
Slide 1

Part II
Infrastructure Security

In this lecture I will introduce the issues relating to network infrastructure and network
infrastructure security.
Slide 2

Contents
1. Network Topology
2. Firewall
3. IDS/IPS
4. VPN
5. NAT
6. Load Balancing
7. WAN Optimize
8. VLAN
9. NAC
10. Wifi
11. Storage
12. Virtual
13. Media Security

The lecture covers:

- General view of network topology
- Firewall
- IDS/IPS
- VPN
- NAT
- Load Balancing
- WAN Optimize
- VLAN
- NAC
- Wifi
- Storage Security
- Virtual
- Media Security
Slide 3

1. Network Topology

Let's start with the first part: a general view of network topology.
Slide 4

Network Topology

(Diagram: ISP and modem on the Outside; Firewall with IDS/IPS; a DMZ holding Mail, LDAP and Web servers; inside segments VLAN2, VLAN3, VLAN4, VLAN5; an access point serving a laptop and a PDA)

This is a diagram of a typical network model, including:

- the network system itself;
- the infrastructure security system: firewall, IDS/IPS, VPN.
Slide 5

Network Topology

 Firewall: divides the network into segments (Inside,
Outside, DMZ) and controls the inbound and outbound
traffic between zones.
 IDS/IPS: detects, warns of and prevents attacks.
 VPN: creates secure connections between the
networks of branches and for users working outside
the company network.

Firewall: divides the network into zones (Inside, Outside, DMZ) and controls the inbound and
outbound traffic between zones.
IDS/IPS: detects, warns of and prevents attacks.
VPN: creates a secure connection between the networks of branches and for users working
outside the company network.
Slide 6

2. FIREWALL

Now we will move to the second part: Firewall.


Slide 7

Firewall
 Firewall: prevents attacks, manages access

(This slide shows the operation of a firewall)


Slide 8

Network Topology

 Three network segments

Inside: the internal network segment of the company
Outside: the external network segment, such as the
Internet
DMZ: the demilitarized segment, where services
are published to the Internet.

The firewall divides the network system into three zones:

Inside: the internal network area of the company
Outside: the external network area, such as the Internet
DMZ: the demilitarized zone, where services are published to the Internet.
In terms of network
Slide 9

(This slide shows the zones of a firewall)


Slide 10

Firewall
 Classification

By scope:
- Personal: ZoneAlarm, Symantec
- Network: Cisco PIX/ASA, MS ISA Server, Checkpoint

By packaging:
- Software: MS ISA Server, Checkpoint
- Appliance: Cisco PIX/ASA, Juniper Netscreen, FireBox Watchguard

Firewalls can be classified by their operating scope in the network or by their packaging
technology.
+ Personal: installed on hosts (server, PC, laptop) and protects those hosts.
+ Network: protects all hosts in a network.
+ Software: can be installed on hosts with different hardware platforms, acting as a
personal firewall (Bkav Endpoint, ...), or installed on a server, acting as a network
firewall (iptables, Microsoft ISA, pfSense, ...).
+ Appliance: dedicated hardware running the manufacturer's own operating system and
modules (Cisco ASA, Juniper, SonicWall, FortiGate, ...).
Slide 11

Firewall

 Generations of firewall

Packet Filtering

Stateful Inspection

Proxy Server

UTM Firewall

Next-Generation Firewall

Next, we will study the firewall technologies, including:

Packet Filtering
Stateful Inspection
Proxy Server
UTM Firewall
Next-Generation Firewall
Slide 12

Packet filtering is the first technology used in firewalls; its mechanism is simply to read the
layer 3 and layer 4 information of EACH packet and compare it with the policies.
Slide 13

Firewall
 Packet Filtering

This diagram shows the operation of packet filtering technology in the OSI reference model.
Slide 14

Firewall
 Packet Filtering
• Most widely used (routers)
• Operates on the network layer
• Uses an ACL to filter packets based on information in the
TCP/IP header

Nowadays, packet filtering is used in routers, where it is called an ACL.


Slide 15

Firewall
 Packet Filtering

Limitations

Despite its simple operating mechanism, packet filtering still has many limitations.
Slide 16

Firewall
 Packet Filtering

Limitations
 Management of the ACL is difficult
 Network efficiency is affected as the number of rules in the
ACL increases
 Can only filter up to layer 4 (OSI model)
 Has trouble with some protocols

The limitations of packet filtering are:

Management of the ACL is difficult.
Network efficiency is affected as the number of rules in the ACL increases, because for each
packet the firewall or router has to check each rule in the ACL until one matches.
Inspection only reaches layer 4 (OSI model).
It has trouble with some protocols.
Slide 17

Firewall
 Packet Filtering
Case study: FTP Protocol

* A protocol operating on top of TCP
* In a session it uses 2 channels: data (port 20) and
command (port 21)
* There are 2 modes: active and passive

In order to understand this technology clearly, we will study the FTP protocol.
FTP:
It is a protocol operating on top of TCP.
In a work session it uses 2 channels: data (port 20) and command (port 21).
There are 2 modes: active and passive.
Slide 18

Firewall
 Packet Filtering
Case study: FTP Protocol
• Active FTP
 Client connects from a port N (N > 1023) to the server at port
21 (command)
 Client listens on port N+1, waiting for the server to connect
back from port 20 (data)

In active mode:
The client connects from a port N (N > 1023) to the server at port 21 (command).
Then the client listens on port N+1 and waits for the server to connect back from port 20 (data).
Slide 19

Firewall

Active FTP

The image on this slide shows the steps for establishing a connection between server and
client in FTP active mode.
First, the client uses source port 1026 to establish a connection to port 21 of the FTP server; the
FTP server then sends an ACK packet back to the client as confirmation. After receiving the ACK,
the client listens on port 1027 and waits for a connection from the FTP server.
Slide 20

Firewall
 Packet Filtering
Case study: FTP Protocol
• Situation 1: the firewall opens destination ports 20 and 21 from
client to server but blocks the backward direction
=> when the server initiates a session with source port 20 to
destination port N+1 of the client in order to transmit data, it
is blocked by the firewall.

• Situation 2: the firewall opens destination ports 20 and 21 in the
direction from client to server, and allows the backward
direction
=> FTP transmits data successfully, but the client is not safe,
because an attacker can forge the IP address of the FTP server
and initiate a session with source port 20 to the client.

- Situation 1: the firewall opens destination ports 20 and 21 in the direction from client to server
and blocks the backward direction => when the server initiates a session with source port 20 to
destination port N+1 of the client in order to transmit data, it is blocked by the firewall.
- Situation 2: the firewall opens destination ports 20 and 21 in the direction from client to server
and allows the backward direction
=> FTP transmits data successfully, but the client is not safe, because an attacker can forge
the IP address of the FTP server and initiate a session with source port 20 to the client.
Slide 21

Firewall
 Packet Filtering
Case study: FTP Protocol
• Active FTP
 Limitation: the client does not create its own data connection
but accepts one initiated from outside
 A firewall on the client side will block this connection

• Passive FTP
 Alternative to active FTP
 Involves the PASV command

To avoid these limitations of active mode, we can use FTP passive mode.
Slide 22

Firewall
 Packet Filtering
Case study: FTP Protocol
• Passive FTP
 Client connects to port 21 of the server with the PASV command
 Server sends back the port number on which it will serve
the client
 Client creates a connection to the server on the port
received, to transmit data
 Client initiates all connections to the server from two ports N
and N+1 (N > 1023)

The client connects to port 21 of the server with the PASV command.

Then the server sends back the port number on which it will serve the client.
The client creates a connection to the server on the port received, to transmit data. The client
initiates all connections to the server from two ports N and N+1 (N > 1023).
Slide 23

Firewall

Passive FTP

This is a diagram of the operation of the FTP protocol in passive mode.


Slide 24

Firewall
 Packet Filtering
Case study: FTP Protocol
• Passive FTP
 Limitations:
1. The server exposes all ports N > 1023
2. Some clients do not support FTP passive mode

FTP passive mode defeats the forged-connection attack; however, its limitation is that the
server exposes ports N > 1023, creating security vulnerabilities, and some clients do not
support FTP passive mode.
Slide 25

Firewall
 Packet Filtering

Packet Filtering
=
Stateless Inspection

Because of the features above, packet filtering is also called stateless inspection.


Slide 26

Firewall
 Stateful Inspection
• Also called Dynamic Packet Filtering
• A technology enabling the firewall not only to manage and filter
packets but also to manage connections
automatically
• In the case of the FTP protocol, it can automatically permit or block
connections to the active data ports

Today, the technology most commonly used in firewalls is stateful inspection.

Stateful inspection is also called dynamic packet filtering; this technology enables management
per connection session, whereas packet filtering can only manage per packet.
Slide 27

Firewall
 Stateful Inspection
* When a new connection session passes through the firewall, the firewall
checks the first packet of this session against its rules, from layer 1 to
layer 7
* If the packet matches a rule with a "deny" action or does
not match any rule, it is dropped => a state entry is
added to the StateTable with action "deny".
* If the packet matches a rule with a "permit" action, it is
allowed => a state entry is added to the StateTable
with action "permit".
* For the following packets, the firewall only checks up to layer 4
and consults the StateTable in order to decide whether to permit or deny.

When a new connection session passes through the firewall, the firewall checks the
first packet of this session against its rules, from layer 1 to layer 7.
If the packet matches a rule with a deny action or does not match any
rule, the packet is dropped => a state entry is added to the
StateTable with action deny.
If the packet matches a rule with a permit action, the packet
is allowed => a state entry is added to the StateTable with action
permit.
For the following packets, the firewall only checks up to layer 4 and consults the
StateTable in order to decide whether to permit or deny.
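The FTP case study (slide 20) and the state-table procedure above can be run side by side. The following Python model is an added example, not code from the lecture: the packet layout, the three-field rules and the simplified FTP PORT handling (`ftp_port_cmd` stands in for parsing the control channel) are constructed for illustration. It replays one active-FTP trace through a stateless filter under both situations and through a stateful firewall that, as slide 26 describes, pre-authorises only the data connection the client announced.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet model (not from the lecture): one TCP segment in one direction.
# `ftp_port_cmd` carries the port N+1 a client announced in an FTP PORT command,
# standing in for the firewall parsing the control-channel payload.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ftp_port_cmd: Optional[int] = None

CLIENT, SERVER = "10.1.1.5", "20.20.20.20"   # constructed addresses

# ---- Stateless packet filter (slides 16 and 20) -----------------------------
# A rule is (src_ip, dst_ip, dst_port); None is a wildcard. The filter keeps no
# memory between packets, so every packet is judged on its header alone.
def stateless_allow(pkt: Packet, rules) -> bool:
    for src, dst, dport in rules:
        if (src in (None, pkt.src_ip) and dst in (None, pkt.dst_ip)
                and dport in (None, pkt.dst_port)):
            return True
    return False                       # implicit deny

# Situation 1: only client -> server to ports 20 and 21 is opened.
SITUATION_1 = [(CLIENT, SERVER, 21), (CLIENT, SERVER, 20)]
# Situation 2: the backward direction server -> client is opened as well.
SITUATION_2 = SITUATION_1 + [(SERVER, CLIENT, None)]

# ---- Stateful inspection (slide 27) -------------------------------------------
# Only the first packet (SYN) of a session is checked against the rules; the
# verdict is stored in the state table and later packets are matched against
# it. FTP awareness (slide 26) is modelled by reading the PORT command on a
# permitted control session and expecting exactly one data connection back:
# server port 20 -> client port N+1.
class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.state_table = {}   # (src_ip, src_port, dst_ip, dst_port) -> verdict
        self.expected = set()   # data connections announced via PORT

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.state_table.get(key) or self.state_table.get(rev)
        if entry is not None:                      # packet of a known session
            if entry == "permit" and pkt.ftp_port_cmd is not None:
                self.expected.add((pkt.dst_ip, 20, pkt.src_ip, pkt.ftp_port_cmd))
            return entry == "permit"
        if not pkt.syn:                            # mid-stream packet, no state
            return False
        if key in self.expected:                   # the announced data channel
            self.expected.discard(key)
            self.state_table[key] = "permit"
            return True
        verdict = "permit" if stateless_allow(pkt, self.rules) else "deny"
        self.state_table[key] = verdict            # remembered for the session
        return verdict == "permit"

# ---- Constructed active-FTP trace --------------------------------------------
N = 1026
CONTROL_SYN = Packet(CLIENT, N, SERVER, 21, syn=True)
PORT_CMD    = Packet(CLIENT, N, SERVER, 21, ftp_port_cmd=N + 1)
SERVER_DATA = Packet(SERVER, 20, CLIENT, N + 1, syn=True)   # legitimate data channel
SPOOFED     = Packet(SERVER, 20, CLIENT, 3389, syn=True)    # forged server IP, src port 20
TRACE = [CONTROL_SYN, PORT_CMD, SERVER_DATA, SPOOFED]

def run_stateless(rules):
    return [stateless_allow(p, rules) for p in TRACE]

def run_stateful(rules):
    fw = StatefulFirewall(rules)
    return [fw.allow(p) for p in TRACE]

if __name__ == "__main__":
    print("stateless, situation 1:", run_stateless(SITUATION_1))  # data channel blocked
    print("stateless, situation 2:", run_stateless(SITUATION_2))  # spoofed packet allowed
    print("stateful,  situation 1:", run_stateful(SITUATION_1))   # data ok, spoof dropped
```

With the situation 1 rules the stateless filter blocks the server's data connection; with situation 2 it also lets through the forged packet with source port 20. The stateful firewall keeps the restrictive situation 1 rules and still passes the legitimate data channel, because that connection was announced on a permitted control session, while the forged one matches neither the state table nor the expectation set.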
Slide 28

Firewall
 Stateful Inspection
 Advantages:
 High security
 Fast and flexible packet processing

The advantages of stateful inspection technology are high security and fast packet
processing.
Slide 29

Firewall
 Proxy Server
It operates on the application layer, so it can
look deeply into the protocols of this layer, such as
HTTP, FTP, etc.

Able to filter content, viruses, trojans, etc.

Logs are easy to record and understand

For example: logging URLs, etc.

Reduces connection cost

Another, less used firewall technology is the proxy server. This technology operates at the
application layer, so it can look deeply into the packet.
A proxy firewall is able to filter content, viruses and trojans.
Slide 30

Firewall
 UTM Firewall
 A technology which integrates all the other security
mechanisms, such as IDS/IPS, VPN, SSL, antivirus,
load balancing and QoS, into the traditional firewall
 A UTM firewall provides a comprehensive network
security solution for companies.

Many firewall vendors have taken the approach of integrating all security features and
other applications into one product, called the UTM firewall generation. A UTM firewall
integrates IDS/IPS, VPN, SSL, antivirus, load balancing and QoS.
Slide 31

Firewall
 Next-Generation
 This technology enables filtering of network traffic based
on application classification and is able to inspect
the payload of packets deeply.
 Besides packet characteristics such as
IP and port, the Next-Generation Firewall adds new
characteristics: User-ID, App-ID and Content-ID.

In recent years, firewall vendors have developed a new generation of firewall technology,
called Next-Generation. This technology filters traffic based on application
classification and is able to inspect the content of packets deeply.
Normally, in order to inspect a packet, a firewall relies on packet properties such as IP and
port. The Next-Generation Firewall adds new properties, which make traffic control more
effective and flexible. These are the User-ID, App-ID and Content-ID properties.
Slide 32

Firewall
 Next-Generation
 App-ID:
 App-ID accurately identifies which applications are running on the network
infrastructure, regardless of which service port or which
protocol they run on, and whether or not they are encrypted with
SSL.
 For example: in order to control the FTP application with the firewall,
instead of setting permission rules on ports 20 and 21, we can
set a rule using the App-ID FTP.

App-ID is a property which accurately identifies which service is running on the network
infrastructure, regardless of which port and protocol it runs on.
Returning to the case study on controlling the FTP application with the firewall: instead of
writing permit or deny rules on ports 20 and 21, we can set a rule using the App-ID FTP,
which is much more effective and simple.
Slide 33

Firewall
 Next-Generation
App-ID

This is an illustration of App-ID.


Slide 34

Firewall
 Next-Generation
 Content-ID:
 Permits inspection of the packet payload.
 A Content-ID contains a list of keywords to be filtered in
the payload of the traffic.
 For example: a Content-ID includes keywords such as facebook,
sports, etc.

Another property of Next-Generation is Content-ID. Content-ID enables inspection of the payload
part of the packet. A Content-ID contains a list of keywords to filter. For example, we can
create a Content-ID containing the keywords facebook, dantri, sports, news, ...
Slide 35

Firewall
 Next-Generation
Content-ID

This is an illustration of Content-ID.


Slide 36

Firewall
 Next-Generation
 User-ID:
 Integrates with Microsoft Active Directory to identify users on the
internal network
 Uses the User-ID to define firewall rules
 For example: the company's Microsoft Active Directory has user
accounts such as Mary and Tony. The administrator can define a rule
allowing User-IDs Mary and Tony to access web applications, while the
remaining User-IDs are blocked.

In a company network, rather than the administrator keeping a list of each employee's IP in
order to define security policies per person, with a Next-Generation Firewall the administrator
can define security policies by the employee's account. This is the User-ID property of
Next-Generation. In order to use this property, the company network is required to use
Microsoft Active Directory.
Slide 37

Firewall
Demo

This is a demo of packet filtering technology using an ACL on a router.


Slide 38

Firewall
Demo
 Create an ACL (Access Control List):
 access-list 100 permit tcp 10.1.1.1 0.0.0.0 20.20.20.20 0.0.0.0
eq 80
 access-list 100 deny tcp 10.1.1.2 0.0.0.0 20.20.20.20 0.0.0.0
eq 80
 access-list 100 permit icmp 10.1.1.2 0.0.0.0 20.20.20.20
0.0.0.0

ACL commands (the 0.0.0.0 wildcard masks mean each address must match exactly):
access-list 100 permit tcp 10.1.1.1 0.0.0.0 20.20.20.20 0.0.0.0 eq 80
access-list 100 deny tcp 10.1.1.2 0.0.0.0 20.20.20.20 0.0.0.0 eq 80
access-list 100 permit icmp 10.1.1.2 0.0.0.0 20.20.20.20 0.0.0.0
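To see how a router evaluates the three lines of the demo, the following Python evaluator is an added example (not the lecture's code and not Cisco IOS): it parses the extended `access-list` syntax shown on slide 38, applies Cisco-style wildcard masks (a 0 bit must match, a 1 bit is ignored), tries rules top-down with first-match-wins and the implicit deny at the end, and counts how many rules had to be compared, which is the per-packet cost that slide 16 warns grows with the size of the ACL. Only the keywords that appear on the slide (`permit`, `deny`, `tcp`, `icmp`, `eq`) are supported.

```python
import ipaddress

# The three ACL lines from slide 38, used as sample input.
ACL_TEXT = """
access-list 100 permit tcp 10.1.1.1 0.0.0.0 20.20.20.20 0.0.0.0 eq 80
access-list 100 deny tcp 10.1.1.2 0.0.0.0 20.20.20.20 0.0.0.0 eq 80
access-list 100 permit icmp 10.1.1.2 0.0.0.0 20.20.20.20 0.0.0.0
"""

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: bits set in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_acl(text: str):
    """Parse 'access-list <n> permit|deny <proto> <src> <wc> <dst> <wc> [eq <port>]'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].lower() != "access-list":
            continue
        port = int(t[9]) if len(t) >= 10 and t[8].lower() == "eq" else None
        rules.append({
            "acl": t[1], "action": t[2].lower(), "proto": t[3].lower(),
            "src": t[4], "src_wc": t[5], "dst": t[6], "dst_wc": t[7],
            "dport": port,
        })
    return rules

def evaluate(rules, proto: str, src: str, dst: str, dport=None):
    """Return (verdict, rules_checked). Rules are tried top-down; the first
    match decides, and a packet matching nothing hits the implicit deny."""
    checked = 0
    for r in rules:
        checked += 1
        if r["proto"] != proto:
            continue
        if not wildcard_match(src, r["src"], r["src_wc"]):
            continue
        if not wildcard_match(dst, r["dst"], r["dst_wc"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], checked
    return "deny", checked          # implicit deny at the end of every ACL

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    # Constructed sample packets: (proto, src, dst, dst_port)
    for pkt in [("tcp", "10.1.1.1", "20.20.20.20", 80),
                ("tcp", "10.1.1.2", "20.20.20.20", 80),
                ("icmp", "10.1.1.2", "20.20.20.20", None),
                ("tcp", "10.1.1.3", "20.20.20.20", 80)]:
        print(pkt, "->", evaluate(rules, *pkt))
```

The last sample packet, from 10.1.1.3, matches no line and is dropped by the implicit deny only after all three rules have been compared; in a long ACL that walk is repeated for every packet, which is the efficiency limitation the slides describe.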
Slide 39

3. IDS/IPS

Next, we will study IDS/IPS.


Slide 40

This is an illustration of the role of IDS/IPS in the network system.


Slide 41

IDS/IPS

 IDS/IPS: detect/prevent attacks

 IDS: Intrusion Detection System
 IPS: Intrusion Prevention System

 Often integrated with the firewall

 Based on signatures, which need to be updated
regularly

An IDS is an application which detects intrusions based on known signatures or learned
patterns.
An IPS is also an IDS, but it is able to block the intrusions it detects.
Slide 42

This image shows the operation of an IPS in active mode.


Slide 43

This image shows the operation of an IPS in passive mode.


Slide 44

IDS/IPS

This image illustrates the administration interface of a Cisco IDS/IPS device.


Slide 45

IDS/IPS
 Classification

By packaging: Software, Appliance
By deployment model: Host-based, Network-based

Like firewalls, IDS/IPS are also classified by packaging technology and deployment model.
Slide 46

4. VPN

Another important part of the network system is the VPN; in the next part we will study VPNs.
Slide 47

VPN

(Diagram: the same topology as slide 4, with ISP, modem, firewall and IDS/IPS, the DMZ with Mail, LDAP and Web servers, inside VLAN2, VLAN3, VLAN4 and an access point serving a laptop and a PDA; the VPN connects remote users and offices to it)

This is an illustration of a VPN. A VPN enables remote users to connect to the company network, and
connects offices of a company that are geographically far apart.
Slide 48

VPN
 VPN – Virtual Private Network
 Enables a secure (private) connection
channel to be established over a shared environment
(virtual)
 Benefits:
 Ensures security
 Saves cost

VPN is the abbreviation of Virtual Private Network. A VPN enables a secure connection
channel to be established over a shared environment, ensuring security and saving cost as well.
Slide 49

This image describes the threat of eavesdropping when exchanging information over a shared
network environment.
Slide 50

VPN
 Supporting equipment/software
 Often integrated with the firewall
 Separate if high performance is needed

 VPN classification
 Site-to-site VPN: network - network
 Remote access VPN: host - network

A VPN can be integrated into the firewall or run on a separate device. VPNs are divided into two
types: site-to-site VPN and remote-access VPN.
Slide 51

A site-to-site VPN creates a connection channel between the offices of a company or organization.


Slide 52

A remote-access VPN creates a connection channel from a client into the company's network.
Slide 53

VPN
 Protocols used for VPN
 L2F - Layer 2 Forwarding (Cisco)
 PPTP - Point to Point Tunneling Protocol
(Microsoft)
 L2TP - Layer 2 Tunneling Protocol (Microsoft +
Cisco)
 IPSec - IP Security
 SSL/TLS - Secure Sockets Layer/Transport Layer
Security
 MPLS - Multi-Protocol Label Switching

In order to avoid the threat of eavesdropping on the Internet and ensure safety, VPN
channels need to be encrypted. Protocols used to build VPN channels include L2F, PPTP, L2TP, IPsec, SSL and
MPLS.
Slide 54

VPN
 Case Study: IPSec
 IPSec is often used in site-to-site VPNs
 Stage 1: creates a management security
tunnel to control, establish, maintain and
terminate a VPN channel
 Stage 2: creates a security tunnel to
exchange data between sites.

In order to understand VPNs further, we will study an example using IPsec. IPsec is normally
used in site-to-site VPNs. A VPN channel is built in 2 stages. Stage 1 creates a
management security tunnel to control, establish, maintain and terminate a VPN channel. Stage 2
creates a security tunnel to exchange data between sites.
Slide 55

VPN
 Case Study: IPSec
Parameters of an IPSec tunnel:
 Encryption algorithm: DES, 3DES, AES
 Hash algorithm: MD5, SHA-1
 Authentication method: pre-shared key, RSA (Rivest, Shamir, Adleman)
 Diffie-Hellman: Group 1, 2, 5

In order to establish an IPsec tunnel, the following algorithms are chosen:

Encryption algorithm: DES, 3DES, AES
Hash algorithm: MD5, SHA-1
Authentication method: pre-shared key, RSA (Rivest, Shamir, Adleman)
Diffie-Hellman: Group 1, 2, 5
Slide 56

VPN
DEMO

This is a demo lab: configuration of the IPsec protocol on Cisco equipment.


Slide 57

VPN
 Case Study: IPSec
 Configuration of stage 1:

This is the configuration of stage 1 of IPsec.


Slide 58

VPN
 Case Study: IPSec
 Configuration of stage 2

This is the configuration of stage 2 of IPsec.


Slide 59

VPN
 Case Study: IPSec
 Applying IPsec to an interface of the device

This is the application of the IPsec configuration to an interface of the device.


Slide 60

VPN
 Case Study: IPSec
 Checking the IPSec VPN channel

Checking the VPN channel


Slide 61

5. NAT

Next, we will study another important technology: NAT.


Slide 62

NAT – Network Address Translation


 NAT (Network Address Translation)
 NAT is a technology for translating IP addresses, enabling the
source IP address or the destination IP address of a
packet to be rewritten

NAT is the abbreviation of Network Address Translation. NAT is a technology for translating IP
addresses, enabling the source IP address or the destination IP address of a packet to be
rewritten. NAT is an important technology in IPv4, helping to conserve the IPv4 address space,
which is exhausted.
Slide 63

This diagram illustrates the IP address translation performed by NAT: a packet has the private
source address 10.0.0.10, which is not routable on the Internet. After passing through the
border router it is NATed to the public IP address 12.0.0.12, which is routable on the Internet
and can exchange packets with hosts on the Internet.
Slide 64

NAT
 NAT classification
 Static NAT: a fixed logical 1 – 1 mapping between a local
IP and a global IP, used for
servers
 For example:
10.1.1.1 – 123.30.20.21
10.1.1.2 - 123.30.20.22
10.1.1.3 - 123.30.20.23

Depending on the purpose, we use different NAT technologies. Static NAT makes a
logical mapping between 1 local IP address and 1 global IP address.
For example:
10.1.1.1 – 123.30.20.21
10.1.1.2 - 123.30.20.22
10.1.1.3 - 123.30.20.23
Slide 65

NAT
 NAT classification
 Dynamic NAT: similar to static NAT, but the
mapping can change
 For example:
A = {10.1.1.1 ; 10.1.1.2 ; 10.1.1.3}
B = {123.30.20.21 ; 123.30.20.22 ; 123.30.20.22}
NAT: A - B

Dynamic NAT is similar to static NAT, but the logical mapping can change: each local address is
assigned an address from the global pool when it needs one.
For example:
A = {10.1.1.1 ; 10.1.1.2 ; 10.1.1.3}
B = {123.30.20.21 ; 123.30.20.22 ; 123.30.20.22}
NAT: A - B
Slide 66

NAT
 NAT classification
 Port Address Translation – PAT: NAT that also uses ports

Port Address Translation, also called PAT, is NAT that also uses ports. With PAT we only need 1 public IP
address to NAT many internal IP addresses.
Slide 67

NAT
 NAT classification
 Using PAT saves public IP addresses

 Using PAT hides the real IP address of
the service server

Using PAT saves public IP addresses.

Using PAT hides the real IP address of the service server.
For example:
71.144.14.158:88 - 192.168.0.9:80
71.144.14.158:89 – 192.168.0.10:80
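The three NAT classes on slides 64 to 67 differ in how the translation table is built and looked up. The following Python class is an added example, not the lecture's code or a router implementation: the addresses are the ones on the slides, the port numbers and the pool-exhaustion behaviour (the packet is dropped) are constructed, and a real router also keeps timeouts and per-protocol state that this model leaves out.

```python
from itertools import count
from typing import Optional, Tuple

# Added example: one translation table supporting static NAT, dynamic NAT
# from a pool, and PAT (overload) on a single public address.
class Nat:
    def __init__(self, static=None, pool=None, pat_ip=None, first_port=1024):
        self.static = dict(static or {})   # local -> global, fixed 1-1 (servers)
        self.pool = list(pool or [])       # free global addresses for dynamic NAT
        self.dynamic = {}                  # local -> global, assigned from the pool
        self.pat_ip = pat_ip               # the single public address used by PAT
        self.pat_ports = count(first_port) # next free public port
        self.pat = {}                      # (local_ip, local_port) -> public port
        self.pat_rev = {}                  # public port -> (local_ip, local_port)

    def outbound(self, local_ip: str, local_port: int) -> Optional[Tuple[str, int]]:
        """Translate the source of a packet leaving the inside network.
        Returns (global_ip, global_port) or None when no translation exists."""
        if local_ip in self.static:
            return self.static[local_ip], local_port
        if local_ip in self.dynamic:
            return self.dynamic[local_ip], local_port
        if self.pool:                                   # dynamic NAT: take a free address
            self.dynamic[local_ip] = self.pool.pop(0)
            return self.dynamic[local_ip], local_port
        if self.pat_ip:                                 # PAT: one IP, many ports
            key = (local_ip, local_port)
            if key not in self.pat:
                gport = next(self.pat_ports)
                self.pat[key] = gport
                self.pat_rev[gport] = key
            return self.pat_ip, self.pat[key]
        return None                                     # pool exhausted, no PAT: dropped

    def inbound(self, global_ip: str, global_port: int) -> Optional[Tuple[str, int]]:
        """Translate the destination of a packet arriving from outside.
        Returns (local_ip, local_port) or None when nothing maps to it."""
        for local, glob in self.static.items():
            if glob == global_ip:
                return local, global_port
        for local, glob in self.dynamic.items():
            if glob == global_ip:
                return local, global_port
        if global_ip == self.pat_ip and global_port in self.pat_rev:
            return self.pat_rev[global_port]
        return None   # no mapping: the inside hosts' real addresses stay hidden

if __name__ == "__main__":
    # Static NAT with the mappings from slide 64.
    s = Nat(static={"10.1.1.1": "123.30.20.21", "10.1.1.2": "123.30.20.22",
                    "10.1.1.3": "123.30.20.23"})
    print("static  ", s.outbound("10.1.1.1", 5000), s.inbound("123.30.20.22", 443))
    # Dynamic NAT: a pool of two addresses for three hosts (slide 65).
    d = Nat(pool=["123.30.20.21", "123.30.20.22"])
    print("dynamic ", [d.outbound(h, 40000) for h in ("10.1.1.1", "10.1.1.2", "10.1.1.3")])
    # PAT: the port mappings from slide 67 (first public port constructed as 88).
    p = Nat(pat_ip="71.144.14.158", first_port=88)
    print("pat     ", p.outbound("192.168.0.9", 80), p.outbound("192.168.0.10", 80))
    print("pat in  ", p.inbound("71.144.14.158", 89), p.inbound("71.144.14.158", 90))
```

Note the difference on the return path: for static and dynamic NAT the public address alone identifies the inside host, whereas with PAT the public port is the key, so an inbound packet to a port that was never handed out has no translation and is dropped.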
Slide 68

NAT

This model demonstrates the NAT process for one packet.


Slide 69

NAT
Demo

This is the topology of the NAT demo.


Slide 70

NAT
Demo
Configuration of static NAT:
ip nat inside source static 192.168.1.10 20.20.20.20
interface f0/0
 ip nat outside
interface f0/1
 ip nat inside

This is the configuration of static NAT.


Slide 71

NAT
Demo
Configuration of NAT overload (PAT):
ip nat inside source list 1 interface f0/0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
interface f0/0
 ip nat outside
interface f0/1
 ip nat inside

This is the configuration of PAT.
Slide 72

NAT
Demo

Check whether the network is working correctly.


Slide 73

6. Load Balancing

Next, we will study another technology: load balancing.


Slide 74

Load Balancing
 Traffic Load Balancing
 Outbound load balancing

Load balancing is divided into 2 types: load balancing of paths and load balancing of
servers.
Path load balancing can be done for inbound or outbound traffic. This slide illustrates
outbound path load balancing.
Outbound Internet load balancing is normally used when the network has several
connection lines to the Internet.
Slide 75

Load Balancing
 Traffic Load Balancing
 Inbound load balancing

- The next image demonstrates inbound Internet load balancing, using DNS.
Slide 76

Load Balancing
 Load Balancing for
Server
 Global Server Load
Balancing

- We can also use DNS to load-balance servers globally. Global services
such as Google and Facebook have servers everywhere in the world. Depending on the
algorithm, the DNS server resolves the name and returns the address of the server that will serve
the client's request. Algorithms used by the DNS server balance the load by number of connection
sessions or by the geographical area the client requests from.
Slide 77

Load balancing
 Load balancing for
Server
 Local Server Load
Balancing

For servers on the same network, load balancing can be implemented by
gathering the servers into a group represented by a single IP; the load-balancing device then
distributes each connection to a physical server. Today VnExpress uses this technology: there are
many servers located in the same place, forming a group represented by 4 different IPs; each IP can
be a server group.
Slide 78

Load Balancing

- Large companies providing load-balancing equipment include Peplink, Cisco and Vigor.
Slide 79

7. WAN Optimize

Companies and organizations with branches spread over distant geographical areas, such as
across a country, face a problem: the connection lines between branches normally have much
lower bandwidth than the LAN, which causes congestion. In order to reduce this, we can
increase the efficiency with which the WAN line is used by various technologies. These
technologies are called WAN Optimize.
Slide 80

WAN Optimize
 WAN line: connects the networks of the head office
and branches in different geographical areas

- This illustrates the WAN connection model of an organization with many branches.


Slide 81

WAN Optimize
 The bandwidth of a WAN link is much more limited than that of
a LAN connection

This illustrates the congestion that occurs when forwarding between a LAN connection and a WAN connection.
Slide 82

WAN Optimize

WAN OPTIMIZE

The solution for enhancing the efficiency of the WAN line => use WAN Optimize technology.
Slide 83

WAN Optimize
 WAN Optimize

Two WAN Optimize devices, one at each end of the WAN link, communicate and agree on the
algorithms and WAN Optimize technologies to be used.
Data from the LAN is sent to the WAN Optimize device on the sending side; that device
optimizes, compresses, caches, etc. the data in order to reduce the amount of traffic that has to
be transmitted over the WAN line. The data is then sent over the WAN line to the WAN Optimize
device on the receiving side, which decodes it, restores the original data and forwards it into the LAN.
Slide 84

WAN Optimize
WAN Optimization technologies:
Protocol Optimization
Object Caching/Byte Caching
Compression
Bandwidth Management

The technologies used in WAN Optimize are:

Protocol Optimization
Object Caching/Byte Caching
Compression
Bandwidth Management
Slide 85

WAN Optimize
 Protocol Optimization: optimization at the
protocol level; some protocols require a huge
number of request/response exchanges between
client and server, consuming remarkable bandwidth
on WAN links

Protocol Optimization: a technology that optimizes at the protocol level. Some protocols require
a huge number of request/response exchanges between client and server, which consumes a
remarkable amount of bandwidth when carried over the WAN line. WAN Optimize implements
optimizations specific to each protocol.
Slide 86

WAN Optimize
 Object Caching/Byte Caching: the WAN
Optimization device plays the role of a
caching server, which stores temporary copies so that
users' repeated accesses are served without
going back to the server.

Object Caching/Byte Caching: the WAN Optimize device plays the role of a caching server that
stores temporary copies, so that when a user accesses the same data again, the device responds
without accessing the server directly.
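The byte-caching idea above is easiest to see on a concrete transfer. The following Python model is an added example, not code from the lecture or any vendor: both appliances keep an identical cache of chunks they have already seen, the sender replaces a known chunk by a short reference to it and only ships new bytes raw, and the receiver rebuilds the original from its cache. The fixed 64-byte chunking, the 8-byte reference and the sample document are constructed for illustration; real products use content-defined chunks and their own wire format.

```python
import hashlib

CHUNK = 64   # constructed chunk size; products use content-defined chunk boundaries

def chunks(data: bytes, size: int = CHUNK):
    return [data[i:i + size] for i in range(0, len(data), size)]

def ref_of(chunk: bytes) -> bytes:
    """Short reference used on the wire for a chunk already known at both ends."""
    return hashlib.sha256(chunk).digest()[:8]

class WanOptimizer:
    """One appliance end; the sending and receiving ends keep the same cache."""
    def __init__(self):
        self.cache = {}   # reference -> chunk bytes

    def encode(self, data: bytes):
        """Sender side: known chunks become ('ref', r); new chunks go ('raw', bytes)."""
        stream = []
        for c in chunks(data):
            r = ref_of(c)
            if r in self.cache:
                stream.append(("ref", r))
            else:
                self.cache[r] = c          # the receiver learns it from the raw copy
                stream.append(("raw", c))
        return stream

    def decode(self, stream) -> bytes:
        """Receiver side: rebuild the original bytes, learning new chunks on the way."""
        out = bytearray()
        for kind, value in stream:
            if kind == "raw":
                self.cache[ref_of(value)] = value
                out += value
            else:
                out += self.cache[value]   # KeyError here would mean the caches diverged
        return bytes(out)

def wire_bytes(stream) -> int:
    """Approximate bytes carried over the WAN link: raw chunks cost their length, refs 8 bytes."""
    return sum(len(value) for _, value in stream)

def make_sample_document() -> bytes:
    """Constructed 768-byte document with no two chunks alike."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))

if __name__ == "__main__":
    sender, receiver = WanOptimizer(), WanOptimizer()
    doc = make_sample_document()
    first = sender.encode(doc)                  # first transfer: everything is new
    assert receiver.decode(first) == doc
    print("first transfer :", wire_bytes(first), "bytes on the WAN")
    doc2 = doc[:256] + b"X" * CHUNK + doc[320:]  # the user edits one chunk and re-sends
    second = sender.encode(doc2)
    assert receiver.decode(second) == doc2
    print("second transfer:", wire_bytes(second), "bytes on the WAN")
```

On the second transfer only the edited chunk crosses the WAN as raw bytes; the other eleven chunks cost one 8-byte reference each, which is the saving the slide describes for repeated access to the same data.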
Slide 87

WAN Optimize
 Compression: a technology in which the
device uses algorithms to remove
redundant information from the data sent, and
the remote device uses the matching algorithm to
restore the information and deliver the full
packet.

Compression: a technology in which the device uses algorithms to remove redundant information
from the data sent; the remote device uses the matching algorithm to restore the information and
deliver the packet in full.
Slide 88

WAN Optimize
Bandwidth management: uses technologies such
as QoS or traffic shaping to give priority to
traffic that requires real time, or traffic with higher
priority

Bandwidth management: uses technologies such as QoS or traffic shaping to give priority to
traffic that requires real time, or traffic with higher priority.
Slide 89

WAN Optimize

Today there are many companies in the world supplying WAN Optimize equipment and
solutions, among them Riverbed, Citrix, Cisco, Juniper and Blue Coat.
Slide 90

WAN Optimize

This diagram shows the market share and the growth prospects of the companies offering
WAN optimization solutions.
Slide 91

8. VLAN

You have certainly heard of VLANs many times; the next lesson focuses on
VLANs.
Slide 92

VLAN – Virtual LAN

Users with the same job function, in the same department, may work in the same
geographical area, be connected to the same layer 2 switch and share the same
broadcast domain. However, this is not always the case in reality. For example, a company's
technology department may be spread over 10 floors; with this distance, connecting all
employees of the technology department to the same physical switch and the same
broadcast domain is very difficult. In order for all employees of the technology department to be
in the same LAN and the same broadcast domain, we can use VLAN technology.
Slide 93

VLAN
 One VLAN is one independent LAN
 VLANs enable a layer 2 device to be divided
into separate networks
 A VLAN is identified by its VLAN ID or VLAN name

One VLAN corresponds to one independent LAN. The switch distinguishes VLANs by the VLAN ID
field of the tag.
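To make the VLAN ID field concrete, the following Python model is an added example, not code from the lecture or any switch vendor. It builds and parses Ethernet frames with the 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), then models a switch with access and trunk ports the way the demo on slides 98 and 99 configures them: an access port assigns its own VLAN to untagged frames, a trunk port reads the tag, and a flooded frame only leaves on ports of the same VLAN, tagged on trunks and untagged on access ports. MAC addresses and port names are constructed.

```python
import struct

TPID_8021Q = 0x8100

def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes,
                vlan_id=None, pcp: int = 0) -> bytes:
    """Ethernet II frame; an 802.1Q tag is inserted after the MACs when vlan_id is given."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)       # TCI = PCP(3) | DEI(1) | VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes):
    """Return (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, tpid, frame[14:]

class Switch:
    """Minimal VLAN-aware switch: only flooding is modelled, no MAC learning."""
    def __init__(self):
        self.ports = {}

    def access_port(self, name: str, vlan: int):        # switchport mode access
        self.ports[name] = {"mode": "access", "vlan": vlan}

    def trunk_port(self, name: str, allowed, native: int = 1):   # switchport mode trunk
        self.ports[name] = {"mode": "trunk", "allowed": set(allowed), "native": native}

    def classify(self, port: str, frame: bytes):
        """VLAN an incoming frame belongs to, or None if the port must drop it."""
        cfg = self.ports[port]
        vid = parse_frame(frame)[2]
        if cfg["mode"] == "access":
            return cfg["vlan"] if vid is None else None    # tagged frames not accepted
        vid = cfg["native"] if vid is None else vid
        return vid if vid in cfg["allowed"] else None

    def forward(self, in_port: str, frame: bytes):
        """Flood a frame inside its VLAN; returns {egress_port: frame_as_sent}."""
        vlan = self.classify(in_port, frame)
        if vlan is None:
            return {}
        dst, src, _, etype, payload = parse_frame(frame)
        out = {}
        for name, cfg in self.ports.items():
            if name == in_port:
                continue
            if cfg["mode"] == "access" and cfg["vlan"] == vlan:
                out[name] = build_frame(dst, src, etype, payload)               # untagged
            elif cfg["mode"] == "trunk" and vlan in cfg["allowed"]:
                tag = None if vlan == cfg["native"] else vlan
                out[name] = build_frame(dst, src, etype, payload, vlan_id=tag)  # tagged
        return out

def demo_switch() -> Switch:
    """Constructed layout: f0/1 trunk carrying VLAN 10 and 20, f0/2 and f0/3 in VLAN 10, f0/4 in VLAN 20."""
    sw = Switch()
    sw.trunk_port("f0/1", {10, 20})
    sw.access_port("f0/2", 10)
    sw.access_port("f0/3", 10)
    sw.access_port("f0/4", 20)
    return sw

if __name__ == "__main__":
    sw = demo_switch()
    bcast = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"ARP request")
    for port, frame in sw.forward("f0/2", bcast).items():
        print(port, "vlan tag:", parse_frame(frame)[2])
```

A broadcast entering on access port f0/2 reaches f0/3 untagged and the trunk f0/1 tagged with VLAN 10, but never f0/4, which is the "one VLAN is one independent LAN" property from the slide; a frame tagged with a VLAN the trunk does not allow is dropped on ingress.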
Slide 94

VLAN
 Should VLANs be divided by geography or
by function?

Normally a LAN is divided by geographical area, while a VLAN divides the users of the network by
function and by how they use the network.
Slide 95

VLAN
Demo

In order to understand VLANs more clearly, we will study the configuration of a
VLAN lab.
Slide 96

VLAN
- Enable the physical interface on the router:
Router(config)#interface f0/0
Router(config-if)#no shutdown

Demo
Slide 97

VLAN
- Create sub-interfaces on the router

Demo
Slide 98

VLAN
- Configuration for creating a VLAN on the switch
SW(config)#vlan 10
SW(config-vlan)#name BCN

Demo
Slide 99

VLAN
- Configuration of the interface mode on the switch
SW(config)#interface f0/1
SW(config-if)#switchport mode trunk
SW(config)#interface f0/2
SW(config-if)#switchport mode access

Demo
Slide 100

VLAN
- Check the VLAN database

Demo
Slide 101

9. NAC
(Network Access Control)

The next part of the lesson introduces a technology for controlling network access: Network
Access Control, abbreviated NAC.
Slide 102

NAC – Network Access Control


 NAC

This diagram demonstrates how NAC works. The NAC server defines a set of conditions that a
client must meet in order to be allowed onto the network, such as being joined to the
domain or having antivirus installed. The client runs a tool called the NAC agent, which checks
these conditions on the client and sends the information to the NAC server through the network
infrastructure. First, the NAC server checks the user ID sent by the agent; if it is not valid, the
NAC server signals the access switch to close the port. If the user ID check passes, the NAC
server goes on to check whether the client meets the conditions. If any condition is not met,
the NAC server signals the access switch to place the client in an isolated VLAN. Otherwise, when
all conditions are met, the NAC server signals the access switch to open the port so the client
can access the network normally.
In order to control the port status on the access switch, the access switch has to be
configured with the 802.1X protocol.
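The decision sequence just described (user ID check first, then posture conditions, then the switch action) can be written down as a small policy engine. The following Python is an added example, not the lecture's code and not any vendor's NAC product: the agent report fields, the three example conditions (domain joined, antivirus installed, signatures recent), the VLAN numbers and the user names are constructed. It returns the action the NAC server would send to the access switch, which in a real deployment is carried by 802.1X/RADIUS.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed posture report sent by the NAC agent (assumed format, not a real product's).
@dataclass
class AgentReport:
    user_id: str
    domain_joined: bool
    antivirus_installed: bool
    antivirus_signature_age_days: int

@dataclass
class NacPolicy:
    known_users: Set[str]               # user IDs the NAC server will accept
    max_signature_age_days: int = 7     # constructed threshold for "antivirus up to date"
    quarantine_vlan: int = 999          # constructed isolation VLAN
    production_vlan: int = 10           # constructed normal-access VLAN

    def failed_conditions(self, r: AgentReport) -> List[str]:
        """Names of the conditions the client does not meet (empty list = compliant)."""
        checks = {
            "domain_joined": r.domain_joined,
            "antivirus_installed": r.antivirus_installed,
            "antivirus_up_to_date": (r.antivirus_installed
                                     and r.antivirus_signature_age_days <= self.max_signature_age_days),
        }
        return [name for name, ok in checks.items() if not ok]

    def decide(self, r: AgentReport) -> dict:
        """The action the NAC server sends to the access switch for this client."""
        # Step 1: the user ID is checked before any posture condition.
        if r.user_id not in self.known_users:
            return {"action": "close_port", "reason": "unknown user", "failed": []}
        # Step 2: posture conditions; any failure sends the client to the isolated VLAN.
        failed = self.failed_conditions(r)
        if failed:
            return {"action": "assign_vlan", "vlan": self.quarantine_vlan, "failed": failed}
        # Step 3: all conditions met, the port is opened on the production VLAN.
        return {"action": "open_port", "vlan": self.production_vlan, "failed": []}

if __name__ == "__main__":
    policy = NacPolicy(known_users={"mary", "tony"})
    for report in [AgentReport("mary", True, True, 2),     # compliant
                   AgentReport("tony", True, True, 30),    # stale antivirus signatures
                   AgentReport("eve", True, True, 0)]:     # unknown user
        print(report.user_id, "->", policy.decide(report))
```

The order of the checks matters for what the switch learns: an unknown user is refused before any posture data is evaluated, so the port is closed rather than placed in quarantine, while a known user with a failing condition still gets the isolated VLAN where remediation can happen.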
Slide 103

NAC – Network Access Control

For a deeper understanding of NAC, you can study the NAC solutions of Symantec, Cisco, SonicWall
and Check Point.
Slide 104

10. Wifi

The next part of the lesson presents Wifi.


Slide 105

Wifi Security
 Higher threat than wired system
 Problems
 Attack
 Reconnaissance
 DoS
 Access

A Wifi network brings many conveniences, but it also carries more security threats than a wired
network. A Wifi access point operates like a hub: information exchanged on the network is
broadcast to all other hosts on the network, so it is easily attacked and eavesdropped.
Slide 106

Wifi Security
 Authentication
 Preshared Key
 Username/password
 PKI (Public Key Infrastructure)

A Wifi system has several mechanisms for authenticating users:

- Preshared key: the mechanism we commonly use in home and public Wifi systems.
- For systems requiring higher security, we can use authentication by username/password or by PKI.
Slide 107

Wifi Security
 Security type
 WEP (Wired Equivalent Privacy)
 WPA (Wi-fi Protected Access)
 WPA2

Currently there are three security types: WEP, WPA and WPA2. WPA2 is the strongest of these and
best protects the Wifi password from being cracked.
Slide 108

Wifi Security
 Restricting access
 Remove SSID (Service Set Identifier) broadcast
 MAC/IP Filtering
 Assign IP with MAC

Supervising system
 Coverage area
 Bandwidth
 System operation

To restrict access to the Wifi system, we can also use some optional measures:
- Disable SSID broadcast, so that a client must know both the SSID and the password to join.
- MAC/IP filtering
- Bind IP addresses to MAC addresses
Slide 109

11. Storage Security

Next, we move on to Storage Security.


Slide 110

Storage Security

 Encrypt important data

 Use RAID

Data are critical for organizations because they contain the information and operational strategies
of the organization, so they require integrity and strong security. One popular technology currently
used to improve data integrity is RAID, which stores data redundantly across multiple disks in the
same server.
Slide 111

Storage Security
 Case Study: True Crypt

There are many tools for encrypting data on disk. One disk encryption tool you can look at is
TrueCrypt.
Slide 112

Storage Security
 SAN – Storage Area Network

A SAN is a large storage system that provides many ways to back up data, including backup across
geographical areas.
Slide 113

12. Virtualization

Next, we will study a technology that has become a development trend in recent years:
Virtualization Technology.
Slide 114

Virtualization
 Why need virtualization:
 Optimize hardware usage
 Use hardware flexibly
 Data storage
 Green technology application
 Management cost

Why do we need Virtualization Technology?


- Virtualization Technology aims to maximize the efficiency of hardware. It is easy to see that a
physical server (or real server) often uses only a small part of its resources. With Virtualization
Technology, we can divide this physical server into several virtual machines, each with a
configuration sufficient for its use.
- Flexible use of hardware: on a physical server we can install only one operating system, while
with virtualization we can run many different operating systems on it.
- Moreover, there are many other reasons why virtualization has become a trend: meeting data
storage demands, applying green technologies, and saving management cost.
Slide 115

Virtualization
 What need virtualization?
 Server
• Operating system virtualization
• Hardware virtualization

 Storage virtualization

Slide 116

Virtualization
 Server virtualization

With Virtualization Technology, we can virtualize both servers and storage.


Slide 117

13. Media Security

The last part of today's lesson is Media Security, meaning security of the transmission line, also
called physical security.
Slide 118

Media Security
 Line
 coaxial cables, UTP/STP
 Fiber
 Wireless

The most common types of physical transmission media are coaxial cable, UTP, STP, fiber and wireless.
Slide 119

Media Security

 “Physical” attack

A physical attack is also a very dangerous type of attack: the attacker connects directly to the
victim's network infrastructure and steals information.
Slide 120

Media Security

To prevent this type of attack, we need policies controlling entry to and exit from the data center
area, such as magnetic door locks, swipe cards, etc.