Agenda
1. QUIZ
2. HOMEWORK LAST CLASS
3. HOMEWORK NEXT CLASS
4. DATA LINK CONTROL
5. FIREWALLS
6. PRACTICE EXAM
Homework: Study for the exam
Chapter 10 Data Link Control
Figure 10-1 Data Link Layer
Figure 10-2 Data Link Layer Function
Figure 10-3 Line Discipline Categories
Figure 10-4 Line Discipline Concept: ENQ/ACK
Figure 10-5 ENQ/ACK Line Discipline
Figure 10-6 Poll/Select Line Discipline
Figure 10-7 Select
Figure 10-8 Poll
Figure 10-9 Categories of Flow Control
Figure Stop-and-Wait
Figure Sliding Window
Figure Sender Sliding Window
Figure Receiver Sliding Window
Figure Example of Sliding Window
Figure Categories of Error Control
Figure Stop-and-wait ARQ, Damaged Frame
Figure Stop-and-wait ARQ, Lost Frame
Figure Stop-and-wait ARQ, Lost ACK
Figure Go-Back-n, Damaged Frame
Figure Go-Back-n, Lost Frame
Figure Go-Back-n, Lost ACK
Figure Selective-Reject, Damaged Frame
WAN-Virtual Circuits VPN
WAN-Virtual Circuits: Problems for Management
VPN implementations, services and overall utility vary widely. No single complete solution can meet all needs; depending on your environment, some implementations hold distinct advantages over others.
WAN-Virtual Circuits: Virtual Private Networking Version
1. What is a VPN?
2. What is a tunnel?
3. What is the relationship between VPNs and multi-system management?
4. What is the significance of Service Level Agreements (SLAs)?
WAN-Virtual Circuits: Virtual Private Networking Enhancers
1. IP Sec: A protocol that authenticates, encapsulates (tunnels) and encrypts traffic across IP networks. It supports key management, the Internet Key Exchange protocol and various encryption algorithms (e.g., DES and Triple DES).
2. Multiprotocol Label Switching (MPLS): Defines a process in which a label is attached to an IP header to increase routing efficiency and enable routers to forward packets according to specified QoS levels. Uses a tunneling technique.
MPLS vs. Circuit Switching
MPLS:
- Minimizes changes to hardware by separating routing and switching functions
- Will establish per-hop behavior for delay-sensitive traffic
- Permits bandwidth reservation and flow control over a wide range of paths
- Will permit bandwidth and other constraints to be considered in route computation
- Provides ranking of individual flows so that during a failure important flows go first
Circuit Switching:
- Hardware designs do not need to change
- Minimizes delay variations
- Enables accurate bandwidth reservations
- Can automatically compute routes over known/specified bandwidths
- Can provide hard guarantees of service and routing
VPN Example: Cisco Secure Client (network diagram)
Diagram components: Campus with X.509 certificate authority, VPN administrator, Cisco Secure Access Control Server (AAA) and Cisco 7100 Series VPN Router; Internet VPN and/or IP-VPN; extranet user with Internet access; extranet user with Cisco Secure VPN Client; mobile dial remote access user with Cisco Secure VPN Client; mobile home user with Cisco Secure VPN Client.
VPN Example: Cisco Secure Client, Advertised Features
- Full compliance with IP Sec and related standards
- DES, 3DES, MD-5 and SHA-1 algorithms
- Internet Key Exchange using ISAKMP/Oakley
- Interoperates with virtually all PC Windows communications devices: LAN adapters, modems, PCMCIA cards, etc.
- GUI for configuring security policy and managing certificates
- Easy to install and transparent to use, with easy configuration for deployment to end users
- Security policy can be exported and protected as read-only by the VPN administrator
VPN Example: Cisco Secure Client, Advertised Applications
- Travelling "Road Warrior" communications (client to gateway)
- Creation of a virtual "secure enclave" on an unprotected network
Standards supported:
- X.509 v3 certificates
- FIPS-46 DES encryption
- FIPS SHA-1 hash
- FIPS-186 DSS digital signatures
- CAPI 2.0: Microsoft Crypto API
- PKCS: Public Key Cryptographic Standards
- IP Security Standards
VPN Example: Cisco Secure Client, Internet Protocol Security Standards
- RFC 2401 Security Architecture for the Internet Protocol
- RFC 2402 IP Authentication Header
- RFC 2403 Use of HMAC-MD5-96 within ESP and AH
- RFC 2404 Use of HMAC-SHA-1-96 within ESP and AH
- RFC 2405 ESP DES-CBC Cipher Algorithm with Explicit IV
- RFC 2406 IP Encapsulating Security Payload (ESP)
- RFC 2407 IP Security Domain of Interpretation for ISAKMP
- RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
- RFC 2409 Internet Key Exchange (IKE)
- RFC 2410 NULL Encryption Algorithm and its Use with IP Sec
VPN Evaluation: Computer Networks Report
Criteria and weights: Geographic Coverage 25%, SLAs 25%, Pricing 20%, Security 20%, QoS Support 10%
Note: Scores weighted 0-5

Service       Total Score
GTE           B
Uunet         B
Infonet       C+
Quest         D
AT&T          D
PSINet        D

Specific products evaluated:
- GTE Internetworking: VPN Advantage
- Uunet: UUsecure VPN Direct Edition
- Infonet: Private Internet
- Quest Communications: Quest VPN
- AT&T: Virtual Private Network Service (VPNS)
- PSINet: IntraNet
Enterprise Firewalls: Problems for Management
What are you most concerned about?
- Penetration protection
- Performance
- Logging and reporting
- Data overload
- Good records
Which type to use?
- Hardware (inspection only)
- Proxy (software processing)
Central or distributed management?
Enterprise Firewalls: Potentially Contradictory Goals
- Penetration protection vs. performance
- Logging and reporting vs. data overload
- Good records vs. archival costs
- Central vs. distributed management: central management creates the security policy and pushes it out (the policy is defined once and is easier to monitor), or each firewall is configured separately in one GUI (good for small sites but more overhead). Distributed management takes more people.
Enterprise Firewall (diagram): Internet, enterprise firewalls, Central Manager
Firewall Evaluation: Computer Networks Report
Criteria and weights: Management 30%, Reporting 30%, Security Features 20%, Firewall Performance 10%, VPN Performance 10%
Note: Scores weighted 0-5

Product       Total Score
VPN-1         A-
Secure PIX    B+
Raptor        C+
NetScreen     C+
Sidewinder    D

Companies:
- VPN-1 Gateway and VPN-1 Accelerator Card: Check Point
- Secure PIX: Cisco
- Raptor: Axent
- NetScreen: NetScreen Technologies
- Sidewinder: Secure Computing
Current Offerings