Network Operations Domain 3.0


3.0 Network Operations

• 3.1 Given a scenario, use appropriate documentation and diagrams to manage the network.
• 3.2 Compare and contrast business continuity and disaster recovery concepts.
• 3.3 Explain common scanning, monitoring and patching processes and summarize their expected outputs.
• 3.4 Given a scenario, use remote access methods.
• 3.5 Identify policies and best practices.

3.1 Given a Scenario, Use Appropriate Documentation and Diagrams to Manage the Network

• Diagram Symbols
• Standard Operating Procedures / Work Instructions
• Logical vs. Physical Diagrams
• Rack Diagrams
• Change Management Documentation
• Wiring and Port Locations
• IDF/MDF Documentation
• Labeling
• Network Configuration and Performance Baselines
• Inventory Management

Diagram Symbols

• A network diagram is a visual representation of an actual system; it relies on symbols to convey meaning
• Symbols must be recognizable and consistent
• Cisco
• Other vendors and company offerings
• Important for planning, implementation, and change management

Common Cisco Icons

• Hub
• Router
• Router w/ Firewall
• ASA Firewall
• Switch
• Multilayer Switch
• Ethernet Link
• Serial Link

Common Cisco Icons (cont'd)

• Wireless Access Point
• Dual Band Wireless Access Point
• Wireless Link
• Wireless Router
• Wireless Bridge
• WAN Cloud
• Wireless Controller

Cisco Icons (cont'd)

• Standard Host
• Server
• Laptop
• Database
• IP Phone
• Printer
• Telecommuter
• Generic Building

[Figure: "Campus Network Infrastructure" diagram example. Recoverable content: WLAN STAFF VLAN 8, WLAN STUDENT VLAN 7, WLAN IT VLAN 1; ten C2702 LWAPPs on VLAN 6 (10.1.6.0/24); WS-3850 CORE on Vlan 2; FW-1 ASA 5545-X in routed mode; MAIN c2911 edge router; VLAN 98, VLAN 99 and VLAN 5 subnets; ISP (35 Mb, coax), telephone (ISDN PRI E1) and OpenVox IX123 PABX-1 links; distribution switches DSW-G-1/G-2, DSW-1-1/1-2, DSW-2-1/2-2; access switches ASW-G-1/G-2/G-3, ASW-1-1, ASW-2-1/2-2 and ACCOUNTING, all on Vlan 2; PoE camera switches PoE-SW-G-1 (ground and 1st floors), PoE-SW-2-1-A and PoE-SW-2-1-B (2nd floor); media converters G-1 and G-2; Gi/Fa port numbers on each uplink. Note: all switches except CORE and PoE-x-x are Cisco C2960X.]

Standard Operating Procedures / Work Instructions

Standard Operating Procedures

• Best practice for executing tasks
• Hardware and software planning and maintenance
• Incident and change management
• The top layer of documents that are shared with the customer
• Usually do not contain confidential information

Work Instructions

• Instructions to perform a specific piece of work
• Specific to your environment
• May just be a series of bullet points or high-level steps
• Will then depend on procedure documents for exact steps

Procedures Document

• More detailed than an SOP
• Usually product-specific but implementation-generic
• Sometimes contains a description of the steps and visuals
• May include use cases and workflow diagrams
• Documents will be used during audits

Logical vs. Physical Diagrams

Logical Diagram

• Used by technicians to trace/troubleshoot the flow of data
• Focused more on electrical connectivity than on physical location
• Technicians must deduce where devices or cabling are physically located

[Figure: "Logical Diagram Example" for the CUZ MUNALI AND CAIRO SHOPRITE CAMPUS NETWORK INFRASTRUCTURE: ISP fiber optic-to-Ethernet media converter; Cisco WS-3850 core switch and WAP controller (x.y.z.2/30); TRENDnet TEW-731BR SOHO NAT router (172.16.0.1 on Gi1/0/42) fronting 172.16.0.0/20, with a host at 172.16.0.3; WLAN STUDENT VLAN 7 and VLAN 6; C2702 LWAPPs (5 at Campus 2, 6 at Campus 3); computer lab unmanaged switches; lab computers (15 at Campus 2, 10 at Campus 3); eGranary library content server; college satellite campuses.]

Physical Diagram

• Used by technicians to physically locate devices and cabling
• If required, may be highly physically detailed
• May include precise measurements and exact connector types
• Or may be partly "logical" for visual simplicity
• May just show a "count" of desktop computers or phones in a room
• Devices should be easily located once the technician is in the room
• A topology diagram is a type of physical diagram

[Figure: "Simple Topology Diagram Example", showing the ISP incoming fiber optic link.]

Rack Diagrams

• Show how computer and network equipment is organized in an equipment rack
• Show technicians where to find each piece of equipment
• Visually simpler and "cleaner" than using a photo for documentation
• Display the location of each device
• Often used to help designers/administrators visualize which racks to purchase and how to organize the equipment/cabling
• Many vendors have software to help network administrators create the diagrams

[Figure: "Rack Diagram Example" of the server room ground floor racks: telco media converter, Classroom DC-1 server, database server, Prod DC server, library content server, SNMP manager, Cisco c2911 edge router.]

Change Management Documentation

• Used to establish the process to manage change within a network
• Documents how changes will be proposed, accepted, monitored, and controlled
• Includes instructions for each type of change
• Specifies the versioning format for tagging documents under its control

Wiring and Port Locations

• Visualize the placement of devices and cabling
• Good for any network
• Especially important in medium to large networks
• Helps with installation, configuration changes, and troubleshooting
• Need to be accompanied by schematic or rack diagrams

IDF/MDF Documentation

Need for Cable Management

[Images courtesy Pixabay & Wikimedia]

Structured Cabling

• Organize cabling horizontally and vertically
• Standardize structures so technicians at all facilities have identical environments
• Easier to document
• Easier expansion
• Facilitates maintenance
• Consistency helps manage complexity
• Aids troubleshooting

Main Distribution Frame (MDF)

• Usually the communications room
• Core switches live here
• Located in the primary wiring closet
• Typically one or more steel racks with termination (110 or 66) blocks
• The incoming telco local loop is terminated here

[Image: Telco Main Distribution Frame (MDF). By Thaler Tamas - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=58918735]

Intermediate Distribution Frame (IDF)

• Smaller version of the MDF
• Distribution racks
• Distribution switches live here
• Usually covers part of the building (a floor or floors)

[Figure: "MDF and IDF Logical Diagram" showing horizontal and vertical cabling deployment: server room with MDF, vertical cabling, distribution rack/IDF, horizontal cabling.]

Horizontal Cabling

[Figure: "Horizontal Cabling (cont'd)", horizontal cabling under the floor. Image courtesy Wikimedia.]

Vertical Cabling

• Cabling is usually secured to a ladder rack
• If cabling is not designed to support its own weight vertically, it might be secured to a stronger item such as a pipe or rope, which is then secured to the ladder

Using a Vertical Cable Rack

• Leave about 20–25% free space
• Bundle Cat5e/6/6a etc. Ethernet cables OR fiber optic cables

Fiber Optic Vertical Cable Strain Relief

• Remove a small section of sheathing from the end of the cable
• Use that "skin" to wrap the sheath of the cable underneath before clamping
• You can also use a fiber optic cable skin to wrap multiple CAT5/6/7 etc. cables

Examples of Good Cable Management

[Images courtesy Wikimedia]

Good Examples of Cable Management (cont'd)

• Proper airflow in the rack!

[Images courtesy Wikimedia]

Labeling

• Easy identification of all devices and cabling
• Correlates to documentation
• Facilitates troubleshooting and maintenance

[Image courtesy Wikimedia]

Minimal Labeling Should Include:
• Cabling
• Servers
• Network devices
• WAN links
• User information

Labeling Best Practices
• Logical and consistent, across all locations, matching the project drawings
• Identify the associated physical locations (building, room, cabinet, rack, port, etc.)
• Easily read, durable, and capable of surviving for the life of the component that was labeled
• The labeling system, and the identifiers used, must be agreed upon by all stakeholders
• Should be pervasive
• Cables and connecting hardware should be labeled
• So should conduits and firestops, grounding and bonding locations, racks, cabinets, ports, and telecommunications spaces

ANSI/TIA-606-B
• A voluntary standard
• Establishes the labeling and record-keeping standards for:
  • telecommunications and network systems
  • industrial, residential, and healthcare facilities

ANSI/TIA-606-B Example

• 3MK02-35:05/DC.A04-35:05
• "/" separates the near-end identification from the far-end identification

3MK02-35:05 / DC.A04-35:05

• 3MK02 – The first element identifies the rack location at the near end of the cable.
  • "3" = third floor
  • "MK" = marketing department
  • "02" = second cabinet in that third-floor marketing equipment room
• -35 = Patch panel located 35 rack units from the bottom of the cabinet specified as 3MK02 just previously
• :05 = Specific port in the patch panel; this is port 05.

ANSI/TIA-606-B Example (cont'd)

• DC.A04 = Cabinet location, but this time for the far end of the cable
  • The far end of the cable is in the Data Center (DC)
  • Fourth cabinet in row "A"
• -35 = The patch panel located 35 rack units from the bottom of the cabinet in question, A04
• :05 = Specific port in the patch panel
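The label format walked through above, as an added parser (example code, not from the slide deck): it splits the near and far ends on "/", breaks each end into cabinet, rack unit and port, and checks that the labels printed at both ends of one cable mirror each other. The field names and the "floor + space + cabinet" versus "space.row + cabinet" cabinet-id forms are assumptions taken from the deck's reading of 3MK02 and DC.A04.

```python
"""ANSI/TIA-606-B style link-label parser for labels such as
3MK02-35:05/DC.A04-35:05 (added example, not the deck's code)."""
import re

# <cabinet id>-<rack unit>:<port>, where the cabinet id is one of two assumed forms:
#   <floor><space><cabinet>  e.g. 3MK02  (3rd floor, MK = marketing, cabinet 02)
#   <space>.<row><cabinet>   e.g. DC.A04 (data center, row A, cabinet 04)
_END = re.compile(
    r"^(?P<floor>\d+)?(?P<space>[A-Z]+)(?:\.(?P<row>[A-Z]+))?(?P<cabinet>\d{2})"
    r"-(?P<ru>\d{1,2}):(?P<port>\d{2})$"
)


def parse_end(text):
    """Parse one end of the label into its location fields."""
    m = _END.match(text)
    if not m:
        raise ValueError(f"not a TIA-606-B link end: {text!r}")
    d = m.groupdict()
    return {
        "cabinet_id": text.split("-")[0],
        "floor": d["floor"],      # None when the id carries no floor (DC.A04)
        "space": d["space"],
        "row": d["row"],          # None when the id carries no row (3MK02)
        "cabinet": d["cabinet"],
        "ru": int(d["ru"]),       # rack units from the bottom of the cabinet
        "port": int(d["port"]),   # port in the patch panel at that RU
    }


def parse_link_label(label):
    """'/' separates the near-end identification from the far-end identification."""
    near, sep, far = label.partition("/")
    if not sep:
        raise ValueError("link label needs '/' between near and far end")
    return {"near": parse_end(near), "far": parse_end(far)}


def format_end(end):
    return f'{end["cabinet_id"]}-{end["ru"]:02d}:{end["port"]:02d}'


def far_end_label(label):
    """The same cable as labeled at its far end: the two ends swap places."""
    p = parse_link_label(label)
    return f'{format_end(p["far"])}/{format_end(p["near"])}'


def ends_agree(label_a, label_b):
    """True when the labels at the two ends of one cable describe each other."""
    pa, pb = parse_link_label(label_a), parse_link_label(label_b)
    return pa["near"] == pb["far"] and pa["far"] == pb["near"]


def describe(end):
    """Plain-language reading of one end, in the deck's style."""
    parts = [f'space {end["space"]}']
    if end["floor"]:
        parts.insert(0, f'floor {end["floor"]}')
    if end["row"]:
        parts.append(f'row {end["row"]}')
    return (f'cabinet {end["cabinet"]} ({", ".join(parts)}), '
            f'patch panel at RU {end["ru"]}, port {end["port"]}')


if __name__ == "__main__":
    label = "3MK02-35:05/DC.A04-35:05"
    parsed = parse_link_label(label)
    print("near:", describe(parsed["near"]))
    print("far: ", describe(parsed["far"]))
    print("label at far end:", far_end_label(label))
```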

Network Configuration and Performance Baselines

• Creating a baseline gives an administrator a starting point for comparison that aids in:
  • Measuring performance statistics
  • Troubleshooting problems with applications
• Create a baseline by capturing statistics
• Baselines change, so administrators must be constantly aware of changes in the network and update the baseline when needed

Inventory Management

• The process of keeping records of network assets
• Enables network administrators/businesses to have a physical record of network equipment within the organization
• Improves efficiency
• Reduces cost
• Facilitates reports and analytics
• Allows managers to keep track of assets and plan their purchasing/replacement cycles
• The organization knows its ROI and the size of its network, and theft is minimized!

Network Inventory Management

Network inventory management may include:
• Number of devices, vendor, serial numbers, installation information
• IP addresses of all devices, IP addressing segments used
• Software types, names, license keys and expiration dates

Activity 3.1 - Using Documentation

• Let's see how to use different types of network documentation

3.2 Compare and Contrast Business Continuity and Disaster Recovery Concepts

• Availability Concepts
• Recovery
• MTTR
• MTBF
• SLA Requirements

Availability Concepts

Fault Tolerance

• Capability of a system or network to provide uninterrupted service if one or more of its components fail
• Mitigates and avoids single points of failure
• Avoids losing data or connectivity
• Fault-tolerant environments restore service rapidly following a service outage
• Fault tolerance is associated with business continuity through the use of highly available solutions

High Availability

• A system, network, or service that is continuously operational for a desirable length of time
• Mechanisms include:
  • Fault tolerance
  • Redundant components or systems
  • Load balancing
  • Clustering
  • NIC teaming
  • Port aggregation

Load Balancing

• Two or more systems simultaneously provide the same service
• If one node fails, the other node(s) continue to provide service
• Especially good resilience against denial-of-service attacks
• All systems have their own IP address, but share a common virtual IP address
• Clients connect to the virtual IP address
• Systems do NOT share a common database/data files
• Systems are typically "front end" web sites that "point" to a common back end database server
• Can be a hardware or software solution

[Figure: "Load Balancing Example". A client connects to virtual IP 192.168.1.10, which fronts a load balancing cluster in which all front end web server nodes are active; the nodes point to a single back end database server. Addresses shown in the diagram: 192.168.1.20, 192.168.1.30, 192.168.1.40. Steps 1–4 trace the request path.]

Clustering

• Two or more systems that provide a single service
• Systems typically share a common database/files
• One system is active
• The other system is in standby (passive) mode
• The passive system listens to the "heartbeat" of the active system
• If it stops hearing the heartbeat, the passive system takes control of the data/database/service
• All systems have their own IP address, but also share a common virtual IP address
• Clients connect to the virtual address

[Figure: "Clustering Example". A client connects to the virtual IP; an active node and a passive node share storage. Steps 1–3 trace the failover.]

NIC Teaming

• Network Interface Card teaming combines multiple NICs/connections to create a single "link"
• Aggregates bandwidth
• Increases performance
• Provides fault tolerance
• Also known as aggregation, balancing, and bonding

[Figure: "NIC Teaming Example"]

Port Aggregation

• Logical aggregation of Ethernet switch ports
• Used to increase the bandwidth of a "single" link
• Commonly used in uplinks/trunk links
• Also referred to as EtherChannel
• Two common methods:
  • Cisco proprietary PAgP
  • Vendor-neutral LACP (IEEE 802.3ad/802.1ax)

Port Aggregation Example

• Physical view: multiple ports defined as part of an EtherChannel group
• Logical view: different subsystems running on the switch see only one large link

Power Management

• Devices and planning for fault tolerance include power management
• Uninterruptible power supplies (battery backups)
• Power generators
• Electric providers
• Dual power grid sources

Battery Backups / UPS

• UPSs, or uninterruptible power supplies (battery backup)
• Multiple types
• Data availability
• Protection from data loss
• Protect hardware from damage
  • Blackouts, spikes, surges, sags, and brownouts
• An enterprise UPS will be directly wired on a dedicated line

Power Generators

• Backup power supplies that kick on during a power outage
• Gasoline
• Fuel oil
• Solar and wind

Dual Power Supplies and Redundant Circuits

• One or more of the following:
• Building circuits include two separate dedicated circuits
  • "A" feed (120V, 20A)
  • "B" feed (120V, 20A)
• UPS systems include two separate UPS systems
  • "A" UPS (120V, 2200VA)
  • "B" UPS (120V, 2200VA)
• Server redundancy allows separate "A" and "B" inputs
  • "A" input connects to "A" UPS powered by circuit "A"
  • "B" input connects to "B" UPS powered by circuit "B"

Recovery

Backup Sites

• Companies specializing in providing disaster recovery services
• Other locations owned and operated by your organization
• A mutual agreement with another organization to share data center facilities in the event of a disaster

Cold Sites
• Empty building
• No equipment
• Power
• Security
• Telecommunications (dark fiber)
• Cheapest
• Takes longest to bring online

[Figure: "Cold Site Example"]

Warm Sites
• Contains most of the hardware needed to recreate your current data center
• Restoring service requires the last backups from your off-site storage
• Can be restored more quickly than a cold site
• Could end up with outdated equipment
• More expensive than a cold site

[Figure: "Warm Site Example"]

Hot Sites
• A practical mirror image of your current data center
• All systems configured and waiting only for the last backups of your user data from your off-site storage facility
• Up to full production in a few hours
• A hot backup site is the most expensive approach to disaster recovery

[Figure: "Hot Site Example"]

Backups
• Protect against data loss, corruption, disasters (man-made or natural) and other events
• Backup types
  • Types include full, differential, and incremental
  • Snapshots
• Backup destinations:
  • Local disks
  • Network shares

[Figure: "Windows Server 2016 Backup Tool"]

Full Backup

• The most basic and complete type of backup
• Backs up all selected data to another set of media: tape, disk, DVD, network location
• Provides a foundation for the other backup types
• Changes the file's archive bit
• Longest backup time
• Shortest restore time

Differential Backup

• Copies all data changed since the last full backup
• Does not change the archive bit
• Typically gets larger over time until the next full backup
• Backup takes longer each day as the week goes by
• Restore takes less time as you only need the full plus the latest differential

Incremental Backup

• Copies only the data that has changed since the last full or incremental backup
• Restore requires the full backup plus all subsequent incremental backups
• Changes the archive bit
• Fastest type of backup
• Longest restore
• Takes up less storage space

Snapshots

• Could be considered a type of backup
• An image of the state of a system at a point in time
• Typically requires the base image
• Popular with virtual machine implementations
• As with backups, you can revert to the snapshot of your choice
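The archive-bit behaviour behind the three backup types above, as an added simulation (example code, not from the slide deck): it runs a constructed week under a differential and under an incremental schedule, shows why differential backups grow while incrementals stay small, and computes which backups a restore must read in each case. File names, days and the per-file version counter are constructed values; "changes the archive bit" is modelled as clearing it, which is what full and incremental backups do.

```python
"""Archive-bit model of full, differential and incremental backups and the
restore chain each scheme needs (added example, not the deck's code)."""
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str     # "full", "differential" or "incremental"
    day: int
    copied: dict  # file name -> version of that file captured in this backup


class BackupSimulator:
    def __init__(self, files):
        self.version = {f: 1 for f in files}
        self.archive_bit = {f: True for f in files}  # new files are flagged for backup
        self.day = 0
        self.backups = []

    def modify(self, *names):
        """A day passes and the named files change: bump version, set archive bit."""
        self.day += 1
        for n in names:
            self.version[n] = self.version.get(n, 0) + 1
            self.archive_bit[n] = True

    def _run(self, kind, select_all, clear_bit):
        # full: everything; differential/incremental: only files with the bit set
        chosen = [f for f in self.version if select_all or self.archive_bit[f]]
        if clear_bit:                      # full and incremental clear the bit
            for f in chosen:
                self.archive_bit[f] = False
        backup = Backup(kind, self.day, {f: self.version[f] for f in chosen})
        self.backups.append(backup)
        return backup

    def full(self):
        return self._run("full", select_all=True, clear_bit=True)

    def differential(self):
        return self._run("differential", select_all=False, clear_bit=False)

    def incremental(self):
        return self._run("incremental", select_all=False, clear_bit=True)

    def restore_chain(self):
        """Backups needed to rebuild the current state, oldest first.

        Walk newest to oldest and keep a backup only if it holds a file version
        not already recovered from a newer one; stop at the first full.  A pure
        differential schedule yields full + latest differential; a pure
        incremental schedule yields full + every incremental that still holds
        a change (normally all of them), as the slides describe."""
        needed, recovered = [], {}
        for b in reversed(self.backups):
            fresh = {f: v for f, v in b.copied.items() if f not in recovered}
            if fresh or b.kind == "full":
                needed.append(b)
                recovered.update(fresh)
            if b.kind == "full":
                break
        return list(reversed(needed)), recovered


def weekly_schedule(scheme):
    """Constructed week: a full backup, then one backup of the given scheme
    each day, with a different file changing on each of the three days."""
    sim = BackupSimulator(["payroll.db", "web.conf", "notes.txt"])
    sim.full()
    for changed in ("payroll.db", "web.conf", "notes.txt"):
        sim.modify(changed)
        getattr(sim, scheme)()
    return sim


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        sim = weekly_schedule(scheme)
        chain, _ = sim.restore_chain()
        sizes = [len(b.copied) for b in sim.backups]
        print(f"{scheme}: backup sizes {sizes}, restore reads "
              + " + ".join(f"{b.kind}@day{b.day}" for b in chain))
```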

[Figure: "Virtual Machine Snapshot Example"]

Activity 3.2 – Backing Up Your Data

• Let's perform different backups

MTTR

Mean Time To Repair (MTTR)

• How long it will take to repair a device, system, or component that is down and bring it back online
• Assumption is that the device/system can be repaired
• Critical metric in planning data center/cloud/system configurations and future configurations

MTBF

Mean Time Between Failures (MTBF)

• How long the device/system is expected to function until its first failure
• Stated by the manufacturer
• Sometimes the assumption is that the system cannot be repaired/must be replaced
• Estimates only, but important in planning, implementation, maintenance, and future plans

[Figure: "Differentiating Between Failure Metrics"]

SLA Requirements

Service Level Agreement (SLA) Requirements

• A Service Level Agreement is a contracted commitment by a provider
• Formally defines "what you get" in terms of uptime/availability
• MTBF and MTTR figure prominently in the guarantees of an SLA
• Clearly states metrics, responsibilities and expectations from vendors in the event of issues
• Ensures both vendor and organization have the same understanding of requirements

[Figure: "SLA Example: Service Levels"]

3.3 Explain Common Scanning, Monitoring and Patching Processes and Summarize Their Expected Outputs

• Processes
• Event Management
• SNMP Monitors
• Metrics

Processes

Log Reviewing

• Reviewing logs is a proactive measure for planning, performance, troubleshooting, and security
• Compare logs to the baseline
• Makes device/network compromise more difficult

Port Scanning

• Port scanners are applications that probe a server/device for open ports
• Find open ports that can be closed if not used or dangerous
• Reports open/listening, closed/denied, or filtered/blocked
• Can use the netstat command-line utility

[Figure: "Port Scanner Example"]

Vulnerability Scanning

• A vulnerability scan detects and classifies system weaknesses of an attack surface
• Can scan computers, networks and other communications equipment
• Can measure the effectiveness of countermeasures that are implemented
• Run as an authorized or unauthorized scan

[Figure: "Vulnerability Scanning Example"]

Patch Management

• Patch management is used by administrators to acquire, test, and install patches (code changes) to computers/devices/systems
• Patch management includes:
  • maintaining current knowledge of available patches
  • deciding what patches are needed for systems
  • installing properly
  • testing systems after installation
  • documenting procedures and configurations

[Figure: "Typical Patch Management Architecture"]

[Figure: "Patch Management Example"]

Rollback

• Recover from errors and network misconfiguration
• To roll back, apply:
  • Saved configuration files
  • Previous versions of configurations
  • Previous backups, snapshots, or save points
• Always have a rollback strategy before changing anything!

Reviewing Baselines

• Baselining consists of recording network traffic and performance, saving it for reference and/or reviewing it to see traffic patterns
• Baselines are used as a benchmark to compare current/new traffic patterns
• Can compare and chart normal to abnormal for comparisons
• Should baseline and review:
  • all traffic to the Internet
  • all traffic for business-critical applications
  • all traffic to/from critical systems
  • and all systems' backup traffic
• After conducting an initial baseline scan, you should mitigate vulnerabilities and performance bottlenecks, then create a new baseline

What You Should Baseline

• All traffic to the Internet
• All traffic for business-critical applications
• All traffic to/from critical systems
• All systems' backup traffic
• Performance of critical systems
  • CPU, RAM, disk, network interface
  • Database performance
• Performance of critical processes
  • Operational/human as well as technical

Packet/Traffic Analysis

• Process of intercepting and examining messages
• Gather information from patterns in communication
• Can be done for nefarious or helpful purposes
• Can be performed (in a limited way) on encrypted traffic
• Examine protocol usage, traffic patterns

[Figure: "Network Traffic Analysis Example"]

Event Management

Notifications

• Are set up as a component of an alert
• Alerts are configured based on a condition or conditions on a resource using monitoring software
• Alerts can be set up to be high, medium, or low, depending on the software vendor

Alerts

• A setting in monitoring software that advises an administrator that something has occurred on a resource
• Conditions and notifications are configured for alerts on resources

Security Information and Event Management (SIEM)
• A method of security management that combines SIM (security information management) and SEM (security event management) functions into one system
• Defines a normal baseline and looks for anomalies
• Can be rules-based or employ a statistical correlation engine to establish relationships between event log entries
• Advanced SIEMs can include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR)

SNMP Monitors

SNMP Components

• Managed devices
  • Router, switch, hub, firewall, computer, server service (DHCP, DNS, etc.), printer, IoT device
• Agents
  • Software installed on the managed device
  • Responds to the NMS
• Network Management System (NMS)
  • Typically software installed on a dedicated computer

SNMP Network Management System

• Aka SNMP Manager
• Monitoring software or system
• Uses SNMP to query devices about their current status
• Uses a Management Information Base (MIB) to know what questions to ask the various devices
• Different devices have their own MIBs
• The manager "walks" through the MIB
• SNMP message types:
  • Get
  • GetNext
  • Set
  • Trap

[Figure: "SNMP Management Console"]

Management Information Base (MIB)

• A set of questions that an SNMP manager can ask a device regarding its status
• Created by the manufacturer/vendor
• Most network devices and server operating systems/services have their own MIB
• Most SNMP managers have MIBs for the most popular products already installed
• You might have to install the MIB from lesser-known equipment into the manager

SNMP MIBs and Agents

MIB Object ID (OID) Hierarchy Example: ask the system for its uptime status
  NMS: "Get 1.3.6.1.2.1.25.1.1.0"
  Agent: "22 hours"

[Figure: the agent response might look something like this in the NMS console]
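The Get exchange above, encoded byte for byte as an added example (not the deck's code): the NMS side builds the SNMPv2c GetRequest for OID 1.3.6.1.2.1.25.1.1.0, the agent side answers with a TimeTicks value of 22 hours, and a small BER decoder reads either message back. The community string "public" and the request-id are constructed sample values; the OID and the 22-hour reply are the slide's.

```python
"""SNMPv2c Get exchange for the uptime query, hand-encoded in ASN.1 BER
(added example, not the deck's code)."""

# ASN.1 universal tags and the SNMP context-specific PDU tags
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TIMETICKS, GET_REQUEST, GET_RESPONSE = 0x43, 0xA0, 0xA2
SNMP_V2C = 1                            # version field value for v2c
UPTIME_OID = "1.3.6.1.2.1.25.1.1.0"     # hrSystemUptime.0, as on the slide


def _tlv(tag, payload):
    """Tag-Length-Value with BER definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _uint(tag, value):
    """Non-negative integer; a leading 0x00 keeps the sign bit clear."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _tlv(tag, raw)


def _oid(dotted):
    """Dotted OID -> BER: first two arcs fold into 40*a+b, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, payload, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def build_message(pdu_tag, community, oid, request_id, value_tlv):
    """Message ::= SEQUENCE { version, community, PDU } with one varbind."""
    varbind = _tlv(SEQUENCE, _oid(oid) + value_tlv)
    pdu = _tlv(pdu_tag, _uint(INTEGER, request_id)
               + _uint(INTEGER, 0) + _uint(INTEGER, 0)     # error-status, error-index
               + _tlv(SEQUENCE, varbind))
    return _tlv(SEQUENCE, _uint(INTEGER, SNMP_V2C)
                + _tlv(OCTET_STRING, community.encode()) + pdu)


def get_request(community, oid, request_id=1):
    """NMS -> agent: the varbind value is NULL in a GetRequest."""
    return build_message(GET_REQUEST, community, oid, request_id, _tlv(NULL, b""))


def uptime_response(community, oid, ticks, request_id=1):
    """Agent -> NMS: the same varbind, now carrying a TimeTicks value."""
    return build_message(GET_RESPONSE, community, oid, request_id, _uint(TIMETICKS, ticks))


def parse_message(buf):
    """Decode either direction; the community string is readable because v1/v2c
    send it in cleartext, which is why monitoring traffic belongs on a management VLAN."""
    _, body, _ = _read_tlv(buf, 0)
    _, ver, p = _read_tlv(body, 0)
    _, community, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(vbl, 0)
    _, oid_raw, p = _read_tlv(vb, 0)
    vtag, vraw, _ = _read_tlv(vb, p)
    return {"version": int.from_bytes(ver, "big"), "community": community.decode(),
            "pdu": pdu_tag, "request_id": int.from_bytes(rid, "big"),
            "error_status": int.from_bytes(err, "big"), "oid": _decode_oid(oid_raw),
            "value": None if vtag == NULL else int.from_bytes(vraw, "big")}


def ticks_to_hms(ticks):
    """TimeTicks are hundredths of a second; 7,920,000 ticks is the slide's 22 hours."""
    secs = ticks // 100
    return secs // 3600, (secs % 3600) // 60, secs % 60


if __name__ == "__main__":
    print("NMS   ->", get_request("public", UPTIME_OID).hex())
    rsp = uptime_response("public", UPTIME_OID, 22 * 3600 * 100)
    print("Agent ->", rsp.hex())
    print("uptime %dh %dm %ds" % ticks_to_hms(parse_message(rsp)["value"]))
```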

Metrics

What are Metrics?

• Performance values that you monitor
• You watch trends to:
  • Identify incidents and problems
  • Plan for upgrades
  • Redistribute load if necessary

Common Network Metrics: Error Rate, Utilization, Packet Drops, and Bandwidth/Throughput

• Error rate
  • the frequency of errors
• Utilization
  • shows the percentage of resources being utilized
• Packet drops
  • the number of packets on a network that do not reach their intended destination
• Bandwidth/throughput
  • the capability to move data through a connection as compared to capacity, identifying bottlenecks, throttling, and additional metrics

Activity 3.3 – Testing the Network

• Let's run some tests against the network.

3.4 Given a Scenario, Use Remote Access Methods

• VPN
• RDP
• SSH
• VNC
• Telnet
• HTTPS/Management URL
• Remote File Access
• Out-of-Band Management

VPN

IPSec

• IPSec services
  • Authentication Header (AH) authenticates the sender and monitors for changes in the data during transmission
  • Encapsulating Security Payload (ESP) performs authentication and encrypts the data being sent
• IPSec modes
  • Tunnel Mode protects the whole IP packet and is used to communicate securely between two sites
  • Transport Mode only encapsulates the IP payload
• IPsec supports encryption and hash algorithms
  • Encryption: DES, 3DES, AES
  • Authentication: MD5, SHA1, SHA2

[Figure: "IPSEC Tunnel Mode", LAN to LAN]

[Figure: "IPSEC Transport Mode", LAN to LAN]

SSL/TLS/DTLS

• Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols create a secure session between a host and a server within a LAN
• SSL – predecessor of TLS – insecure
  • POODLE
  • BEAST
• TLS – more secure than SSL
• Datagram TLS (DTLS) is a variant of TLS
  • Reuses the main functionalities of the SSL/TLS protocols

[Figure: "SSL VPN to Corporate Site Example"]

Anonymizer

• Proxy on the Internet
• Client typically creates an SSL VPN to the proxy
• You can bounce through several proxies in a daisy chain
• Very hard to trace a connection back to you

[Figure: "Anonymizer / SSL VPN Example": anonymous web surfing, today's common use of SSL VPNs]

Additional VPN Protocols

Point-to-Point Tunneling Protocol (PPTP)
• A Microsoft protocol that combines the Point-to-Point (PPP) and Generic Routing Encapsulation (GRE) protocols
• Does not digitally sign the packets and therefore does not guarantee packet integrity
• Uses TCP port 1723 to establish the connection, and Microsoft Point-To-Point Encryption (MPPE) to encrypt the data

Layer 2 Tunneling Protocol (L2TP)
• A combination of PPTP and the Layer 2 Forwarding protocol (L2F) that can encapsulate different types of protocols, not just IP
• Uses the Encapsulating Security Payload (ESP) part of IPSec for both encryption and integrity. This is referred to as L2TP/IPSEC ("L2TP over IPSEC")
• L2TP uses UDP port 1701
• ESP uses UDP port 500 and protocol ID 50

Site-to-Site
• Connects an organization's main headquarters to branch offices, or organization to organization
• Routing, encryption, and decryption are done using hardware- or software-based routers on both ends
• Traffic is unencrypted within the LAN

[Figure: site-to-site VPN, LAN to LAN]

Client-to-Site

• Individual clients, such as employees that work from home or travel, remotely connect to the organization's network
• Uses a pre-shared key or certificates
• Usually both machine and user must authenticate

[Figure: "Multiple Clients Using VPNs Example"]

RDP

Remote Desktop Protocol (RDP)

• Provides a secure desktop to a remote computer
• Popular among Microsoft administrators
• Includes encryption, smart card authentication, bandwidth control, resource sharing, multiple displays and multiple logoff options
• Includes the ability to redirect audio, video, and print jobs
• TCP 3389
• Competitors include TeamViewer, VNC, Citrix GoToMyPC
• Vulnerabilities
  • Man-in-the-middle

[Figure: "RDP Example"]

VNC

• Virtual Network Computing (VNC)
• Provides a remote desktop to a computer
• There are many versions of VNC available
• Host can be configured as server or client
• Uses TCP port 5900 and an arbitrary port
• Often misused as a malicious payload

Telnet

• TErminal NETwork is one of the oldest TCP/IP protocols currently in use
• Gives the command prompt of a remote system
• Commonly used for network devices/*nix servers
• Most organizations block its use/replace it with SSH
• Uses TCP port 23
• Can be used as a tool to search for open ports/grab service banners

[Figure: "Telnet Example"]

[Figure: "Telnet Console Example"]

SSH

Secure Shell (SSH)

• The Secure Shell (SSH) protocol secures remote login from one computer to another
• Strong authentication and encryption
• Includes secure file transfer capabilities (SCP, SFTP)
• Alternative to telnet, FTP, TFTP
• Uses TCP port 22
• Preferred method for UNIX/Linux
• Microsoft does not have built-in SSH server or client capabilities
• Can sometimes be used to make a remote backdoor connection to a jailbroken iPhone

[Figure: "SSH Example"]

HTTPS/Management URL

• Use a web browser to administer a device
• Common with home routers

Remote File Access

File Transfer Protocol (FTP)

• Download and upload files
• More efficient than HTTP
• Often used on the Internet
• TCP 21, 20
• FTP client applications can include:
  • GUI client
  • Browser specifying ftp://<server_name_or_ip>
  • Command-line client
• FTPS = FTP with SSL or TLS
  • Encrypts the payload using SSL or TLS

Secure FTP (SFTP)

• Part of SSH
• TCP 22
• Alternative to FTP
• Secure file upload/download

Trivial File Transfer Protocol (TFTP)

• FTP's "little brother"
• UDP 69
• No authentication
• Used to upload/download configuration files and operating systems of network devices

[Figure: "TFTP Server Example"]

Out-of-Band Management

• Out-of-band management (OBM) provides a dedicated method to manage the network that can be used separately from the usual in-band (across the normal network) methods
• Administrators have the ability to access, manage and monitor the network/devices remotely and securely if normal systems are down
• Vendors often use it for remote support
• Modems, consoles, vendor-specific devices

Modem

• MODulator–DEModulator
• On-demand connection to a remote system
• Converts an Ethernet or serial signal to a format for the ISP/telco provider
• Dial-up
• Cellular
• Cable
• DSL

Router Console
• OOB connectivity using the Console port/Aux port of a network device
• Gives a command prompt via a serial connection

Activity 3.4 – Making Remote Connections

• Let's use different protocols to make remote connections

3.5 Identify Policies and Best Practices

• Privileged User Agreement
• Password Policy
• On-boarding/Off-boarding Procedures
• Licensing Restrictions
• International Export Controls
• Data Loss Prevention
• Remote Access Policies
• Incident Response Policies
• BYOD
• AUP
• NDA
• System Life Cycle
• Safety Procedures and Policies

Privileged User Agreement

• The Privileged User Agreement is part of the User Account Policies
• Privileged users have escalated access to network devices and, many times, confidential data
• Use a regular user account except when escalated privilege is required
• Auditing users when logged on with escalated privileges is recommended
• The agreement should be signed as understood, with the user agreeing to adhere to it

Password Policy

• Organizational policy that states requirements for user passwords
• Rules that users must adhere to if they are permitted to log into and work on an organization's network
• Should include:
  • Password length, complexity, expiration, history
  • Confidentiality of credentials
  • Violation penalty

On-boarding/Off-boarding Procedures

• Establish a security and compliance group within the organization
  • Include a representative of the IT department, including the CIO
• Define who will have access to IT services and how the organization is being accessed and shared
• Put in place a clear set of the organization's IT policies
• Create documentation for both onboarding and offboarding to be followed by IT and other departments
• Audit user access regularly

Licensing Restrictions

• Licensing is part of the IT administrative task list
• Types of licensing and restrictions
• Software Asset Management (SAM) vs. IT Asset Management (ITAM)
• Budgetary concerns
• Trusted vendor management

International Export Controls

• U.S. export control regulations control whether certain commodities, software and information can be transmitted outside the U.S.
• Organizations and IT must review laws and regulations
• Physical shipment or electronic transfer
• Legal department needs to be involved
• Third-party verification

Data Loss Prevention

• A data breach is one of the biggest fears that organizations face
• Need to identify and protect sensitive data
• Attempts to minimize/prevent data exfiltration (data leakage)
• Examines data in motion, data at rest, and data at endpoints

[Figure: "DLP Example". A DLP system sits between the endpoints and the channels by which data can leave: network (HTTP/S, FTP, TFTP, SSH, Telnet, etc.; webmail, SMTP, social networking, instant messaging), CD/DVD/SD memory card, printer, clipboard, USB, FireWire, Wi-Fi, IrDA, Bluetooth, NFC, and mobile devices (iPhone/iPad, Android, Palm, BlackBerry, Windows Mobile).]

Common Causes of Data Loss/Leakage
• Malicious or careless employees
• "Reply All" email
• Unprotected print jobs
• Removable media
• Laptops and mobile devices
• Copy/paste activities
• Insufficiently protected physical environment
• Social media, instant messaging
• Cell phone cameras
• Social engineering
• Trash/recycled paper
• Network applications
• File upload/sharing activities
• Viruses/hacking
• Insufficient segregation of sensitive network segments
• Equipment or asset theft
• Improperly configured devices
• Vul
nerable network
• Vulnerable servers, web sites, and applications
• Public-facing computer monitors

Methods to Enforce DLP

• Policies and procedures (including for print jobs and removable media)
• Firewalls
• DLP applications and services
• Client policies
• IDS/IPS
• Digital rights management (DRM)

Remote Access Policies

Remote Access Policy

• Formal document of which, why, and how employees use remote access privileges
• Defines behavior that is acceptable for the use of remote access connections
• Defines whether BYOD or organization-provided devices are used
• Defines penalties for violating the organization's remote access policy
• Enforced technically

Typical Components of a Remote Access Policy
• Hardware and software configuration standards for remote access, including anti-malware, firewalls, and antivirus
• Encryption policies
• Information security, confidentiality, and email policies
• Physical and virtual device security
• Access privileges, authentication, and access hierarchy
• Connectivity guidelines
• Password protocols
• Acceptable use policies
• Third-party protections and standards (trusted vs. non-trusted sources or hosts)
• Policy compliance, governance, and enforcement
• Access and equipment ownership requirements

Incident Response Policies
• Define the organization's response to an information security incident
• Usually contain information regarding:
  • Who is in the incident response team
  • Team member roles and responsibilities
  • Implementing the policy
  • Technological tools

BYOD

Bring Your Own Device (BYOD)
• Employees bring and use their own mobile devices at work
• Pros:
  • Saves the organization money
  • Convenient for the employee
  • Choice for the employee
  • Usually new technology
• Cons:
  • Security risks
  • Burden on the IT department
    • many types of devices, phone number ownership
  • The company can track all activity/data on a BYOD phone
  • In case of law enforcement/legal action, the phone might be confiscated for a long time
• Create a BYOD policy
  • Acceptable use, device type, support, security, reimbursement, liability
• Company may prefer Select/Choose Your Own Device

AUP

Acceptable Use Policy (AUP)
• A set of rules that specifies the practices and restrictions a user agrees to for access to an organization's network/Internet
• Examples:
  • Do not share credentials or use another's credentials on the network
  • Use of email
  • Report any attempt to break into their accounts
  • Consequences of breaching the laid-down regulations

NDA

Non-Disclosure Agreement (NDA)
• Also known as a confidentiality agreement
• A legally binding contract
• One party agrees to give a second party confidential information about its business/products
• The second party agrees not to share this information with anyone else for a period of time
• Used to protect sensitive information and intellectual property (IP)
• Outlines in detail what information remains private and what information can be shared

System Life Cycle

Asset Disposal
• IT assets require not only ethical disposal of equipment but also the complete destruction of the organization's data so that it cannot be accessed
• Recycling
• Ensure erasure and data destruction to eliminate the risk of a data breach through equipment disposition
• Networking devices, routers, and switches hold sensitive information that could be used to find entry to or otherwise compromise an organization's network

Safety Procedures and Policies
• An organization should always have written safety policies and procedures
• Everyone should be trained in these policies and procedures
• Policy is the overarching statement of what management wants
• Procedures are the actual steps/tasks taken to fulfill policy

Activity 3.5 – Creating Policies and Procedures

• Let's examine how to create policies and procedures