Final Review (Spring 2000)

Chapter 9

Focuses:

Networking services for MAN/WAN

Contrast circuit-switched networks and packet-switched networks

Two methods of routing in packet-switched networks

Datagram vs. virtual circuit

Devices for connecting LANs/computers to the network services:

T-Carrier - channel service unit/data service unit (CSU/DSU)

XDSL, Cable modem - modem

ISDN - network terminator (NT-1/NT-2; each ISDN device also needs a unique service profile identifier, or SPID)

Packet-switched networks - packet assembly/disassembly device (PAD)

Frame relay - frame relay access devices (FRAD)

ATM - edge switch

Switched Multimegabit Data Service (SMDS) - PAD

Questions:

  1. ATM vs. frame relay

Similarities:

1)All data are packet-switched.

2)There is no error control at the intermediate computers (switches) within the network; error checking is left to the end systems.

3)CIR and MAR (which ATM calls available bit rate (ABR)) can be negotiated when circuits are established.

Differences:

1)ATM uses fixed-length packets of 53 bytes (5 bytes of overhead and 48 bytes of user data), while frame relay's packet size is variable.

2)ATM provides extensive quality of service information that enables the setting of very precise priorities among different types of transmissions. Quality of service is now being implemented in many frame relay and SMDS services, so this difference may disappear.

3)ATM is scalable; it is easy to multiplex basic ATM circuits into much faster ATM circuits. Most common carriers offer ATM circuits that provide the same data transmission rates as SONET: 51.84 Mbps (OC-1), 155.52 Mbps (OC-3), 622.08 Mbps (OC-12), and so on. New versions called T-1 ATM (1.544 Mbps) and T-3 ATM (45 Mbps) are also available.

  2. SMDS vs. ATM

Similarities:

1)Both are unreliable packet services.

2)SMDS encapsulates incoming packets from the user's network into ATM-like 53-byte cells, although the address is different from an ATM address. The user's data link layer address is mapped to the SMDS address, which is used for transmission through the SMDS network. The SMDS cell header is stripped off at the destination and the user's data link layer packet is reassembled.

3)Like ATM and frame relay, SMDS does not perform error checking; the user is responsible for error checking.

Difference: SMDS provides only a connectionless datagram service, whereas ATM is connection-oriented (virtual circuits).

  3. CIR vs. MAR

The committed information rate (CIR) is the data rate the circuit is guaranteed to carry. If the network accepts the connection, it guarantees to provide that level of service. Most connections also specify a maximum allowable rate (MAR), the maximum rate the frame relay network will attempt to provide over and above the CIR. The circuit will attempt to transmit all packets up to the MAR, but every packet that exceeds the CIR is marked discard eligible (DE). If the network becomes overloaded, DE packets are discarded first. So while users can transmit faster than the CIR, they do so at the risk of lost packets.
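The CIR/MAR/DE behaviour described above, as an added example that is not from the review sheet or the textbook. It models one measurement interval of a frame relay ingress policer plus one switch; the class and function names (Policer, run_circuit, delivered_bits), the rates and the frame sizes are my own constructed choices. Real policers express the same idea as a committed burst Bc = CIR*Tc and an excess burst Be = (MAR-CIR)*Tc per interval Tc, and frames beyond Bc+Be are dropped at the entry point, which the model assumes as well.

```python
"""Frame relay CIR, MAR and the discard-eligible (DE) bit, one measurement interval.

Added example, not from the review sheet. Bits up to CIR*Tc are forwarded as-is,
bits between CIR*Tc and MAR*Tc are forwarded with DE set, bits beyond MAR*Tc are
dropped at ingress, and a congested switch drops DE frames first."""
from dataclasses import dataclass


@dataclass
class Frame:
    seq: int
    bits: int
    de: bool = False   # discard eligible; set by the ingress policer


class Policer:
    """Ingress policer for one circuit. Rates are bits/s, tc is the interval in seconds."""

    def __init__(self, cir, mar, tc=1.0):
        if mar < cir:
            raise ValueError("MAR must be at least CIR")
        self.bc = int(cir * tc)          # committed burst: bits the network guarantees per Tc
        self.be = int((mar - cir) * tc)  # excess burst: bits it will try to carry, marked DE
        self.count = 0                   # bits admitted so far in this interval

    def new_interval(self):
        self.count = 0

    def admit(self, frame):
        """Return 'forward', 'forward_de' or 'drop' for one frame."""
        self.count += frame.bits
        if self.count <= self.bc:
            return "forward"
        if self.count <= self.bc + self.be:
            frame.de = True
            return "forward_de"
        self.count -= frame.bits         # a dropped frame does not use up the budget
        return "drop"


def run_circuit(frame_sizes, cir, mar, congested, tc=1.0):
    """Push frames of the given sizes (bits) through ingress policing and one switch
    that is either idle or congested. Returns [(seq, outcome), ...]."""
    policer = Policer(cir, mar, tc)
    outcomes = []
    for seq, bits in enumerate(frame_sizes, start=1):
        frame = Frame(seq, bits)
        verdict = policer.admit(frame)
        if verdict == "drop":
            outcome = "dropped_ingress"          # above MAR: never enters the network
        elif frame.de and congested:
            outcome = "dropped_congestion"       # DE frames are the first to go
        elif frame.de:
            outcome = "delivered_de"             # above CIR, but the network had room
        else:
            outcome = "delivered"                # within CIR: guaranteed
        outcomes.append((seq, outcome))
    return outcomes


def delivered_bits(frame_sizes, outcomes):
    """Useful throughput actually achieved, to compare with CIR*Tc and MAR*Tc."""
    return sum(bits for bits, (_, o) in zip(frame_sizes, outcomes) if o.startswith("delivered"))


if __name__ == "__main__":
    sizes = [32_000] * 6   # constructed: six 32 kbit frames offered in one second
    for congested in (False, True):
        result = run_circuit(sizes, cir=64_000, mar=128_000, congested=congested)
        print("congested" if congested else "idle", result, delivered_bits(sizes, result))
```

With CIR 64 kbps and MAR 128 kbps, the first two 32 kbit frames are guaranteed, frames three and four ride through only while the network is idle, and frames five and six never get in. The practical point for an operator is that anything above the CIR is best-effort: a circuit sized to the MAR will look fine in testing and lose data the moment the carrier's backbone is busy.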

Chapter 11

Focus:

Network management tasks

Network management software

How SNMP works, with or without RMON

CMIP

Questions:

  1. What are network management tasks?

There are mainly six tasks in network management:

  • Configuration Management
  • Performance Management
  • Fault Management
  • End-user Management
  • Cost Management
  • Security Management

  2. What is the Simple Network Management Protocol (SNMP)?

SNMP originally was developed to control and monitor the status of network devices on TCP/IP networks, but now it is available for other network protocols (e.g., IPX/SPX). Each SNMP device (e.g., router, gateway, server) has an agent that collects information about itself and the messages it processes, and stores that information in a database called the management information base (MIB). The network manager’s management station that runs the network management software has access to these MIBs. Using this software, the network manager can send control messages to individual devices or groups of devices asking them to report the information stored in their MIB. As the name suggests, SNMP is a simple protocol with a limited number of functions.
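How an SNMPv1 exchange looks on the wire, as an added example that is not from the review sheet: a BER encoder for the GetRequest a management station sends to an agent, and a decoder for the GetResponse (or any SNMPv1 message) that comes back. The function names are mine; the OIDs, community strings and values in the usage are constructed samples. One security point the review sheet does not make: the community string that SNMPv1 (and v2c) uses as its only credential is carried in cleartext in every message, and the decoder pulls it straight out of the packet.

```python
"""SNMPv1 GetRequest encoder and message decoder (BER/ASN.1).
Added example; not from the review sheet. OIDs, community strings and values
used with it are constructed samples."""

# ASN.1/BER tags used by SNMPv1
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def _length(n):
    """BER length: one byte below 128, else 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def _int(raw):
    return int.from_bytes(raw, "big", signed=True)


def encode_integer(value):
    """INTEGER: two's complement in the fewest bytes that hold the value."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return _tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # higher groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(OID, bytes(out))


def _encode_value(value):
    if value is None:
        return _tlv(NULL, b"")           # requests carry NULL as the placeholder value
    if isinstance(value, int):
        return encode_integer(value)
    return _tlv(OCTET_STRING, value.encode() if isinstance(value, str) else value)


def encode_message(pdu_tag, community, request_id, varbinds, error_status=0, error_index=0):
    """SNMPv1 message = SEQUENCE { version 0, community OCTET STRING, PDU }.
    varbinds is a list of (dotted oid, value); value None means NULL."""
    vbl = b"".join(_tlv(SEQUENCE, encode_oid(oid) + _encode_value(v)) for oid, v in varbinds)
    pdu = _tlv(pdu_tag, encode_integer(request_id) + encode_integer(error_status)
               + encode_integer(error_index) + _tlv(SEQUENCE, vbl))
    return _tlv(SEQUENCE, encode_integer(0) + _tlv(OCTET_STRING, community.encode()) + pdu)


def encode_get_request(community, oid, request_id):
    """What the management station sends to an agent to read one MIB object."""
    return encode_message(GET_REQUEST, community, request_id, [(oid, None)])


def _read_tlv(buf, pos):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_message(packet):
    """Parse an SNMPv1 request or response into a dict. The community string,
    the only credential in SNMPv1/v2c, is readable by anyone on the wire."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, name, q = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, q)
        if vtag == INTEGER:
            value = _int(val)
        elif vtag == OCTET_STRING:
            value = val.decode(errors="replace")
        else:
            value = decode_oid(val) if vtag == OID else None
        varbinds.append((decode_oid(name), value))
    return {"version": _int(version), "community": community.decode(errors="replace"),
            "pdu_type": pdu_tag, "request_id": _int(rid), "error_status": _int(err),
            "error_index": _int(idx), "varbinds": varbinds}
```

encode_get_request("public", "1.3.6.1.2.1.1.1.0", 1) produces the 40-byte GetRequest for sysDescr.0; running decode_message over it, or over any captured UDP/161 payload, returns the community string in the clear, which is why a sniffer on the management VLAN is as good as a password to every agent that shares that string.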

  3. What is RMON?

1)An important addition to SNMP is the ability to do distributed or remote monitoring (RMON).

2)Most first-generation SNMP tools reported all network monitoring information to one central network management database. Each device would transmit updates to its MIB to the server every few minutes, greatly increasing network traffic. RMON-capable SNMP software lets MIB information be stored on the device itself or on distributed RMON probes that keep MIB information close to the devices that generate it. The data is not transmitted to the central server until the network manager requests it, which reduces network traffic.

Chapter 12

Focuses:

Controlling security threats: 1) disruption, destruction & disaster; 2) unauthorized access

Approaches to preventing unauthorized access

Firewall techniques and proxy server

Application case: DMZ

Encryption - DES, RSA

Digital signature and CA

Web security: SSL, and S-HTTP

Questions:

  1. List the approaches to preventing unauthorized access.

Six approaches to preventing unauthorized access:

1)Developing a security policy

2)Developing user profiles

3)Plugging known security holes

4)Securing network access points (using firewalls, etc)

5)Preventing eavesdropping

6)Using encryption

  2. What are the differences between the different types of firewalls?

A packet level firewall examines the source and destination address of every network packet that passes through it. It only allows packets into or out of the organization’s networks that have acceptable source and destination addresses. Each packet is examined individually, so the firewall has no knowledge of what the user is attempting to do. It simply chooses to permit entry or exit based on the contents of the packet itself. This type of firewall is the simplest and least secure because it does not monitor the contents of the packets or why they are being transmitted, and typically does not log the packets for later analysis.

An application level firewall acts as an intermediate host computer or gateway between the Internet and the rest of the organization's networks. Anyone wishing to access the organization's networks from the Internet must log in to this firewall and can only access the information authorized by their firewall account profile. This places an additional burden on users, who must now remember an additional set of passwords. With application level firewalls, any access that has not been explicitly authorized is prohibited. In contrast, with a packet level firewall, any access that has not been explicitly disabled is permitted.
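A small simulation of the two firewall types, added here and not part of the review sheet: a stateless packet filter that sees only header fields and runs the classic default-permit policy, beside an application-level gateway that requires a login and denies anything not in the account profile. The rule set, the addresses (RFC 5737 documentation ranges), the accounts and the function names are all constructed for the example.

```python
"""Packet-level filter (default permit) beside an application-level gateway (default deny).
Added example; not from the review sheet. Rules, addresses and accounts are constructed."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def packet_filter(rules, pkt, default="permit"):
    """First matching rule wins. The filter sees only header fields, so it has no
    idea what the user behind the packet is doing; anything not explicitly
    disabled falls through to the default, which in the classic setup is permit."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set: block one known-bad network and block inbound telnet.
RULES = [
    Rule("deny", src="198.51.100.0/24"),
    Rule("deny", dst="192.0.2.0/24", dport=23),
]

# Application-level gateway: constructed accounts (plain SHA-256 of the password,
# enough for the demo; a real gateway needs a salted, slow password hash) and the
# per-account profile of services the user may reach.
ACCOUNTS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
PROFILES = {"alice": {"mail", "web"}}


def application_gateway(user, password, service, accounts=ACCOUNTS, profiles=PROFILES):
    """The user must log in to the gateway first; then only the services in the
    account profile are reachable. Anything not explicitly authorized is denied."""
    stored = accounts.get(user)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return "deny"
    return "permit" if service in profiles.get(user, set()) else "deny"
```

The instructive case is a port nobody wrote a rule for: VNC on 5900 from an arbitrary Internet host passes the packet filter under the default-permit policy, while the same user gets nothing from the gateway until they authenticate and the service is in their profile. Flipping the filter's default to deny closes that hole but still tells you nothing about what the user is doing inside the permitted connections.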

  3. How authentication works.

Public key encryption permits authentication (digital signatures). When one user sends a message to another, it is difficult to legally prove who actually sent it. Legal proof is important in many communications, such as bank transfers and buy/sell orders in currency and stock trading, which normally require legal signatures, so a digital signature (authentication sequence) is used as a legal signature on many financial transactions. The sender encrypts the signature block (the sender's name and other key contents of the message) with the sender's private key. The receiver decrypts the signature block with the sender's public key and compares the result to the name and other key contents in the rest of the message; only the holder of the matching private key could have produced a block that matches.

  4. What is a certificate authority?

A certificate authority (CA) is a trusted organization that can vouch for the authenticity of a person or organization using authentication (e.g., VeriSign). A person wanting to use a CA registers with the CA and must provide some proof of identity. The CA issues a digital certificate, which is the requestor's public key signed (encrypted) with the CA's private key, as proof of identity. This certificate is then attached to the user's e-mail or Web transactions in addition to the authentication information. The receiver verifies the certificate by decrypting it with the CA's public key, and must also check with the CA (e.g., its published certificate revocation list) to ensure that the user's certificate has not been revoked.
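The signature flow from the previous question and the CA check from this one, as a single added example that is not from the review sheet: textbook RSA with toy primes, a CA that signs a subscriber's public key, and a receiver that first verifies the certificate against the CA's public key, then checks a revocation list, and only then verifies the message signature under the certified key. The function names, key sizes, names, serial numbers and messages are constructed, and a bare SHA-256 digest reduced mod n stands in for proper PKCS#1 padding; the flow is faithful, the security is not.

```python
"""Digital signature, CA-issued certificate and revocation check with textbook RSA.

Added example, not from the review sheet. Toy-sized primes and a bare SHA-256 digest
reduced mod n stand in for real 2048-bit keys with PKCS#1 padding; the flow is the
same, the security is not. Names, serials and messages are constructed."""
import hashlib


def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes; returns (public, private) as (n, exponent) pairs."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))    # pow(e, -1, phi) is the modular inverse (Python 3.8+)


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(message, private_key):
    """Sender: 'encrypt' the message digest with the private key."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(message, signature, public_key):
    """Receiver: 'decrypt' the signature with the public key, compare with the digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def _cert_bytes(serial, subject, public_key):
    return f"{serial}|{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(ca_private, serial, subject, public_key):
    """CA: after checking proof of identity, sign the requestor's public key."""
    return {"serial": serial, "subject": subject, "key": public_key,
            "ca_signature": sign(_cert_bytes(serial, subject, public_key), ca_private)}


def verify_signed_message(message, signature, cert, ca_public, revoked_serials):
    """Receiver: (1) the certificate really was issued by the CA, (2) it has not been
    revoked, (3) the message signature checks out under the certified public key."""
    cert_bytes = _cert_bytes(cert["serial"], cert["subject"], cert["key"])
    if not verify(cert_bytes, cert["ca_signature"], ca_public):
        return False, "certificate not signed by the CA"
    if cert["serial"] in revoked_serials:
        return False, "certificate revoked"
    if not verify(message, signature, cert["key"]):
        return False, "message signature does not match"
    return True, "ok"


# Constructed keys (toy primes): the CA's and Alice's
CA_PUBLIC, CA_PRIVATE = rsa_keypair(7919, 7907)
ALICE_PUBLIC, ALICE_PRIVATE = rsa_keypair(7877, 7901)
ALICE_CERT = issue_certificate(CA_PRIVATE, 1001, "alice@example.com", ALICE_PUBLIC)


def demo():
    """Returns the results for a valid order, a tampered order, and an impostor."""
    order = b"SELL 100 ACME @ 42.00"
    sig = sign(order, ALICE_PRIVATE)
    ok = verify_signed_message(order, sig, ALICE_CERT, CA_PUBLIC, revoked_serials=set())
    tampered = verify_signed_message(b"SELL 100 ACME @ 24.00", sig, ALICE_CERT, CA_PUBLIC, set())
    # Mallory mints her own key and self-signs a certificate claiming to be Alice
    m_public, m_private = rsa_keypair(7883, 7873)
    forged = issue_certificate(m_private, 1001, "alice@example.com", m_public)
    impostor = verify_signed_message(order, sign(order, m_private), forged, CA_PUBLIC, set())
    return ok, tampered, impostor
```

The order of checks matters: the receiver trusts nothing in the certificate, not even the serial number it looks up in the revocation list, until the CA's signature over the whole certificate has been verified. The impostor case shows why a self-signed certificate with the right name is worthless to the receiver, and the revocation test shows that a valid CA signature alone is still not enough.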
