Agenda 1. QUIZ 2. HOMEWORK LAST CLASS 3. HOMEWORK NEXT CLASS 4. DATA LINK CONTROL 5. FIREWALLS 6. PRACTICE EXAM

Upload: corey-arnold

Post on 12-Jan-2016

Agenda

1. QUIZ
2. HOMEWORK LAST CLASS
3. HOMEWORK NEXT CLASS
4. DATA LINK CONTROL
5. FIREWALLS
6. PRACTICE EXAM

Homework

Study For Exam

Chapter 10

Data Link Control

1. An Advice To The Lovelorn database operates on a 10 Mbps line (the lovelorn need a lot of advice). The average input has 1000 bytes of questions. The average output has 1 million bytes of answers. Database processing time averages 9 seconds. What is the total response time if you assume 8 bits per byte? If the line is a SONET MAN, what determines if there is a congestion problem?

Figure 10-1

Data Link Layer

Figure 10-2

Data Link Layer Function

Figure 10-3

Line Discipline Categories

Figure 10-4

Line Discipline Concept: ENQ/ACK

Figure 10-5

ENQ/ACK Line Discipline

Figure 10-6

Poll/Select Line Discipline

Figure 10-7

Select

Figure 10-8

Poll

Figure 10-9

Categories of Flow Control

Figure 10-10

Stop-and-Wait

Figure 10-11

Sliding Window

Figure 10-12

Sender Sliding Window

Figure 10-13

Receiver Sliding Window

Figure 10-14

Example of Sliding Window

Figure 10-15

Categories of Error Control

Figure 10-16

Stop-and-wait ARQ, Damaged Frame

Figure 10-17

Stop-and-wait ARQ, Lost Frame

Figure 10-18

Stop-and-wait ARQ, Lost ACK

Figure 10-19

Go-Back-n, Damaged Frame

Figure 10-20

Go-Back-n, Lost Frame

Figure 10-21

Go-Back-n, Lost ACK

Figure 10-22 Selective-Reject, Damaged Frame

WAN-Virtual Circuits

VPN

WAN-Virtual Circuits

Problems For Management
• VPN implementation, services & overall utility vary widely -- the single complete solution that can meet all your needs does not exist
• (Depending on your environment) some implementations hold distinct advantages over others

WAN-Virtual Circuits

Virtual Private Networking Version 2.0
1. What is a VPN?
2. What is a tunnel?
3. What is the relationship between VPNs and multi-system management?
4. What is the significance of Service Level Agreements (SLAs)?

WAN-Virtual Circuits

Virtual Private Networking Enhancers
1. IPSec:
• A protocol that authenticates, encapsulates (tunnels) and encrypts traffic across IP networks.
• It supports key management, the Internet Key Exchange protocol & various encryptions (e.g., DES & Triple DES)
2. Multiprotocol Label Switching (MPLS):
• Defines a process in which a label is attached to an IP header to increase routing efficiency and enable routers to forward packets according to specified QoS levels.
• Uses a tunneling technique.

MPLS vs. Circuit Switching

MPLS
• Minimizes changes to hardware by routing and switching functions
• Will establish per-hop behavior for delay sensitive traffic
• Permits bandwidth reservation and flow control over wide range of paths
• Will permit bandwidth & other constraints to be considered in computations
• Provides ranking to individual flows so during failure important flows go first

Circuit Switching
• Hardware designs do not need to change
• Minimizes delay variations
• Enables accurate bandwidth reservations
• Can automatically compute routes over known/specified bandwidths
• Can provide hard guarantees of service and routing

VPN Example: Cisco Secure Client

[Diagram labels: CAMPUS; X.509 Cert Auth; VPN Administrator; Cisco Secure Access Control Server-AAA; Cisco 7100 Series VPN Router; Extranet User with Internet Access; Extranet User with Cisco Secure VPN Client; Internet VPN and/or IP-VPN; Mobile Dial Remote Access User with Cisco Secure VPN Client; Mobile Home User with Cisco Secure VPN Client]

VPN Example: Cisco Secure Client

Advertised Features
• Full compliance with IPSec and related standards
• DES, 3DES, MD-5 & SHA-1 algorithms
• Internet Key Exchange using ISAKMP/Oakley
• Interoperates with virtually all PC Windows communications devices: LAN adapters, modems, PCMCIA cards, etc.
• GUI for configuring security policy and managing certificates
• Easy to install and transparent to use with easy configuration for deployment to end users
• Security policy can be exported and protected as read only by the VPN administrator

VPN Example: Cisco Secure Client

Advertised Applications
• Travelling “Road Warrior” communications (client to gateway)
• Creation of virtual “secure enclave” on unprotected network
• X.509 v3 certificates
• FIPS-46 DES encryption
• FIPS-180-1 SHA-1 hash
• FIPS-186 DSS digital signatures
• CAPI 2.0: Microsoft Crypto API
• PKCS: Public Key Cryptographic Standards
• IP Security Standards

VPN Example: Cisco Secure Client

Internet Protocol Security Standards
• RFC 2401 Security Architecture for Internet Protocol
• RFC 2402 IP Authentication Header
• RFC 2403 Use of HMAC-MD5-96 within ESP & AH
• RFC 2404 Use of HMAC-SHA-1-96 within ESP & AH
• RFC 2405 ESP DES-CBC Cipher Algorithm with Explicit IV
• RFC 2406 IP Encapsulating Security Payload (ESP)
• RFC 2407 IP Security Domain of Interpretation for ISAKMP
• RFC 2408 Internet Security Association & Key Management Protocol (ISAKMP)
• RFC 2409 Internet Key Exchange (IKE)
• RFC 2410 NULL Encryption Algorithm & its uses with IPSec
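An added example, not part of the original slides: the "authenticates" part of IPSec, shown as the HMAC-SHA-1-96 integrity check of RFC 2404 applied to an ESP packet (SPI and sequence number, then payload, then a 96-bit check value). The key, SPI and payload bytes are constructed sample values, and the payload is treated as opaque, already-encrypted bytes.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1 output truncated to 96 bits (RFC 2404)


def esp_icv(key: bytes, authenticated: bytes) -> bytes:
    """HMAC-SHA-1 over the ESP packet minus its ICV, truncated to 96 bits."""
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def esp_seal(key: bytes, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Prepend the ESP header (SPI, sequence number) and append the ICV."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + esp_icv(key, body)


def esp_verify(key: bytes, packet: bytes):
    """Return (spi, seq, ciphertext) if the ICV is valid, otherwise None."""
    if len(packet) < 8 + ICV_LEN:
        return None  # too short to hold a header and an ICV
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Constant-time comparison avoids leaking how many ICV bytes matched.
    if not hmac.compare_digest(icv, esp_icv(key, body)):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]


# Constructed sample values (assumptions, not from the slides).
KEY = bytes(range(20))  # RFC 2404 specifies a 160-bit key
CIPHERTEXT = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo():
    """Verify a genuine packet and one with a flipped sequence-number bit."""
    packet = esp_seal(KEY, 0x1000, 1, CIPHERTEXT)
    tampered = bytearray(packet)
    tampered[7] ^= 0x01  # header fields are covered by the ICV too
    return esp_verify(KEY, packet), esp_verify(KEY, bytes(tampered))


if __name__ == "__main__":
    print(demo())
```
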

VPN Evaluation: Computer Networks Report

| Services | Wt. | GTEI | Uunet | Infonet | Quest | AT&T | PSINet |
|---|---|---|---|---|---|---|---|
| Geogr Coverage | 25% | 5 | 3 | 4 | 2 | 2 | 2.5 |
| SLAs | 25% | 4 | 4.5 | 3 | 1.5 | 3 | 2.5 |
| Pricing | 20% | 2.5 | 5 | 3.5 | 3.5 | 1 | 1 |
| Security | 20% | 4.5 | 3.5 | 2 | 4 | 3.5 | 2 |
| QoS Support | 10% | 2 | 2 | 2 | 1 | 1 | 2 |
| Total Score | | 3.85 | 3.76 | 3.05 | 2.46 | 2.25 | 2.05 |
| | | B | B | C+ | D | D | D |

Note: Scores weighted 0-5

Specific Products Evaluated:
GTE Internetworking: VPN Advantage
Uunet: UUsecure VPN Direct Edition
Infonet: Private Internet
Quest Communications: Quest VPN
AT&T: Virtual Private Network Service (VPNS)
PSINET: IntraNet

Enterprise Firewalls

Problems For Management
• What are you most concerned about?
  • Penetration protection
  • Performance
  • Logging & reporting
  • Data overload
  • Good records
• Type to use?
  • Hardware (inspection only)
  • Proxy (software processing)
• Central or Distributed Management?

Enterprise Firewalls

Potential Contradictory Goals
• Penetration protection vs. performance
• Logging & reporting vs. data overload
• Good records vs. archival costs

Central or Distributed Management
• Central management creates the security policy & pushes it out (security policy defined once & easier to monitor), or each firewall is configured separately in one GUI (good for small sites but more overhead)
• Distributed management takes more people

Enterprise Firewall

[Diagram labels: Internet; Central Manager]

Firewall Evaluation: Computer Networks Report

| Services | Wt. | VPN-1 | SecPIX | Raptor | NetScreen | Sidewinder |
|---|---|---|---|---|---|---|
| Management | 30% | 4 | 5 | 4 | 3 | 2 |
| Reporting | 30% | 5 | 4 | 2 | 2 | 2 |
| Security Features | 20% | 5 | 3 | 5 | 3 | 3 |
| Firewall Perform | 10% | 5 | 5 | 3 | 5 | 3 |
| VPN Perform | 10% | 3 | 2 | 2 | 5 | 2 |
| Total Score | | 4.5 | 4.0 | 3.3 | 3.1 | 2.3 |
| | | A- | B+ | C+ | C+ | D |

Note: Scores weighted 0-5

Companies:
VPN-1 Gateway & VPN-1 Accelerator Card: Check Point
Secure PIX: Cisco
Raptor: Axent
NetScreen 100 1.66: NetScreen Technologies
Sidewinder: Secure Computing

Current Offerings

VPN/Firewall Appliances – SMB/SOHO

| | Cisco PIX 515E | NetScreen NetScreen-100 | Nokia/CP IP380 | Nortel Contivity 1100 | Secure Comp Sidewinder 25 | Symantec SGS 5300 |
|---|---|---|---|---|---|---|
| Number of Tunnels | 2,000 | 1,000 | Unlimited | 5 (upgradeable to 30) | 400 | 2,500 |
| Max throughput 3DES | 63 Mbits/sec | 170 Mbits/sec | 90 Mbits/sec | 15 Mbits/sec | 40 Mbits/sec | 14 Mbits/sec |
| AES Support | No | Yes | Yes | Yes | No | Yes |
| Remote User Authentication | RADIUS, XAUTH, digital certificates | RADIUS, SecurID, LDAP, XAUTH | Pre-shared secrets, digital certificates, SecurID, RADIUS | RADIUS, LDAP, SecurID, digital certificates, smartcards | RADIUS, XAUTH, SecurID, Safe-Word, NT Domain | RADIUS, SecurID, User Level Authentication |
| Management Platform | VPN Security Management Solution | NetScreen-Global PRO | Nokia Horizon Manager, Check Point Smart Center | Contivity Configuration Manager | Not for VPN functions | Raptor Management Console |
| Price | $3,495 | $9,995 | $9,995 | $1,499 | $6,900 | $51,990 (includes anti-virus, content mgmt and intrusion detection functions) |

Current Offerings

VPN/FIREWALL Appliance/Routers – Enterprise

| | Cisco 7200 | NetScreen 5400 | Nokia/CP IP740 | Nortel Contivity 4600 | Secure Comp Sidewinder 2000 | Symantec VelociRaptor 1300 |
|---|---|---|---|---|---|---|
| Number of Tunnels | 5,000 | 25,000 | Unlimited | 5,000 | 400 | 2,500 |
| Max throughput 3DES | 145 Mbits/sec | 6 Gbits/sec | 139 Mbits/sec | 140 Mbits/sec | 40 Mbits/sec | 14 Mbits/sec |
| Routing Protocols | VGP, RIP, OSPF | OSPF | OSPF, BGP, RIP | RIP, OSPF | RIP, OSPF | None |
| High Availability/Failover | Yes | Yes | Yes | Yes | Yes | Optional |
| Dedicated Cryptographic processing | Optional | Included (ASIC) | Included | Optional | Optional | None |
| Management System | Cisco Secure Policy Manager, VPN Device Manager | Global-PRO | Nokia Horizon Manager, Check Point Smart-Center | Configuration Manager | Not for VPN | Raptor Management Console |
| Price | $15,500-$23,500 | $69,000-$209,000 | $50,995 | $50,000 | $35,400 | $14,995 |