College: IIIT-A
SUBMITTED TO: ONGC PROJECT ICE
Topic: Networking and Security
Contents
1. Introduction to Networking and Security
2. OSI AND TCP/IP model
3. Routing
4. Switching
5. Spanning tree protocol
6. VLANS
7. VTP
8. Security
9. Access list
10. NAT & PAT
A Word of Thanks
This page is solely dedicated to appreciating the very generous
help and support that I have received from the whole
Networking Team of O.N.G.C Project ICE. The whole team has
contributed a lot to my learning process at Project ICE. Without
them my training programme here would not have been
successful. Especially Mr. Dharamraj, Mr. Rakesh Arora, Mr.
Dushyant and above all Mr. A.S. Dobre have shared some very
important facts about the networking industry, which I am sure
I would never have received by studying in a classroom. I
thank all the people I mentioned above for being very patient
and generous with their time even when they had so much
commitment towards their work.
OVERVIEW OF THE REPORT
Routing Schemes
anycast
broadcast
multicast
unicast
Deflection routing
Dijkstra's algorithm
Fuzzy routing
Geographic routing
Heuristic routing
Hierarchical routing
IP Forwarding Algorithm
Multipath routing
Policy-based routing
Static routing
world network
Routing protocols
Classless Inter-Domain Routing (CIDR): CIDR is a method of
allocating IP addresses and routing Internet Protocol packets. It
was introduced in 1993 to replace the prior classful addressing
architecture of the Internet, with the goals of slowing the growth
of routing tables on routers across the Internet and slowing the
exhaustion of IPv4 addresses.
IP addresses are described as consisting of two groups of bits in
the address: the most significant part is the network
address which identifies a whole network or subnet and the least
significant portion is the host identifier, which specifies a
particular host interface on that network. This division is used as
the basis of traffic routing between IP networks and for address
allocation policies. Classful network design for IPv4 sized the
network address as one or more 8-bit groups, resulting in the
blocks of Class A, B, or C addresses. Classless Inter-Domain
Routing allocates address space to Internet service providers and
end users on any address bit boundary, instead of on 8-bit
segments. In IPv6, however, the host identifier is 64 bits by
convention, and subnets smaller than a /64 are not normally
allocated to end users.
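The prefix arithmetic that CIDR rests on, worked through as an added example (this code is not from the report). It implements the network/host split with plain integer masks, cross-checks itself against Python's ipaddress module, and generalises to the longest-prefix-match lookup a classless router performs (the "IP Forwarding Algorithm" named in the overview). Security-wise the check worth having is the rejection of prefixes with host bits set: a firewall or ACL entry written as 10.20.5.1/24 when 10.20.5.0/24 was meant is a classic mis-specification. The forwarding table is constructed sample data using RFC 1918 and RFC 5737 documentation ranges; the next-hop names are placeholders.

```python
"""CIDR prefix matching and longest-prefix forwarding lookup (added example)."""
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask(plen: int) -> int:
    """Prefix length -> 32-bit mask; /0 gives 0, /32 gives 0xFFFFFFFF."""
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length: {plen}")
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def parse_prefix(cidr: str):
    """'a.b.c.d/len' -> (network_int, prefix_len). Rejects host bits set,
    which is the usual sign of a mistyped route or ACL entry."""
    addr, _, length = cidr.partition("/")
    plen = int(length) if length else 32
    mask = netmask(plen)
    net = ip_to_int(addr)
    if net & ~mask & 0xFFFFFFFF:
        raise ValueError(
            f"{cidr} has host bits set; did you mean {int_to_ip(net & mask)}/{plen}?")
    return net, plen


def prefix_contains(cidr: str, addr: str) -> bool:
    """True if addr lies inside the classless block cidr."""
    net, plen = parse_prefix(cidr)
    return (ip_to_int(addr) & netmask(plen)) == net


def longest_prefix_match(table, addr: str):
    """Next hop of the most specific matching route, or None if nothing matches.
    table: list of (cidr, next_hop). Order of entries does not matter: the
    longest matching prefix wins, which is what makes classless routing work."""
    best, best_len = None, -1
    for cidr, next_hop in table:
        if prefix_contains(cidr, addr):
            _, plen = parse_prefix(cidr)
            if plen > best_len:
                best, best_len = next_hop, plen
    return best


# Constructed sample forwarding table (next-hop names are placeholders).
SAMPLE_TABLE = [
    ("0.0.0.0/0", "isp-uplink"),       # default route
    ("10.0.0.0/8", "core"),            # aggregate for the private space
    ("10.20.0.0/16", "site-dist"),     # one site within the aggregate
    ("10.20.5.0/24", "server-vlan"),   # one subnet at that site
    ("203.0.113.0/25", "dmz-fw"),      # a classless split of a /24: only .0-.127
]

if __name__ == "__main__":
    for dst in ("10.20.5.17", "10.20.200.1", "10.9.9.9", "203.0.113.7", "203.0.113.200"):
        print(f"{dst:15} -> {longest_prefix_match(SAMPLE_TABLE, dst)}")
    # Cross-check the hand-rolled arithmetic against the standard library.
    assert prefix_contains("10.20.5.0/24", "10.20.5.17") == (
        ipaddress.ip_address("10.20.5.17") in ipaddress.ip_network("10.20.5.0/24"))
```

Note that 203.0.113.200 falls through to the default route even though 203.0.113.0/24 "looks" like one block: with CIDR the /25 covers only the lower half, which is exactly the kind of boundary a classful mindset gets wrong.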
MPLS routing: Multiprotocol Label Switching (MPLS) is
a mechanism in high-performance telecommunications
networks which directs and carries data from one network
node to the next. MPLS makes it easy to create "virtual links"
between distant nodes. It can encapsulate packets of
various network protocols.
MPLS is a highly scalable, protocol-agnostic, data-carrying
mechanism. In an MPLS network, data packets are assigned
labels. Packet-forwarding decisions are made solely on the
contents of this label, without the need to examine the packet
itself. This allows one to create end-to-end circuits across any
type of transport medium, using any protocol. The primary
benefit is to eliminate dependence on a particular Data Link
Layer technology, such as ATM, Frame Relay, SONET or
Ethernet, and to eliminate the need for multiple Layer 2
networks to satisfy different types of traffic. MPLS belongs to
the family of packet-switched networks.
ATM routing: Asynchronous Transfer Mode (ATM) is a cell-based
switching technique that uses asynchronous time division
multiplexing. It encodes data into small fixed-size cells (cell
relay) and provides data link layer services that run over OSI
Layer 1 physical links. This differs from other packet-switched
technologies (such as the Internet Protocol or Ethernet), in
which variable-size packets (known as frames when referring to
Layer 2) are used. ATM exhibits properties of both circuit-switched
and small-packet-switched networking, making it suitable for
wide area data networking as well as real-time media transport.
ATM uses a connection-oriented model and establishes a virtual
circuit between two endpoints before the actual data exchange
begins.
RPSL: The Routing Policy Specification Language (RPSL) is a
language commonly used by ISPs to describe their routing
policies.
The routing policies are stored in various whois databases
including RIPE, RADB and APNIC. ISPs then use automated tools
to generate router configuration files that match their business
and technical policies.
RFC 2622 describes RPSL and replaced RIPE-181. RFC 2650
provides a reference tutorial on using RPSL in the real world.
RPSL has been extended by the RPSL-NG (RPSL Next Generation)
effort to support IPv6 and multicast routing policies. RPSL-NG
is defined in RFC 4012.
RSMLT: Routed-SMLT (R-SMLT) is a computer networking
protocol designed by Nortel (now acquired by Avaya) as an
enhancement to SMLT. It enables the exchange of Layer 3
information between peer nodes in a Switch Cluster, giving
resiliency and simplicity for both L3 and L2.
In many cases, core network convergence time after a failure
depends on how long a routing protocol needs to converge
(re-route traffic around the fault). Depending on the routing
protocol, this can cause network interruptions ranging from
seconds to minutes. The Nortel R-SMLT feature works with
SMLT and DSMLT to provide sub-second failover (normally less
than 100 milliseconds), so no outage is noticed by end users.
This high-speed recovery is required by critical networks
where outages can cause loss of life or very large monetary
losses.
RSMLT routing topologies provide an active-active router
concept for core SMLT networks. The protocol supports
networks designed with SMLT or DSMLT triangles, squares,
and SMLT or DSMLT full-mesh topologies, with routing
enabled on the core VLANs. R-SMLT takes care of packet
forwarding during core router failures and works with any of
the following protocol types: IP unicast static routes, RIP1,
RIP2, OSPF, BGP and IPX RIP.
Alternative methods for network data flow
Peer-to-peer
Network coding
Switches
A network switch or switching hub is a computer networking
device that connects network segments.
The term commonly refers to a network bridge that processes
and routes data at the data link layer (layer 2) of the OSI model.
Switches that additionally process data at the network
layer (layer 3 and above) are often referred to as Layer 3
switches or multilayer switches.
The term network switch does not generally encompass
unintelligent or passive network devices such
as hubs and repeaters.
The first Ethernet switch was introduced by Kalpana in 1990.
Function
The network switch, packet switch (or just switch) plays an
integral part in most Ethernet local area networks (LANs).
Mid-to-large sized LANs contain a number of linked managed
switches. Small office/home office (SOHO) applications
typically use a single switch, or an all-purpose converged
device that provides gateway access to small office/home
broadband services, such as a DSL router or cable Wi-Fi router.
In most of these cases the end-user device contains a router
and the components that interface to the particular physical
broadband technology, as in Linksys 8-port and 48-port devices.
User devices may also include a telephone interface for VoIP.
A standard 10/100 Ethernet switch operates at the data-link
layer of the OSI model and creates a separate collision domain
for each switch port. If four computers (A, B, C and D) are on
four switch ports, A and B can transfer data back and forth
while C and D do so simultaneously, and the two
"conversations" do not interfere with one another. With a hub
they would all share the bandwidth and run in half duplex,
producing collisions and the retransmissions that follow. This
per-port separation is called micro-segmentation. It gives every
computer dedicated bandwidth on a point-to-point connection,
so each can run in full duplex with no collisions.
Role of switches in networks
Protocol operation
The collection of bridges in a LAN can be considered
a graph whose nodes are the bridges and the LAN segments (or
cables), and whose edges are the interfaces connecting the
bridges to the segments.
To break loops in the LAN while maintaining access to all LAN
segments, the bridges collectively compute a spanning tree. The
spanning tree is not necessarily a minimum cost spanning tree.
A network administrator can reduce the cost of a spanning tree,
if necessary, by altering some of the configuration parameters in
such a way as to affect the choice of the root of the spanning
tree.
The spanning tree that the bridges compute using the Spanning
Tree Protocol can be determined using the following rules. The
example network described in step 1 is used to illustrate the
rules.
1. An example network. The numbered boxes represent
bridges (the number represents the bridge ID). The
lettered clouds represent network segments.
2. The smallest bridge ID is 3. Therefore, bridge 3 is the
root bridge.
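The election rules above, carried through in code as an added example (not from the report and not a description of any vendor's implementation). It models the bridge/segment graph exactly as the text describes it, applies the classic 802.1D rules (lowest bridge ID is root; each other bridge's root port is the port with the least root-path cost; each segment's designated bridge is the attached bridge with the least root-path cost, lowest ID on ties; every other port is blocked), and then repeats the election after a switch with a lower bridge ID is plugged into one segment. That second run is the security point: the root election trusts whatever ID it hears, so an unmanaged or attacker-controlled switch can become root and pull traffic through itself; in practice access ports are protected with BPDU guard or root guard, which the report does not cover. Bridge IDs, segment letters and port costs are constructed sample data (costs 4 and 19 are the 802.1D values for 1 Gbit/s and 100 Mbit/s ports).

```python
"""Spanning Tree election worked by hand (added example, not from the report).
ports: {bridge_id: {segment: port_cost}} describes which bridge ports attach
to which LAN segments and at what cost."""
import heapq

INF = float("inf")


def elect_root(ports):
    """Lowest bridge ID wins the root election."""
    return min(ports)


def root_path_costs(ports, root):
    """Dijkstra over segment -> bridge hops. Entering a bridge through a port
    adds that port's cost, which is how 802.1D accumulates root path cost.
    Returns ({bridge: cost}, {bridge: root_port_segment})."""
    on_segment = {}
    for b, attach in ports.items():
        for seg in attach:
            on_segment.setdefault(seg, []).append(b)
    cost = {b: INF for b in ports}
    via = {b: None for b in ports}          # (segment, upstream bridge)
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, b = heapq.heappop(heap)
        if c > cost[b]:
            continue
        for seg in ports[b]:
            for nb in on_segment[seg]:
                if nb == b:
                    continue
                nc = c + ports[nb][seg]
                better = nc < cost[nb]
                # Equal cost: prefer the lower-ID upstream bridge, as 802.1D does.
                tie = nc == cost[nb] and via[nb] is not None and b < via[nb][1]
                if better or tie:
                    cost[nb], via[nb] = nc, (seg, b)
                    heapq.heappush(heap, (nc, nb))
    return cost, {b: (v[0] if v else None) for b, v in via.items()}


def designated_bridges(ports, cost):
    """Per segment: attached bridge with least root-path cost, lowest ID on ties."""
    best = {}
    for b, attach in ports.items():
        for seg in attach:
            if seg not in best or (cost[b], b) < best[seg]:
                best[seg] = (cost[b], b)
    return {seg: b for seg, (_, b) in best.items()}


def port_states(ports):
    """{(bridge, segment): 'root' | 'designated' | 'blocked'} for the whole LAN."""
    root = elect_root(ports)
    cost, root_port = root_path_costs(ports, root)
    des = designated_bridges(ports, cost)
    states = {}
    for b, attach in ports.items():
        for seg in attach:
            if b != root and root_port[b] == seg:
                states[(b, seg)] = "root"
            elif des[seg] == b:
                states[(b, seg)] = "designated"
            else:
                states[(b, seg)] = "blocked"
    return states


def forwarding_link_count(ports):
    """A loop-free tree spanning B bridges and S segments forwards on exactly
    B + S - 1 bridge/segment links; handy as a sanity check of the result."""
    return sum(1 for st in port_states(ports).values() if st != "blocked")


# Constructed sample LAN: numbered bridges, lettered segments. Segments C and D
# both join bridges 5 and 6, so the graph has loops that STP must break.
SAMPLE_LAN = {
    3: {"A": 4, "B": 4},
    5: {"A": 4, "C": 4, "D": 19},
    6: {"B": 4, "C": 4, "D": 4},
}
# Same LAN after a switch with bridge ID 1 is plugged into segment C.
ROGUE_LAN = {**SAMPLE_LAN, 1: {"C": 4}}

if __name__ == "__main__":
    for lan in (SAMPLE_LAN, ROGUE_LAN):
        print("root bridge:", elect_root(lan))
        for (b, seg), st in sorted(port_states(lan).items()):
            print(f"  bridge {b} port on {seg}: {st}")
```

In the sample LAN bridge 3 is root and bridge 6 blocks its ports on C and D; after the rogue switch appears, bridge 1 is root, bridge 3 is demoted to a leaf with its port on A as root port, and traffic between the two halves of the network now transits the new switch.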
VTP Modes
VTP operates in one of three modes:
Server – In this VTP mode you can create, remove and
modify VLANs. You can also set other configuration
options, such as the VTP version, and turn VTP pruning
on or off for the entire VTP domain. VTP servers
advertise their VLAN configuration to other switches in
the same VTP domain and synchronize their VLAN
configuration with other switches based on messages
received over trunk links. Server is the default mode.
The VLAN information is stored in NVRAM and survives
a reboot.
Client – VTP clients behave the same way as VTP
servers, but you cannot create, change or delete
VLANs on the local device. Remember that even in VTP
client mode a switch stores the last known VTP
information, including the configuration revision
number. Do not assume that a VTP client starts with a
clean slate when it powers up: if its revision number is
higher than the domain's, its (possibly stale) VLAN
database overwrites the database on every server and
client in the domain as soon as it is connected over a
trunk. Reset the revision number, for example by changing
the domain name or setting transparent mode, before adding
a switch to a production domain.
Transparent – When you set the VTP mode to

Differences between VTP version 1 and version 2:
Token Ring support – Token Ring Bridge Relay Function (TrBRF)
and Token Ring Concentrator Relay Function (TrCRF) VLANs are
supported in version 2.
Unrecognized Type-Length-Value (TLV) – In V2, a server
propagates TLVs even when it does not understand them, and
saves them in NVRAM when the switch is in VTP server mode.
This is useful when not all devices are at the same version or
release level.
Version-dependent transparent mode – A VTPv1 switch in
transparent mode forwards a VTP message only if the domain
name and version in the message match its own; VTPv2 forwards
VTP messages in transparent mode without checking the version.
Consistency checks – VTPv1 performs consistency checks on
received messages, which adds overhead. VTPv2 forwards any
message whose MD5 digest is correct and consistency-checks
only new configuration information entered through the
configuration editor, Cluster Management Software or SNMP.
VTP version 3 is a protocol that is only responsible for
distributing a list of opaque databases over an administrative
domain. When enabled, VTP version 3 provides the following
enhancements over previous VTP versions:
Support for extended VLANs.
Support for the creation and advertising of private
VLANs.
Improved server authentication.
Protection from the "wrong" database accidentally being
inserted into a VTP domain.
Interaction with VTP version 1 and VTP version 2.
The ability to be configured on a per-port basis.
The ability to propagate the VLAN database and
other databases.
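The revision-number rule behind the client-mode warning above, and the "wrong database" problem that VTP version 3 sets out to fix, modelled as an added example (this is not the report's material and not vendor code). Every VTP server and client in a domain applies the same acceptance rule to a received summary advertisement: if the domain name matches and the advertised configuration revision is higher than its own, it adopts the advertised VLAN database; transparent switches only forward. The real protocol also verifies an MD5 digest computed over the domain password, which this model leaves out (an assumption of the model), and on Cisco switches the revision returns to zero when the domain name is changed or the mode is set to transparent, which the model represents as an explicit reset. The switch names, the domain name "ICE" and the VLAN databases are constructed sample data.

```python
"""VTP configuration-revision behaviour (added example, not from the report)."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    mode: str                     # "server", "client" or "transparent"
    domain: str
    revision: int = 0
    vlans: dict = field(default_factory=dict)   # vlan_id -> name

    def receive_advertisement(self, domain, revision, vlans):
        """Apply the accept rule; return True if the local database was replaced."""
        if self.mode == "transparent" or domain != self.domain:
            return False               # transparent: forward only; other domain: ignore
        if revision > self.revision:   # higher revision wins, on clients AND servers
            self.revision = revision
            self.vlans = dict(vlans)
            return True
        return False

    def advertise_to(self, peers):
        """Send a summary advertisement over trunks; return names of peers that changed."""
        return [p.name for p in peers
                if p.receive_advertisement(self.domain, self.revision, self.vlans)]

    def reset_revision(self):
        """Models the revision going back to 0 after a domain-name change or a
        switch to transparent mode (assumed behaviour for this model)."""
        self.revision = 0


def add_vlan_on_server(server, vlan_id, name, peers):
    """A legitimate change: only servers may edit, and each edit bumps the revision."""
    if server.mode != "server":
        raise PermissionError(f"{server.name} is a VTP {server.mode}, not a server")
    server.vlans[vlan_id] = name
    server.revision += 1
    return server.advertise_to(peers)


def plug_in_stale_switch(reset_first: bool):
    """Connect a lab client that still holds an old database with a HIGHER
    revision than the production domain, optionally resetting it first.
    Returns a dict with the switches that changed and the resulting databases."""
    s1 = Switch("S1", "server", "ICE", 5, {10: "users", 20: "servers"})
    c1 = Switch("C1", "client", "ICE", 5, {10: "users", 20: "servers"})
    t1 = Switch("T1", "transparent", "ICE", 0, {30: "mgmt"})
    stale = Switch("LAB", "client", "ICE", 12, {99: "lab"})
    if reset_first:
        stale.reset_revision()
    changed = stale.advertise_to([s1, c1, t1])   # the stale switch speaks first
    s1.advertise_to([stale])                     # then the production server answers
    return {"changed": changed, "s1": s1.vlans, "c1": c1.vlans,
            "t1": t1.vlans, "stale": stale.vlans}


if __name__ == "__main__":
    print("stale client connected as-is:", plug_in_stale_switch(False))
    print("stale client reset first:    ", plug_in_stale_switch(True))
```

Without the reset, S1 and C1 both replace their VLAN 10 and 20 entries with the lab's single VLAN 99 and every port on those VLANs goes dark; the transparent switch is untouched. With the reset, the stale switch is the one that gets overwritten, which is the intended direction.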
Configuration Commands
Step  Task                                          Command
1     Define the VTP domain name (case sensitive)    vtp domain name
2     Set which VTP version to run                   vtp version #
4     Verify the VTP configuration                   show vtp status
VLAN Pruning
Step  Task                                          Command
4     Verify the VTP pruning configuration           show vtp status
Medium businesses
A fairly strong firewall or Unified Threat Management system.
Strong antivirus software and Internet security software.
For authentication, use strong passwords and change them on a
bi-weekly/monthly basis (current guidance in NIST SP 800-63B
is to change passwords on evidence of compromise rather than
on a fixed schedule).
When using a wireless connection, use a robust password.
Raise awareness of physical security among employees.
Use an optional network analyzer or network monitor.
An enlightened administrator or manager.
Large businesses
A strong firewall and proxy to keep unwanted people out.
A strong antivirus software package and Internet security
software package.
For authentication, use strong passwords and change them on a
weekly/bi-weekly basis.
When using a wireless connection, use a robust password.
Exercise physical security precautions with employees.
Prepare a network analyzer or network monitor and use it
when needed.
Implement physical security management such as closed-circuit
television for entry areas and restricted zones.
Security fencing to mark the company's perimeter.
Fire extinguishers for fire-sensitive areas such as server rooms
and security rooms.
Security guards can help to maximize security.
School
An adjustable firewall and proxy to allow authorized users
access from outside and inside.
Strong antivirus software and Internet security software
packages.
Wireless connections that lead to firewalls.
Children's Internet Protection Act compliance.
Supervision of the network to guarantee updates and changes
based on popular site usage.
Constant supervision by teachers, librarians and
administrators to guarantee protection against attacks from
both Internet and sneakernet sources.
Large government
A strong firewall and proxy to keep unwanted people
out.
Strong antivirus software and Internet security software
suites.
Strong encryption.
Whitelist authorized wireless connections; block all else.
All network hardware in secure zones.
All hosts on a private network that is invisible from the
outside.
Web servers in a DMZ, or behind a firewall from both the
outside and the inside.
Security fencing to mark the perimeter, with wireless range
limited to it.
ACCESS CONTROL LIST
An access control list (ACL), with respect to a computer
file system, is a list of permissions attached to an object.
An ACL specifies which users or system processes are
granted access to objects, as well as what operations are
allowed on given objects. Each entry in a typical ACL
specifies a subject and an operation. For instance, if a file
has an ACL that contains (Alice, delete), this would
give Alice permission to delete the file. Router access lists
apply the same idea to packets: each entry names a source
(and, for extended lists, a destination, protocol and ports)
together with a permit or deny action, entries are evaluated
in order, and a packet that matches no entry is dropped by the
implicit deny at the end of the list.
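How an ACL like the one above is actually evaluated, as an added example (not from the report). It models an ACL as an ordered list of (subject, operation, effect) entries evaluated first-match with an implicit deny when nothing matches, which is the semantics of router access lists and of file-system ACLs that support explicit deny entries. Beyond the single (Alice, delete) entry in the text it shows the two mistakes practitioners most often make: forgetting that the implicit deny blocks everyone not listed, and placing an explicit deny after a broader permit so that it can never match. The second is caught by a small shadowing lint. Subjects, group memberships and entries are constructed sample data; the group and user names are placeholders.

```python
"""Ordered ACL evaluation with implicit deny (added example, not from the report)."""
from dataclasses import dataclass
from typing import Iterable

ANY = "*"


@dataclass(frozen=True)
class Entry:
    subject: str     # user or group name, or ANY
    operation: str   # "read", "write", "delete", or ANY
    effect: str      # "permit" or "deny"


def matches(entry: Entry, subject: str, groups: Iterable[str], operation: str) -> bool:
    """An entry matches if its subject is the user, one of the user's groups or ANY,
    and its operation is the requested one or ANY."""
    subject_ok = entry.subject in (ANY, subject) or entry.subject in groups
    op_ok = entry.operation in (ANY, operation)
    return subject_ok and op_ok


def is_allowed(acl: list, subject: str, groups: Iterable[str], operation: str) -> bool:
    """First matching entry decides; no match means deny (the implicit deny)."""
    groups = set(groups)
    for entry in acl:
        if matches(entry, subject, groups, operation):
            return entry.effect == "permit"
    return False


def find_shadowed(acl: list, subjects, groups_of: dict, operations) -> list:
    """Entries that are never the first match for any listed principal and
    operation: a cheap lint for deny rules placed too late to take effect."""
    hit = set()
    for s in subjects:
        for op in operations:
            for i, e in enumerate(acl):
                if matches(e, s, groups_of.get(s, ()), op):
                    hit.add(i)
                    break
    return [e for i, e in enumerate(acl) if i not in hit]


# Constructed sample: a file whose ACL grants Alice delete, lets the "staff"
# group read, and explicitly blocks a departed contractor who is still in staff.
GROUPS = {"alice": {"staff"}, "bob": {"staff"}, "mallory": {"staff"}}
FILE_ACL = [
    Entry("mallory", ANY, "deny"),       # explicit deny first, so it wins
    Entry("alice", "delete", "permit"),  # the (Alice, delete) entry from the text
    Entry("staff", "read", "permit"),
]
# A mis-ordered variant: the group permit comes first and the deny can never match.
BAD_ACL = [
    Entry("staff", ANY, "permit"),
    Entry("mallory", ANY, "deny"),
]

if __name__ == "__main__":
    for who, op in (("alice", "delete"), ("bob", "delete"), ("bob", "read"),
                    ("mallory", "read"), ("eve", "read")):
        print(f"{who:8} {op:7} -> {'permit' if is_allowed(FILE_ACL, who, GROUPS.get(who, ()), op) else 'deny'}")
    print("shadowed in BAD_ACL:", find_shadowed(BAD_ACL, GROUPS, GROUPS, ["read", "write", "delete"]))
```

Note that `eve`, who appears in no entry, is denied everything without any rule saying so; and that in BAD_ACL Mallory can delete the file even though a deny entry for her exists, because the broader `staff` permit is matched first.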