INTRODUCTION
Some of the worst network implementations users have complained about came from not following the basic concepts of network topology. Here are a few crucial points to remember:
- Use professional network designers.
- Network construction frequently involves several trades.
- Keep the design straightforward.
- Identify high-value systems and assets.
- Precaution and prevention are important.
- Log security events.
- Apply the principle of least privilege.
- OSI MODEL:
The OSI Model (Open Systems Interconnection) is a seven-layer reference model (three media layers and four host layers); from a security standpoint, every one of the seven layers must be secured for an application to be considered secure.
Those layers are:
- The Physical Layer
- The Data Link Layer
- The Network Layer
- The Transport Layer
- The Session Layer
- The Presentation Layer
- The Application Layer
- The Physical Layer
This media layer covers the physical and electrical details of data connections; it is also how the various endpoints physically connect to each other.
Physical layer security can readily be compromised by deliberate acts (e.g., cutting power or network cables) or by environmental conditions such as power surges. Denial of Service (DoS) attacks against important applications and networks can have serious consequences. The layer is frequently protected with biometric verification, electromagnetic shielding, and strong locking mechanisms.
- The Data Link Layer
This media layer frames all the data transferred over the physical layer. Common threats at this layer include attempts to circumvent virtual local area network (VLAN) segmentation, as well as network interference using spoofed media access control (MAC) addresses; their successful exploitation can imperil network security. Common defences at this layer include filtering MAC addresses and ensuring that all wireless access has authentication and encryption built in.
- The Network Layer
This last media layer controls the network’s routing, addressing, and traffic management.
IP address spoofing, in which packets from malicious sources are disguised so that they appear to come from legitimate addresses within the network, is a severe danger to application security at this layer. Route filters and anti-spoofing measures, together with well-configured firewalls, provide the best protection for this layer.
- The Transport Layer
This first host layer provides the logical channel for data transfer sequences of varying lengths. A robust transport protocol such as TCP (Transmission Control Protocol) provides segmentation and isolation by ensuring reliable data flow, error control and flow measurement. Securing this layer depends on limiting access to the transport protocols and their underlying information, together with strong protection from the security system.
- The Session Layer
The interaction between local and remote applications is controlled by the second host layer. It establishes, controls, and tears down connections between machines (i.e., each session) on demand.
If authentication procedures are weak, the session layer is vulnerable to attack and can be broken. To maintain security, passwords should be exchanged (and kept safe), and session timers should be established to limit how long a session stays open.
- The Presentation Layer
As data passes between the application layer and the network, this host layer uses a variety of encodings to translate data to and from various local formats.
To avoid malicious inputs that could cause a crash or damage the system, user inputs (which should be sanitised before being processed further) should be segregated from system control operations.
- The Application Layer
The last host layer is closest to the end user, and it is this layer that presents the largest attack surface to potential attackers. The application layer includes user interaction with numerous other sensitive services; if exploited networks are shut down in a Denial-of-Service attack, user data may be stolen and individual programmes may fall under the control of a criminal.
The safest way to ensure that applications sanitise user input, detect risky behaviour, and handle and transfer sensitive information securely is to design them using secure application development practices.
- NETWORK DESIGN
When discussing network architecture, it is useful to categorise networks according to the number of devices they serve:
- Small network: up to 200 devices.
- Medium-sized network: between 200 and 1,000 devices.
- Large network: more than 1,000 devices.
The size and needs of the organisation influence the network design. For example, a small organisation’s network infrastructure with few devices differs greatly in complexity from a large organisation’s network architecture with a high number of devices and connections.
- NETWORK DESIGN PRINCIPLES TO ACHIEVE PERFORMANCE
Examine single points of failure thoroughly. Your network should have redundancy so that a single link or hardware failure does not disconnect any section of the network and prevent users from accessing network services. The amount of redundancy required varies from network to network. Some networks, for example, may require a backup link between two sites, as well as redundant links, routers, and switches. The trade-off is determined by how much money you want to spend on extra equipment and how much risk you are willing to accept.
Backup paths and load sharing are two aspects of redundancy to consider. The backup path should be available as an alternative to the primary route, so that if the primary route fails, traffic automatically switches to the secondary route; this is similar to a network detour. Load sharing occurs when two or more routes to the destination exist and both can be used to share the network load.
Consider application behaviour and protocol traffic as well. Application data flow is a client/server traffic profile used to allocate suitable resources to your users across the network. For example, it may lead you to reduce the number of clients in a segment or the number of clients using a specific server.
- TO ACHIEVE SCALABILITY
Good network design applies long-established principles such as layering and encapsulation; data encapsulation in basic network protocols reflects this. Changes in the lower layers do not affect the upper layers because each lower layer hides its implementation from the layers above it (i.e., the applications).
A Core, Distribution, and Access layer design is recommended. In this design, the main objective of the distribution layer is to prevent changes in the access layer (where end devices are connected to the network) from affecting the core.
The core should be built to forward packets with high efficiency, providing high reliability, low delay, and minimal packet loss. The distribution layer is similar in some ways to an OSPF area border in that it summarises changes in the access layer and only presents summary routing information to the core. In this way the distribution layer isolates the core from changes in the access layer, making the core more stable and efficient.
- TO ACHIEVE SECURITY
Routing protocols use a number of techniques to reduce the scope of updates, that is, the number of hosts that will hear the update packet. Broadcast is the worst conceivable channel for delivering updates, since every host on the segment is compelled to examine the packet and determine whether it is of interest. Because only a few hosts on a network are interested in routing changes, sending them via the broadcast mechanism is a huge waste of time and resources.
Routing protocols employ multicast or unicast routing updates to get around this problem. Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), and Intermediate System-to-Intermediate System (IS-IS) all send their routing updates to well-known multicast addresses, so that hosts and other devices that are not interested in the updates can filter them out at the hardware layer. BGP employs unicast routing updates, which is better still, but it requires special configuration to work (neighbour statements).
Reducing the frequency of updates is another way to lower routing protocol overhead. RIP consumes a lot of bandwidth because it broadcasts all known destinations every 30 seconds.
SECTION 2
- HIERARCHICAL NETWORK DESIGN MODEL
A hierarchical network is one in which the network is divided into tiers. Each layer, or tier, has its own set of functions that determine its place in the network. This allows the network designer and builder to select the right network hardware, software, and features for each layer’s responsibilities. Both LAN and WAN designs benefit from hierarchical models.
The benefit of breaking a large network into smaller, more manageable pieces is that local traffic stays local. Only traffic intended for other networks is forwarded to the next layer up.
The following three layers make up a typical corporate LAN design:
- Access layer: provides group and user access to the network.
- Distribution layer: controls the boundary between the access and core layers and provides policy-based connectivity.
- Core layer: allows fast transport between distribution switches on a business campus.
- SUBNETTING
Subnetting is the process of dividing a network into smaller segments. This can be done for a variety of reasons. For example, a corporation with multiple departmental LANs connected to separate router interfaces or switch VLANs cannot use the same network address and mask on devices across all departments, since they would not be able to communicate.
Using different whole IP network addresses for the separate LANs within the same firm is not recommended either, because of the vast number of IP addresses that would be wasted.
Subnetting determines the number of hosts on each network by selecting a suitable mask, known as the subnet mask or netmask. The first address of each subnet becomes the subnet’s network address and the last its broadcast address, so devices can no longer use them. You therefore lose usable IP addresses when you subnet (two per subnet).
Subnet Mask
Like an IP address, a subnet mask is a 32-bit string of ones and zeros. All bits in the network part of the IP address are set to 1 in the subnet mask, while all bits in the host part are set to 0. The subnet mask functions like a network mask (essentially the same thing), except that it borrows some bits from the host portion to identify the subnet.
Assume that the IP address 192.168.1.130 belongs to the class C network 192.168.1.0-255, and hence has the mask 255.255.255.0. The company has two distinct departments, both of which are connected to the same network; however, they should be in separate networks.
The network administrator used to assign IP addresses sequentially, starting with 192.168.1.1 for department A and working up to 192.168.1.254 for department B, so he decided to split this class C network into two subnets, each with 128 addresses. 192.168.1.0-127 and 192.168.1.128-255 will be the resulting subnets.
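The split described above, worked through in code: this is an added example, not part of the original page, and uses only Python’s standard library. It borrows one host bit from 192.168.1.0/24, reports the mask and the two addresses lost per subnet, places 192.168.1.130 in its subnet, and shows why department A and department B hosts stop being “local” to each other once the new mask is applied.

```python
"""Split the class C network 192.168.1.0/24 into two /25 subnets (added example)."""
import ipaddress
from typing import Dict, List


def split_network(network: str, new_prefix: int) -> List[ipaddress.IPv4Network]:
    """Return the subnets obtained by borrowing host bits until the prefix is new_prefix."""
    net = ipaddress.ip_network(network, strict=True)
    if new_prefix <= net.prefixlen or new_prefix > 30:
        raise ValueError("new prefix must be longer than the parent and leave room for hosts")
    return list(net.subnets(new_prefix=new_prefix))


def describe(subnet: ipaddress.IPv4Network) -> Dict[str, object]:
    """Summarise a subnet: mask, usable host range and the two unusable addresses.

    The network and broadcast addresses are the two addresses 'lost' per subnet.
    """
    hosts = list(subnet.hosts())  # fine for small subnets; use num_addresses - 2 for large ones
    return {
        "network": str(subnet.network_address),
        "mask": str(subnet.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(subnet.broadcast_address),
        "usable_hosts": subnet.num_addresses - 2,
    }


def subnet_of(address: str, subnets: List[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Find which candidate subnet an address belongs to."""
    ip = ipaddress.ip_address(address)
    for subnet in subnets:
        if ip in subnet:
            return subnet
    raise LookupError(f"{address} is outside all candidate subnets")


def same_subnet(a: str, b: str, mask: str) -> bool:
    """Would two hosts configured with this mask treat each other as on-link?"""
    net_a = ipaddress.ip_interface(f"{a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{b}/{mask}").network
    return net_a == net_b


if __name__ == "__main__":
    halves = split_network("192.168.1.0/24", 25)
    for half in halves:
        print(describe(half))
    print("192.168.1.130 is in", subnet_of("192.168.1.130", halves))
    # Department A's first host and department B's last host: local with the old
    # /24 mask, but in different subnets once the /25 mask is applied.
    print(same_subnet("192.168.1.1", "192.168.1.254", "255.255.255.0"))
    print(same_subnet("192.168.1.1", "192.168.1.254", "255.255.255.128"))
```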
- VLAN CONFIGURATION, VLAN TRUNKING 802.1Q, INTER-VLAN ROUTING
VLAN CONFIGURATION
Although the allowed or native VLANs on the two sides of a trunk link may differ, it is best practice to match both sides of the link. Mismatched native or allowed VLANs can have unforeseen consequences. Keep in mind that the native VLAN is the one used for untagged traffic. Native VLANs that do not match on the two ends of a trunk can cause “VLAN hopping”. This is typically a deliberate network intrusion technique and represents an open security risk. Take a look at the diagram and example below.
The client is connected to a VLAN 1 access port and requests an address from the DHCP server on the VLAN 1 subnet (192.168.1.0/24). On the trunk link between the two switches there is a native VLAN mismatch that prevents the client from getting the right address. The client sits on a VLAN 1 access port, so when its DHCP request reaches the switch’s trunk it is sent untagged, because VLAN 1 is the native VLAN there. On the switch at the other end of the trunk the native VLAN is 10, so the untagged traffic arriving from the right switch is treated as VLAN 10 on the left switch. The DHCP server therefore answers the client’s request with an address from VLAN 10 (192.168.10.0/24). Because VLAN 10 is untagged on the left switch, the reply leaves the trunk untagged; due to the native VLAN mismatch it is treated as VLAN 1 on the right switch, and the client ends up with an address on the wrong subnet.
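A small model of the trunk behaviour just described, as an added example that is not part of the original page: it tags frames on egress and classifies them on ingress exactly as the text explains, traces the DHCP request and reply across the mismatched trunk, and includes a consistency check of the kind a defender would run over trunk configurations. Switch names and the constructed VLAN-to-subnet table are assumptions.

```python
"""Native VLAN mismatch on an 802.1Q trunk, modelled in code (added example)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class TrunkPort:
    switch: str
    native_vlan: int
    allowed_vlans: FrozenSet[int] = field(default_factory=lambda: frozenset(range(1, 4095)))


def egress(port: TrunkPort, vlan: int) -> Optional[int]:
    """802.1Q tag placed on a frame leaving the trunk; None means untagged (native VLAN)."""
    if vlan not in port.allowed_vlans:
        raise ValueError(f"VLAN {vlan} is not allowed on the {port.switch} trunk")
    return None if vlan == port.native_vlan else vlan


def ingress(port: TrunkPort, tag: Optional[int]) -> int:
    """VLAN assigned to a frame arriving on the trunk: untagged frames join the native VLAN."""
    vlan = port.native_vlan if tag is None else tag
    if vlan not in port.allowed_vlans:
        raise ValueError(f"VLAN {vlan} is not allowed on the {port.switch} trunk")
    return vlan


def cross_trunk(src: TrunkPort, dst: TrunkPort, vlan: int) -> int:
    """VLAN a frame ends up in after crossing the trunk from src to dst."""
    return ingress(dst, egress(src, vlan))


def dhcp_exchange(client_vlan: int, client_side: TrunkPort, server_side: TrunkPort,
                  subnets: Dict[int, str]) -> Tuple[int, str, int]:
    """Trace the request and reply; returns (VLAN seen by server, subnet offered, VLAN the
    reply is delivered to on the client side)."""
    seen_by_server = cross_trunk(client_side, server_side, client_vlan)
    offered = subnets[seen_by_server]  # the server answers from the VLAN it saw
    delivered_vlan = cross_trunk(server_side, client_side, seen_by_server)
    return seen_by_server, offered, delivered_vlan


def check_trunk(a: TrunkPort, b: TrunkPort) -> List[str]:
    """Defender's check: report the mismatches the text warns about."""
    findings = []
    if a.native_vlan != b.native_vlan:
        findings.append(f"native VLAN mismatch: {a.switch}={a.native_vlan} {b.switch}={b.native_vlan}")
    if a.allowed_vlans != b.allowed_vlans:
        findings.append(f"allowed VLAN list differs between {a.switch} and {b.switch}")
    return findings


# Constructed topology from the text: client on the right switch, DHCP server on the left.
RIGHT = TrunkPort("SW-right", native_vlan=1)
LEFT = TrunkPort("SW-left", native_vlan=10)
SUBNETS = {1: "192.168.1.0/24", 10: "192.168.10.0/24"}

if __name__ == "__main__":
    print(dhcp_exchange(1, RIGHT, LEFT, SUBNETS))
    print(check_trunk(RIGHT, LEFT))
```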
VLAN TRUNKING 802.1Q
This, like every other aspect of the trunk configuration, should be consistent along the whole path that traffic will follow. If there are three switches between the client and the gateway on VLAN 100, every trunk link between those switches must carry VLAN 100 (shown below).
Although VLANs are effective at segmenting networks and limiting broadcast traffic, communication between the subnets that VLANs divide is sometimes required. Only a Layer 3 device that can route between VLANs can accomplish this. Even if both VLANs are present on a device, their traffic remains separate unless a Layer 3 routing device intervenes.
INTER-VLAN ROUTING
Each VLAN is its own subnet and broadcast domain, which means that frames are only forwarded between ports in the same VLAN. An OSI Layer 3 device (typically a router) is required for inter-VLAN communication. This device must have an IP address in each VLAN as well as a route to each of the subnets. Hosts in each subnet can then be configured to use the router’s IP address as their default gateway.
Three inter-VLAN routing options are available:
1. Connect each VLAN on the switch to a separate physical router interface. Because each VLAN requires its own Ethernet interface on the router, this option does not scale well and is rarely used today.
[Diagram: inter-VLAN routing through separate router interfaces]
2. Use a single router interface with trunking enabled. This “router on a stick” (ROAS) design carries all VLANs over one interface.
[Diagram: router-on-a-stick inter-VLAN routing]
3. Use a Layer 3 switch, a device that can both switch and route data.
- DHCP SERVER, DNS SERVER, WEB SERVER, EMAIL SERVER
DHCP SERVER:
A DHCP (Dynamic Host Configuration Protocol) server distributes IP addresses to computers and other network devices automatically. Without a DHCP server, each device on the network would need to be assigned an IP address by hand.
DNS SERVER:
DNS stands for Domain Name System. A domain name is a human-readable representation of an IP address. Each computer on the Internet uses an IP address to communicate with other computers over the TCP/IP protocol suite. IPv4 addresses, such as 123.123.123.12, are made up of a series of numbers separated by dots.
When a user types www.domain.com into their browser, it queries a chain of name servers starting from the root servers, which act as a reference book and return the IP address for that domain name. The browser then communicates directly with the website’s hosting server using that IP address.
DNS serves as an intermediary in this process, turning user requests into IP addresses. This is what enables Internet users to connect to websites.
WEB SERVER:
Configuring the web server to use the binary plug-in module provided by WebSphere® Application Server is known as plug-in configuration. Updating the plug-in’s XML configuration file to reflect the current application server settings is part of this configuration. The binary module uses that XML file to route web client requests.
After you have installed a compatible web server, you must install Web Server Plug-ins to obtain the web server plug-in module. The plug-in module enables communication between the web server and the application server.
EMAIL SERVER:
The repository manager may send you email messages for a variety of reasons. For these messages to be delivered, you must configure the connection to the SMTP server under the Email Server item of the Administration menu, as illustrated in Figure: “Email Server Configuration.”
- DYNAMIC ROUTING PROTOCOL CONFIGURATION USING RIPv2(WAN)
Configuring the RIPv2 routing protocol involves three essential steps: enable the RIP routing process on the router; specify the RIP version to be used; and specify the interfaces that will participate in routing updates, or the network addresses to be included in routing updates.
SECTION 3
- USER PRIVILEGES (ENCRYPTED PASSWORDS CONFIGURATION FOR CONSOLE, USER, PRIVILEGE EXEC MODE)
A user privilege is the right to run particular SQL statements or to access the objects of another user. Oracle defines the different types of privileges. User-defined roles, on the other hand, are created by users (typically administrators) to group privileges or other roles. They are a way of granting users a set of privileges or roles at once.
Oracle user privileges are described in this section under the following headings:
- User Roles
- System Privileges
- Object Privileges
Object Privileges
Each category has its own set of privileges.
You can grant or revoke all applicable privileges on an object by specifying ALL [PRIVILEGES]. ALL is not a privilege; rather, it is a shortcut in the GRANT and REVOKE statements for granting or revoking all privileges on a single object. Individual privileges may still be revoked after all object privileges were granted using the ALL shortcut.
Similarly, specifying ALL revokes all privileges the revoker has granted. However, if revoking ALL would remove integrity constraints (because the REFERENCES privilege is being revoked), you must use the CASCADE CONSTRAINTS option in the REVOKE statement.
User Roles
A role is a group of privileges and roles that can be granted to and revoked from users simultaneously. Before a user may use a role, it must first be enabled for them.
To aid with administration, Oracle provides pre-defined roles.
You can grant privileges and roles to, and revoke privileges and roles from, these pre-defined roles in the same way as for any role you define yourself.
Extended Access List –
This is one of the most commonly used access list types because it can differentiate IP traffic, meaning that not all traffic is permitted or denied as it would be with a standard access list. These ACLs use the source IP address, the destination IP address and the port numbers to classify IP traffic. We can also specify which IP traffic should be permitted or denied. The number ranges 100-199 and 2000-2699 are used for these.
Here is an example of a topology with three departments: sales, finance, and marketing. The sales department has the 172.16.40.0/24 network, the finance department has the 172.16.50.0/24 network, and the marketing department has the 172.16.60.0/24 network. Now we want to deny FTP connections from the sales department to the finance department, and to deny telnet access to the finance department from both the sales and marketing departments.
The first step is to create the extended access list entry that denies FTP connections from sales to finance.
R1# config terminal
R1(config)# access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21
Here we first create a numbered access list using 110 (from the extended access list range) and deny the sales network (172.16.40.0) from making FTP connections to the finance network (172.16.50.0).
Note that FTP uses the TCP protocol and port number 21. We therefore specify the protocol and then permit or deny as required, and we give the application-layer port number after eq.
Now both the sales and marketing departments must be denied telnet connections to the finance department, meaning that nobody should be able to telnet to the finance department. The entry is created in the same way.
R1(config)# access-list 110 deny tcp any 172.16.50.0 0.0.0.255 eq 23
Specifying any as the source matches traffic from every IP address. We must now apply the access list to the router interface:
R1(config)# int fa0/1
R1(config-if)# ip access-group 110 out
We should normally apply an extended access list as close to the source as possible, but here we apply it close to the destination because we need to block traffic from both the sales and marketing departments with one list. Otherwise we would have to create two different access lists, for inbound fa1/0 and outbound fa0/0.
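To see how ACL 110 is evaluated, here is an added example (not from the original page or any vendor code) that parses the two entries above in the IOS syntax subset the page uses, applies Cisco wildcard-mask matching, and mimics the implicit deny at the end of every IOS ACL. That implicit deny is the caveat worth checking: with only the two deny entries, every other packet leaving fa0/1 is dropped too, so a closing permit ip any any is normally needed. Sample host addresses are constructed.

```python
"""Evaluate extended ACL 110 from the text against sample packets (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}  # common IOS port keywords
AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


@dataclass
class Packet:
    proto: str  # "tcp", "udp", ...
    src: str
    dst: str
    dport: int


@dataclass
class Entry:
    action: str
    proto: str
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]


def _parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq <port>' qualifier (only 'eq' is modelled here)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(lines: List[str], number: int = 110) -> List[Entry]:
    """Build the ACL from 'access-list <number> ...' lines, keeping their order."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or int(tok[1]) != number:
            continue  # not part of this ACL
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        _, i = _parse_port(tok, i)  # a source-port qualifier is accepted but not matched
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def _matches(addr: str, spec: AddrSpec) -> bool:
    """Wildcard match: bits set to 1 in the wildcard mask are 'don't care'."""
    care = ~spec[1] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (spec[0] & care)


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; no match at all hits the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", pkt.proto):
            continue
        if _matches(pkt.src, e.src) and _matches(pkt.dst, e.dst) and e.dport in (None, pkt.dport):
            return e.action
    return "deny (implicit)"


# The two entries configured on R1 in the text.
PAGE_ACL = [
    "access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21",
    "access-list 110 deny tcp any 172.16.50.0 0.0.0.255 eq 23",
]

if __name__ == "__main__":
    # Constructed hosts: sales 172.16.40.5, marketing 172.16.60.7, finance 172.16.50.9.
    for acl in (parse_acl(PAGE_ACL), parse_acl(PAGE_ACL + ["access-list 110 permit ip any any"])):
        for p in (Packet("tcp", "172.16.40.5", "172.16.50.9", 21),
                  Packet("tcp", "172.16.60.7", "172.16.50.9", 23),
                  Packet("tcp", "172.16.60.7", "172.16.50.9", 80)):
            print(p, "->", evaluate(acl, p))
```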
IPsec VPN CONFIGURATION
An IPsec VPN peer may have an unknown IP address when it sets up a VPN connection. For example, the peer’s IP address may be assigned by the Dynamic Host Configuration Protocol (DHCP). This may be the case with a branch or home office remote access client, or with a mobile device that moves between locations. A peer may also sit behind a NAT device that translates the peer’s source IP address to a different address. A VPN peer with an unknown IP address is a dynamic endpoint, and a VPN built with such a peer is a dynamic endpoint VPN.
Dynamic endpoint VPNs on SRX Series devices support IKEv1 or IKEv2 and carry IPv4 traffic in a secure tunnel. As of Junos OS 15.1X49-D80, dynamic endpoint VPNs on SRX Series devices also carry IPv6 traffic in a secure tunnel.
AutoVPN networks do not support IPv6 traffic.
The steps that follow describe how to set up a VPN with a dynamic endpoint.
- Configure interfaces, security zones, and address book information.
- (For route-based VPNs) Configure a secure tunnel st0.x interface and a route to the remote network.
- Configure Phase 1 of the IPsec VPN tunnel.
- (Optional) Configure a custom IKE Phase 1 proposal. This step is optional because a predefined IKE Phase 1 proposal set (Standard, Compatible, or Basic) can be used instead.
- Configure Phase 2 of the IPsec VPN tunnel.
- (Optional) Configure a custom IPsec Phase 2 proposal. This step is optional because a predefined IPsec Phase 2 proposal set (Standard, Compatible, or Basic) can be used instead.
- Configure an IPsec policy based on your custom IPsec Phase 2 proposal or on a predefined IPsec Phase 2 proposal set. Perfect Forward Secrecy (PFS) must be specified.
- Configure the IPsec VPN tunnel using the IKE gateway and the IPsec policy. Specify the proxy IDs to be used in the Phase 2 negotiations.
- (For route-based VPNs) Bind the IPsec VPN tunnel to the st0.x secure tunnel interface.
- Configure a security policy to permit traffic from the source zone to the destination zone.
- (For policy-based VPNs) Specify the security policy action tunnel ipsec-vpn with the name of the IPsec VPN tunnel you created.
SECTION 4
- Ethical Considerations
Information technology (IT) plays a critical role in commerce, industry, government, medicine, education, entertainment, and society at large. Its economic and social advantages are self-evident. However, IT, like every other form of technology, has flaws and negative consequences for our society. It raises ethical issues of its own, which usually fall into three categories: personal privacy, access rights, and harmful actions. Let’s take a closer look at these concerns and see how the public reacted to technological change in each case.
In terms of personal privacy, IT allows large-scale data transfer for anyone, anywhere in the world, at any time. Because of this wide dissemination, the chances of information being released and the privacy of an individual or group being violated are increasing. Computer hacking at places such as Los Alamos National Laboratories and NASA in the United States has attracted attention. Attempts by cybercriminals to gain unlawful access to US government and military computers have become commonplace. Protecting network communication is therefore important, in addition to implementing adequate computer security policies and strategies.
Unauthorized access to the Internet is impossible to prevent.
Harmful activity in computer systems refers to injury or negative consequences, such as undesirable loss of data, loss of property, property damage, or unwanted environmental harm. This principle forbids the use of computer technology in ways that harm users, the general public, employees, or employers.
Intentional destruction or modification of files and programmes that results in major losses, or the waste of human resources such as the time and effort required to clean up systems after “computer viruses”, are examples of harmful behaviour. A survey of various internet behaviours shows which of them are illegal in the tables below.
Nowadays information is widely disseminated. According to the data, the response rate from Japanese companies is high, and organisations are essential. Compared with the privacy and security challenges linked to these principles, there has been little investigation so far of the issues in IT and cyberspace. Many people seek access to information they have no right to, exploiting the deceptive content of web information. As a result, computer scientists have proposed and implemented countermeasures.
Intrusion detection systems form the foundation of privacy-protecting security systems. Such systems, usually made up of a range of internal monitoring components, determine whether a user’s activity matches a genuine user profile or that of an intruder.