PPP (Point-to-Point Protocol) is the most widely used method for transporting IP packets
over a serial link between the user and the Internet Service Provider (ISP).
PPP was designed to enable the transmission of different protocols over one point-to-point
link by utilizing encapsulation. Encapsulation is the process of storing packets from
the foreign protocol inside PPP frames.
• A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link
connection.
• A suite of Network Control Protocols (NCPs) for establishing and configuring
different network-layer protocols.
PPP LCP
The PPP Link Control Protocol is responsible for establishing, configuring, managing,
and terminating the point-to-point link.
LCP accomplishes these tasks through the use of simple control messages:
• Configure-Request
• Configure-Ack
• Configure-Nak
• Configure-Reject
• Terminate-Request
• Terminate-Ack
• Code-Reject
• Protocol-Reject
• Echo-Request
• Echo-Reply
• Discard-Request
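As an added illustration (not code from the original text), the following Python decoder shows what an LCP packet carrying the messages listed above looks like on the wire: a one-byte Code, a one-byte Identifier, a two-byte Length, and, for the Configure-* messages, a list of Type/Length/Data options. The code numbers and option types are those of RFC 1661; the sample packets are constructed here. The point a practitioner cares about is that every length field is checked against the bytes actually present, so a truncated or lying header is rejected rather than read past.

```python
import struct
from dataclasses import dataclass, field
from typing import List

# LCP code numbers from RFC 1661, in the order the list above gives them.
LCP_CODES = {
    1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
    4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
    7: "Code-Reject", 8: "Protocol-Reject", 9: "Echo-Request",
    10: "Echo-Reply", 11: "Discard-Request",
}
# A few configuration option types (RFC 1661 section 6), for readable output.
LCP_OPTIONS = {1: "Maximum-Receive-Unit", 3: "Authentication-Protocol",
               5: "Magic-Number", 7: "Protocol-Field-Compression",
               8: "Address-and-Control-Field-Compression"}


class MalformedLcp(ValueError):
    """Raised when a length field does not fit the bytes actually received."""


@dataclass
class LcpPacket:
    code: str
    identifier: int
    options: List[tuple] = field(default_factory=list)  # (option name, data bytes)


def parse_lcp(pkt: bytes) -> LcpPacket:
    """Decode an LCP packet, validating the header Length and every option
    Length against the buffer before touching the bytes they describe."""
    if len(pkt) < 4:
        raise MalformedLcp("shorter than the 4-byte LCP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise MalformedLcp(f"Length field {length} does not fit {len(pkt)} bytes")
    if code not in LCP_CODES:
        raise MalformedLcp(f"unknown LCP code {code}")  # a peer answers Code-Reject
    result = LcpPacket(LCP_CODES[code], ident)
    if code in (1, 2, 3, 4):  # only Configure-* messages carry options
        body = pkt[4:length]
        pos = 0
        while pos < len(body):
            if len(body) - pos < 2:
                raise MalformedLcp("dangling option byte")
            otype, olen = body[pos], body[pos + 1]
            if olen < 2 or pos + olen > len(body):
                raise MalformedLcp(f"option {otype} length {olen} out of bounds")
            result.options.append((LCP_OPTIONS.get(otype, f"type-{otype}"),
                                   body[pos + 2:pos + olen]))
            pos += olen
    return result


def is_malformed(pkt: bytes) -> bool:
    """True if parse_lcp rejects the packet."""
    try:
        parse_lcp(pkt)
        return False
    except MalformedLcp:
        return True


# Constructed sample: Configure-Request, id 1, asking for MRU 1500 and a magic number.
SAMPLE_CONF_REQ = bytes.fromhex("0101000e" "010405dc" "0506deadbeef")
# Constructed malformed sample: the MRU option claims 20 bytes but only 4 follow.
SAMPLE_BAD = bytes.fromhex("01020008" "011405dc")

if __name__ == "__main__":
    print(parse_lcp(SAMPLE_CONF_REQ))
    print("bad sample rejected:", is_malformed(SAMPLE_BAD))
```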
PPP NCPs
A PPP Network Control Protocol must be defined for each type of network packet which
is to be encapsulated and transmitted across the PPP link.
The key to the system is a 'token' - which is actually a data frame or container for storing
data that is to be transmitted down a 'ring' of computers connected to the network. A
simple analogy is to imagine a clock with each number on the clock face representing one
computer on a network; 12 numbers, 12 computers.
A 'free' (or empty) token is released into the network, moving around the network,
'stopping off' at each computer to check if it is needed. Assume that computer 3 wants to
send a data package to computer 9. When the free token 'stops off' at computer 3, it is
grabbed and the data is 'injected' into the empty vessel and then sent on its way. The
token passes each computer in the sequence (e.g. computer 4, 5, 6 and so on); each
computer notes that the packet is not addressed to it and 'rejects' it, in effect, "passing" it
on to the next computer in the series.
Once the packet or token reaches computer 9 (to which the data is addressed), it is
'grabbed' again and an exchange of data occurs - the data is released to computer 9, and
the computer 'injects' an acknowledgement receipt into the token. The token (with the
acknowledgement receipt) is released back into the network, proceeding down the chain
(e.g. moving to computers 9, 10 and so on) with each one again 'rejecting' the token since
it is not addressed to them.
What is a VLAN?
The Basic Definition
The acronym VLAN expands to Virtual Local Area Network. A VLAN is a logical local
area network (or LAN) that extends beyond a single traditional LAN to a group of LAN
segments, given specific configurations. Because a VLAN is a logical entity, its creation
and configuration is done completely in software.
How Is a VLAN Identified
Since a VLAN is a software concept, identifiers and configurations for a VLAN must be
properly prepared for it to function as expected. Frame coloring is the process used to
ensure that VLAN members or groups are properly identified and handled. With frame
coloring, packets are given the proper VLAN ID at their origin so that they may be
properly processed as they pass through the network. The VLAN ID is then used to
enable switching and routing engines to make the appropriate decisions as defined in the
VLAN configuration.
A VLAN solution can alleviate both of these drawbacks by permitting the same broadcast
domain to extend beyond a single segment.
• Additional Bandwidth Usage - Traditional network designs require additional
bandwidth because the network is segmented, so packets have to pass through multiple
levels of network connectivity to reach their destination.
A proper VLAN design can ensure that only devices on which that VLAN is defined will
receive and forward the packets whose source or destination lies in that VLAN.
Types of VLAN
There are only two types of VLAN possible today, cell-based VLANs and frame-based
VLANs.
• Cell-based VLANs are used in ATM switched networks with LAN Emulation (or
LANE). LANE is used to allow hosts on legacy LAN segments to communicate
using ATM networks without having to use special hardware or software
modification.
• Frame-based VLANs are used in ethernet networks with frame tagging. The two
primary types of frame tagging are IEEE 802.10 and ISL (Inter Switch Link is a
Cisco proprietary frame-tagging). Keep in mind that the 802.10 standard makes it
possible to deploy VLANs with 802.3 (Ethernet), 802.5 (Token-Ring), and FDDI,
but ethernet is most common.
VLAN modes
There are three different modes in which a VLAN can be configured. These modes are
covered below:
• VLAN Switching Mode - The VLAN forms a switching bridge in which frames
are forwarded unmodified.
• VLAN Translation Mode - VLAN translation mode is used when the frame
tagging method is changed in the network path, or if the frame traverses from a
VLAN group to a legacy or native interface which is not configured in a VLAN.
When the packet is to pass into a native interface, the VLAN tag is removed so
that the packet can properly enter the native interface.
• VLAN Routing Mode - When a packet is routed from one VLAN to a different
VLAN, you use VLAN routing mode. The packet is modified, usually by a router,
which places its own MAC address as the source, and then changes the VLAN ID
of the packet.
VLAN configurations
Different terminology is used between different hardware manufacturers when it comes
to VLANs. Because of this there is often confusion at implementation time. Following
are a few details, and some examples to assist you in defining your VLANs so confusion
is not an issue.
Cisco VLAN terminology
You need a few details to define a VLAN on most Cisco equipment. Unfortunately,
because Cisco sometimes acquires the technologies it uses to fill out its switching,
routing and security product lines, naming conventions are not always consistent. For this
article, we focus only on Cisco switching and routing product lines running Cisco
IOS.
To define a VLAN on a Cisco device, you need a VLAN ID, a VLAN name, the ports you
would like to participate in the VLAN, and the type of membership each port will have
in the VLAN.
• Step 1 - Log into the router or switch in question and get into enable mode.
• Step 2 - Get into configuration mode using "conf t".
• Step 3 - Create your VLAN by entering "vlan X" where X is the ID you would
like to assign the VLAN.
• Step 4 - Name your VLAN by entering "name <VLAN Name>". Replace <Vlan
Name> with the string you would like to identify your VLAN by.
• Step 5 - If you want your new VLAN to be a private VLAN, you now enter "private-vlan
primary" and "private-vlan association Y" where Y is the secondary VLAN
you want to associate with the primary VLAN. If you would like the private VLAN
to be community based, you enter "private-vlan community" instead.
• Step 6 - Exit configuration mode by entering "end".
• Step 7 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.
You have now created a VLAN by assigning it an ID and giving it a name. At this point,
the VLAN has no special configuration to handle IP traffic, nor are there any ports that
are members of the VLAN. The next section describes how you complete your VLAN
configuration.
VLAN Configuration
A VLAN isn't much use if you haven't assigned it an IP Address, the subnet netmask, and
port membership. In normal network segment configurations on routers, individual
interfaces or groups of interfaces (called channels) are assigned IP addresses. When you
use VLANs, individual interfaces are members of VLANs and do not have individual IP
addresses, and generally don't have access lists applied to them. Those features are
usually reserved for the VLAN interfaces. The following steps detail one method of
creating and configuring your VLAN interface. NOTE: These steps have already
assumed that you have logged into the router, gotten into enable mode, and entered
configuration mode. These specific examples are based on the Cisco 6500 series devices.
• Step 1 - Enter "Interface VlanX" where X is the VLAN ID you used in the VLAN
definition above.
• Step 2 - This step is optional. Enter "description <VLAN description>" where <VLAN
description> details what the VLAN is going to be used for. You can simply re-use the
VLAN name you used above if you like.
• Step 3 - Enter "ip address <address> <netmask>" where <address> is the address
you want to assign this device in the VLAN, and <netmask> is the network mask
for the subnet you have assigned the VLAN.
• Step 4 - This step is optional. Create and apply an access list to the VLAN for
inbound and outbound access controls. For a standard access list enter "access-group
XXX in" and "access-group YYY out" where XXX and YYY correspond
to access-lists you have previously configured. Remember that the terms are taken
in respect to the specific subnet or interface, so "in" means from the VLAN INTO
the router, and "out" means from the router OUT to the VLAN.
• Step 5 - This step is optional. Enter the private VLAN mapping you would like to
use if the port is part of a private VLAN. This should be the same secondary
VLAN you associated with the primary VLAN in VLAN definition above. Enter
"private-vlan mapping XX" where XX is the VLAN ID of the secondary VLAN
you would like to associate with this VLAN.
• Step 6 - This step is optional. Configure HSRP and any other basic interface
configurations you would normally use for your Cisco device.
• Step 7 - Exit configuration mode by entering "end".
• Step 8 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.
Now you have your VLAN defined and configured, but no physical ports are members of
the VLAN, so the VLAN still isn't of much use. Next, port membership in the VLAN is
described. IOS devices describe interfaces based on a technology and a port number, as
with "FastEthernet3/1" or "GigabitEthernet8/16". Once you have determined which
physical ports you want to be members of the VLAN you can use the following steps to
configure it. NOTE: These steps have already assumed that you have logged into the
router, gotten into enable mode, and entered configuration mode.
• Step 1 - Enter "Interface <interface name>" where <interface name> is the name
Cisco has assigned the interface you would like to associate with the VLAN.
• Step 2 - This step is optional. Enter "description <interface description>" where
<interface description> is text describing the system connected to the interface in
question. It is usually helpful to provide DNS hostname, IP Address, which port
on the remote system is connected, and its function.
• Step 3 - This step depends on your equipment, IOS version, and requirements.
Enter "switchport" if you need the interface to act as a switch port. Some
hardware does not support switchport mode, and can only be used as a router port.
Check your documentation if you don't know the difference between a router port
and a switch port.
• Step 4 - Only use this step if you used step 3 above. Enter "switchport access vlan
X" where X is the VLAN ID of the VLAN you want the port to be a member of.
• Step 5 - Only use this step if you used step 3 above. Enter "switchport mode
access" to tell the port that you want it to be used as an access port.
• Step 6 - Exit configuration mode by entering "end".
• Step 7 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.
• Step 1 - Enter "Interface <interface name>" where <interface name> is the name
Cisco has assigned the interface you would like to associate with the VLAN.
• Step 2 - This step is optional. Enter "description <interface description>" where
<interface description> is text describing the system connected to the interface in
question. It is usually helpful to provide DNS hostname, IP Address, which port
on the remote system is connected, and its function.
• Step 3 - This step depends on your equipment, IOS version, and requirements.
Enter "switchport" if you need the interface to act as a switch port. Some
hardware does not support switchport mode, and can only be used as a router port.
Check your documentation if you don't know the difference between a router port
and a switch port.
• Step 4 - Enter "switchport private-vlan host association XX YY" where XX is the
primary VLAN you want to assign, YY is the secondary VLAN you want to
associate with it.
• Step 5 - Enter "switchport mode private-vlan host" to force the port to operate as a
private-vlan in host mode.
• Step 6 - Exit configuration mode by entering "end".
• Step 7 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.
You should now have your VLAN properly implemented on a Cisco IOS device.
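The three procedures above hang together: the VLAN must be defined, it needs an "interface VlanX" with an address before it carries IP traffic, and it is useless until access ports are members of it. The following Python script is an added example (not from the original text or from Cisco) that reads an IOS-style running-config and reports where one of those pieces is missing, so a configuration can be audited after the steps have been typed in. The sample configuration is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample running-config; VLAN 20 is incomplete and port 1/3 points at
# a VLAN that was never defined, so the audit has something to report.
SAMPLE_CONFIG = """\
vlan 10
 name SERVERS
!
vlan 20
 name PRINTERS
!
interface Vlan10
 description SERVERS
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet1/1
 description srv01 eth0 10.0.10.11
 switchport
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/2
 switchport
 switchport access vlan 10
!
interface GigabitEthernet1/3
 switchport
 switchport access vlan 30
 switchport mode access
!
"""


def parse_ios_config(text: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into blocks keyed by their unindented first line
    ("vlan 10", "interface Vlan10", ...), each holding the indented lines under it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None            # "!" and blank lines end a block
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def audit_vlans(text: str) -> List[str]:
    """Cross-check VLAN definitions, VLAN interfaces and access-port membership."""
    blocks = parse_ios_config(text)
    defined: Dict[int, str] = {}     # VLAN id -> name (Step 3/4 of the definition)
    svi_with_ip = set()              # VLAN ids whose interface VlanX has an ip address
    members: Dict[int, List[str]] = {}  # VLAN id -> access ports assigned to it
    findings: List[str] = []
    for head, body in blocks.items():
        m = re.fullmatch(r"vlan (\d+)", head)
        if m:
            vid = int(m.group(1))
            name = next((l.split(" ", 1)[1] for l in body if l.startswith("name ")), "")
            defined[vid] = name
            continue
        m = re.fullmatch(r"interface [Vv]lan(\d+)", head)
        if m:
            if any(l.startswith("ip address ") for l in body):
                svi_with_ip.add(int(m.group(1)))
            continue
        m = re.fullmatch(r"interface (\S+)", head)
        if m:
            port = m.group(1)
            acc = next((l for l in body if l.startswith("switchport access vlan ")), None)
            if acc:
                vid = int(acc.split()[-1])
                members.setdefault(vid, []).append(port)
                if "switchport mode access" not in body:   # Step 5 of port membership
                    findings.append(f"{port}: in VLAN {vid} but 'switchport mode access' is missing")
    for vid, name in sorted(defined.items()):
        if vid not in svi_with_ip:
            findings.append(f"VLAN {vid} ({name}): no 'interface Vlan{vid}' with an ip address")
        if vid not in members:
            findings.append(f"VLAN {vid} ({name}): no access ports are members")
    for vid in sorted(members):
        if vid not in defined:
            findings.append(f"VLAN {vid}: ports {', '.join(members[vid])} reference an undefined VLAN")
    return findings


if __name__ == "__main__":
    for line in audit_vlans(SAMPLE_CONFIG):
        print(line)
```

Run against a real "show running-config" capture, the same checks flag ports that silently fall into whatever VLAN the hardware defaults to because the VLAN they name does not exist.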
HP VLAN terminology
HP's Procurve line of switchgear is becoming more and more prevalent in enterprise and
other business environments. Because of this, it isn't uncommon to have to get Cisco and
Procurve hardware to integrate, and because of terminology this can be a challenge.
Below some of the VLAN terminology is defined so there is less opportunity for
confusion.
• VLAN ID - Fortunately, VLAN IDs are pretty much the same everywhere; the
only significant differences are the range of IDs that can be used. With Procurve
devices, the number of VLANs is defined in the configuration. The default
maximum VLANs supported on a Procurve device differs between models and
firmware revisions, but is commonly set to 8. Newer Procurve hardware supports
4,096 VLAN ids, but only 256 concurrently defined VLANs on a single device.
VLAN ID 1 is reserved for the "DEFAULT_VLAN" or the default administrative
VLAN.
• VLAN names - VLAN names are text fields that assist technicians to identify
VLANs. Procurve allows names up to 32 characters, but if you want it to properly
display in menu configuration mode, you should probably limit the name to 12
characters.
• VLAN modes - Procurve has three modes of operation for VLANs on the chassis,
Untagged, Tagged, and No. Untagged mode is Cisco's access mode. This mode is
used for ports that connect to end nodes, or devices that will not be passing
VLAN traffic forward. Tagged mode is the same as Cisco's trunk mode. This
mode is used for ports that are connecting to devices that will be passing VLAN
traffic forward, or for trunking multiple VLANs. No mode means that the port in
question has no association whatsoever with that VLAN.
• Special note on "trunk" - Lots of confusion surrounds the word "trunk" when you
go between vendor equipment. In Cisco's case, trunking is only used with
VLANs. If you want to group multiple ethernet ports into a single logical ethernet
group, they call it a channel-group. This is regardless of whether FEC or LACP is
used for the channel properties. Procurve uses "trunk" to define a group of
ethernet ports when using the HP trunking protocol, and the term "Tagged" for
what Cisco calls a VLAN trunk. Of course, these two technologies have nothing
to do with each other, but because of naming conventions, confusion arises.
VLAN Configuration
Configuring VLANs on a modern Procurve is pretty simple: you must first define the
VLAN, set its properties, and then set up membership for ports and the VLAN mode they
will support. The following list should help you accomplish these tasks. NOTE: HP
defines its interface ports using a module/port convention. If you have a non-modular
chassis (such as the 3448cl) then ports are identified by number alone, such as 1 or 36.
If the chassis is modular (such as the 5308) then the port number is prefixed with the
module slot, such as A1 or H6. No reference to the type of switch port (ethernet, fast
ethernet, gigabit ethernet) is used for port reference.
• Step 1 - Log into the switch and get into manager mode. If, after logging in, you
are in the configuration menu, exit the configuration menu by selecting item 5 (in
most cases) or by using the arrow keys on your keyboard to highlight the
"Command Line (CLI)" item.
• Step 2 - Enter "conf t" to get into terminal configuration mode.
• Step 3 - Enter "vlan X" where X is the VLAN id of the VLAN you would like to
create.
• Step 4 - Name your VLAN by entering name "<VLAN Name>" where <VLAN
Name> is a text string from 1 to 32 characters (12 characters if you care about the
configuration menu display). You should put the name in quotes.
• Step 5 - Give the VLAN an IP address by entering "ip address <ip address>
<netmask>" where <ip address> is the IP address you want to assign this switch
in that subnet, and <netmask> is the network mask for the subnet assigned.
• Step 6 - This step is optional. If you want to assign some end node ports to the
VLAN enter "untagged <port-list>" where <port-list> is a list of ports either
comma delimited if they are non-sequential, or using a dash between list
beginning and end if they are. An example of this is "untagged 1,3,5,7-16". This
would configure ports 1, 3, 5, and 7 through 16 to be untagged on that VLAN.
• Step 7 - This step is optional. If you want to assign some VLAN trunk ports to the
VLAN enter "tagged <port-list>" where <port-list> is a list of ports either comma
delimited if they are non-sequential, or using a dash between list beginning and
end if they are. An example of this is "tagged 1,3,5,7-16". This would configure
ports 1, 3, 5, and 7 through 16 to be tagged on that VLAN.
• Step 8 - Enter "exit" to leave VLAN configuration mode.
• Step 9 - Exit configuration mode by entering "exit" again.
• Step 10 - Save your configuration by entering "wr memory".
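The <port-list> syntax in Steps 6 and 7 is compact but easy to get wrong by hand, especially on a modular chassis where ranges carry a module letter. As an added example (not from the original text or from HP), the Python below expands a port list into the individual ports the switch will act on, rejects ranges that run backwards or cross module boundaries, and reports ports that would end up in both the untagged and the tagged list for the same VLAN.

```python
import re
from typing import List

# A Procurve port is an optional module letter (modular chassis) followed by a number.
PORT_RE = re.compile(r"^([A-Za-z]?)(\d+)$")


def expand_port_list(spec: str) -> List[str]:
    """Expand "1,3,5,7-16" or "A1-A4,H6" into the individual port names.
    A range must stay inside one module and run upwards; anything else is an error."""
    ports: List[str] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty list element")
        if "-" in item:
            lo, hi = item.split("-", 1)
            mlo, mhi = PORT_RE.match(lo), PORT_RE.match(hi)
            if not mlo or not mhi:
                raise ValueError(f"bad range {item!r}")
            mod_lo, n_lo = mlo.group(1).upper(), int(mlo.group(2))
            mod_hi, n_hi = mhi.group(1).upper(), int(mhi.group(2))
            if mod_lo != mod_hi:
                raise ValueError(f"range {item!r} spans two modules")
            if n_lo > n_hi:
                raise ValueError(f"range {item!r} runs backwards")
            ports.extend(f"{mod_lo}{n}" for n in range(n_lo, n_hi + 1))
        else:
            m = PORT_RE.match(item)
            if not m:
                raise ValueError(f"bad port {item!r}")
            ports.append(f"{m.group(1).upper()}{int(m.group(2))}")
    return ports


def overlap(untagged: str, tagged: str) -> List[str]:
    """Ports named in both lists for one VLAN; a port can only be untagged or
    tagged on a given VLAN, so the second command would override the first."""
    tagged_set = set(expand_port_list(tagged))
    return [p for p in expand_port_list(untagged) if p in tagged_set]


def is_valid_port_list(spec: str) -> bool:
    """True if expand_port_list accepts the specification."""
    try:
        expand_port_list(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(expand_port_list("1,3,5,7-16"))          # the text's own example
    print(expand_port_list("A1-A4,H6"))            # modular chassis ports
    print("overlap:", overlap("1,3,5,7-16", "16-20"))
```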
What is a Firewall?
A firewall is a system that is set up to control traffic flow between two networks.
Firewalls are most commonly specially configured Unix systems, but firewalls have also
been built out of many other systems, including systems designed specifically for use as
firewalls. The most common commercial firewall today is CheckPoint FireWall-1, but
competitors such as Cisco's PIX are quickly catching up on CheckPoint.
• Source IP address
• Source port
• Destination IP address
• Destination port
• IP protocol (TCP or UDP)
Based upon rules configured into the firewall, the packet will either be allowed through,
rejected, or dropped. If the firewall rejects the packet, it sends a message back to the
sender letting him know that the packet was rejected. If the packet was dropped, the
firewall simply does not respond to the packet. The sender must wait for the
communications to time out. Dropping packets instead of rejecting them greatly increases
the time required to scan your network. Packet filtering firewalls operate on Layer 3 of
the OSI model, the Network Layer. Routers are a very common form of packet filtering
firewall.
An improved form of the packet filtering firewall is a packet filtering firewall with a
stateful inspection engine. With this enhancement, the firewall "remembers"
conversations between systems. It is then necessary to fully examine only the first packet
of a conversation.
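As an added example (not code from the original text), the Python below models a packet filter over the five fields listed above. Rules carry one of the three actions the text names (allow, reject, drop), and a small state table implements the stateful enhancement: once the first packet of a conversation has been allowed, the reply and later packets of that conversation pass without the rules being consulted again. The addresses, ports and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """The five fields a packet filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "TCP" or "UDP"


@dataclass
class Rule:
    action: str                  # "allow", "reject" (answer the sender) or "drop" (silence)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


class StatefulFilter:
    """First matching rule decides a new conversation; known conversations pass."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules, self.default = rules, default
        self.state: Set[Tuple] = set()   # conversations whose first packet was allowed

    def decide(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or reverse in self.state:
            return "allow"               # remembered conversation, either direction
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.state.add(key)  # remember it so the reply gets through
                return rule.action
        return self.default


# Constructed rule set: the web server at 203.0.113.10 is reachable on port 80 from
# anywhere; telnet attempts from the 192.168.1.0/24 segment are rejected with a
# notice; everything else is silently dropped.
RULES = [
    Rule("allow", dst="203.0.113.10/32", proto="TCP", dport=80),
    Rule("reject", src="192.168.1.0/24", dst="203.0.113.10/32", proto="TCP", dport=23),
]


def demo() -> List[str]:
    """Decisions for a web request, its reply, a telnet attempt and an SSH attempt."""
    fw = StatefulFilter(RULES, default="drop")
    web_in = Packet("198.51.100.7", 51000, "203.0.113.10", 80, "TCP")
    web_back = Packet("203.0.113.10", 80, "198.51.100.7", 51000, "TCP")
    telnet = Packet("192.168.1.5", 51001, "203.0.113.10", 23, "TCP")
    ssh = Packet("198.51.100.7", 51002, "203.0.113.10", 22, "TCP")
    return [fw.decide(web_in), fw.decide(web_back), fw.decide(telnet), fw.decide(ssh)]


if __name__ == "__main__":
    print(demo())   # the reply passes only because the request was remembered
```

Note what the state table buys: the reply from port 80 back to the client's ephemeral port matches none of the rules, so a stateless filter with this rule set would drop it and the web conversation would never complete.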
The Application-Proxy Firewall
Another type of firewall is the application-proxy firewall. In a proxying firewall, every
packet is stopped at the firewall. The packet is then examined and compared to the rules
configured into the firewall. If the packet passes the examinations, it is re-created and
sent out. Because each packet is destroyed and re-created, there is a potential that an
application-proxy firewall can prevent unknown attacks based upon weaknesses in the
TCP/IP protocol suite that would not be prevented by a packet filtering firewall. The
drawback is that a separate application-proxy must be written for each application type
being proxied. You need an HTTP proxy for web traffic, an FTP proxy for file transfers,
a Gopher proxy for Gopher traffic, etc... Application-proxy firewalls operate on Layer 7
of the OSI model, the Application Layer.
• Coverage Area
• Authentication and Authorization Mechanisms
Coverage Area
You can limit coverage area with an access point by using the proper antenna for the
coverage needs. This prevents your wireless signals from emitting beyond your coverage
area. Unfortunately, with the proper antenna in place on the receiver side, this method is
easily defeated. An individual or group who has enough interest and funding to buy better
equipment is the limiting factor here.
WEP is usually found in 64bit, 128bit, and 256bit implementations. WEP has been found
to be weak cryptographically, and should not be used for any wireless infrastructure you
would like to have secured. Choosing a good passphrase or password does not increase
the level of security offered by WEP.
WPA is based on WEP, but the WPA algorithm changes the effective key more often.
WPA is still weak cryptographically, so choosing a passphrase or password of 20
characters or more is important to keep your wireless network secure. If you use a good
passphrase with WPA, it is believed that attacks are impractical.
WPA2 uses new encryption technologies called AES or TKIP which are not based on
WEP. WPA2 is the preferred encryption technology if it is available. As of March 13,
2006, all equipment using the WiFi trademark must be certified for WPA2.
Devices that support WPA2 mixed mode allow clients using both AES and WEP
configurations to interoperate. This does not include broadcast and multicast traffic.
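Why the passphrase length matters for WPA and WPA2 in pre-shared-key mode becomes concrete once you see how the key is derived. As an added example (not from the original text), the Python below computes the 256-bit pre-shared key exactly as a WPA/WPA2-Personal client does: PBKDF2-HMAC-SHA1 over the passphrase, with the network's SSID as salt and 4096 iterations, as specified in IEEE 802.11i. Whether the link then uses TKIP or AES does not change this step. The known test vector checked at the end is the one published with the standard.

```python
import hashlib

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Known test vector from IEEE 802.11i: passphrase "password", SSID "IEEE".
KNOWN_PSK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key from a WPA/WPA2-Personal passphrase.

    A passphrase must be 8 to 63 printable ASCII characters; a 64-hex-digit
    string is taken as the raw key with no derivation, as access points do."""
    if len(passphrase) == 64 and set(passphrase) <= HEX_DIGITS:
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # The SSID is the salt, so the same passphrase gives a different key on
    # every network; 4096 iterations make each guess at the passphrase cost
    # 4096 HMAC-SHA1 computations, but cannot make up for a short passphrase.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def check_known_vector() -> bool:
    """Confirm the derivation against the published test vector."""
    return wpa_psk("password", "IEEE").hex() == KNOWN_PSK


if __name__ == "__main__":
    print("known vector matches:", check_known_vector())
    print(wpa_psk("correct horse battery staple", "ExampleNet").hex())
```

The two things the derivation makes visible are that the only secret input is the passphrase (the SSID is broadcast), and that the 4096-iteration cost is fixed by the standard, so the strength of a WPA/WPA2-Personal network rests entirely on the length and unpredictability of the passphrase, which is the text's reason for asking for 20 characters or more.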
Encryption Keys
Encryption requires a key exchange for the algorithms to have a common starting point.
Wireless devices usually provide two methods for key exchange, pre-shared keys (PSK
or password), and enterprise (RADIUS). For individuals and small businesses it is better
to use a pre-shared key mechanism. For environments that will have many different
wireless access devices, enterprise is generally a better choice.
MAC address filtering allows or denies clients attaching to your wireless network using
a look-up table: if the wireless network card's MAC address is on the list it can be
permitted or denied. Unfortunately, a knowledgeable attacker can use a wireless
network sniffer to capture the MAC addresses of currently connected systems and
change his own MAC address to match. It is a trivial matter to change a system's
MAC address. Because of this, this security technique is considered "security through
obscurity".
Some systems will not pass traffic from connected systems until the user authenticates
with the wireless device. The authentication details may be stored in a table locally on the
wireless device, or they may be checked remotely from the device using the RADIUS
protocol, TACACS, or some other remote authentication technology.
A soft token is a software package installed on client systems that interacts with the
authentication and authorization software on the wireless device to validate users.
Certificates are special files installed on the client machine that must properly match up
with certificate information on the wireless device to validate a wireless network client.
Hard-tokens are small computing devices that use a challenge-response mechanism with
the wireless device to validate a user or wireless network client.
A Fob is a piece of hardware you can attach and detach from a client system that provides
credentials to the wireless device for client validation.
Conclusion
In conclusion, you should use WPA2, then WPA, and then WEP, in that order, for your
wireless encryption if you have a choice. Setting up WEP is better than having a
completely open wireless network. For key exchange use pre-shared keys if you don't
have many wireless devices to manage, or set up a RADIUS server for that function if you
have lots of devices to manage. You can disable SSID Broadcast and use MAC filtering,
but don't rely on them solely to secure your wireless network.
To solve all these problems and let people connect their computers to a telecommunications
network easily, RADIUS is used by most widespread open source and proprietary systems.
Systems built around RADIUS are frequently put into service by telcos and other companies
to identify their customers or employees. RADIUS is useful because it can determine what
the authenticated user is authorized to do, and it records each login in the "Accounting"
function of the server.
RADIUS servers can verify that the supplied credentials are correct through authentication
schemes including PAP, CHAP and EAP. RADIUS is also frequently used to ease roaming
between ISPs, and many companies use it because it provides a single, common set of
credentials that can be used across most public networks. The primary users of RADIUS
are Internet Service Providers, but it can be used on any network that requires centralized
authentication and accounting services for its hosts.
RADIUS thus enables centralized management of authentication data such as usernames and
passwords. The RADIUS server can store this data locally, but it may also keep it in an
external SQL database or even an external UNIX file. RADIUS is an excellent option for
performing accounting without hassle, and it can appreciably improve security by
centralizing password management. The flip side is that whoever takes over the RADIUS
server has everything.
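Of the three authentication schemes named above, PAP is the simplest to see on the wire, and it shows where the RADIUS shared secret does its work. As an added example (not code from the original text), the Python below hides and recovers a PAP User-Password the way RFC 2865 section 5.2 describes, and builds a minimal Access-Request around it: the password is padded to 16-byte blocks and each block is XORed with MD5(shared secret + previous block), seeded with the packet's 16-byte Request Authenticator. The secret, authenticator and credentials are constructed for the example.

```python
import hashlib
import os
import struct
from typing import Optional


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: pad the password to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator), c2 = p2 XOR MD5(secret + c1), ..."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += c
        prev = c
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server's side of the same operation; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]          # chaining uses the ciphertext block
    return out.rstrip(b"\x00")


def access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                   authenticator: Optional[bytes] = None) -> bytes:
    """Minimal Access-Request (Code 1) with User-Name (type 1) and User-Password (type 2).
    Header: Code, Identifier, Length, then the 16-byte Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    # Constructed values; a real deployment's secret would come from configuration.
    secret, auth = b"constructed-shared-secret", bytes(range(16))
    pkt = access_request(1, b"alice", b"hunter2", secret, auth)
    print(pkt.hex())
    print(unhide_password(pkt[27:], secret, auth))
```

The construction makes the defensive point plain: the only thing standing between an observer of the RADIUS exchange and the user's password is the shared secret between the network access device and the RADIUS server, and MD5, so that secret must be long, unique per device, and carried over a protected path; where a stronger scheme such as EAP is available it avoids sending the password in this form at all.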
Take a look at the door's handle. You twist it in order to open or close the door. It is the
access control at its very centre. Without this handle the door would be swinging and
wouldn't stop anyone from entering the room. Below this handle, there is a sort of lock
and a keyhole. This keyhole will stop anyone trying to get through the door. Nowadays,
there are different types of keypads and access control systems. In today's world the keys
and locks are beginning to look different. With the passage of time, the key locks also got
smarter. They can identify the patterns of your physical features, your voice, and
fingerprint locks can read your fingerprints.
Basics of IP Address Spoofing
The Internet Protocol or IP is the fundamental protocol for sending/receiving data over
computer networks and the Internet. With the Internet protocol, each packet sent or
received contains information relevant to the operation such as the source and the
destination of the packet. With IP address spoofing, the information placed on the source
field is not the actual source of the packet. By using a different address in the source field
of the packet, the actual sender can make it look like the packet was sent by another
computer and thus the response of the target computer will be sent to the fake address
specified in the packet - unless the attacker wants to redirect the response to his own
computer.
Hackers using IP address spoofing frequently make use of randomly chosen IP addresses
from the entire IP address space, while some more advanced hackers use only the
unregistered portions of the IP address range. IP address spoofing, however, is less
effective than using botnets for DoS attacks because it can be monitored by Internet
authorities using the backscatter technique, which can detect a DoS attack from the
number of invalid IP addresses used in the attack. Nevertheless, it remains a viable
alternative for hackers.
IP address spoofing is also a very useful tool in infiltrating networks and overcoming
network security measures. This happens when IP address spoofers use a trusted IP
address within the network and thus circumvent the need to provide a username or
password to log in to the system. This sort of attack generally is based on a specific set of
host controls (such as rhosts) that are configured insecurely.
IP Address Spoofing Defense
Ingress filtering, that is, packet filtering of the traffic entering your network from outside,
is an effective way of defending against IP address spoofing, since the filter can determine
whether a packet claiming an inside address actually came from inside or outside.
Correspondingly, egress filtering can block packets with spoofed source addresses from
leaving your network and being used to attack other networks.
Upper-layer protocols such as TCP (Transmission Control Protocol), in which sequence
numbers are used to establish a secure connection with other systems, are also an
effective defense against IP address spoofing.
Turning off source routing (loose and strict) on your network routers can also assist in
preventing hackers from taking advantage of many spoofing features. Source routing was
a technology used widely in the past to prevent a single network fault from causing a
major network outage, but the current routing protocols on the Internet today make it all
but unnecessary.
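The ingress and egress checks described above are simple to state as code. As an added example (not from the original text), the Python below applies them at a border router's outside interface: a packet arriving from outside whose source claims to be one of the network's own addresses, or is unroutable, is dropped; a packet leaving whose source is not one of the network's own addresses is dropped before it can reach another network. The prefixes are constructed for the example, with 203.0.113.0/24 standing in for the network's own address space.

```python
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Constructed: the address space this network legitimately sources packets from.
INTERNAL_PREFIXES = [ip_network("203.0.113.0/24")]
# Ranges that can never be a valid source on the public side of the router.
BOGONS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
          ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8"),
          ip_network("0.0.0.0/8")]


def _in_any(addr, nets: Iterable) -> bool:
    return any(addr in n for n in nets)


def ingress_check(src: str, internal=INTERNAL_PREFIXES, bogons=BOGONS) -> str:
    """Packet arriving on the outside interface. Our own addresses cannot
    legitimately arrive from outside, so such a source must be forged."""
    a = ip_address(src)
    if _in_any(a, internal):
        return "drop: claims internal source on external interface"
    if _in_any(a, bogons):
        return "drop: unroutable source"
    return "pass"


def egress_check(src: str, internal=INTERNAL_PREFIXES) -> str:
    """Packet leaving on the outside interface. Anything not sourced from our
    own space is a host inside spoofing, and is stopped here rather than
    becoming some other network's problem."""
    if _in_any(ip_address(src), internal):
        return "pass"
    return "drop: spoofed source leaving network"


# Constructed sample of (direction, source address) pairs as the router sees them.
SAMPLE: List[Tuple[str, str]] = [
    ("in", "198.51.100.9"),    # ordinary outside host
    ("in", "203.0.113.7"),     # outside packet claiming to be us
    ("in", "10.1.2.3"),        # private address arriving from the Internet
    ("out", "203.0.113.7"),    # our host talking out
    ("out", "198.51.100.9"),   # inside host forging an outside address
]


def run(samples=SAMPLE) -> List[str]:
    return [ingress_check(s) if d == "in" else egress_check(s) for d, s in samples]


if __name__ == "__main__":
    for (d, s), verdict in zip(SAMPLE, run()):
        print(f"{d:3} {s:15} {verdict}")
```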
If a person knows the username and the password, the computer system trusts that
they are the account owner and grants them access to that account's data.
Password Construction
Password crackers have many tools at their disposal to cut down the amount of time it
takes to crack your password. Selecting a secure password will help to ensure that the
password cracker must take as much time as possible to guess or otherwise identify your
password. No password is ultimately secure, but if it takes the password cracker longer to
crack the password than it takes for the password to become useless, you will have
succeeded in thwarting the cracker's attack.
Insecure methods
Secure methods
• Always change your password immediately if you feel that your password has
been compromised. Always do this directly. Never follow links sent to you in
email, through an instant messenger client, or from a phone call you received. Ask
for administrative assistance if you have trouble changing your password.
• Do not write your password down where others may find it. If you must write it
down, ensure it is in a locked location that is only accessible to you. Hiding your
password in places you feel it is unlikely to be found is not helpful. Password
crackers have a criminal mind, and generally know where to look.
• It is important that you change your password on a regular schedule, at least every
six months. This assists you by throwing off any cracking efforts that might be in
progress, but have not yet been completed. It also helps you if somehow you have
compromised your password in some other way without knowing it.
• Select passwords that use a mixture of capital letters, numbers, and special
characters. Take heed however, some systems do not allow you to use some or
any special characters. Make sure you check the password criteria for the system
you are using ahead of time, if possible.
• Use substitution of numbers for letters and letters for numbers in your passwords.
Although this is not a primary method of securing your password, it will add
another layer of security on top of a good password, and will prevent the
accidental guess of your password due to circumstances.
• Where the system does not allow many characters in your password (fewer than 14),
it is advisable to build the password from a passphrase by selecting the letter in
a specific position of each word. An example of this is "jJjshnImn2". As you will
notice, it is unlikely that any cracker would guess this password; however, it is
easy to remember when you note the passphrase "John Jacob Jingleheimer
Schmidt, his name is my name too". Notice the use of number substitution and
capitalization in the password.
• The best passwords are complete phrases, if the system allows them. They are
sometimes called "passphrases" to reflect this. For example, a good
passphrase might be "I clean my Glock in the dishwasher." Number and letter
substitution can be applied to passphrases as well. Longer passphrases
generally mean better password security.
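As an added illustration of the time-to-crack argument above and of the six-month rotation advice (editor-supplied code, not part of the original page; the guessing rate of 10^9 guesses per second is an assumed figure), the following estimates the worst-case brute-force search space of a password from the character classes it uses and checks whether exhausting that space would take longer than the rotation period:

```python
import math
import string

# Character classes used to estimate the search space an attacker must cover.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses."""
    size = 0
    for cls in CLASSES:
        if any(ch in cls for ch in password):
            size += len(cls)
    return size


def search_space(password: str) -> int:
    """Worst-case number of guesses for an attacker trying every combination of
    the used character classes at this length. This is a brute-force upper
    bound; dictionary and pattern attacks do far better against weak choices."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    return search_space(password) / guesses_per_second


def outlives_password(password: str, guesses_per_second: float,
                      rotation_days: int = 180) -> bool:
    """True when exhausting the search space takes longer than the rotation
    period (180 days matches the 'at least every six months' advice above), so
    the password becomes useless before the search can finish."""
    return seconds_to_exhaust(password, guesses_per_second) > rotation_days * 86400


if __name__ == "__main__":
    rate = 1e9  # assumed offline guessing rate in guesses per second (constructed)
    for pw in ("letmein", "jJjshnImn2", "I clean my Glock in the dishwasher."):
        days = seconds_to_exhaust(pw, rate) / 86400
        print(f"{pw!r:40} space=2^{math.log2(search_space(pw)):.0f} "
              f"days={days:.3g} outlives_rotation={outlives_password(pw, rate)}")
```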
Password Secrecy
Passwords are useless if they are disclosed to anyone other than their intended users.
Below is a list of methods to keep your passwords private.
• If you have a large number of passwords to remember, or you don't feel you can
remember the important ones, you can use your computer to assist you in storing
passwords. You can encrypt your password list under a strong master
password using reliable encryption software. Many password managers are
available for this purpose. For experienced users, GNU Privacy Guard and Pretty
Good Privacy are free for individual use. Ensure you know how to use encryption
properly; improper use of encryption technologies may defeat the whole purpose
of using encryption in the first place. Seek help from an encryption expert, or
purchase commercial encryption software, if you cannot reach that understanding
yourself. Do not store your encrypted passwords, or your encryption keys,
somewhere that another person may gain access to them.
• Refrain from using the same password on multiple systems, especially systems
that do not serve the same function. Never use passwords you use on Internet
forums, games, websites, or otherwise for any important password. It is trivial for
the owners of these systems to extract your passwords if they are willing.
• Never tell another person a password through e-mail, instant messenger clients,
chat rooms, forums or other shared environments. These conversations are almost
never entirely private. Do not tell someone your passwords over a cell phone or
cordless telephone, as these are insecure media for conversation and may
easily be monitored. If you must tell someone a password over a telephone land
line, make sure the party you are speaking with is the only listener. You may want
to validate that no additional parties are listening in by calling the original party
back on a number you know is owned by them.
• Do not use shared passwords unless it is entirely unavoidable. Passwords shared
between multiple users prevent you from determining which user performed which
actions.
• Of course, never tell your passwords to anyone. Once you tell someone else your
password, you no longer have control over who knows it. If you absolutely must
share your account access to a computer system, change the password to a new
one before sharing it, and change it back to its original form once the other
users have finished their work.
Two-Factor Authentication
The original password concept has been proven to be insecure. There have been cases
where passwords have been compromised without a user's knowledge, through coercion,
or because the user was conned into revealing it. The core problem with legacy passwords is
that it is very difficult or impossible for an administrator or a computer system to
differentiate between a legitimate user and an illegitimate user gaining access with the
same password. Because of this inherent flaw in the original password system, two-factor
authentication was invented.
There are two common methods of authentication when users use electronic components
for two-factor authentication: response-only and challenge-response systems.
Challenge-response systems require the user to enter a specific passphrase or PIN into the
electronic device first, before the device responds with the proper access credential data.
This variant is always considered two-factor authentication, since the user must provide
both "something they know" (the PIN) and use "something they have" (the electronic
device).
Both the response-only and challenge-response systems can be defeated if the user both
reveals the private information they keep secret, such as their username or PIN code, and
the attacker takes possession of the electronic device. Due to this weakness, the biological
factor was invented.
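The challenge-response exchange described above, as an added example (editor-supplied code, not from the original page): the token answers only after the PIN is presented, the device secret never leaves the token, and the server checks the answer against a fresh random challenge. The device secret, PIN and user record are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values for one hypothetical token and one server record.
DEVICE_SECRET = bytes.fromhex("0f" * 32)          # secret provisioned in the token
PIN_HASH = hashlib.sha256(b"4711").digest()       # PIN check held on the device
SERVER_RECORDS = {"alice": DEVICE_SECRET}         # server holds the same device secret


class Token:
    """'Something you have': computes a response only once the PIN unlocks it."""

    def __init__(self, secret: bytes, pin_hash: bytes) -> None:
        self._secret = secret
        self._pin_hash = pin_hash

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        # Factor 1, 'something you know': a wrong PIN yields no response at all.
        offered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(offered, self._pin_hash):
            return None
        # Factor 2: only the MAC over the challenge leaves the device, never the secret.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def new_challenge() -> bytes:
    # A fresh random challenge per login means a captured response cannot be replayed.
    return os.urandom(16)


def verify(user: str, challenge: bytes, response: Optional[bytes]) -> bool:
    secret = SERVER_RECORDS.get(user)
    if secret is None or response is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login(user: str, token: Token, pin: str) -> bool:
    """One complete round: server challenge, token response, server check."""
    challenge = new_challenge()
    return verify(user, challenge, token.respond(pin, challenge))
```

As the paragraph above notes, the PIN alone or the device alone is not enough to pass this check; only both together are.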
Biological factors have been in use for several decades, and have proven to be reliable
and secure ways to prevent unauthorized users from gaining access to secure systems or
environments, regardless of whether the passwords used have remained private. Systems monitor
fingerprints, eye retina patterns, weight, ambient temperature, and other biological signs
to determine the authenticity of the user requesting access. Movies have touted
methods of defeating these systems by cutting off body parts, using retinal masks, or
forcing legitimate users into bypassing the authentication mechanisms for the attacker.
These are largely Hollywood schemes and rarely work in the real world. In most cases
where this level of security is required, local or remote monitoring of entry points
through cameras and security personnel is common. Deadlock portals, remotely activated
magnetically controlled entranceways, and visual identification are the norm.
Many simple methods have been devised to defeat weakly designed biological factor
systems, so be sure you thoroughly test the security measures you plan to put in place
before implementation.
How do I Disable the Netgear Router Firewall?
In most cases, disabling the firewall on your Netgear router is a really bad idea. In fact, it
is such a bad idea that Netgear doesn't even make a button in their GUI that does this.
• Outbound Services: Allow all access from the inside to the outside.
• Inbound Services: Block all access from the outside to the inside, except
responses to requests from the inside.
To do this, type the router's address (the default is either 192.168.0.1 or 192.168.1.1) in
your Web browser.
Enter your username and password in the prompt that appears. The default username is
admin and the default password is password.
Add a new rule for Inbound Services with a service name of "ANY" and an action of
"ALLOW always."
Then, move your new rule up until it is the first rule in the Inbound Services section.
Finally, make certain that this rule is enabled by checking the Enable column.
Your Netgear Router firewall is now disabled and your internal network is now
completely unprotected and open to attack from the Internet.
What is RADIUS (Remote Authentication Dial In User Service)?
RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865, is a
protocol for remote user authentication and accounting.
When a user attempts to log in to a RADIUS client, such as a router, the router sends the
authentication request to the RADIUS server. The communication between the RADIUS
client and the RADIUS server is authenticated and encrypted through the use of a
shared secret, which is not transmitted over the network.
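How the shared secret protects RADIUS traffic without itself being sent, as an added example (editor-supplied code, not from the page or from GNU RADIUS; the secret, password, identifier and Request Authenticator are constructed values): the User-Password attribute is hidden with an MD5 keystream derived from the secret, and the Response Authenticator lets the client confirm that a reply came from a holder of the secret.

```python
import hashlib
import hmac


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2: pad to a multiple of 16
    bytes, then XOR each block with MD5(secret + previous block), where the
    'previous block' for the first block is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # the chain continues from the ciphertext block just produced
    return out


def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: rebuild the same keystream chain and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    over the reply. The client recomputes it to check that the reply came from a
    server holding the shared secret and matches its own request."""
    length = 20 + len(attributes)  # 20-byte header plus attributes
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def reply_is_authentic(code: int, ident: int, attributes: bytes, request_auth: bytes,
                       secret: bytes, received_auth: bytes) -> bool:
    expected = response_authenticator(code, ident, attributes, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)
```

Only the User-Password attribute is hidden this way, and the keystream is MD5-based, so production deployments carry RADIUS inside IPsec or RadSec (RADIUS over TLS, RFC 6614) rather than relying on the shared secret alone.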
The RADIUS server may store the authentication data locally, but it can also store
authentication data in an external SQL database or an external Unix /etc/passwd file.
The RADIUS server can also plug into a PAM (Pluggable Authentication Service)
architecture to retrieve authentication data.
The role of the RADIUS server as the centralized authentication server makes it an
excellent choice for also performing accounting.
RADIUS servers are available from many vendors. In addition, GNU RADIUS is an
excellent non-commercial option.
A: Very easy! You can change MAC address in six easy steps.
3) Type "M" to change MAC address, press enter.
4) Type your desired Ethernet address, press enter.
5) Press "Y" to change MAC address.
6) Press "E" and enter to reboot.
Q: I want to change MAC address, should I buy a SpeedDemon network card?
The OSI model was originally intended to describe a complete set of production network
protocols, but the cost and complexity of the government processes involved in defining
the OSI network made the project unviable. In the time that the OSI designers spent
arguing over who would be responsible for what, TCP/IP conquered the world.
Layer Name
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical
The easiest way to remember the layers of the OSI model is to use the handy mnemonic
"All People Seem To Need Data Processing".
The Presentation Layer of the OSI model is responsible for defining the syntax which two
network hosts use to communicate. Encryption and compression should be Presentation
Layer functions.
The Session Layer of the OSI model is responsible for establishing process-to-process
communications between networked hosts.
The Transport Layer of the OSI model is responsible for delivering messages between
networked hosts. The Transport Layer should be responsible for fragmentation and
reassembly.
The Network Layer of the OSI model is responsible for establishing paths for data
transfer through the network. Routers operate at the Network Layer.
The Data Link Layer of the OSI model is responsible for communications between
adjacent network nodes. Hubs and switches operate at the Data Link Layer.
The Physical Layer of the OSI model is responsible for bit-level transmission between
network nodes. The Physical Layer defines items such as: connector types, cable types,
voltages, and pin-outs.
The OSI model was created after many of today's protocols were already in production use.
These existing protocols, such as TCP/IP, were designed and built around the needs of
real users with real problems to solve. The OSI model was created by academicians for
academic purposes.
The OSI model is a very poor standard, but it's the only well-recognized standard we
have which describes networked applications.
The easiest way to deal with the OSI model is to map the real-world protocols to the
model, as well as they can be mapped.
The difficulty with this approach is that there is no general agreement as to which layer of
the OSI model to map any specific protocol. You could argue forever about what OSI
model layer SSH maps to.
TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Network Interface Layer
The most significant downside with the TCP/IP model is that if you reference it, fewer
people will know what you are talking about!
For a better description of why the OSI model should go the way of the dodo, disco, and
DivX, read Kill the Beast: Why the Seven-Layer Model Must Die