Campus Area Networks or Corporate Area Networks (CANs)

Campus area networks or corporate area networks (CANs) are combinations of interconnected local area networks inside a limited geographical area.

Metropolitan Area Networks (MANs)

Metropolitan area networks (MANs) are widespread combinations of interconnected local area networks inside a medium-sized geographical area. This designation is applied to networks that operate between LANs and WANs and most likely connect different LANs to a WAN.

Wireless Local Area Networks (WLANs)

Wireless local area networks (WLANs) are local area networks of more than two devices that are connected by wireless radio communication methods. These networks may also interconnect through a wireless access point, which also attaches the LAN to a wide area network, such as the Internet.

Storage Area Networks (SANs)

Storage area networks (SANs) are a network of dedicated storage devices configured for the express purpose of providing consolidated data storage. These devices act in a transparent manner so that they appear to be an integral part of the network’s server(s).

Layer 1: Physical

This layer is concerned with the transmission media used to move data. Functions associated with this layer include moving the data onto the transmission media, providing electrical or light signals, the mechanical compatibility between the communications port and the media, and activation and deactivation of the physical connection.

Layer 2: Data Link

This layer involves controlling how the data is packaged and moved between communication points. At this layer, the data is formatted into frames suited for transmission. Components at this level also add error detection and correction functions to the frames, as well as media access protocols and specific information about transmission to specific nodes on the same network segment.

Layer 3: Network

Elements of the network layer are responsible for controlling the routing of data packets between different communication nodes, network segments, or media types. This includes multiplexing and demultiplexing signals as they pass from one media type to another, assembling and disassembling message packets, and establishing, maintaining, and terminating connections.

Layer 4: Transport

The transport-level components are responsible for providing an orderly end-to-end flow of data that includes sequencing of data packets and providing basic error-recovery functions and flow control.

Layer 5: Session

This layer of the model is dedicated to setting up and managing sessions between applications as well as providing parameters such as security. Activities conducted by components at this level include stopping and starting data transfers, controlling the flow of data between applications, and providing network failure recovery options. This layer deals with management of transmission security options such as authentication and tunneling protocols.

Layer 6: Presentation

The elements of this level are tasked with controlling how the data looks to the user at the destination end. Functions provided by components at this level include visually formatting and presenting data, dealing with data compression and encryption functions, and starting/stopping control of sessions.

Layer 7: Application

The highest level of abstraction for the OSI model is concerned with the network handling of data for end-user applications. Services such as email and the web browser are application examples where the application layer is functioning. At this level of the model, user IDs and passwords are authenticated and user services are provided.

Bus Topology

In the bus topology, the nodes, or stations, of the network connect to a central communication link. Each node has a unique address along the bus that differentiates it from the other users on the network. Information can be placed on the bus by any node. The information must contain the network address of the node, or nodes, for which the information is intended. Other nodes connected to the bus will ignore the information.

Ring Topology

In a ring network configuration, the communication bus is formed into a closed loop. Each node inspects the information on the network as it passes by. A repeater, built into each the network adapter of each node, will regenerate every message not directed to it and send it to the next appointed node. The originating node eventually receives the message back and removes it from the ring.

Ring topologies tend to offer very high data-transfer rates but require additional management overhead. The additional management is required for dependability. If a node in a ring network fails, the entire network fails. To overcome this, ring designers have developed rings with primary and secondary data paths as depicted in Figure 12.4. If a break occurs in a primary link, the network controller can reroute the data onto the secondary link to avoid the break.

Star Topology

In a star topology, the logical layout of the network resembles the branches of a tree. All the nodes are connected in branches that eventually lead back to a central unit. Nodes communicate with each other through the central unit.

The central station coordinates the network’s activity by polling the nodes, one by one, to determine whether they have any information to transfer. If so, the central station gives that node a predetermined slice of time to transmit. If the message takes longer to transmit than the time allotted, the message will be chopped into small packets of information that are transmitted over several polling cycles.

Mesh Topology

The mesh network design offers the most basic network connection scheme and the most extensive management scheme. In this topology, each node has a direct physical connection to all the other nodes in the network. Mesh topologies are employed in two very large network environments—the public telephone system and the Internet, as well as in small, wireless piconet communication networks that include Bluetooth and ZigBee networks.

Piconets are small, short-range networks of devices grouped together to communicate on the same channel. One of the devices operates at the master device, or coordinator, while the other devices operate as slaves. The role of master device can circulate through the network with different devices assuming that role as it becomes available.

Objectives

• Describe the purpose of IPsec.
• Create a Connection Security rule.
• Explore the options of creating a Connection Security rule.
• Define “integrity and confidentiality” as they apply to IPsec.

Resources

• Customer-supplied desktop/laptop hardware system
• Windows 10 Professional installed (This procedure will also work successfully on PCs running Windows 10 Home Edition.)
• An account with administrative privileges

Discussion

Internet Protocol Security (IPsec) is an open standard using a suite of protocols for encrypting and authenticating IP communication that is commonly used in VPNs.

Protocols in this suite include:

• Authentication Headers (AH) provide data integrity and origin authentication to protect against replay attacks (attacks where a recorded transmission is replayed by an attacker to gain access). Encapsulating Security Payloads (ESP) offers origin authentication as well as encryption. ESP encrypts and encapsulates the entire TCP/UDP datagram within an ESP header that does not include any port information. This means that ESP won’t be able to pass through any device using port address translation (PAT).
• Security Associations (SAs) offer a number of algorithms and frameworks for authentication and key exchange.
• Internet Key Exchange (IKE) is the protocol used to set up a security association in IPsec.

Unlike SSL, IPsec operates at Layer 3 in the OSI model and secures everything in a network. IPsec also differs from SSL in that it is implemented on a client system, whereas SSL is built into a browser. All of this combined leads to a safer environment for transferring data, usually at a faster rate. There are two modes of IPsec:

• Transport mode – The IP payload is encapsulated only.
• Tunnel mode – The entire IP packet is encapsulated.

Connection Security includes authenticating two computers prior to communication and then ensuring the confidentiality between them. Windows employs IPsec to achieve Connection Security.

Procedure

In this procedure, you will discover how and where IPsec is configured. You will create a new Connection Security rule, and explore the options associated with IPsec. This procedure is intended to instruct you on how to create an IPsec communication; however, you will not be able to test it in this environment.

Creating a New Connection Security Rule

1. Right-click Connection Security Rules in the left pane and select New Rule to launch the New Connection Security Rule Wizard, as shown in Figure 12.8.

Depending on the Rule Type selected, there are anywhere from four to seven steps. Each step has multiple options from which to choose.

2. Record the Rule Types in Table 12.2. Pay special attention to the definitions of each.

Isolation

Authentication exemption

Server-to-server

Tunnel

Custom

3. Select each radio button next to the Rule Types to explore the different steps necessary for each. When finished, select the radio button associated with Isolation.

   The Rule Type specifies some basic settings based on the intended use of the rule. The Isolation rule will restrict access based on the authentication type and the network profile.

4. Click the Next button to proceed to the Requirements window.

   The choices here include:

   • Request authentication, but do not require.
   • Require authentication for inbound and outbound.
   • Require inbound, request outbound. A hybrid of the previous two options.

5. Read the definition of each and select Request Authentication For Inbound And Outbound Connections, as illustrated in Figure 12.9.

   

6. Click Next to view the Authentication Method window.

   Although four options are listed, the two involving Kerberos V5 are restricted to connections made within an Active Directory forest.

7. Select the radio button next to Advanced to make the Customize button available, as shown in Figure 12.10.

   

8. Click the Customize button to launch a separate Customize Advanced Authentication Methods window, as shown in Figure 12.11.

   

In this window, you can customize a list of authentication methods to fit your needs. Explore the window carefully.

9. Click the Add button located under First Authentication Methods: The Add First Authentication Method window will appear, as shown in Figure 12.12.

This Add First Authentication Method window offers four possible authentication methods from which to choose:

• Kerberos V5
• NTLMv2
• Certificate
• Preshared key (not recommended)

10. After exploring the options, click Cancel to exit the window. Click Cancel in the Customize Advanced Authentication Methods window as well.
11. You should be returned to the New Connection Security Rule Wizard – Authentication Method window. Select the radio button next to Default and then click Next. You will be directed to the Profile window.

These selections relate to the network connections in place on the computer. While a standalone computer in a networked office may not need to worry about using a Public network, a traveling laptop will need to ensure integrity and confidentiality over the Internet.

12. Leave all three check boxes selected, as shown in Figure 12.13, and click Next to move to the Name window.

    

13. Enter Request IPsec Rule under Name. Leave the Description (Optional): blank, as shown in Figure 12.14.

    

14. Click Finish to save the rule. You are brought back to the Windows Firewall With Advanced Security window. The new rule is now located in the middle pane, as illustrated in Figure 12.15.

    

Notice the right pane. The Actions panel has changed and more options are available.

To create an IPsec connection, another computer would configure a Connection Security rule using the same process. Any time the computers want to transfer information, an IPsec connection needs to be completed.

Recall that you selected the Request Authentication, Not Required option. Therefore, you can still connect to anyone else without a secure connection.

15. Select the rule in the middle pane to highlight it. In the right pane, click the Properties entry, as shown in Figure 12.16.

Each tab allows you to adjust the settings you selected in the New Connection Security Rule Wizard.

16. Explore each tab, and then click the Cancel button to exit the Properties window.

Lab Questions

1. What protocols are used in the IPsec standard?
2. At which level of the OSI model does IPsec operate?
3. With regard to authentication, what are the three options for Requirements?
4. Describe the difference between “integrity” and “confidentiality” as it relates to IPsec.
5. Define Connection Security.

Lab Answers

1. The protocols in this suite include:
   • Authentication Headers (AH) provide data integrity and origin authentication to protect against replay attacks (attacks where a recorded transmission is replayed by an attacker to gain access).
   • Encapsulating Security Payloads (ESP) offers origin authentication as well as encryption. ESP encrypts and encapsulates the entire TCP/UDP datagram within an ESP header that does not include any port information. This means that ESP won’t be able to pass through any device using port address translation (PAT).
   • Security Associations (SAs) offer a number of algorithms and frameworks for authentication and key exchange.
   • Internet Key Exchange (IKE) is the protocol used to set up a security association in IPsec.

2. Unlike SSL, IPsec operates at Layer 3 in the OSI model and secures everything in a network. IPsec also differs from SSL in that it is implemented on a client system, whereas SSL is built into a browser.
3. All of this combined leads to a safer environment for transferring data—usually at a faster rate. The options include:
   • Request authentication, but do not require.
   • Require authentication for inbound and outbound.
   • Require inbound, request outbound. A hybrid of the previous options.

4. The IPsec standard uses a suite of protocols to accomplish its goal of securing data. AH gives integrity while ESP provides both integrity and confidentiality.
   • Integrity – Confirms that the data packets have not been tampered with. Prevents man-in-the-middle attacks.
   • Confidentiality – Confirms that the data packets cannot be viewed by a malicious user.
   • Prevents network sniffers from viewing data.

5. Connection Security authenticates two computers prior to communication and then ensures the confidentiality between them. Windows employs IPsec to achieve connection security.