The purpose of this course is to outline the best practices that senior network administrators should follow. This includes configuring and operating the network as well as managing network usage and organizing the roles and responsibilities of IT department staff. This course will cover a broad spectrum of subjects and concepts including configuration, security, documentation, and management.
Lessons
1. Establishing your network configuration: As the senior network administrator, you're responsible for the overall setup and configuration of every element of your network. Although you may assign specific tasks to junior administrators and technicians, they'll look to you for the overall organization of the network infrastructure. In this lesson, you'll explore how networks are constructed.
2. Ensuring security for the network: Establishing and maintaining network security is a vital function of the senior network administrator. The greatest challenge in utilizing security measures is to keep your network reasonably safe from threats while maintaining network functionality and productivity. In this lesson, you'll find out what you need to know about keeping your network secure.
3. Working with operational management: The job of a senior IT administrator includes establishing, maintaining, and updating all of the documentation for the IT department. These documents include operational plans for network functioning and all the policies that define network access and use. In this lesson, you'll learn how to create operational plans, and network policies and procedures, as well as how to assign roles and responsibilities.
4. Controlling email: Although a network provides a wide variety of daily services to end users, no service is more vital than access to email. Unfortunately, it's also a major security concern for most senior systems administrators. In this lesson, you'll learn how to take charge of this powerful and problematic network application.
5. Monitoring and maintaining the network: After you get the network up and running the way you want, you have to ensure that network operations remain within the guidelines you've established. In this lesson, you'll learn how to monitor your network, modify the infrastructure as your network business needs change and grow, and keep a tight rein over how software is installed and updated on networked computers.
6. Recovering from disaster with backup and restore: The best way to recover from a disaster is to be prepared before it happens. The greatest defense you have as a senior administrator is to be proactive rather than reactive. In this lesson, you'll learn how to create a recovery plan that'll have your network up and running as quickly as possible after a disaster strikes.
Lesson 1: Establishing your network configuration
As the senior network administrator, you're responsible for the overall setup and configuration of every element of your network. Although you may assign specific tasks to junior administrators and technicians, they'll look to you for the overall organization of the network infrastructure. In this lesson, you'll explore how networks are constructed.
This class is geared toward the senior network administrator of a small to medium-sized organization. It describes the best practice factors every network administrator should follow. These elements include the overall configuration of the network itself as well as managing network usage and organizing roles and responsibilities of the IT department staff. To achieve this purpose, this class will cover a broad spectrum of subjects and concepts, including configuration, security, documentation, and management. Although the responsibilities of this role may seem daunting, this class will help prepare you to perform all of the necessary functions and duties of a senior network administrator. The variety of network and connectivity designs and configurations used in a business environment is staggering. This lesson doesn't try to address all possible configurations; rather, it covers the basics you'll need to know as an administrator to establish and create an appropriate connection configuration. You might not use all of the typical connection solutions available, such as wireless, but it's still prudent to examine all of the common options. Remember that this isn't an exhaustive study in network design. In this lesson, you'll learn just enough to get your feet wet. You'll have plenty of time to go for a swim as you delve deeper into network management in this class.
HP business desktop PCs are not only easily networked, but feature a long lifecycle and extensive configuration options, as well as high performance and manageability.
Connection configuration
It's a foregone conclusion that if you establish no other network connection type, you'll be configuring a LAN (local area network) for your organization. While the vast majority of us work in a networked environment every day, LAN design and configuration requires a skilled administrator. Networking an office or office suite is more than playing a game of "connect the dots." Creating a network that meets your needs the first time will prevent expansion and troubleshooting headaches down the road. You need a clear vision of the user, service, and application requirements for the LAN. So let's take a look at some of the more common elements in LAN design.
requirements. Keep in mind that they won't necessarily make design suggestions that are technically feasible, or that fit within budgetary constraints. To learn your customer's goals for the network, ask the customer to define an overall business goal in a short, compressed statement by answering the following:
How do you measure success relative to a network?
Which applications will you use and which are mission critical? It's important to get a clear picture of which applications and services your customer expects to use over the network. This includes user applications and services such as email, file sharing and transfer, and database access as well as system applications such as authentication, directory services, and software distribution. Have the customer rank applications as being extremely critical, somewhat critical, and not critical.
How will your employees access the network?
Do you want to integrate data and voice communication?
Customer decision-making usually involves business politics as well as business goals. You need to discover which managers and departments have goals that conflict with each other, which have technological preferences based on "ideology" rather than sound business goals and design, and who the supporters and opponents of the project are. Budget and staffing limitations may sometimes have a harsh effect on your design. Your proposal must not only be within the customer's monetary scope, but the customer must also have, or be capable of recruiting, the necessary support staff. If this is an in-house project, you likely will support the network you're designing; however, a corporate customer will need to develop its own day-to-day support system. Another limiting factor is scheduling: when does the customer need to have the network constructed and operational? Work with the customer to develop the final due date as well as milestone points.
Data broadcasts use smaller-sized frames and don't have the same processing requirements on a networked device. Multimedia broadcast frames, by comparison, are usually several megabits in size.
LAN addressing occurs at Layers 2 and 3 of the OSI (Open Systems Interconnection) reference model. Although MAC (Media Access Control) addresses are coded on the NICs (network interface cards) of networked devices, part of your design is to develop a Network layer addressing scheme. Your addressing and subnet schemes are dependent, to a degree, on the number of users on individual network segments and how many subnets are required by the customer to accomplish their goals. When creating a network design for a department, office, or campus, the architecture of your switch fabric will determine how bandwidth and throughput are allocated to different parts of the structure. This combines both hardware and software to move data efficiently throughout the network, minimizing delay by allowing switching paths to be controlled. Placement of switches allows you to contain collision domains, filter traffic by priority, and select half- or full-duplex mode based on need. The use of STP (Spanning Tree Protocol) on a switched network is required to prevent broadcast loops across interswitch channels. Your design should accommodate the delay caused by slow STP convergence. You can also bias the selection of the root switch to fit your requirements rather than allow automatic election to take place.
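The Network layer addressing scheme described above is easiest to get right if the subnet sizes are derived from the per-segment host counts rather than guessed. The following is an added example, not code from the course or from HP: it takes a constructed table of segments and host counts, works out the smallest prefix that fits each one, and carves the subnets out of one address block largest-first (VLSM), raising an error when the block is too small. The segment names, host counts and the 10.10.0.0/22 block are all assumptions made up for the example.

```python
import ipaddress

# Constructed example: hosts required on each segment of a small office network.
SEGMENTS = {
    "core-links": 6,
    "servers": 40,
    "staff-floor1": 120,
    "staff-floor2": 90,
    "voip": 60,
    "management": 10,
}


def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix whose usable addresses (2^n - 2) cover `hosts`."""
    bits = 1
    while (2 ** bits) - 2 < hosts:
        bits += 1
    return 32 - bits


def plan_subnets(block, segments):
    """Allocate one subnet per segment inside `block`, largest segment first
    (variable-length subnet masking). Returns {segment: IPv4Network} and
    raises ValueError when the block cannot hold every segment."""
    free = [ipaddress.ip_network(block)]      # pool of unallocated space
    plan = {}
    for name, hosts in sorted(segments.items(), key=lambda kv: kv[1], reverse=True):
        plen = prefix_for_hosts(hosts)
        # best fit: the smallest free block that can still hold a /plen
        candidates = [n for n in free if n.prefixlen <= plen]
        if not candidates:
            raise ValueError(f"no room for {name} (/{plen}) in {block}")
        chosen = max(candidates, key=lambda n: n.prefixlen)
        free.remove(chosen)
        if chosen.prefixlen == plen:
            plan[name] = chosen
        else:
            # carve the first /plen out of the chosen block and return the
            # remainder (as a minimal set of CIDR blocks) to the pool
            plan[name] = next(chosen.subnets(new_prefix=plen))
            free.extend(chosen.address_exclude(plan[name]))
    return plan


def usable_hosts(net):
    """Usable host addresses in an IPv4 subnet (network and broadcast excluded)."""
    return net.num_addresses - 2


if __name__ == "__main__":
    for seg, net in plan_subnets("10.10.0.0/22", SEGMENTS).items():
        print(f"{seg:14s} {net}  ({usable_hosts(net)} usable, {SEGMENTS[seg]} needed)")
```

Allocating largest-first keeps the leftover space in the fewest, largest blocks, which is what you want when a department later asks for another segment; the management subnet ends up as its own small block, which also makes it a clean target for the management ACLs discussed later in the lesson.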
This lesson assumes you're designing an Ethernet network using a physical and logical star topology. Although other network topologies and types exist, they're not as common and it's unlikely that you'll be required to develop a plan using ring or bus types. Of greater importance is the hierarchical network design. In general, networks are created at three different levels: core, distribution, and access. A graphic of this design is shown in Figure 1-1.
Figure 1-1: Hierarchical network design.
The core layer of your network is the high-speed switched backbone that enables vital corporate transmissions. Qualities of this layer include:
High reliability
Fault tolerance
Quick adaptability
High redundancy factors
The distribution layer represents the conduit between the core and access layers. The characteristics typically seen at this layer are security, department or workgroup access, routing between VLANs, and broadcast and multicast domain containment.
The distribution layer actually has many different roles in a network design but doesn't have to contain all the possible roles.
The access layer allows end users access to local network segments. Qualities at this layer can include division of collision domains, and switched and shared bandwidth. In small office environments, this layer allows smaller branch offices to connect to the central office using such WAN (wide area network) technologies as ISDN (Integrated Services Digital Network) and frame relay. Figure 1-2 shows an example of the access layer in action.
Figure 1-2: Branch office accessing central office.
This layered model can be implemented in a switched and routed hierarchical design. Figure 1-3 shows a switched design.
Figure 1-3: Switched design.
Figure 1-4 shows a routed hierarchical design.
Although LANs are still the most common network configuration, your business may need to implement a more complex network design, in the form of a virtual or wireless network, or a combination of designs.
This how-to guide from HP walks you through the steps needed to evaluate the role wireless networking technologies might play in your organization's overall networking solution, and helps you understand what it will take to implement a wireless networking solution.
Actually, the management VLAN or VLAN 1 communicates with the switches and provides VLAN updates using VTP.
Not only is switch-positioning affected in your design by a requirement for VLANs, but switch access to routers is also impacted because traffic to and from VLANs must be passed through a router.
VPN design
VPN (virtual private network, or virtual private networking) is a method that lets a remote user communicate privately with the central office over a public telecommunications network such as the internet. If your customer's requirements include telecommuters or traveling "road warriors" who do much of their work from remote business sites, you need to build VPN into your design. You can also use VPN as an alternative to expensive leased lines to allow small branch offices to communicate with the central office. There are three main types of VPN solutions you can implement in your design:
Remote access VPN: Also known as VPDN (Virtual Private Dialup Network), this VPN is used by telecommuters and traveling users. Traditionally, this VPN type was accessed via dial-up directly into the central office network; however, this isn't very cost-effective because it relies on toll calls. More commonly, the user makes a connection to their ISP (internet service provider) and then to the corporate office across the internet.
Site-to-site VPN: Typical users of a site-to-site VPN are branch offices connecting to the main office. This is a lower-cost alternative to using leased lines to connect offices. This method is also used for corporate intranets and extranets, the latter being used by other companies partnered with your customer.
Firewall-based VPN: This type of VPN is deployed as a site-to-site solution. It isn't technically different from a site-to-site VPN; however, it includes firewalls to provide for greater security needs. Security best practices will be covered in Lesson 2.
WLAN design
WLANs (wireless LANs) are common on business networks today; however, they can pose a significant security risk because wireless security still lags behind its wired equivalent. It's best to include a wireless component in your design only if you can reasonably ensure that critical network traffic doesn't travel through the airwaves. Also, you can improve wireless security if you adjust power levels on wireless APs (access points) so that the transmission radius doesn't spill outside the business environment. Directional antennas can also reduce access to RF (radio frequency) data signals, at least in bridging APs.
If you're implementing your network design in a building that isn't and can't be cabled with Category 5 or 6 cabling due to expense, a wireless infrastructure may be your only option. For example, older motels that want to offer guests free high-speed internet access often select a wireless solution as an inexpensive alternative to the costly job of cabling their building or buildings.
If you use wireless connections in a business environment, the following are minimum security precautions:
Implement MAC address filtering and WEP (Wired Equivalent Privacy). However, WPA (Wi-Fi Protected Access) provides much better encryption and is preferred over WEP.
Require wireless users to authenticate to a RADIUS (Remote Authentication Dial-In User Service) server.
Include VPN with WLAN use.
Regardless of these protections, think of your WLAN as an untrusted network sitting outside of your firewall.
Servers can be considered a networking device to the degree that they provide the network with directory services, DHCP (Dynamic Host Configuration Protocol), DNS (Domain Name System), and other services that are required for other devices to use the network successfully.
Looking for products for your LAN, WAN, or WLAN, or for networking management and solutions? Look no further than the ProCurve Networking Portfolio index at HP.
Device management generally involves the first three layers of the OSI model, which cover devices from hubs to routers. The responsibilities of a network administrator and systems administrator overlap to a degree at the Transport layer, however, depending on the network and organization. Network support can also include services such as DNS, WINS (Windows Internet Naming Service), DHCP, storage, and directory services because such services are deeply integrated into the overall functioning of the network. Depending on which vendor manufactured your devices, there are usually integrated tools and log files you can use to oversee the functioning of these devices. It's rare that you'll have the opportunity to design and build a network from scratch and far more likely that you'll maintain and upgrade an existing network. Change and configuration management is vitally important in most cases.
The CLI (command-line interface) is a common tool for switch and router management. Each network device vendor provides proprietary software for its devices, so the command structure varies depending on the devices you purchased. You need to be skilled using your preferred vendor's CLI. Basic switch settings that you must configure include IP (Internet Protocol) address, subnet mask, and default gateway. Also, part of device management is VLAN management, system time management, and voice configuration (if relevant). Other features or services that require switch configuration are port analyzers, flooding controls, SNMP (Simple Network Management Protocol), managing ARP (Address Resolution Protocol) and MAC address tables, STP, and TACACS+ (Terminal Access Controller Access Control System+).
Direct management of any network is usually preferred to remote management, for security reasons. If you must manage remotely (which includes routers as well), do the following:
Use SSH (Secure Shell) instead of Telnet. Although Telnet has been widely used for years, it's not secure. SSH provides a much higher level of security with little inconvenience.
Back up the switch's configuration file. As you make changes, it's possible that you can introduce an error that renders the switch unusable. Configuration files are usually text-based files, so restoring them is simple.
Router oversight shares some overlap with switch management. Configuration files are text-based and the console interface is similar, especially if you use the same vendor for your switches and routers. A reliable CLI is sometimes easier for an experienced network administrator to use than some GUIs (graphical user interfaces). Some of the features and services you need to configure and monitor on a router are ACLs (access control lists), interface addressing, monitoring network traffic, managing the dynamic routing protocol, and SNMP. You should also use the Syslog utility to collect router console messages.
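Because switch and router configuration files are plain text, the backups the lesson recommends also give you a change-management record: diff each new backup against the last one and flag the changes that weaken security before they go unnoticed. The following is an added example, not code from the course or from any vendor: it diffs two constructed IOS-style configuration snapshots and reports changes such as Telnet being re-enabled on the VTY lines, a default SNMP community string, or a management ACL being opened up. The snapshots, the hostname and the community strings are made up for the example, and the patterns are a starting point you would extend for your own vendor's syntax.

```python
import difflib
import re

# Constructed IOS-style snapshots (not real device output). AFTER shows the
# kind of drift a configuration review should catch.
BEFORE = """\
hostname core-sw1
ip access-list standard MGMT
 permit 10.10.1.128 0.0.0.15
 deny   any
snmp-server community s3cretRO RO MGMT
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

AFTER = """\
hostname core-sw1
ip access-list standard MGMT
 permit 10.10.1.128 0.0.0.15
 permit any
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

# Each pattern is matched against a unified-diff line ("+" added, "-" removed).
RISKY = [
    (re.compile(r"^\+\s*transport input .*\btelnet\b"), "cleartext Telnet enabled on VTY lines"),
    (re.compile(r"^\+\s*snmp-server community (public|private)\b"), "default SNMP community string"),
    (re.compile(r"^\+\s*snmp-server community \S+ (RO|RW)\s*$"), "SNMP community with no ACL"),
    (re.compile(r"^-\s*access-class "), "VTY access-class removed"),
    (re.compile(r"^\+\s*permit any\s*$"), "ACL opened to any"),
]


def config_diff(before, after):
    """Unified diff of two config snapshots with no context lines."""
    return list(difflib.unified_diff(before.splitlines(), after.splitlines(),
                                     "before", "after", lineterm="", n=0))


def review(before, after):
    """Return (message, diff line) for every changed line matching a risky pattern."""
    findings = []
    for line in config_diff(before, after):
        if line.startswith(("---", "+++", "@@")):
            continue  # skip diff headers
        for pattern, message in RISKY:
            if pattern.search(line):
                findings.append((message, line.strip()))
    return findings


if __name__ == "__main__":
    for message, line in review(BEFORE, AFTER):
        print(f"{message}: {line}")
```

Run this against consecutive backups from the same device; a clean diff is the normal case, and anything it reports is a change that should already exist in your change log.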
You can monitor router traffic with MRTG (Multi Router Traffic Grapher), which is free software licensed under the GNU General Public License. MRTG enables you to review network traffic patterns to quickly determine if you're experiencing an unusual traffic load. You can find out more about MRTG at the MRTG website.
Deciding which routing protocol to use can occasionally be a puzzle, depending on where the router is placed on the network. The following are the most commonly used routing protocols:
OSPF (Open Shortest Path First): Routes within the hierarchical network infrastructure.
BGP (Border Gateway Protocol): Routes in interdomains.
EGP (Exterior Gateway Protocol): Routes between multiple domains.
Other common routing protocols include IGRP (Interior Gateway Routing Protocol), EIGRP (Enhanced Interior Gateway Routing Protocol), and RIP (Routing Information Protocol).
Hubs are simple devices compared to switches and routers; however, more intelligent hubs require some management. You can configure intelligent hubs for SNMP, traffic monitoring, stacking, user accounts, and device security. You can upgrade some hubs with a management module that allows additional features to be added. You can also access the management console on a switch or hub using the same method: by connecting a computer to the device using its serial port.
Scripting reference
The specifics of writing automation scripts are beyond the scope of this class. However, you can learn about automating TCP/IP networking on clients, for example, by visiting the Microsoft Automating TCP/IP Networking on Clients website.
SNMP uses a MIB (Management Information Base), which is a collection of information organized in a hierarchical structure and describes various qualities about the managed device. Each piece of information is considered a managed object and is identified by object identifiers. Object identifiers are values that uniquely identify the managed object in the information base. Each individual managed object represents a single quality or characteristic on the managed device. SNMP queries managed devices periodically to assess the condition of these devices. The NMS can send numerous requests to a device without receiving a response. The agent uses SNMP traps on a managed device to report some significant event to the NMS, such as when CPU usage goes over a particular amount.
SNMP is considered the de facto network device management standard. Network monitoring will be covered in more detail in Lesson 5.
solution, you must have a plan. The same is true for automation. Although automation has the benefits of reducing the amount of time it takes to perform tasks, reducing errors, and freeing up the time of IT staff, it only works as well as it's designed. Your automation plan should be part of your overall design plan for the network, and you should prepare to spend a significant amount of time and effort in its development. Automation is essentially a programming task and, like all programming tasks, it should be completely developed and tested before being put into production. Lack of attention to even a few details can result in you spending the same amount of time fixing a problem that you had hoped to save.
The tasks you can automate with administration scripts are almost endless. A partial list includes:
Updating software
Synchronizing folders
Automating backups and archiving
Managing DNS
Cleaning up Active Directory
Archiving logs, including web server logs
You can automate updating tasks, such as Microsoft Windows Automatic Updates, after spending just a few minutes in the GUI.
A best practice is to not allow Windows Automatic Updates on a production network. Instead, test patches and hotfixes in a test environment to determine their effect, including any problem issues, before updating your production network.
Some software programs such as the Mozilla Firefox web browser are now largely self-updating; however, there is no single, overall standard for updating all software on a device.
Moving on
In this lesson, you learned about network connection planning and design, and how to work with a customer to integrate organizational goals into network development. You also reviewed different types of networks such as LANs, VPNs, VLANs, and WLANs, and explored hierarchical network design. Before moving on, complete the assignment and take the quiz for this lesson. Then, head over to the Message Board to share your experiences and questions with your classmates and instructor. In Lesson 2, you'll tackle security best practices on a network, including testing security and locking down access.
Assignment #1
Using a web browser, visit the following sites and review the specified information:
Network design links at Network Computing
Networking tutorials at CLN.org
Networking terms at Networking Knowledge Base
Network infrastructure white papers at Bitpipe
Compile notes about significant features and details as you visit each website, and apply the information to your own network, if applicable.
Quiz: #1
Question 1: Which layer of hierarchical network design provides security and routing between VLANs?
A) Core
B) Distribution
C) Access
D) Connection
Question 2: True or False: Site-to-site VPN provides an inexpensive alternative to leased lines when connecting a branch office to a main office but isn't used by traveling employees connecting to the main office from numerous different customer locations.
A) True
B) False
Question 3: Device management generally involves which layers of the OSI model? (Check all that apply.)
A) Physical
B) Data Link
C) Network
D) Transport
Question 4: True or False: You install an SNMP agent on the NMS and enable it to query managed devices on the network.
A) True
B) False
Lesson 2: Ensuring security for the network
Establishing and maintaining network security is a vital function of the senior network administrator. The greatest challenge in utilizing security measures is to keep your network reasonably safe from threats while maintaining network functionality and productivity. In this lesson, you'll find out what you need to know about keeping your network secure.
Whether you need help with assessing your vulnerabilities, or with writing or implementing your security policy, HP offers a collection of robust resources to help you define the right security practices for your business.
With HP services like Total Education One and IT Professional Help Desk for SMB, users are able to quickly identify and solve their own computer problems, without having to rely on you.
How to develop network policies and procedures, including those affecting security, will be addressed in Lesson 3.
Basic proactive tasks of your group include:
Setting and changing firewall and SNMP configurations
Creating and managing ACLs
Evaluating and installing updated software, particularly security patches. Remember that, if feasible, you should always test any software upgrades in a test environment that's isolated from your production network. After you observe the response of a patch or hotfix and eliminate potential problems, you can update your entire network.
Changing passwords on all network devices and servers regularly
Limiting access to network devices to necessary personnel only. If you suspect that an unauthorized member of the IT staff or another department has obtained access to a device, change the password immediately and conduct a review of how the breach happened. Even a relatively well-meaning person can misconfigure a switch or router, bringing portions of the network to their knees.
Security monitoring is like network monitoring except that instead of doing a regular review searching for any significant change in operations, the review is focused on detecting any change that may indicate a breach of network security. Monitor firewalls in real time because even a small interruption in their functioning leaves the sensitive areas of the network vulnerable. Any suspicious network change noticed by a nonsecurity group member should be reported immediately to security staff.
The key to a reactive security measure is quick detection and response to the intrusion. The response, once an intrusion is detected, is to recover the lost data or service as quickly as possible, and to determine the point of entry and correct the situation that allowed unauthorized access. The affected device or systems might have to be shut down to prevent further access until the problem is corrected. Your security group should respond first and be available 24/7. Other reactive tasks include contacting your carrier and trying to trace the attack to its source.
In some cases, you must contact law enforcement and, in all cases, notify the relevant managers and legal staff. Determine just how much damage was done by reviewing all records of the event including logs, active user accounts, and "sniffer" traces. Log files and other records may contain information about the current incident and a history of similar attacks not previously detected. You may have to limit user accounts or even temporarily disable internet access. Also, even if you believe only one area of the network was affected, review all other systems and look for signs of intrusion.
system. Changes to the network may have occurred over time and had an effect on security. One important question to consider is: Who will perform the security testing? The natural candidates are in your internal security group. After all, they designed and implemented the system. They should be well positioned to know what to test. The advantages of using your own group are to save time and money, plus to leverage internal staff to do the job. Some disadvantages include how your team conceives of security for the network. They might only test for attacks they anticipate, but because of their position, don't have an outsider's perspective on the network. Also, when you design your own security and believe you've done a good job, you might not want to discover and admit that it has holes. Periodically, you should hire an outside security consultant to perform a security audit on your network. This can be somewhat ego-bruising because you're allowing an outside group to set the standard for how well you've designed your network security system and how testing should be accomplished. The major advantage in using a consultant is that they have no vested interest in how well or how "not-so-well" your security performs. They'll attempt to penetrate your network as effectively as they can and might find vulnerable areas you wouldn't ordinarily consider. Once you receive their report, you can make the recommended changes, providing for a higher level of security.
Identifying and mitigating risks to your business, wireless or otherwise, can be time consuming and have an associated learning curve. Business protection services from HP give you both time and knowledge resources that you can use to identify risks and to put the right protections in place.
Although hiring an outside consultant must be within budget (and you may consider the cost prohibitive), think about how much it would cost the company if an undetected security hole resulted in an intrusion that deleted all human resources records.
There are a variety of techniques you can use to test network security. The following sections describe the most common methods used in security best practices.
Vulnerability scanning
This is an advanced form of port scanning that not only scans ports and hosts but also identifies the associated vulnerabilities. This type of scanner also attempts to provide a remedy for the detected vulnerability rather than having a technician or administrator interpret the results as they would when performing a standard port scan.
Penetration testing
As the name implies, this form of testing attempts to bypass or otherwise breach the security measures you've put in place. This is a test that can provide invaluable information but shouldn't be conducted lightly. Perform this test only after considerable planning and approval by senior staff. This test is very time- and labor-intensive and great care should be taken to make sure the test doesn't accidentally cause real damage to systems or data. Penetration testing can help in finding previously unknown access points to the network that could be exploited by an attacker.
Sometimes, an outside intruder called an ethical hacker may breach some part of your system. When you detect and question an ethical hacker, the hacker might explain that the purpose of the attack was to show you your network's vulnerabilities. Unless you hired this person as a consultant to perform this type of testing, generally consider their actions to be unwanted and illegal.
Virus detection
This is a test most often performed on mail servers or servers that specifically scan for viruses as traffic enters the network. A complete test of this system isn't always possible because new malicious software is almost constantly being developed or modified and released into the wild. In a virus detection test, you introduce selected viruses to the server to determine if they are detected and isolated, and to make sure that the system continues to function.
Perform this virus detection test in a test environment that mimics your actual mail server or firewall. An unsuccessful test on your production system (in which the virus goes undetected) can result in an infection of your actual system.
File-integrity testing
File-integrity checkers examine files and databases to determine whether unauthorized changes have been made, which may indicate an intrusion or data corruption. Checkers calculate and save a checksum for every file in the system in its database. These checksums can be regularly recalculated to determine whether an unauthorized change has occurred. To effectively use this tool, you first have to establish a baseline for the data, which must be secure up to that point. If you establish a baseline for the integrity checker on data that's been compromised, subsequent test results won't be reliable.
Intrusion detection
ID (intrusion detection) is a method of testing and monitoring that attempts to detect security breaches based on changes in network activity. The changes you attempt to monitor are those usually associated with a network attack, as opposed to changes related to general performance. Intrusion detection can be host- or network-based. You use host-based ID by installing ID software on the device you want to monitor and then collecting data from log files or auditing agents, which you review for signs of intrusion. Network-based ID monitors traffic at the network-segment level rather than on an individual device, looking for patterns that indicate a security breach.
Password cracking
You can use one or more password-cracking programs on your network to detect users who have set weak passwords. Ideally, you should have a policy regarding how to set strong passwords; however, not all users comply with policies. A password-cracking program can also verify that users with sensitive access to network devices and servers have set their passwords to a sufficient complexity that'll prevent them from easily being discovered.
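The preventive complement to running a password cracker after the fact is to check a password against the policy at the moment it is set. This added example (not part of the course) implements such a check: minimum length, number of character classes, a common-password list, and a user-name test. The wordlist, thresholds and sample accounts are constructed for the example; a real deployment would use the organization's policy values and a full wordlist.

```python
import re

# Constructed stand-in for the wordlist a cracking tool would try first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "summer"}

# One regex per character class: lower, upper, digit, everything else.
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password_policy(password, username="", min_length=12, min_classes=3):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, password))
    if classes < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")

    lowered = password.lower()
    # Strip the trailing digits/symbols users bolt on to a dictionary word ("Password1!").
    stem = lowered.rstrip("0123456789!@#$")
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("matches a common-password list entry")

    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def audit_accounts(accounts, **policy):
    """Run the policy over {username: candidate_password} and return only the failures."""
    failures = {}
    for user, candidate in accounts.items():
        problems = check_password_policy(candidate, username=user, **policy)
        if problems:
            failures[user] = problems
    return failures


# Constructed sample of password-change requests, as a password filter would see them.
SAMPLE_ACCOUNTS = {
    "alice": "Password1!",
    "bob": "Tr0ub4dor&3-horse-battery",
    "svc_backup": "summer2024",
}

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: rejected ({'; '.join(problems)})")
```

This check sees the candidate password only at change time; it does not replace the periodic cracking run the lesson describes, which is the only way to find weak passwords that were set before the policy existed.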
Even in a locked down environment, system crashes happen from time to time, and a good network administrator knows that the first priority is to get your systems back up and running in a timeframe that you can live with. HP Care Pack Services allow you to get back in the game, faster.
If taken to the extreme, allowing users unrestricted access to make system additions and changes will result in a completely chaotic user environment.
Locking down the user environment by implementing specific software policies enables you to determine which types of software will run on the system and limit who can run various programs. You can also prevent the accidental or purposeful deletion of important data files, which would result in lost productivity. In a Windows Active Directory environment, you can use GPOs (Group Policy objects) to set security levels that either allow or disallow the running of different software types. GPOs can be applied either to a group of computers or to individual users as needed.

You should also prohibit the installation of personal devices on the network. A classic example is the user who wants wireless access to the network. They install an unauthorized wireless access point to accomplish their task but inadvertently give a war driver outside the building access as well. You can prevent this by using MAC filters on your switches so that only devices whose MAC addresses are contained in the switch's database will have their traffic switched on the network. Also, restrict physical and remote access to your networking devices to authorized staff only.

Locking down access to the network has other advantages. You can limit which network applications the user can or can't use. For example, if your company wants to restrict use of an instant messaging program, you can block the relevant port on your firewall, preventing it from communicating. It's good practice to start by blocking all ports and then opening only those that you absolutely need for business. Of course, most companies allow more access to the network and internet than is strictly needed to perform necessary tasks; however, the level of security you implement and enforce needs to be established based on your customer's goals and needs.

Security lockdown has a dark side as well. A network that's severely locked down can result in necessary software applications that fail when opened or that won't open at all. You might also cause important data not to be saved, resulting in its loss. When you try to deploy new software, you could be blocked from doing so. Also, a severely locked-down environment is harder to troubleshoot. The same is true of network access that's locked down too tightly. You could prevent needed access to vital internet sites for the sales department, for example, or otherwise inhibit necessary telecommunications channels. As mentioned in Lesson 1, security and usability have an inverse relationship.
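The "block everything, then open only what the business needs" advice above is easier to reason about when the ruleset is modelled explicitly. This added example (not from the course, and not tied to any vendor's firewall syntax) evaluates an ordered allowlist with first-match semantics and an implicit default deny, then reports which rules no observed flow ever matched, which is the question a ruleset review asks. The rules, subnets and sample flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches every destination port
    src: str = "0.0.0.0/0"    # source network (CIDR) the rule applies to
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    proto: str
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    return ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a flow that matches nothing hits the implicit deny (index None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, flow):
            return rule.action, index
    return "deny", None


def unused_rules(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Rules that no observed flow ever matched: candidates for removal at the next review."""
    hit = {evaluate(rules, flow)[1] for flow in flows}
    return [rule.comment or f"rule {i}" for i, rule in enumerate(rules) if i not in hit]


# Constructed outbound allowlist: only what the business has asked for, nothing else.
ALLOWLIST = [
    Rule("allow", "tcp", 443, comment="HTTPS to the internet"),
    Rule("allow", "tcp", 25, src="10.0.5.0/24", comment="SMTP only from the mail relay subnet"),
    Rule("allow", "udp", 53, comment="DNS"),
    Rule("allow", "tcp", 21, comment="FTP for the old vendor upload (legacy)"),
    Rule("deny", "tcp", 5222, comment="XMPP instant messaging, blocked by policy"),
]

# Constructed sample of connection attempts seen from the user LAN and the mail relay.
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "tcp", 443),   # workstation browsing
    Flow("10.0.1.15", "udp", 53),    # workstation resolving names
    Flow("10.0.1.15", "tcp", 25),    # workstation trying to send mail directly
    Flow("10.0.5.3", "tcp", 25),     # the mail relay itself
    Flow("10.0.1.15", "tcp", 5222),  # instant messaging client
    Flow("10.0.1.15", "tcp", 6667),  # IRC: no rule at all, so implicit deny
]


def main():
    for flow in SAMPLE_FLOWS:
        action, index = evaluate(ALLOWLIST, flow)
        why = ALLOWLIST[index].comment if index is not None else "implicit default deny"
        print(f"{flow.src_ip} {flow.proto}/{flow.dst_port}: {action} ({why})")
    print("unused rules:", unused_rules(ALLOWLIST, SAMPLE_FLOWS))


if __name__ == "__main__":
    main()
```

The explicit deny for port 5222 is redundant under a default-deny policy; its value is that the firewall logs a named rule hit, which makes the blocked instant-messaging attempts visible in monitoring. Note also that the MAC filter mentioned in the lesson identifies a device only by an address the device itself reports, so treat it as a convenience control rather than an authentication mechanism.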
Moving on
In this lesson, you learned how to provide security for your network. You explored network security best practices, creating a security group, testing your security measures, and locking down system services and access. Before moving on, complete the assignment and take the quiz for this lesson. Also, take some time to visit the Message Board and post questions and comments for your classmates and instructor. In Lesson 3, you'll address the role of the network administrator as an organizational manager. This will include topics such as how to create operational plans, establishing policies and procedures, and assigning roles and responsibilities to your staff.
Assignment #1
A great deal of information is available about ID on the SANS website, including basic information such as terms, theory, and research; how scanners and scan patterns work; management and legal issues related to ID, and more. Go to the SANS FAQ web page and look for information on ID. Although you don't have to read the page exhaustively, review the section or sections that you find more interesting or relevant to how you would use this tool on your network. Feel free to share what you found with your classmates and instructor on the Message Board. You might also find some information you'll want to add to your network security arsenal.
Quiz: #1
Question 1: True or False: The distribution layer of a network infrastructure can be a risk level 1, 2, or 3, depending on the types of devices operating at that layer and their function.
A) True
B) False
Question 2: Which of the following are legitimate reactive security measures? (Check all that apply.)
A) Contacting your carrier and attempting to trace an attack to its source
B) Contacting law enforcement agencies to report the attack
C) Disconnecting your network from the internet
D) Shutting down a compromised server or system
Question 3: True or False: Intrusion detection works by installing ID software onto an individual host so you can monitor an entire network segment.
A) True
B) False
Question 4: Locking down a network involves which of the following? (Check all that apply.)
A) Using GPOs to prevent or allow users to run certain applications
B) Blocking ports to prevent some services from accessing the internet
C) Setting MAC address filters on your firewall to allow only authorized devices access to the network
D) Locking server and telecommunications closets and only allowing authorized IT staff physical access to internetworking devices
Working with operational management
The job of a senior IT administrator includes establishing, maintaining, and updating all of the documentation for the IT department. These documents include operational plans for network functioning and all the policies that define network access and use. In this lesson, you'll learn how to create operational plans, and network policies and procedures, as well as how to assign roles and responsibilities.
When it comes time to update your server infrastructure, ProLiant servers from HP can help you do that quickly and cost-effectively.
up or are coming onboard as the senior administrator, you should conduct a complete audit of all hardware, software, equipment, supplies, areas of staff responsibility, assignment lists, and user groups. This gives you a baseline document that tells you what kind of inventory you have on hand and helps you keep track of property. You'll also know which projects your IT staff is working on and who's responsible for specific tasks, and have a blueprint of network users, group memberships, and privileges assigned to those users and groups.
When you make any changes to the network, you should make sure a change audit is conducted and those changes recorded to ensure your information remains current.
Managing IT assets via audits can be difficult in a large organization. After all, you can't manage something if you don't know it exists. Network audits and asset management are about the senior IT administrator "discovering" the network. One of the keys to discovering network assets, or at least minimizing the "loss" of parts of your network, is communication and documentation. For example, you order 50 PCs but only 40 arrive, and the shipping department loses the invoice without your knowledge. You roll out 30 PCs right away and have someone store the others for future needs. In five weeks, when you need to install the other 20 PCs, you discover you have only 10. You've now got a big problem to solve because the details of the shipment are no longer fresh in your mind and you must involve several people -- including accounting staff in your company and the vendor's -- to resolve the problem of the missing PCs. You can easily avoid this type of situation by keeping detailed records and conducting regular audits.
There are a number of important elements that you should include in your auditing plan:
Purpose and scope of the audit: This will tell you why the audit is necessary and how wide a net you're planning to throw. For example, are you auditing a single site or multiple sites?
Staff members responsible for specific auditing tasks: Recording who's responsible for what helps to minimize confusion and ensures that each task has ownership.
Auditing details: How the audit will be managed, the cost of the audit, and the schedule for when audits will be updated.
Inventory: Consider using asset management software to discover and keep track of your inventory. This kind of software can discover which devices are in use, which software is installed on the devices, and where the devices are located. You can also use it to integrate invoicing and purchase order tracking into your auditing system.
Licenses and leases: You can also use asset management software to track licenses and leases. This is very important if you're developing a licensing scheme with a company such as Microsoft. You'll need to know which licenses you have so you can negotiate the most advantageous agreement. Using software to track licenses and leases can also help you avoid using unlicensed software. Although asset management software can save you money, it can also be an expensive purchase. If your business is relatively small, the direct cost of purchasing this software might not be compensated by a gain in savings. Consult with your company's accounting department and CIO (chief information officer) to see if management software is the best way to track network assets.
Network operating systems such as Microsoft Windows, Novell NetWare, Linux, and Unix have the ability to record when a directory or file has been accessed. This form of audit -- an access audit -- would be difficult to accomplish if you planned to manually review each directory and file on the system. However, server systems usually generate security logs that record suspicious activity on the system. If you suspect something of this nature, you can enable auditing on the server and select the type of events you want to monitor. You can also configure the scope of the audit in terms of users or groups (such as the Everyone group or only selected groups). You may want to perform a similar assessment -- a logon audit -- if you suspect an unauthorized person has tried to log on to one or more of your systems. Most server systems also record that data in a security log, enabling you to review which accounts the user tried to log on to, determine whether the attempts were successful, and track the IP address of the host used in the logon attempt. This form of auditing is an important subset of your operational documentation because it establishes a record of attempted security breaches over time.
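The host-based intrusion detection described in Lesson 2 and the logon audit described here both come down to reading the server's security log for patterns that do not belong. This added example (not part of the course) does that over constructed syslog-style lines: it parses each logon record, flags a source address with five or more failures inside a sixty-second window, and separately flags a successful logon from an address that had already failed repeatedly, which is the record a logon audit most wants to surface. The log lines, host name, addresses and thresholds are all constructed; the 203.0.113.0/24 range is a documentation network, not a real host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines in the usual syslog style (not real captures).
SAMPLE_LOG = """\
Mar 10 08:00:01 fs01 sshd[812]: Accepted password for alice from 10.0.1.15 port 50211 ssh2
Mar 10 08:00:10 fs01 sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Mar 10 08:00:12 fs01 sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 4413 ssh2
Mar 10 08:00:14 fs01 sshd[815]: Failed password for root from 203.0.113.7 port 4414 ssh2
Mar 10 08:00:15 fs01 sshd[815]: Failed password for root from 203.0.113.7 port 4415 ssh2
Mar 10 08:00:17 fs01 sshd[815]: Failed password for bob from 203.0.113.7 port 4416 ssh2
Mar 10 08:00:40 fs01 sshd[820]: Accepted password for bob from 203.0.113.7 port 4420 ssh2
Mar 10 09:15:02 fs01 sshd[901]: Failed password for carol from 10.0.1.22 port 50300 ssh2
Mar 10 09:15:30 fs01 sshd[902]: Accepted password for carol from 10.0.1.22 port 50301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text, year=2024):
    """Turn raw log lines into event dicts; syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not logon records are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Source addresses with >= threshold failed logons inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged[ip] = j - i + 1
                break
    return flagged


def find_success_after_failures(events, min_failures=3):
    """Accepted logons from an address that had already failed repeatedly: review these first."""
    fails = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            if fails[e["ip"]] >= min_failures:
                hits.append((e["ip"], e["user"], e["ts"].strftime("%H:%M:%S")))
        else:
            fails[e["ip"]] += 1
    return hits


if __name__ == "__main__":
    parsed = parse_auth_log(SAMPLE_LOG)
    print("brute-force sources:", find_bruteforce(parsed))
    print("successes after repeated failures:", find_success_after_failures(parsed))
```

Carol's single typo followed by a good logon is left alone by both checks, which is the point of thresholds: the audit record should show the handful of events worth a phone call, not every mistyped password.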
Incident reports
This is one type of document that no network administrator wants to have to create, but it's inevitable. An incident is any event that causes an impairment or breach of the overall network or some portion of it. Creating incident reports enables you to gather all of the information about a problem that can be used to develop a solution. This is especially true if the incident was an attempted or successful break-in. Legal department staff and law enforcement officials might need the incident report to take action against the perpetrator. These kinds of reports are also necessary to help you find and correct gaps in your security, or any problems with the network design.
You can often use a standardized form to create an incident report, and then have all persons who are involved in discovering the issue complete a form. Make sure you have a record of who completed these forms, the type of problem discovered, and the data, equipment, and software that was accessed or impaired. Also, keep a record of how the problem was initially discovered (such as via security logs, and so on), the symptoms that indicated an issue existed, and the actions taken in response.
Unrestricted internet access at work creates an environment in which users may conduct illegal business dealings, look for another job, surf adult websites, and engage in other activities that affect productivity, put network security at risk, or make the company potentially liable to legal action.
A network use policy should specify:
How and under which circumstances a user may access the network
Which activities are not permitted
The consequences of violating the network use policy
Usually, employees are provided with some sort of training or informational workshop that acquaints them with the network use policy. Employees are given a written copy of the policy and are required to sign a form stating that they've read and understand the policy. This protects the company should the user later inappropriately use their network access for unethical or illegal purposes and ultimately can be used as the basis to discipline the user up to and including dismissal from the organization.
Security policy
A security policy defines the rules and procedures required to keep a network safe from outside intrusion as well as from being compromised internally by an authorized user or unauthorized personnel. A security policy is usually comprised of a series of documents because the topic of network security is quite broad, covering everything from password policy to email usage. Depending on the level of security your company requires, you can create a general security policy document that describes the overall requirements to keep the network safe, or create security policy modules addressing specific procedures that provide security at various points on the network. A good security policy should describe:
How particular security procedures will be enacted and monitored.
The person or persons responsible for implementing the policy.
How it will be managed.
The consequences of breaching the security policy, which includes the consequences to the network as well as to the individual who caused the breach. Consequences could include disciplinary action if the breach involved a user and notifying law enforcement, especially if the breach was caused deliberately by an unauthorized person.
All security policies must be documented and presented to every individual in the company who's responsible for carrying them out. In many cases, this will include all end users, although many security policies and procedures are carried out only by IT staff, such as a policy regarding the rules and operation of your firewall.
Performance policy
A performance policy defines how resources are made available and used on a network. It overlaps with network use policy to some extent, and it covers the user groups and applications that affect network performance. A performance policy defines which services and applications are given priority in the event of limited network availability. For example, you configure your routers and switches to give a higher priority to network traffic based on IP address or port number, ensuring that those forms of traffic are queued first. You give your mission-critical applications the highest priority. This is all part of a performance policy. Your performance policy should also record how application traffic is prioritized, such as which mechanisms your networking devices use to provide QoS (quality of service) on the network.
You can also specify in your performance policy how connection types are prioritized. It's common to give the highest priority to WAN traffic, allowing your web presence and e-commerce to be maintained.
In a small company, a PC support specialist is the person responding to the initial call center phone request.
Network engineer: This person is responsible for supporting some portion of the network infrastructure or, in a small organization, all of the major roles. This can include managing switch and router configuration and operations, supervising different areas of network security such as the firewall and antivirus server, and maintaining servers such as applications, email, and file and print.
In a very small IT department, the senior IT administrator might take on some of these roles to help balance the workload. Depending on the size of your organization and specific business goals, you might also supervise the web designer, network security technician, and programmers, for example. So how do you decide who takes on which roles?
Hands-on problem solving is also a great assessment method for the candidate with a formal education and background.
is that you can assign them to lower-level types of tasks that are usually backburnered due to insufficient staff availability. The flip side is that you're expected to provide training and guidance. This takes staff time and energy away from the actual administration of the network.
Consultants
Periodically, you may have network tasks that don't require a full-time permanent staff person to accomplish, such as one-time or occasional network diagnostic or configuration tasks. To get the job done, you may need to hire an outside specialist or consultant to perform the necessary activities. It's wise to research the consultant or consulting firm to ensure that they're sufficiently skilled and ethical, and won't misuse their position to endanger network security. Part of your contract with the consultant should include an NDA (nondisclosure agreement), which states that the consultant promises not to reveal any information about your network configuration and security procedures. A consultant should submit a bid to you for the amount of time the project will take and the cost. You can take bids from multiple consultants to negotiate the most favorable arrangement. The lowest bid is not necessarily the best bid. You must ensure safety and efficiency of network operations during any project, even if it costs a little more. Of course, in this matter, you'll also have to refer to your budget. Also be sure that you're comparing similar services -- a low bid might not actually include all of the services you thought you had asked for.
Temps
If you need additional staff on a short-term basis for a specific project, consider hiring temporary contract workers. These workers don't have to be high-level experts, such as a consultant. For example, you might hire contract workers for assistance with a large-scale rollout, such as deploying 50 new workstations for a new department or upgrading from an older to a newer version of an operating system. To hire contract workers, you contact a staffing agency to place a request for the number of workers you need, specifying their skill level and experience. Your initial point of contact is with the hiring agency rather than individual workers; however, the conditions of the contract would be similar to one you sign with consultants -- contract workers are also expected to sign and abide by NDAs. You pay a fee to the agency, and the agency remunerates the workers.
Provide for outside training for staff, if your budget allows. One concern is that a newly trained person may decide to seek employment elsewhere, taking your training investment with them! To minimize the potential, consider requesting that staff sign an agreement stating they won't leave the firm within a certain number of months after having completed training. This would give you the opportunity to benefit more from the education you provided.
Moving on
In this lesson, you learned about procedural network administration, including operational plans, network and change audits, incident reports, and network diagrams. You also learned about policy and procedure development, and the importance of assigning roles and responsibilities to IT staff. Before moving on, complete the assignment and take the quiz for this lesson. Stop by the Message Board to discuss this lesson and other lessons with your classmates and instructor. In Lesson 4, you'll delve into email management, including maintaining and securing email and controlling spam.
Assignment #1
For this assignment, visit the following IT small business websites and read articles or news items that are relevant to Lesson 3: IT Manager's Journal Small Business Trends Small Business IT World Network World Small and Medium Business Center Keep notes about your findings, and then go to the Message Board and discuss your findings and how they're relevant to Lesson 3.
You might not find an article, news story, or other item that exactly fits the subjects presented in Lesson 3. However, try to find something that's as close as possible. The point is to find information in the "real world" that's associated with what you're learning.
Quiz: #1
Question 1: What are some of the key variables usually included in a network operations plan? (Check all that apply.)
A) Priority
B) Funding
C) Asset number
D) Dependencies
Question 2: True or False: An access audit records logon attempts by unauthorized personnel.
A) True
B) False
Question 3: A member of the company's sales staff has been discovered using internet access to surf adult websites. The salesperson has potentially breached which policies? (Check all that apply.)
A) Network use policy
B) Security policy
C) Password policy
D) Performance policy
Question 4: One of your network technicians is responsible for configuring and monitoring the switches and routers in the network infrastructure. The tech is highly proficient in this area. Recently, you assigned the tech the additional responsibility of conducting and reviewing backup and restore operations on all servers. The tech is not familiar with the hardware and software involved. No one else in your department can train this tech; however, you're familiar with those systems. What are the two best methods of training the tech? (Check all that apply.)
A) Train the tech yourself.
B) Give the tech the documentation on those systems and ask that she "learn the skills on her own."
C) Send the tech to a training seminar.
D) Assume the tasks of backup and restore yourself.
Controlling email
Although a network provides a wide variety of daily services to end users, no service is more vital than access to email. Unfortunately, it's also a major security concern for most senior systems administrators. In this lesson, you'll learn how to take charge of this powerful and problematic network application.
Maintaining email
There are many vital issues involved in managing and maintaining an email system, and a myriad of tasks that an IT department must perform to ensure continual end-user access to email. Management of your email system isn't just a matter of technical complexity but of regulatory law as well. For example, SEC (Securities and Exchange Commission) Rule 17a-4 outlines the requirements governing how messages from any electronic messaging system (email and instant messaging included) are stored and managed.
A server for every role
A server from HP's line of ProLiant servers can perform in any role your infrastructure requires, from an email server to a domain controller and beyond.
For details about SEC Rule 17a-4, visit the U.S. Securities and Exchange Commission website.
The following sections briefly describe the main considerations of an email system.
Storing email
Even in small to medium-sized business environments, the demand for email storage capacity is considerable. The typical volume of email storage is now in the petabyte range, requiring that you provide larger hard drive volumes to store all the data. Unfortunately, greater storage space means greater expense, and you face the usual conflict of need versus cost. Because you don't have an infinite amount of space on your email server to store messages, how do you manage this problem?
HP Electronic Vaulting service
Deleting email
Emails have a habit of multiplying at an alarming rate. Although emails on a business server represent formal corporate records, the content, in fact, can be anything from a sales proposal to the latest joke buzzing around the internet. In other words, every email on the server isn't really necessary. A common solution to a burgeoning number of email messages is to limit the amount of space each end user may use on the mail server, and to send users warning messages as they near their allotted limit. This allows users to select which emails they no longer need and to clean out their folders. You may encounter a few users who, for various reasons, either refuse to delete unneeded emails or just neglect to tackle the job. To counter this problem, you can create a policy that states that emails in accounts that are full will be deleted automatically, or manually by IT staff.
Consult with your HR and legal departments, as well as other key administrators, before enacting a policy that allows for email deletion by anyone other than the end user. Because emails are official records, randomly deleting such records could cause business and legal complications for the company and the end user.
If your company decides not to implement a deletion policy, at the least, inform your users that once the limit is reached, emails that are sent to them will bounce back to the sender, which can cause confusion, delays, and frustration. Your company's clients and other associates can get a particularly negative impression of your company if they must endure repeated email bouncebacks.
Archiving email
Rather than deleting emails to make room on the server, you can require that users archive older emails when their storage space is nearing the limit. Microsoft Outlook, for example, offers this option to end users. Archiving removes selected email messages from the mail server and stores them on the user's hard drive in .pst format. This option is usually voluntary, though, and you may encounter some users who decide not to archive their email. Another option is for you to configure your server to transfer all emails older than a certain date to a backup mail server to free up space on the primary mail server. If certain emails need to be retrieved, they can be restored to the mail server from backup storage. Ultimately, the most reasonable solution to your storage space dilemma is to combine the deletion of unneeded emails and archival of required messages.
Accessing email
Storage and access are two sides of the same coin. It's difficult to address one without mentioning the other. Your users have to be able to retrieve their stored emails from the server to read and manipulate their messages. This isn't the same as a user's ability to check the server for new mail. As mentioned previously, emails represent official company records, and there are times when it's vital for a user to locate and open a particular email that's already been read. You must have the ability to organize and control how stored emails are accessed, particularly in an important business transaction or in response to a subpoena or court order. Failing to do so can result in significant cost to your company. As the number of stored emails grows, they tend to get scattered around the mail server's hard drive, making locating a particular email difficult. Your method of email organization and retrieval is only as good as your storage method. Here are some options:
Using your mail server: The simplest solution, in one respect, is to store all company email on your mail server. The end users can access their email, regardless of age, and the information is searchable either by header or body content, making individual messages easy to locate. Although this may appear simple and easy, the drawback is that your server must always have adequate storage space. Even if users judiciously delete unneeded emails, this is not a very practical solution.
Using a backup server: Another solution is to back up the email server to another storage device, storing older messages there. Although this solves the storage problem on the primary mail server, it creates others. If you use tape media for backup and restore operations, for example, your end users lose the ability to easily search for a particular email. You might have to restore the entire contents of the tape on which the desired email is believed to be located to access it. Also, this method requires a significant amount of time to restore and access a particular email. If you need the information fast, this isn't a good solution.
Using an archive server: Instead of having emails archived as PST files on the user's hard drive, you can use a dedicated archive server for this purpose. If your users archive their emails onto their individual hard drives and you need to recover one email (for legal purposes, for example), you have to get it directly from the user's computer. This may not appear to be a problem, but it's compounded if you don't know which user has it. Perhaps you only know who the email was from, when it was received, or the subject. Also, what if the needed email was deleted after being archived onto the user's computer? Using an archive server allows you to keep all older emails in a single, searchable location for easy access, and allows the IT department rather than the end user to be in control of storage and retrieval. Remember, the emails belong to the company, not the individual user.
HP ProLiant Storage Servers support the use of third-party archiving software called DataArchiver, which is produced by CommVault. You can visit the HP ProLiant Storage Servers web page to learn more.
Preventing spam
There are a number of ways you can minimize or prevent the amount of spam your network receives. Here are the common methods:
Educate the end user: The first, best step is not a technical solution. You'll recall from Lesson 3 that part of your role is to create and implement network use policies for all end users. One policy should address under which conditions end users disclose their company email addresses. You can significantly reduce the amount of spam your mail server receives by restricting users from posting their email addresses on public websites. To facilitate this, encourage users to use a secondary or personal email address rather than their primary business email address when engaging in communications that aren't strictly business-related. Create a policy whereby no user is ever allowed to respond to a piece of spam, especially by clicking a link that states it will be used to remove them from a spammer's mail list. This is a sure way for the spammer to confirm that the email address is valid. Once the spammer establishes this, the spammer can easily overload your mail server.
Filter spam at the mail server: You can use various software applications to filter email at the point it enters your system, routing any mail identified as spam to a separate destination. Usually, spam filters examine the header and body for any keywords or terms that commonly appear in spam mail. Because no spam filter is perfect, some spam will still get through. Also, some mail identified as spam may actually be legitimate mail. For this reason, don't configure your spam filter to automatically delete mail tagged as spam. You should review any mail marked as spam to make sure no legitimate mail has made it into the spam folder. Panda Software is partnered with HP and produces a product for HP ProLiant Servers called Panda GateDefender. This software is written to work with Linux servers. Panda BusinessSecure with Exchange is written specifically for use with Microsoft Exchange servers to accomplish the same tasks, including filtering spam.
Filter spam at the client: You can also filter mail using the mail client on each individual PC in your organization. Filtering at the client rather than the server, though, can result in much more work for your IT staff, depending on how many computers you're responsible for. When it's reasonable to filter at the client level, you can use Microsoft Outlook's built-in spam filter feature, or install a third-party spam filtering program to accomplish the same purpose.
Create a black list: Some organizations keep lists of known spammers, and you can access one of these lists and use it to filter out any mail from them. This solution is best employed on your mail server or a gateway device, such as a firewall, to prevent spam from entering your system. You can find an example of such lists at Email-policy.com.
Conduct reverse DNS lookups: This solution isn't quite as effective as it once was. In the past, spammers frequently used spoofed or invalid IP addresses that didn't match the domain name they were accessing. Using reverse DNS lookups, if your mail server received mail from an IP address that didn't match the domain name, the mail would be tagged as spam. However, spammers use spoofed IP addresses less frequently now. Also, this method can result in some false positives, marking legitimate mail as spam.
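To see how the server-side techniques above combine in practice, here is an added example (not part of the course or of any product it names) of a small scoring filter. It applies a block list, a reverse DNS consistency check, and a keyword scan, and it routes suspected spam to a quarantine folder for review rather than deleting it. The block list, the reverse-DNS table that stands in for a live resolver, the X-Sender-IP header, and the three sample messages are all constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for a live block list and a live
# reverse-DNS resolver (assumptions for this example, not real data).
BLOCK_LIST = {"192.0.2.45", "198.51.100.7"}
REVERSE_DNS = {
    "203.0.113.10": "mail.example-partner.test",
    "192.0.2.45": "spamhost.example.test",
}
# Terms that commonly appear in spam; a real filter would use a much larger set.
SPAM_TERMS = ("free money", "act now", "click here to unsubscribe", "limited offer")


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def parse_message(raw):
    """Split a raw RFC 822-style message into a header dict and a body string."""
    header_text, _, body = raw.partition("\n\n")
    headers = {}
    for line in header_text.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def reverse_dns_matches(ip, claimed_domain):
    """Reverse DNS check: does the PTR name of the sending IP end with the From domain?"""
    ptr = REVERSE_DNS.get(ip)
    return ptr is not None and claimed_domain != "" and ptr.endswith(claimed_domain)


def score_message(raw):
    """Combine the three checks from the lesson into one score with reasons."""
    headers, body = parse_message(raw)
    verdict = Verdict(0)
    # X-Sender-IP is a constructed header for this demo; a real MTA would take
    # the connecting address from its own Received trace.
    ip = headers.get("x-sender-ip", "")
    if ip in BLOCK_LIST:
        verdict.score += 5
        verdict.reasons.append(f"sender {ip} is on the block list")
    from_domain = headers.get("from", "").rpartition("@")[2].strip("<> ")
    if ip and not reverse_dns_matches(ip, from_domain):
        # Weighted low on purpose: the lesson notes this check causes false positives.
        verdict.score += 2
        verdict.reasons.append("reverse DNS of sender does not match the From domain")
    text = (headers.get("subject", "") + "\n" + body).lower()
    for term in SPAM_TERMS:
        if term in text:
            verdict.score += 1
            verdict.reasons.append(f"spam term {term!r} found")
    return verdict


def route(raw, threshold=3):
    """Return the folder the message goes to; suspected spam is quarantined
    for review rather than deleted, as the lesson recommends."""
    verdict = score_message(raw)
    return ("quarantine" if verdict.score >= threshold else "inbox"), verdict


# Constructed sample messages.
LEGIT = (
    "From: Alice <alice@example-partner.test>\n"
    "X-Sender-IP: 203.0.113.10\n"
    "Subject: Q3 order schedule\n\n"
    "Hi, attached is the updated delivery schedule.\n"
)
SPAM = (
    "From: deals@bigsale.example\n"
    "X-Sender-IP: 192.0.2.45\n"
    "Subject: Act now: FREE MONEY\n\n"
    "Limited offer! Click here to unsubscribe if you do not want more.\n"
)
UNKNOWN = (
    "From: bob@small-vendor.test\n"
    "X-Sender-IP: 198.18.0.9\n"
    "Subject: Invoice 1042\n\n"
    "Please find the invoice attached.\n"
)

if __name__ == "__main__":
    for name, msg in (("LEGIT", LEGIT), ("SPAM", SPAM), ("UNKNOWN", UNKNOWN)):
        folder, verdict = route(msg)
        print(name, folder, verdict.score, verdict.reasons)
```

The third message shows the caveat from the text: a legitimate sender whose reverse DNS is unknown picks up points but stays below the quarantine threshold, which is why the reverse DNS check is weighted lower than a block-list hit.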
by at least some businesses, preventing or at least delaying email communications with your partners and customers and impeding commerce. Here are some strategies you can implement to protect your mail server:
Limit relaying: Restrict your mail server relay service to use only specific IP addresses or, even better, require authentication.
Change default passwords: Even if you require authentication, if your postmaster account's password is set at the default, it won't be long before a spammer figures it out and freely sends spam through your server. Change the default password, rename the account, or even disable it to prevent it from being used against you. See Lesson 2 for more details about password security.
Set time-out for failed SMTP commands: Spammers try to use invalid SMTP commands to gain control of mail servers. If you allow spammers to issue an unlimited number of commands, they may eventually compromise your server. Most mail server software has a feature that, when configured, drops the connection after a certain number of failed commands. You can also disable the use of particular commands that might be used by spammers.
Block known spammer IP addresses: This is the same concept as creating a black list. You can identify the IP addresses from which spam originates and block those addresses at your firewall. You may also consider blocking a range of addresses because spammers use numerous IP addresses within a single or multiple IP ranges.
Monitor your mail server: Periodically monitor traffic to and from your mail server using a packet sniffer, such as Snort or Ethereal. You can then determine if your server has been compromised or if an attempt is underway to turn it into a spam relay. Network monitoring will be covered in Lesson 5.
Keep up with security patches: Periodically, vulnerabilities are discovered in software, and spammers along with others can exploit those vulnerabilities and waltz right through your security. Make sure your mail server is patched with the latest updates.
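The relay restriction, the failed-command limit, and the disabling of particular commands can be seen together in this added example, a small model of the server side of one SMTP session. It is written for this lesson and is not the code of any mail server product; the local domain, the trusted internal network, the demo credential, and the limit of three failed commands are all assumptions chosen for the example.

```python
import ipaddress

# Constructed policy for this example (assumptions, not a real server's config).
LOCAL_DOMAINS = {"example.test"}                           # domains we accept inbound mail for
TRUSTED_RELAY_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # internal clients allowed to relay
MAX_FAILED_COMMANDS = 3                                    # drop the connection after this many
KNOWN_COMMANDS = {"HELO", "EHLO", "AUTH", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
DISABLED_COMMANDS = {"VRFY", "EXPN"}                       # commands we refuse to serve at all
DEMO_CREDENTIAL = "PLAIN demo-credential"                  # stand-in for a real credential check


class SmtpSession:
    """Minimal model of the server side of one SMTP connection."""

    def __init__(self, client_ip):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.authenticated = False
        self.failed = 0
        self.connected = True

    def _fail(self, reply):
        """Count a failed command and close the session once the limit is reached."""
        self.failed += 1
        if self.failed >= MAX_FAILED_COMMANDS:
            self.connected = False
            return "421 too many failed commands, closing connection"
        return reply

    def may_relay_to(self, domain):
        """Relay policy: inbound mail for our own domains is always accepted;
        anything else needs authentication or a trusted source network."""
        if domain in LOCAL_DOMAINS:
            return True
        if self.authenticated:
            return True
        return any(self.client_ip in net for net in TRUSTED_RELAY_NETS)

    def handle(self, line):
        if not self.connected:
            return "connection closed"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in DISABLED_COMMANDS:
            return self._fail("502 command disabled")
        if verb not in KNOWN_COMMANDS:
            return self._fail("500 unrecognized command")
        if verb == "AUTH":
            if arg == DEMO_CREDENTIAL:
                self.authenticated = True
                return "235 authentication successful"
            return self._fail("535 authentication failed")
        if verb == "RCPT":
            domain = arg.rpartition("@")[2].strip("<> ")
            if not self.may_relay_to(domain):
                return self._fail("554 relay access denied")
            return "250 recipient ok"
        if verb == "QUIT":
            self.connected = False
            return "221 bye"
        return "250 ok"

    def run(self, lines):
        """Feed a list of command lines and return the list of replies."""
        return [self.handle(line) for line in lines]


if __name__ == "__main__":
    # An outside host may deliver to our users but not relay to a third domain.
    outside = SmtpSession("198.51.100.7")
    for reply in outside.run(["EHLO host", "MAIL FROM:<a@b.test>",
                              "RCPT TO:<victim@other.test>", "RCPT TO:<bob@example.test>"]):
        print(reply)
```

Counting failures against one limit, whether they come from unknown commands, disabled commands, or failed authentication, is what makes the time-out useful: an automated client probing the server runs out of attempts quickly, while a legitimate client that mistypes one command is not affected.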
Securing email
Securing your email system, in general, includes some of the same practices applied to preventing spam, and general network security practices described in Lesson 2. Some email-specific security issues and procedures are covered in the next section.
Wi-Fi security
Check out HP's wireless security guide, which covers basic Wi-Fi concepts and terminology and discusses how important security issues are for proper deployment and use of this powerful and flexible networking technology.
Some users will undoubtedly balk at this rule; however, these kinds of unofficial emails can tax the network and use valuable storage space on your server. You should also prohibit users from using email for a personal business or other individual gain. As part of the policy, include a privacy and confidentiality clause stating that any information contained in organizational emails is privileged and belongs to the company. This includes trade secrets or any other information that, if released, would result in security being compromised and loss of profits.
Visit Email-policy.com for more information about writing email use policies.
Moving on
In this lesson, you explored email management, covering mail storage and access issues, minimizing spam, and securing your mail server. Before moving on, complete the assignment and take the quiz for this lesson. Then, head over to the Message Board to share your experiences with your classmates and instructor. In Lesson 5, you'll learn about monitoring and maintaining the network, including how to monitor network utilization, maintaining network services, and controlling how software is installed.
Assignment #1
Lesson 4 refers to SEC Rule 17a-4, which outlines the requirements governing how any electronic messaging system is managed. To learn more about the details of Rule 17a-4, use a search engine to determine how this rule affects the position of a senior network administrator. Consider these questions: 1. Does this rule affect all businesses or only certain types? 2. How, in general, are emails to be stored? 3. Which facets of this rule are significant to your business? Keep notes while reviewing information about SEC Rule 17a-4 and cite your source(s). Then, discuss your findings and questions with your classmates and instructor on the Message Board.
Quiz: #1
Question 1: Which of the following are valid locations for storing archived mail? (Check all that apply.)
A) Mail server
B) Backup server
C) Archive server
D) PC's hard drive (as .pst files)
Question 2: Which of the following are effective ways to minimize or prevent the receipt of spam mail by your end users? (Check all that apply.)
A) Prohibit end users from replying to spam mail
B) Limit open relay on the mail server
C) Filter spam on the mail server
D) Filter spam on the client
Question 3: True or False: Using reverse DNS lookups is an effective way of detecting spam.
A) True
B) False
Question 4: Which of the following are problems that can plague a mail server? (Check all that apply.)
A) DDoS attacks
B) Viruses
C) Spyware
D) Exploitation of a known vulnerability
Monitoring and maintaining the network
After you get the network up and running the way you want, you have to ensure that network operations remain within the guidelines you've established. In this lesson, you'll learn how to monitor your network, modify the infrastructure as your network business needs change and grow, and keep a tight rein over how software is installed and updated on networked computers.
Collisions
A collision domain is a single LAN segment in which all network traffic interacts and where datagrams can potentially interfere with each other. This traffic is bounded by layer 2 devices such as switches and bridges. For example, all networked devices interconnected by a layer 1 hub exist within a single collision domain, whereas only two directly communicating devices connected through a layer 2 switch are in a collision domain. Traffic from any other devices connected through that switch isn't involved. Although the careful design and implementation of a switch fabric on your network can greatly reduce collision traffic, you can't completely eliminate collisions. Network administrators working on smaller networks with a limited operating budget or who must use legacy hardware may need to use hubs, which can increase the likelihood of collisions.
HP offers a robust collection of server expertise to help you build your network administration toolkit so you can meet the demands of your internal customers and fulfill your duties as a network administrator.
Hubs often come with built-in collision counters that enable you to monitor the number of collisions per unit of time. You can also configure other devices, such as firewalls, to measure collision rates on a network. What appears to be collision traffic though might be a broadcast storm issued by a device with a malfunctioning NIC, or the device may be measuring packet fragments. You can use switches to your advantage in the latter scenario by setting them to fragment-free. This prevents the switches from forwarding packet fragments from all ports -- which is normal operation for broadcast traffic -- thus reducing or eliminating these apparent collisions.
If you're running an IPv6 network, you also need to monitor anycast traffic.
Requiring users to sign a network use policy won't eliminate misuse; however, it's an effective way to reduce problems and provides a basis for disciplining willful offenders.
You can also close the ports that use this form of traffic, preventing peer-to-peer requests from accessing the internet. Simultaneously, you can monitor these requests and determine which IP address(es) they're coming from, allowing you to notify specific users that they're potentially violating policy. There are legitimate forms of traffic that can also cause drains on available resources. Streaming video, audio, and video conferencing traffic can pose significant bandwidth availability issues. You don't always have control of the use or timing of these events because scheduling is usually controlled by other departments. For example, if the sales department manager scheduled a high-level video conference with four branch offices from 9:00 a.m. to 10:00 a.m. and the HR manager set up a webinar to begin at 9:30 a.m., the network will slow down greatly once the webinar begins. You can set a policy to have such bandwidth-intensive network use cleared through your department first, but be willing to work flexibly with key company decision makers, each of whom has their own priorities. If you can make the IT department a partner with the other departments rather than an "adversarial" gatekeeper, you'll have more success at eliciting cooperation in scheduling these activities.
HP ProLiant server management software is designed to help you more effectively manage servers both in your office and at remote locations so you can manage your organization's technical operations more easily.
DNS
DNS is the method used to provide name resolution on networks. The service runs on a variety of NOS (network operating system) platforms including Unix, Linux, Windows, and NetWare. Usually, NOSs come with software or utilities, such as Windows DNS server performance counters, that help you monitor and test DNS services. You need to determine which DNS operations you want monitored and then set performance counters or SNMP traps to alert you when various performance factors cross significant thresholds. The primary measuring stick for DNS is the overall functioning of the service, which includes the number of queries and responses processed by the DNS server. Other elements you should monitor include:
The number of queries and responses by transport protocol, using TCP and UDP (User Datagram Protocol) counters
Dynamic update and secure dynamic update counters, which measure client registration and update functions performed by network nodes
Recursive lookups
Zone transfers
Memory usage
In a Windows environment that includes a WINS server, you should also measure queries and responses (called records) made to the WINS server. Additionally, verify that the A record (address record) is associated with the correct IP address. WINS is discussed later in this section.
Make sure you regularly review the DNS server logs. Also, because the service runs on server hardware, stay on top of basic hardware maintenance such as backups, disk defragmentation, and other hardware tasks. Even when the service and server are operating correctly, client computers can't use name resolution if they can't contact the DNS server. Maintaining reliable DNS services depends on maintaining general network operations.
DHCP
DHCP simplifies the administration of IP address assignment to network nodes by assigning addresses dynamically on the network. On a medium-to-large network, the use of DHCP is mandatory. DHCP failure is costly because without dynamic address assignment, nodes can't communicate.
Imagine the task of manually configuring 75 computers with IP addresses. It's much easier to monitor and troubleshoot a single DHCP server.
As with a DNS server, you should monitor the overall health of the DHCP service, including system load and service utilization. Some of the elements you should monitor include:
Messages sent and received by the DHCP service
Amount of time messages take to be processed
Number of message packets dropped due to delays and timeouts
Types of DHCP message packets include discovers, offers, requests, informs, acks, nacks, declines, and releases. These are usually monitored by counters on a per-section basis and collected either by the counter or in the DHCP server logs.
You should also verify that network nodes are receiving dynamic address assignments and that the addressing is correct. Failure of a node to receive an address or any other configuration information -- such as addresses to the DNS servers, default gateway, and so on -- can indicate a problem with the DHCP server, an incorrectly configured node, or a network connection failure. As with DNS, reliable DHCP service is related to the general health of the network and server hardware.
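The counters and thresholds described for DHCP (and, in the same way, for DNS) can be produced from the server log itself. The following added example, written for this lesson rather than taken from any DHCP server's tooling, tallies message types, processing times, and drops from a log and raises alerts when a threshold is crossed. The log format, the sample lines, and the threshold values are constructed for the example; a real DHCP server log has its own layout and would need its own parsing expression.

```python
import re
from collections import Counter

MESSAGE_TYPES = ("DISCOVER", "OFFER", "REQUEST", "INFORM", "ACK", "NAK",
                 "DECLINE", "RELEASE", "DROP")
# One record per line: "<date> <time> <TYPE> key=value ..."; constructed format.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<type>" + "|".join(MESSAGE_TYPES) + r")\b(?P<rest>.*)$"
)
MS_RE = re.compile(r"\bms=(\d+)")  # processing time in milliseconds

# Constructed sample log: one successful lease, one refused renewal, two drops.
SAMPLE_LOG = """\
2023-01-05 09:00:01 DISCOVER mac=00:11:22:33:44:55 ms=4
2023-01-05 09:00:01 OFFER ip=10.0.0.20 mac=00:11:22:33:44:55 ms=3
2023-01-05 09:00:02 REQUEST ip=10.0.0.20 mac=00:11:22:33:44:55 ms=2
2023-01-05 09:00:02 ACK ip=10.0.0.20 mac=00:11:22:33:44:55 ms=2
2023-01-05 09:00:10 REQUEST ip=10.0.0.21 mac=aa:bb:cc:dd:ee:ff ms=5
2023-01-05 09:00:10 NAK ip=10.0.0.21 mac=aa:bb:cc:dd:ee:ff ms=1
2023-01-05 09:00:15 DROP reason=timeout ms=1200
2023-01-05 09:00:16 DROP reason=timeout ms=1300
garbage line that should be ignored
2023-01-05 09:00:20 RELEASE ip=10.0.0.20 mac=00:11:22:33:44:55 ms=1
"""

# Assumed thresholds; tune them to what is normal for your own server.
THRESHOLDS = {"nak_ratio": 0.10, "drops": 2, "max_ms": 1000}


def parse_log(text):
    """Return (message-type counter, list of processing times in ms)."""
    counts = Counter()
    times = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not counted
        counts[m.group("type")] += 1
        ms = MS_RE.search(m.group("rest"))
        if ms:
            times.append(int(ms.group(1)))
    return counts, times


def evaluate(counts, times, thresholds=THRESHOLDS):
    """Turn counters into alerts; each alert is (code, human-readable message)."""
    alerts = []
    requests = counts["REQUEST"]
    if requests and counts["NAK"] / requests > thresholds["nak_ratio"]:
        alerts.append(("NAK_RATIO", f"{counts['NAK']} of {requests} requests were refused"))
    if counts["DISCOVER"] > counts["OFFER"]:
        # Clients asking for addresses and getting no offer: exhausted scope or a dead server.
        alerts.append(("UNANSWERED_DISCOVER",
                       f"{counts['DISCOVER'] - counts['OFFER']} discovers got no offer"))
    if counts["DROP"] >= thresholds["drops"]:
        alerts.append(("DROPS", f"{counts['DROP']} packets dropped"))
    if times and max(times) > thresholds["max_ms"]:
        alerts.append(("SLOW", f"slowest message took {max(times)} ms"))
    return alerts


def check(text):
    """Convenience wrapper: parse a log and evaluate it in one call."""
    counts, times = parse_log(text)
    return counts, evaluate(counts, times)


if __name__ == "__main__":
    counts, alerts = check(SAMPLE_LOG)
    print(dict(counts))
    for code, message in alerts:
        print(f"ALERT {code}: {message}")
```

The ratio-based NAK alert matters more than the raw NAK count: one refused renewal on a busy server is noise, but refusals making up a large share of requests point at a node with a stale lease or a misconfigured scope, which is exactly the "failure of a node to receive an address" the text asks you to watch for.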
WINS
Although Microsoft Windows Server 2003 networks and domains are supposed to make exclusive use of DNS for name resolution, you might encounter some legacy equipment or applications that require a WINS server. WINS, like DNS, provides name resolution services on Windows networks, and many of the tasks involved in monitoring and maintaining this service are similar to those you use for DNS. You should monitor the following:
Name registration
Renewal and release counters
Server start time
Replication statistics
Extinction statistics
Review the Windows Event Viewer logs to keep track of all significant events involving the WINS service. You can also examine the WINS database mappings in the WINS console. WINS database entries represent a single computer, group, internet group, domain, or multihomed entry. You can also view the following:
The record name
Type of record
IP address associated with the mapping
Whether the record is active or released
Whether the record is statically or dynamically mapped
Record owner
Database version
Expiration date of the mapping
Pathping, Route, and Tracert. You also need to configure and monitor encryption, authentication, routing, remote access, and multilink traffic. Without access to RRAS, VPN, and RADIUS, remote users or remote sites can't establish a secure link over public telco (telecommunications) lines.
Microsoft
Windows servers come with several different tools designed for patch management and software distribution. These utilities enable you to assess, test, implement, and review patches and other software installations consistently, which allows you to control how and when your systems are updated. These utilities include the following:
Microsoft SUS (Software Update Services): This service enables you to update your operating systems in a secure and controlled environment but doesn't provide a comprehensive solution package. With SUS, you can access and download any updates or service packs available on Microsoft's update website. After you select and approve the packages, SUS deploys them to preconfigured servers and workstations. SUS works for deploying critical and security updates and service packs -- you must update and manage application software using a different process, such as SMS.
Microsoft SMS (Systems Management Server) 2003: SMS provides a greater degree of control than SUS, enabling you to assess, identify, evaluate, plan, and deploy software updates, and providing guidance and automation tools to help in establishing the process for software management. Machines exist in SMS "managed space," which allows only those machines to be affected by the updates. SMS can also locate and identify unmanaged machines on the network running server platforms so that you can plan to include them as managed devices. Platforms supported by SMS for management include Microsoft SQL Server 2000, Microsoft Virtual Server 2005, and Microsoft Virtual PC 2004. Additionally, Microsoft Office 2000/XP/2003 are also supported and managed under SMS.
Novell
Novell offers ZENworks Linux Management to optimize software deployment in environments up to enterprise-class. ZENworks supports Novell's relatively newly released SUSE Linux Enterprise Server 9, providing fine control and scheduling of software updates as well as dependency analysis and conflict resolution. You can access ZENworks Linux Management from a web interface or via the command line, and control updates and software distribution to different groups of machines from a centralized location. You can use ZENworks with the YaST administration utility, which manages operating system elements, network services, and third-party application solutions. An alternative to the YaST graphical package management tool is y2pmsh. y2pmsh is not installed in SUSE by default; however, you can add it using YaST. Like any package manager, y2pmsh installs, uninstalls, and upgrades RPM (RPM Package Manager) packages, and you can also use it to create packages.
Moving on
In this lesson, you learned about network utilization monitoring, vital network services, and methods for managing software and update deployments. Before moving on, complete the assignment and take the quiz for this lesson. Stop by the Message Board to discuss topics in this lesson with your classmates and instructor. In Lesson 6, you'll find out how to recover from a disaster using backup and restore procedures -- from laying the foundation for a backup, to optimizing backup performance, to testing your recovery plan.
Assignment #1
Select a package manager you're interested in and research it on the web. Determine the advantages and disadvantages of your chosen package manager. Cite your sources and be prepared to share your findings on the Message Board. Here are some sources you might find helpful:
Patch Management using SUS
Patch Management using SMS 2003
Novell ZENworks 6.6 Linux Management
Package Management using SUSE's y2pmsh
Red Hat's Package Management Tool
Quiz: #1
Question 1: To prevent a switch from passing apparent broadcast traffic that mimics collisions through all of its ports, which switch setting should you use?
A) Cut-through
B) Store and forward
C) Fragment-free
D) Packet switching
Question 2: Which service reports name registration, renewal, and release as well as replication and extinction statistics?
A) DNS
B) DHCP
C) WINS
D) RRAS
Question 3: Which utilities can you use to monitor RRAS? (Check all that apply.)
A) ROUTEMON
B) RRAS Admin
C) Telnet
D) Netsh
Question 4: True or False: RPM is a graphical tool used in the X Window System in Red Hat.
A) True
B) False
Recovering from disaster with backup and restore
The best way to recover from a disaster is to be prepared before it happens. The greatest defense you have as a senior administrator is to be proactive rather than reactive. In this lesson, you'll learn how to create a recovery plan that'll have your network up and running as quickly as possible after a disaster strikes.
responsibilities. In the next section, you'll look into what it takes to lay a foundation for a backup plan.
There is a reason that tape backup is so popular: it's affordable, reliable, scalable for any size business, and can be programmed for scheduled unattended backup, making it the ideal choice for your business.
for full backups while employing CDs or DVDs for incremental backups. Tapes and discs are easily transported offsite to a safe storage location, so there's no true barrier to implementing such a plan.
Delegate responsibility
Someone on your staff must be responsible for managing the backup and restore system at all times. Although the business of backups may seem routine, you must be sure that someone is tending the system. If the responsible party is ill or on vacation, make sure that a substitute person is always in place to attend to such mundane tasks as changing tapes and cycling tapes, and more importantly, emergency restore functions. An IT department is a busy place, and a lack of organization and planning can result in details being overlooked. This is one area that you must not allow to be neglected. Also, a disaster or incident can occur at any time, not just during business hours. An IT staff member should always be on call if a problem arises in the middle of the night or on the weekend. Such occurrences should be rare, but when they happen, you should always have someone available to respond to a crisis.
management approach.
across public lines such as backing up a branch office server to a backup server at the main office. Security is a two-part process because, in the backup system, data is either directly being backed up across the network or is in storage. To protect data in transit, your best method is using IPSec (Internet Protocol Security) over a VPN tunnel to ensure security. Even if the data is intercepted, it's encrypted and can't be read. Encrypting data in storage protects it if your storage medium is compromised. This can occur either on the hard drive of a backup server or if your portable backup media should fall into the wrong hands. Even if you take these precautions, if you suspect that your data has been compromised, report the incident to law enforcement as well as the appropriate business managers and your legal department. (Lesson 2 covered network security.) To keep your backup media as safe as possible, keep your portable storage in a tape vault or some other secure location. Smaller businesses with limited budgets can use a safety deposit box or offsite safe. The location must be readily accessible to authorized staff should the media be needed for a recovery procedure.
In a small to medium-sized business environment, it's unlikely that you'll implement a SAN or NAS storage solution, so those options are beyond the scope of this lesson. Read more about SAN and NAS on the HP StorageWorks solution center.
implement fault tolerance on your network, which isn't the same as a backup and recovery process. Whereas RAID 0, 1, and 5 may afford you some measure of protection in terms of redundancy and data protection, in the event of a catastrophic loss of data due to a hardware failure, RAID can't take the place of a set of backup tapes stored in a secure location and ready for use. Don't take shortcuts and don't make assumptions.
the disaster (and you should always plan for the worst-case scenario), you may have a Computer Recovery plan to address issues of restoring workstation and laptop functions. On the other hand, the systems recovery plan should address server faults and the network recovery plan should focus on bringing up internetworking devices, such as routers and switches after a disaster. You'll likely have an overall disaster management plan that oversees all of the other aspects of recovery and a communications plan that coordinates how different organizations are contacted, such as law enforcement, company management, and Hazmat and FEMA if necessary. These different parts of the plan can easily map to different teams in a larger organization. In a small to medium-sized business, you might have one staff person wearing multiple hats with the entire IT staff representing a dozen different functions. As your network changes and grows, so must your plan. Build in periodic reviews of your backup and recovery plan to keep it current.
In a total disaster, most of your infrastructure will be unavailable, and every aspect of your network must be examined. Be prepared to quickly perform a damage assessment and determine the scope of the recovery effort.
You can't simulate a hurricane, tornado, or earthquake; however, you can create circumstances that test at least the most basic or common recovery tasks your team should be familiar with in the event of a major problem. The recovery you actually perform will most likely be in response to some form of data loss or systems malfunction, not a major catastrophe. In fact, the most common reason for conducting a data recovery operation is when a user accidentally erases or damages a file or the contents of a folder. Other similar circumstances might be a junior administrator inadvertently deleting the engineering organizational unit and all the members therein. Also, it's impractical to test every tape you create. Use a random sampling of tapes periodically to make sure they're readable and that data is properly restored.
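"Readable" and "properly restored" are two different checks: a tape can read without error and still hand back a file that doesn't match what was backed up. The added example below (written for this lesson; not the tooling of any backup product) records a SHA-256 manifest when the backup set is made and compares a restored copy, or a random sample of it, against that manifest, reporting files that are missing or whose contents changed. The backup set, the restore, and the simulated damage are all constructed in a temporary directory so the script runs anywhere.

```python
import hashlib
import os
import random
import shutil
import tempfile

CHUNK = 64 * 1024


def sha256_of(path):
    """Hash a file in chunks so large backup images don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256.
    Store this alongside the backup set at backup time."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_restore(manifest, restored_root, sample_size=None, seed=None):
    """Check restored files against the manifest. With sample_size set, only a
    random sample of files is checked, which is how a periodic spot check of
    one tape can be kept short."""
    names = sorted(manifest)
    if sample_size is not None and sample_size < len(names):
        names = sorted(random.Random(seed).sample(names, sample_size))
    result = {"ok": [], "corrupted": [], "missing": []}
    for rel in names:
        path = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_of(path) != manifest[rel]:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo(sample_size=None, seed=None):
    """Build a constructed backup set, 'restore' it, damage the restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "backup_set")
        os.makedirs(os.path.join(src, "docs"))
        files = {
            "docs/plan.txt": b"recovery plan v1",
            "docs/policy.txt": b"email use policy",
            "db.bak": b"\x00\x01" * 50,
        }
        for rel, data in files.items():
            with open(os.path.join(src, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)

        restored = os.path.join(tmp, "restored")
        shutil.copytree(src, restored)
        # Simulate a bad tape: one file comes back altered, one never comes back.
        with open(os.path.join(restored, "db.bak"), "r+b") as f:
            f.seek(10)
            f.write(b"\xff")
        os.remove(os.path.join(restored, "docs", "policy.txt"))

        return verify_restore(manifest, restored, sample_size, seed)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the tape it describes, since a manifest that is lost with the tape verifies nothing; a copy with the offsite media log is the natural place.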
Moving on
In this lesson, you learned how to create and test a data backup plan, and how to recover data. Before moving on, complete the assignment and take the quiz for this lesson. Drop by the Message Board to exchange any final questions and comments with your classmates and instructor. The best to you in your role as senior IT administrator!
Assignment #1
Read the Network backup - disk-to-disk or tape emulation? article in Techworld. Notice that the author favors tape emulation as a superior solution. After reading the article, write a brief report that describes why tape emulation may be the better option.
Quiz: #1
Question 1: What are some common elements of a backup plan? (Check all that apply.)
A) Redirecting user My Documents folders to a directory on a central server
B) Increasing the speed of backups to optimize network availability
C) Selecting a homogenous backup media scheme such as tape or optical disc or using a heterogeneous scheme by mixing the two
D) Using multiple types of backup software to manage multiple types of hardware platforms and data types
Question 2: Which are appropriate methods to ensure staff is assigned to monitor backup and restore operations? (Check all that apply.)
A) Rotate responsibility among the IT staff so that everyone shares in these tasks, including being on call in the event of a crisis
B) Assigning a single staff person who's responsible for monitoring backup and restore operations but having other staff positioned to take over if the primary person becomes ill or is on vacation
C) Having the senior administrator take sole responsibility for backup and restore operations because it's too important a function to be left to junior staff
D) Assigning a backup and recovery team that rotates monitoring responsibilities among themselves and, in a crisis, works together to restore the network
Question 3: What can you do to optimize backup performance? (Check all that apply.)
A) Buy additional storage capacity well ahead of time to accommodate for future growth
B) Set quotas for the amount of data end users are allowed to store on network servers and issue notices to them when they're nearing their personal capacity
C) Secure data on portable media by making sure it's encrypted, and then keep it in a tape vault in your locked office
D) Use IPSec to encrypt data as it's backed up across the network
Question 4: What kinds of teams should you create to respond to a disaster on the network? (Check all that apply.)
A) Communications team
B) Systems recovery team
C) Network recovery team
D) Computer recovery team
Question 5: What's the single most common reason for conducting a data recovery operation?
A) Accidental deletion of data
B) Server hard drive crash
C) Power failure
D) Natural disaster
2003 - 2006 Powered, Inc.