Big Switch Network Design - Assignment Example

Network infrastructure is simply information relay flow. The best developed infrastructure should be reliable, deliver data quickly, adapt to changes in both the environment and the platform on which it is based, and grow along with the business (Keith, 2011). Meeting these requirements involves several very complex tasks: information gathering, planning, designing and modeling. While building a network, the designer focuses more on three layers of the OSI model. Although many technologies are available for network construction, it is extremely important to be aware of the implications of selecting one technology over another, which network devices or equipment to use, in which layer each device can function, and how each device's functionality conforms to the network architecture requirements.

Implementation of VLAN segments in a network (Keith, 2011)

VLAN stands for Virtual Local Area Network. A VLAN is a logical LAN segment that joins different physical LANs by creating logical subnets. A VLAN involves different physical LAN segments and enables communication between them. This infrastructure enables functional separation of departments, for example, separating the HR department from the production department into two different LANs without a router. Creating workgroups enables two different VLANs to communicate even though they are physically in different buildings. VLANs improve performance by increasing the available bandwidth according to how many VLANs are created to share the bandwidth being consumed. This infrastructure also eases network maintenance, which can involve removing, changing and adding network users and equipment.

In LANs, a designer needs to reconfigure the routers, servers and workstations if a user moves, which also means reconfiguring the switch and hub and rearranging the cables. In a VLAN this can be avoided on the workstation and the router involved. VLANs do bring additional administrative complexity, but on the other hand they increase security because the administration manages the virtual workgroups. Generally, this type of networking reduces every type of cost, from implementation cost to maintenance cost, by minimizing network administration (Krzysztof, 2008).

We can also use multiple VLANs per switch port, which means using a shared hub off the switch ports. The designer can also introduce a wireless VLAN. To implement this, the designer introduces a wireless access point that can be located by more units from one administration centre, so that we avoid a lot of cabling and use of routers. Each access point contains mapped SSIDs with a maximum of 16 membership units. The access point is then assigned an 802.11 primary SSID, which is broadcast with beacons to all wireless clients on that segment. Membership is assigned to each wireless client on the VLAN by considering the specific company department, the security rights and which servers are most accessed. VLAN 1 is considered the default native VLAN, so it does not tag traffic. The native VLAN number given must then match the VLAN assigned to all the attached access points on that network segment. To filter traffic and secure management VLAN traffic, this company will implement access control lists on every network switch. Introducing RADIUS SSID control requires wireless clients with an authenticated 802.1x configuration and a RADIUS server that is already configured with the mapped SSIDs for every wireless client. The server sends the list to the access point of which the client is a member. Here, the employee cannot be a member of any wired VLAN other than the specific VLAN assigned, and all this is done during authentication. The VLAN defines its own policy group filters, so all infrastructure devices are denied membership to a non-infrastructure SSID (Krzysztof, 2008).

Another ability to be implemented is trunking. This ability switches traffic between network segments that have multiple VLANs defined. Each company department comprises a group of employees defined by a separate VLAN broadcast domain (Krzysztof, 2008).

Infrastructure that protects against MAC layer attacks

MAC layer attacks involve denial of service and target the protocols in that layer. The attack improvises different ways to affect the station associated with the access point or the component that controls power management. This is done by sending forged or fake pinged protocol messages into the network, which overloads the system and eventually renders it unreliable (Kingsley, 2012). These attacks include:
  • Malicious nodes transmitting fake route updates
  • Malicious nodes dropping a certain number of the data packets when participating in a route
  • Malicious nodes replaying stale updates
  • Reduction of the time-to-live (TTL) in the IP header, which causes packets not to reach their destination

Denial of Service (DoS) has been studied extensively, and ways of preventing it from overwhelming a host have been implemented. To prevent this occurrence we can do the following:
  • Involve corroboration among the different neighbors in the network and enable them to communicate, so that if any malicious node is introduced into the system, we can isolate it and keep it from harming the entire network.
  • Instead of using an FTP application based on TCP, introduce a CBR application client that uses UDP.
  • Authenticate the nodes and the hosts; this enables the legitimacy of a given communication to be determined from its source to its destination.
  • Change the routing information. This makes it difficult to launch an attack on a node that is at a far distance from the other (Kingsley, 2012).

The above solutions can be implemented by using a NAT and a firewall, and by introducing administration centers that can watch the flow of data packets through the network.

Protection against VLAN attacks

Subnetting the network into manageable VLANs can invite quite a number of threats, but measures are deployed to protect the interconnection from interference. VLAN threats include:
  • VLAN hopping attack
  • Address Resolution Protocol attack
  • VLAN Trunking Protocol attacks
  • Overload of the bridge, switch, router and host tables

The above threats can be prevented by implementing measures that include configuration of the switches and other devices in the network (Kingsley, 2012). These measures include:
  • Configuring passwords and authenticating the nodes: This also involves the ports and access points in the network, by using the 'port-security' command and then using static ARP for critical hosts like servers and routers. We can also add an intrusion-detection system that can track and report attacks. In case of VTP attacks, we can disable VTP, but that would affect a large firm with more than 5 switches like the Big Switch Network, so we introduce MD5 authentication, which checks every VTP message sent and only allows messages with the correct password to be processed by the client switches (Steven, 2004).
  • Introduction of VLAN Membership Policy Server (VMPS): This protocol uses the MAC address of the host to determine the proper location of a VLAN.
  • Use of EtherChannel, which is used for port aggregation.
  • Port security, whereby we restrict the allowed MAC addresses on a per-port basis.
  • The basic Cisco Discovery Protocol, which can be enabled by default on all Cisco devices (Keith, 2011). It broadcasts information about the device on the network every minute.
  • Firewalls, NATs and other access restrictions such as proxy servers and cookies, which can also prevent VLAN attacks to a certain level and prevent unauthorized entry.

Protect against spoofing attacks

Spoofing involves an attempt to acquire or forge the identity of a legitimate IP source address. After acquiring the identity of an 802.11 wireless network user, the malicious user accesses the services that are restricted to the legitimate user, and then gains entry to the network as an authorized user. To avoid these attacks, 7 steps are taken by the sender and receiver nodes of the data packets (Kingsley, 2012).

At the sender node:
  • 1st step: capture the IEEE 802.11 MAC frame using a Packet Capture Library function.
  • 2nd step: steganography. This involves hiding the proposed identity information in a proposed covert channel.
  • 3rd step: encryption. Here, the identity information is encrypted, or ciphered, with an algorithm before being transmitted.
  • 4th step: send the modified IEEE 802.11 frame. This is the final step for the sender, which involves sending the deciphered message.

At the receiver node:
  • 1st step: analyze the received frame by extracting the frame fields.
  • 2nd step: decrypt the encrypted information.
  • 3rd step: matching. Here, the receiver looks through the list and checks whether the name and sequence number from the current frame match.
  • 4th step: determine the frame type, that is, whether it is a spoofed or a legal frame.

Securing the network switches

When selecting a switch we can decide between a modular and a fixed configuration, and between stackable and nonstackable. With a fixed configuration, we cannot add features beyond the current options. Modular switches offer flexibility and have different sized chassis. Stackable switches allow interconnection by a special backbone cable.
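The receiver-side steps listed under "Protect against spoofing attacks" (extract the frame fields, verify the identity information, match name and sequence number, classify the frame) can be modelled as follows. This is an added example, not code from the essay or its sources: HMAC-SHA256 stands in for the unspecified encryption algorithm, the identity tag is carried in the first bytes of the frame body instead of a covert channel, and the key, station name, tag length and gap tolerance are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8      # assumed size of the identity tag carried in the frame body
SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits wide
MAX_GAP = 64     # assumed tolerance for frames missed between two sightings


def identity_tag(key: bytes, name: str, seq: int) -> bytes:
    """Sender side: bind the station name to the frame's sequence number.
    HMAC-SHA256 is a stand-in for the essay's unspecified cipher."""
    msg = name.encode() + struct.pack("<H", seq)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(src: bytes, seq: int, tag: bytes, payload: bytes = b"") -> bytes:
    """Constructed 24-byte 802.11 data header followed by tag and payload."""
    fc_dur = struct.pack("<HH", 0x0008, 0)             # type = data, duration 0
    ap = bytes.fromhex("0200000000aa")                 # constructed AP address
    seq_ctl = struct.pack("<H", (seq % SEQ_MOD) << 4)  # fragment number 0
    return fc_dur + ap + src + ap + seq_ctl + tag + payload


def parse_frame(frame: bytes):
    """Receiver step 1: extract transmitter address, sequence number, tag."""
    if len(frame) < 24 + TAG_LEN:
        raise ValueError("frame too short")
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    return frame[10:16], seq_ctl >> 4, frame[24:24 + TAG_LEN]


class Receiver:
    def __init__(self, stations: dict):
        self.stations = stations   # MAC -> (name, key): the receiver's list
        self.last_seq = {}         # MAC -> last accepted sequence number

    def classify(self, frame: bytes) -> str:
        """Receiver steps 2-4: verify, match, and label the frame."""
        try:
            src, seq, tag = parse_frame(frame)
        except ValueError:
            return "spoofed"
        if src not in self.stations:
            return "spoofed"                      # transmitter not on the list
        name, key = self.stations[src]
        if not hmac.compare_digest(tag, identity_tag(key, name, seq)):
            return "spoofed"                      # identity does not match
        prev = self.last_seq.get(src)
        if prev is not None:
            gap = (seq - prev) % SEQ_MOD          # handles the 4095 -> 0 wrap
            if gap == 0 or gap > MAX_GAP:         # retransmissions not modelled
                return "spoofed"                  # replayed or implausible number
        self.last_seq[src] = seq
        return "legal"


if __name__ == "__main__":
    key, sta = b"constructed-key!", bytes.fromhex("020000000001")
    rx = Receiver({sta: ("hr-laptop-01", key)})
    good = build_frame(sta, 100, identity_tag(key, "hr-laptop-01", 100))
    forged = build_frame(sta, 101, bytes(TAG_LEN))   # right MAC, no valid tag
    for label, f in (("good", good), ("replay", good), ("forged", forged)):
        print(label, rx.classify(f))
```
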
To protect the switches against attacks we should do the following:
  • The administrator should ensure there is one MAC address for each switch port (Steven, 2004).
  • Install firewalls, intrusion detection systems and intrusion prevention systems, gateways, access controls, NATs and proxy servers.
  • Avoid spoofing of IP addresses from external networks.
  • Avoid bandwidth abuse, and protect against viruses, worms and Trojans by avoiding malicious files.
  • Protect the switch during configuration by configuring a password and other network access control measures.
  • Introduce switch trunk links, for example, VLAN trunking, inter-switch link trunking and virtual trunking protocols.
  • Use Cisco Discovery Protocol, spanning tree protocols that prevent looping data, MAC Hardcore, ARP Hardcore, and protocol analyzers (Steven, 2004).

Core backbone

In this enterprise, the core backbone will provide paths and enable information flow and communication between different sub-networks. Core backbones can be switches, routers and service providers, so they must be intelligent devices to control the network interactions.

Campus

This is the use of multigigabit switches to build a highly reliable, high-performance network. Because this firm is large, we will definitely need these switches and a connection with Gigabit Ethernet and EtherChannel.

Data centers

These are physical or virtual centralized repositories for the management, storage and dissemination of the information and data of a particular body (Martin, 1999). In the case of this organization, the data centers should be placed at the topmost administration position and be highly secured.

Branch/WAN

This involves the WAN edges of the branch routers. They control link-speed categories, link-specific caveats and bandwidth-provision directions. For this firm, they will link two different networks located far away from each other.
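The per-port measures listed under "Securing the network switches" (one MAC address per switch port, a configured password) and the 'port-security' command named under "Protection against VLAN attacks" can be checked mechanically against a switch configuration. The following Python script is an added example, not part of the original essay: the IOS-style configuration is constructed, the function names are hypothetical, and the native-VLAN check reflects common trunk-hardening practice against VLAN hopping, not a measure the essay lists.

```python
import re

# Constructed IOS-style configuration for illustration; not from a real device.
SAMPLE_CONFIG = """\
enable secret 5 <constructed-hash>
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each interface name to the list of commands in its stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a global command ends the stanza
    return interfaces


def audit(config: str) -> list:
    """Return (scope, finding) tuples for weak switch-port settings."""
    findings = []
    if not re.search(r"^enable (secret|password) ", config, re.M):
        findings.append(("global", "no enable password configured"))
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" in cmds:
            if "switchport port-security" not in cmds:
                findings.append((name, "port-security not enabled"))
            for c in cmds:          # the essay asks for one MAC address per port
                m = re.fullmatch(r"switchport port-security maximum (\d+)", c)
                if m and int(m.group(1)) > 1:
                    findings.append((name, f"allows {m.group(1)} MAC addresses"))
        elif "switchport mode trunk" in cmds:
            native = [c for c in cmds if c.startswith("switchport trunk native vlan ")]
            if not native or native[-1].split()[-1] == "1":
                findings.append((name, "trunk uses native VLAN 1"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```
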
Internet edges

This is the network infrastructure that allows business enterprises to connect to the internet and to rest on the cyberspace. It allows customers and business people to interact. For this firm, it will allow corporate access and DMZ, service providers, remote access, branch backup and edge distribution.

Departmental design

For the seven departments, we will need to create seven different subnets. Each department will have its own network and broadcast domain. Each will have a switch that avoids interference with other subnetworks (Martin, 1999). A router will then be introduced to connect the VLANs to each other, and it will in turn be connected to the NAT, which will enable the whole network to access the internet.

[Figure: Graphical representation of the infrastructure design and the deployment design of the seven departments. Labels: Firewall, Departments]

Above we show how the VLANs are created, set out as different departments and assigned their own switches. Hosts in one department can share common resources like printers in the same subnetwork. For a department to communicate with other departments outside its boundaries, it will have to go through the router. So the router enables communication between hosts from different departments. Each department has its own policies and security measures, so the administrator at every switch can control and check for any intrusion on the network. Here, performance is increased, reliability is enhanced and security is well maintained.

Secure environment for Big Switch

In implementing all the above, we will not only secure the network, we will also make it reliable and stable. A stable network creates a secure environment for both users and administrators. By creating VLANs and avoiding the native LANs, we provide strong security measures to protect the network. All attacks will be taken care of at all levels and layers in the system. Lastly, with robustness within the network, we will be able to fight new attacks and keep the entire network from collapsing (Martin, 1999).

References

Keith, H. T., John, T., & Diane, T. (2011). Designing Cisco Network Services Architecture (ARCH). Indianapolis: Cisco Press.
Kingsley, A., G, A., B, C., F, O., & C, S. (2012). Designing of and Appropriate Network Infrastructure to Support Research and education network. Norderstedt: GRIN Verlag.
Krzysztof, I., Carl, M., & Minoli, D. (2008). Network Infrastructure and Architecture: Designing High-Availability Network. Toronto: Wiley-Interscience.
Martin, M. W., Kok-Keong, L., & Payam, M. (1999). IP Network Design Guide. New York: International Technical Support Organization.
Steven, A., & Brian, K. (2004). Security Sage's Guide Hardening the Network Infrastructure. Rockland: Syngress Publishing, Inc.