Intro to computer networks assessment 2 - detailed information and recommendation report relating to Network Segmentation and Network Access
Exercise 1: Network Segmentation
Pablo Reis Geraidine, SpectrumX, November 10th, 2024
1. VLANs: benefits & cost-savings.

It is important for SpectrumX to segment its network into different broadcast domains, both to improve security and to provide proper separation between departments as needed. While this could be achieved by deploying a separate physical switch for each domain, that approach is expensive to scale: it means maintaining many more switches, with many interfaces on each switch going unused. What if there was a way to combine these switches and use their interfaces more efficiently, while maintaining the desired level of network segmentation? This is where VLANs can prove beneficial for SpectrumX. With VLANs, we can assign the interfaces of each switch to particular networks as needed, maintaining the separation of broadcast domains while remaining unconstrained by the physical location of each switch. A device can be moved from one VLAN to another, for example, without rewiring it into a different switch. This reduces operational costs and significantly reduces the amount of hardware required to maintain the desired level of segmentation, since far fewer interfaces go unused.

2. Overview of Spanning Tree and Routing Protocols: types and benefits to the organization.

Spanning Tree Protocol, or STP for short, prevents loops when redundant switches are used, and so prevents the broadcast storms caused by broadcast frames, or by unicast frames whose destination address is unknown, along with the related problems that arise from them. STP works by having the switches in a loop block one of their ports. The blocked port is still physically connected to the other switch, but the protocol tells the switch to ignore frames received on it. This effectively prevents the network from being overloaded by broadcast storms, unstable MAC address tables, and duplicate frames.
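To make the segmentation argument in section 1 concrete, here is an added example (not part of the original report) that models two 802.1Q-aware switches joined by a trunk and shows which ports receive a broadcast. The switch names, port numbers and VLAN ids are constructed sample values.

```python
# Added illustration, not part of the original report: a minimal model of
# 802.1Q VLAN switching showing how per-port VLAN assignment confines a
# broadcast to one broadcast domain, even across a trunk between switches.
# Switch names, port numbers and VLAN ids below are constructed sample values.

class VlanSwitch:
    def __init__(self, name, access_ports, trunk_ports):
        self.name = name
        self.access = dict(access_ports)  # port -> untagged (access) VLAN id
        self.trunk = dict(trunk_ports)    # port -> (peer switch, peer port)

    def _flood(self, ingress, vlan, fabric, seen):
        """Deliver a frame classified into `vlan` to every port in that VLAN
        except `ingress`; forward it tagged over trunks to unvisited switches."""
        delivered = set()
        for port, port_vlan in self.access.items():
            if port != ingress and port_vlan == vlan:
                delivered.add((self.name, port))
        for port, (peer, peer_port) in self.trunk.items():
            if port != ingress and peer not in seen:
                seen.add(peer)
                # The frame leaves tagged with `vlan`; the peer classifies it by
                # the tag, so the broadcast domain spans both switches.
                delivered |= fabric[peer]._flood(peer_port, vlan, fabric, seen)
        return delivered


def broadcast_domain(fabric, switch, port):
    """Ports that receive an untagged broadcast sent into `switch`:`port`."""
    vlan = fabric[switch].access[port]  # the access port classifies the frame
    return sorted(fabric[switch]._flood(port, vlan, fabric, {switch}))


def build_fabric(segmented=True):
    """Two switches joined by one trunk. With segmented=False every access
    port sits in VLAN 1, i.e. the flat network the report argues against."""
    a_ports = {1: 10, 2: 10, 3: 20} if segmented else {1: 1, 2: 1, 3: 1}
    b_ports = {1: 10, 2: 20} if segmented else {1: 1, 2: 1}
    sw_a = VlanSwitch("swA", a_ports, {24: ("swB", 24)})
    sw_b = VlanSwitch("swB", b_ports, {24: ("swA", 24)})
    return {"swA": sw_a, "swB": sw_b}


if __name__ == "__main__":
    # VLAN 10 = swA/1, swA/2, swB/1 (one department); VLAN 20 = swA/3, swB/2
    print(broadcast_domain(build_fabric(), "swA", 1))       # [('swA', 2), ('swB', 1)]
    print(broadcast_domain(build_fabric(False), "swA", 1))  # every other port
```

A broadcast from swA port 1 reaches swB port 1 across the trunk but never swA port 3 or swB port 2, which is exactly the containment a flat switch fabric cannot provide.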
Now, when it comes to the type of routing protocol SpectrumX might consider implementing, we must look at static versus dynamic routing. Static routes carry a lot of overhead: they must be configured manually, they are hard to scale because they must be configured on every router that needs the route, and every new network requires a new static route. Dynamic routing protocols, on the other hand, listen for other routers located near them. Each router then builds a table and sends out its own advertisements to nearby routers. These advertisements allow the routers to collaboratively build routing tables, which they use to determine where traffic should be directed. Various criteria may be considered to determine the optimal route to a destination, and for this we might consider the following types of dynamic routing protocols:
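The advertisement exchange described above, as an added example that is not part of the original report: a distance-vector computation (the approach RIP uses) in which each router starts knowing only itself and learns every other destination purely from neighbours' advertisements. Router names and link costs are constructed sample values.

```python
# Added illustration, not part of the original report: a distance-vector
# routing exchange in which routers learn routes from neighbours' advertisements
# instead of an administrator entering a static route on every router.
# Router names and link costs are constructed sample values.

INF = float("inf")


def distance_vector(links, max_rounds=16):
    """links: {(router_a, router_b): cost}. Returns, per router, a routing
    table {destination: (cost, next_hop)} built purely from advertisements."""
    neighbours = {}
    for (a, b), cost in links.items():
        neighbours.setdefault(a, {})[b] = cost
        neighbours.setdefault(b, {})[a] = cost
    # Each router initially knows only itself; nothing is configured by hand.
    tables = {r: {r: (0, r)} for r in neighbours}
    for _ in range(max_rounds):
        # Every router advertises its current {destination: cost} to neighbours.
        adverts = {r: {d: c for d, (c, _) in t.items()} for r, t in tables.items()}
        changed = False
        for r, nbrs in neighbours.items():
            for nbr, link_cost in nbrs.items():
                for dest, adv_cost in adverts[nbr].items():
                    candidate = link_cost + adv_cost
                    if candidate < tables[r].get(dest, (INF, None))[0]:
                        tables[r][dest] = (candidate, nbr)
                        changed = True
        if not changed:  # converged: no router learned anything new this round
            break
    return tables


def path(tables, src, dst):
    """Follow next-hop entries hop by hop, as forwarded traffic would."""
    hops = [src]
    while hops[-1] != dst:
        hops.append(tables[hops[-1]][dst][1])
    return hops


if __name__ == "__main__":
    sample_links = {("A", "B"): 1, ("B", "C"): 1, ("A", "C"): 5, ("C", "D"): 1}
    tables = distance_vector(sample_links)
    print(tables["A"]["D"])        # (3, 'B'): cheaper via B than the direct 5-cost link to C
    print(path(tables, "A", "D"))  # ['A', 'B', 'C', 'D']
```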
Sales departments of SpectrumX, most devices used by the company are already capable of supporting IPv6, which would otherwise be the primary obstacle to overcome in this implementation. While a transition to IPv6 will be required for most corporations in the future, the prevalence of IPv4-only devices continues to be a challenge and may give pause before executing a full transition. This being the case, one approach SpectrumX might consider is replacing all IPv4 devices, where possible, with equivalent dual-stack capable devices, which can still communicate with legacy IPv4 devices while being integrated into SpectrumX's new IPv6 networking paradigm, which is likely to pay dividends in the future.

Exercise 2: Network Accessing
Pablo Reis Geraidine, InfinityX, November 10th, 2024
1. Importance of securing the company's network resources.

Enterprise computer networks consist of multiple network devices, servers, and connections. It is important to manage who has access to which resource, so that only authorized users can manage and make changes to these elements and their configurations. As a network expands and grows in complexity, however, it becomes unfeasible to maintain lists of users with access to each device. A protocol such as TACACS addresses this issue. TACACS runs in the background, transparent to users, while centralizing user login privileges in a single system and streamlining management, ultimately enhancing network security. Most enterprise and carrier-class devices already provide TACACS support from the factory, requiring only that the functionality be enabled. It is therefore unsurprising that TACACS is the fastest, simplest, and most cost-effective way to implement network security and management enhancements with low overhead costs. Another useful protocol is LDAP, which stands for Lightweight Directory Access Protocol. This protocol is often used by applications that need to retrieve information on employees, on devices such as printers and computers, and on essentially any resource that needs access management. LDAP is designed to support a much higher number of read operations than write operations against the database, which is consistent with typical day-to-day use and allows LDAP to be the lightest-weight access management protocol available. This has made the protocol very prominent across enterprises worldwide, and it is certain to be useful to InfinityX.
2. The benefits of deploying Bastion host servers for access, and utilizing Remote Desktop Protocols for accessing server GUIs.

If a network administrator needs to securely connect to and manage a network device, they will often do so by accessing its command line interface (CLI), initiating an SSH (Secure Shell) or Telnet session against the device's IP address. While these cryptographic protocols may allow the network administrator to reach the command line of these devices over the internet, they also require each device to have a public IP address, inflating costs, and require each device to be exposed to the internet, reducing overall security. A solution to this problem is for InfinityX to deploy redundant bastion hosts in its network. If InfinityX chooses to follow this approach, I recommend deploying the bastion hosts to support both IPv4 and IPv6, and linking Authentication, Authorization, and Accounting to an LDAP server for centralized access control. A bastion host is essentially a computer with two network interfaces. One interface is positioned on the public internet, allowing remote access for anyone with an internet connection (more on the required security measures later), while the second network interface is plugged into the company's private network. Because the bastion host is exposed to the internet and vulnerable to malicious activity, it must be protected with measures such as Access Control Lists (ACLs), firewalls, or VPNs. While it is important to secure the bastion host against potential vulnerabilities, it is ultimately beneficial to the company, since the network devices no longer need public IP addresses and device security does not need to be managed individually. When a network admin initiates a Telnet or SSH session, the request travels over the internet to the bastion host, which then connects to the network devices within the private network, improving overall security.
Alternatively, instead of accessing the command line interface through a bastion host, InfinityX might consider the benefits of deploying remote desktop protocols for accessing their servers' graphical interfaces. The protocols we will outline in this report are RDP and VNC. If you wish to allow your network administrators to access their desktops or laptops from anywhere in the world, they can use one of these protocols to control a computer remotely. Windows users will find a built-in solution for remote desktop access called RDP (Remote Desktop Connection). Since RDP is built into most Windows devices, it does not require any additional software to set up; it also allows files to be transferred between PCs and provides a high level of control, allowing users to manage all of their applications. Some drawbacks of RDP, however, are that the connection is limited to Windows machines connecting to other Windows machines, and that when accessing a machine from outside the local network, a user will need to ask the network admin to open ports in the router or firewall for the connection. Another solution for remote desktop access is VNC, or Virtual Network Computing. VNC allows a user to control another computer remotely by sending keyboard and mouse input from a lightweight client computer to the larger remote server computer. Unlike RDP, VNC allows clients running
While Syslog will be useful for identifying network logs of differing severities as they occur, it will also be important for InfinityX to proactively monitor its networks, so as to remediate potential issues before they manifest themselves. For example, as your network grows in complexity, it is likely that at some point services will start to slow down. When this occurs, the main priority is to identify the specific device or link that is causing the issue. Instead of only reacting to logs aggregated in the Syslog server, InfinityX can stay proactive in remediation by implementing the Simple Network Management Protocol, or SNMP for short. SNMP continuously monitors your network's health and identifies looming problems pre-emptively, allowing the management server to collect device information such as link speed, CPU usage, memory usage, device temperature, and fan speeds, among a multitude of other relevant metrics. Not only that, but SNMP can also enable InfinityX's management server to store data for historical reference, allowing, for example, the identification of peak periods when internet usage is at its highest. It can also support the development of graphs and charts in web-based dashboards or data visualization software such as Microsoft Power BI. The implementation of both protocols should enable InfinityX to stay one step ahead of potential issues in its network and empower the organization to take the necessary steps to address issues as they arise, thus reducing downtime and ensuring high availability and uninterrupted service 24/7.
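As an added example that is not part of the original report, the following parser decodes the BSD-style (RFC 3164) syslog lines a switch or bastion host would send to InfinityX's Syslog server, splits the `<PRI>` field into facility and severity, and picks out the messages that need immediate attention. The sample log lines are constructed, not captured from a real device.

```python
# Added illustration, not part of the original report: parsing BSD-style
# (RFC 3164) syslog lines, decoding <PRI> into facility and severity, and
# selecting the records at or above a chosen severity.
# The sample log lines below are constructed, not captured from a real device.
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "log-alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# <PRI>TIMESTAMP HOST TAG: MESSAGE   where PRI = facility * 8 + severity
LINE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$")


def parse_syslog(line):
    """Return a dict with decoded facility/severity, or None if the line is malformed."""
    m = LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    return {"facility": FACILITIES[pri // 8], "severity": pri % 8,
            "severity_name": SEVERITIES[pri % 8], "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "message": m.group(5)}


def needs_attention(lines, worst_allowed=3):
    """Keep records at severity `worst_allowed` (3 = err) or more urgent (lower number)."""
    records = (parse_syslog(line) for line in lines)
    return [r for r in records if r and r["severity"] <= worst_allowed]


SAMPLE_LINES = [  # constructed examples; 187 = local7.err, 190 = local7.info, 38 = auth.info, 28 = daemon.warning
    "<187>Nov 10 08:15:02 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/24, changed state to down",
    "<190>Nov 10 08:15:05 core-sw1 %SYS-6-CONFIG_I: Configured from console by admin on vty0",
    "<38>Nov 10 08:16:40 bastion-1 sshd[2112]: Accepted publickey for netadmin from 198.51.100.4 port 51022 ssh2",
    "<28>Nov 10 08:17:01 bastion-1 ntpd[913]: no servers reachable",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for rec in needs_attention(SAMPLE_LINES):
        print(rec["host"], rec["facility"], rec["severity_name"], rec["message"])
```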