Agenda
1. QUIZ
2. HOMEWORK LAST CLASS
3. HOMEWORK NEXT CLASS
4. DATA LINK CONTROL
5. FIREWALLS
6. PRACTICE EXAM
Homework
Study For Exam
Chapter 10
Data Link Control
1. An Advice To The Lovelorn database operates on a 10 Mbps line (the lovelorn need a lot of advice). The average input has 1000 bytes of questions. The average output has 1 million bytes of answers. Database processing time averages 9 seconds. What is the total response time if you assume 8 bits per byte? If the line is a SONET MAN, what determines whether there is a congestion problem?
Figure 10-1
Data Link Layer
Figure 10-2
Data Link Layer Function
Figure 10-3
Line Discipline Categories
Figure 10-4
Line Discipline Concept: ENQ/ACK
Figure 10-5
ENQ/ACK Line Discipline
Figure 10-6
Poll/Select Line Discipline
Figure 10-7
Select
Figure 10-8
Poll
Figure 10-9
Categories of Flow Control
Figure 10-10
Stop-and-Wait
Figure 10-11
Sliding Window
Figure 10-12
Sender Sliding Window
Figure 10-13
Receiver Sliding Window
Figure 10-14
Example of Sliding Window
Figure 10-15
Categories of Error Control
Figure 10-16
Stop-and-wait ARQ, Damaged Frame
Figure 10-17
Stop-and-wait ARQ, Lost Frame
Figure 10-18
Stop-and-wait ARQ, Lost ACK
Figure 10-19
Go-Back-n, Damaged Frame
Figure 10-20
Go-Back-n, Lost Frame
Figure 10-21
Go-Back-n, Lost ACK
Figure 10-22
Selective-Reject, Damaged Frame
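Figures 10-10 through 10-22 show sliding-window flow control and the three ARQ failure cases: a damaged frame, a lost frame and a lost ACK. The simulator below is an added example, not code from the lecture or its textbook. It implements Go-Back-N ARQ and replays each failure case deterministically so the retransmission cost of each can be counted. It assumes 3-bit sequence numbers (SEQ_MOD), a receiver that repeats its last cumulative ACK whenever it discards a frame, NAKs that always reach the sender, and constructed sample frames A through H; faults are injected by transmission number so that every run is repeatable.

```python
"""Go-Back-N ARQ simulator: sliding-window flow control plus error control.

Added example, not taken from the lecture or its textbook. Assumptions: a
3-bit sequence field (SEQ_MOD = 8) as in the chapter figures, a receiver that
re-ACKs the frame it expects whenever it discards a frame, NAKs that are never
lost, and faults injected by transmission number so that runs are repeatable.
"""

SEQ_MOD = 8  # assumption: 3-bit sequence numbers


def go_back_n(data, window=4, lost_frames=(), damaged_frames=(), lost_acks=()):
    """Deliver the frames in `data` over a faulty link using Go-Back-N ARQ.

    `lost_frames` and `damaged_frames` hold 1-based transmission numbers of
    frames to drop or corrupt; `lost_acks` holds 1-based numbers of receiver
    responses (ACKs) to drop.  Returns (delivered, transmissions, log).
    """
    if window >= SEQ_MOD:
        raise ValueError("Go-Back-N needs window < sequence space, else ACKs are ambiguous")
    base = 0          # sender: oldest unacknowledged frame
    expected = 0      # receiver: next in-order frame it will accept
    delivered = []
    tx = rx = 0       # frames and responses put on the wire
    log = []

    def receiver_ack():
        """Receiver sends a cumulative ACK naming the next frame it expects."""
        nonlocal rx
        rx += 1
        if rx in lost_acks:
            log.append(f"  ACK {expected % SEQ_MOD} lost")
            return None
        log.append(f"  ACK {expected % SEQ_MOD} delivered")
        return expected

    while base < len(data):
        next_seq = base
        highest_ack = base
        nak_seen = False
        # Flow control: at most `window` frames may be outstanding.
        while next_seq < base + window and next_seq < len(data):
            tx += 1
            seq = next_seq % SEQ_MOD
            ack = None
            if tx in lost_frames:
                log.append(f"frame {seq} lost in transit")
            elif tx in damaged_frames:
                log.append(f"frame {seq} arrives damaged -> NAK {seq}")
                nak_seen = True
            elif next_seq == expected:
                delivered.append(data[next_seq])
                expected += 1
                log.append(f"frame {seq} accepted")
                ack = receiver_ack()
            else:
                log.append(f"frame {seq} out of order, discarded")
                ack = receiver_ack()   # repeat the last cumulative ACK
            if ack is not None:
                highest_ack = max(highest_ack, ack)  # cumulative: covers earlier frames too
            next_seq += 1
        base = highest_ack
        if nak_seen or base < next_seq:
            # Error control: a NAK or a timeout resends everything from `base` on.
            log.append(f"go back to frame {base % SEQ_MOD}")
    return delivered, tx, log


if __name__ == "__main__":
    frames = list("ABCDEFGH")   # constructed sample data
    cases = [("lost frame", {"lost_frames": {3}}),
             ("lost ACK", {"lost_acks": {1}}),
             ("damaged frame", {"damaged_frames": {2}})]
    for name, faults in cases:
        got, n, log = go_back_n(frames, **faults)
        print(f"--- {name}: {n} transmissions, delivered {''.join(got)}")
        print("\n".join(log))
```

Running the three cases shows why the figures are drawn the way they are: a lost ACK costs nothing extra because the next cumulative ACK covers it (Figure 10-21), while a lost or damaged frame forces every later frame already in the window to be resent, which is the waste Selective-Reject (Figure 10-22) is designed to avoid.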
WAN-Virtual Circuits
VPN
WAN-Virtual Circuits
Problems For Management
• VPN implementation, services & overall utility vary widely -- the single complete solution that can meet all your needs does not exist
• (Depending on your environment) some implementations hold distinct advantages over others
WAN-Virtual Circuits
Virtual Private Networking Version 2.0
1. What is a VPN?
2. What is a tunnel?
3. What is the relationship between VPNs and multi-system management?
4. What is the significance of Service Level Agreements (SLAs)?
WAN-Virtual Circuits
Virtual Private Networking Enhancers
1. IPSec:
• A protocol that authenticates, encapsulates (tunnels) and encrypts traffic across IP networks.
• It supports key management, the Internet Key Exchange protocol & various encryptions (e.g., DES & Triple DES)
2. Multiprotocol Label Switching (MPLS):
• Defines a process in which a label is attached to an IP header to increase routing efficiency and enable routers to forward packets according to specified QoS levels.
• Uses a tunneling technique.
MPLS vs. Circuit Switching
MPLS
• Minimizes changes to hardware for routing and switching functions
• Will establish per-hop behavior for delay-sensitive traffic
• Permits bandwidth reservation and flow control over a wide range of paths
• Will permit bandwidth & other constraints to be considered in path computations
• Provides ranking to individual flows so that during a failure important flows go first
Circuit Switching
• Hardware designs do not need to change
• Minimizes delay variations
• Enables accurate bandwidth reservations
• Can automatically compute routes over known/specified bandwidths
• Can provide hard guarantees of service and routing
VPN Example: Cisco Secure Client
[Diagram: a campus network with X.509 certificate authentication, a VPN administrator, a Cisco Secure Access Control Server (AAA) and a Cisco 7100 Series VPN Router, connected over the Internet VPN and/or IP-VPN to an extranet user with Internet access, an extranet user with Cisco Secure VPN Client, a mobile dial remote access user with Cisco Secure VPN Client, and a mobile home user with Cisco Secure VPN Client.]
VPN Example: Cisco Secure Client
Advertised Features
• Full compliance with IPSec and related standards
• DES, 3DES, MD-5 & SHA-1 algorithms
• Internet Key Exchange using ISAKMP/Oakley
• Interoperates with virtually all PC Windows communications devices: LAN adapters, modems, PCMCIA cards, etc.
• GUI for configuring security policy and managing certificates
• Easy to install and transparent to use, with easy configuration for deployment to end users
• Security policy can be exported and protected as read-only by the VPN administrator
VPN Example: Cisco Secure Client
Advertised Applications
• Travelling “Road Warrior” communications (client to gateway)
• Creation of a virtual “secure enclave” on an unprotected network
• X.509 v3 certificates
• FIPS-46 DES encryption
• FIPS-180-1 SHA-1 hash
• FIPS-186 DSS digital signatures
• CAPI 2.0: Microsoft Crypto API
• PKCS: Public Key Cryptography Standards
• IP Security Standards
VPN Example: Cisco Secure Client
Internet Protocol Security Standards
• RFC 2401 Security Architecture for the Internet Protocol
• RFC 2402 IP Authentication Header
• RFC 2403 Use of HMAC-MD5-96 within ESP & AH
• RFC 2404 Use of HMAC-SHA-1-96 within ESP & AH
• RFC 2405 ESP DES-CBC Cipher Algorithm with Explicit IV
• RFC 2406 IP Encapsulating Security Payload (ESP)
• RFC 2407 IP Security Domain of Interpretation for ISAKMP
• RFC 2408 Internet Security Association & Key Management Protocol (ISAKMP)
• RFC 2409 Internet Key Exchange (IKE)
• RFC 2410 NULL Encryption Algorithm & its use with IPSec
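The IPSec slide describes a protocol that authenticates and encapsulates traffic, and the RFC list names HMAC-SHA-1-96 (RFC 2404) and ESP (RFC 2406). The code below is an added example, not Cisco's and not from the lecture; it shows what the authentication half of that looks like in practice: an ESP-like packet, in an assumed simplified layout of SPI, sequence number, payload and a 96-bit ICV with no padding or next-header trailer, protected with HMAC-SHA-1-96, and an inbound Security Association that rejects tampered packets and replays. The strict increasing-sequence check is a simplification standing in for the 64-packet anti-replay window RFC 2406 specifies; the key, SPI and payloads are constructed for the example.

```python
"""HMAC-SHA-1-96 integrity check and anti-replay check over an ESP-like packet.

Added example, not Cisco's or the lecture's code.  Assumptions: a simplified
ESP layout SPI(4) | sequence number(4) | payload | ICV(12) with no padding or
next-header trailer, one shared authentication key, and an inbound SA that
accepts only strictly increasing sequence numbers (RFC 2406 specifies a
64-packet sliding window; the strict check is a simplification).
"""
import hashlib
import hmac
import struct

ICV_LEN = 12                 # RFC 2404: 160-bit HMAC-SHA-1 output truncated to the leftmost 96 bits
HDR = struct.Struct("!II")   # SPI and sequence number, network byte order


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-1-96 as used by ESP and AH: full HMAC, keep the first 12 bytes."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: the ICV covers everything before it (SPI, seq, payload)."""
    body = HDR.pack(spi, seq) + payload
    return body + hmac_sha1_96(key, body)


class InboundSA:
    """Receiver state for one Security Association, selected by SPI."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.last_seq = 0   # highest sequence number accepted so far

    def receive(self, packet: bytes):
        """Return (payload, 'ok') or (None, reason).

        Replay state is updated only after the ICV verifies, so a forged
        packet cannot move the window forward and shut out legitimate traffic.
        """
        if len(packet) < HDR.size + ICV_LEN:
            return None, "too short"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = HDR.unpack_from(body)
        if spi != self.spi:
            return None, "unknown SPI"
        if seq <= self.last_seq:
            return None, "replay"            # cheap check first, as RFC 2406 orders it
        if not hmac.compare_digest(icv, hmac_sha1_96(self.key, body)):
            return None, "ICV mismatch"      # constant-time compare of the 96-bit tag
        self.last_seq = seq
        return body[HDR.size:], "ok"


def demo():
    """Constructed traffic: a good packet, a replay of it, a tampered one, a good one."""
    key = bytes(range(20))                   # constructed 160-bit authentication key
    sa = InboundSA(key, spi=0x1000)          # constructed SPI
    p1 = build_packet(key, 0x1000, 1, b"GET /status")
    p2 = build_packet(key, 0x1000, 2, b"GET /admin")
    # Flip the payload case in transit; same length, so only the ICV check can catch it.
    tampered = p2[:HDR.size] + b"GET /ADMIN" + p2[HDR.size + len(b"GET /admin"):]
    p3 = build_packet(key, 0x1000, 3, b"GET /logout")
    return [sa.receive(p)[1] for p in (p1, p1, tampered, p3)]


if __name__ == "__main__":
    print(demo())   # expected: ['ok', 'replay', 'ICV mismatch', 'ok']
```

The truncation to 96 bits is what RFC 2404 mandates for the ESP and AH ICV, and the `hmac_sha1_96` function reproduces the RFC 2202 HMAC-SHA-1 test vector (key of twenty 0x0b bytes, data "Hi There") cut to its first 12 bytes. Note the ordering inside `receive`: sequence-number screening before the HMAC avoids spending a hash on obvious replays, and the replay state advances only after the HMAC verifies.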
VPN Evaluation: Computer Networks Report
Services          Wt.   GTEI   Uunet   Infonet   Quest   AT&T   PSINet
Geogr Coverage    25%   5      3       4         2       2      2.5
SLAs              25%   4      4.5     3         1.5     3      2.5
Pricing           20%   2.5    5       3.5       3.5     1      1
Security          20%   4.5    3.5     2         4       3.5    2
QoS Support       10%   2      2       2         1       1      2
Total Score             3.85   3.76    3.05      2.46    2.25   2.05
Grade                   B      B       C+        D       D      D
Note: Scores weighted 0-5
Specific Products Evaluated:
GTE Internetworking: VPN Advantage
Uunet: UUsecure VPN Direct Edition
Infonet: Private Internet
Quest Communications: Quest VPN
AT&T: Virtual Private Network Service (VPNS)
PSINet: IntraNet
Enterprise Firewalls
Problems For Management
• What are you most concerned about?
  • Penetration protection
  • Performance
  • Logging & reporting
  • Data overload
  • Good records
• Type to use?
  • Hardware (inspection only)
  • Proxy (software processing)
• Central or Distributed Management?
Enterprise Firewalls
Potential Contradictory Goals
• Penetration protection vs. performance
• Logging & reporting vs. data overload
• Good records vs. archival costs
Central or Distributed Management
• Central management creates the security policy & pushes it out (security policy defined once & easier to monitor), or each firewall is configured separately in one GUI (good for small sites but more overhead)
• Distributed management takes more people
Enterprise Firewall
[Diagram: firewalls at several sites connected to the Internet, all administered from one Central Manager.]
Firewall Evaluation: Computer Networks Report
Services            Wt.   VPN-1   SecPIX   Raptor   NetScreen   Sidewinder
Management          30%   4       5        4        3           2
Reporting           30%   5       4        2        2           2
Security Features   20%   5       3        5        3           3
Firewall Perform    10%   5       5        3        5           3
VPN Perform         10%   3       2        2        5           2
Total Score               4.5     4.0      3.3      3.1         2.3
Grade                     A-      B+       C+       C+          D
Note: Scores weighted 0-5
Companies:
VPN-1 Gateway & VPN-1 Accelerator Card: Check Point
Secure PIX: Cisco
Raptor: Axent
NetScreen 100 1.66: NetScreen Technologies
Sidewinder: Secure Computing
Current Offerings: VPN/Firewall Appliances – SMB/SOHO

Cisco PIX 515E
  Number of tunnels: 2,000
  Max throughput (3DES): 63 Mbits/sec
  AES support: No
  Remote user authentication: RADIUS, XAUTH, digital certificates
  Management platform: VPN Security Management Solution
  Price: $3,495

NetScreen NetScreen-100
  Number of tunnels: 1,000
  Max throughput (3DES): 170 Mbits/sec
  AES support: Yes
  Remote user authentication: RADIUS, SecurID, LDAP, XAUTH
  Management platform: NetScreen-Global PRO
  Price: $9,995

Nokia/CP IP380
  Number of tunnels: Unlimited
  Max throughput (3DES): 90 Mbits/sec
  AES support: Yes
  Remote user authentication: Pre-shared secrets, digital certificates, SecurID, RADIUS
  Management platform: Nokia Horizon Manager, Check Point Smart Center
  Price: $9,995

Nortel Contivity 1100
  Number of tunnels: 5 (upgradeable to 30)
  Max throughput (3DES): 15 Mbits/sec
  AES support: Yes
  Remote user authentication: RADIUS, LDAP, SecurID, digital certificates, smartcards
  Management platform: Contivity Configuration Manager
  Price: $1,499

Secure Computing Sidewinder 25
  Number of tunnels: 400
  Max throughput (3DES): 40 Mbits/sec
  AES support: No
  Remote user authentication: RADIUS, XAUTH, SecurID, Safe-Word, NT Domain
  Management platform: Not for VPN functions
  Price: $6,900

Symantec SGS 5300
  Number of tunnels: 2,500
  Max throughput (3DES): 14 Mbits/sec
  AES support: Yes
  Remote user authentication: RADIUS, SecurID, User Level Authentication
  Management platform: Raptor Management Console
  Price: $51,990 (includes anti-virus, content mgmt and intrusion detection functions)
Current Offerings: VPN/Firewall Appliances/Routers – Enterprise

Cisco 7200
  Number of tunnels: 5,000
  Max throughput (3DES): 145 Mbits/sec
  Routing protocols: BGP, RIP, OSPF
  High availability/failover: Yes
  Dedicated cryptographic processing: Optional
  Management system: Cisco Secure Policy Manager, VPN Device Manager
  Price: $15,500-$23,500

NetScreen 5400
  Number of tunnels: 25,000
  Max throughput (3DES): 6 Gbits/sec
  Routing protocols: OSPF
  High availability/failover: Yes
  Dedicated cryptographic processing: Included (ASIC)
  Management system: Global-PRO
  Price: $69,000-$209,000

Nokia/CP IP740
  Number of tunnels: Unlimited
  Max throughput (3DES): 139 Mbits/sec
  Routing protocols: OSPF, BGP, RIP
  High availability/failover: Yes
  Dedicated cryptographic processing: Included
  Management system: Nokia Horizon Manager, Check Point Smart-Center
  Price: $50,995

Nortel Contivity 4600
  Number of tunnels: 5,000
  Max throughput (3DES): 140 Mbits/sec
  Routing protocols: RIP, OSPF
  High availability/failover: Yes
  Dedicated cryptographic processing: Optional
  Management system: Configuration Manager
  Price: $50,000

Secure Computing Sidewinder 2000
  Number of tunnels: 400
  Max throughput (3DES): 40 Mbits/sec
  Routing protocols: RIP, OSPF
  High availability/failover: Yes
  Dedicated cryptographic processing: Optional
  Management system: Not for VPN
  Price: $35,400

Symantec VelociRaptor 1300
  Number of tunnels: 2,500
  Max throughput (3DES): 14 Mbits/sec
  Routing protocols: None
  High availability/failover: Optional
  Dedicated cryptographic processing: None
  Management system: Raptor Management Console
  Price: $14,995