Security Mechanisms

The document outlines the design, implementation, and maintenance of network infrastructure, emphasizing the importance of both physical and logical components. It also discusses security threats, categorizing them into physical and non-physical threats, and suggests measures for protection against these threats. Additionally, it covers security mechanisms such as authentication, firewalls, and cryptography to safeguard network integrity and data confidentiality.

Uploaded by

remose06

3. Network Infrastructure Design

• Network Infrastructure: a set of physical and logical components that provide connectivity, security, routing, management, access, and other integral features on a network.
• During a network’s planning phase, engineers select the hardware and software components that will compose the network infrastructure and specify the particular location, installation, and configuration of those components.
• In most cases, the elements of a network infrastructure are both inherited and designed.
• If you are building a network that will be connected to the Internet, for example, certain aspects of the network, such as the use of the TCP/IP protocol suite, are inherited from the Internet.
• Other network elements, such as the physical layout of basic network components, are chosen by design when the network is first conceived and are then inherited by later versions of the network as it evolves.
• It is rare for an engineer to have the opportunity to design a network from scratch, with no pre-existing influences.
• Nearly always, the engineer must incorporate some existing elements into the network design, such as specific applications, operating systems, protocols, or hardware components.
• Implementing a network infrastructure is the process of evaluating, purchasing, and assembling the specified components, and installing them in the manner prescribed by the design plan.
• The implementation process begins with engineers installing the network’s hardware infrastructure, including computers, cables, and connectivity devices such as hubs, switches, and routers, as well as printers and other peripherals.
• Once the hardware is in place, the engineers install and configure the operating systems, applications, and other software.
• The operating systems running on the computers are the primary software components in the network infrastructure, because they incorporate the protocols and other routines that make network communications possible.
• In addition to the standard communication protocols common to all network operating systems, the Microsoft Windows Server 2008 family also includes a collection of applications and services that implement important security and special communications capabilities on the network.

Physical vs. Logical Network Infrastructure


1. Physical Network Infrastructure: the network’s topology (the physical design of the network), along with hardware components such as cabling, routers, switches, hubs, servers, and workstations.
   • The hardware you select when planning the network’s physical infrastructure is frequently dependent on elements of the network’s logical infrastructure.
   • For example, if you decide to use Ethernet for your network’s data-link layer protocol, you are limited to certain specific cable types supported by Ethernet, and the network’s connectivity components (hubs, routers, and switches) must be designed for use with Ethernet as well.
   • For a small network, the physical infrastructure can be very simple: computers, a hub, and a few cables are generally all you need.
   • For medium-to-large networks, however, the physical infrastructure can be extraordinarily complex.
2. Logical Network Infrastructure: comprises the many software elements that connect, manage, and secure hosts on the network.
   • The logical infrastructure allows communication between computers over the pathways described in the physical topology.
   • The logical infrastructure of a network consists of both abstract software elements, such as networking protocols, and concrete elements, such as specific software products.
   • In addition to basic communication protocols such as TCP/IP, the abstract elements of the logical infrastructure can include security technologies such as digital certificates and the IP Security (IPSec) protocols.
Planning a Network Infrastructure
• Planning the infrastructure is by far the most complicated part of building a network because during this phase you create the blueprint you will use to implement the network and maintain it later.
• A complete network infrastructure plan consists of a great deal more than a physical infrastructure layout and a list of hardware and software products.
• To plan the infrastructure properly, a network designer must consider the requirements of the network’s users, its owners, and its hardware and software components.
• What tasks do the network users have to accomplish?
• In addition to selecting applications, a network designer must also be conscious of the services the network’s users need for their computers to function properly.
• Security is also an omnipresent consideration in planning a network infrastructure.
• The designer must attempt to anticipate all possible dangers to the network and plan a suitable security infrastructure to protect it from those dangers.
• The security infrastructure might include advanced configuration of the operating systems, services, and applications, as well as the use of additional components, such as IPSec and digital certificates.
Implementing a Network Infrastructure
• The planned network infrastructure should be implemented at this stage.
• The process of implementing the technologies outlined in a network infrastructure plan typically involves a number of disciplines.
• The elements of the implementation process focus largely on the selection of protocols, operating systems, applications, and security mechanisms that satisfy the requirements of a network’s owners, administrators, and users, as determined in the planning process.
Maintaining a Network Infrastructure
• To maintain the network properly, administrators must have an intimate knowledge of the infrastructure and the technologies used to implement it.
• Network infrastructure maintenance includes tasks such as updating operating systems and applications, monitoring ongoing processes, and troubleshooting problems.
• Keeping the network’s operating systems and applications updated is more complicated than simply downloading the latest patch releases and installing them on all the computers.
• For a large and complex network infrastructure, you must be careful to test each release before deploying it on the production network.
• Administrators must monitor many services that are essential to a large network at regular intervals to ensure they are operating properly.
• This monitoring can include regular examination of logs, function testing, and network traffic analysis.
• The network administrator must be capable of configuring these services to log the appropriate information and of using Windows Server 2008 tools such as Network Monitor and the Performance console.
• Troubleshooting is one of the primary maintenance functions of a network administrator.
• Although much of the infrastructure design and implementation process revolves around the creation of a robust network, problems do occur, and in a large organization, network failures can mean reduced productivity and loss of revenue.
4. Security Threat
A security threat is defined as a risk that can potentially harm computer systems and the organization. The cause could be physical, such as someone stealing a computer that contains vital data. The cause could also be non-physical, such as a virus attack. In this tutorial series, we will define a threat as a potential attack from a hacker that can allow them to gain unauthorized access to a computer system.
4.1. Physical Threats
A physical threat is a potential cause of an incident that may result in loss or physical damage to the computer systems. The following list classifies the physical threats into three (3) main categories:
• Internal: These threats include fire, unstable power supply, humidity in the rooms housing the hardware, etc.
• External: These threats include lightning, floods, earthquakes, etc.
• Human: These threats include theft, vandalism of the infrastructure and/or hardware, disruption, and accidental or intentional errors.
To protect computer systems from the above-mentioned physical threats, an organization must have physical security control measures.
The following list shows some of the possible measures that can be taken:
• Internal: Fire threats can be prevented by the use of automatic fire detectors and extinguishers that do not use water to put out a fire. An unstable power supply can be prevented by the use of voltage controllers. An air conditioner can be used to control the humidity in the computer room.
• External: Lightning protection systems can be used to protect computer systems against such attacks. Lightning protection systems are not 100% perfect, but to a certain extent they reduce the chances of lightning causing damage. Housing computer systems in high lands is one of the possible ways of protecting systems against floods.
• Human: Threats such as theft can be prevented by the use of locked doors and restricted access to computer rooms.
4.2. Non-Physical Threats
A non-physical threat is a potential cause of an incident that may result in:
• Loss or corruption of system data
• Disruption of business operations that rely on computer systems
• Loss of sensitive information
• Illegal monitoring of activities on computer systems
• Cyber security breaches and others
Non-physical threats are also known as logical threats. The following list shows the common types of non-physical threats:
• Virus
• Trojans
• Worms
• Spyware
• Denial of Service Attacks
• Distributed Denial of Service Attacks
• Unauthorized access to computer systems resources such as data
• Other Computer Security Risks
To protect computer systems from the above-mentioned threats, an organization must have logical security measures in place. The following list shows some of the possible measures that can be taken to protect against cyber security threats:
• To protect against viruses, Trojans, worms, etc., an organization can use anti-virus software. In addition to the anti-virus software, an organization can also have control measures on the usage of external storage devices and on visiting websites that are most likely to download unauthorized programs onto the user’s computer.
• Unauthorized access to computer system resources can be prevented by the use of authentication methods. The authentication methods can be in the form of user IDs and strong passwords, smart cards, biometrics, etc.
• Intrusion-detection/prevention systems can be used to protect against denial of service attacks. There are other measures too that can be put in place to avoid denial of service attacks.
Testing and verifying security access level
An access list is essentially a list of conditions that categorize packets. They can be really helpful when you
need to exercise control over network traffic. An access list would be your tool of choice for decision
making in these situations. One of the most common and easiest to understand uses of access lists is
filtering unwanted packets when implementing security policies. For example, you can set them up to make
very specific decisions about regulating traffic patterns so that they’ll allow only certain hosts to access web
resources on the Internet while restricting others. With the right combination of access lists, network
managers arm themselves with the power to enforce nearly any security policy they can invent.
Access lists can even be used in situations that don’t necessarily involve blocking packets. For example,
you can use them to control which networks will or won’t be advertised by dynamic routing protocols. How
you configure the access list is the same. The difference here is simply how you apply it—to a routing
protocol instead of an interface. When you apply an access list in this way, it’s called a distribute list, and it
doesn’t stop routing advertisements, it just controls their content. You can also use access lists to
categorize packets for queuing and for controlling which types of traffic can activate a pricey ISDN link.
There are a few important rules that a packet follows when it’s being compared with an access list:
• It’s always compared with each line of the access list in sequential order; that is, it’ll always start with the first line of the access list, then go to line 2, then line 3, and so on.
• It’s compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
• There is an implicit “deny” at the end of each access list. This means that if a packet doesn’t match the condition on any of the lines in the access list, the packet will be discarded.
Each of these rules has some powerful implications when filtering IP packets with access lists.
There are two main types of access lists:
1. Standard access lists
These use only the source IP address in an IP packet as the condition test. All decisions are made based
on the source IP address. This means that standard access lists basically permit or deny an entire suite of
protocols. They don’t distinguish between any of the many types of IP traffic such as web, Telnet, UDP, and
so on.
2. Extended access lists
Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP
packet. They can evaluate source and destination IP addresses, the protocol field in the Network layer
header, and the port number at the Transport layer header. This gives extended access lists the ability to
make much more granular decisions when controlling traffic.
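
The three matching rules and the standard/extended distinction can be tested before a list is applied to an interface. The following Python model is an added example, not part of the original document; the `Rule`, `Packet`, `evaluate` and `shadowed` names and all addresses are constructed for illustration. It shows first-match evaluation, the implicit deny, and how a misordered line is never reached.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                      # constructed test traffic, not captured data
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: str                       # source network; the only field a standard list tests
    dst: Optional[str] = None      # extended list only
    proto: Optional[str] = None    # extended list only (None = any IP protocol)
    dport: Optional[int] = None    # extended list only (None = any port)

    def matches(self, p: Packet) -> bool:
        net, addr = ipaddress.ip_network, ipaddress.ip_address
        if addr(p.src) not in net(self.src):
            return False
        if self.dst and addr(p.dst) not in net(self.dst):
            return False
        if self.proto and self.proto != p.proto:
            return False
        return self.dport is None or self.dport == p.dport

def evaluate(acl, packet):
    """First match wins; returns (action, line). line is None for the implicit deny."""
    for line, rule in enumerate(acl, start=1):
        if rule.matches(packet):
            return rule.action, line
    return "deny", None

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matching b also matches a (conservative check)."""
    net = ipaddress.ip_network
    if not net(b.src).subnet_of(net(a.src)):
        return False
    if a.dst and not (b.dst and net(b.dst).subnet_of(net(a.dst))):
        return False
    if a.proto and a.proto != b.proto:
        return False
    return a.dport is None or a.dport == b.dport

def shadowed(acl):
    """Line numbers that can never match because an earlier line covers them."""
    return [j + 1 for j, b in enumerate(acl) if any(covers(a, b) for a in acl[:j])]

LAN = "192.168.10.0/24"            # constructed addressing plan
STANDARD = [Rule("deny", "192.168.10.50/32"), Rule("permit", LAN)]
MISORDERED = [Rule("permit", LAN), Rule("deny", "192.168.10.50/32")]
EXTENDED = [Rule("permit", LAN, "0.0.0.0/0", "tcp", 80),
            Rule("permit", LAN, "0.0.0.0/0", "tcp", 443)]

if __name__ == "__main__":
    web = Packet("192.168.10.50", "203.0.113.5", "tcp", 80)
    print(evaluate(STANDARD, web), evaluate(MISORDERED, web), shadowed(MISORDERED))
    print(evaluate(EXTENDED, Packet("192.168.10.7", "203.0.113.5", "tcp", 23)))
```

Running `shadowed` over a list before deployment is a quick way to verify that every deny line can actually take effect.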
5. Security Mechanisms
Cryptographic algorithms are just one piece of the picture when it comes to providing security in a network.
The next thing we need is a set of mechanisms and protocols for solving various problems. In this section
we examine mechanisms that are used to authenticate participants, techniques for assuring the integrity of
messages, and some approaches to solving the problem of distributing public keys.
5.1. Authentication and Authorization
• Authentication verifies user identification
  ◦ Client/server environment
  ◦ Ticket-granting system
  ◦ Authentication server system
  ◦ Cryptographic authentication
  ◦ Messaging environment
  ◦ e-mail
  ◦ e-commerce
• Authorization grants access to information
  ◦ Read, read-write, no-access
  ◦ Indefinite period, finite period, one-time use
5.2. Firewalls
• The main purpose of a firewall is to protect a network from external attacks.
• It monitors and controls traffic into and out of a secure network.
• It can be implemented in a router, gateway, or special host.
• A firewall is normally located at the gateway to a network, but it may also be located at host access points.
• Firewalls involve the use of
  ◦ Packet filtering or
  ◦ Application-level gateways

5.2.1. Packet Filters


• Packet filtering is based on protocol-specific criteria.
• It is done at the OSI data link, network, and transport layers.
• Packet filters are implemented in some commercial routers, called screening routers or packet
filtering routers.
• Although routers do not look at the transport layers, some vendors have implemented this additional
feature to sell them as firewall routers.
• The filtering is done on the following parameters:
  ◦ Source IP address, destination IP address, source TCP/UDP port, and destination TCP/UDP port.
• The filtering is implemented in each port of the router and can be programmed independently.
• Packet filtering routers can either drop packets or redirect them to specific hosts for further
screening.
• Some packets never reach the local network because they are trashed.
• A packet filtering firewall works well when the rules to be implemented are simple.
5.2.2. Application-Level Gateway
• An application-level gateway is used to overcome some of the problems identified for
packet filtering.
• From the figure, Firewalls 1 and 2 will forward data only if it is going to or coming from the application gateway.
• Thus a secured LAN is a gateway LAN.
• An application gateway behaves differently for each application, and filtering is handled by the proxy services in the gateway.
• Firewalls protect a secure site by checking addresses (e.g., IP address), transport parameters (e.g., FTP and SMTP), and applications.
5.3. Cryptography
• For secure communication we need to ensure integrity protection and authentication validation.
  ◦ Integrity protection makes sure that information has not been tampered with as it moves between source and destination.
  ◦ Authentication validation verifies originator identification.
• Cryptography means secret (crypto) writing (graphy).
• It deals with techniques of transmitting information from a sender to a receiver without any
intermediary being able to decipher it.
• The basic model of cryptographic communication is shown in the Figure below.

Figure: Basic cryptographic communication

• The input message, called plaintext, is encrypted with a secret (encryption) key.
• The encrypted message is called ciphertext, which moves through an unsecure communication
channel, the Internet for example.
5.3.1. Secret key Cryptography
• When the same key is used for both encryption and decryption, the scheme is called secret key cryptography.
• The encryption and decryption modules can be implemented in either hardware or software.

5.3.2. Public Key Cryptography


• In private key cryptography each pair of users must have a secret key.
• Public key cryptography overcomes the difficulty of having too many cryptography keys.
• Secret key cryptography is symmetric in that the same key is used for both encryption and decryption.
• Public key cryptography, by contrast, is asymmetric, with a public key and a private key, which are different.
Checking Passwords
A password is a string of characters used to verify the identity of a user during the authentication process. Passwords are typically used in conjunction with a username; they are designed to be known only to the user and allow that user to gain access to a device, application or website. Passwords can vary in length and can contain letters, numbers and special characters. Other terms that can be used interchangeably are passphrase, for when the password uses more than one word, and passcode and passkey, for when the password uses only numbers instead of a mix of characters, such as a personal identification number.
Creating a Secure Password
Many organizations set password policies so employees create strong passwords and use best practices for their login credentials. Some of the best practices for password requirements include:
• A minimum length of eight characters with a limit of anywhere from 16 to 64 characters or possibly even higher;
• The inclusion of both uppercase and lowercase letters with case sensitivity;
• The use of at least one number; and
• The use of at least one special character.
Policies should prohibit certain characteristics in weak passwords. For instance, any recognizable personal
information -- such as birthdates, names of children, or favorite sports teams -- should not be part of a
password, as well as any words or phrases that are on a password blacklist. Password blacklists are lists
of passwords that are too easily cracked and thus are not secure enough to use. Common offenders that
wind up on blacklists include "123456," "password," "football," "qwerty" and so on.
Strong password policies also include a time limit for user passwords. This means that passwords will
expire after a set period of time -- such as 90 or 180 days -- and users will be forced to change their
password to prevent the reuse of the same couple of passwords. The policy may also require the user to
create a password that is different from any other they have used in the last six to 12 months.
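
The policy rules described above can be enforced at password-change time. The following Python checker is an added example, not part of the original document; the function names, the violation labels, the PBKDF2 work factor and the sample values are assumptions. Password history is compared through salted hashes, so earlier passwords never need to be stored in plaintext.

```python
import hashlib
import hmac
import re
from datetime import date

BLOCKLIST = {"123456", "password", "football", "qwerty"}  # the examples named in the text
PBKDF2_ROUNDS = 100_000  # demo value (assumption); tune to your own hardware

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash used for stored passwords and for the history check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def check_password(candidate, personal_terms=(), history=(), min_len=8, max_len=64):
    """Return the list of policy violations; an empty list means accepted.

    history holds (salt, hash) pairs of the user's earlier passwords.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append("too_short")
    if len(candidate) > max_len:
        problems.append("too_long")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("mixed_case")
    if not re.search(r"\d", candidate):
        problems.append("digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("special")
    lowered = candidate.lower()
    # A blacklisted word must not appear anywhere inside the password.
    if any(term in lowered for term in BLOCKLIST):
        problems.append("blacklisted")
    # Personal information (names, birth years, teams) supplied by the caller.
    if any(term.lower() in lowered for term in personal_terms if term):
        problems.append("personal_info")
    # Reuse check against hashed history, compared in constant time.
    if any(hmac.compare_digest(hash_password(candidate, salt), old)
           for salt, old in history):
        problems.append("reused")
    return problems

def is_expired(changed_on: date, today: date, max_age_days: int = 90) -> bool:
    """True when the password is older than the policy's time limit."""
    return (today - changed_on).days > max_age_days

if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample; use a random per-user salt
    history = [(salt, hash_password("Winter!Coat42", salt))]
    for pw in ("Password1!", "abc", "Winter!Coat42", "Tr1cky&Harbor"):
        print(pw, check_password(pw, personal_terms=["Dana"], history=history))
```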
While strong passwords are ideal, users often forget them. As a result, password recovery methods might
vary depending upon access to an application, website or device. Methods might include answering
security questions, confirming emails asking if users want to reset their passwords, or entering numerical
security codes sent via text to a mobile phone to authenticate users who need to reset passwords or
recover the original one.
Alternative Methods to Passwords
There are many authentication options available today so that users do not have to rely on passwords that
can be easily cracked or compromised. These options include:
Two-factor authentication (2FA): 2FA requires users to provide two authentication factors that include a combination of something the user knows -- like a password or PIN; something the user has -- like an ID card, security token or smartphone; or something the user is -- biometrics.
Biometrics: Biometric technology is mainly used for identification and access control. Biometrics includes physiological characteristics such as fingerprints or retinal scans, and behavioral characteristics such as typing patterns and voice recognition.
Multifactor authentication (MFA): MFA is similar to 2FA except that it is not limited to only two authentication factors. It also uses something the user knows, something the user has and something the user is.
Tokens: A security token is a physical hardware device like a smart card or key fob that a user carries to authorize access to a network.
One-time passwords (OTP): An OTP is an automatically generated password that only authenticates a user for a single transaction or session. These passwords change for every use and are typically stored on security tokens.
Social logins: A social login is when users can authenticate themselves on applications or websites by connecting to their social media account, such as Facebook or Google, instead of using a separate login for each and every site.
