells a mountable box that provides not only Wi-Fi connectivity but also multiple types of wide area wireless coverage. It is currently available through Nextel Communications Inc. Carriers are particularly interested in wide area wireless technology because it can help to boost cell phone coverage within buildings. The No. 1 reason enterprise customers switch carriers is poor service, Sly said, and this product can help carriers keep their customers, but it also gives them a presence inside the enterprise. In time, Lew said, Wi-Fi networks will become aware of RF interference and self-adjust to avoid interference. However, that technology is still a ways off. SANTA CLARA, Calif. -- While Wi-Fi networks are often seen as simple and inexpensive to deploy, there are plenty of hidden costs and complexities lurking under the surface. Now, a number of new vendors are poised to remedy those problems. Panelists at the Pulver.com Wireless Internet Summit said that problems with radio frequency interference and site surveys often plague enterprises deploying wireless local area networks. Wireless LAN deployments are often expensive for companies because RF surveys, which help ensure proper network coverage, can cost as much as $1,000 per access point, said Albert Lew, director of product management for Burlington, Mass.-based wireless LAN vendor Legra Systems Inc. IT departments usually lack the expertise to do these surveys themselves, he said. Interference is also becoming a problem for many businesses, said Tyler Burns, product marketing manager with Ottawa-based wireless products manufacturer IceFyre Semiconductor Inc. He noted that the growing popularity of Wi-Fi, and the numerous technologies that compete with it, are taking up much of the space in the 2.4 GHz RF band. Having high quality of service over Wi-Fi networks will be increasingly important, particularly when it comes to voice and eventually video data, because that technology was not intended for those uses, said Warren Sly, director of marketing for Bellevue, Wash.-based in-building wireless infrastructure company RadioFrame Networks Inc. Third-party vendors, such as San Francisco-based Sputnik Inc., are developing products that can help IT managers both configure access points and control them, ensuring better coverage. Dave Sifry, CTO and co-founder of Sputnik, said that his company's products enable IT managers to bypass costly RF surveys. Instead, they can use low-cost, commoditized access points. With Sputnik's firmware, these access points configure themselves, and are controlled from a central management console. So instead of installing a few costly access points from vendors such as Cisco Systems Inc., Sifry said, an enterprise could mount a larger number of inexpensive access points and forgo the RF survey. Sly said that enterprises may soon be able to avoid deploying their own access points altogether. He said RadioFrame sells a mountable box that provides not only Wi-Fi connectivity but also multiple types of wide area wireless coverage. It is currently available through Nextel Communications Inc. Carriers are particularly interested in wide area wireless technology because it can help to boost cell phone coverage within buildings. The No. 1 reason enterprise customers switch carriers is poor service, Sly said, and this product can help carriers keep their customers, but it also gives them a presence inside the enterprise. In time, Lew said, Wi-Fi networks will become aware of RF interference and self-adjust to avoid interference. However, that technology is still a ways off. SOLUTIONS TO PROBLEMS The development and implementation of the LAN requires the use of systems analysis techniques. In addition, it needed a good deal of awareness and understanding of the current information technology, commitment and perseverance, in order to be able to conceptualize this innovation, visualize the end, and grasp the momentum when this change could be implemented. Managers, librarians, and staff, as well as other administrators in the organization, must be aware of the potential of information technology (IT). These include some understanding of the technology itself, besides understanding all relevant ramifications in a process of this nature. It is also necessary to have commitment strong enough to overcome possible drawbacks and changes that occur in these projects. Political acumen becomes mandatory. Managers must have a good deal of information about the environment in and out of the library. Such information will be extremely valuable to determine the right time to pursue the implementation of a well-thought project, such as HL' LAN. In some instances, external pressure may become the driving force to implement change in the library, even though IT awareness and understanding is a prerequisite to conceptualizing the innovation, to visualize it, and having the commitment to develop and implement it. Most issues, problems and implications in IT innovation are the same related to managers' responsibilities -- planning, organizing, staffing, controlling, allocating resources, budgeting, etc. Some of the most sensitive issues come from staffing, organizing, budgeting, and clients' demands and expectations. Library work flow will change with IT, higher levels of use may occur in departments and services, requiring staff reallocation. Training staff to accommodate to these new pressures and coping with techno stress, technophobia, or resistance to change is one of the most enduring and critical tasks. Training library users becomes more intensive and extended when IT is accessible. Coping with budget allocations and increasing demands from staff and the public becomes a skill that demands accurate knowledge of constituencies including accurate information on the enrollment figures, number of teachers, degrees held, conferred degrees, information seeking patterns, library use patterns, and substantial knowledge about their clout in the organization. DISASTER RECOVERY - STEPS BIA: Identifies the financial, operational and service impacts that may result from a disruption in daily business or organization's operations. PREVENTION: Addresses the plans and issues that deal with reducing the possibilities of a disruption occurring and minimizing exposures RESPONSE: The reaction to an incident or emergency including assessing the damage or impact, and typical issues include emergency response procedures, crisis management, and crisis communication RESUMPTION: Implementing the restoration of the most time-sensitive, essential business operations as quickly as possible and includes the transfer of business operations and resources from temporary facilities to permanent facilities RECOVERY: Implementing expanded recovery operations for less time-sensitive business operations RESTORATION: Implementing the repair or relocation of the primary site and the restoration of normal business operations at the primary site DEBRIEFING: Reviewing and correcting plans based on experiences learned VIRTUAL PRIVATE NETWORKS The VPN is a data network connection that makes use of the public telecommunication infrastructure, but maintains privacy through the use of a tunneling protocol and security procedures. It is called "virtual" because it depends on the use of virtual connections - that is temporary connections, but consists of packets routed over various machines on an ad-hoc basis. It is an implementation of a private network on top of the Internet technology infrastructure using modern switching or routing hardware, encryption, authentication, packet tunneling and firewalls. A well-designed VPN should incorporate Security, Reliability, Scalability, Network management, Traffic control, Policy management Advantages of a VPN Reduces operational costs versus a traditional WAN Extends geographic connectivity Improves security Reduces transit time and transportation costs for remote users Provides global networking opportunities Provides faster ROI (Return On Investment) than a traditional WAN Disadvantages of a VPN VPNs require an in-depth understanding of public network security issues and proper deployment of precautions. The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of their control. VPN technologies from different vendors may not work well together due to immature standards. VPN needs to accommodate protocols other than IP and existing ("legacy") internal network technology. FIREWALL A firewall is a system for protecting the confidentiality, integrity, and availability of data held on networked computers and, increasingly in this age of electronic business, corporate reputation. Strictly speaking, the term "fire wall" means a fireproof barrier designed to prevent fire spreading from one part of a building to another. From the computer security perspective, "firewall" is a good metaphor for the barrier placed between a trusted and an untrusted network such as the Internet. Indeed, firewalls can provide a security barrier between any networks, external or internal, where the flow of traffic needs to be controlled. Rather like a security guard posted on the front door, a firewall acts by inspecting the electronic messages that attempt to pass through it. Using rules set up by the Network Administrator, the firewall either permits or denies access. Thus, a firewall might be set up to permit all traffic of a certain type (say e-mail) but to deny all other requests. It might also be configured to deny all messages of a specified type, except for those emanating from a specified network address(s). Firewalls are designed to protect against active attempts of various types to breach network security. A key benefit is that a firewall focuses security administration at a single point, thereby simplifying the implementation of security policy, the tracking of data, and auditing. A firewall will also gather evidence of attacks, potentially allowing an organization to pursue legal action. A firewall also has its limitations. It's unable to protect against malicious insiders; completely new (unknown) threats; attacks from network connections that don't pass through it; social engineering attacks; and the result of being wrongly set up. Furthermore, firewalls are not primarily designed to protect against virus attack. Although some do offer virus protection, detecting a virus in a random packet of data passing through a firewall is very difficult. Finally, firewalls do not run themselves; they need to be actively managed. A firewall must be configured to implement correctly a sensible security policy (one that is in line with the organization's needs, which might change), its software needs to be updated in line with vendor updates, and the firewall log needs to be reviewed frequently for signs of attempted attacks. To obtain assurance that a firewall provides adequate protection, the auditor should: Consider whether the security policy is a good match for the organization's needs; Consider whether the firewall system is a suitable design for enforcing the security policy; Consider whether the firewall is correctly set up to implement the security policy; and finally.. Review evidence that suitable testing confirms that the firewall is operating as documented. A firewall should be viewed more as an overall approach to security rather than a set of components. Nevertheless, a firewall usually comprises: A dedicated computer: this is the firewall's hardware component. It might be a router, PC or server placed at the network junction where firewall security is needed, its task being to scan all the inbound and outbound network traffic to determine which requests are permissible and which should be blocked. In a commercial environment (as opposed to a home PC) this critical function is placed on a dedicated machine, separated from the rest of the network, and all inbound/outbound traffic is forced to pass through it; Software: special "packet filtering" software examines each packet of data within each network transmission. The filter determines whether the packet has been transmitted from an acceptable source and whether the packet carries requests for legitimate information in a properly secured manner; Security policy: in addition to its hardware and software components, a firewall also relies on a set of rules or "security policy", set up and maintained by the Network Administrator. This is a simple explanation and more complex firewall configurations are possible. FAULT TOLERANCE SYSTEM One of the design goals for Pay land is fault tolerance. Pay land implements fault tolerance in several ways: Robust communication infrastructure Transactions Hot backup server Robust Communication Infrastructure The Pay land server and client communications have been designed and tested for robustness. Pay landd is a forking server which allows it to handle multiple requests simultaneously, each in a separate process. This approach prevents one hanging or problematic connection from preventing other requests from getting serviced. Additionally, messages between the client and server are handled with a timeout select in non-blocking read and write loops in order to prevent hangs due to dropped connections. The use of strong security for authentication and encryption can prevent third parties from hijacking or eavesdropping on the communications. Transactions Pay land uses a database backend for data persistence. Each request performs its work within a transaction, which is committed or rolled-back as a unit depending on the success or failure of the request. This approach ensures that all requests are atomic, even if the client, server or database is interrupted at any point in the request. Hot Backup Server Pay land can be configured to employ a hot backup server. Such a configuration would also require the use of a synchronous multi-master replicated database such as pgcluster. If a Pay land client detects that the primary Pay land server or its database is unavailable, it will automatically forward the request to the backup Pay land server if one is configured. OTHER SECURITY MEASURES Working with a VPN (virtual private network). A VPN is basically an encrypted tunnel through which your data can pass. A VPN connects two endpoints, usually the system you're on and a corporate server. VPNs allow companies to extend their network out to geographically dispersed systems -- in other words, remote and home offices. Using a smart card. Smart cards usually look similar to a calculator, and are designed to generate one-use passwords. They usually have a keypad and a small LCD display. You punch in your assigned PIN and then the smart card displays a password. You generally have about 30 seconds to log in using special software and enter your newly generated password. Each time you log in to the system, you have to use a newly generated password. Installing a firewall. Different companies have different policies regarding the use of firewalls. Some may suggest that you install personal firewalls only on the system with which you work, and others may demand that you set up a network firewall (doubly so if they find out you're wireless). Firewalls act like a choke point. They can be set up to reject or accept different kinds of traffic such as e-mail, Web, FTP (File Transfer Protocol), and telnet, and they can disallow network connections from individual machines or networks. Some firewalls can be configured to filter out certain content, such as adult-oriented material. What these filter out depends largely on the company's policies. Installing and keeping an up-to-date virus scanner or shield. Virus scanners not only protect you from picking up the latest destructive computer viruses, but they can keep you from spreading them unwittingly to your coworkers. Regularly scanning and removing spy ware tools, cookies, and other programs. Spy ware tools can be added to your system without your knowledge just by visiting Web sites or accepting e-mails from unknown companies. The primary use of spy ware is to send information about your online habits back to a collection unit. Information that can be collected includes e-mail addresses, URLs, and even passwords and credit card numbers. (One of the best programs available for getting rid of spy ware is Spybot Search and Destroy. Best of all, it's free.) Implementing physical security for your systems. By physical security, most companies aren't talking about locking the door to your office. They want you to have boot passwords for all computers, screen-saver passwords, and other precautions. All of these physical security measures are meant to make it harder for your equipment to be stolen or broken in to. If you travel a lot, there are systems you can place on a laptop that will sound an alarm if the laptop moves more than 20 feet away from you. This is more than handy if someone tries to snatch your laptop bag while you're waiting in an airport security line. Start with physical security. Enable boot and screen-saver passwords on your desktop and laptop computers. By doing so, all information on those systems stay somewhat safe if they are stolen or broken into. Make regular backups of client data, and make sure that the backups are encrypted. Also, if the backups are on removable media, such as tapes or CDs, place those backups in a locking and fireproof file cabinet or safe, or even in a secure off-site location. If you're in the IT business, consider using more industrial-strength tools, such as encryption keys for e-mail and SSH (secure shell), instead of telnet when connecting to a remote machine. Encrypt anything confidential about your client. Many Web consultants have access to their client's system passwords, e-commerce settings, and even banking information. If any of this information falls into the wrong hands, it could mean untold grief for you. Use professional-grade deletion software to clean up files on computer systems. Just deleting files or sending them to the trash or recycle bin often does not completely remove files. Part or all of deleted files can stay on a computer system for years and years. You wouldn't want an old laptop you sell to someone else to give away your customer's secrets, right Although most of these security measures may seem like a pain or hassle, they're all part of what a professional consultant does to safeguard his or her client's data. Remember, safeguarding client data is the same thing as safeguarding repeat business. CONCLUSION IT implementation generally has special staff needs. Levels of required IT expertise will vary according to the innovation. Managers will have to identify staff members with expertise and allow time for these to pursue further training, or resort to hiring trained people. Even this requires considerable effort in assessing the need and building a need for new hiring to upper management Clearly, the issues, problems and implications of developing and implementing a LAN, or any innovation are far from simple and straight forward. The ones mentioned in this paper are just a summary of those perceived as critical. Many other issues must be taken in consideration depending on the library, the staff and the environment in each organization. The management must be versed on the necessary techniques to assess the needs and determine the feasibility of any innovation in the workplace and its impact on staff and the users combined with political savvy. REFERENCES Ortiz, Daniel and Quintana, Debbie A., "New information technology in Puerto Rican Academic Libraries: Potential and barriers for its implementation," in Proceedings of the 4th International Conference on New Information Technology, Budapest, December 1-3, 1991, edited by Ching-chih Chen. West Newton, MA: MicroUse Information, 1991. pp. 145-158 http://www.copleyassoc.com APPENDIX Example Fault tolerance system configuring Pay land with a hot backup server using pgcluster: For this example we will assume that we have two head nodes called primary and backup. Unpack and install Pay land on both the primary and backup nodes. Follow the installation instructions for Preparation and Install Prerequisites with the exception that pgcluster will need to be installed in the place of postgresql (pgcluster is a repackaging of postgresql with patches for replication). PGCluster is a synchronous multi-master replication system based on postgres. PGCluster 1.3c is based on PostgreSQL 8.0.1. PGCluster is available at: # Follow the INSTALL_PGCLUSTER instructions for installing pgcluster. # The following are some of the highlights: [root] useradd postgres [root] cd /usr/local/src [root] wget http://hiroshima.sraw.co.jp/people/mitani/jpug/pgcluster/src/1_3/pgcluster-1.3.0c.tar.gz [root] tar -zxvf /tmp/pgcluster-1.3.0c.tar.gz [root] chown -R postgres.postgres pgcluster-1.3.0c [postgres] cd /usr/local/src/pgcluster-1.3.0c [postgres] ./configure --enable-thread-safety [postgres] make [root] make install [root] chown -R postgres /usr/local/pgsql [postgres] /usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data [postgres] vi /usr/local/pgsql/data/pg_hba.conf host all all /32 trust host all all /32 trust # This example configure pgcluster with a pgcluster and a replication server on the # the primary node, and a pgcluster on the backup node. This was found through testing # to be the most stable configuration. No load balance server is used. [postgres@primary,backup] vi /usr/local/pgsql/data/cluster.conf: primary.emsl.pnl.gov 8001 8101 8201 ssh -x read_write # A single replication server is configured on the primary node only [postgres@primary] vi /usr/local/pgsql/etc/pgreplicate.conf: sst.emsl.pnl.gov 5432 7101 7201 # Rsync and openssh have to be installed allowing non-interactive ssh connections # Install openssh [root] cd /usr/local/src [root] wget http://mirror.mcs.anl.gov/openssh/portable/openssh-3.9p1.tar.gz [root] tar -zxvf openssh-3.9p1.tar.gz [root] cd openssh-3.9p1 [root] LIBS=-lcrypt ./configure --prefix=/usr --sysconfdir=/etc/ssh [root] make [root] make install [root] vi /etc/ssh/ssh_config # ForwardX11 no [root] vi /etc/ssh/sshd_config RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys [root] /etc/init.d/ssh restart [postgres] cd /.ssh [postgres] ssh-keygen -t rsa # No pass phrase [postgres] cp id_rsa.pub authorized_keys [postgres] cat >> authorized_keys # Test ssh to/from both hosts to ensure non-prompting operation and clear known_hosts # Test rsync # The following is how you startup the replicated database on the two servers # The Pay land server should be in a quiesced state (or not started yet) # Start the pgcluster and the replication server on the primary [postgres@primary] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -o "-i" start [postgres@primary] /usr/local/pgsql/bin/pgreplicate -D /usr/local/pgsql/etc -l # Start the pgcluster on the backup [postgres@backup] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -o "-i" start # The following is how you stop the replicated database on the two servers # The Pay land server should be in a quiesced state (or already shut down) # Stop the replication server on the primary, then the pgcluster [postgres@primary] /usr/local/pgsql/bin/pgreplicate -D /usr/local/pgsql/etc stop [postgres@primary] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data stop # Stop the pgcluster on the backup [postgres@backup] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data stop # The following is how you recover the replicated database on the primary # The Pay land server should be in a quiesced state (or shut down on primary and backup) # If the pgcluster on the backup is not already running then start it # [postgres@backup] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -o "-i" start # Start the replication server on the primary [postgres@primary] /usr/local/pgsql/bin/pgreplicate -D /usr/local/pgsql/etc -l # Start the pgcluster on the primary in recovery mode [postgres@primary] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -o "-i -R" start # The following is how you recover the replicated database on the backup # The Pay land server should be in a quiesced state (or shut down on primary and backup) # If the pgcluster and replication server on the backup are not already running then start them # [postgres@primary] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -o "-i" start # [postgres@primary] /usr/local/pgsql/bin/pgreplicate -D /usr/local/pgsql/etc -l # Start the pgcluster on the backup in recovery mode [postgres@backup] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -o "-i -R" start ....Now back to the Pay land installation.... Continue following the Pay land installation instructions for Configuration, Compilation, Perl Module Dependencies, and Installation. In General Setup, when you edit the Pay land client config file (i.e. /usr/local/Pay land/etc/Pay land.conf), uncomment the server.backup property and specify the name of the backup host. server.backup = backup The Database Setup has partly been done during the pgcluster setup above. The databases should already have been initialized on both the primary and the backup. The /usr/local/pgsql/data/pg_hba.conf should already have been modified to define the hosts for both the primary and backup servers. Start up the replicated databases. [postgres@primary] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -o "-i" start [postgres@primary] /usr/local/pgsql/bin/pgreplicate -D /usr/local/pgsql/etc -l [postgres@backup] /usr/local/pgsql/bin/pg_ctl -D /usr/local/pgsql/data -o "-i" start Create the Pay land user on the primary only. [postgres@primary] /usr/local/pgsql/bin/createuser Pay land Shall the new user be allowed to create databases y Shall the new user be allowed to create more new users n Create the Pay land database as the Pay land user on the primary only. [Pay land@primary] /usr/local/pgsql/bin/createdb Pay land Perform the Bootstrap step on the primary only. [Pay land@primary] /usr/local/pgsql/bin/psql Pay land < bank.sql Startup the Pay land server daemons on both the primary and the backup. [Pay land@primary,backup] /usr/local/Pay land/sbin/Pay landd Proceed as normal, with the Initialization and Customization steps. Note: Only the non-interactive clients will automatically switch to use the hot backup. The Pay landsh client and the web-based gui will not do so. Also, 3rd party applications that communicate with the Pay land server may not automatically fail-over such as the Maui Scheduler and the Moab Cluster Manager. Read More