computer networks

The document outlines various routing protocols, including distance vector and link state types, detailing their functions, characteristics, and convergence methods. It discusses specific protocols like IGRP, EIGRP, OSPF, IS-IS, and BGP, highlighting their unique features and applications in network routing. Additionally, it covers LAN switching fundamentals, emphasizing the efficiency and techniques used in LAN switching processes.

Uploaded by

Kenneth Ngum

Routing Protocols: Functions and Characteristics

The purpose of routing protocols is to learn of available routes that exist on the
enterprise network, build routing tables and make routing decisions. Some of the
most common routing protocols include RIP, IGRP, EIGRP, OSPF, IS-IS and BGP.

There are two primary routing protocol types, although many different routing
protocols are defined within those two types. Link state and distance vector
protocols comprise the primary types.

Distance vector protocols advertise their routing table to all directly connected
neighbors at regular frequent intervals using a lot of bandwidth and are slow to
converge. When a route becomes unavailable, all router tables must be updated with
that new information. The problem is with each router having to advertise that new
information to its neighbors, it takes a long time for all routers to have a current
accurate view of the network. Distance vector protocols use fixed length subnet
masks which aren’t scalable.
Link state protocols advertise routing updates only when they occur which uses
bandwidth more effectively. Routers don’t advertise the routing table which makes
convergence faster. The routing protocol will flood the network with link state
advertisements to all neighbor routers per area in an attempt to converge the
network with new route information. The incremental change is all that is
advertised to all routers as a multicast LSA update. They use variable length subnet
masks, which are scalable and use addressing more efficiently.

Interior Gateway Routing Protocol (IGRP)

Interior Gateway Routing Protocol is a distance vector routing protocol developed
by Cisco systems for routing multiple protocols across small and medium sized
Cisco networks.

It is proprietary which requires that you use Cisco routers. This contrasts with IP
RIP and IPX RIP, which are designed for multi-vendor networks.

IGRP will route IP, IPX, Decnet and AppleTalk which makes it very versatile for
clients running many different protocols. It is somewhat more scalable than RIP
since it supports a hop count of 100, only advertises every 90 seconds and uses a
composite of five different metrics to select a best path destination.

Note that since IGRP advertises less frequently, it uses less bandwidth than RIP but
converges much slower since it is 90 seconds before IGRP routers are aware of
network topology changes. IGRP does recognize assignment of different
autonomous systems and automatically summarizes at network class boundaries. As
well there is the option to load balance traffic across equal or unequal metric cost
paths.

Characteristics
• Distance Vector
• Routes IP, IPX, Decnet, Appletalk
• Routing Table Advertisements Every 90 Seconds
• Metric: Bandwidth, Delay, Reliability, Load, MTU Size
• Hop Count: 100
• Fixed Length Subnet Masks
• Summarization on Network Class Address
• Load Balancing Across 6 Equal or Unequal Cost Paths (IOS 11.0)
• Metric Calculation = destination path minimum BW * Delay (usec)
• Split Horizon
• Timers: Invalid Timer (270 sec), Flush Timer (630 sec), Holddown Timer (280 sec)

Enhanced Interior Gateway Routing Protocol (EIGRP)

Enhanced Interior Gateway Routing Protocol is a hybrid routing protocol developed
by Cisco systems for routing many protocols across an enterprise Cisco network.

It has characteristics of both distance vector routing protocols and link state routing
protocols. It is proprietary which requires that you use Cisco routers. EIGRP will
route the same protocols that IGRP routes (IP, IPX, Decnet and Appletalk) and use
the same composite metrics as IGRP to select a best path destination.

As well there is the option to load balance traffic across equal or unequal metric
cost paths. Summarization is automatic at a network class address however it can be
configured to summarize at subnet boundaries as well. Redistribution between
IGRP and EIGRP is automatic as well. There is support for a hop count of 255 and
variable length subnet masks.
Convergence
Convergence with EIGRP is faster since it uses an algorithm called dual update
algorithm or DUAL, which is run when a router detects that a particular route is
unavailable. The router queries its neighbors looking for a feasible successor. That
is defined as a neighbor with a least cost route to a particular destination that
doesn’t cause any routing loops. EIGRP will update its routing table with the new
route and the associated metric. Route changes are advertised only to affected
routers when changes occur. That utilizes bandwidth more efficiently than distance
vector routing protocols.

Autonomous Systems
EIGRP does recognize assignment of different autonomous systems which are
processes running under the same administrative routing domain. Assigning
different autonomous system numbers isn’t for defining a backbone such as with
OSPF. With IGRP and EIGRP it is used to change route redistribution, filtering and
summarization points.

Characteristics
• Advanced Distance Vector
• Routes IP, IPX, Decnet, Appletalk
• Routing Advertisements: Partial When Route Changes Occur
• Metrics: Bandwidth, Delay, Reliability, Load, MTU Size
• Hop Count: 255
• Variable Length Subnet Masks
• Summarization on Network Class Address or Subnet Boundary
• Load Balancing Across 6 Equal or Unequal Cost Paths (IOS 11.0)
• Timers: Active Time (180 sec)
• Metric Calculation = destination path minimum BW * Delay (msec) * 256
• Split Horizon
• LSA Multicast Address: 224.0.0.10
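The two computations the EIGRP section describes, the composite metric in the characteristics list and the DUAL search for a feasible successor in the Convergence paragraph, are worked through below. This is an added example, not code from the original document: the metric uses the default K values (bandwidth and delay only), and the neighbour reported distances and link costs are constructed values. The feasibility condition used (a neighbour's reported distance must be lower than the feasible distance of the best path) is the standard DUAL loop-freedom test.

```python
"""EIGRP/IGRP composite metric (default K values) and DUAL successor
selection.  Added example, not part of the original document; the
neighbour figures in demo() are constructed."""


# Default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) reduce the metric to:
#   IGRP  metric = 10^7 / min_bandwidth_kbps + sum_of_delays_usec / 10
#   EIGRP metric = IGRP metric * 256
# Integer division at each step mirrors router arithmetic.
def igrp_metric(min_bandwidth_kbps: int, total_delay_usec: int) -> int:
    return 10_000_000 // min_bandwidth_kbps + total_delay_usec // 10


def eigrp_metric(min_bandwidth_kbps: int, total_delay_usec: int) -> int:
    return igrp_metric(min_bandwidth_kbps, total_delay_usec) * 256


def dual_select(neighbors):
    """neighbors: list of (name, reported_distance, link_cost_to_neighbor).

    Successor: the neighbour giving the lowest total metric; that total is
    the feasible distance (FD).  Feasible successor: any other neighbour
    whose reported distance (its own metric to the destination) is strictly
    below FD.  Such a neighbour cannot be routing through us, so the
    backup path is loop-free and can be installed without a query."""
    best = min(neighbors, key=lambda n: n[1] + n[2])
    feasible_distance = best[1] + best[2]
    feasible = [n[0] for n in neighbors
                if n is not best and n[1] < feasible_distance]
    return best[0], feasible_distance, feasible


def demo():
    # Constructed: three neighbours advertising the same destination.
    # R4 has the second-best total, but its reported distance (1600) is
    # not below FD (1500), so it is NOT a feasible successor; R3 is.
    neighbors = [
        ("R2", 1000, 500),   # total 1500 -> successor, FD = 1500
        ("R3", 1200, 600),   # total 1800, RD 1200 < 1500 -> feasible
        ("R4", 1600, 100),   # total 1700, RD 1600 >= 1500 -> not feasible
    ]
    return dual_select(neighbors)
```

The classic T1 figures (1544 kbps, 20000 usec of delay) give an IGRP metric of 8476 and an EIGRP metric of 2169856, which is the number seen in a `show ip route` entry for an EIGRP-learned T1 path.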

Open Shortest Path First (OSPF)

Open Shortest Path First is a true link state protocol developed as an open
standard for routing IP across large multi-vendor networks. A link state protocol
will send link state advertisements to all connected neighbours of the same area to
communicate route information. Each OSPF enabled router, when started, will send
hello packets to all directly connected OSPF routers.
The hello packets contain information such as router timers, router ID and subnet
mask. If the routers agree on the information they become OSPF neighbours. Once
routers become neighbours they establish adjacencies by exchanging link state
databases. Routers on point-to-point and point-to-multipoint links (as specified with
the OSPF interface type setting) automatically establish adjacencies. Routers with
OSPF interfaces configured as broadcast (Ethernet) and NBMA (Frame Relay) will
use a designated router that establishes those adjacencies.

Areas
OSPF uses a hierarchy with assigned areas that connect to a core backbone of
routers. Each area is defined by one or more routers that have established
adjacencies. OSPF has defined backbone area 0, stub areas, not-so-stubby areas and
totally stubby areas. Area 0 is built with a group of routers connected at a
designated office or by WAN links across several offices. It is preferable to have all
area 0 routers connected with a full mesh using an Ethernet segment at a core
office. This provides for high performance and prevents partitioning of the area
should a router connection fail. Area 0 is a transit area for all traffic from attached
areas. Any inter-area traffic must route through area 0 first. Stub areas use a default
route to forward traffic destined for an external network such as EIGRP since the
area border router doesn’t send or receive any external routes. Inter-area and intra-
area routing is as usual. Totally stubby areas are a Cisco specification that uses a
default route for inter-area and external destinations. The ABR doesn’t send or
receive external or inter-area LSA’s. The not-so-stubby area ABR will advertise
external routes with type 7 LSA. External routes aren’t received at that area type.
Inter-area and intra-area routing is as usual. OSPF defines internal routers,
backbone routers, area border routers (ABR) and autonomous system boundary
routers (ASBR). Internal routers are specific to one area. Area border routers have
interfaces that are assigned to more than one area such as area 0 and area 10. An
autonomous system boundary router has interfaces assigned to OSPF and a
different routing protocol such as EIGRP or BGP. A virtual link is utilized when an
area doesn’t have a direct connection to area 0. A virtual link is established between
an area border router for an area that isn’t connected to area 0, and an area border
router for an area that is connected to area 0. Area design involves considering
geographical location of offices and traffic flows across the enterprise. It is
important to be able to summarize addresses for many offices per area and
minimize broadcast traffic.

Convergence
Fast convergence is accomplished with the SPF (Dijkstra) algorithm which
determines a shortest path from source to destination. The routing table is built from
running SPF which determines all routes from neighbor routers. Since each OSPF
router has a copy of the topology database and routing table for its particular area,
any route changes are detected faster than with distance vector protocols and
alternate routes are determined.

Designated Router
Broadcast networks such as Ethernet and Non-Broadcast Multi Access networks
such as Frame Relay have a designated router (DR) and a backup designated router
(BDR) that are elected. Designated routers establish adjacencies with all routers on
that network segment. This is to reduce broadcasts from all routers sending regular
hello packets to its neighbors. The DR sends multicast packets to all routers that it
has established adjacencies with. If the DR fails, it is the BDR that sends multicasts
to specific routers. Each router is assigned a router ID, which is the highest assigned
IP address on a working interface. OSPF uses the router ID (RID) for all routing
processes.

Characteristics
• Link State
• Routes IP
• Routing Advertisements: Partial When Route Changes Occur
• Metric: Composite Cost of each router to Destination (100,000,000/interface
speed)
• Hop Count: None (Limited by Network)
• Variable Length Subnet Masks
• Summarization on Network Class Address or Subnet Boundary
• Load Balancing Across 4 Equal Cost Paths
• Router Types: Internal, Backbone, ABR, ASBR
• Area Types: Backbone, Stubby, Not-So-Stubby, Totally Stubby
• LSA Types: Intra-area (1,2) Inter-area (3,4), External (5,7)
• Timers: Hello Interval and Dead Interval (different for network types)
• LSA Multicast Address: 224.0.0.5 and 224.0.0.6 (DR/BDR). Don't Filter!
• Interface Types: Point to Point, Broadcast, Non-Broadcast, Point to Multipoint,
Loopback
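The Convergence paragraph says the routing table is built by running SPF (Dijkstra) over the area's topology database, and the characteristics list gives the cost formula (100,000,000 / interface speed). The block below puts the two together on a small constructed link-state database. It is an added example, not code from the document; the five-router topology, router names and link speeds are assumed values, and the cost clamp to a minimum of 1 is the standard behaviour for interfaces faster than the reference bandwidth.

```python
"""OSPF-style link cost and SPF (Dijkstra) routing-table build.  Added
example, not from the document; the topology below is constructed."""
import heapq

REFERENCE_BANDWIDTH = 100_000_000   # 10^8 bps, as in the characteristics list


def ospf_cost(interface_bps: int) -> int:
    """Cost = reference bandwidth / interface speed, never below 1, so a
    GigabitEthernet link costs the same as FastEthernet unless the
    reference bandwidth is raised."""
    return max(1, REFERENCE_BANDWIDTH // interface_bps)


# Constructed link-state database: (router_a, router_b, link speed in bps).
LSDB = [
    ("R1", "R2", 100_000_000),     # FastEthernet, cost 1
    ("R1", "R3", 10_000_000),      # Ethernet, cost 10
    ("R2", "R4", 1_544_000),       # T1, cost 64
    ("R3", "R4", 100_000_000),     # cost 1
    ("R4", "R5", 1_000_000_000),   # GigabitEthernet, cost clamped to 1
]


def build_graph(lsdb):
    """Adjacency map {router: {neighbour: cost}} from the LSDB."""
    graph = {}
    for a, b, bps in lsdb:
        cost = ospf_cost(bps)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, source):
    """Dijkstra from `source`.  Returns {router: (total_cost, next_hop)},
    which is exactly the information an OSPF routing-table entry carries."""
    dist = {source: 0}
    first_hop = {source: None}
    heap = [(0, source)]
    visited = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in visited:
            continue
        visited.add(u)
        for v, cost in graph[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                first_hop[v] = v if u == source else first_hop[u]
                heapq.heappush(heap, (nd, v))
    return {r: (dist[r], first_hop[r]) for r in dist if r != source}


def routing_table(source="R1"):
    return spf(build_graph(LSDB), source)
```

From R1 the T1 path R1-R2-R4 (cost 65) loses to R1-R3-R4 (cost 11), so R4 and R5 are reached via R3 even though R2 is the cheaper first hop; a metric that counted hops would have chosen the other way.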

Integrated IS-IS
Integrated Intermediate System – Intermediate System routing protocol is a link
state protocol similar to OSPF that is used with large enterprise and ISP customers.
An intermediate system is a router and IS-IS is the routing protocol that routes
packets between intermediate systems. IS-IS utilizes a link state database and runs
the SPF Dijkstra algorithm to select shortest paths routes. Neighbor routers on point
to point and point to multipoint links establish adjacencies by sending hello packets
and exchanging link state databases. IS-IS routers on broadcast and NBMA
networks select a designated router that establishes adjacencies with all neighbor
routers on that network. The designated router and each neighbor router will
establish an adjacency with all neighbor routers by multicasting link state
advertisements to the network itself. That is different from OSPF, which establishes
adjacencies between the DR and each neighbor router only. IS-IS uses a
hierarchical area structure with level 1 and level 2 router types. Level 1 routers are
similar to OSPF intra-area routers, which have no direct connections outside of its
area. Level 2 routers comprise the backbone area which connects different areas
similar to OSPF area 0. With IS-IS a router can be an L1/L2 router which is like an
OSPF area border router (ABR) which has connections with its area and the
backbone area. The difference with IS-IS is that the links between routers comprise
the area borders and not the router. Each IS-IS router must have an assigned address
that is unique for that routing domain. An address format is used which is
comprised of an area ID and a system ID. The area ID is the assigned area number
and the system ID is a MAC address from one of the router interfaces. There is
support for variable length subnet masks, which is standard with all link state
protocols. Note that IS-IS assigns the routing process to an interface instead of a
network.

Characteristics
• Link State
• Routes IP, CLNS
• Routing Advertisements: Partial When Routing Changes Occur
• Metric: Variable Cost (default cost 10 assigned to each interface)
• Hop Count: None (limited by network)
• Variable Length Subnet Masks
• Summarization on Network Class Address or Subnet Boundary
• Load Balancing Across 6 Equal Cost Paths
• Timers: Hello Interval, Hello Multiplier
• Area Types: Hierarchical Topology similar to OSPF
• Router Types: Level 1 and Level 2
• LSP Types: Internal L1 and L2, External L2
• Designated Router Election, No BDR

Border Gateway Protocol (BGP)

Border Gateway Protocol is an exterior gateway protocol, which is different from
the interior gateway protocols discussed so far. The distinction is important since
the term autonomous system is used somewhat differently with protocols such as
EIGRP than it is with BGP. Exterior gateway protocols such as BGP route between
autonomous systems, which are assigned a particular AS number. AS numbers can
be assigned to an office with one or several BGP routers. The BGP routing table is
comprised of destination IP addresses, an associated AS-Path to reach that
destination and a next hop router address. The AS-Path is a collection of AS
numbers that represent each office involved with routing packets. Contrast that with
EIGRP, which uses autonomous systems as well. The difference is their
autonomous systems refer to a logical grouping of routers within the same
administrative system.
An EIGRP network can configure many autonomous systems. They are all
managed by the company for defining route summarization, redistribution and
filtering. BGP is utilized a lot by Internet Service Providers (ISP) and large
enterprise companies that have dual homed internet connections with single or dual
routers homed to the same or different Internet Service Providers. BGP will route
packets across an ISP network, which is a separate routing domain that is managed
by them.

The ISP has its own assigned AS number, which is assigned by InterNIC. New
customers can either request an AS assignment for their office from the ISP or
InterNIC. A unique AS number assignment is required for customers when they
connect using BGP. There are 10 defined attributes that have a particular order or
sequence, which BGP utilizes as metrics to determine the best path to a destination.

Companies with only one circuit connection to an ISP will implement a default
route at their router, which forwards any packets that are destined for an external
network. BGP routers will redistribute routing information (peering) with all IGP
routers on the network (EIGRP, RIP, OSPF etc) which involve exchange of full
routing tables. Once that is finished, incremental updates are sent with topology
changes. Each BGP router can be configured to filter routing broadcasts with route
maps instead of sending/receiving the entire internet routing table.

BGP Routing Table Components

• Destination IP Address / Subnet Mask
• AS-Path
• Next Hop IP Address
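To show how the three table components above are used, the block below builds a small BGP table from received advertisements and looks destinations up in it. It is an added example, not code from the document: the prefixes, next hops and AS numbers are constructed from the documentation ranges, and of the ten path attributes the text mentions only AS-path length is applied here, together with the AS-path loop check (an advertisement whose path already contains the local AS is rejected) that BGP performs before any attribute comparison.

```python
"""BGP table entries (prefix, AS-path, next hop): loop rejection,
shortest-AS-path preference and longest-prefix lookup.  Added example,
not from the document; all addresses and AS numbers are constructed."""
import ipaddress

LOCAL_AS = 64500   # constructed local AS number (documentation range)

# Constructed advertisements received from two upstream neighbours.
RECEIVED = [
    # (prefix, AS-path as a list of AS numbers, next-hop router)
    ("203.0.113.0/24",   [64501, 64510],        "192.0.2.1"),
    ("203.0.113.0/24",   [64502, 64505, 64510], "192.0.2.2"),
    ("203.0.113.128/25", [64502, 64510],        "192.0.2.2"),
    ("198.51.100.0/24",  [64501, 64500, 64507], "192.0.2.1"),  # contains our own AS
]


def accept(as_path):
    """BGP loop prevention: drop a route whose AS-path already lists the
    local AS, because it has already passed through this network."""
    return LOCAL_AS not in as_path


def best_paths(received):
    """Keep, per prefix, the accepted route with the shortest AS-path.
    (The real decision process checks other attributes first; this
    example applies the AS-path length step only.)"""
    table = {}
    for prefix, as_path, next_hop in received:
        if not accept(as_path):
            continue
        net = ipaddress.ip_network(prefix)
        current = table.get(net)
        if current is None or len(as_path) < len(current[0]):
            table[net] = (as_path, next_hop)
    return table


def lookup(table, address):
    """Longest-prefix match: the most specific matching entry wins.
    Returns (prefix, (as_path, next_hop)) or None when nothing matches."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    net = max(matches, key=lambda n: n.prefixlen)
    return str(net), table[net]
```

Two things the constructed data brings out: 203.0.113.200 is forwarded to 192.0.2.2 because the /25 is more specific, even though the /24 has the shorter AS-path; and 198.51.100.0/24 never enters the table because the advertisement carries AS 64500, so a lookup for it returns nothing and a default route, if one exists, would be used instead.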

Campus LAN Basics – LAN Switching Fundamentals

LAN switching is a form of packet switching used in Local Area Networks. It is
performed in hardware at the Data Link Layer, and LAN switches forward frames
based on their MAC addresses.

LAN Switch process

LAN switches provide much higher port density at a lower cost than traditional
bridges, which allows LAN switches to accommodate network designs featuring
fewer users per segment (microsegmentation), thereby increasing the average
available bandwidth per user. Switches can use three main forwarding techniques,
as follows:

• Store-and-Forward Switching
• Cut-Through Switching
• Fragment-Free Switching

Store-and-Forward Switching

This LAN switch forwarding method copies the entire frame into the switch buffer
and performs a Cyclic Redundancy Check (CRC) for errors within the frame.
Because of the CRC, this method of forwarding is the slowest and most processor-
intensive.

However, the plus side to this method is that it is also the most efficient because it
avoids forwarding frames with errors. For example, if a received frame is less than
64 bytes in length (which is considered a runt) or more than 1518 bytes in length
(which is considered a giant), then the switch will discard the frame.
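The checks a store-and-forward switch makes once the whole frame is buffered (runt, giant, and CRC) can be written out directly. The block below is an added example, not code from the document: it constructs a few Ethernet frames in memory, computes the frame check sequence with the standard CRC-32 (Ethernet's FCS, transmitted least-significant byte first) and returns the forward/drop decision. The 64/1518-byte limits are the untagged frame sizes the text gives, counted including the 4-byte FCS.

```python
"""Store-and-forward checks on an Ethernet frame: runt / giant length
limits and FCS (CRC-32) verification.  Added example, not from the
document; the frames below are constructed in memory."""
import zlib

MIN_FRAME = 64      # bytes including FCS; anything shorter is a runt
MAX_FRAME = 1518    # bytes including FCS; anything longer is a giant


def append_fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS = CRC-32 of everything from destination MAC to the end
    of the payload, appended least-significant byte first."""
    fcs = zlib.crc32(frame_without_fcs) & 0xFFFFFFFF
    return frame_without_fcs + fcs.to_bytes(4, "little")


def store_and_forward_check(frame: bytes) -> str:
    """Decision a store-and-forward switch makes after buffering the whole
    frame: 'forward', or a drop reason."""
    if len(frame) < MIN_FRAME:
        return "drop: runt"
    if len(frame) > MAX_FRAME:
        return "drop: giant"
    body, fcs = frame[:-4], frame[-4:]
    expected = (zlib.crc32(body) & 0xFFFFFFFF).to_bytes(4, "little")
    if expected != fcs:
        return "drop: bad FCS"
    return "forward"


def build_frame(dst_hex: str, src_hex: str, ethertype: int, payload: bytes) -> bytes:
    """dst(6) + src(6) + type(2) + payload, padded to the 60-byte minimum
    so that the frame is 64 bytes once the FCS is added."""
    header = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + ethertype.to_bytes(2, "big")
    body = (header + payload).ljust(60, b"\x00")
    return append_fcs(body)


# Constructed sample frames (locally administered source MAC, IPv4 ethertype).
GOOD = build_frame("ffffffffffff", "0200000000aa", 0x0800, b"constructed payload")
CORRUPT = GOOD[:20] + bytes([GOOD[20] ^ 0x01]) + GOOD[21:]   # one bit flipped in transit
RUNT = GOOD[:40]                                            # truncated by a collision
GIANT = append_fcs(GOOD[:-4] + b"\x00" * 1500)              # valid FCS but too long
```

A cut-through switch would already have started transmitting CORRUPT after reading its 6-byte destination address; only the store-and-forward check, which sees the FCS last, can refuse it.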

Cut-Through Switching

In cut-through switching, the frame header is inspected and the Destination
Address (DA) of the frame is copied into the internal memory of the switch before
the frame is forwarded.

Because only the frame header is inspected before the switch begins to forward the
frame, once it reads the destination MAC address, this forwarding method is very
fast and reduces latency, which is the amount of time it takes a packet to travel
from source to destination.

This is the fastest switching method and is sometimes referred to as Fast Forward
or Real Time switching. However, with speed comes some consequence in that the
switch also forwards frames with errors. It is up to the destination switch to discard
received frames with errors.

Fragment-Free Switching
Fragment-free switching waits for the collision window, which is the first 64 bytes
of a frame, to be accepted before forwarding the frame to its destination. The
fragment-free switching method holds the packet in memory until the data portion
reaches the switch.

This switching method was developed primarily to address and solve the problem
encountered with late collisions, which occur when another system attempts to
transmit a frame after a host has transmitted at least the first 60 bytes of its frame.

Any network device will create some latency, and switches are no exception. The
cut-through and fragment-free switching methods were used primarily in older
switches to reduce latency when forwarding frames. However, as faster processors
and ASICs were developed and introduced into newer switches, latency became a
non-factor. Instead, greater emphasis was placed on efficiency and data integrity,
and, as a result, all new Cisco Catalyst switches utilize store-and-forward
switching.

Symmetric and Asymmetric LAN Switching

LAN switching can be characterized based on the proportion of bandwidth that is
allocated to each port. LAN switching can therefore be classified into one of two
categories, as follows:

1. Symmetric LAN Switching
2. Asymmetric LAN Switching

Symmetric switching provides evenly distributed bandwidth to each port on the
switch. A symmetric LAN switch provides switched connections between ports
with the same bandwidth, such as all FastEthernet ports, for example. Symmetric
switching is therefore optimized for a reasonably distributed traffic load, such as
one found in a peer-to-peer desktop environment. This concept is illustrated in
Figure 1-11 below:

Fig. 1-11. Switching in a Peer-to-Peer Environment

The diagram above illustrates a typical peer-to-peer LAN using symmetric
switching. The symmetric LAN switch provides switched connections between the
100Mbps ports.

Asymmetric switching provides unequal bandwidth between ports on a switch. An
asymmetric LAN switch provides switched connections between ports of different
bandwidths, such as a combination of Ethernet, FastEthernet, and even
GigabitEthernet ports, for example. This type of switching is also called
10/100/1000 switching in that some hosts may be using 10Mbps connections,
others 100Mbps connections, and others 1000Mbps connections. This is the most
common type of switching.

Asymmetric switching is optimized for client-server environments in which
multiple clients simultaneously communicate with a server, which requires that
more bandwidth be dedicated to the server port to prevent a bottleneck at that port.
The asymmetric switching concept is illustrated in Figure 1-12 below:

Fig. 1-12. Asymmetric Switching

In the diagram illustrated above, asymmetric switching is being used in a client-
server environment. The client machines are all connected using FastEthernet
links, while the server is connected using a GigabitEthernet link. The asymmetric
LAN switch provides switched connections between the different bandwidth ports.

An internetwork consists of different types of media, such as Ethernet, Token
Ring, and FDDI, connected together by routers, enabling these different standards
to communicate in a manner that is transparent to the end user. The term
‘internetworking’ refers to the industry, products, and procedures that meet the
challenge of creating and administering internetworks.

A switched internetworking solution is comprised of both routers and switches.
The routers and switches used within the internetwork are responsible for the
following:

• The switching of data frames
• The maintenance of switching operations

The switching of data frames typically is performed in a store-and-forward
operation in which a frame arrives on an input media and is transmitted to an
output media. The two most common methods of switching data frames are Layer
2 switching and Layer 3 switching.

As described in the previous section, the primary difference between Layer 2
switching and Layer 3 switching is the information used to determine the output
interface. In Layer 2 switching, the destination Layer 2 address (MAC address) is
used to determine the egress interface of the frame, while in Layer 3 switching, the
Layer 3 address (Network address) is used to determine the egress interface of the
frame.

Switches maintain switching operations by building and maintaining switching
tables, as well as by preventing loops within the switched network. Routers support
switching operations by building and maintaining routing tables and service tables,
such as ARP tables, for example. Within the switched internetwork, switches offer
the following benefits:

• High bandwidth
• Quality of Service (QoS)
• Low cost
• Easy configuration

Routers (or Multilayer switches) also provide several benefits, which include the
following:

• Broadcast prevention
• Hierarchical network addressing
• Internetworking
• Fast convergence
• Policy routing
• Quality of Service routing
• Security
• Redundancy and load balancing
• Traffic flow management
• Multimedia group membership

When designing a switched LAN, it is important to be familiar with the following:

• The differences between LAN switches and routers
• The advantages of using LAN switches
• The advantages of using routers
• The benefits of VLANs
• How to implement VLANs
• General network design principles
• Switched LAN network design principles

The Differences between Switches and Routers

In modern-day networks, Multilayer switches, such as the Cisco Catalyst 6500
series switches, merge router and switch functionality. Because of this blurred line,
it becomes even more important for network engineers to have a solid
understanding of the differences between LAN switches and network routers when
it comes to addressing the following design concerns:

• Network loops
• Network convergence
• Broadcast traffic
• Inter-subnet communication
• Network security
• Media dependence

LAN switches use the Spanning Tree Protocol (STP) to prevent Layer 2 loops.
This is performed by the Spanning Tree Algorithm (STA), which places redundant
links in a blocked state. Although this does prevent network loops, it also means
that only a subset of the network topology is used for forwarding data. Routers, on
the other hand, do not block redundant network paths; instead, they rely on routing
protocols in order to use the optimum path and to prevent loops.

A switched network is said to be converged when all ports are in a forwarding or
blocking state, while a routed network is said to be converged when all routers
have the same view of the network. Depending on the size of the switched
network, convergence might take a very long time. Routers have the advantage of
using advanced routing protocols, such as OSPF, that maintain a topology of the
entire network, allowing for rapid convergence.

By default, LAN switches will forward Broadcast, Multicast and unknown Unicast
frames out of every port except the one they arrived on. In large networks with
many of these types of packets, the LAN can become saturated quickly, resulting
in poor performance, packet loss, and an unpleasant user experience. Because
routers do not forward Broadcasts by default, they can be used to break up
Broadcast domains.

Although multiple physical switches can exist on the same LAN, they provide
connectivity to hosts on the assumption that they are all on the same logical
network. In other words, Layer 2 addressing assumes a flat address space with
universally unique addresses. Routers can use a hierarchical addressing structure,
which allows them to associate a logical addressing structure to a physical
infrastructure so that each network segment has an IP subnet. This provides a
routed network a more flexible traffic flow because routers can use the hierarchy to
determine optimal paths depending on dynamic factors, such as bandwidth, delay,
etc.

Both LAN switches and routers can provide network security, but this is based on
different information. Switches can be configured to filter based on many variables
pertaining to Data Link Layer frames. Routers can use Network and Transport
Layer information. Multilayer switches have the capability of providing both types
of filtering.

When designing switched internetworks, it is imperative to ensure that network
hosts use the MTU representing the lowest common denominator of all the
switched LANs that make up the internetwork. When using switches, however, this
results in poor performance and limits throughput, even on fast links. Unlike LAN
switches, however, most Layer 3 protocols can fragment packets that are too large
for a particular media type, so routed networks can accommodate different MTUs,
which allow them to maximize throughput in internetworks.

Table 1-1 below lists the minimum and maximum frame size for common types of
media that may be found within internetworks:

Table 1-1. Frame Size for Common Media Types

MEDIA TYPE       MINIMUM VALID FRAME SIZE   MAXIMUM VALID FRAME SIZE
Ethernet         46 bytes                   1500 bytes
Token Ring       32 bytes                   16 KB theoretical, 4 KB normal
Fast Ethernet    46 bytes                   1500 bytes
FDDI             32 bytes                   4468 bytes
Serial HDLC      14 bytes                   No limit, 4.5 KB normal


The Advantages of Using LAN Switches

LAN switches provide several advantages over bridges. These advantages include
increased bandwidth to users via microsegmentation and supporting VLANs,
which increase the number of Broadcast domains while reducing their overall size.
In addition to these advantages, Cisco Catalyst switches also support Automatic
Packet Recognition and Translation (APaRT).
Cisco’s APaRT technology recognizes and converts a variety of Ethernet protocol
formats into industry-standard CDDI and FDDI formats. Not all switches can
provide these functions.

The Advantages of Using Routers

Even within switched LANs, the importance of routers cannot be ignored. Routers,
or Multilayer switches, provide the following critical functions in switched LANs:

• Broadcast and Multicast control
• Media transition
• Network segment services

By default, routers do not forward Broadcast or Multicast packets. Instead, routers
control Broadcast and Multicast packets via the following three methods:

1. By caching the addresses of remote hosts and responding on behalf of
remote hosts
2. By caching advertised network services and responding on behalf of those
services
3. By providing special protocols, such as IGMP and PIM

Both routers and Multilayer switches can be used to connect networks of different
media types, such as Fiber, Ethernet, and Token Ring, for example. Therefore, if a
requirement for a switched campus network design is to provide high-speed
connectivity between different media, these devices play a significant part in the
design.

Routers are also responsible for providing Broadcast services, such as Proxy ARP,
to a local network segment. When designing the switched LAN, it is important to
consider the number of routers that can provide reliable services to a given network
segment or segments.

The Benefits of VLANs

VLANs solve some of the scalability problems of large, flat networks by breaking
down a single bridged domain into several smaller bridged domains. However, it is
important to understand that routing is instrumental in the building of scalable
VLANs because it is the only way to impose hierarchy on the switched VLAN
internetwork. The advantages provided by implementing VLANs include the
following:

• They increase network security by logical segmentation.
• They increase network flexibility and scalability.
• They can be used to enhance or improve network performance.
• They reduce the size of broadcast domains.
• They allow for differentiation between traffic types, such as voice and data.
• They aid in the ease of network administration and management.

A network switch (also called switching hub, bridging hub, officially MAC
bridge)[1] is networking hardware that connects devices on a computer network by
using packet switching to receive and forward data to the destination device.
A network switch is a multiport network bridge that uses MAC addresses to
forward data at the data link layer (layer 2) of the OSI model. Some switches can
also forward data at the network layer (layer 3) by additionally
incorporating routing functionality. Such switches are commonly known as layer-3
switches or multilayer switches.[2]
Switches for Ethernet are the most common form of network switch. The first
Ethernet switch was introduced by Kalpana in 1990.[3] Switches also exist for other
types of networks including Fibre Channel, Asynchronous Transfer Mode,
and InfiniBand.

Unlike less advanced repeater hubs, which broadcast the same data out of each of
their ports and let the devices decide what data they need, a network switch
forwards data only to the devices that need to receive it.
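The forwarding behaviour described here and in the earlier "Differences between Switches and Routers" section (known unicast delivered to one port; broadcast, multicast and unknown unicast flooded to every other port) comes from the MAC table the switch learns from source addresses. The block below is an added example, not code from the document or any vendor: a minimal learning switch with constructed port names and MAC addresses, returning the egress ports it would use for each frame.

```python
"""Learning switch: MAC table build-up, known-unicast forwarding and
flooding of broadcast, multicast and unknown-unicast frames.  Added
example, not from the document; port names and MACs are constructed."""


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}        # MAC address -> port it was learned on

    @staticmethod
    def is_group_address(mac: str) -> bool:
        """Broadcast (ff:ff:..) and multicast MACs have the I/G bit, the
        least-significant bit of the first octet, set to 1."""
        return (int(mac.split(":")[0], 16) & 0x01) == 1

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of egress ports."""
        # Learn: the source address is reachable through the ingress port.
        self.mac_table[src] = in_port
        others = [p for p in self.ports if p != in_port]
        if self.is_group_address(dst):
            return others                          # broadcast / multicast: flood
        if dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == in_port else [out]  # filter if on the same segment
        return others                              # unknown unicast: flood


def demo():
    """Constructed frame sequence: host A on Fa0/1, B on Fa0/2, C on Fa0/3."""
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    trace = [
        sw.receive("Fa0/1", a, b),                     # B unknown yet -> flood
        sw.receive("Fa0/2", b, a),                     # A learned -> Fa0/1 only
        sw.receive("Fa0/1", a, "ff:ff:ff:ff:ff:ff"),   # broadcast -> flood
        sw.receive("Fa0/3", c, "01:00:5e:00:00:01"),   # IPv4 multicast -> flood
        sw.receive("Fa0/2", b, c),                     # C learned -> Fa0/3 only
    ]
    return trace, dict(sw.mac_table)
```

The first and third frames show why a single large flat network degrades: every broadcast and every frame to a not-yet-learned address reaches every port, which is the traffic VLANs and routers are introduced to contain.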
Switching loops and STP

A loop in your LAN can bring down the whole network. You can avoid a loop by
using Spanning Tree protocol (STP). Let’s find out what Spanning Tree is, how it
works, and how it can save your day by preventing a loop on your network.

What is Spanning Tree?

The Spanning Tree protocol is a networking standard, as defined by the IEEE in
the 802.1d standard. The purpose of Spanning Tree is to prevent loops in the LAN
and to select the fastest network links, if there are redundant links in the network.
In the event that a link in the network goes down, Spanning Tree will failover to
the alternate link, if one exists.

If this sounds like what a routing protocol does then you are on the right track.
Routing protocols help devices route between WAN networks (prevent loops, use
alternate paths, etc) at Layer 3. Spanning Tree could be termed a Layer 2 routing
protocol for a LAN because it performs the same functions but for an Ethernet
network, regardless of IP addresses. So, Spanning Tree is not an IP routing
protocol but has some similar functions for the data-link layer (Layer 2).

How Spanning Tree works

Spanning Tree works by first using an algorithm to find redundant links in the
LAN and selecting the best paths. Its initial goal is to put every link into either
the Forwarding or the Blocking state. In the end, the links without a redundant
link and the best of the links that do have a redundant link are in forwarding
state. The redundant links that weren't as good as the selected links are in
blocking state.

Spanning Tree cannot use multiple links to the same destination. There is no load-
sharing feature with Spanning Tree. Any redundant link that is not as preferred is
blocked (essentially shut down) until the primary link goes down.

Because Spanning Tree is a complex protocol, this article won’t cover every
possible feature. We will, however, give you a solid overview of the protocol and
its process.
The three criteria Spanning Tree uses to decide if an interface should be in
forwarding state are:

• All interfaces on the root bridge are put in forwarding state.

• For other bridges that are not the root bridge, the port that is closest to the root
bridge is put in forwarding state.

• The bridge with the lowest administrative distance to the root bridge is called
the designated bridge. The Ethernet interface on the designated bridge is called
the designated port. That port is put into forwarding state.

But how is the root bridge elected? The root bridge is elected based on bridge
ID (usually the MAC address) and a priority. By default, all priorities are the
same so, by default, the switch with the lowest MAC address will become the root
bridge.

How is the lowest administrative cost to the root bridge calculated? This is based
on the speed of the links across the LAN, to get to that root bridge. STP uses
default port costs to calculate this. These port costs can be overridden by an
administrator. Here are the default STP port costs:

• 10Mb link – Cost is 100

• 100Mb link – Cost is 19

• 1Gb link – Cost is 4

• 10Gb link – Cost is 2

The costs shown are revised costs from the original STP default port costs. The
IEEE did not anticipate the massive increase in speed now offered by Ethernet.
Because of this, 1Gb and 10Gb links could not be accommodated by the old default
costs, and the costs had to be revised.
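The election and cost rules above, worked through in code. This is an added example, not code from the original article: it models a constructed triangle of three switches (names, MAC addresses and priorities are made up), elects the root by (priority, MAC), computes each bridge's cost to the root from the default port costs listed above, and reports which port ends up Blocking. The `with_priority` helper shows the administrator's lever: pinning the root with a low priority instead of letting the lowest MAC address win the election.

```python
from dataclasses import dataclass
import heapq

# Revised IEEE 802.1D default port costs quoted in the article (Mb/s -> cost).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Link:
    """One LAN segment joining a port on bridge `a` to a port on bridge `b`."""
    a: str
    a_port: int
    b: str
    b_port: int
    speed: int  # Mb/s, looked up in PORT_COST


def bridge_id(priority, mac):
    """STP compares priority first, then MAC address; the lowest tuple wins."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges):
    """bridges maps name -> (priority, mac). Returns the root bridge's name."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))


def root_path_costs(bridges, links, root):
    """Dijkstra over the LAN: cheapest sum of port costs from each bridge to the root."""
    adj = {n: [] for n in bridges}
    for l in links:
        adj[l.a].append((l.b, PORT_COST[l.speed]))
        adj[l.b].append((l.a, PORT_COST[l.speed]))
    cost = {n: float("inf") for n in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > cost[n]:
            continue
        for m, c in adj[n]:
            if d + c < cost[m]:
                cost[m] = d + c
                heapq.heappush(heap, (cost[m], m))
    return cost


def port_roles(bridges, links):
    """Return (root, {(bridge, port): 'root' | 'designated' | 'blocking'})."""
    root = elect_root(bridges)
    cost = root_path_costs(bridges, links, root)
    roles = {}
    # Root port: on every non-root bridge, the port whose neighbour offers the
    # lowest root path cost; ties go to the lower neighbour bridge ID, then port.
    for name in bridges:
        if name == root:
            continue
        candidates = []
        for l in links:
            for me, my_port, nb, nb_port in ((l.a, l.a_port, l.b, l.b_port),
                                             (l.b, l.b_port, l.a, l.a_port)):
                if me == name:
                    candidates.append((cost[nb] + PORT_COST[l.speed],
                                       bridge_id(*bridges[nb]), nb_port, my_port))
        roles[(name, min(candidates)[3])] = "root"
    # Designated port: per segment, the port of the bridge with the lower root
    # path cost (ties by bridge ID). Every root-bridge port is designated, since
    # its cost is 0. A port that is neither root nor designated is Blocking.
    for l in links:
        ka = (cost[l.a], bridge_id(*bridges[l.a]))
        kb = (cost[l.b], bridge_id(*bridges[l.b]))
        if ka <= kb:
            des, other = (l.a, l.a_port), (l.b, l.b_port)
        else:
            des, other = (l.b, l.b_port), (l.a, l.a_port)
        roles[des] = "designated"
        roles.setdefault(other, "blocking")
    return root, roles


# Constructed topology (not from the article): three switches in a triangle,
# two gigabit links (cost 4) and one Fast Ethernet link (cost 19).
BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
LINKS = [
    Link("SW1", 1, "SW2", 1, 1000),
    Link("SW1", 2, "SW3", 1, 100),
    Link("SW2", 2, "SW3", 2, 1000),
]


def blocked_ports(bridges, links):
    """Ports STP leaves in Blocking state. With equal priorities SW1 (lowest MAC)
    is root, SW3 reaches it more cheaply via SW2 (4+4) than directly (19), so
    SW3's port 1 on the slow link is the one blocked."""
    _, roles = port_roles(bridges, links)
    return sorted(p for p, r in roles.items() if r == "blocking")


def with_priority(bridges, name, priority):
    """Pin the root deliberately (e.g. priority 4096 on the core switch)."""
    out = dict(bridges)
    out[name] = (priority, bridges[name][1])
    return out


if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print("root:", root)
    for (br, port), role in sorted(roles.items()):
        print(f"{br} port {port}: {role}")
```

Re-running `port_roles` on `with_priority(BRIDGES, "SW3", 4096)` moves the root to SW3 and the blocked port to SW1's slow link, which is the recalculation the article describes when a switch is added or reconfigured.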

How does STP prevent loops?

Because the “best ports” are put into forwarding state and the other ports are put
into blocking state, there are no loops in the network. When a new switch is
introduced to the network, the algorithm and port states are recalculated to prevent
a new loop.
What happens when a link goes down?

Switches exchange BPDUs (bridge protocol data units) every 2 seconds. If the
remote switch's BPDUs stop arriving, it is assumed that that switch (and its links)
is down, and the Spanning Tree algorithm is recalculated.

What are the STP port states?

Whenever a new port is enabled, Spanning Tree goes through the following port
states to get that port to be either forwarding or blocking. They are:

• Blocking – does not forward any frames but still receives BPDUs from other
switches.

• Listening – same as blocking, but it is beginning its transition to forwarding
frames. Unlike Blocking, in Listening mode the port will send BPDUs.

• Learning – the second state in the transition to frame forwarding. In this state,
the switch receives MAC address information from devices on this switch port.

• Forwarding – transmits and receives frames. This is the normal state for a port.

• Disabled – the disabled state means that the switch port is administratively
disabled.

Straight-through, Crossover, and Rollover Wiring


Straight-Through Wired Cables

Straight-Through refers to cables that have the same pin assignments on each end
of the cable. In other words, Pin 1 on connector A goes to Pin 1 on connector B,
Pin 2 to Pin 2, etc. Straight-Through wired cables are most commonly used to
connect a host to a client. When we talk about cat5e patch cables, the
Straight-Through wired cat5e patch cable is used to connect computers, printers
and other network client devices to the router, switch or hub (the host device in
this instance).
Connector A    Connector B
Pin 1          Pin 1
Pin 2          Pin 2
Pin 3          Pin 3
Pin 4          Pin 4
Pin 5          Pin 5
Pin 6          Pin 6
Pin 7          Pin 7
Pin 8          Pin 8

Crossover Wired Cables

Crossover wired cables (commonly called crossover cables) are very much like
Straight-Through cables, with the exception that the TX and RX lines are crossed
(they are at opposite positions on either end of the cable). Using the 568-B
standard as an example below, you will see that Pin 1 on connector A goes to Pin 3
on connector B, Pin 2 on connector A goes to Pin 6 on connector B, etc. Crossover
cables are most commonly used to connect two hosts directly. Examples would be
connecting a computer directly to another computer, connecting a switch directly
to another switch, or connecting a router to a router.

Note: In the past, a crossover cable was required when connecting two host
devices directly. Nowadays most devices have auto-sensing technology that detects
the cable and device and crosses the pairs when needed.

Connector A    Connector B
Pin 1          Pin 3
Pin 2          Pin 6
Pin 3          Pin 1
Pin 4          Pin 4
Pin 5          Pin 5
Pin 6          Pin 2
Pin 7          Pin 7
Pin 8          Pin 8

Rollover Wired Cables


Rollover wired cables, most commonly called rollover cables, have opposite pin
assignments on each end of the cable; in other words, the cable is "rolled over".
Pin 1 of connector A would be connected to Pin 8 of connector B, Pin 2 of
connector A would be connected to Pin 7 of connector B, and so on. Rollover
cables, sometimes referred to as Yost cables, are most commonly used to connect to
a device's console port to make configuration changes to the device. Unlike
crossover and straight-wired cables, rollover cables are not intended to carry data
but instead create a management interface with the device.

Connector A    Connector B
Pin 1          Pin 8
Pin 2          Pin 7
Pin 3          Pin 6
Pin 4          Pin 5
Pin 5          Pin 4
Pin 6          Pin 3
Pin 7          Pin 2
Pin 8          Pin 1

What is PSTN? (Public Switched Telephone Network)

PSTN stands for Public Switched Telephone Network, or the traditional
circuit-switched telephone network. This is the system that has been in general
use since the late 1800s.

Using underground copper wires, this legacy platform has provided businesses and
households alike with a reliable means to communicate with anyone around the
world for generations.

The phones themselves are known by several names, such as PSTN, landlines, Plain
Old Telephone Service (POTS), or fixed-line telephones.

PSTN phones are widely used and generally still accepted as a standard form of
communication. However, they have seen a steady decline over the last decade. In
fact, there are currently just 972 million fixed-line telephone subscriptions in
use worldwide, the lowest tally this century so far.

How Do PSTN Phone Lines Work?

Think of a Public Switched Telephone Network (PSTN) as a combination of telephone
networks used worldwide, including telephone lines, fiber optic cables, switching
centers, cellular networks, as well as satellites and cable systems. These help
telephones communicate with each other.

Put simply, when you dial a phone number your call moves through the network to
reach its destination – and two phones get connected. To fully understand how
POTS actually works, consider what happens when you dial a number from your own
phone.

• Step #1 – Your telephone set converts sound waves into electrical signals.
These signals are then transmitted to a terminal via a cable.

• Step #2 – The terminal collects the electrical signals and transmits these to
the central office (CO).

• Step #3 – The central office routes the calls in the form of electrical signals
through fiber optic cable. The fiber optic conduit then carries these signals in
the form of light pulses to their final destination.

• Step #4 – Your call is routed to a tandem office (a regional hub responsible
for transmitting calls to distant central offices) or a central office (for local
calls).

• Step #5 – When your call reaches the right office, the signal is converted back
to an electrical signal and is then routed to a terminal.

• Step #6 – The terminal routes the call to the appropriate telephone number.
Upon receiving the call, the telephone set converts the electrical signals back to
sound waves.

This may sound complicated, but the thing to remember is that it takes only a few
seconds for your call to reach its destination. This process is facilitated by
fiber optic cables and a global network of switching centers.

PSTN – Understanding The Art of Switching

You could say that PSTNs are all about switching, which forms the backbone of
traditional phone networks. When a call is made, switches create a wire circuit
between two telephones, with this particular connection lasting as long as the
duration of the call.

Now, let's have a look at each of the four types of switching which take place at
different levels.

1. The Local Exchange

A local exchange – which may consist of one or more exchanges – hooks up
subscribers to a PSTN line. Also known as a central office or a switching
exchange, a telephone exchange may have as many as 10,000 lines.

All telephones in a specific area are connected to the local exchange.
Interestingly, if you were to dial the number of your supplier located in the
building next to yours, the call won't leave your local exchange and will be
routed to the supplier as soon as it reaches the exchange.

The exchange identifies the number dialed so it can route the call towards the
correct end destination. This process works as follows: the first three digits of
a phone number represent the exchange (the local switch), while the last four
digits identify the individual subscriber within that exchange. This means that
when you dial a number and it reaches your local exchange, your call is
immediately linked to the subscriber without the need for any further routing.

2. The Tandem Office

Also known as a junction network, a tandem office serves a large geographical area
comprising several local exchanges while managing switching between local
exchanges.

Let's say you dialed the number of a client who lives in the same city but in
another suburb. In this case your call will be routed from your local exchange to
a tandem office, and the tandem office will route the signal on to the local
exchange near your client's location.

3. The Toll Office

This is where any national long-distance switching takes place.

A toll office is connected to all the tandem offices. For instance, if you have an
office in another city you'll find that, whenever you dial that branch's number,
your call will be switched through a toll office.

4. The International Gateway

International gateways manage international call switching, routing domestic
calls to the appropriate countries.

Asymmetric Digital Subscriber Loop (ADSL)



Asymmetric Digital Subscriber Line (ADSL) is a type of broadband
communications technology that transmits digital data at a high bandwidth over
existing phone lines to homes and businesses.
In order to access ADSL, a Digital Subscriber Line modem (DSL modem) is
installed at the client side. The DSL modem sends data bits over the local loop of
the telephone network. The local loop is a two – wire connection between the
subscriber’s house and the end office of the telephone company. The data bits are
accepted at the end office by a device called Digital Subscriber Line Access
Multiplexer (DSLAM).
Features of ADSL
• ADSL is one among the DSL family of technologies.
• ADSL is used in the local loop of the telephone network, i.e. the part of the
telephone network that connects the customer premises with the end office
of the telephone company.
• The telephone company uses a Digital Subscriber Line Access Multiplexer
(DSLAM) at its end office so that multiple ADSL users can be connected to
the high-speed backbone network.
• Most ADSL communications are full-duplex communication. It is achieved
by any of the following technologies −
o frequency-division duplex (FDD)
o echo-cancelling duplex (ECD)
o time-division duplex (TDD)
• The most common technology uses FDD. Here two separate bands are used
for upstream and downstream communications.
• ADSL uses the frequency band 26.075 kHz to 137.825 kHz for upstream
communication and 138–1104 kHz for downstream communication. Voice
transmission occupies less than 4 kHz, so data transmission can occur
simultaneously with voice transmission.
• ADSL filters are used on customer premises with non-DSL connections.
• ADSL uses analog sinusoidal carrier waves for data transmission. The waves
are modulated and demodulated at the customer premises with ADSL
modems.
Windows Server 2016
Windows Server 2016 is a server operating system developed by Microsoft as part
of the Windows NT family of operating systems, developed concurrently
with Windows 10. The first early preview version (Technical Preview) became
available on October 1, 2014 together with the first technical preview of System
Center.[6] Windows Server 2016 was released on September 26, 2016 at
Microsoft's Ignite conference and became generally available on October 12,
2016.[2] It has two successors: Windows Server 2019, and the Windows Server
Semi-Annual Channel, which excludes the graphical user interface and many older
components.

Hyper-V

• Rolling Hyper-V cluster update: Unlike upgrading clusters from Windows 2008
R2 to 2012 level, Windows Server 2016 cluster nodes can be added to a Hyper-V
Cluster with nodes running Windows Server 2012 R2. The cluster continues to
function at a Windows Server 2012 R2 feature level until all of the nodes in the
cluster have been upgraded and the cluster functional level has been
upgraded.[22]
• Storage quality of service (QoS) to centrally monitor end-to-end storage
performance and create policies using Hyper-V and Scale-Out File Servers
• New, more efficient binary virtual machine configuration format (.VMCX
extension for virtual machine configuration data and the .VMRS extension for
runtime state data)
• Production checkpoints
• Hyper-V Manager: Alternate credentials support, down-level management,
WS-Management protocol
• Integration services for Windows guests distributed through Windows Update
• Hot add and remove for network adapters (for generation 2 virtual machines)
and memory (for generation 1 and generation 2 virtual machines)
• Linux secure boot
• Connected Standby compatibility
• Storage Resiliency feature of Hyper-V, for detecting transitory loss of
connectivity to VM storage. VMs are paused until connectivity is
re-established.[23]
• RDMA compatible Virtual Switch
Windows Server 2016 has a variety of new features, including

• Active Directory Federation Services: It is possible to configure AD FS to
authenticate users stored in non-AD directories, such as X.500 compliant
Lightweight Directory Access Protocol (LDAP) directories and SQL
databases.[7]
• Windows Defender: Windows Server Antimalware is installed and enabled by
default without the GUI, which is an installable Windows feature.[8]
• Remote Desktop Services: Support for OpenGL 4.4 and OpenCL 1.1,
performance and stability improvements; MultiPoint Services role
(see Windows MultiPoint Server)[9]
• Storage Services: Central Storage QoS Policies; Storage Replicas (storage-
agnostic, block-level, volume-based, synchronous and asynchronous replication
using SMB3 between servers for disaster recovery).[10] Storage Replica
replicates blocks instead of files; files can be in use. It's not multi-master, not
one-to-many and not transitive. It periodically replicates snapshots, and the
replication direction can be changed.
• Failover Clustering: Cluster operating system rolling upgrade, Storage
Replicas[11]
• Web Application Proxy: Preauthentication for HTTP Basic application
publishing, wildcard domain publishing of applications, HTTP to HTTPS
redirection, Propagation of client IP address to backend applications[12]
• IIS 10: Support for HTTP/2
• Windows PowerShell 5.1[13]
• Windows Server Containers [14]
Networking features

• DHCP: As Network Access Protection was deprecated in Windows Server
2012 R2, in Windows Server 2016 the DHCP role no longer supports NAP
• DNS:
o DNS client: Service binding – enhanced support for computers with more
than one network interface
o DNS Server: DNS policies, new DNS record types (TLSA, SPF, and
unknown records), new PowerShell cmdlets and parameters[17]
• Windows Server Gateway now supports Generic Routing Encapsulation (GRE)
tunnels
• IP address management (IPAM): Support for /31, /32, and /128 subnets;
discovery of file-based, domain-joined DNS servers; new DNS functions; better
integration of DNS, DHCP, and IP Address (DDI) Management
• Network Controller: A new server role to configure, manage, monitor, and
troubleshoot virtual and physical network devices and services in the datacentre
• Hyper-V Network virtualization: Programmable Hyper-V switch (a new
building block of Microsoft's software-defined
networking solution); VXLAN encapsulation support; Microsoft Software Load
Balancer interoperability; better IEEE Ethernet standard compliance.


What is Server Virtualization?


Server virtualization, like the other virtualization definitions we've discussed so
far, is simply the separation of computing functions such as the processors,
memory, and operating system from the actual physical server with the intent of
allowing system administrators to run multiple virtualized servers on a single,
physical server.
To achieve this, an administrator uses special software to carve the physical
server's resources into a number of isolated virtual machines (VMs), which are
appropriately referred to as virtual private servers. Some other terms for these
virtual environments are guests, instances, and containers.
As mentioned in Chapter 1, “How Virtualization Happens,” there are a number of
virtualization approaches. The three most popular approaches for server
virtualization are as follows:
The operating system virtualization approach
Each approach has strengths and weaknesses and is often chosen based on the
needs of the organization.
The Purpose of Server Virtualization
There are a number of reasons why an organization would want to utilize server
virtualization. The most common answer is to save money. According to research
done by Brown Associates, Inc. in Port Chester, NY, a typical server runs at only
15 to 20 percent of its capacity.
Naturally, with a figure like this, it's easy to see why an organization would rather
operate in a virtualized environment and reclaim the 80 to 85 percent of the lost
clock cycles that aren't being used.
However, the money savings don't stop with simply getting the most out of a
physical server. Some of the other benefits of server virtualization are space
savings in an organization's data center and fewer physical machines. It's rather
simple. Fewer machines also mean fewer servers to maintain. The opposite of this
is called server sprawl, in which several underutilized servers take up more space
and consume more electricity than can be justified. In short, they become part of
the problem. Server sprawl is primarily caused by the availability of inexpensive
servers and the administrative practice of dedicating one server to one application.
In addition to reducing server sprawl, server virtualization helps reduce wasteful
energy consumption, which eases the strain on the overburdened power grid and
has positive benefits for the environment. Virtual servers also give an organization
a much more flexible operating environment in which code and machine crashes
can now be reset with the click of a mouse, not with the rebuilding or reimaging of
an entire server.
Storage Virtualization
Storage virtualization is similar to other virtualization in that the physical hard
drive is separated from the function of storing data. There are a number of ways to
package storage virtualization, but the most common way is when several physical
disks appear as a single unit of storage space. Aside from the convenience of
behaving as a single unit of hard drive space, storage virtualization also allows for
easier data migration between drives without any downtime, which is a huge
advantage in almost any environment.
Storage virtualization has the following characteristics:
1. The availability of logical volumes separate from physical hard disk constraints
2. The capability of abstracting multivendor storage devices into one group and
reallocating storage space independently of size or physical location
3. The capability of having automated storage optimization and management
With this kind of flexibility, there are three issues that are immediately resolved.
The first is manageability; storage virtualization increases the effectiveness of
administrators by streamlining the management process. The second is scalability,
which by design is able to add new capacity rapidly as demand changes. The third
is availability, which reduces downtime due to drive failures or configuration
changes. Having this level of inherent convenience allows for significantly
improved data management and storage efficiency.

Virtual Machines and Hypervisor


Server virtualization adopts the one-to-many approach. In other words, a single
physical server is partitioned to appear as multiple independent logical servers. The
logical server corresponds to a VM providing a complete system platform that
supports the execution of a complete operating system. Once the physical server is
partitioned, each logical server can autonomously run an operating system and
applications. Because the guest operating systems (OSs) do not have to be the
same, it is possible to run several OSs and applications simultaneously on the same
physical machine or server in a safe and controlled manner. The introduction of
more powerful x86 platforms built to support a virtual environment, namely, the
availability of multicore CPUs, the use of AMD Virtualization (AMD-V)[1] and the
Intel Virtualization Technology (Intel VT)[1], has made server virtualization more
adoptable.
Virtualization software is available on the market for different system
architectures. The most commonly known are VMware, XEN[2] and
Hyper-V.[3] Although they differ in architectures and features, all are based on the concept
of a VM that shares the hardware resources (CPU, memory, disks, and I/O of the
single physical server) with other VMs. The virtualization software typically
achieves this by inserting a thin layer of software directly on the computer
hardware or on a host OS. This software abstraction layer is commonly referred to
as a hypervisor or a virtual machine monitor (VMM).
The hypervisor decouples the underlying physical hardware (such as CPU,
memory, disks, and I/O) from the guest OS. It hides the actual hardware resources
of the physical server from the partitioned VMs and projects the impression of a
common pool of logical resources that can be shared among these VMs. The
functions of the hypervisor include:

• Creating VMs
• Allocating "hardware resources" to VMs from the virtualized pool of
hardware resources belonging to the physical server
• Monitoring the status of the VMs
• Taking part in the movement of VMs from one system to another

There are two types of hypervisors:

• Type 1 (or native, bare-metal) hypervisor: A Type 1 hypervisor runs directly
(at the first level) on the server's hardware to control the hardware and to
monitor the guest OS. The guest OS runs at the second level above the
hardware.
• Type 2 (or hosted) hypervisor: A Type 2 hypervisor runs within a
conventional OS environment with the hypervisor layer as a distinct second
software level, and the guest OS runs at the third level above the hardware.

The server virtualization portion of this chapter covers the Type 1 or bare-metal
hypervisor.

What Is Linux?

From smartphones to cars, supercomputers and home appliances, home desktops to
enterprise servers, the Linux operating system is everywhere.

Linux has been around since the mid-1990s and has since reached a user-base that
spans the globe. Linux is actually everywhere: It’s in your phones, your
thermostats, in your cars, refrigerators, Roku devices, and televisions. It also runs
most of the Internet, all of the world’s top 500 supercomputers, and the world’s
stock exchanges.

But besides being the platform of choice to run desktops, servers, and embedded
systems across the globe, Linux is one of the most reliable, secure and worry-free
operating systems available.

Here is all the information you need to get up to speed on the Linux platform.

What is Linux?

Just like Windows, iOS, and Mac OS, Linux is an operating system. In fact, one of
the most popular platforms on the planet, Android, is powered by the Linux
operating system. An operating system is software that manages all of the
hardware resources associated with your desktop or laptop. To put it simply, the
operating system manages the communication between your software and your
hardware. Without the operating system (OS), the software wouldn't function.

The Linux operating system comprises several different pieces:

1. Bootloader – The software that manages the boot process of your
computer. For most users, this will simply be a splash screen that pops up
and eventually goes away to boot into the operating system.
2. Kernel – This is the one piece of the whole that is actually called
"Linux". The kernel is the core of the system and manages the CPU,
memory, and peripheral devices. The kernel is the lowest level of the OS.
3. Init system – This is a sub-system that bootstraps the user space and is
charged with controlling daemons. One of the most widely used init
systems is systemd, which also happens to be one of the most
controversial. It is the init system that manages the boot process, once the
initial booting is handed over from the bootloader (i.e., GRUB or GRand
Unified Bootloader).
4. Daemons – These are background services (printing, sound, scheduling,
etc.) that either start up during boot or after you log into the desktop.
5. Graphical server – This is the sub-system that displays the graphics on
your monitor. It is commonly referred to as the X server or just X.
6. Desktop environment – This is the piece that the users actually interact
with. There are many desktop environments to choose from (GNOME,
Cinnamon, Mate, Pantheon, Enlightenment, KDE, Xfce, etc.). Each
desktop environment includes built-in applications (such as file
managers, configuration tools, web browsers, and games).
7. Applications – Desktop environments do not offer the full array of apps.
Just like Windows and macOS, Linux offers thousands upon thousands of
high-quality software titles that can be easily found and installed. Most
modern Linux distributions (more on this below) include App Store-like
tools that centralize and simplify application installation. For example,
Ubuntu Linux has the Ubuntu Software Center (a rebrand of GNOME
Software, Figure 1) which allows you to quickly search among the
thousands of apps and install them from one centralized location.

Why use Linux?

This is the one question that most people ask. Why bother learning a completely
different computing environment, when the operating system that ships with most
desktops, laptops, and servers works just fine?

To answer that question, I would pose another question. Does that operating
system you're currently using really work "just fine"? Or, do you find yourself
battling obstacles like viruses, malware, slowdowns, crashes, costly repairs, and
licensing fees?
If you struggle with the above, Linux might be the perfect platform for you. Linux
has evolved into one of the most reliable computer ecosystems on the planet.
Combine that reliability with zero cost of entry and you have the perfect solution
for a desktop platform.
That’s right, zero cost of entry… as in free. You can install Linux on as many
computers as you like without paying a cent for software or server licensing.

Let’s take a look at the cost of a Linux server in comparison to Windows Server
2016. The price of the Windows Server 2016 Standard edition is $882.00 USD
(purchased directly from Microsoft). That doesn’t include Client Access License
(CALs) and licenses for other software you may need to run (such as a database, a
web server, mail server, etc.). For example, a single user CAL, for Windows
Server 2016, costs $38.00. If you need to add 10 users, for example, that's $388.00
more for server software licensing. With a Linux server, it's all free and
easy to install. In fact, installing a full-blown web server (that includes a database
server) is just a few clicks or commands away (take a look at "Easy LAMP Server
Installation" to get an idea how simple it can be).

If zero cost isn't enough to win you over, what about having an operating system
that will work, trouble free, for as long as you use it? I’ve used Linux for nearly 20
years (as both a desktop and server platform) and have not had any issues with
ransomware, malware, or viruses. Linux is generally far less vulnerable to such
attacks. As for server reboots, they’re only necessary if the kernel is updated. It is
not out of the ordinary for a Linux server to go years without being rebooted. If
you follow the regular recommended updates, stability and dependability are
practically assured.

Open source

Linux is also distributed under an open source license. Open source follows these
key tenets:

• The freedom to run the program, for any purpose.
• The freedom to study how the program works, and change it to make it
do what you wish.
• The freedom to redistribute copies so you can help your neighbor.
• The freedom to distribute copies of your modified versions to others.

These points are crucial to understanding the community that works together to
create the Linux platform. Without a doubt, Linux is an operating system that is
"by the people, for the people". These tenets are also a main factor in why many
people choose Linux. It's about freedom: freedom of use and freedom of choice.

What is a “distribution?”

Linux has a number of different versions to suit any type of user. From new users
to hard-core users, you’ll find a “flavor” of Linux to match your needs. These
versions are called distributions (or, in the short form, “distros”). Nearly every
distribution of Linux can be downloaded for free, burned onto disk (or USB thumb
drive), and installed (on as many machines as you like).

Popular Linux distributions include:

• LINUX MINT
• MANJARO
• DEBIAN
• UBUNTU
• ANTERGOS
• SOLUS
• FEDORA
• ELEMENTARY OS
• OPENSUSE

20 Linux commands every sysadmin should know

Whether you are a new developer or want to manage your own application, the
following 20 basic sysadmin commands can help you better understand your
applications. They can also help you describe problems to sysadmins
troubleshooting why an application might work locally but not on a remote host.
These commands apply to Linux development environments, containers, virtual
machines (VMs), and bare metal.
1. curl

curl transfers a URL. Use this command to test an application's endpoint or
connectivity to an upstream service endpoint. curl can be useful for determining if
your application can reach another service, such as a database, or checking if your
service is healthy.

As an example, imagine your application throws an HTTP 500 error indicating it
can't reach a MongoDB database:

$ curl -I -s myapplication:5000
HTTP/1.0 500 INTERNAL SERVER ERROR

The -I option shows the header information and the -s option silences the response
body. Checking the endpoint of your database from your local desktop:

$ curl -I -s database:27017
HTTP/1.0 200 OK

So what could be the problem? Check if your application can get to other places
besides the database from the application host:

$ curl -I -s https://opensource.com
HTTP/1.1 200 OK

That seems to be okay. Now try to reach the database from the application host.
Your application is using the database's hostname, so try that first:

$ curl database:27017
curl: (6) Couldn't resolve host 'database'

This indicates that your application cannot resolve the database hostname:
either no DNS record exists for that name, or the host (container or VM) has no
nameserver it can use to resolve it. curl's exit code tells the two failure
classes apart: 6 is "couldn't resolve host", whereas a lookup that succeeds but
a connection that fails gives exit code 7.

2. python -m json.tool / jq
After you issue curl, the output of the API call may be difficult to read.
Sometimes you want to pretty-print the JSON output to find a specific entry.
Python has a built-in JSON library that can help with this: python -m json.tool
indents and organizes the JSON. To use it, pipe the JSON (from a file or straight
from curl) into the python -m json.tool command.

$ cat test.json
{"title":"Person","type":"object","properties":{"firstName":{"type":"strin
g"},"lastName":{"type":"string"},"age":{"description":"Age in
years","type":"integer","minimum":0}},"required":["firstName","lastNam
e"]}

To use the Python library, pipe the output to Python with the -m (module) option.

$ cat test.json | python -m json.tool
{
    "properties": {
        "age": {
            "description": "Age in years",
            "minimum": 0,
            "type": "integer"
        },
        "firstName": {
            "type": "string"
        },
        "lastName": {
            "type": "string"
        }
    },
    "required": [
        "firstName",
        "lastName"
    ],
    "title": "Person",
    "type": "object"
}
For more advanced JSON parsing, you can install jq. jq provides some options that
extract specific values from the JSON input. To pretty-print like the Python
module above, simply apply jq to the output.

$ cat test.json | jq
{
  "title": "Person",
  "type": "object",
  "properties": {
    "firstName": {
      "type": "string"
    },
    "lastName": {
      "type": "string"
    },
    "age": {
      "description": "Age in years",
      "type": "integer",
      "minimum": 0
    }
  },
  "required": [
    "firstName",
    "lastName"
  ]
}

3. ls

ls lists files in a directory. Sysadmins and developers issue this command quite
often. In the container space, this command can help determine your container
image's directory and files. Besides looking up your files, ls can help you examine
your permissions. In the example below, you can't run myapp because of a
permissions issue. When you check the permissions using ls -l, you see that the
mode -rw-r--r-- has no "x" in any position: the owner has read and write, group
and others have read only, and nobody has execute.

$ ./myapp
bash: ./myapp: Permission denied
$ ls -l myapp
-rw-r--r--. 1 root root 33 Jul 21 18:36 myapp

4. tail

tail displays the last part of a file. You usually don't need every log line to
troubleshoot. Instead, you want to check what your logs say about the most recent
request to your application. For example, you can use tail to check what happens
in the logs when you make a request to your Apache HTTP server.


Use tail -f to follow Apache HTTP logs and see the requests as they happen.

The -f option indicates the "follow" option, which outputs the log lines as they are
written to the file. The example has a background script that accesses the endpoint
every few seconds and the log records the request. Instead of following the log in
real time, you can also use tail to see the last 100 lines of the file with the
-n option.

$ tail -n 100 /var/log/httpd/access_log

5. cat
cat concatenates and prints files. You might issue cat to check the contents of your
dependencies file or to confirm the version of the application that you have already
built locally.

$ cat requirements.txt
flask
flask_pymongo

The example above checks whether your Python Flask application has Flask listed
as a dependency.

6. grep

grep searches its input for lines matching a pattern. If you are looking for a
specific pattern in the output of another command, grep prints only the relevant
lines. Use this command for searching log files, specific processes, and more. If
you want to see whether Apache Tomcat started up, you might be overwhelmed by the
number of lines. By piping that output to grep, you isolate the lines that
indicate server startup (grep can also read the file directly, without cat:
grep org.apache.catalina.startup.Catalina.start tomcat.log).

$ cat tomcat.log | grep org.apache.catalina.startup.Catalina.start
01-Jul-2017 18:03:47.542 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 681 ms

7. ps

ps shows process status. Use this command to determine a running application or
confirm an expected process. For example, if you want to check for a running
Tomcat web server, you use ps with its options to obtain the process ID of Tomcat.

$ ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 2 18:55 ? 00:00:02 /docker-java-home/jre/bi
root 59 0 0 18:55 pts/0 00:00:00 /bin/sh
root 75 59 0 18:57 pts/0 00:00:00 ps -ef

For even more legibility, pipe ps to grep. Note that the grep process itself
usually shows up in the output too, because its own command line contains the
search string; grep '[t]omcat' or pgrep -af tomcat avoids that.

$ ps -ef | grep tomcat
root 1 0 1 18:55 ? 00:00:02 /docker-java-home/jre/bi

8. env

env allows you to set or print the environment variables. During troubleshooting,
you may find it useful for checking if the wrong environment variable prevents
your application from starting. In the example below, this command is used to
check the environment variables set on your application's host.

$ env
PYTHON_PIP_VERSION=9.0.1
HOME=/root
DB_NAME=test
PATH=/usr/local/bin:/usr/local/sbin
LANG=C.UTF-8
PYTHON_VERSION=3.4.6
PWD=/
DB_URI=mongodb://database:27017/test

Notice that the application is using Python 3 and has environment variables to
connect to a MongoDB database. Environment variables often carry credentials (a
DB_URI with a password embedded in it, for example), and any process running as
the same user can read them from /proc/<pid>/environ, so treat env output as
sensitive before pasting it into a ticket or chat.

9. top

top displays and updates sorted process information. Use this tool to determine
which processes are running and how much memory and CPU they consume. A
common case occurs when you run an application and it dies a minute later. First,
you check the application's return error, which is a memory error.

$ tail myapp.log
Traceback (most recent call last):
MemoryError

Is your application really out of memory? To confirm, use top to determine how
much CPU and memory your application consumes. When issuing top, you notice
a Python application using most of the CPU, with its memory usage climbing, and
suspect it is your application. While it runs, you press the "c" key to toggle the
display of the full command line and confirm that the process is your application.
It turns out to be your memory-intensive application (memeater.py). When the host
as a whole runs out of memory, the kernel's out-of-memory (OOM) killer terminates
the process.


The memory and CPU usage of the application increases, eventually being OOM-killed.

By pressing the "c" key, you can see the full command that started the application.

In addition to checking your own application, you can use top to debug other
processes that utilize CPU or memory.

10. netstat

netstat shows the network status: which ports are in use and which connections
are open. netstat is no longer installed by default on many distributions; it
lives in the net-tools package, and ss (from iproute2) is its modern replacement
and accepts the same -tulpn options. As a developer who experiments locally or
pushes an application to a host, you may receive an error that a port is already
allocated or an address is already in use. Using netstat with the TCP, UDP,
listening, process and numeric options (-tulpn) shows that Apache HTTP server
already uses port 80 on the host below. The -p column, which names the owning
process, needs root to show processes belonging to other users.

Using netstat -tulpn shows that Apache already uses port 80 on this machine.

11. ip address

ip address is provided by the iproute2 package; if the command is missing on your
host, install that package. ip address shows the interfaces and IP addresses of your
application's host. Use it to verify your container's or host's IP address.
For example, when your container is attached to two networks, ip address can
show which interface connects to which network. For a simple check, you can
always use the ip address command to get the IP address of the host. The example
below shows that the web tier container has an IP address of 172.17.0.2 on
interface eth0.

Using ip address shows that the IP address of the eth0 interface is 172.17.0.2

12. lsof

lsof lists the open files associated with your application. On some Linux machine
images, you need to install lsof with the lsof package. In Linux, almost any
interaction with the system is treated like a file. As a result, if your application
writes to a file or opens a network connection, lsof will reflect that interaction as a
file. Similar to netstat, you can use lsof to check for listening ports. For example,
if you want to check if port 80 is in use, you use lsof to check which process is
using it. Below, you can see that httpd (Apache) listens on port 80. You can also
use lsof to check the process ID of httpd, examining where the web server's binary
resides (/usr/sbin/httpd).

The name of the open file in the list of open files helps pinpoint the origin of the
process, specifically Apache.
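What netstat -tulpn and lsof -i read under the hood is the kernel's socket table in /proc/net/tcp. The following is an added example (it is not code from the article) that parses that table and lists the sockets in LISTEN state; the table contents are constructed for the example, with a web server on 0.0.0.0:80, DNS and SSH bound to loopback, and one established outbound connection. Mapping a socket's inode to the owning process, which is what the -p column and lsof add, means scanning every /proc/<pid>/fd and needs root for other users' processes, so the example stops at the socket table.

```python
import socket

# Added example, not code from the original article: parse the kernel's
# /proc/net/tcp table, the source both netstat and ss read, and list the
# sockets in LISTEN state the way `netstat -tln` does. The table below is
# constructed for the example; on a real host pass open("/proc/net/tcp").read().
# (IPv6 sockets live in /proc/net/tcp6 with 32-hex-digit addresses; not handled here.)

SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0201A8C0:C350 0501A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

TCP_ESTABLISHED = 0x01       # state codes from the kernel's include/net/tcp_states.h
TCP_LISTEN = 0x0A


def parse_endpoint(field: str):
    """'0100007F:0035' -> ('127.0.0.1', 53). The kernel prints the IPv4 address
    as a hex word in host byte order (little-endian on x86), so the bytes are
    reversed before handing them to inet_ntoa."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1]), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    rows = []
    for line in text.splitlines()[1:]:           # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append({
            "local": parse_endpoint(parts[1]),
            "remote": parse_endpoint(parts[2]),
            "state": int(parts[3], 16),
            "uid": int(parts[7]),
            "inode": int(parts[9]),              # what -p / lsof map to a pid via /proc/<pid>/fd
        })
    return rows


def listening_sockets(text: str) -> list:
    """(address, port, uid) for every LISTEN socket. An address of 0.0.0.0 means
    the service accepts connections on every interface, which is the first thing
    to check on an exposed host."""
    return [(r["local"][0], r["local"][1], r["uid"])
            for r in parse_proc_net_tcp(text) if r["state"] == TCP_LISTEN]


def exposed_ports(text: str) -> list:
    """Listening ports bound to the wildcard address, i.e. reachable from other hosts."""
    return sorted(port for addr, port, _ in listening_sockets(text) if addr == "0.0.0.0")


if __name__ == "__main__":
    for addr, port, uid in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"LISTEN {addr}:{port} (uid {uid})")
    print("exposed to the network:", exposed_ports(SAMPLE_PROC_NET_TCP))
```

The byte-order reversal in parse_endpoint is the detail that trips people up when they read this file by hand: 0100007F is 127.0.0.1, not 1.0.0.127.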

13. df

You can use df (display free disk space) to troubleshoot disk space issues. When
you run your application on a container orchestrator, you might receive an error
message signaling a lack of free space on the container host. While disk space
should be managed and optimized by a sysadmin, you can use df to figure out the
existing space in a directory and confirm if you are indeed out of space.

df shows the disk space for each filesystem, its absolute space, and availability.

The -h option prints out the information in human-readable format. The example
above shows plenty of disk space on this host.

14. du

To retrieve more detailed information about which files use the disk space in a
directory, you can use the du command. If you want to find out which log takes
up the most space in the /var/log directory, for example, use du with the -h
(human-readable) option and the -s option for the total size of each entry.
$ du -sh /var/log/*
1.8M /var/log/anaconda
384K /var/log/audit
4.0K /var/log/boot.log
0 /var/log/chrony
4.0K /var/log/cron
4.0K /var/log/maillog
64K /var/log/messages

The example above reveals the largest directory under /var/log to be
/var/log/anaconda at 1.8M, followed by /var/log/audit. You can use du in
conjunction with df to determine what utilizes the disk space on your
application's host.

15. id

To check the user running the application, use the id command to return the user
identity. The example below uses Vagrant to test the application and isolate its
development environment. After you log into the Vagrant box, if you try to install
Apache HTTP Server (a dependency) the system states that you cannot perform the
command as root. To check your user and group, issue the id command and notice
that you are running as the "vagrant" user in the "vagrant" group.

$ yum -y install httpd
Loaded plugins: fastestmirror
You need to be root to perform this command.
$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

To correct this, run the command with sudo (or as root), which provides the
elevated privileges the package manager needs; prefer sudo for individual
commands over working in a persistent root shell.

16. chmod

When you run your application binary for the first time on your host, you may
receive the error message "permission denied." As seen in the example for ls, you
can check the permissions of your application binary.
$ ls -l
total 4
-rw-rw-r--. 1 vagrant vagrant 34 Jul 11 02:17 test.sh

This shows that you don't have execution rights (no "x") to run the
binary. chmod can correct the permissions to enable your user to run the binary.

$ chmod +x test.sh
[vagrant@localhost ~]$ ls -l
total 4
-rwxrwxr-x. 1 vagrant vagrant 34 Jul 11 02:17 test.sh

As demonstrated in the example, this updates the permissions with execution
rights. Now when you try to execute your binary, the application doesn't throw a
permission-denied error. chmod may be useful when you load a binary into a
container as well. It ensures that your container has the correct permissions to
execute your binary. Grant only the bit you need (+x here) rather than reaching
for chmod 777, which makes the file writable by every user on the host.
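The permission check behind the ls and chmod examples above, as an added example in Python that is not part of the original article: it renders the mode string that ls -l prints, applies the owner/group/other execute test, and flags the bits a reviewer cares about (world-writable, setuid, setgid). The temporary script, its mode 664 and the 002 umask it assumes are chosen to match the ls -l output above; nothing else is taken from the page.

```python
import os
import stat
import tempfile

# Added example, not code from the original article: render the mode string that
# `ls -l` prints, apply the owner/group/other execute check, and flag the bits a
# security reviewer looks for (world-writable, setuid, setgid). Standard library only.


def mode_string(mode: int) -> str:
    """Render st_mode the way `ls -l` does, e.g. '-rw-rw-r--' or '-rwsr-xr-x'."""
    out = "d" if stat.S_ISDIR(mode) else "l" if stat.S_ISLNK(mode) else "-"
    for r, w, x, special, special_char in (
        (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
        (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
        (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
    ):
        out += "r" if mode & r else "-"
        out += "w" if mode & w else "-"
        if mode & special:
            # ls shows the special bit in the x column: lowercase if x is also set
            out += special_char if mode & x else special_char.upper()
        else:
            out += "x" if mode & x else "-"
    return out


def can_execute(mode: int, file_uid: int, file_gid: int, uid: int, gids) -> bool:
    """The ordinary execute check: owner bits if you own the file, else group
    bits if you are in its group, else the 'other' bits. Root, POSIX ACLs and
    noexec mounts are deliberately left out of this model."""
    if uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def risky_bits(mode: int) -> list:
    """Permission bits that usually deserve a second look in a review."""
    flags = []
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        flags.append("world-writable")
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    return flags


def demo() -> dict:
    """Reproduce the article's scenario: a script created without x, then chmod +x."""
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as f:
        f.write("#!/bin/sh\necho hello\n")
        path = f.name
    try:
        os.chmod(path, 0o664)                                    # -rw-rw-r-- as in the ls -l output
        before = os.stat(path)
        os.chmod(path, stat.S_IMODE(before.st_mode) | 0o111)    # what `chmod +x` does under umask 002
        after = os.stat(path)
        me, my_groups = os.getuid(), {os.getgid()}
        return {
            "before": mode_string(before.st_mode),
            "after": mode_string(after.st_mode),
            "can_run_before": can_execute(before.st_mode, before.st_uid, before.st_gid, me, my_groups),
            "can_run_after": can_execute(after.st_mode, after.st_uid, after.st_gid, me, my_groups),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
    print(mode_string(0o104755), risky_bits(0o104755))   # a setuid-root binary such as /usr/bin/passwd
```

risky_bits is the part worth keeping around: run it over a directory tree and the world-writable files and setuid binaries it reports are exactly what a hardening review starts with.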

17. dig / nslookup

The Domain Name System (DNS) resolves a hostname to the addresses of a set of
application servers. However, you may find that a hostname does not resolve,
which causes a connectivity issue for your application. For example, say you
attempt to access your database at the hostname mydatabase from your
application's host. Instead, you receive a "cannot resolve" error. To
troubleshoot, use dig (DNS lookup utility) or nslookup (query Internet name
servers) to figure out why the application can't resolve the database.

$ nslookup mydatabase
Server: 10.0.2.3
Address: 10.0.2.3#53

** server can't find mydatabase: NXDOMAIN

Using nslookup shows that the configured server (10.0.2.3) answers NXDOMAIN:
the name simply does not exist in DNS. dig fails too, though its error is
different: it could not reach any server at all, which points at the host's
resolver configuration rather than at the zone.

$ dig mydatabase
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> mydatabase
;; global options: +cmd
;; connection timed out; no servers could be reached

These errors could be caused by many different issues. If you can't debug the root
cause, reach out to your sysadmin for more investigation. For local testing, this
issue may indicate that your host's nameservers (listed in /etc/resolv.conf)
aren't configured appropriately. To use these commands, install the BIND
utilities package (bind-utils on Fedora, RHEL and CentOS; dnsutils on Debian and
Ubuntu).

18. iptables

iptables blocks or allows traffic on a Linux host, similar to a network firewall
(it is the classic front end to the kernel's netfilter packet filter; nftables is
its successor, and iptables-nft translates between the two). This tool may prevent
certain applications from receiving or transmitting requests. More specifically,
if your application has difficulty reaching another endpoint, iptables may be
denying traffic to the endpoint. For example, imagine your application's host
cannot reach Opensource.com. You use curl to test the connection.

$ curl -vvv opensource.com
* About to connect() to opensource.com port 80 (#0)
* Trying 54.204.39.132...
* Connection timed out
* Failed connect to opensource.com:80; Connection timed out
* Closing connection 0
curl: (7) Failed connect to opensource.com:80; Connection timed out

The connection times out. You suspect that something might be blocking the
traffic, so you show the iptables rules with the -S option.

$ iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
The first three lines are the chain policies: anything not explicitly accepted by
a later rule is dropped. The remaining rules allow inbound SSH and DNS replies,
and outbound SSH replies and DNS queries; nothing allows outbound TCP to port
80, so the curl request never leaves the host. Note also that the INPUT rule
accepts any UDP packet whose source port is 53, something any sender can choose,
which is why production rule sets match on connection state (-m conntrack
--ctstate ESTABLISHED,RELATED) instead of on source ports. In this case, follow
up with your sysadmin if you require a rule to allow traffic to external
endpoints. If this is a host you use for local development or testing, you can
use the iptables command to allow the correct traffic. Use caution when adding
rules that allow traffic to your host.
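An added example, not code from the article, that evaluates the rule set above the way netfilter would: the first matching rule's target wins, otherwise the chain policy applies. It confirms that the curl to port 80 is dropped while the DNS lookup that preceded it passes, and it also shows the weakness of matching on a source port: an arbitrary UDP packet sent from source port 53 is accepted by the INPUT chain. The packets are made up, and the parser only understands the options that appear in this particular output.

```python
import shlex

# Added example, not code from the original article: a small evaluator for the
# stateless rule set that `iptables -S` printed above. It parses the -P (policy)
# and -A (append) lines, then walks a chain the way netfilter does: the first
# matching rule's target wins, and the chain policy applies when nothing matches.
# Only the options present in that output are understood (-p, -i, -o, --sport,
# --dport, -j, and -m which is skipped). Packets are plain dicts keyed by the
# same option names; the traffic below is invented to exercise the rules.

RULESET = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
"""

MATCH_OPTIONS = ("-p", "-i", "-o", "--sport", "--dport")


def parse_ruleset(text: str):
    """Return ({chain: policy}, {chain: [rule, ...]}) from `iptables -S` output."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens:
            continue
        if tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
            chains.setdefault(tokens[1], [])
        elif tokens[0] == "-A":
            chain, rule = tokens[1], {}
            it = iter(tokens[2:])
            for tok in it:
                if tok == "-m":
                    next(it)                     # match-extension name; implied by -p here
                elif tok in MATCH_OPTIONS or tok == "-j":
                    rule[tok] = next(it)
                else:
                    raise ValueError(f"unsupported option {tok!r} in: {line}")
            chains.setdefault(chain, []).append(rule)
    return policies, chains


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Every match option in the rule must equal the packet's value."""
    return all(pkt.get(opt) == val for opt, val in rule.items() if opt != "-j")


def verdict(policies, chains, chain: str, pkt: dict) -> str:
    """Target of the first matching rule in `chain`, else the chain policy."""
    for rule in chains.get(chain, []):
        if rule_matches(rule, pkt):
            return rule["-j"]
    return policies[chain]


def demo() -> dict:
    policies, chains = parse_ruleset(RULESET)
    packets = {
        # the article's curl: outbound TCP to opensource.com port 80
        "http_out": ("OUTPUT", {"-p": "tcp", "-o": "eth0", "--sport": "43210", "--dport": "80"}),
        # the DNS query that preceded it and the reply that came back
        "dns_out": ("OUTPUT", {"-p": "udp", "-o": "eth0", "--sport": "51111", "--dport": "53"}),
        "dns_in": ("INPUT", {"-p": "udp", "-i": "eth0", "--sport": "53", "--dport": "51111"}),
        # an inbound SSH connection
        "ssh_in": ("INPUT", {"-p": "tcp", "-i": "eth0", "--sport": "50000", "--dport": "22"}),
        # an attacker's UDP packet to an arbitrary port, sent from source port 53
        "spoofed_sport53_in": ("INPUT", {"-p": "udp", "-i": "eth0", "--sport": "53", "--dport": "9999"}),
    }
    return {name: verdict(policies, chains, chain, pkt) for name, (chain, pkt) in packets.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

The spoofed_sport53_in case is the one to remember: a stateless source-port match cannot distinguish a DNS reply from anything else with that source port, and a stateful rule (-m conntrack --ctstate ESTABLISHED,RELATED) cannot be modelled by this evaluator at all, because the decision depends on what the host sent earlier rather than on the packet alone.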

19. sestatus

You usually find SELinux (a Linux security module) enforced on an application
host managed by an enterprise. SELinux provides least-privilege access to
processes running on the host, preventing potentially malicious processes from
accessing important files on the system. In some situations, an application needs to
access a specific file but may throw an error. To check if SELinux blocks the
application, use tail and grep to look for "denied" (AVC) messages in
/var/log/audit/audit.log. Otherwise, you can check to see if the box has SELinux
enabled by using sestatus.

$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28

The output above indicates that the application's host has SELinux enabled and
enforcing. On your local development environment you can switch it to permissive
mode (setenforce 0) to confirm that SELinux is the cause, but do not ship that as
the fix: ausearch -m avc and audit2allow turn the logged denials into a targeted
policy module, and very often the right answer is simply relabeling the file or
enabling an existing boolean. If you need help with a remote host, your sysadmin
can help you determine the best practice for allowing your application to access
the file it needs.
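An added example, not code from the article, that parses the AVC denial records grep denied /var/log/audit/audit.log returns and groups them into the allow rules audit2allow would propose. The audit lines are constructed for the example (httpd denied read and open on a file labelled user_home_t, plus a TCP connect to the MongoDB port type); the contexts and type names follow the targeted policy's conventions.

```python
import re
from collections import defaultdict

# Added example, not code from the original article: parse the SELinux AVC
# denial records that `grep denied /var/log/audit/audit.log` returns and
# summarise them as the allow rules audit2allow would propose. The audit lines
# below are constructed for the example (the field layout is the kernel's
# standard AVC format; the contexts are the ones a Fedora/RHEL targeted policy
# would assign).

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1500000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/vagrant/www/index.html" dev="dm-0" ino=67890 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1500000000.124:457): arch=c000003e syscall=2 success=no exit=-13 ppid=1 pid=1234 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1500000000.900:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=27017 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mongod_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str):
    """One AVC record -> dict of its fields, or None for non-AVC lines."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    # a context is user:role:type:level; policy rules are written against the type
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def denials(log_text: str) -> list:
    return [r for r in map(parse_avc, log_text.splitlines()) if r and r["result"] == "denied"]


def summarise(records) -> list:
    """Group denials into the `allow` rules audit2allow would emit."""
    grouped = defaultdict(set)
    for r in records:
        grouped[(r["source_type"], r["target_type"], r["tclass"])].update(r["perms"])
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(grouped.items())]


if __name__ == "__main__":
    recs = denials(SAMPLE_AUDIT_LOG)
    for r in recs:
        target = r.get("name") or r.get("path") or r.get("dest")
        print(f"{r['comm']} (pid {r['pid']}) denied {r['perms']} on {r['tclass']} {target}")
    print("\n".join(summarise(recs)))
```

The summary tells you what to fix, not what to allow blindly: a user_home_t denial is normally solved by relabeling the content as httpd_sys_content_t (or enabling the httpd_enable_homedirs boolean), and the name_connect denial to mongod_port_t by the httpd_can_network_connect_db boolean, rather than by loading a custom module that grants httpd_t access to home directories.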

20. history

When you issue so many commands for testing and debugging, you may forget the
useful ones! Every shell has a variant of the history command. It shows the history
of commands you have issued since the start of the session. You can use history to
log which commands you used to troubleshoot your application. For example,
when you issue history over the course of this article, it shows the various
commands you experimented with and learned. Be aware that anything typed on the
command line, passwords and tokens included, ends up in the history file
(~/.bash_history for bash), so pass secrets through files or prompts rather than
as arguments.

$ history
1 clear
2 df -h
3 du

What if you want to execute a command in your previous history, but you don't
want to retype it? Use ! before the command number to re-execute.


Adding ! before the command number you want to execute issues the command again.

Basic commands can enhance your troubleshooting expertise when determining
why your application works in one development environment but perhaps not in
another. Many sysadmins leverage these commands to debug problems with
systems. Understanding some of these useful troubleshooting commands can help
you communicate with sysadmins and resolve issues with your application.

NETWORK SECURITY
What is Network Security?
Network security is the process of taking preventative measures to protect the
underlying networking infrastructure from unauthorized access, misuse,
malfunction, modification, destruction or improper disclosure.

Relentless cyber criminals, disgruntled current and former employees and careless
users can bring down your computer networks and compromise data. Network
security is made up of the hardware, software, policies and procedures designed to
defend against both internal and external threats to your company's computer
systems. Multiple layers of hardware and software can prevent threats from
damaging computer networks, and stop them from spreading if they slip past your
defenses.
The most common threats to your systems:
▪ Malicious programs like viruses, worms, Trojan horses, spyware, malware,
adware and botnets
▪ Zero-day and zero-hour attacks
▪ Hacker attacks
▪ Denial of Service (DoS) and Distributed Denial of Service Attacks (DDoS),
and
▪ Data theft.
These threats look to exploit:
▪ Unsecured wireless networks
▪ Unpatched software and hardware
▪ Unsecured websites
▪ Potentially unwanted applications (PUAs)
▪ Weak passwords
▪ Lost devices, and
▪ Unwitting users or users with malicious intent.

Top 10 Most Common Types of Cyber Attacks

A cyber attack is any type of offensive action that targets computer information
systems, infrastructures, computer networks or personal computer devices, using
various methods to steal, alter or destroy data or information systems.
Today I’ll describe the 10 most common cyber attack types:

1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
2. Man-in-the-middle (MitM) attack
3. Phishing and spear phishing attacks
4. Drive-by attack
5. Password attack
6. SQL injection attack
7. Cross-site scripting (XSS) attack
8. Eavesdropping attack
9. Birthday attack
10. Malware attack


1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks

A denial-of-service attack overwhelms a system's resources so that it cannot
respond to service requests. A DDoS attack is also an attack on a system's resources,
but it is launched from a large number of other host machines that are infected by
malicious software controlled by the attacker.

Unlike attacks that are designed to enable the attacker to gain or increase access,
denial-of-service doesn’t provide direct benefits for attackers. For some of them,
it’s enough to have the satisfaction of service denial. However, if the attacked
resource belongs to a business competitor, then the benefit to the attacker may be
real enough. Another purpose of a DoS attack can be to take a system offline so
that a different kind of attack can be launched. One common example is session
hijacking, which I’ll describe later.

There are different types of DoS and DDoS attacks; the most common are TCP
SYN flood attack, teardrop attack, smurf attack, ping-of-death attack and botnets.

TCP SYN flood attack

In this attack, an attacker exploits the backlog of half-open connections that a
Transmission Control Protocol (TCP) stack keeps during session initialization.
The attacker's device floods the target with SYN (connection request) segments,
often from spoofed source addresses, and never completes the handshake when the
target replies with SYN-ACK. Each half-open connection occupies a slot in the
listen backlog until it times out, so the backlog fills up and the system can no
longer accept legitimate connections.

There are a few countermeasures to a TCP SYN flood attack:

• Enable SYN cookies (net.ipv4.tcp_syncookies=1 on Linux), which let the server
answer SYNs without storing state until the handshake completes.
• Place servers behind a firewall or load balancer that rate-limits or proxies
inbound SYN packets.
• Increase the size of the connection queue and decrease the timeout on half-open
connections.
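An added example, not code from the article, that makes the mechanism concrete in Python: a detector that counts half-open handshakes per source address in a captured packet stream, and the arithmetic behind the queue-size and timeout advice. The packet records are constructed: one client that completes its handshake and one source that sends 200 SYNs it never answers. The numbers used for comparison (a SYN-RECV lifetime of roughly a minute with the default number of SYN-ACK retransmissions, backlog sizes of 1024 and 8192) are illustrative; the kernel's real answer to a flood is SYN cookies, which this simple model does not include.

```python
from collections import defaultdict

# Added example, not code from the original article. Two things the description
# above leaves implicit: how a detector picks the flooding source out of a packet
# capture (count half-open handshakes per source address), and why a larger
# backlog and a shorter SYN-RECV timeout help (the backlog overflows once
# SYN rate x timeout exceeds its size). The packet records are constructed:
# (timestamp, source IP, source port, destination port, TCP flag seen from the client).

PACKETS = [
    (0.00, "192.168.1.5", 50000, 80, "S"),   # a legitimate client ...
    (0.01, "192.168.1.5", 50000, 80, "A"),   # ... that completes the handshake
] + [
    # a flooder: 200 SYNs from as many source ports, none of them ever ACKed
    (0.02 + i * 0.001, "203.0.113.9", 40000 + i, 80, "S") for i in range(200)
]


def half_open_by_source(packets, window: float = 1.0, now: float = None) -> dict:
    """Count handshakes that saw a SYN but no completing ACK, grouped by source
    address, considering only SYNs received within `window` seconds of `now`."""
    if now is None:
        now = max(ts for ts, *_ in packets)
    pending = {}                                  # (src, sport, dport) -> SYN time
    for ts, src, sport, dport, flag in packets:
        key = (src, sport, dport)
        if flag == "S":
            pending[key] = ts
        elif flag == "A" and key in pending:
            del pending[key]                      # third packet of the handshake arrived
    counts = defaultdict(int)
    for (src, _, _), ts in pending.items():
        if now - ts <= window:
            counts[src] += 1
    return dict(counts)


def suspected_flooders(packets, threshold: int = 100, window: float = 1.0) -> list:
    """Sources with at least `threshold` half-open connections in the window."""
    return sorted(src for src, n in half_open_by_source(packets, window).items() if n >= threshold)


def backlog_survives(syn_rate: float, timeout: float, backlog: int) -> bool:
    """Steady state: each unanswered SYN holds a backlog slot for `timeout`
    seconds, so about syn_rate * timeout slots are occupied at any moment. The
    queue overflows when that exceeds `backlog`, which is the arithmetic behind
    'enlarge the queue and shorten the timeout'."""
    return syn_rate * timeout <= backlog


if __name__ == "__main__":
    print(half_open_by_source(PACKETS))
    print("flooders:", suspected_flooders(PACKETS))
    for rate, timeout, backlog in ((100, 60, 1024), (100, 5, 1024), (100, 60, 8192)):
        state = "holds" if backlog_survives(rate, timeout, backlog) else "overflows"
        print(f"{rate} SYN/s, {timeout}s timeout, backlog {backlog}: {state}")
```

The per-source count is only a first cut: a distributed flood spreads its SYNs across thousands of spoofed addresses, so in practice the signal is the total half-open count against the backlog size, which is why SYN cookies (no state until the handshake completes) beat any tuning of the queue.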

Teardrop attack

This attack sends sequential Internet Protocol (IP) fragments whose length and
fragment-offset fields overlap one another; the attacked host attempts to
reassemble the datagram, and an unpatched stack miscomputes the fragment lengths
and crashes.

Every maintained IP stack has long been patched against this, so the defense is
to keep systems updated. (The often-repeated advice to disable SMBv2 and block
ports 139 and 445 is a workaround for a Windows SMB vulnerability and does
nothing for IP fragment reassembly.)

Smurf attack

This attack combines IP spoofing and ICMP to saturate a target network with
traffic. The attacker sends ICMP echo requests to a network's directed broadcast
address with the source address spoofed to the victim's. For instance, if the
intended victim address is 10.0.0.10, the attacker would spoof an ICMP echo
request from 10.0.0.10 to the broadcast address 10.255.255.255 (the broadcast
address of 10.0.0.0/8). Every host on that network that answers sends its echo
reply to 10.0.0.10, so one packet from the attacker becomes hundreds of replies
at the victim. This process is repeatable, and can be automated to generate huge
amounts of network congestion.
To protect your devices from this attack, you need to disable IP-directed
broadcasts at the routers (no ip directed-broadcast on Cisco IOS, the default
since IOS 12.0). Routers then refuse to forward packets addressed to a subnet's
broadcast address. Another option would be to configure the end systems to keep
them from responding to ICMP echo requests sent to broadcast addresses
(net.ipv4.icmp_echo_ignore_broadcasts=1, which is the Linux default).

Ping of death attack

This type of attack pings a target system with an IP datagram larger than the
maximum of 65,535 bytes. IP packets of this size are not allowed on the wire, so
the attacker sends the datagram as fragments whose offsets and lengths add up to
more than 65,535 bytes. Once the target system reassembles the packet, the
reassembly buffer overflows and the host crashes. This was a widespread stack
bug in the mid-1990s; every maintained operating system has long been patched.

Ping of death attacks can be blocked by a firewall that checks fragmented IP
packets against the maximum datagram size, and by keeping the target's IP stack
patched.
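Both the teardrop and the ping-of-death descriptions come down to checks a reassembler must make. As an added example, not code from the article, here is a minimal IP fragment reassembler in Python that rejects overlapping fragments and datagrams that would exceed 65,535 bytes; the fragments it is fed are constructed. (Current Linux kernels go further and discard any datagram whose fragments overlap at all.)

```python
# Added example, not code from the original article: a minimal IP fragment
# reassembler that makes the two checks a patched stack makes against the
# teardrop and ping-of-death attacks described above. A fragment is modelled as
# (byte offset, payload bytes, more-fragments flag); on the wire the offset is
# the header's 13-bit fragment-offset field times 8 and the flag is the MF bit.

MAX_DATAGRAM = 65535          # largest total length an IPv4 header can express


class BadFragments(ValueError):
    pass


def reassemble(fragments) -> bytes:
    """Reassemble the fragments of one datagram or raise BadFragments."""
    out = bytearray()
    final_end = None
    for offset, payload, more in sorted(fragments, key=lambda f: f[0]):
        if more and offset % 8:
            raise BadFragments(f"non-final fragment at offset {offset} is not 8-byte aligned")
        end = offset + len(payload)
        if end > MAX_DATAGRAM:
            raise BadFragments(f"fragment ends at byte {end}, past 65535 (ping of death)")
        if offset < len(out):
            raise BadFragments(f"fragment at {offset} overlaps data already held up to {len(out)} (teardrop)")
        if offset > len(out):
            raise BadFragments(f"gap before offset {offset}: datagram incomplete")
        out += payload
        if not more:
            final_end = end
    if final_end is None or final_end != len(out):
        raise BadFragments("final fragment missing: datagram incomplete")
    return bytes(out)


def check(fragments) -> str:
    """'ok' if the fragments reassemble cleanly, otherwise the rejection reason."""
    try:
        reassemble(fragments)
        return "ok"
    except BadFragments as exc:
        return str(exc)


if __name__ == "__main__":
    normal = [(0, b"A" * 16, True), (16, b"B" * 16, True), (32, b"C" * 5, False)]
    teardrop = [(0, b"x" * 36, True), (24, b"y" * 20, False)]         # second fragment overlaps the first
    ping_of_death = [(0, b"x" * 8, True), (65520, b"y" * 100, False)]  # total exceeds 65535 bytes
    for name, frags in (("normal", normal), ("teardrop", teardrop), ("ping_of_death", ping_of_death)):
        print(f"{name}: {check(frags)}")
```

The teardrop case is exactly the arithmetic that crashed 1997-era stacks: the second fragment's offset (24) is less than the end of the data already held (36), so a reassembler that trusts the offsets computes a negative length for the copy. Checking offset against the bytes already received is the whole fix.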

Botnets

Botnets are the millions of systems infected with malware under hacker control in
order to carry out DDoS attacks. These bots or zombie systems are used to carry
out attacks against the target systems, often overwhelming the target system’s
bandwidth and processing capabilities. These DDoS attacks are difficult to trace
because botnets are located in differing geographic locations.

Botnets can be mitigated by:

• RFC 3704 (ingress) filtering, which denies traffic from spoofed addresses and
helps ensure that traffic is traceable to its correct source network. For
example, RFC 3704 filtering will drop packets whose source address is on the
bogon list (unallocated or reserved address space).
• Black hole filtering, which drops undesirable traffic before it enters a
protected network. When a DDoS attack is detected, the BGP (Border
Gateway Protocol) host should send routing updates to ISP routers so that
they route all traffic heading to victim servers to a null0 interface at the next
hop.

2. Man-in-the-middle (MitM) attack


A MitM attack occurs when a hacker inserts itself between the communications of
a client and a server. Here are some common types of man-in-the-middle attacks:

Session hijacking

In this type of MitM attack, an attacker hijacks a session between a trusted client
and network server. The attacking computer substitutes its IP address for the
trusted client while the server continues the session, believing it is communicating
with the client. For instance, the attack might unfold like this:

1. A client connects to a server.
2. The attacker's computer gains control of the client.
3. The attacker's computer disconnects the client from the server.
4. The attacker's computer replaces the client's IP address with its own IP
address and spoofs the client's sequence numbers.
5. The attacker's computer continues the dialog with the server and the server
believes it is still communicating with the client.
IP Spoofing

IP spoofing is used by an attacker to convince a system that it is communicating
with a known, trusted entity and so provide the attacker with access to the system.
The attacker sends a packet with the IP source address of a known, trusted host
instead of its own IP source address to a target host. The target host might accept
the packet and act upon it. Because any reply goes to the spoofed address rather
than to the attacker, blind spoofing is practical mainly against UDP services and
against TCP stacks with predictable initial sequence numbers; it is also why
address-based trust (hosts.allow or rhosts-style access lists) is no substitute
for authentication.

Replay

A replay attack occurs when an attacker intercepts and saves old messages and
then sends them again later, impersonating one of the participants. This type can
be countered with session timestamps or a nonce (a number used once, such as a
random value or a counter the receiver remembers) bound into each message's
authentication tag.
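The nonce-and-timestamp defence, as an added example in Python that is not part of the article. The shared HMAC key, the 30-second window and the message layout are assumptions made for the example, and the messages in the demo are constructed. The order of the checks matters: the MAC is verified first so unauthenticated input never touches the nonce cache, and the timestamp window bounds how long the cache has to remember a nonce.

```python
import hashlib
import hmac
import os

# Added example, not code from the original article: a message authenticator that
# defeats the replay described above with a timestamp window plus a cache of
# nonces already seen. The shared key, the 30-second window and the message
# layout are assumptions made for the example.

WINDOW_SECONDS = 30


def _tag(key: bytes, sender: str, ts: int, nonce_hex: str, body: bytes) -> bytes:
    # sender, timestamp and nonce are bound into the MAC, so none of them can be altered
    return hmac.new(key, f"{sender}|{ts}|{nonce_hex}|".encode() + body, hashlib.sha256).digest()


def sign(key: bytes, sender: str, body: bytes, now: float, nonce: bytes = None) -> dict:
    """Build a message; a fresh random nonce is drawn unless one is supplied."""
    nonce_hex = (nonce if nonce is not None else os.urandom(16)).hex()
    ts = int(now)
    return {"sender": sender, "ts": ts, "nonce": nonce_hex, "body": body,
            "mac": _tag(key, sender, ts, nonce_hex, body)}


class Receiver:
    def __init__(self, key: bytes, window: int = WINDOW_SECONDS):
        self.key, self.window = key, window
        self.seen = {}                    # (sender, nonce) -> timestamp accepted

    def accept(self, msg: dict, now: float) -> str:
        """Return 'ok' or the reason the message was rejected."""
        expected = _tag(self.key, msg["sender"], msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad mac"              # forged or modified; checked first so unauthenticated
                                          # input can never probe or fill the nonce cache
        if abs(now - msg["ts"]) > self.window:
            return "stale"                # too old (or clock skew); outside the window a
                                          # replay cannot succeed, so the cache need not remember it
        key = (msg["sender"], msg["nonce"])
        if key in self.seen:
            return "replay"               # same nonce presented twice inside the window
        self.seen[key] = msg["ts"]
        # the timestamp check rejects anything older than the window, so the cache
        # only has to hold nonces from the last `window` seconds
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        return "ok"


if __name__ == "__main__":
    key = b"shared-secret-for-the-example"
    rx = Receiver(key)
    msg = sign(key, "P2", b"transfer 100 to P", now=1000.0)
    print("first delivery:", rx.accept(msg, now=1001.0))
    print("replayed by A: ", rx.accept(msg, now=1002.0))
    print("replayed later:", rx.accept(msg, now=2000.0))
```

A receiver that only checked timestamps would accept the same message any number of times within the window, and one that only cached nonces would have to remember every nonce forever; combining the two is what makes the cache finite and the replay impossible.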

Currently, there is no single technology or configuration to prevent all MitM
attacks. Generally, encryption and digital certificates provide an effective
safeguard against MitM attacks, assuring both the confidentiality and integrity of
communications. But a man-in-the-middle can insert himself into the communication
in such a way that encryption alone will not help. For example, attacker "A"
intercepts the public key of person "P" and substitutes his own public key for it.
Then anyone wanting to send an encrypted message to P using P's public key is
unknowingly using A's public key. Therefore, A can read the message intended for
P and then forward it to P, re-encrypted under P's real public key, and P will
never notice that the message was compromised. A could also modify the message
before resending it to P. As you can see, P is using encryption and thinks that
his information is protected, but it is not, because of the MitM attack.

So, how can you make sure that P's public key belongs to P and not to A?
Certificate authorities, together with digital signatures and hash functions,
were created to solve this problem: a certificate binds P's public key to P's
identity under a signature that P2 can verify without trusting the channel on
which the key arrived. Once P2 has an authentic copy of P's public key (and P an
authentic copy of P2's), the following method protects a message from P2 to P
against A reading or modifying it, and lets P confirm that it actually came from
P2:

1. P2 creates a symmetric key and encrypts it with P's public key.
2. P2 sends the encrypted symmetric key to P.
3. P2 computes a hash of the message and digitally signs the hash with his
private key.
4. P2 encrypts his message and the signed hash using the symmetric key and
sends the whole thing to P.
5. P can recover the symmetric key because only he has the private key that
decrypts it.
6. P, and only P, can decrypt the symmetrically encrypted message and signed
hash because he has the symmetric key.
7. P can verify that the message has not been altered because he can compute
the hash of the received message and compare it with the digitally signed one.
8. P can also satisfy himself that P2 was the sender because only P2 can
produce a signature on the hash that verifies with P2's public key.

Note that step 8 depends on P holding P2's genuine public key, exactly the
problem the certificate solved for P's key in the other direction; without that
binding, A could substitute his own key and sign as P2.

3. Phishing and spear phishing attacks

Phishing attack is the practice of sending emails that appear to be from trusted
sources with the goal of gaining personal information or influencing users to do
something. It combines social engineering and technical trickery. It could involve
an attachment to an email that loads malware onto your computer. It could also be
a link to an illegitimate website that can trick you into downloading malware or
handing over your personal information.

Spear phishing is a very targeted type of phishing activity. Attackers take the time
to conduct research into targets and create messages that are personal and relevant.
Because of this, spear phishing can be very hard to identify and even harder to
defend against. One of the simplest ways that a hacker can conduct a spear
phishing attack is email spoofing, which is when the information in the “From”
section of the email is falsified, making it appear as if it is coming from someone
you know, such as your management or your partner company. Another technique
that scammers use to add credibility to their story is website cloning — they copy
legitimate websites to fool you into entering personally identifiable information
(PII) or login credentials.

To reduce the risk of being phished, you can use these techniques:

• Critical thinking — Do not accept that an email is the real deal just because
you’re busy or stressed or you have 150 other unread messages in your
inbox. Stop for a minute and analyze the email.
• Hovering over the links — Move your mouse over the link, but do not
click it! Let the cursor hover over the link and see where it would
actually take you. Apply critical thinking to decipher the URL.
• Analyzing email headers — Email headers record how an email got to your
address. The "Reply-To" and "Return-Path" domains should match the domain in
the "From" header; a mismatch is a warning sign (though legitimate mailing
lists and bulk senders sometimes differ too). The Authentication-Results header
added by your receiving mail server, which records the SPF, DKIM and DMARC
outcome, is the more reliable signal.
• Sandboxing — You can test email content in a sandbox environment,
logging activity from opening the attachment or clicking the links inside the
email.
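The header and link checks listed above, automated as an added example that is not code from the article. It flags Reply-To and Return-Path domains that differ from the From domain, reads the SPF, DKIM and DMARC outcome from the receiving server's Authentication-Results header, and finds links whose visible text names one host while the href points at another, which is what hovering reveals. The message is constructed with fictitious domains; every name and address in it is invented.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not code from the original article: the header and link checks
# listed above, automated. It compares the domains in From, Reply-To and
# Return-Path, reads the receiving server's Authentication-Results header (SPF,
# DKIM, DMARC outcome), and looks for links whose visible text names one host
# while the href points somewhere else. The message below is constructed for the
# example; all of its domains and addresses are fictitious.

SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mail-track3r.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-track3r.example; dkim=none; dmarc=fail header.from=bigbank.example
From: "BigBank Security" <alerts@bigbank.example>
Reply-To: support@bigbank-verify.example
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>Please <a href="http://198.51.100.7/login">https://www.bigbank.example/login</a> now.</body></html>
"""


def domain_of(header_value) -> str:
    """'"BigBank" <alerts@bigbank.example>' -> 'bigbank.example' ('' if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Parse 'authserv-id; spf=fail ...; dkim=none; dmarc=fail ...' into {'spf': 'fail', ...}."""
    results = {}
    for clause in str(msg.get("Authentication-Results", "")).split(";")[1:]:
        method, _, rest = clause.strip().partition("=")
        if method:
            results[method] = rest.split()[0] if rest.split() else ""
    return results


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None


def mismatched_links(html: str) -> list:
    """(shown host, real host) for links whose visible text is a URL on another host."""
    collector = LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and shown != real:
            out.append((shown, real))
    return out


def phishing_findings(raw: str) -> list:
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        d = domain_of(msg[hdr])
        if d and d != sender:
            findings.append(f"{hdr} domain {d} differs from From domain {sender}")
    for method, result in auth_results(msg).items():
        if result in ("fail", "softfail", "none", "permerror"):
            findings.append(f"{method} result is {result}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for shown, real in mismatched_links(body.get_content()):
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for finding in phishing_findings(SUSPICIOUS_MESSAGE):
        print("WARNING:", finding)
```

Only the Authentication-Results header written by your own receiving server can be trusted; one that arrives inside the message from elsewhere is just text the sender chose, which is why mail servers strip such headers before adding their own.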

4. Drive-by attack

Drive-by download attacks are a common method of spreading malware. Hackers
look for insecure websites and plant a malicious script into the HTML or
server-side (for example PHP) code of one of the pages. This script might install
malware directly onto the computer of someone who visits the site, or it might
redirect the victim to a site controlled by the hackers. Drive-by downloads can
happen when visiting a website or viewing an email message or a pop-up window.
Unlike many other types of cyber security attacks, a drive-by doesn't rely on a
user to do anything to actively enable the attack: you don't have to click a
download button or open a malicious email attachment to become infected. A
drive-by download takes advantage of an app, operating system or web browser
that contains security flaws because it has not been patched.

To protect yourself from drive-by attacks, you need to keep your browsers and
operating systems up to date and avoid websites that might contain malicious code.
Stick to the sites you normally use — although keep in mind that even these sites
can be hacked. Don’t keep too many unnecessary programs and apps on your
device. The more plug-ins you have, the more vulnerabilities there are that can be
exploited by drive-by attacks.

5. Password attack

Because passwords are the most commonly used mechanism to authenticate users
to an information system, obtaining passwords is a common and effective attack
approach. Access to a person’s password can be obtained by looking around the
person’s desk, ‘‘sniffing’’ the connection to the network to acquire unencrypted
passwords, using social engineering, gaining access to a password database or
outright guessing. The last approach can be done in either a random or systematic
manner:

• Brute-force password guessing means using a random approach by trying
different passwords and hoping that one works. Some logic can be applied by
trying passwords related to the person’s name, job title, hobbies or similar
items.
• In a dictionary attack, a dictionary of common passwords is used to attempt
to gain access to a user’s computer and network. One approach is to copy an
encrypted file that contains the passwords, apply the same encryption to a
dictionary of commonly used passwords, and compare the results.

In order to protect yourself from dictionary or brute-force attacks, you need to
implement an account lockout policy that will lock the account after a few invalid
password attempts. You can follow these account lockout best practices in order to
set it up correctly.

6. SQL injection attack

SQL injection has become a common issue with database-driven websites. It
occurs when a malefactor executes a SQL query to the database via the input data
from the client to server. SQL commands are inserted into data-plane input (for
example, instead of the login or password) in order to run predefined SQL
commands. A successful SQL injection exploit can read sensitive data from the
database, modify (insert, update or delete) database data, execute administration
operations (such as shutdown) on the database, recover the content of a given file,
and, in some cases, issue commands to the operating system.

For example, a web form on a website might request a user’s account name and
then send it to the database in order to pull up the associated account information
using dynamic SQL like this:

"SELECT * FROM users WHERE account = '" + userProvidedAccountNumber + "';"

While this works for users who are properly entering their account number, it
leaves a hole for attackers. For example, if someone decided to provide an account
number of "' or '1' = '1" (the closing quote is supplied by the query template),
that would result in a query string of:

SELECT * FROM users WHERE account = '' or '1' = '1';

Because '1' = '1' always evaluates to TRUE, the database will return the data for
all users instead of just a single user.

The vulnerability to this type of cyber security attack depends on the fact that SQL
makes no real distinction between the control and data planes. Therefore, SQL
injections work mostly if a website uses dynamic SQL. Additionally, SQL
injection is very common with PHP and ASP applications due to the prevalence of
older functional interfaces. J2EE and ASP.NET applications are less likely to have
easily exploited SQL injections because of the nature of the programmatic
interfaces available.

In order to protect yourself from SQL injection attacks, apply a least-privilege
model of permissions in your databases. Stick to stored procedures (make sure that
these procedures don’t include any dynamic SQL) and prepared statements
(parameterized queries). The code that is executed against the database must be
strong enough to prevent injection attacks. In addition, validate input data against a
white list at the application level.
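The account lookup discussed above, as an added example (not code from the original text): the page's concatenated query beside a parameterized one, both run against an in-memory SQLite table of constructed accounts, plus the allow-list input check the text recommends. Table and column names follow the page's example; the account data is made up.

```python
import sqlite3


def make_db():
    """In-memory database with a few constructed accounts (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("1001", "alice"), ("1002", "bob"), ("1003", "carol")])
    return conn


def lookup_vulnerable(conn, user_provided_account_number):
    """The page's dynamic SQL: the query text is built by concatenation, so
    whatever the client sends becomes part of the SQL statement itself."""
    query = ("SELECT * FROM users WHERE account = '"
             + user_provided_account_number + "';")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_provided_account_number):
    """Hardened form: a prepared statement with a bound parameter. The input
    reaches the engine as data only and can never change the query."""
    query = "SELECT * FROM users WHERE account = ?;"
    return conn.execute(query, (user_provided_account_number,)).fetchall()


def validate_account_number(value):
    """Allow-list check at the application layer, as the text recommends:
    an account number here is exactly four ASCII digits, nothing else."""
    return len(value) == 4 and value.isdigit()


if __name__ == "__main__":
    conn = make_db()
    honest = "1002"
    hostile = "' or '1' = '1"           # the page's payload
    print(lookup_vulnerable(conn, honest))        # one row
    print(lookup_vulnerable(conn, hostile))       # every row: WHERE is always true
    print(lookup_parameterized(conn, hostile))    # []: no account has that literal
    print(validate_account_number(hostile))       # False: rejected before the DB
```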

7. Cross-site scripting (XSS) attack

XSS attacks use third-party web resources to run scripts in the victim’s web
browser or scriptable application. Specifically, the attacker injects a payload with
malicious JavaScript into a website’s database. When the victim requests a page
from the website, the website transmits the page, with the attacker’s payload as
part of the HTML body, to the victim’s browser, which executes the malicious
script. For example, it might send the victim’s cookie to the attacker’s server, and
the attacker can extract it and use it for session hijacking. The most dangerous
consequences occur when XSS is used to exploit additional vulnerabilities. These
vulnerabilities can enable an attacker to not only steal cookies, but also log key
strokes, capture screenshots, discover and collect network information, and
remotely access and control the victim’s machine.

While XSS can be taken advantage of within VBScript, ActiveX and Flash, the
most widely abused is JavaScript — primarily because JavaScript is supported
widely on the web.

To defend against XSS attacks, developers can sanitize data input by users in an
HTTP request before reflecting it back. Make sure all data is validated, filtered or
escaped before echoing anything back to the user, such as the values of query
parameters during searches. Convert special characters such as ?, &, /, <, > and
spaces to their respective HTML or URL encoded equivalents. Give users the
option to disable client-side scripts.

8. Eavesdropping attack

Eavesdropping attacks occur through the interception of network traffic. By
eavesdropping, an attacker can obtain passwords, credit card numbers and other
confidential information that a user might be sending over the network.
Eavesdropping can be passive or active:
• Passive eavesdropping — A hacker detects the information by listening to
the message transmission in the network.
• Active eavesdropping — A hacker actively grabs the information by
disguising himself as a friendly unit and by sending queries to transmitters.
This is called probing, scanning or tampering.

Detecting passive eavesdropping attacks is often more important than spotting
active ones, since active attacks require the attacker to gain knowledge of the
friendly units by conducting passive eavesdropping beforehand.

Data encryption is the best countermeasure for eavesdropping.

9. Birthday attack

Birthday attacks are made against hash algorithms that are used to verify the
integrity of a message, software or digital signature. A message processed by a
hash function produces a message digest (MD) of fixed length, independent of the
length of the input message; this MD uniquely characterizes the message. The
birthday attack refers to the probability of finding two random messages that
generate the same MD when processed by a hash function. If an attacker calculates
same MD for his message as the user has, he can safely replace the user’s message
with his, and the receiver will not be able to detect the replacement even if he
compares MDs.
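The collision probability behind the birthday attack, worked through as an added example that is not part of the original text: the chance that k messages share an n-bit digest, the roughly 1.177·√(2^n) messages needed for a 50% chance, and a demonstration on SHA-256 truncated to 24 bits (a constructed weak hash chosen so the search finishes instantly) showing that a collision costs about 2^12 rather than 2^24 hash computations. This is why digest length is sized against the square root of the digest space, not the space itself.

```python
import hashlib
import math
from itertools import count


def collision_probability(n_bits, k):
    """Approximate probability that at least two of k random messages share the
    same n-bit digest: 1 - exp(-k(k-1) / (2N)) with N = 2^n. Python's exact
    integer arithmetic for the ratio keeps this usable at n = 256."""
    if k < 2:
        return 0.0
    exponent = (k * (k - 1)) / (2 * 2 ** n_bits)
    return 1.0 - math.exp(-exponent)


def messages_for_half_chance(n_bits):
    """Number of messages after which a collision is about 50% likely:
    sqrt(2 ln 2) * 2^(n/2), roughly 1.177 * sqrt(2^n)."""
    return math.sqrt(2 * math.log(2)) * 2.0 ** (n_bits / 2)


def truncated_digest(message, n_bits):
    """SHA-256 cut down to its top n_bits, standing in for a short weak hash.
    Returned as an int so digests compare cheaply."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - n_bits)


def find_collision(n_bits, prefix=b"msg-"):
    """Birthday search over a constructed family of messages prefix + counter.
    Returns (message_a, message_b, messages_tried): two distinct messages with
    equal truncated digest. Memory grows with the number of messages tried."""
    seen = {}
    for i in count():
        m = prefix + str(i).encode()
        d = truncated_digest(m, n_bits)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m


if __name__ == "__main__":
    a, b, tried = find_collision(24)
    print(f"24-bit digest: collision after {tried} messages "
          f"(50% point is {messages_for_half_chance(24):.0f}; brute force would be 2^24)")
    print(a, b, hex(truncated_digest(a, 24)))
    # Why digest length matters: even 2^128 messages against a 256-bit digest
    print(f"p(256-bit, 2^128 msgs) = {collision_probability(256, 2 ** 128):.3f}")
    print(f"p(24-bit, 4823 msgs)    = {collision_probability(24, 4823):.3f}")
```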

10. Malware attack

Malicious software can be described as unwanted software that is installed in your
system without your consent. It can attach itself to legitimate code and propagate;
it can lurk in useful applications or replicate itself across the Internet. Here are
some of the most common types of malware:

• Macro viruses — These viruses infect applications such as Microsoft Word
or Excel. Macro viruses attach to an application’s initialization sequence.
When the application is opened, the virus executes instructions before
transferring control to the application. The virus replicates itself and attaches
to other code in the computer system.
• File infectors — File infector viruses usually attach themselves to
executable code, such as .exe files. The virus is installed when the code is
loaded. Another version of a file infector associates itself with a file by
creating a virus file with the same name, but an .exe extension. Therefore,
when the file is opened, the virus code will execute.
• System or boot-record infectors — A boot-record virus attaches to the
master boot record on hard disks. When the system is started, it will look at
the boot sector and load the virus into memory, where it can propagate to
other disks and computers.
• Polymorphic viruses — These viruses conceal themselves through varying
cycles of encryption and decryption. The encrypted virus and an associated
mutation engine are initially decrypted by a decryption program. The virus
proceeds to infect an area of code. The mutation engine then develops a new
decryption routine and the virus encrypts the mutation engine and a copy of
the virus with an algorithm corresponding to the new decryption routine.
The encrypted package of mutation engine and virus is attached to new code,
and the process repeats. Such viruses are difficult to detect but have a high
level of entropy because of the many modifications of their source code.
Anti-virus software or free tools like Process Hacker can use this feature to
detect them.
• Stealth viruses — Stealth viruses take over system functions to conceal
themselves. They do this by compromising malware detection software so
that the software will report an infected area as being uninfected. These
viruses conceal any increase in the size of an infected file or changes to the
file’s date and time of last modification.
• Trojans — A Trojan or a Trojan horse is a program that hides in a useful
program and usually has a malicious function. A major difference between
viruses and Trojans is that Trojans do not self-replicate. In addition to
launching attacks on a system, a Trojan can establish a back door that can be
exploited by attackers. For example, a Trojan can be programmed to open a
high-numbered port so the hacker can use it to listen and then perform an
attack.
• Logic bombs — A logic bomb is a type of malicious software that is
appended to an application and is triggered by a specific occurrence, such as
a logical condition or a specific date and time.
• Worms — Worms differ from viruses in that they do not attach to a host
file, but are self-contained programs that propagate across networks and
computers. Worms are commonly spread through email attachments;
opening the attachment activates the worm program. A typical worm exploit
involves the worm sending a copy of itself to every contact in an infected
computer’s email address book. In addition to conducting malicious activities, a
worm spreading across the internet and overloading email servers can result
in denial-of-service attacks against nodes on the network.
• Droppers — A dropper is a program used to install viruses on computers. In
many instances, the dropper is not infected with malicious code and,
therefore, might not be detected by virus-scanning software. A dropper can
also connect to the internet and download updates to virus software that is
resident on a compromised system.
• Ransomware — Ransomware is a type of malware that blocks access to the
victim’s data and threatens to publish or delete it unless a ransom is paid.
While some simple computer ransomware can lock the system in a way that
is not difficult for a knowledgeable person to reverse, more advanced
malware uses a technique called cryptoviral extortion, which encrypts the
victim’s files in a way that makes them nearly impossible to recover without
the decryption key.
• Adware — Adware is a software application used by companies for
marketing purposes; advertising banners are displayed while any program is
running. Adware can be automatically downloaded to your system while
browsing any website and can be viewed through pop-up windows or
through a bar that appears on the computer screen automatically.
• Spyware — Spyware is a type of program that is installed to collect
information about users, their computers or their browsing habits. It tracks
everything you do without your knowledge and sends the data to a remote
user. It also can download and install other malicious programs from the
internet. Spyware works like adware but is usually a separate program that is
installed unknowingly when you install another freeware application.

Relentless cyber criminals, disgruntled current and former employees and careless
users can bring down your computer networks and compromise data. Network
security’s made up of the hardware, software, policies and procedures designed to
defend against both internal and external threats to your company’s computer
systems. Multiple layers of hardware and software can prevent threats from
damaging computer networks, and stop them from spreading if they slip past your
defenses.
The most common threats to your systems:
▪ Malicious programs like viruses, worms, Trojan horses, spyware, malware,
adware and botnets
▪ Zero-day and zero-hour attacks
▪ Hacker attacks
▪ Denial of Service (DoS) and Distributed Denial of Service Attacks (DDoS),
and
▪ Data theft.
These threats look to exploit:
▪ Unsecured wireless networks
▪ Unpatched software and hardware
▪ Unsecured websites
▪ Potentially unwanted applications (PUAs)
▪ Weak passwords
▪ Lost devices, and
▪ Unwitting users or users with malicious intent.

Top 5 fundamentals of network security


These network security fundamentals are vital to downtime prevention,
government regulation compliance, reduced liability and reputation protection:
1. Keep patches and updates current
Cyber criminals exploit vulnerabilities in operating systems, software applications,
web browsers and browser plug-ins when administrators are lax about applying
patches and updates.
In particular, verify that office computers are running current versions of these
much used programs:
1. Adobe Acrobat and Reader
2. Adobe Flash
3. Oracle Java
4. Microsoft Internet Explorer
5. Microsoft Office Suite
Keep an inventory to make sure each device is updated regularly, including mobile
devices and network hardware. And make sure Windows and Apple computers
have automatic updating enabled.
2. Use strong passwords
By now, most users know not to write their passwords on Post-It Notes that are
plastered to their monitors. But there’s more to keeping passwords secure than
keeping them out of plain sight.
The definition of a strong password is one that’s difficult to detect by humans and
computers, is at least 6 characters, preferably more, and uses a combination of
upper- and lower-case letters, numbers and symbols.
Symantec gives additional suggestions:
▪ Don’t use any words from the dictionary. Also avoid proper nouns or foreign
words.
▪ Don’t use anything remotely related to your name, nickname, family members
or pets.
▪ Don’t use any numbers someone could guess by looking at your mail like
phone numbers and street numbers, and
▪ Choose a phrase that means something to you, take the first letters of each
word and convert some into characters.
The SANS Institute recommends passwords be changed at least every 90 days, and
that users not be allowed to reuse their last 15 passwords. They also suggest that
users be locked out of their accounts for an hour and a half after eight failed log-on
attempts within a 45-minute period.
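The account lockout policy that the password-attack section and the SANS figures above describe, as an added example that is not part of the original text: a sliding-window counter that locks an account for 90 minutes after 8 failed log-ons within 45 minutes, with a second scenario showing that failures spread beyond the window do not lock. Timestamps are passed in as seconds so the behaviour can be checked without waiting; the account names are placeholders.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Sliding-window account lockout.

    Defaults are the SANS figures quoted in the text: 8 failed log-ons within
    45 minutes lock the account for 90 minutes. Time is passed in as seconds
    (an injectable clock) so the policy can be exercised without waiting.
    """

    def __init__(self, max_failures=8, window_s=45 * 60, lockout_s=90 * 60):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        """True while a lock is in force; an expired lock is cleared on read."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def _prune(self, account, now):
        """Forget failures older than the window."""
        q = self._failures[account]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def record_failure(self, account, now):
        """Register a failed attempt; returns True if the account is now locked."""
        if self.is_locked(account, now):
            return True
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            return True
        return False

    def record_success(self, account, now):
        """A successful log-on on an unlocked account resets its failure history."""
        if self.is_locked(account, now):
            return False
        self._failures[account].clear()
        return True


def attempt_login(policy, account, password_ok, now):
    """Gate one log-on attempt: 'locked', 'ok' or 'failed'. The lock is checked
    before the password, so a locked account answers the same either way."""
    if policy.is_locked(account, now):
        return "locked"
    if password_ok:
        policy.record_success(account, now)
        return "ok"
    return "locked" if policy.record_failure(account, now) else "failed"


def simulate_guessing(policy, account, attempts, spacing_s):
    """Constructed scenario: `attempts` wrong passwords, `spacing_s` seconds apart.
    Returns the outcome of each attempt."""
    return [attempt_login(policy, account, False, i * spacing_s)
            for i in range(attempts)]


if __name__ == "__main__":
    # Ten guesses a minute apart: the eighth locks the account.
    print(simulate_guessing(LockoutPolicy(), "alice", 10, 60))
    # Ten guesses 400 s apart never hold 8 failures inside the 45-minute window.
    print(simulate_guessing(LockoutPolicy(), "alice", 10, 400))
```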
Train users to recognize social engineering techniques used to trick them into
divulging their passwords. Hackers are known to impersonate tech support to get
people to give out their passwords or simply look over users’ shoulders while they
type in their passwords.
3. Secure your VPN
Data encryption and identity authentication are especially important to securing a
VPN. Any open network connection is a vulnerability hackers can exploit to sneak
onto your network. Moreover, data is particularly vulnerable while it is traveling
over the Internet. Review the documentation for your server and VPN software to
make sure that the strongest possible protocols for encryption and authentication
are in use.
Multi-factor authentication is the most secure identity authentication method. The
more steps your users must take to prove their identity, the better. For example, in
addition to a password, users could be required to enter a PIN. Or, a random
numerical code generated by a key-fob authenticator every 60 seconds could be
used in conjunction with a PIN or password.
It is also a good idea to use a firewall to separate the VPN network from the rest of
the network.
Other tips include:
▪ Use cloud-based email and file sharing instead of a VPN.
▪ Create and enforce user-access policies. Be stingy when granting access to
employees, contractors and business partners.
▪ Make sure employees know how to secure their home wireless networks.
Malicious software that infects their devices at home can infect the company
network via an open VPN connection, and
▪ Before granting mobile devices full access to the network, check them for up-
to-date anti-virus software, firewalls and spam filters.
4. Actively manage user access privileges
Inappropriate user-access privileges pose a significant security threat. Managing
employee access to critical data on an ongoing basis should not be overlooked.
More than half of 5,500 companies recently surveyed by HP and the Ponemon
Institute said that their employees had access to “sensitive, confidential data
outside the scope of their job requirements.” In reporting on the study’s
findings, eWeek.com said “general business data such as documents, spreadsheets,
emails and other sources of unstructured data were most at risk for snooping,
followed by customer data.” When an employee’s job changes, make sure the IT
department is notified so their access privileges can be modified to fit the duties of
the new position.
5. Clean up inactive accounts
Hackers use inactive accounts once assigned to contractors and former employees
to gain access and disguise their activity. The HP/Ponemon Institute report did find
that the companies in the survey were doing a good job deleting accounts once an
employee quit or was laid off. Software is available for cleaning up inactive
accounts on large networks with many users.

Five Bonus Network Security Tips


Besides the above five network security fundamentals, it’s a good idea to also:
1. Maintain a list of authorized software and prevent users from downloading
applications that aren’t on the list. Software inventory applications can track
type, version and patch level.
2. Update the company’s written security policies. For example, spell out which,
if any, personal devices are allowed to access the company network and state
explicitly how much time users have to report lost or stolen devices. Look
into Mobile Device Management (MDM) software that can remotely wipe
devices.
3. Segregate critical data from the rest of the network and require users to
authenticate themselves before accessing it.
4. Run vulnerability scanning tools at least once a week and conduct penetration
testing, and
5. Continuously monitor network traffic to detect unusual patterns of activity
and possible threats.
