Monday, October 26, 2020

Basics of IPsec

IPsec

Internet Protocol Security

Internet Protocol Security (IPsec) is a suite of protocols that provides encryption and authentication for IP traffic. It was developed to ensure the integrity, confidentiality and authenticity of data communications over an IP network.

It is used for Virtual Private Networks (VPNs), for protecting application traffic without changing the applications, and for securing routing-protocol exchanges. It works by encrypting IP packets and authenticating the source from which the packets come.

In general, IPsec offers stronger security than older and vulnerable tunnelling protocols such as PPTP (Point-to-Point Tunneling Protocol).

IPsec has two modes of operation: transport mode and tunnel mode. In transport mode, the source and destination hosts perform all cryptographic operations themselves. Only the IP payload (the transport-layer segment) is protected; the original IP header is kept, with its protocol field changed to point at the IPsec header. This is the mode L2TP/IPsec VPNs use: L2TP carries the user traffic and IPsec in transport mode protects the L2TP packets between the two endpoints. Ciphertext is produced by the source host and recovered by the destination host, so this mode establishes end-to-end security.

In tunnel mode, security gateways (for example the firewalls or routers at the edge of two sites) perform the cryptographic processing on behalf of the hosts behind them. The whole original IP packet, header included, becomes the payload of a new IP packet whose header carries the gateway addresses, so this mode establishes gateway-to-gateway security and the hosts themselves need no IPsec configuration.
IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).

Advantages

  • IPsec security is applied at the network layer, so it does not depend on the applications used.
  • It offers confidentiality. Keys are negotiated with IKE (Internet Key Exchange), which uses public-key and Diffie-Hellman techniques to authenticate the peers and agree on the symmetric keys that then encrypt the traffic; the packets themselves are protected with symmetric ciphers.
  • It has no impact on the higher network layers and is transparent to applications.
IPSEC Tunnel

An Internet Protocol Security (IPsec) tunnel is built on a set of standards and protocols developed by the Internet Engineering Task Force (IETF) to support secure communication as packets travel from one IP address, across network borders, to another and back.

An IPsec tunnel allows the implementation of a virtual private network (VPN), which an organisation may use to securely extend its own network to remote sites, customers and stakeholders.

In tunnel mode, IPsec encrypts the entire original packet, IP header included, and prepends a new IP header addressed to the far gateway.

What can IPsec do for me?

  • Authentication of the peer and of each packet's origin (AH and ESP)
  • Integrity of each packet (AH and ESP)
  • Access control, through the security policy database that decides which traffic is protected, bypassed or discarded
  • Confidentiality (ESP only; AH authenticates but does not encrypt)
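Worked example of the transport/tunnel distinction and of the ESP anti-replay check, added here and not part of the original post. It is written in Python with only the standard library, so it uses ESP with NULL encryption (RFC 2410) and HMAC-SHA-256-128 integrity (RFC 4868) rather than a real cipher; the addresses, key and sample packet are constructed for the example, and the SA class, helper names and the simplified IPv4 header (zero checksum) are this example's own.

```python
import hmac
import hashlib
import struct

ESP_PROTO = 50          # IP protocol number for ESP (Encapsulating Security Payload)
IPPROTO_IPIP = 4        # Next Header value meaning "a whole IPv4 packet follows" (tunnel mode)
IPPROTO_UDP = 17
ICV_LEN = 16            # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits (RFC 4868)


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options. The checksum is left at zero
    because only the framing matters for this illustration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


class EspSa:
    """One direction of an ESP Security Association with NULL encryption (RFC 2410)
    and HMAC-SHA-256-128 integrity. The payload stays readable on the wire; the point
    is the ESP header/trailer, the transport/tunnel difference and anti-replay.
    A real SA would use a cipher such as AES-GCM as well."""

    def __init__(self, spi, key, mode, gw_src=None, gw_dst=None, window=64):
        assert mode in ("transport", "tunnel")
        self.spi, self.key, self.mode = spi, key, mode
        self.gw_src, self.gw_dst = gw_src, gw_dst       # outer addresses, tunnel mode only
        self.seq = 0                                    # sender: last sequence number used
        self.window, self.highest, self.seen = window, 0, set()  # receiver: anti-replay state

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()[:ICV_LEN]

    def protect(self, ip_packet: bytes) -> bytes:
        """Outbound processing: wrap one plaintext IPv4 packet in ESP."""
        self.seq += 1                                   # never repeats within an SA
        if self.mode == "tunnel":
            inner, next_hdr = ip_packet, IPPROTO_IPIP   # whole packet, original header included
            outer = bytearray(ipv4_header(self.gw_src, self.gw_dst, ESP_PROTO, 0))
        else:
            inner, next_hdr = ip_packet[20:], ip_packet[9]   # payload only, original header reused
            outer = bytearray(ip_packet[:20])
            outer[9] = ESP_PROTO
        pad_len = (-(len(inner) + 2)) % 4               # trailer must end on a 4-byte boundary
        trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
        esp = struct.pack("!II", self.spi, self.seq) + inner + trailer
        esp += self._icv(esp)                           # ICV covers header, payload and trailer
        outer[2:4] = struct.pack("!H", 20 + len(esp))
        return bytes(outer) + esp

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0 or seq in self.seen:
            return False
        return seq > self.highest or self.highest - seq < self.window

    def unprotect(self, pkt: bytes) -> bytes:
        """Inbound processing: replay check, ICV check, then strip ESP."""
        if pkt[9] != ESP_PROTO:
            raise ValueError("not an ESP packet")
        esp = pkt[20:]
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._replay_ok(seq):                    # cheap check first (RFC 4303 section 3.4.3)
            raise ValueError("replayed or too-old sequence number")
        if not hmac.compare_digest(icv, self._icv(body)):
            raise ValueError("bad ICV: packet modified or wrong key")
        self.seen.add(seq)                              # window advances only after the ICV passes
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if self.highest - s < self.window}
        pad_len, next_hdr = body[-2], body[-1]
        inner = body[8:len(body) - 2 - pad_len]
        if next_hdr == IPPROTO_IPIP:
            return inner                                # tunnel mode: the inner packet is complete
        hdr = bytearray(pkt[:20])                       # transport mode: restore protocol and length
        hdr[9] = next_hdr
        hdr[2:4] = struct.pack("!H", 20 + len(inner))
        return bytes(hdr) + inner


# Constructed sample traffic: a UDP packet from 10.0.0.5 to 10.1.0.7, and two gateways.
HOST_A, HOST_B = bytes([10, 0, 0, 5]), bytes([10, 1, 0, 7])
GW_A, GW_B = bytes([198, 51, 100, 1]), bytes([203, 0, 113, 1])
KEY = bytes(range(32))                                  # constructed key; IKE would negotiate it
PLAIN = ipv4_header(HOST_A, HOST_B, IPPROTO_UDP, 12) + b"hello world!"


def demo(mode: str):
    """Run one packet through an SA pair; returns (packet on the wire, recovered packet)."""
    sender = EspSa(0x1001, KEY, mode, GW_A, GW_B)
    receiver = EspSa(0x1001, KEY, mode)
    wire = sender.protect(PLAIN)
    return wire, receiver.unprotect(wire)


def is_rejected(sa: EspSa, pkt: bytes) -> bool:
    """True when the receiving SA drops the packet (replay, tampering, wrong SPI)."""
    try:
        sa.unprotect(pkt)
        return False
    except ValueError:
        return True
```

Comparing the two `demo` outputs shows the difference the text describes: in tunnel mode the outer header carries the gateway addresses and the whole original packet, header included, sits behind the ESP header; in transport mode the original header is kept and only its protocol field and length change. The receiver checks the sequence number before the ICV and advances the window only after the ICV verifies, which is the ordering RFC 4303 specifies.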

-DR


Tuesday, October 20, 2020

Basics of EVPN

Ethernet VPN (EVPN) is a standards-based technology that offers virtual multipoint bridged connectivity between different Layer 2 domains over an IP or IP/MPLS backbone network.

It is often described as the next-generation VPN technology.

  • EVPN is a multi-tenant, BGP-based control plane for Layer 2 (bridging) and Layer 3 (routing) VPNs.
  • It can be used with almost any data-plane encapsulation (MPLS, VXLAN and others).
  • EVPN can implement end-to-end bridging, integrated bridging and routing, or routing-only fabrics.
  • EVPN supports MAC and IP address mobility: a host can move between attachment points, the new location is advertised in BGP, and a sequence number lets every PE tell the newest advertisement from stale ones.
  • It is the unifying control plane used to deliver Layer 2 and Layer 3 VPNs in data centre and service provider networks.

There are two EVPN-based DCI (Data Centre Interconnect) deployment models detailed in this document:

• BGP-EVPN-based L2 extension

• BGP-EVPN-based L2 and L3 extension

The BGP-EVPN-based L2 and L3 extension DCI deployment model is designed for interconnecting BGP-EVPN-based (IP fabric) data centres by extending the control plane between sites.

Advantage:

  • With EVPN, service providers can meet growing demands for higher speeds, sophisticated QoS and guaranteed SLAs.
  • It helps with data centre interconnect, cloud and virtualisation services.
  • It supports high-availability (HA) designs such as multihoming a site to several PEs, so a single link or device failure does not break connectivity.

Control Plane:

The control plane is the part of a network that carries signalling traffic and is responsible for routing decisions. Control packets originate from a router or are destined to a router, whereas data-plane packets are simply forwarded through it. In EVPN the control plane is BGP, which distributes MAC and IP reachability between the PEs instead of relying on data-plane flooding and learning.

Functions of the control plane include building the forwarding tables; system configuration and management are commonly treated as a separate management plane.
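As an added example (not from the original post), here is a decoder for the EVPN Type-2 MAC/IP Advertisement route, the control-plane message that carries MAC and IP reachability and that EVPN's MAC mobility relies on (RFC 7432 sections 7.2 and 7.7). The sample route bytes are constructed for the example; the `MacTable` class and the function names are this example's own and model only the sequence-number rule, not the full tie-breaking of RFC 7432 section 15.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

EVPN_MAC_IP_ROUTE = 2        # Route Type 2: MAC/IP Advertisement (RFC 7432 section 7.2)


@dataclass
class MacIpRoute:
    rd: bytes                # 8-octet Route Distinguisher (identifies the MAC-VRF on the originating PE)
    esi: bytes               # 10-octet Ethernet Segment Identifier (all zero for single-homed hosts)
    eth_tag: int             # Ethernet Tag ID
    mac: str
    ip: Optional[str]        # absent, IPv4 or IPv6
    labels: List[int]        # raw 24-bit label fields: MPLS label << 4, or the VNI with VXLAN encapsulation


def parse_mac_ip_nlri(nlri: bytes) -> MacIpRoute:
    """Decode one EVPN NLRI: Route Type (1), Length (1), then the Type-2 route body."""
    rtype, length = nlri[0], nlri[1]
    if rtype != EVPN_MAC_IP_ROUTE:
        raise ValueError(f"not a MAC/IP Advertisement route (type {rtype})")
    body = nlri[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated NLRI")
    rd, esi = body[0:8], body[8:18]
    eth_tag = struct.unpack("!I", body[18:22])[0]
    if body[22] != 48:                                   # MAC Address Length is given in bits
        raise ValueError("unexpected MAC length")
    mac = body[23:29].hex(":")
    off = 29
    ip_len = body[off]
    off += 1
    if ip_len == 0:
        ip = None
    elif ip_len in (32, 128):
        size = ip_len // 8
        ip = str(ipaddress.ip_address(body[off:off + size]))
        off += size
    else:
        raise ValueError("bad IP Address Length")
    labels = []
    while off < length:                                  # MPLS Label1, optionally Label2
        labels.append(int.from_bytes(body[off:off + 3], "big"))
        off += 3
    if len(labels) not in (1, 2):
        raise ValueError("expected one or two labels")
    return MacIpRoute(rd, esi, eth_tag, mac, ip, labels)


def parse_mac_mobility(ext_community: bytes):
    """MAC Mobility extended community (RFC 7432 section 7.7): Type 0x06, Sub-Type 0x00,
    Flags (low-order bit = sticky/static MAC), Reserved, 4-octet Sequence Number."""
    t, st, flags, _reserved, seq = struct.unpack("!BBBBI", ext_community)
    if (t, st) != (0x06, 0x00):
        raise ValueError("not a MAC Mobility extended community")
    return bool(flags & 0x01), seq


class MacTable:
    """What a PE does with received Type-2 routes for one EVI: a MAC move is accepted
    only when the new advertisement carries a higher mobility sequence number."""

    def __init__(self):
        self.entries = {}   # (eth_tag, mac) -> {"pe", "seq", "sticky", "ip"}

    def learn(self, pe: str, route: MacIpRoute, seq: int = 0, sticky: bool = False) -> str:
        key = (route.eth_tag, route.mac)
        entry = {"pe": pe, "seq": seq, "sticky": sticky, "ip": route.ip}
        cur = self.entries.get(key)
        if cur is None:
            self.entries[key] = entry
            return "learned"
        if cur["pe"] == pe:
            cur["seq"], cur["ip"] = max(cur["seq"], seq), route.ip
            return "refreshed"
        if cur["sticky"]:
            return "rejected: sticky/static MAC does not move"
        if seq <= cur["seq"]:
            return "rejected: stale sequence number (possible replay or MAC spoofing)"
        self.entries[key] = entry
        return f"moved from {cur['pe']} to {pe}"


def sample_nlri() -> bytes:
    """Constructed route: RD 65000:100, single-homed host 00:11:22:33:44:55 / 10.0.0.5,
    MPLS label 1000 (stored as 1000 << 4 in the 3-octet label field)."""
    body = (b"\x00\x00" + (65000).to_bytes(2, "big") + (100).to_bytes(4, "big")   # RD, type 0
            + bytes(10)                                                           # ESI
            + (0).to_bytes(4, "big")                                              # Ethernet Tag
            + bytes([48]) + bytes.fromhex("001122334455")                         # MAC length, MAC
            + bytes([32]) + ipaddress.IPv4Address("10.0.0.5").packed              # IP length, IP
            + (1000 << 4).to_bytes(3, "big"))                                     # MPLS Label1
    return bytes([EVPN_MAC_IP_ROUTE, len(body)]) + body
```

Running a route from a second PE with the same sequence number through `MacTable.learn` is rejected, which is what stops a stale or spoofed advertisement from hijacking a MAC; the mover has to present a higher sequence number, and a sticky MAC never moves at all.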

-DR

Tuesday, October 13, 2020

Basics of VXLAN

VXLAN 

Virtual Extensible LAN protocol

Virtual Extensible LAN (VXLAN) is a network virtualisation technology that addresses the scalability problems of large cloud computing and enterprise networks.

VXLAN lets you segment the network as VLANs do, but it provides benefits that VLANs cannot.

A conventional VLAN ID is 12 bits, which allows at most 4094 usable VLANs, whereas the 24-bit VXLAN Network Identifier (VNI) allows roughly 16 million segments.

VXLAN extends Layer 2 networks across a Layer 3 infrastructure by means of MAC-in-UDP encapsulation and tunnelling between VXLAN Tunnel End Points (VTEPs). This Layer 2 extension enables flexible workload placement.

Virtualised hosts in data centres are increasingly adopting VXLAN.

Benefits

  • Increased scalability.
  • Improved network utilisation, because the underlay can use all equal-cost Layer 3 paths.
  • VXLAN is standards-based and is defined in RFC 7348, so you are not locked into a specific vendor/OEM when you ask for VXLAN.
  • VXLAN can deliver millions of Layer 2 segments and enables the network to handle massive traffic loads in cloud and multi-tenant environments, while providing the same isolation and segmentation as older VLANs. Note that VXLAN itself adds no encryption or authentication: tenant isolation rests on the VNI alone, so the underlay and the VTEPs must be trusted, or the tunnels protected with something like IPsec.
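To make the MAC-in-UDP encapsulation concrete, this added example (not from the original post) builds and checks VXLAN datagrams with Python's standard library, following the header layout of RFC 7348. The sample Ethernet frame and VNI are constructed; the function names are this example's own.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789          # IANA-assigned destination port (RFC 7348)
VXLAN_FLAG_I = 0x08            # "VNI present"; the only flag RFC 7348 defines
MAX_VNI = (1 << 24) - 1        # 24-bit VNI: 16,777,215 segments, against 4094 VLANs


def vni_fits(vni: int) -> bool:
    return 0 <= vni <= MAX_VNI


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not vni_fits(vni):
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def entropy_port(frame: bytes) -> int:
    """RFC 7348 recommends deriving the UDP source port from a hash of the inner headers so
    that ECMP in the underlay spreads one tunnel's flows; use the dynamic range 49152-65535."""
    return 49152 + (zlib.crc32(frame[:14]) % 16384)


def encapsulate(frame: bytes, vni: int) -> bytes:
    """MAC-in-UDP: UDP header + VXLAN header + the original Ethernet frame (FCS stripped).
    The outer IP header addressed to the remote VTEP is omitted here."""
    payload = vxlan_header(vni) + frame
    udp = struct.pack("!HHHH", entropy_port(frame), VXLAN_UDP_PORT, 8 + len(payload), 0)
    return udp + payload


def decapsulate(datagram: bytes, local_vni: int) -> bytes:
    """The receive-side VTEP check. Nothing in the header is encrypted or authenticated:
    anyone who can inject UDP/4789 into the underlay and guess a VNI lands in that segment."""
    _sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if dport != VXLAN_UDP_PORT or length != len(datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    if not datagram[8] & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    # bytes 9-11 and 15 are reserved: zero on transmit, ignored on receipt
    vni = int.from_bytes(datagram[12:15], "big")
    if vni != local_vni:
        raise ValueError(f"VNI {vni} is not this tenant's segment; frame dropped")
    return datagram[16:]


def rejected(datagram: bytes, local_vni: int) -> bool:
    try:
        decapsulate(datagram, local_vni)
        return False
    except ValueError:
        return True


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + ethertype.to_bytes(2, "big") + payload)


# Constructed sample: a frame from a tenant VM, carried in VNI 5001
SAMPLE_FRAME = ethernet_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", 0x0800, b"inner-ip-packet")
```

The `decapsulate` check is all that separates tenants: a frame arriving with another tenant's VNI is simply dropped, which is why the VNI must not be guessable from an untrusted network and why the underlay must be closed to outside UDP/4789 traffic.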

-DR

Monday, October 12, 2020

Basics of DHCP

Dynamic Host Configuration Protocol (DHCP) is a service in which a server allocates an IP address, and related settings, to a client upon the client's request.

DHCP requires three components to work:

  • DHCP Server
  • DHCP Client
  • DHCP Protocol

Dynamic allocation hands out addresses from a predefined scope (pool) of addresses, for a specific length of time, to the devices on a network.

DHCP server: A device running the DHCP service that holds the IP addresses and related configuration information (subnet mask, default gateway, DNS servers).

DHCP client: The host that receives configuration information from a DHCP server. This can be any computer or mobile device that requires connectivity to the network.

IP address pool: The range of addresses available to DHCP clients. Addresses are typically handed out in order from lowest to highest, though this depends on the server implementation.

Lease: The length of time for which a DHCP client may hold the IP address information. The client normally tries to renew the lease when half of it has elapsed; if renewal never succeeds and the lease expires, the client must stop using the address.

DHCP relay: A router or host that listens for client messages broadcast on its network and forwards them to a configured server, inserting its own address in the giaddr field so the server knows which subnet to allocate from. The server sends responses back to the relay agent, which passes them along to the client. This allows DHCP servers to be centralised instead of having one on each subnet.

The DHCP protocol: It enables hosts in a TCP/IP network to be configured automatically for the network when they boot, through the DISCOVER, OFFER, REQUEST and ACK exchange.

Benefits

  • Reduced IP conflicts
  • Systematic IP address management
  • Enables a centralised client-server architecture
  • A DHCP server can process many client requests simultaneously (for example with multithreading), so it supports large network operations.

In computer science, multithreading is the capability of a CPU, or of a program running on it, to run multiple threads of execution concurrently.

Cons

  • DHCP has no mechanism for authenticating clients or servers. A host can obtain addresses it is not entitled to by presenting identifiers, such as client identifiers or hardware addresses, that belong to other DHCP clients (or exhaust the pool by presenting many of them), and a rogue server on the same segment can hand clients a malicious gateway or DNS server. Switch-level DHCP snooping is the usual mitigation.
  • DHCP discovery uses broadcast, which routers do not forward, so a DHCP relay agent is needed whenever the server is on a different subnet from the clients.
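Added example, not part of the original post: a minimal DHCP message builder and parser (RFC 2131 layout) plus the checks a switch performs under DHCP snooping, which is the usual mitigation for the authentication gap described above. Messages, MAC addresses and lease values are constructed for the example; `Snooper` and the other names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CLIENT_ID, OPT_END = 51, 53, 54, 61, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}


@dataclass
class DhcpMessage:
    op: int
    hops: int
    xid: int
    yiaddr: bytes            # "your" address: the lease being offered/acknowledged
    giaddr: bytes            # relay agent address, zero when no relay is involved
    chaddr: bytes            # client hardware address
    options: Dict[int, bytes]

    @property
    def msg_type(self) -> str:
        return MSG_TYPES.get(self.options.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")


def build(op: int, xid: int, chaddr: bytes, options: List[Tuple[int, bytes]],
          yiaddr: bytes = bytes(4), giaddr: bytes = bytes(4), hops: int = 0) -> bytes:
    """Fixed 236-byte BOOTP header, magic cookie, then TLV options ending in 255."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, 0x8000)   # htype 1 = Ethernet, broadcast flag
    fixed += bytes(4) + yiaddr + bytes(4) + giaddr                    # ciaddr, yiaddr, siaddr, giaddr
    fixed += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)       # chaddr, sname, file
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options) + bytes([OPT_END])
    return fixed + DHCP_MAGIC + opts


def parse(pkt: bytes) -> DhcpMessage:
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                                   # pad option has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return DhcpMessage(op, hops, xid, pkt[16:20], pkt[24:28], pkt[28:28 + hlen], options)


class Snooper:
    """DHCP snooping as a switch implements it: server messages are accepted only on trusted
    ports, client messages on untrusted ports must carry the port's real source MAC, and
    leases seen in ACKs build a binding table that IP source guard and dynamic ARP
    inspection can later check against."""

    def __init__(self):
        self.bindings: Dict[bytes, dict] = {}

    def inspect(self, pkt: bytes, src_mac: bytes, port_trusted: bool) -> str:
        m = parse(pkt)
        if m.op == BOOTREPLY:
            if not port_trusted:
                return f"DROP {m.msg_type}: server reply on untrusted port (rogue DHCP server)"
            if m.msg_type == "ACK":
                lease = int.from_bytes(m.options.get(OPT_LEASE_TIME, bytes(4)), "big")
                self.bindings[m.chaddr] = {"ip": m.yiaddr, "lease": lease}
            return f"FORWARD {m.msg_type}"
        if not port_trusted and m.chaddr != src_mac:
            return f"DROP {m.msg_type}: chaddr does not match source MAC (spoofing/starvation)"
        if not port_trusted and m.giaddr != bytes(4):
            return f"DROP {m.msg_type}: relay agent address set by an untrusted host"
        return f"FORWARD {m.msg_type}"
```

The `chaddr`/source-MAC comparison is what defeats a starvation attack that requests a lease per forged hardware address, and the trusted-port rule is what stops a rogue server; neither is a property of DHCP itself, which is why the switch has to enforce them.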

-DR

Saturday, October 10, 2020

Basics of DNS

DNS 

Domain Name System

The Domain Name System (DNS) is a hierarchical naming system for computers, services and other resources connected to the Internet or a private network. It associates various information with the domain names assigned to each of the participating systems.

It is implemented as a distributed database and uses the client-server model.

Windows networks also use DNS for name resolution. DNS is a hierarchical system based on a tree structure named the DNS namespace.

Every DNS namespace has a root, which can have any number of subdomains. The root label is the empty string. Every node in the DNS namespace has a specific name by which it can be identified, called a fully qualified domain name (FQDN). The dot is the standard separator between domain labels. The dot also separates the root from the subdomains; end users usually omit this trailing dot and the DNS client service adds it automatically during a query. Top-level domains fall into three groups: organisational (generic) TLDs such as .com and .org, geographical (country-code) TLDs such as .uk and .in, and the reverse-mapping domains in-addr.arpa and ip6.arpa.

Network administrators create two types of zones in DNS: forward and reverse lookup zones.

  • In a forward lookup zone the FQDN is mapped to an IP address (A and AAAA records); this is the conventional zone.
  • In a reverse lookup zone the IP address is mapped to an FQDN (PTR records under in-addr.arpa or ip6.arpa).

FQDN

A Fully Qualified Domain Name is the complete domain name of a system. It comprises the hostname and the domain name, for example www.example.com.



An FQDN designates the specific location of an object within the DNS hierarchy and communicates the host's position relative to the root of the DNS namespace. An FQDN enables each entity connected to the internet (computer, server, etc.) to be uniquely identified and located.

Generally, an FQDN is required to make a computer, device or resource accessible on the internet. However, defining an FQDN on the local system is not sufficient to bring it online: you also need to create the corresponding DNS record on the authoritative server so that resolvers can find the address of that device.
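An added example (not from the original post) that makes the namespace and zone concepts above concrete in Python: normalising names to FQDNs, deriving the reverse-zone name of an address, converting names to and from DNS wire format, and building a forward and a reverse zone from one host table. The host table is constructed; the function names are this example's own.

```python
import ipaddress
from typing import Dict, List, Tuple

MAX_LABEL, MAX_NAME = 63, 255       # RFC 1035 limits


def to_fqdn(name: str) -> str:
    """Normalise to a fully qualified, lower-case name ending in the root label (the dot)."""
    name = name.strip().lower().rstrip(".")
    return name + "." if name else "."


def labels(name: str) -> List[str]:
    return [lab for lab in to_fqdn(name).split(".") if lab]


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record in the reverse zone: octets reversed under in-addr.arpa,
    or all 32 nibbles reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        parts = reversed(str(addr).split("."))
        suffix = ".in-addr.arpa."
    else:
        parts = reversed(addr.exploded.replace(":", ""))
        suffix = ".ip6.arpa."
    return ".".join(parts) + suffix


def matches_stdlib(ip: str) -> bool:
    """Cross-check against the standard library's own reverse_pointer attribute."""
    return reverse_name(ip) == ipaddress.ip_address(ip).reverse_pointer + "."


def encode_name(name: str) -> bytes:
    """Wire format: each label length-prefixed, terminated by the zero-length root label."""
    out = b""
    for lab in labels(name):
        raw = lab.encode("ascii")           # IDNA conversion is out of scope here
        if not raw or len(raw) > MAX_LABEL:
            raise ValueError(f"label too long or empty: {lab!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > MAX_NAME:
        raise ValueError("name exceeds 255 octets")
    return out


def decode_name(buf: bytes, offset: int = 0) -> Tuple[str, int]:
    """Inverse of encode_name; returns the FQDN and the offset just after it.
    Compression pointers (top two bits set) are rejected so a crafted packet cannot loop."""
    parts = []
    while True:
        ln = buf[offset]
        offset += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not supported here")
        parts.append(buf[offset:offset + ln].decode("ascii"))
        offset += ln
    return ".".join(parts) + ".", offset


def make_zones(hosts: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Forward zone (FQDN -> address, as A/AAAA records) and reverse zone (PTR owner -> FQDN)."""
    forward = {to_fqdn(host): ip for host, ip in hosts.items()}
    reverse = {reverse_name(ip): fqdn for fqdn, ip in forward.items()}
    return forward, reverse


# Constructed host table for the example zone (documentation addresses)
HOSTS = {"www.example.com": "192.0.2.10", "Mail.Example.com": "2001:db8::25"}
FORWARD, REVERSE = make_zones(HOSTS)
```

A practical point the wire-format functions show: every label is length-prefixed and the root is the empty label, so a name is never parsed by searching for dots, and a parser that follows compression pointers without a bound can be sent in circles by a hostile response.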


-DR




Friday, October 9, 2020

Basics of Web Application Firewall

WAF

Web Application Firewall Basics

Web application firewalls (WAFs) are built to protect web applications by applying a set of rules to each HTTP exchange. These rules aim to cover vulnerabilities in the application by filtering out malicious requests. This differs from a standard network firewall, which works on addresses and ports rather than on the content of the HTTP messages.

A WAF protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

Because applications are online, they have to keep certain ports open to the Internet. This means attackers can attempt application-specific attacks against the application and its database, such as cross-site scripting (XSS), SQL injection, file inclusion and cross-site request forgery (CSRF).

While proxy firewalls generally protect clients, WAFs protect servers. Many WAFs, especially cloud-based ones, also help against application-layer denial-of-service attacks by rate-limiting and challenging abusive clients and by identifying the sources of the attack; absorbing volumetric DDoS traffic is a property of the provider's network capacity rather than of the WAF rules themselves.

By deploying a WAF in front of a web application, a safeguard is placed between the web application and the Internet. While a forward proxy protects a client machine's identity by acting as an intermediary, a WAF is a type of reverse proxy: it protects the server from direct exposure by having clients pass through the WAF before reaching the server.

It can be implemented in three different ways:

  • Network-based (hardware) WAF: a dedicated appliance close to the application, with low latency but higher cost and maintenance.
  • Host-based (software) WAF: a module or library on the application server itself, such as a web server plugin, which is cheaper but consumes the server's own resources.
  • Cloud-based WAF: provided as a service, usually by changing DNS so that traffic passes through the provider; easy to deploy, at the cost of routing all traffic through a third party.
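The following added example (not part of the original post, and not any WAF product's rule set) shows how a rule-based WAF inspects one HTTP exchange in Python: it normalises each request field, applies signature rules for the attack classes named above, and applies an allow-list to a parameter with a known format. The rules, sample requests and names are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Negative-security rules: signatures of the attack classes discussed above (illustrative, not complete).
RULES: List[Tuple[str, re.Pattern]] = [
    ("sqli", re.compile(r"(?i)(\bunion\b[\s/*]+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table|--\s*$)")),
    ("xss",  re.compile(r"(?i)(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=)")),
    ("lfi",  re.compile(r"(\.\./|\.\.\\|/etc/passwd|php://|file://)")),
]
# Positive-security rules: what a well-formed value for a known parameter looks like.
ALLOWLIST: Dict[str, re.Pattern] = {"query:id": re.compile(r"^\d{1,10}$")}


def normalise(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so double encoding such as
    %253Cscript%253E cannot slip past the signatures; also fold + to space."""
    for _ in range(rounds):
        decoded = unquote(value.replace("+", " "))
        if decoded == value:
            break
        value = decoded
    return value


def fields_of(method: str, target: str, headers: Dict[str, str], body: str) -> List[Tuple[str, str]]:
    """Every place attacker-controlled input can arrive: path, query, form body, selected headers."""
    parts = urlsplit(target)
    fields = [("path", parts.path)]
    fields += [("query:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if method == "POST":
        fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    fields += [("header:" + k.lower(), v) for k, v in headers.items()
               if k.lower() in ("user-agent", "referer", "cookie")]
    return fields


def inspect(method: str, target: str, headers: Dict[str, str], body: str = "") -> Tuple[str, Optional[str]]:
    """Return ("block", reason) or ("allow", None) for one HTTP request."""
    for where, raw in fields_of(method, target, headers, body):
        value = normalise(raw)
        if where in ALLOWLIST and not ALLOWLIST[where].fullmatch(value):
            return "block", f"{where} violates allow-list"
        for name, rx in RULES:
            if rx.search(value):
                return "block", f"{name} signature in {where}"
    return "allow", None
```

Two design points carry over to real deployments: decode before matching, or encoding alone bypasses every signature; and prefer the allow-list form wherever a parameter's format is known, because signature lists are always incomplete and are the part attackers spend their time evading.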

-DR

Basics of PPP

PPP

Point to Point Protocol

PPP is a data-link-layer communication protocol used to transmit multi-protocol data between two directly connected (point-to-point) computers.

It is used on point-to-point links, is standardised in RFC 1661 and is one of the WAN (wide area network) protocols.

When PPP is used on a link, it negotiates parameters with the other side of the link. PPP negotiation involves three phases: LCP, authentication and NCP.

It has three main components:

  • A method for encapsulating multi-protocol datagrams.
  • A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
  • A family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.
PPP uses HDLC as a basis for encapsulating datagrams over point-to-point links.

PPP has its own security mechanisms that can be used to authenticate connection requests, allowing an implementation to protect the device from unauthorised use. The mechanisms PPP supports are the Password Authentication Protocol (PAP, RFC 1334), which sends the username and password in clear text and should be avoided, and the Challenge Handshake Authentication Protocol (CHAP, RFC 1994), in which the authenticator sends a random challenge and the peer answers with an MD5 hash of the identifier, the shared secret and the challenge, so the secret itself never crosses the link.

High-Level Data Link Control (HDLC) is a bit-oriented, code-transparent, synchronous data-link-layer protocol. It offers both connection-oriented and connectionless service.
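Added example (not from the original post): the CHAP challenge-handshake of RFC 1994 and, for contrast, the PAP request of RFC 1334, in Python. Packet layouts follow the RFCs; the authenticator class, the secrets database and the names are this example's own.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple

CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response packet: Code, Identifier, Length, Value-Size, Value, Name (RFC 1994 4.1)."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        raise ValueError("malformed CHAP Challenge/Response packet")
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || Challenge). Only this hash crosses the link."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """The server side. Challenges are random and single-use, so a captured Response cannot
    be replayed. What remains weak: the authenticator must hold every peer's secret in clear
    text, and an eavesdropper who captures a challenge/response pair can guess weak secrets offline."""

    def __init__(self, secrets_db: Dict[bytes, bytes]):
        self.secrets, self.pending, self.next_id = secrets_db, {}, 0

    def challenge(self) -> bytes:
        ident = self.next_id
        self.next_id = (ident + 1) % 256                 # Identifier changes for every challenge
        self.pending[ident] = secrets.token_bytes(16)   # CSPRNG, never reused
        return chap_packet(CHAP_CHALLENGE, ident, self.pending[ident], b"access-server")

    def verify(self, response_pkt: bytes) -> bool:
        code, ident, value, name = parse_chap(response_pkt)
        chal = self.pending.pop(ident, None)             # consumed whether or not it verifies
        secret = self.secrets.get(name)
        if code != CHAP_RESPONSE or chal is None or secret is None:
            return False
        return hmac.compare_digest(value, chap_response(ident, secret, chal))


def chap_peer_reply(challenge_pkt: bytes, name: bytes, secret: bytes) -> bytes:
    """The client side: hash the challenge with its secret and send the hash plus its name."""
    _code, ident, chal, _server_name = parse_chap(challenge_pkt)
    return chap_packet(CHAP_RESPONSE, ident, chap_response(ident, secret, chal), name)


def pap_request(ident: int, name: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334 2.2.1): the password is sent exactly as typed."""
    body = bytes([len(name)]) + name + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body
```

Comparing `pap_request` with `chap_peer_reply` on the wire makes the difference visible: the PAP packet contains the password, the CHAP packet only a 16-byte digest tied to one challenge. Modern links should still prefer EAP-based methods, since CHAP's MD5 and clear-text secret storage are its remaining weaknesses.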

-DR

Tuesday, October 6, 2020

Basics of IPV6

IPV6

Internet Protocol Version 6

IPv6 was created by the Internet Engineering Task Force (IETF), an international group that develops technical standards for the Internet. The core specification of the IPv6 protocol was first published in 1995 as RFC 1883 and has seen a number of enhancements and updates since then. It formally became a full Internet Standard in 2017 (RFC 8200).

An Internet Protocol version 6 address (IPv6 address) is a numerical address used to identify a network interface of a computer participating in an IPv6 network. IP addresses are included in the packet header to indicate the source and the destination of each packet.

The destination IP address is used to make routing decisions when forwarding IP packets to other networks. IPv6 is the successor to IPv4, the first addressing infrastructure of the Internet.

IPv4 address: 32 bits

IPv6 address: 128 bits

Unicast address: identifies a single network interface. A packet sent to a unicast address is delivered to the interface identified by that address.

Multicast address: used by a group of hosts, each of which joins the multicast destination address. A packet sent to a multicast address is delivered to all interfaces that have joined that address.

Anycast address: allocated to a group of interfaces, usually on different nodes. A packet sent to an anycast address is delivered to only one member interface, normally the nearest one in routing terms.

IPv6 Address Format (Unicast)

  Field                  Bits
  Routing prefix         48 or more
  Subnet ID              16 or fewer
  Interface identifier   64



IPv6 Address Format (Multicast)

Multicast addresses in IPv6 use the prefix ff00::/8.

  Field      Bits
  Prefix     8
  Flags      4
  Scope      4
  Group ID   112



An IPv6 address is written as eight groups of four hexadecimal digits separated by colons, each group representing 16 bits. Leading zeros within a group may be dropped, and one run of consecutive all-zero groups may be replaced by "::".

An example of an IPv6 address (the prefix 2001:db8::/32 is reserved for documentation):
2001:0db8:85a3:0000:0000:8a2e:0370:7334, written compactly as 2001:db8:85a3::8a2e:370:7334

IPv6 uses 128-bit addresses instead of the 32-bit addresses of IPv4, allowing a substantially larger number of possible addresses. With each bit either 0 or 1, this theoretically allows 2^128 combinations, about 340 trillion trillion trillion (3.4 x 10^38) addresses. By contrast, IPv4 permits 2^32 combinations, a maximum of approximately 4.3 billion addresses.

The key difference between IPv4 and IPv6 is the much larger address space.

The extended address size of IPv6 provides the trillions of new Internet addresses needed to support connectivity for a wide range of new devices.
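As an added example (not from the original post), the following Python decodes an address into the fields of the two tables above using the standard `ipaddress` module: multicast flags and scope for ff00::/8, and routing prefix, subnet ID and interface identifier otherwise. The scope table and the function names are this example's own.

```python
import ipaddress
from typing import Optional

# Multicast scope values (RFC 4291 section 2.7)
MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def mac_from_eui64(iid: bytes) -> Optional[str]:
    """A modified-EUI-64 interface identifier has ff:fe in the middle and the
    universal/local bit flipped. Recovering the MAC shows why privacy extensions
    (RFC 8981) exist: such an address identifies the hardware across networks."""
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return mac.hex(":")


def describe(address: str) -> dict:
    """Split an IPv6 address into the fields of the unicast or multicast format."""
    a = ipaddress.IPv6Address(address)
    raw = a.packed
    info = {"compressed": a.compressed, "exploded": a.exploded}
    if raw[0] == 0xFF:                                   # ff00::/8: 8-bit prefix, 4-bit flags, 4-bit scope
        flags, scope = raw[1] >> 4, raw[1] & 0xF
        info.update(
            kind="multicast",
            flags={"T": bool(flags & 1), "P": bool(flags & 2), "R": bool(flags & 4)},   # 0RPT
            scope=MCAST_SCOPES.get(scope, f"reserved/unassigned ({scope:#x})"),
            group_id=int.from_bytes(raw[2:], "big"),      # remaining 112 bits
        )
    else:                                                # 48-bit prefix, 16-bit subnet, 64-bit IID
        prefix, subnet, iid = raw[:6], raw[6:8], raw[8:]
        info.update(
            kind="unicast (an anycast address is syntactically identical)",
            routing_prefix=str(ipaddress.IPv6Network((prefix + bytes(10), 48))),
            subnet_id=int.from_bytes(subnet, "big"),
            interface_id=iid.hex(":", 2),
            mac_from_eui64=mac_from_eui64(iid),
            link_local=a.is_link_local,
            global_unicast=a.is_global,
        )
    return info
```

The `mac_from_eui64` field is the practical takeaway: a host that auto-configures its interface identifier from its MAC address publishes that MAC in every packet, which is why operating systems now default to randomised or temporary identifiers.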

Features of IPV6
  • New Header format
  • Larger address space
  • Stateful and Stateless address configuration
  • IPsec support built into the base specification (the AH and ESP extension headers)
  • Prioritised traffic delivery based on the Traffic Class field and the flow label
  • Can be extended with new headers with new features 

-DR

Basics of WAN

WAN

Wide Area Network

A wide area network (WAN) is a geographically distributed private large network that interconnects multiple local area networks (LANs). In an enterprise or corporate, a WAN may consist of connections to a company's headquarters, branch offices, co-location facilities, cloud services and other facilities.

It differs from a LAN in distance: a LAN covers a single geographic area or site, whereas a WAN spans several geographic areas.

Today WAN technology is implemented at the country and state level.

The primary component of a WAN is the transmission medium, which the service provider supplies, whether leased lines or fibre-optic cable, to connect the sites with each other. The network may be circuit-switched or packet-switched.

A wide area network is a telecommunications network that can connect multiple devices from multiple locations across the globe. It can be thought of as a combination of LANs and other networks.

It is used for day-to-day business needs and for organisations with many branch offices.

Types of WAN Technologies:

A WAN depends on various technologies, as listed below:

  • Packet switching
  • Routers
  • Frame Relay
  • TCP/IP
  • SONET/SDH
  • MPLS
  • ATM

Organisations commonly connect their LANs into a WAN by using a leased line, a dedicated network connection rented from a large network provider or ISP.

Basic WAN circuit types and their connection speeds:
  • Digital Signal (DS0): 64Kbps
  • T1: 1.544Mbps
  • E1: 2.048Mbps
  • T3: 44.736Mbps
  • OC-3: 155.52Mbps
  • OC-12: 622.08Mbps
  • OC-48: 2488.32Mbps 

Commonly used WAN protocols include Frame Relay, ISDN, LAPD, HDLC, PPP, PPPoE, cable, DSL, MPLS and ATM.



Network Design Considerations

Some key considerations when designing a network are listed below:
  • Internet speed and bandwidth
  • Power Requirement
  • Security and standards
  • Scalability & Reliability
  • Redundancy and Availability
  • Feature and Functionality
  • Connectivity Model
  • ICT devices and Infrastructure
  • Monitoring and Control
  • Troubleshooting & Fault repair
  • Cost and Business Model

 -DR

 

Monday, October 5, 2020

Computer Servers | Part-1

Computer Server

A server is a computer or device that offers resources, data, services, or programs to other computers in a network.

A client is a computer or device that depends on the server. It sends requests to the server over a network and receives responses from it in the form of data and information.

There are various types of server, based on their operational role, as listed below:

  • File Servers
  • Print Servers
  • Application Servers
  • Database servers
  • Web Servers
  • DNS Servers
  • Mail Servers
  • Virtual Servers
  • Proxy Servers
  • Management Server

Server hardware has changed considerably over time. Several types of server hardware are available:

  • Mainframe Server
  • Blade Server
  • Rack Server
  • Tower Server
  • Hypervisor or virtual server


A server has the same basic components as any computer system: operating system, RAM, storage (HDD/SSD), CPU, motherboard, graphics card, network card, etc.

Some server operating systems: Unix, Ubuntu, RHEL, CentOS, Solaris, Windows Server 2012, Windows Server 2019, etc.

The most frequently used server types are described below:

Application Server: 

An application server is a server designed to run IT and business applications. Application servers often run resource-intensive applications that are shared by a large number of users.

Web Server:

A web server processes requests from client systems or users over the Internet and returns responses. It speaks HTTP, normally over TLS as HTTPS, and its primary function is to store, process and deliver web pages to users.

Database Server:

A database server runs database software such as Oracle or SQL Server in the back end, within a restricted network zone. These are high-powered machines that store all the structured data and manage it, including its backups. The data used by the application server is stored in the database server, which works in a client-server model.

Email Server:

An email server, or simply a mail server, is an application or computer in a network whose main purpose is to act as a virtual post office. The server stores incoming email for delivery to local users and sends outgoing messages. It uses a client-server model, sending and receiving mail between servers with the Simple Mail Transfer Protocol (SMTP); clients usually retrieve their mail over IMAP or POP3.

DHCP Server:

A DHCP Server is a network server that automatically provides and assigns IP addresses, default gateways and other network parameters to client devices.

DNS Server:

When users type domain names into the URL bar in their browser, DNS servers are responsible for translating those domain names to numeric IP addresses, leading them to the correct website.

NTP Server:

Network Time Protocol (NTP) is an Internet protocol used to synchronise computer clocks with time sources on a network; an NTP server is a system dedicated to serving accurate time to the other systems.

Proxy Server:

A proxy server is a computer that accepts incoming requests from clients and forwards those requests to the destination server on their behalf.

That covers the basics of servers; see the further reading to learn more. Thanks!

-DR

Network Scanning Tools

Network Scanning through Nmap and Nessus Network scanning is a process used to troubleshoot active devices on a network for vulnerabilities....