Securing Your WHS & Network - Part 2



Network Topology and Security

This is the second part on Securing Your WHS & Network.   We understand that those who are participating in this blog have a wide disparity of technical capabilities.  We want to provide comprehensive coverage and explain the technology in an easy to read format.  Dividing this topic into multiple parts lets us address specific areas so that threats and vulnerabilities are managed as they relate to your environment.

In Part 1 of our series we provided a history of the personal computer, talked about general concepts of threats and risk assessment, developing a security plan, and discussed in depth the concept of physical security.  We provided the criteria to identify computers and components that are critical and those that are important.  We discussed and made recommendations on physically protecting the computing and network equipment.  We identified the importance of surge and power conditioning as it related to critical and important computers and devices.

We acknowledged that key components will fail and recommended keeping spare parts on hand to replace them as a way to reduce risk.  Finally, we recommended the components to build a Windows Home Server computer that gives excellent performance, is expandable, and will provide satisfaction for years.

Part 2 of our series continues with network topology and enhancing the security plan to manage risks and vulnerabilities related to networks.  We discuss the following topics.

  1. Computer security as it relates to the single computer and to computers connected to a local area network or LAN;
  2. Threats that are involved with having a constant connection to the Internet; and
  3. Network topologies, and the performance characteristics of wired and wireless network connections. 

It is important to note that in this part we do not have an in depth identification of the threats and vulnerabilities that one may expect to encounter with managing a network that has a constant connection to the Internet.  Rather, we feel that it is important to first identify and explain each component of the network.  This information is intended to form a basis that will be used in the remaining parts of our series to identify in detail the threats and vulnerabilities and methods to manage and mitigate them.

Computer Security and the Single Computer

In this scenario there is a single computer, a laptop or a desktop, that never connects to the Internet and is used by one person.  Is there a need for computer security?  If you said "Yes", you are correct!  The computer and its files still need protection from unauthorized alteration by viruses introduced on removable media such as floppy and optical discs or memory sticks.  The computer itself needs environmental protection from electrical surges and from accidental damage such as dropping the laptop or the kids spilling milk on it.  And of course computers do not last forever, especially the hard drives and power supply.

The prudent way to protect the computer includes installing anti-virus software, connecting the computer's power supply to a surge protector or UPS, and making backups of critical files.  To be most effective, backups should be stored somewhere other than the home or small business.  Just as one keeps valuable documents in a safety deposit box at a bank, backups should be kept at a different location in case fire, weather, or hardware malfunction destroys the computer.

We will discuss in greater detail backup methods and anti-virus software in later blogs.  And, yes we will tell you how you can use that spare hard drive.

Computer Security and the LAN

This scenario has more than one computer that is connected to other computers at the same location.  The computers may be connected using wires or by wireless devices to form a LAN.  The LAN is connected to the Internet.  Homes and small businesses have an increased need to protect their computers as the number of networked computers grows.  Also the topology or how the computers are connected to the network affects the security.  Computers that use wireless network connections and LANs that connect to the Internet pose greater security risks.

With a LAN, there is an increased concern as to who is using the computer and what resources such as files, printers, or other computers that the person is permitted to use.  There still exists a concern of introducing viruses and protecting against electrical surges, accidents, and hardware failure.  The same precautions as those identified in the previous section should be taken to protect the computers and files.  The use of UPS devices to ensure continuous power during short power interruptions should be considered for computers and devices considered to be critical.

The use of the Internet by homes and small business users has become so wide-spread that being connected is considered to be the norm.  Today most homes and small businesses have LANs and maintain a constant connection to the Internet.  Internet connections are provided by cable, telephone, and satellite companies.

While the Internet has many useful benefits, the threats are numerous.  A constant connection exposes the network and its computers to attacks from anywhere in the world.  Now is the time to develop a security plan that aggressively protects the computers and files.  This is similar to moving into a new house and changing all the locks to fit a new key, adding deadbolt locks, or installing a security system.

We at Home Server Land recently searched for "computer theft" at www.fbi.gov, where there are hundreds of convictions for computer-related crime.   These cases range from identity theft, to malicious code (a "spybot") that turns infected computers into "zombies" that steal information, to child pornography.  In one case a computer security consultant was convicted of infecting up to 250,000 computers with malicious code.

As part of our risk assessment, we need to identify these types of threats and be proactive by taking the necessary steps to guard against both environmental and cyber-related vulnerabilities.  We recommend as a minimum that each computer have anti-virus software installed and that the virus signature files are maintained up-to-date.  We will discuss anti-virus software and cyber-related vulnerabilities in later blogs.

Network Topology

There are two methods of connecting your servers, computers, and media extenders in a local area network.  One is to connect each computer by cable to a central device in a hub-and-spoke configuration.  The following graphic depicts a network that interconnects organizations in different geographical areas.  Windows Home Server, using its remote access feature, supports this type of topology. 

Another method is to connect all the computers wirelessly, or to use a combination of wired and wireless connections.  The following graphic depicts a typical Windows Home Server network: the WHS computer and the desktop and laptop computers are connected to the router in a hub-and-spoke configuration, either wirelessly or by wire.  The DSL/cable modem is the device that connects the network to the Internet.

We describe both the wired and wireless LAN topologies and identify methods to provide optimal response time and network performance.  In Part 6 of this series, we identify the inherent threats and vulnerabilities, and make recommendations to mitigate them.

The Wired Local Area Network

The wired LAN connects computing devices such as servers, computers, and media extenders by cable.  Without getting overly technical, the most common technology for organizing and transmitting network traffic is called Ethernet.  Each computing device has an Ethernet network interface card with a female connector, called an RJ-45 jack.  A cable with male RJ-45 plugs at each end connects the computer's network card at one end to a network router, switch, or hub at the other. 

The cable consists of four pairs of copper wires, each pair twisted around itself; this is called twisted-pair.  The twisting reduces electromagnetic interference, or cross-talk, between the electrical signals carried on the wire pairs.  The Ethernet specification limits a twisted-pair link to 100 m (328') in total, of which at most 90 m (295') may be permanently installed cable, with the remainder for the patch cords at each end.

There are different categories of wiring.  Category 3, or Cat-3, is used for telephone traffic and low-speed networking at 10 Mbps (megabits per second).  Cat-5 can carry telephone traffic but is designed for network traffic at 10 Mbps and 100 Mbps.  Cat-5e, an improved Cat-5, is the minimum for gigabit (1000 Mbps) Ethernet.  Cat-6 can carry everything the lower categories can and is designed for gigabit traffic with more margin against noise, which is the tolerance that gigabit links need on longer or noisier runs.

The device at the other end of the cable is a network router, switch, or hub.  This forms a classic hub-and-spoke topology in which each computing device communicates with the others through that central device.  From the computer's point of view the three look alike, but they forward traffic differently, and each has limitations and benefits that affect its use and, as described below, how much of the network's traffic each attached computer can see.

The Wireless Local Area Network

Wireless networking between computers is usually called Wi-Fi.  (Despite the common explanation, Wi-Fi is a brand name of the Wi-Fi Alliance, not an abbreviation of "wireless fidelity.")  A wireless LAN uses high-frequency radio signals to communicate with other computing devices such as computers, printers, and media extenders.  Laptop computers usually have a wireless adapter built in; desktop computers can have a wireless network interface card installed.  These adapters transmit to and receive from a device called a wireless access point.   The access point bridges the wireless clients onto the wired LAN, so for those clients it plays the role that a switch plays for wired computers. 

The maximum range of the wireless signal is limited by the specification the manufacturer has implemented.  The most common specification in use today is 802.11g.  Devices based on it have a maximum raw data rate of 54 Mbps (roughly 19 to 22 Mbps of usable throughput after protocol overhead) and operate in the 2.4 GHz band.  They can transmit over an unobstructed distance of roughly 150' (45 m) indoors and 300' (90 m) outdoors.  Both speed and range are reduced by obstructions such as furniture, walls, and floors. 

Other conditions reduce the speed and range.  If an older device that supports only 802.11b joins the network, the access point must fall back to slower 802.11b-compatible signaling, and the throughput of the whole network drops significantly.  The 2.4 GHz band is also crowded: microwave ovens, cordless telephones, baby monitors, and Bluetooth devices all operate at the same frequencies.  They cause interference that reduces the throughput of wireless traffic.

A new 802.11n specification is officially in a draft stage.  Many manufacturers are not waiting for final approval.  They are implementing what they consider will be finally approved.  This is similar to what had been done prior to the final adoption of the 802.11g specification and products that were released prior to the finalization suffered from compatibility problems.  We fear that early adopters of 802.11n will encounter the same fate.

The goal of the 802.11n specification is to increase the maximum raw data rate to 600 Mbps.  Currently, early adopters of home-use products are attempting to achieve 300 Mbps; high-end products are attempting to achieve 600 Mbps. 

The increase in speed comes from two techniques.  The first is MIMO (multiple-input, multiple-output), which uses several antennas to send and receive more than one data stream at once over the same channel.  The second is channel bonding, which combines two adjacent 20 MHz channels into one 40 MHz channel.  The combined effect is similar to dividing network traffic across two Ethernet connections in the same computer to double the data rate, a capability that most server and many high-end gaming motherboards provide.

Below is a wireless access point that supports all four specifications, 802.11a, 802.11b, 802.11g, and 802.11n, to support legacy products and to maximize transmission speed.  Note the multiple antennas; 802.11n uses several at once to send and receive its separate data streams.

We want to point out that, as Ethernet is limited by speeds of devices at either end of the cable, so is wireless.  The wireless technologies are backward compatible but the speed that can be transmitted between the access point and computer is limited to the speed of the slowest device.

The wireless access point can be part of the router and some routers have built-in DSL or cable modems.  Depending on the number of Ethernet connections that are used on the network, this device may be all that is needed for the network.  If computers are widely dispersed or there is a noticeable delay with network traffic, some computers may benefit by the use of wired Ethernet.

The Network Router

The router is the device that connects the LAN to the Internet service provider's (ISP) interface device, which is either a cable or DSL modem.   Every network that connects to the Internet has a router.  The router has one RJ-45 port (usually labeled WAN or Internet) that connects to the ISP interface device and, depending on the model, up to eight LAN ports for Ethernet cables to computing devices.  If the number of Ethernet cables on the network does not exceed the number of LAN ports on the router, no other device is needed.

The majority of routers support a maximum speed of 100 Mbps on their LAN ports.  If two or more computers on the network have gigabit network cards and are connected with Cat-5e or Cat-6 cable, connecting them through such a router limits their traffic to 100 Mbps instead of 1000 Mbps.  A switch that supports gigabit traffic is needed to take advantage of the higher speed.

This is an example of a router that includes a wireless access point.  The router is connected to the ISP interface device with a Cat-5 cable.  There are four ports available to connect to computers with Cat-5 cable.

Part 5 includes a detailed overview of how a router functions and how it is used to establish a security perimeter for the network.

The Network Switch

A switch can have from four to 24 ports with maximum speeds of 100 Mbps or 1000 Mbps.  A switch learns which network card (identified by its MAC address) sits behind each port and forwards a frame only to the port where its destination is, so two computers can exchange data at full speed without slowing, or being overheard by, the others.  Each port also negotiates its speed to match the computer's network card and cable.  To connect two or more computers at 1000 Mbps one needs a switch capable of 1000 Mbps.

The Network Hub

A typical hub has from four to eight ports with maximum speeds of 10 Mbps or 100 Mbps.  The speed of the hub is normally determined by the slowest device connected to it.  A hub does not learn addresses; it simply repeats every frame it receives out of every other port, so all attached devices share the same bandwidth and one device's traffic slows everyone else.  It also means that any computer on the hub can read every other computer's traffic, which matters once a single compromised PC is on the LAN.  At one time the hub was a lower-cost option than a switch; switch prices have now fallen to the point where there is no advantage to buying a hub.  We therefore do not recommend purchasing hubs.
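To make the difference between the two devices concrete, here is a small simulation of a four-port hub and a four-port learning switch in the hub-and-spoke layout described in the switch and hub sections above.  It is an added example written for this edit, not code from Home Server Land; the MAC addresses, the four hosts, and the "file copy" frames are all constructed for the demonstration.  It replays the same frames through both devices and reports which computers could read each one.

```python
"""Hub versus learning switch: which computers can read each frame.

Added example, not code from the Home Server Land article.  The LAN,
MAC addresses and sample frames below are constructed for illustration.
A hub repeats every frame out of every other port; a switch learns which
MAC address is behind each port and delivers unicast frames only there.
"""
from __future__ import annotations

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address (or BROADCAST)
    payload: str  # label for the sample traffic, e.g. "SMB file data"


class Hub:
    """Repeats every frame to all ports except the one it arrived on."""

    def forward(self, in_port: int, frame: Frame, ports: int) -> set[int]:
        return {p for p in range(ports) if p != in_port}


class LearningSwitch:
    """Learns src MAC -> port on every frame; floods only frames whose
    destination is broadcast or not yet in the table."""

    def __init__(self) -> None:
        self.table: dict[str, int] = {}

    def forward(self, in_port: int, frame: Frame, ports: int) -> set[int]:
        self.table[frame.src] = in_port
        if frame.dst != BROADCAST and frame.dst in self.table:
            out = self.table[frame.dst]
            # Destination sits on the ingress port: nothing to forward.
            return set() if out == in_port else {out}
        return {p for p in range(ports) if p != in_port}


def run(device, ports: int, hosts: dict[int, str],
        frames: list[Frame]) -> list[tuple[str, set[str]]]:
    """Replay frames through the device.  hosts maps port -> MAC.
    Returns, per frame, the set of MACs whose port received a copy."""
    port_of = {mac: port for port, mac in hosts.items()}
    result = []
    for f in frames:
        out_ports = device.forward(port_of[f.src], f, ports)
        result.append((f.payload, {hosts[p] for p in out_ports if p in hosts}))
    return result


# Constructed sample LAN: one host per port of a four-port device.
WHS, DESKTOP, LAPTOP, OTHER = ("02:00:00:00:00:0%d" % i for i in (1, 2, 3, 4))
HOSTS = {0: WHS, 1: DESKTOP, 2: LAPTOP, 3: OTHER}

# Constructed sample traffic: the desktop copies a file from the WHS.
SAMPLE_FRAMES = [
    Frame(DESKTOP, BROADCAST, "ARP who-has WHS"),
    Frame(WHS, DESKTOP, "ARP reply"),
    Frame(DESKTOP, WHS, "SMB read request"),
    Frame(WHS, DESKTOP, "SMB file data"),
]


def exposure(device) -> dict[str, list[str]]:
    """payload -> sorted list of MACs that could read that frame."""
    return {payload: sorted(macs)
            for payload, macs in run(device, 4, HOSTS, SAMPLE_FRAMES)}


if __name__ == "__main__":
    for name, dev in (("hub", Hub()), ("switch", LearningSwitch())):
        print(name)
        for payload, readers in exposure(dev).items():
            print(f"  {payload:18s} readable by {len(readers)} host(s): {readers}")
```

Run it and the hub column shows every frame, including the file data, delivered to the laptop and to the fourth PC that have nothing to do with the copy; the switch delivers only the initial broadcast to everyone and the rest to the single destination port.  Treat that as an efficiency and privacy property rather than a security boundary: a switch's address table can be poisoned or overflowed (ARP spoofing, MAC flooding) so that it misdirects or floods traffic again, which is why the later parts of this series still rely on the router perimeter and on host-level protections.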

Home Server Land's Recommendation:

We at Home Server Land make the following recommendations to enhance the security and performance of your Windows Home Server and network:

  • All devices based on 802.11a and 802.11b are removed from the wireless network, especially if the access point supports 802.11g;
  • The Windows Home Server is connected to the network with Ethernet cabling, taking advantage of 1000 Mbps.  In Part 1, we recommended that the WHS have at least one 1000 Mbps network interface.  Depending on the demand placed on the WHS, one should consider dual network interfaces and bonding the traffic on both connections;
  • All other desktop and server computers are connected to the network by wired Ethernet cables, and their network interface cards support at least 100 Mbps;
  • Laptops with wireless capability take advantage of the wireless network;
  • The router supports Ethernet connections of at least 100 Mbps.  If the number of computer connections exceeds the number of ports on the router, we strongly advise a network switch capable of 1000 Mbps with enough ports to connect the WHS and the other computing devices that have 1000 Mbps network interface cards;
  • Media extenders, if used, support an Ethernet connection of at least 100 Mbps;
  • We do not recommend the purchase of new network hubs; and
  • We do not recommend investing in 802.11n wireless devices until the standard has been ratified.

A Network Topology and Security Risk Assessment Guide is attached at the end of this blog.  The guide helps to identify network topology threats or vulnerabilities and methods to prevent or mitigate them.  The Threat and Risk Assessment Worksheet can be used to document threat areas that apply to your network.

Summary

This concludes Part 2 of Securing Your WHS & Network.   We hope that you are being exposed to all this technology in a way that is understandable and informative.

Network topology, performance characteristics, and network devices that are commonly used were identified and compared.  We discussed computer security as it relates to the single computer and to computers connected to a LAN, and threats involved with having a constant connection to the Internet.

By explaining in detail all the topics in this part we are providing the basis for a common understanding of the terminology, technology, and methodology as it relates to the Windows Home Server and network.  Our recommendations can be used to plan for future purchases of computer and network equipment and to plan for the obsolescence of legacy components.  This planning is part of the computer security plan.

Part 3 of Securing Your WHS and Network continues our analysis of performance and security considerations of Internet service providers.  The different types of services that are offered by ISPs are compared.  Strengths and weaknesses of each provider type and service offering are analyzed. We expand the risk analysis worksheet that was presented in Parts 1 and 2.

Part 4 begins a very detailed analysis of the network topologies and devices as they relate to the identification and management of threats and vulnerabilities.   Part 4 and all subsequent parts rely on the basic understandings that are presented in Parts 1 through 3. 

In the meantime, we invite your comments and to participate in a discussion in response to this blog.



  • I found this article to be informative and well organized.  I haven't purchased network hardware in a while, but I'm glad that the switches have finally come down in price to match hubs, rendering hubs almost obsolete.  The explanation about hubs vs switches was concise and complete too.  Thanks for a well done article.  I look forward to the next part in this series.

  • I am wondering should I get CAT6 or will CAT5e work the same?

  • CAT6 has greater tolerance than CAT5e.  CAT5e is marginally better than CAT5.  That said, I have used CAT5 to connect the gigabit nic in my computer to my gigabit switch.  The connection speed registers 1.0 Gbs.  The run is about 20 feet and I am using a high quality cable.

    The true test is when you transfer a file to another computer on the network.  In my case, the WHS has a gigabit card and a 3 foot CAT5 cable to the switch.  When I copy a 1GB file, the speed ranges from 8.1 to 9MBs (1000 bytes per second).  Assuming 10 bits per byte (data plus overhead) the max speed is 90Mbs.

    Based on this test, I am getting 90% the throughput of a 100Mbs connection.  The cable plays a significant role with the throughput of network traffic.  

    I would suggest that you use CAT6 cable.  Specifications for CAT7 are already on the drawing board.

    You didn't mention if you are planning to make your cables.  If you are, make sure you use the male and female connectors that are rated for CAT6.

  • That is a very good answer. I will get CAT6 and not risk it. Thanks
