Network and Security Management

Presentation transcript:

Network and Security Management Chapter 4 Panko and Panko Business Data Networks and Security, 10th Edition, Global Edition Copyright © 2015 Pearson Education, Ltd.

Outline: Failure in the Target Breach; Cost Matters; Network Quality of Service (QoS); Network Design; Security Planning Principles; Centralized Management

Failures in the Target Breach
- Security is a Process, not a Product
- Fazio Engineering Services
  - Contractor with weak security
  - Fell for spear phishing attack, giving access to the vendor server
  - Fazio used a free antivirus program not meant for corporations
  - Did not warn for individual messages

Failures in the Target Breach
- Was Able to Move to Sensitive Servers
  - Should not have been able to
- Ignored Explicit Warnings
  - Priority warning from the FireEye IDS service
  - November 30, December 1, December 3
  - Exfiltration began on December 2
  - If Target had stopped the attack then, damage would have been minimal or nonexistent

Kill Chain Analysis
- For a weapon to succeed, a number of steps must go correctly
- This is called the kill chain
- Security attacks also have kill chains
- Companies must look for evidence of kill chain patterns and end the chain before the end
- Target did not

Kill Chain (Figure 3.1)

Cost Matters

4.1 Network Demand and Budgets
- User demand is growing much faster than network budgets.
- Cost efficiency is always critical.

Network Quality of Service (QoS)

4.2 Quality-of-Service (QoS) Metrics
- 1 ms = 0.001 sec

4.3 Rated Speed, Throughput, Aggregate Throughput, and Individual Throughput
- Rated Speed
  - The speed a system should achieve
  - According to vendor claims or to the standard that defines the technology
- Throughput
  - The data transmission speed a system actually provides to users

4.3 Rated Speed, Throughput, Aggregate Throughput, and Individual Throughput
- Aggregate versus Rated Throughput on Shared Lines
  - The aggregate throughput is the total throughput available to all users in part of a network
- Individual Throughput
  - The individual throughput is an individual’s share of the aggregate throughput

Speed Knowledge Check
You are in a Wi-Fi hot spot with 20 other people. The access point router is rated as following the 802.11ac standard with options providing 300 Mbps. Throughput is about 50%. At a certain moment, you and four others are sending and receiving. What individual throughput are you likely to receive?

CNET News: Steve Jobs' demo fail https://www.youtube.com/watch?v=znxQOPFg2mo

4.4 Jitter
- Jitter is variability in latency
- Makes voice and video seem “jittery”
- Engineering networks to reduce jitter can be expensive

4.5 Service Level Agreements (SLAs)
- Guarantees for performance
- Penalties if the network does not meet its service metrics guarantees

4.5 Service Level Agreements (SLAs)
- Guarantees specify worst cases (no worse than)
  - Lowest speed (e.g., no worse than 1 Mbps)
  - Maximum latency (e.g., no more than 125 ms)
- SLAs are like insurance policies

4.5 Service Level Agreements (SLAs)
- Often written on a percentage basis
  - No worse than 100 Mbps 99.5% of the time
  - Because as the percentage increases, additional engineering raises network costs
  - 100% compliance would be prohibitively expensive

4.5 Service Level Agreements (SLAs)
- Residential services are rarely sold with SLA guarantees
  - It would be expensive to engineer the network for high-percentage guarantees for residential customers
  - This would make prices unacceptable
- Businesses require high-percentage guarantees and so are willing to pay higher prices

Network Design

4.6 Two-Site Traffic Analysis
- Network design is based on speed requirements
- These may be different in the two directions
- Most transmission lines are symmetric in speed
- In such cases, the higher speed dictates line speed

4.7 Three-Site Traffic Analysis
- There are three sites connected by two links

4.7 Three-Site Traffic Analysis
- Link QR must carry the traffic flowing between Q and R and the traffic flowing between R and S

4.8 Three-Site Traffic Analysis with Redundancy
- Each pair of sites is connected
- Lines only carry traffic between site pairs

4.8 Three-Site Traffic Analysis with Redundancy
- How can traffic get from Q to R?

4.9 Addressing Momentary Traffic Peaks
Normally, network capacity is higher than the traffic. Sometimes, however, there will be momentary traffic peaks above the network’s capacity—usually for a fraction of a second to a few seconds.

4.9 Addressing Momentary Traffic Peaks
Congestion causes latency because switches and routers must store frames and packets while waiting to send them out again. Buffers are limited, so some packets may be lost.

4.9 Addressing Momentary Traffic Peaks
Overprovisioning is providing far more capacity than the network normally needs. This avoids nearly all momentary traffic peaks but is wasteful of transmission line capacity.

4.9 Addressing Momentary Traffic Peaks
With priority, latency-intolerant traffic, such as voice, is given high priority and will go first. Latency-tolerant traffic, such as e-mail, must wait. More efficient than overprovisioning; also more labor-intensive.

4.9 Addressing Momentary Traffic Peaks
QoS guarantees reserved capacity for some traffic, so this traffic always gets through. Other traffic, however, must fight for the remaining capacity.

Security Planning Principles

4.10 Threat Environment
You cannot defend yourself unless you know the threat environment you face.

4.10 Plan-Protect-Respond
Companies defend themselves with a process called the Plan-Protect-Respond Cycle.

4.10 Planning
The Plan-Protect-Respond Cycle starts with Planning. We will look at important planning principles.

4.10 Protecting
Companies spend most of their security effort on the protection phase, in which they apply planned protections on a daily basis. We covered this phase in Chapter 3.

4.10 Response
Even with great planning and protection, incidents will happen, and a company must have a well-rehearsed plan for responding to them.

4.11 Security Planning Principles
- Security Is a Management Issue, Not a Technology Issue
  - Without good management, technology cannot be effective
  - A company must have good security processes

4.11 Security Planning Principles
- Risk analysis
- Comprehensive security
- Defense in depth
- Weakest link analysis
- Single points of takeover
- Least permissions in access control

4.11 Risk Analysis
- The goal is not to eliminate all risk
  - You would not pay a million dollars for a countermeasure to protect an asset costing ten dollars
- You should reduce risk to the degree that it is economically reasonable
- You must compare countermeasure benefits with countermeasure costs

4.12 Risk Analysis Calculation

Countermeasure | None | A
Damage per successful attack | $1,000,000 | $500,000
Annual probability of a successful attack | 20% | 20%
Annual probability of damage | $200,000 | $100,000
Annual cost of countermeasure | $0 | $20,000
Net annual probable outlay | | $120,000
Annual value of countermeasure | | $80,000
Adopt the countermeasure? | | Yes

Countermeasure A cuts the damage per successful attack in half, but does not change the annual probability of occurrence. Countermeasure A will have a net savings of $80,000 per year.

3.10 Risk Analysis Calculation

Countermeasure | None | B
Damage per successful attack | $1,000,000 | $1,000,000
Annual probability of a successful attack | 20% | 15%
Annual probability of damage | $200,000 | $150,000
Annual cost of countermeasure | $0 | $60,000
Net annual probable outlay | | $210,000
Annual value of countermeasure | | -$10,000
Adopt the countermeasure? | | No

Countermeasure B cuts the frequency of occurrence in half, but does not change the damage per occurrence. This time, the countermeasure is too expensive.
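The two risk analysis tables above, recomputed as an added example (not part of the original slides). The class and function names are illustrative, the dollar and percentage figures are the ones in the tables, and the break-even cost column is an addition that goes beyond the slides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Option:
    name: str
    damage_per_attack: int   # dollars lost per successful attack
    probability_pct: int     # annual probability of a successful attack, in percent
    annual_cost: int         # annual cost of the countermeasure, in dollars

    @property
    def probable_damage(self) -> float:
        """Annual probable damage = damage per attack x annual probability."""
        return self.damage_per_attack * self.probability_pct / 100

    @property
    def net_outlay(self) -> float:
        """Net annual probable outlay = probable damage + countermeasure cost."""
        return self.probable_damage + self.annual_cost

def evaluate(baseline, candidates):
    """Compare each candidate with the baseline; best annual value first."""
    rows = []
    for c in candidates:
        value = baseline.net_outlay - c.net_outlay
        rows.append({
            "name": c.name,
            "net_outlay": c.net_outlay,
            "annual_value": value,
            # Highest annual cost at which the countermeasure still breaks even.
            "break_even_cost": baseline.net_outlay - c.probable_damage,
            "adopt": value > 0,
        })
    return sorted(rows, key=lambda r: r["annual_value"], reverse=True)

# Figures taken from the slide tables.
NONE = Option("None", 1_000_000, 20, 0)
A = Option("A", 500_000, 20, 20_000)
B = Option("B", 1_000_000, 15, 60_000)

if __name__ == "__main__":
    for row in evaluate(NONE, [A, B]):
        print(row)
```

The break-even column shows why B is rejected: it removes $50,000 of annual probable damage but costs $60,000 a year.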

4.13 Comprehensive Security

4.14 Defense in Depth

4.15 Identifying Weakest Links

Weakest Link versus Defense in Depth

 | Defense in Depth | Weakest Link
Countermeasures | Several | One
Criterion | One must succeed | All components must succeed

4.16 Protecting Single Points of Take-Over
- Central control is crucial to reducing labor costs and improving implementation speed

4.17 Least Permissions in Access Control
- If attackers cannot get access to a resource, they cannot exploit it
- Access control is limiting who may have access to each resource
  - And limiting his or her permissions when using the resource

4.17 Least Permissions in Access Control
- Authentication versus Authorizations (Permissions)
  - Authentication: Proof of identity
  - Authorizations: Permissions a particular authorized user is given with a resource
  - Just because a user is authenticated does not mean that he or she will be permitted to do everything

4.17 Least Permissions in Access Control
- Principle of Least Permissions
  - Give each authenticated user only the minimum permissions he or she needs to do his or her job
  - Cannot do unauthorized things that will compromise security

4.17 Least Permissions in Access Control
- Examples of Limited Permissions
  - Create files but not delete files
  - Cannot see files above a certain level of sensitivity
  - Read files but not write (edit) them
  - See files in own folders but not all folders
  - Connect to the person’s department server but not to the Finance server
  - Do certain things but cannot give others permission to do them
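A small model of the authentication versus authorization split and the limited-permission examples above, as an added example that is not part of the original slides. All class names, users, passwords, folders and sensitivity levels are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    clearance: int                               # highest sensitivity level visible
    grants: dict = field(default_factory=dict)   # folder -> set of allowed actions

@dataclass(frozen=True)
class Resource:
    folder: str
    sensitivity: int

class AccessControl:
    def __init__(self):
        self.users = {}

    def add_user(self, name, password, clearance, grants=None):
        salt = os.urandom(16)
        self.users[name] = User(salt, _hash(password, salt), clearance,
                                {f: set(a) for f, a in (grants or {}).items()})

    def authenticate(self, name, password):
        """Authentication: proof of identity only, no permissions implied."""
        user = self.users.get(name)
        if user and hmac.compare_digest(user.pw_hash, _hash(password, user.salt)):
            return user
        return None

    def authorize(self, user, action, resource):
        """Authorization: default deny; needs an explicit grant within clearance."""
        if user is None or resource.sensitivity > user.clearance:
            return False
        return action in user.grants.get(resource.folder, set())

    def grant(self, grantor, grantee, folder, action):
        """Granting is itself a permission ('grant') held on the folder."""
        if grantor is None or "grant" not in grantor.grants.get(folder, set()):
            raise PermissionError(f"may not grant on {folder}")
        self.users[grantee].grants.setdefault(folder, set()).add(action)

def demo():
    # Constructed sample user, password and resources.
    ac = AccessControl()
    ac.add_user("alice", "s3cret!", 1, {"engineering": {"create", "read"}})
    notes, plans = Resource("engineering", 1), Resource("engineering", 3)
    ledger = Resource("finance", 1)
    alice = ac.authenticate("alice", "s3cret!")
    results = {
        "bad_password_rejected": ac.authenticate("alice", "guess") is None,
        "create": ac.authorize(alice, "create", notes),
        "read": ac.authorize(alice, "read", notes),
        "delete": ac.authorize(alice, "delete", notes),
        "write": ac.authorize(alice, "write", notes),
        "read_sensitive": ac.authorize(alice, "read", plans),
        "read_finance": ac.authorize(alice, "read", ledger),
    }
    try:
        ac.grant(alice, "alice", "engineering", "delete")
        results["self_grant"] = True
    except PermissionError:
        results["self_grant"] = False
    return results
```

Every check starts from deny: an authenticated user gets only the actions explicitly granted on a folder, and the right to grant is just another permission that the sample user does not hold.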

4.18 Policy-Based Security
Planners create policies, which specify what to do but not how to do it. Policy-makers create policies with global knowledge. Implementers implement policies with local and technical expertise.

4.18 Policy-Based Security
- Policy Example
  - Use strong encryption for credit cards.
- Implementation of the Policy
  - Choose a specific encryption method within this policy.
  - Select where in the process to do the encryption.
  - Choose good options for the encryption method.

4.18 Policy-Based Security
Implementation guidance goes beyond pure “what” by constraining to some extent the “how”. For example, it may specify that encryption keys must be more than 100 bits long. Constrains implementers so they will make reasonable choices.

4.18 Policy-Based Security
Implementation Guidance has two forms. Standards MUST be followed by implementers. Guidelines SHOULD be followed, but are optional. However, guidelines must be considered carefully.

4.18 Policy-Based Security
Oversight checks that policies are being implemented successfully. Good implementation + Good oversight = Good protection

4.18 Policy-Based Security
Policies are given to implementers and oversight staff independently. Oversight may uncover implementation problems or problems with the specification of the policy.

Centralized Management

4.19 Ping

4.20 Simple Network Management Protocol (SNMP)
It is desirable to have network visibility—to know the status of all devices at all times. Ping can determine if a host or router is reachable. The simple network management protocol (SNMP) is designed to collect extensive information needed for network visibility.

4.20 SNMP
Central manager program communicates with each managed device. Actually, the manager communicates with a network management agent on each device.

4.20 SNMP
The manager sends SNMP commands and gets SNMP responses. Agents can send SNMP traps (alarms) if there are problems.

4.20 SNMP
Information from agents is stored in the SNMP management information base (MIB).

Configuring SNMP Support http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf014.pdf

4.20 SNMP
Network visualization programs analyze information from the MIB to portray the network, do troubleshooting, and answer specific questions.

4.20 SNMP
SNMP interactions are standardized, but network visualization program functionality is not, in order not to constrain developers of visualization tools.

4.21 Traditional Device Control in Networking
- Firewall Forwarding
  - How the firewall deals with incoming packets
  - What interface (port) to send them out
- Firewall Control
  - Creates the rules for firewall forwarding
  - In comparison, firewall forwarding is comparatively simple

4.22 Software-Defined Networking (SDN) Control

4.23 Centralized Firewall Management