Final Assignment
Both bridges and switches work on the data link layer of the OSI model. However, switches are more advanced. Discuss how a switch has an advantage over a bridge in a network, then elaborate on the technology implemented in switches to control broadcast domains.
A bridge is a two-interface device that creates two collision domains. This is because it forwards the traffic received on one interface only to the interface where the destination layer-two device is connected (Olenewa, 2014). The main function of a bridge is to read the destination MAC address and forward the traffic only to the interface where that address is connected. A switch, on the other hand, is like a multi-interface hub in which every interface is its own collision domain. In the OSI model, a switch forms a single broadcast domain, since broadcasts are a layer-2 concept that uses MAC addresses to communicate (Lowe, 2005). A switch has an advantage over a bridge in a network because it is more secure, faster, and has many more ports.
Switches are more advanced than bridges. Bridges extend networks by maintaining traffic and signals. Bridges can do what switches do, such as filtering data and separating collision domains, but in a less advanced way. They also extend the distance a network can span. Bridges learn the MAC-layer address of each node on each segment and the interface on which it sits (Olenewa, 2014). This allows a bridge to forward a frame only if the destination MAC address is on another port, or if the bridge has not yet learned its location. Instead of sending every frame in every direction, a switch checks the destination MAC address and forwards the frame to the specific computer through the relevant port (Null, 2011). Switches serve busy LANs well and protect frames from being sniffed by other computers sharing a segment (Olenewa, 2014), because they divide the collision domain into smaller segments.
Switches construct a table that maps each MAC address to a segment. Switches may look like bridges, but they are more advanced. Bridges cannot evaluate the possible paths to a destination to determine the best route (Maggiora & Doherty, 2003). This can significantly slow the network, resulting in inefficient use of network resources. Additionally, bridges cannot use redundant paths. While two bridges can connect two networks, they pose the risk of sending packets in an endless loop between the two networks. Such a situation floods the network, making it unusable (Pabrai, 1996). Bridges cannot join dissimilar networks; for example, it is impossible to link a Token Ring network and an Ethernet network using a bridge. Switches also have built-in hardware dedicated to switching, thereby making them faster, in addition to having many ports.
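The forwarding behaviour described above (learn the source MAC per port, filter frames whose destination is on the ingress port, forward known unicast to one port, flood broadcast and unknown unicast everywhere else) as an added example; this is not code from the essay or from any cited source, and the MAC addresses, port numbers and host names A, B and C are constructed.

```python
# Added example (not from the essay): a minimal learning switch showing per-port
# collision domains and one shared broadcast domain. MACs/ports are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Forwards frames by destination MAC, learning which port each MAC is on."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # MAC address -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Return the list of ports the frame is sent out on."""
        self.mac_table[src] = in_port  # learn: src is reachable via in_port
        # Broadcast or unknown unicast is flooded to every other port: the
        # whole switch is one broadcast domain.
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table[dst]
        # Filter: destination is in the ingress port's own collision domain,
        # so the switch drops the frame rather than repeating it.
        if out_port == in_port:
            return []
        # Forward only to the port where dst was learned; hosts on other
        # ports never see the frame, so they cannot sniff it.
        return [out_port]


def demo():
    """Constructed traffic on a 4-port switch: A on port 1, B on port 2."""
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    a, b, c = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    trace = [sw.receive(1, a, b)]          # B unknown yet: flooded to 2, 3, 4
    trace.append(sw.receive(2, b, a))      # A learned on port 1: only port 1
    trace.append(sw.receive(1, a, BROADCAST))  # e.g. ARP request: all other ports
    # C shares port 1 with A through a hub; its frame to A is filtered because
    # both are in the same collision domain.
    trace.append(sw.receive(1, c, a))
    return trace, dict(sw.mac_table)


if __name__ == "__main__":
    print(demo())
```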
Despite a significant drop in the prices of switches, most domestic users enjoy very little, if any, advantage from switches, even when sharing broadband internet connections. Most users have broadband connections in the range of 1-2 Mbps, far below even a 10 Mbps speed. This implies that a switch can only benefit heavy users, such as companies and offices (Lowe, 2005). Even though bridges cannot join dissimilar networks, very few users need such capabilities, because most people use broadband and can connect devices using other technologies, such as a LAN (Maggiora & Doherty, 2003). Switches also support different speeds, including 10 Mbps, 100 Mbps, and 1 Gbps or more. In conclusion, switches operate on the data link layer, so they deal with frames instead of bits and filter them based on MAC addresses.
Briefly research the different components of the Domain Name System (DNS) and demonstrate how each component is critical to building a working DNS system.
The Domain Name System (DNS) consists of three components: the Name Space, the Globally Distributed Database, and the Resolver. The Name Space establishes the syntactical rules for structuring and creating legal DNS names (Dempster & Eaton-Lee, 2006). The Globally Distributed Database is implemented in a network of name servers. The “Resolver” software understands how to formulate a DNS query and is integrated into every internet-capable application. The function of DNS is to translate Internet domain and host names to IP addresses (Liu, Larson & Albitz, 1998). It is what allows applications to automatically convert the names typed into a Web browser's address bar into the IP addresses of the Web servers hosting those sites (Dempster & Eaton-Lee, 2006). DNS works on the assumption that IP addresses do not change. These three components are critical in building a working DNS system.
The Domain Name Space is an inverted tree hierarchy written in dot notation ("."): a DNS name made up of multiple labels represents its path along the tree to the root. The name servers implement the DNS and are distributed around the world, making the service resilient to attacks and failures and ensuring high performance. The system has mechanisms that ensure that any user reaches the DNS servers closest to that user from a network topology perspective (Dempster & Eaton-Lee, 2006). Additionally, name servers usually cache data they have recently queried, which speeds up repeated queries for the same information. Slave or secondary name servers hold replicated copies of the primary server’s data, providing redundancy and reducing the workload of the primary server. A name server also has a built-in mechanism for identifying where to find data it lacks. If a name server cannot find a domain within its zone, it passes the query to the next server, one step closer to the root, which in turn passes it on again if it cannot find the domain either.
If a name server cannot determine a domain within its zone, it transfers the query further up the hierarchy, and the process repeats until it reaches a TLD. The TLD ensures that the entire depth of the name space will be queried if necessary (Mockapetris & Dunlap, 2010). The combination of the DNS name servers and the architecture of the system creates a remarkable database. The popular TLD has more than 32 million domain names for which the whois utility works. Additionally, the data is distributed, as no single computer contains all of it. Nonetheless, the data is maintained locally even though it is distributed globally, and any device connected to the IP network can execute lookups. The updated serial mechanism in each zone ensures a form of loose coherency on the network, such that if a server identifies an outdated record, the query checks for a more authoritative name server (Mockapetris & Dunlap, 2010).
Lastly, the third component of the DNS is the “resolver.” It is a special piece of software integrated into the IP stack of every host. When a host is configured, it is assigned at least one default name server along with its IP address. This name server is the first place the host looks in order to resolve a domain name into an IP address (Rampling & Dalan, 2003). The default name server can handle a request for a domain in the local zone. However, if the default name server cannot handle the query, it passes the query further up the hierarchy, a process usually known as referral. Upon completion of the referral process, the local server caches the record and returns the address of the queried hostname.
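The referral-and-cache process described in the last three paragraphs (a resolver asking the root, being referred down the tree one step at a time, and caching the answer so the next lookup asks nobody) as an added example; this is not code from the essay or from any cited source, and the server names, the "example" TLD and the 192.0.2.10 address are constructed documentation values that never touch the network.

```python
# Added example (not from the essay): toy iterative DNS resolution with referrals
# and caching. All names, servers and addresses below are constructed.
class NameServer:
    """One zone: records it is authoritative for, plus delegations to children."""

    def __init__(self, name, records=None, delegations=None):
        self.name = name
        self.records = records or {}          # fqdn -> IPv4 address
        self.delegations = delegations or {}  # child zone -> its name server

    def query(self, fqdn):
        if fqdn in self.records:
            return "answer", self.records[fqdn]
        for zone, child in self.delegations.items():  # refer one step down
            if fqdn == zone or fqdn.endswith("." + zone):
                return "referral", child
        return "nxdomain", None


class Resolver:
    """Iterative resolver: follows referrals from the root, caching answers."""

    def __init__(self, root):
        self.root, self.cache = root, {}

    def resolve(self, fqdn):
        """Return (address, servers_asked); an empty list means a cache hit."""
        if fqdn in self.cache:
            return self.cache[fqdn], []
        server, asked = self.root, []
        while True:
            asked.append(server.name)
            kind, payload = server.query(fqdn)
            if kind == "answer":
                self.cache[fqdn] = payload
                return payload, asked
            if kind == "nxdomain":
                return None, asked
            server = payload  # follow the referral toward the leaf


# Constructed hierarchy: root -> "example" TLD -> "corp.example" zone.
CORP = NameServer("ns.corp.example", records={"www.corp.example": "192.0.2.10"})
TLD = NameServer("a.example-tld", delegations={"corp.example": CORP})
ROOT = NameServer("root", delegations={"example": TLD})


def demo():
    r = Resolver(ROOT)
    first = r.resolve("www.corp.example")   # walks root -> TLD -> corp
    second = r.resolve("www.corp.example")  # answered from the cache
    return first, second, r.resolve("nope.corp.example")
```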
Virtual private networks (VPNs) are frequently used to assure confidentiality and integrity during network communications. Discuss in depth the differences and limitations of using IPsec, TLS/SSL and SSH as VPN solutions.
A virtual private network (VPN) is a generic concept that designates a part of a bigger network that is logically isolated from that network by virtual means. It essentially helps ensure confidentiality and integrity during network communications (Nemeth, 2001). VPNs carry out their functions through different network security protocols, including IPsec, SSH, and SSL/TLS.
Secure Shell (SSH) is a UNIX-based command protocol and interface for secure access to a remote computer, filling the role that telnet used to play. It is mainly used by administrators to remotely control Web and other kinds of networks. The major limitation of protocols such as telnet is that when a request is authenticated to a server, the information is sent in the clear. This allows eavesdroppers to easily intercept these requests and masquerade as the users in question. Additionally, the data sent is plaintext, which makes access by intruders easier. If a company uses telnet to access a corporate machine, that machine could potentially store sensitive information that could find its way into the possession of an intruder (Stallings, 2011). Corporations must discontinue telnet, ftp, and remote login services and replace them with the secured versions SFTP, SSH, and SCP. Both ends of the client/server connection are authenticated using digital certificates, and passwords are protected by encryption.
TLS is a Layer 4 protocol based on SSLv3 and runs directly on top of TCP only. TLS uses PKI to provide user authentication, and symmetric keying to provide confidentiality protection. Unlike SSH, TLS is designed to prevent eavesdropping, message forgery, and tampering (Dempster & Eaton-Lee, 2006). TLS can operate in two modes. The first is mutual authentication, where both the server and the user equipment provide certificates when establishing a session (Stallings, 2011). This mode provides a high level of security, but it is computationally very expensive because it relies on public-key cryptography. The other mode is Server-Side Authentication, in which the server alone provides a certificate when establishing a session. This is commonly used today and is what secures web sessions between a web server and a user (Dempster & Eaton-Lee, 2006). It avoids the extra computational overhead of PKI operations on the user equipment. It does not require the user to own a valid certificate, and provides a medium level of security.
The main disadvantage of TLS is that it requires both the server and the client to support PKI features, while not all solutions and clients support PKI (Izadinia, 2013). PKI is mainly used in complex environments. TLS poses significant memory scaling and consumption issues when the network requires numerous TCP connections; IPsec, on the other hand, is easier to scale. Many service providers do not prefer TCP because the overheads associated with its mass use surpass those of UDP. TLS only provides hop-by-hop security, which implies that every intermediate hop would require its own protection from TLS (Dempster & Eaton-Lee, 2006). This renders TLS unable to provide true end-to-end security. TLS cannot handle dead office recovery scenarios efficiently, and with only Server-Side Authentication, just one end of the connection is authenticated.
IPSec VPNs are still widely used, especially by large corporations. IPSec is a protocol suite that runs at the network layer, Layer 3 (Izadinia, 2005). It provides integrity protection, confidentiality, data origin authentication, and replay protection for each message by encrypting and signing every message. The main advantage of IPSec is its transparency to applications. Since its operation is confined to Layer 3, IPSec has no impact on the higher network layers (Maggiora & Doherty, 2003). IPSec runs at the IP layer and, as such, is indifferent to whether application traffic is transported over UDP or TCP. This makes IPSec as appropriate for securing real-time traffic such as VoIP as it is for traditional applications. Additionally, the requirement to buy expensive dedicated leased lines from one site to another is completely eliminated, as ordinary telecommunication lines are used to transmit the data. The internal IP addresses of both participating networks remain hidden from each other and from external users. The entire communication between the source and the destination is encrypted, which means that the chances of information theft are extremely low.
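The replay protection mentioned above is worth seeing in working form: an IPsec ESP or AH receiver keeps a sliding window over recent sequence numbers and rejects any packet that is older than the window or has already been seen. The block below is an added example of that check, modelled on the RFC 4303 anti-replay window; it is not code from the essay or from any cited source, and the window size and arrival order are constructed.

```python
# Added example (not from the essay): the sliding-window anti-replay check an
# IPsec ESP/AH receiver applies to sequence numbers (RFC 4303 Appendix A style).
class AntiReplayWindow:
    """Bitmap of the last `size` sequence numbers relative to the highest seen."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (highest - i) was seen

    def accept(self, seq):
        """Return True and update the window if seq is fresh, else False.
        In real ESP this runs only after the packet's integrity check (ICV)
        passes, so forged sequence numbers cannot advance the window."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # jumped past the whole window: start over
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # too old: fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return False  # already seen: this is a replay
        self.bitmap |= 1 << offset  # late but legitimate (reordered) packet
        return True


def demo(seqs=(1, 2, 5, 3, 3, 20, 13, 12, 2), size=8):
    """Run a constructed arrival order through one small window."""
    win = AntiReplayWindow(size)
    return [win.accept(s) for s in seqs]
```

In the constructed order, the second 3 is rejected as a replay, 12 is rejected because the window has slid past it after 20 arrived, and the late 2 is rejected for the same reason.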
The main disadvantage is that IPSec requires an expensive router at each site to play the role of the VPN server. Since decapsulation, encapsulation, and decryption take place at the routers, these devices may experience processing overload and increased CPU utilization (Dempster & Eaton-Lee, 2006). This may inconvenience users through reduced communication speed. Additionally, the process of configuring an IPSec site-to-site VPN is complex and requires a highly skilled IT professional to do the job properly (Maggiora & Doherty, 2003). Both devices must be configured to communicate with each other and to use third-party software and hardware. This comes with higher configuration costs, making it suitable mainly for large corporations. Additionally, configuring IPSec and IKE is cumbersome and complex (Maggiora & Doherty, 2003). The functionality of IPSec depends on the system security of the gateway machines: no system can be trusted if the underlying machine has been subverted.
In conclusion, there is no single best protocol, because each has its limitations and benefits. The choice of protocol depends on understanding what needs to be secured. Once that question is answered, the choice of network security protocol will be easy enough. However, it is important to consider cost, security, and maintenance issues.
References:
Dempster, B., & Eaton-Lee, J. (2006). Configuring IPCop firewalls closing borders with Open Source. Birmingham, U.K., Packt Pub. http://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=236612.
Izadinia, V. D. (2005). Fingerprinting Encrypted Tunnel Endpoints. University of Pretoria. http://upetd.up.ac.za/thesis/available/etd-06092005-093203/.
Izadinia, V. D. (2013). Fingerprinting Encrypted Tunnel Endpoints. http://hdl.handle.net/2263/25351.
Liu, C., Larson, M., & Albitz, P. (1998). Understanding the domain name system (DNS). Sebastopol, CA, O'Reilly & Associates.
Lowe, D. (2005). Networking all-in-one desk reference for dummies. Hoboken, NJ, Wiley Pub.
Maggiora, P. L., & Doherty, J. (2003). Cisco networking simplified. Indianapolis, Ind, Cisco.
Mockapetris, P. V., & Dunlap, K. J. (2010). Development of the domain name system. Marina del Rey, Calif, University of Southern California, Information Sciences Institute.
Nemeth, E. (2001). Unix system administration handbook. Upper Saddle River, NJ, Prentice Hall PTR.
Null. (2011). The essentials of computer organization and architecture. [s.l.], Jones and Bartlett Publishers.
Olenewa, J. (2014). Guide to wireless communications. Boston, MA, Course Technology/Cengage Learning.
Pabrai, U. O. (1996). UNIX internetworking. Boston, Artech House.
Rampling, B., & Dalan, D. (2003). DNS for dummies. Indianapolis, IN, Wiley Pub.
Stallings, W. (2011). Cryptography and network security: principles and practice. Boston, Mass, Prentice Hall.