Redundant Links
Implementing redundant links at the core layer ensures that network devices can find alternate paths to send data in the event of a failure. When Layer 3 devices are placed at the core layer, these redundant links can be used for load balancing in addition to providing backup.
Security at the Network Edge
Many of the security risks that occur at the access layer of the network result from poorly secured end devices. User error and carelessness account for a significant number of network security breaches.
Three types of common security risks that occur at the access layer are as follows:
• Viruses
• Worms
• Trojan horses
Providing adequate security for end devices may not be in the scope of a network design project. Nevertheless, the designer needs to understand the network impact of a security incident, such as a worm or a Trojan, at an end device. The designer can then better determine which network security measures to put in place to limit the effects on the network.
Permitting network access to only known or authenticated devices limits the ability of intruders to enter the network. It is important to apply wireless security measures that follow recommended practices.
Today's networks are more likely to face an attack originating from the access layer of the internal network than from external sources. Thus, the design of server farm security is different from the older DMZ model. A layer of firewall features and intrusion protection is required between the servers and the internal networks, and between the servers and the external users. An additional security layer between the servers may also be required.

The sensitivity of data stored on the servers and contained in the transactions traveling the network determines the appropriate security policy for the design of the server farm.

To achieve high availability, servers are redundantly connected to two separate switches at the access layer. This redundancy provides a path from the server to the secondary switch if the primary switch fails. Devices at the distribution and core layers of the server farm network are also configured for redundancy and failover.

Because these servers will form the foundation of our network management and security, we will want to create a separate management VLAN which is isolated from the rest of the network by a firewall or access lists. The only traffic that we will allow in the management network is either from the managed devices or protected by encryption. 

A design goal will be to keep management traffic off the production network, to eliminate the possibility that it could be intercepted in transit. Ideally, we would configure each device with a physical port on the management VLAN; where that is not possible, management traffic is encrypted via ssh or IPSEC. For traffic coming into a subnet, we will permit only appropriate incoming packets, based on the policy of that subnet. Similarly, we will filter outbound traffic to eliminate spoofing and minimize any malicious or illegitimate activities. Finally, we will want to filter traffic leaving each subnet to prevent spoofing. The presence of incorrect source addresses could indicate either a misconfigured machine, or one which was compromised and is attempting to launch a DDOS or similar attack.
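The per-subnet filtering described above, written out as an added Cisco IOS example (not configuration from the original text; the subnet 10.1.10.0/24, the Vlan10 interface, and the permitted services are constructed for illustration):

```cisco
! Assumed: user subnet 10.1.10.0/24 lives on interface Vlan10 (constructed addressing).
! "in" on the SVI is traffic arriving from the hosts, i.e. traffic leaving the subnet;
! it must carry a source address that belongs to this subnet, anything else is logged.
ip access-list extended VLAN10-FROM-HOSTS
 permit ip 10.1.10.0 0.0.0.255 any
 deny   ip any any log
!
! "out" on the SVI is traffic entering the subnet. A packet arriving from elsewhere
! that claims an internal source address is spoofed and is logged and dropped; the
! remaining lines are this subnet's (constructed) policy: replies to connections the
! hosts opened, and DNS answers.
ip access-list extended VLAN10-TO-HOSTS
 deny   ip 10.1.10.0 0.0.0.255 any log
 permit tcp any 10.1.10.0 0.0.0.255 established
 permit udp any eq 53 10.1.10.0 0.0.0.255
 deny   ip any any log
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN10-FROM-HOSTS in
 ip access-group VLAN10-TO-HOSTS out
 ! Unicast RPF adds a second check: the source must be reachable back through this interface
 ip verify unicast source reachable-via rx
```

The logged denies on VLAN10-FROM-HOSTS are the signal the text refers to: a burst of them from one port points at a misconfigured or compromised station on that subnet.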
We will use strong authentication provided by a one-time password server, such as RSA Security's ACE server. Encrypted communication protocols such as ssh will be used if any communication over the production network is necessary. Logging to the syslog servers located on the management network will meet our auditing requirements. As most busy network admins may not be able to monitor every unused port, there are many other techniques that can be used to enhance security. One technique is to require the users to authenticate via RADIUS or LDAP before they are given access to any resources. This technology is implemented in Cisco's User Registration Tool (URT); Cisco's URT allows users to be assigned to different VLANs depending on the credentials supplied.

Limiting the MAC addresses that are permitted to communicate on the ports is key to layer 2 security. A flood of MAC addresses, or even a single new MAC address, could indicate an intruder, or ARP spoofing activities such as the sniff utility. Creating a static MAC assignment ensures that frames for the designated ethernet address are always forwarded to the specified port, and it can prevent ARP spoofing attacks. To set a static port on a Cisco switch, the following statement is used:
• set cam permanent aa-bb-cc-11-22-22 6/1
Another good idea is to limit the number of MAC addresses that can appear on each port, either to one or an appropriate small number, or to configure a timeout that prevents a new MAC from appearing until a certain time period elapses. These features can be configured with the set port security statement on a Cisco switch.
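The same three controls (static MAC, per-port MAC limit, timeout before a new MAC is accepted) as an added Cisco IOS example; the page's CatOS statements are not reproduced, and the interface names, VLAN and MAC address are constructed:

```cisco
! Assumed Cisco IOS access switch. This is the IOS counterpart of the CatOS
! "set cam permanent" and "set port security" statements in the text.
!
! Port with a known station: pin its MAC and allow nothing else.
interface FastEthernet0/1
 description user-desk-1 (constructed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 ! Static assignment, equivalent to "set cam permanent aa-bb-cc-11-22-22 6/1"
 switchport port-security mac-address aabb.cc11.2222
 ! Frames from any other MAC are dropped and counted, and a syslog/SNMP notice is raised;
 ! "shutdown" would err-disable the port instead, "protect" drops silently
 switchport port-security violation restrict
!
! Port without a known station: learn the first MAC, and do not let a different one
! appear until the learned address has been idle for 5 minutes.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! Verification commands: "show port-security interface FastEthernet0/1" shows the
! violation count and last source MAC; "show port-security address" lists secure MACs.
```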
Spanning-Tree Protocol (STP) is used by switches and bridges to establish their MAC address forwarding tables, and to establish a tree-like topology which forwards frames via the fastest path and eliminates loops. Bridge Protocol Data Units (BPDUs) are exchanged by switches to share information about the topology.
For optimum performance, we will want the root bridge of the spanning tree to be located near the core of the network on the highest bandwidth links. The STP root guard feature allows us to enforce the STP topology, and prevent the root bridge from appearing on an edge segment, or on a lower bandwidth connection. Root guard will be enabled on ports on which we do not want to see the root. If superior BPDUs are received on a port with root guard enabled, the port will change from the forwarding to the listening state until the superior BPDU announcements stop.

The spanning tree portfast command is typically configured on ports where end stations are attached, and allows the port to transition immediately to the forwarding state, without the delay caused by the STP calculation.
I also propose a private VLAN. If a hacker gains entry to our public server, they will logically launch attacks against other hosts on the public segment. Private VLANs provide a means to prevent hosts on the same subnet from communicating with each other, while permitting required communication to their router and to hosts on other networks.
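Root guard, portfast and an isolated private VLAN for the public server segment, as an added Cisco IOS example rather than configuration from the original design; VLAN numbers, interface names and the choice of which switch is root are constructed:

```cisco
! Assumed Cisco IOS switches; constructed VLANs 100/200 and interface names.
!
! --- Core switch: make it the preferred root so the root sits on the high-bandwidth links
spanning-tree vlan 10,100 root primary
!
! --- Edge switch: these ports must never lead toward the root. A superior BPDU
! received here puts the port into the root-inconsistent (listening) state until
! the superior BPDUs stop, which is the root guard behaviour the text describes.
interface range FastEthernet0/1 - 24
 spanning-tree guard root
!
! End-station port: skip listening/learning and forward immediately
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
!
! --- Private VLAN for the public servers. Private VLANs require VTP transparent mode.
vtp mode transparent
vlan 200
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 200
!
! Each public server is a host port in the isolated VLAN: it can reach the router
! (promiscuous port) but not the other servers on the same subnet.
interface GigabitEthernet0/1
 description public-web-server (constructed)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
!
! The router uplink is the promiscuous port that every isolated host may talk to.
interface GigabitEthernet0/24
 description uplink-to-router (constructed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200
```

Check the result with "show spanning-tree inconsistentports" for root-guard blocks and "show vlan private-vlan" for the host/promiscuous port assignments.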

A final strategy that could be considered is implementing security at the network level. Strong encryption and authentication implemented at the network level would prevent all but the most determined attacker from compromising our hosts, even if he were able to penetrate our perimeter defenses. IP security (IPSEC) is an enhancement to the IP protocol documented in various RFCs by the IETF. With IPSEC applied to every host, every packet transmitted on the LAN can be encrypted with strong encryption algorithms.

