Computer Networks - Assessment 2, Assignments of Computer Networks

Intro to computer networks assessment 2 - detailed information and recommendation report relating to Network Segmentation and Network Access

Typology: Assignments

2023/2024

Available from 01/16/2025

pablo-geraidine

Exercise 1: Network Segmentation

Network Segmentation Recommendations
for SpectrumX

Pablo Reis Geraidine
SpectrumX
November 10th, 2024

1. VLANs: benefits & cost-savings.

It is important for SpectrumX to segment its network into separate broadcast domains, both to improve security and to provide proper separation between departments as needed. While this could be achieved with a different physical switch for each domain, that approach is expensive to scale: it means maintaining many more switches, with many interfaces on each switch going unused. What if those switches could be combined and their interfaces used more efficiently, while maintaining the desired level of network segmentation? This is where VLANs can prove beneficial for SpectrumX.

By using VLANs, we can segment the interfaces of each switch and assign them to particular networks as needed, maintaining separate broadcast domains without being constrained by the physical location of each switch. With VLANs, a device can be moved from one VLAN to another without rewiring it into a different switch, which reduces operational costs. It also significantly reduces the amount of hardware required to maintain the desired level of segmentation, since fewer interfaces go unused.

2. Overview of Spanning Tree and Routing Protocols: types and benefits to the organization.

Spanning Tree Protocols prevent loops when redundant switches are used. Without them, a loop allows broadcast storms, caused by broadcast frames or by unicast frames to an unknown address being flooded endlessly, along with the related problems that follow.

Spanning Tree Protocol, or STP for short, works by having the switches in a loop block one of their ports. The blocked port is still physically connected to the other switch, but the protocol tells the switch to ignore frames received on it. This prevents broadcast storms, unstable MAC address tables, and duplicate frames from overloading the network.
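The port-blocking decision described above, worked through on a small redundant topology. This is an added example and not part of the original report; the switch names, bridge IDs and link costs are constructed, and the model is a simplified STP (root election by lowest bridge ID, root port by lowest cost to the root, designated port per link, everything else blocked), not a full implementation of the protocol.

```python
# Added example (not from the original report): a simplified model of how STP
# chooses which port on a redundant link to block.  Switch names, bridge IDs
# and link costs are constructed for illustration.
import heapq

# Constructed topology: (switch_a, switch_b, path_cost).  S1-S2-S3 form a
# triangle, i.e. a loop that would cause broadcast storms without STP.
LINKS = [("S1", "S2", 4), ("S2", "S3", 4), ("S1", "S3", 4), ("S3", "S4", 19)]

# Bridge ID = (priority, MAC address); the lowest wins the root election.
BRIDGE_IDS = {
    "S1": (32768, "00:00:00:00:00:01"),
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (32768, "00:00:00:00:00:03"),
    "S4": (32768, "00:00:00:00:00:04"),
}


def root_path_costs(root, links):
    """Dijkstra from the root bridge: cheapest cost from every switch back to the root."""
    adj = {}
    for a, b, c in links:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue
        for v, c in adj[u]:
            if d + c < cost.get(v, float("inf")):
                cost[v] = d + c
                heapq.heappush(heap, (cost[v], v))
    return cost


def stp_port_roles(links, bridge_ids):
    """Return {(switch, neighbour): role} with role in {"root", "designated", "blocked"}.

    Root port: the port on the lowest-cost path to the root (tie: lowest neighbour
    bridge ID).  Designated port: on every link, the end on the switch with the
    lower root path cost (tie: lower bridge ID).  Any other port is blocked: the
    cable stays connected, but the switch ignores frames arriving on it.
    """
    root = min(bridge_ids, key=bridge_ids.get)
    cost = root_path_costs(root, links)
    roles = {}
    # One root port per non-root switch.
    for sw in bridge_ids:
        if sw == root:
            continue
        candidates = [(cost[nb] + c, bridge_ids[nb], nb)
                      for a, b, c in links for s, nb in ((a, b), (b, a)) if s == sw]
        _, _, best = min(candidates)
        roles[(sw, best)] = "root"
    # One designated port per link.
    for a, b, _ in links:
        designated = min((a, b), key=lambda s: (cost[s], bridge_ids[s]))
        roles.setdefault((designated, a if designated == b else b), "designated")
    # Everything left over is blocked, which is what breaks the loop.
    for a, b, _ in links:
        for s, nb in ((a, b), (b, a)):
            roles.setdefault((s, nb), "blocked")
    return roles


if __name__ == "__main__":
    for (sw, nb), role in sorted(stp_port_roles(LINKS, BRIDGE_IDS).items()):
        print(f"{sw} port toward {nb}: {role}")
```

On the constructed topology S1 becomes root, S2 and S3 both reach it at cost 4, and the tie on the S2-S3 link is broken by bridge ID, so S3's port toward S2 is the one blocked; the triangle is now loop-free while the cable stays in place for failover.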

Now, when it comes to the type of routing protocol SpectrumX might consider implementing, we must compare static and dynamic routing. Static routes carry a lot of overhead: they must be configured manually, they are hard to scale because they must be configured on every router that needs the route, and every new network requires a new static route. Dynamic routing protocols, on the other hand, listen to discover which other routers are adjacent to them. Each router then builds a table and sends out its own advertisements to its neighbours. These advertisements let the routers collaboratively build routing tables, which they use to decide where traffic should be directed. Various criteria may be used to determine the optimal route to a destination, and on that basis we might consider the following types of dynamic routing protocol:

  • Distance vector routing protocols: These define the best route on the basis of how many hops lie between routers, in other words how many routers a packet must pass through to reach its destination. Each router maintains a routing table that tracks the destination network, the distance (in hops) to that destination, and the next router to which a packet should be sent to reach the destination in the fewest hops. This is ideal for small networks but is not highly scalable, becoming cumbersome when hundreds or thousands of routers must be managed. Examples of distance vector routing protocols are RIP and EIGRP.
  • Link-state routing protocols: In a link-state routing protocol, each router collects information about the state of its directly connected links. For each link, the router tracks bandwidth, latency, up or down status, and other attributes. Based on these criteria, a router determines the most efficient path between itself and every other destination in the network. This type of protocol is highly scalable and is often used in large networks. A common link-state routing protocol is OSPF.
  • Hybrid routing protocols: Hybrid routing protocols combine link-state intelligence with distance vector information, aiming to leverage the strengths of each while minimizing their weaknesses. BGP, or Border Gateway Protocol, is commonly used on the internet to connect sites together, and is an example of a hybrid routing protocol. Hybrid routing protocols are highly scalable and can involve less overhead and complexity to implement.

3. Subnetting: purpose and impacts on segmentation and security.

An IP address consists of two parts, the network address and the host address. The network address, or network ID, is a number assigned to the network, so every network has a unique ID. The host address, or host ID, is assigned to the hosts (devices) within that network. Subnetting is what determines which portion of the IP address is the network ID and which is the host ID. Subnets are used to divide larger networks into smaller, more manageable networks. This is achieved by assigning different subnet masks to segment the network. A subnet mask is
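The distance vector exchange described in the first bullet above, simulated end to end: each router starts knowing only its directly connected networks, advertises its table to its neighbours, and every receiver adds one hop, until no table changes. This is an added example, not code from the original report; the router names, networks and links are constructed, and split horizon and the 16-hop infinity are the RIP conventions.

```python
# Added example (not from the original report): a minimal hop-count
# distance vector exchange in the style of RIP.  Router names, attached
# networks and links are constructed for illustration.
import ipaddress

RIP_INFINITY = 16  # RIP treats 16 hops as "unreachable"

# Constructed topology: networks directly attached to each router, and the
# router-to-router adjacencies over which advertisements are exchanged.
ATTACHED = {
    "R1": ["10.1.0.0/24"],
    "R2": ["10.2.0.0/24"],
    "R3": ["10.3.0.0/24"],
}
NEIGHBOURS = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}


def initial_tables(attached):
    """Each router starts with only its directly connected networks at 0 hops.
    Table shape: {network: (hops, next_hop)}."""
    return {r: {net: (0, "direct") for net in nets} for r, nets in attached.items()}


def advertise(tables, neighbours):
    """One advertisement round.  Every router sends its table to each neighbour;
    the neighbour adds one hop and keeps the route only if it is shorter.
    Returns (new_tables, changed)."""
    new = {r: dict(t) for r, t in tables.items()}
    changed = False
    for sender, table in tables.items():
        for receiver in neighbours[sender]:
            for net, (hops, next_hop) in table.items():
                # Split horizon: never advertise a route back to the router it came from.
                if next_hop == receiver:
                    continue
                candidate = min(hops + 1, RIP_INFINITY)
                current = new[receiver].get(net)
                if current is None or candidate < current[0]:
                    new[receiver][net] = (candidate, sender)
                    changed = True
    return new, changed


def converge(attached, neighbours, max_rounds=RIP_INFINITY):
    """Run rounds until no router learns anything new.  Returns (tables, rounds)."""
    tables = initial_tables(attached)
    for rounds in range(1, max_rounds + 1):
        tables, changed = advertise(tables, neighbours)
        if not changed:
            return tables, rounds
    return tables, max_rounds


def lookup(table, dst_ip):
    """Forwarding decision: longest-prefix match of dst_ip against one router's table.
    Returns the next hop, or None if the destination is unknown or unreachable."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(net, entry) for net, entry in table.items()
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    _, (hops, next_hop) = max(matches, key=lambda m: ipaddress.ip_network(m[0]).prefixlen)
    return next_hop if hops < RIP_INFINITY else None


if __name__ == "__main__":
    tables, rounds = converge(ATTACHED, NEIGHBOURS)
    print(f"converged after {rounds} rounds")
    for router, table in tables.items():
        for net, (hops, nh) in sorted(table.items()):
            print(f"{router}: {net} hops={hops} via {nh}")
```

The three-router chain converges in three rounds: R1 learns 10.2.0.0/24 at one hop directly from R2, and 10.3.0.0/24 at two hops only after R2 has itself learned it from R3, which is the round-by-round propagation that makes this family of protocols slow to scale to hundreds of routers.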
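The network ID / host ID split and the use of subnet masks to carve one network into smaller ones, worked through in code. This is an added example and not part of the original report; the address ranges and department names are constructed. Whether two hosts fall in the same subnet is exactly what decides whether traffic between them stays in one broadcast domain or must cross a router, which is where a segmentation policy can be enforced.

```python
# Added example (not from the original report): splitting an IPv4 address into
# network ID and host ID under a mask, and carving a larger network into
# per-department subnets.  All addresses and names are constructed.
import ipaddress


def split_address(ip, mask):
    """Return (network_id, host_id) for an IPv4 address under a dotted-decimal mask.
    The network ID is the bits where the mask is 1; the host ID is the rest."""
    addr = int(ipaddress.IPv4Address(ip))
    m = int(ipaddress.IPv4Address(mask))
    network_id = addr & m
    host_id = addr & ~m & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(network_id)), str(ipaddress.IPv4Address(host_id))


def same_subnet(ip_a, ip_b, mask):
    """True if both hosts share a network ID under this mask, i.e. can talk
    directly at layer 2 without a router in between."""
    return split_address(ip_a, mask)[0] == split_address(ip_b, mask)[0]


def carve_subnets(base_cidr, new_prefix, departments):
    """Carve base_cidr into equal /new_prefix subnets and assign one per department.
    Returns {department: {network, mask, first_host, last_host, broadcast, usable}}."""
    subnets = ipaddress.ip_network(base_cidr).subnets(new_prefix=new_prefix)
    plan = {}
    for dept, net in zip(departments, subnets):
        hosts = list(net.hosts())
        plan[dept] = {
            "network": str(net),
            "mask": str(net.netmask),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
            "usable": net.num_addresses - 2,  # minus network and broadcast addresses
        }
    return plan


def department_of(ip, plan):
    """Which department's subnet contains this host, or None if it fits none."""
    addr = ipaddress.ip_address(ip)
    for dept, info in plan.items():
        if addr in ipaddress.ip_network(info["network"]):
            return dept
    return None


if __name__ == "__main__":
    # Constructed addressing plan: a /16 split into /24 department subnets.
    plan = carve_subnets("10.20.0.0/16", 24, ["Sales", "Engineering", "Finance"])
    for dept, info in plan.items():
        print(dept, info)
    print(split_address("192.168.10.77", "255.255.255.0"))
    print(same_subnet("192.168.10.77", "192.168.11.5", "255.255.255.0"))
```

Note the effect of the mask alone: the same two hosts that are in different subnets under 255.255.255.0 are in the same subnet under 255.255.0.0, so the mask, not the addresses, determines how finely the network is segmented.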

Sales departments of SpectrumX, most devices used by the company are already capable of supporting IPv6, which would otherwise be the primary obstacle to this implementation. While a transition to IPv6 will be required for most corporations in the future, the prevalence of IPv4-only devices continues to be a challenge and might give pause to a full transition. This being the case, one approach SpectrumX might consider is replacing IPv4-only devices, where possible, with equivalent dual-stack capable devices, which can still communicate with legacy IPv4 devices while being integrated into SpectrumX's new IPv6 networking paradigm, which is likely to pay dividends in the future.

Exercise 2: Network Access

Network Access Recommendations

for InfinityX

Pablo Reis Geraidine
InfinityX
November 10th, 2024

1. Importance of securing the company's network resources.

Enterprise computer networks consist of many network devices, servers, and connections. It is important to manage who has access to which resource, so that only authorized users can manage and change these elements and their configurations. As a network expands and grows in complexity, however, it becomes infeasible to maintain a separate list of authorized users on each device. A protocol such as TACACS is useful for addressing this issue. TACACS runs in the background, transparently to users, while centralizing login privileges in a single system and streamlining management, ultimately enhancing network security. Most enterprise and carrier-class devices already support TACACS from the factory, requiring only that the functionality be enabled. Given this, it is unsurprising that TACACS is the fastest, simplest, and most cost-effective way to implement network security and management enhancements with low overhead costs.

Another useful protocol is LDAP, which stands for Lightweight Directory Access Protocol. This protocol is often used by applications that need to retrieve information on employees, on devices such as printers and computers, and essentially on any resource that requires access management. LDAP is designed to serve far more read operations than write operations against its database, which matches typical day-to-day use and allows LDAP to be the lightest-weight access management protocol available. This has made the protocol very prominent across enterprises worldwide, and it is certain to be useful to InfinityX.

2. The benefits of deploying Bastion host servers for access, and utilizing Remote Desktop Protocols for accessing server GUI.

If a network administrator needs to securely connect to and manage a network device, they will often do so by accessing its command line interface (CLI), initiating an SSH (Secure Shell) or Telnet session against the device's IP address. While these cryptographic protocols may allow the administrator to reach the command line of these devices over the internet, they also require each device to have a public IP address, inflating costs, and require each device to be exposed to the internet, reducing overall security. A solution to this problem is for InfinityX to deploy redundant Bastion Hosts in its network. If InfinityX chooses to follow this approach, I recommend deploying the Bastion Hosts to support both IPv4 and IPv6, and linking Authentication, Authorization, and Accounting to an LDAP server for centralized access control. A Bastion Host is essentially a computer with two network interfaces. One interface is positioned on the public internet, allowing remote access for anyone with an internet connection (more on the required security measures later), while the second interface is plugged into the company's private network. Because the Bastion host is exposed to the internet and vulnerable to malicious activity, it must be protected with measures such as Access Control Lists (ACLs), firewalls, or VPNs. While securing the Bastion host against these potential vulnerabilities takes effort, the approach is ultimately beneficial to the company, since the other network devices no longer need public IP addresses and their security no longer has to be managed individually. When a network admin initiates a Telnet or SSH session, the request goes via the internet to the Bastion host, which then connects to the secured network devices within the private network, improving overall security.

Alternatively, instead of accessing the command line interface through a Bastion host server, InfinityX might consider the benefits of deploying Remote Desktop Protocols for accessing their servers' graphical interface. The protocols outlined in this report are RDP and VNC. If you wish to allow your network administrators to access their desktops or laptops from anywhere on the globe, they can use one of these protocols to control a computer remotely. Windows users will find a built-in solution for remote desktop access called RDP (Remote Desktop Connection). Since RDP is built into most Windows devices, it does not require any additional software to set up; it also allows file transfer between PCs and provides a high level of control, letting users manage all of their applications. Some drawbacks of RDP, however, are that connections are limited to Windows machines connecting to other Windows machines, and that when accessing a machine from outside the local network, a user will need to ask the network admin to open ports in the router or firewall for the connection. Another solution for remote desktop access is VNC, or Virtual Network Computing. VNC allows a user to control another computer remotely by sending keyboard and mouse input from a lightweight client computer to the larger remote server computer. Unlike RDP, VNC allows clients running

While Syslog will be useful for identifying network logs of differing severities as they occur, it will also be important for InfinityX to proactively monitor its network, so as to remediate potential issues before they manifest themselves. For example, as the network grows in complexity, it is likely that at some point services will start to slow down. When this occurs, the main priority is to identify the specific device or link that is causing the issue. Instead of only reacting to logs aggregated on the Syslog server, InfinityX can stay proactive by implementing the Simple Network Management Protocol, or SNMP for short. SNMP continuously monitors the network's health and identifies looming problems pre-emptively, allowing the management server to collect device information such as link speed, CPU usage, memory usage, device temperature, and fan speeds, among a multitude of other relevant metrics. Not only that, but SNMP also enables InfinityX's management server to store data for historical reference, allowing, for example, the identification of the peak periods when internet usage is at its highest. It can also feed graphs and charts in web-based dashboards or data visualization software such as Microsoft Power BI. Implementing both protocols should keep InfinityX one step ahead of potential issues in its network and empower the organization to take the necessary steps to address issues as they arise, thus reducing downtime and ensuring high availability and uninterrupted service 24/7.