Spiceworks IT Boot Camp - Pt. 1
This presentation about IT Networking Basics was given by Spiceworks IT guy Kris as part of an IT Boot Camp series.
IT Boot Camp: Pt1 - Networking
IT Bootcamp Part 1: Designing an SMB Network

Network Design Principles
Layering and Hierarchical Design Patterns
VLANs
IP Addressing
Wireless
Network Access Control
NAC methods
Physical Security
Switch security

Part 1: Setting Up Your Network - Network Design
Hierarchical design
Design your network in layers
Modular in nature
Design elements can be replicated
Transition points can be identified easily
Simple to understand
Provides for network growth
Fault tolerance

Three layers: Core, Distribution, Access
* Image Credit: http://www.ciscopress.com/content/images/sam_bruno_ccda/elementLinks/da270401.gif

Core layer
High-speed backbone of the network
High reliability
Redundancy
Limited diameter (when using routers at the core layer)

Distribution layer
Demarcation between core and access layers
Policy, security, and VLAN routing occur here
Filtering (by source/destination and input/output)
Static routing
QoS

Access layer
Provides user access to network segments
Wireless Access Points

The layers do not necessarily need to be implemented as distinct physical devices. Each layer can be implemented in routers and switches, or in single devices (layer 3 switches capable of routing switched packets).

Less fault-tolerant, and does not take advantage of all of the features of a fully hierarchical network design
Less expensive and less complex
Appropriate for very small networks

Part 1: Setting Up Your Network - Network Design - VLANs
VLANs allow network nodes to be assigned to a particular network segment even when they are not located on the same switch
Implemented in order to segment networks logically rather than physically (using routers)
Allows for reassignment via software rather than by physically moving a device

Types of VLANs
Static
  AKA port-based VLANs
  Individual ports mapped to a VLAN
  Must be manually maintained
Dynamic
  Switch ports assigned to VLANs dynamically
  Assignments based on characteristics such as MAC address or username
  Achieved via software such as VQP and VMPS

When designing a hierarchical network, design from the inside out
When starting with the access layer, you can more accurately gauge capacity needs
Optimization at the distribution and core layers becomes easier when access needs are known

Design in layers
KISS – but try to take advantage of as many features of a hierarchical design as feasible

Now that you have your network designed, time to move on to IP addressing...

IP addressing
Determine your scheme early, as this is difficult to change later on
Design should be scalable so as to meet current and future needs
Typical SMB LANs will use either the 172.16.0.0/12 or the 192.168.0.0/16 private subnets. Obviously, the 10.0.0.0/8 subnet is available, but not too many SMB networks will require such a large address space; remember KISS.

Learn to subnet! Many resources are available, including web-based subnet calculators, but the benefits of being able to quickly calculate subnet values are many:
http://www.subnet-calculator.com/
http://www.subnetmask.info/
http://www.learntosubnet.com/

DHCP and static assignments
Know where you will be placing your DHCP server(s) – this goes back to your layered network design
Based on this, determine DHCP relay needs (switch/router capabilities, agents, etc.)
Keep a manifest of statically assigned addresses; it will help keep things organized
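As an added example that is not part of the presentation: a small Python script, built on the standard ipaddress module, that does the subnet arithmetic the slides recommend learning (network, broadcast, usable hosts, whether the block lies in one of the private ranges named above) and then checks a static-address manifest against the LAN subnet and the DHCP pool. The subnet, pool and host names are constructed assumptions.

```python
import ipaddress

# Constructed sample plan (not from the presentation): one /24 carved out of
# the 192.168.0.0/16 private space, a DHCP pool, and a static-address manifest.
LAN = ipaddress.ip_network("192.168.10.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.10.100"),
             ipaddress.ip_address("192.168.10.199"))
STATIC_MANIFEST = {
    "core-sw1":   "192.168.10.2",
    "dhcp-srv":   "192.168.10.10",
    "printer-2f": "192.168.10.150",  # lands inside the DHCP pool
    "old-nas":    "192.168.11.20",   # outside the LAN subnet
    "ap-lobby":   "192.168.10.10",   # duplicate of dhcp-srv
}
PRIVATE_RANGES = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def subnet_summary(cidr):
    """The values a subnet calculator prints, computed from a CIDR string."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
        "private": any(net.subnet_of(p) for p in PRIVATE_RANGES),
    }

def audit_manifest(net, pool, manifest):
    """Flag static entries outside the subnet, inside the DHCP pool, or duplicated."""
    problems, seen = [], {}
    for name, addr in manifest.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append((name, "outside " + str(net)))
        elif pool[0] <= ip <= pool[1]:
            problems.append((name, "inside DHCP pool"))
        if ip in seen:
            problems.append((name, "duplicate of " + seen[ip]))
        seen.setdefault(ip, name)
    return problems

if __name__ == "__main__":
    print(subnet_summary(str(LAN)))
    for name, why in audit_manifest(LAN, DHCP_POOL, STATIC_MANIFEST):
        print(f"{name}: {why}")
```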

Now, onto wireless...

Part 1: Setting Up Your Network - Wireless
Wireless LAN
How to fit wireless into your design so as to provide a high level of secure service
Multiple approaches available
Must always be aware of security issues

The Spiceworks Community suggests multiple methods of securing wireless:
Simple design with a single wireless AP, connected directly to the LAN, with WPA2 for security
Simple design with a single wireless AP, connected directly to the LAN, with EAP/RADIUS for authentication
More complex design using VLANs: wireless AP connected to an isolated VLAN, WPA2 for access to wireless, VPN for access to the LAN

Other security methods
MAC filtering
Dynamic VLANs hosted by the AP
WEP (don't use)
Proprietary systems

Part 1: Setting Up Your Network - Access Control
Network Access Control

Network Admissions/Access Control
Policy enforcement
Role management
End-point compliance
User Access Management: enforce policy based on authenticated user ID
Attack vector mitigation: by enforcing end-point compliance, networks can be protected from systems that may be harboring malicious software or be in a vulnerable state

Pre-admission control
  Clients are inspected prior to being granted access to the network
  Criteria such as up-to-date AV, service packs, etc.
Post-admission control
  Enforcement based on user actions

NAC can be managed by devices devoted specifically to either out-of-band or in-band management
In-band systems act like firewalls, enforcing policy prior to accessing the switch
Out-of-band systems control switches directly and enforce policy based upon information received from clients – often via the use of remote agents

Physical Security
Secure all cable plants, IDF closets, and server rooms
Disable unused ports, or place them into a specific VLAN designed for unused ports (no layer 3 access)
Secure wireless access points so they cannot be tampered with or have their network access cables disconnected

Switch security
Disable any and all unused protocols (SSH, telnet, HTTP(S), etc.)
When using VLANs, ensure that trunking is disabled for all ports that do not require it, and ensure that all VLAN IDs used for trunks are distinct from any port numbers
Use MAC address filtering where appropriate
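As an added example, not from the presentation: a Python audit that reads a constructed switch configuration in Cisco IOS-like syntax and flags the conditions the physical-security and switch-security slides warn about (HTTP management left enabled, trunking possible on a non-uplink port, an unused port that is neither shut down nor parked in the unused-port VLAN, and a non-uplink port with no MAC-based port security). The interface names, descriptions, the 999 parking VLAN and the "uplink"/"unused" description convention are assumptions.

```python
# Constructed sample running-config in Cisco IOS-like syntax (not from the
# presentation); interface names, descriptions and VLAN numbers are assumptions.
SAMPLE_CONFIG = """\
ip http server
interface GigabitEthernet0/1
 description uplink-to-distribution
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
interface GigabitEthernet0/3
 description unused
 switchport mode dynamic desirable
interface GigabitEthernet0/4
 switchport access vlan 999
 shutdown
"""
UNUSED_VLAN = 999  # parking VLAN with no layer-3 gateway (assumed)
TRUNK_MODES = ("switchport mode trunk", "switchport mode dynamic desirable",
               "switchport mode dynamic auto")

def parse_config(text):
    """Split the config into global lines and per-interface command lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current, interfaces[raw] = raw, []
        elif raw.startswith(" ") and current:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw)
    return global_lines, interfaces

def audit_config(text):
    """Report the settings the slides say to avoid; returns (where, why) pairs."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", "HTTP management enabled")] if "ip http server" in global_lines else []
    for name, lines in interfaces.items():
        desc = next((l for l in lines if l.startswith("description ")), "")
        uplink = "uplink" in desc
        # A port is "parked" if it is shut down or sits in the unused-port VLAN
        parked = "shutdown" in lines or f"switchport access vlan {UNUSED_VLAN}" in lines
        if not uplink and any(l in TRUNK_MODES for l in lines):
            findings.append((name, "trunking possible on non-uplink port"))
        if "unused" in desc and not parked:
            findings.append((name, "unused port neither shut down nor parked"))
        if not uplink and not parked and "switchport port-security" not in lines:
            findings.append((name, "no MAC-based port security"))
    return findings
```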