TCP/IP Model (Internet Protocol Suite) | Network Fundamentals Part 6
You’ve seen the OSI model, now see the TCP/IP model! It started as a competitor but has grown into a suite of commonly used protocols. It has gained popularity over OSI in a practical sense, as it was quick to standardize. The OSI model was slower and missed out. We’re going to look at the four (or is it five?) layers of the TCP/IP model, and see how they contrast to OSI. The answers to the quiz questions, a must for CCENT and CCNA candidates, can be found at:
We’re not all security experts, but we still need to be aware of security itself, in order to protect ourselves in the digital age. So, welcome to the Basics of Encryption (Part 1), where we get a very gentle introduction into the world of cryptography. If you want to know what is cryptography, then this video is for you! Cryptography / Encryption has been around for years. Consider the Caesar Cipher and Enigma, both forms of substitution cipher. These were used during wartime to convert plain text to cipher text, without enemy forces understanding the original message. And although old, both of these forms of encryption help us to gain an understanding into modern encryption. These days encryption is more complicated, using prime numbers to create keys that are near impossible to guess, and too hard to compute. That is of course, if you use them correctly...
In modern cryptography, ciphers are algorithms that explain the process to encrypt and decrypt our information. Learn more about Cryptography and Encryption Basics in this video. There are many ciphers out there, including AES, DES, 3DES, SSL, TLS, RC4, and more. When you’re thinking about encryption, you’re likely thinking of symmetric encryption. This is where a key is used to encrypt, and the same key is used for decryption. So, as you can imagine, the larger the key, the harder it is to break encryption. And some of they keys we use today are massive! These ciphers may be stream ciphers, or block ciphers. Block ciphers are more common these days. While stream ciphers create a large value called the One Time Pad, and encrypt the entire piece of information at once, block ciphers first break the information into fixed sized blocks. Once the data is broken into blocks, they are each encrypted one at a time. The way this is done is called the mode of operation, and some modes are more secure than others. These include ECB, CBC, GCM, and others. But let’s not forget that there are other types of encryption. For example, hashing algorithms work in one direction only (that is, they are non-reversible), and they don’t require a key. What’s the point of that? They can be used to create a unique value to represent a piece of information, which in itself has some very interesting uses.
Learn how to keep your Network secure by understanding the basics of Public Key Encryption, SSL and Cipher Suites. This video is for you! There’s symmetric cryptography, and asymmetric cryptography (Also called public key encryption). And they work in different ways. Symmetric uses keys that are shared with all parties that need to encrypt and decrypt the information. Sharing the keys among everyone can be tricky to do securely. On the other hand, asymmetric encryption is completely different. This uses a pair of keys, public and private, which are always used together. Either can encrypt, but the other is used to decrypt. The problem is that this is a very slow process. Good thing we can combine the two to get the best of both worlds. We can use public key encryption to generate and share private keys (as well as perform authentication), and then we can use these keys with a symmetric cipher for the bulk of the secret information. These ciphers, along with a security protocol (like SSL, TLS, Kerberos, IPSec), a mode of operation, and a hashing algorithm, make up a cipher suite. But it’s probably easier to understand with an example, such as an HTTPS connection between a client and a web server. The client and server will send a ‘client hello’ and ‘server hello’ message, which includes random numbers, suitable cipher suites, and the server’s certificate. If they agree to proceed, the client can then generate the pre-master key, encrypt it with the servers' public key, and send it. Both sides can then use their three numbers to generate session keys, which are used with the symmetric cipher for the bulk of encryption. But any of these ciphers can be found to be insecure in the future. There are a few tricks to learn to keep your systems secure...
Overview of this video:
0:26 Symmetric vs Asymmetric (public key encryption)
3:36 Security Protocols and Cipher Suites
6:23 An SSL Connection
9:07 Staying Secure
We can manage proactively, and we can manage reactively. SNMP is a protocol that can help us with both. A management server will use SNMP polling to collect information from devices on our network. This builds charts and dashboards to help us evaluate the health of our network. If a device has a problem, it may even send an SNMP trap to the management server. The server can then take an appropriate action, like alert us. SNMP information is stored in a hierarchical structure called a MIB (Management Information Base). This is a collection of objects called OIDs (Object Identifiers). These describe the information that can be collected from devices, and how to interpret it. When a poll is sent, the server will also specify a community string. This string is a simple form of authentication. Unfortunately, it is stored in plan-text, both in the message and in the configuration. There are three versions of SNMP. v1 came first, and v2 extended this by adding support for 64-bit counters. v3 added real authentication and encryption. v3 is recommended in most cases.
Sending Logs to a Syslog Server | Network Fundamentals Part 23
Your devices are constantly working, and constantly generating events. These events are marked with logs. Where do these logs go? Some of them will stay on the local device, but in a well maintained network, we can also send out logs to a syslog server. Putting all our logs in one place will help us to correlate problems across many devices. Syslog is a well known format for logging. Lots of devices can use them. There are two important aspects; Facilities and severity levels. A facility represents the process that generates the log. The severity level refers to how important a log is. There are eight levels, named emergency, alert, critical, error, warning, notification, information, and debug. Debug logs are benign while emergency logs are very important. To help remember the levels, think of the mnemonic Every Awesome Cisco Engineer Will Need Icecream Daily.
Does Network Time Really Matter? | Network Fundamentals Part 22
Does it matter if our routers, switches, and other devices on the network have the correct time and date? Why, yes it does! Think of logging and troubleshooting, which makes use of timestamps. Think of security applications like Kerberos and certificates. And think of scheduling events. We can configure time manually on each router or switch. Unfortunately, this is time-consuming and often inaccurate. So, we have an alternative, called Network Time Protocol, or NTP. NTP servers provide the correct time to NTP clients on request. NTP servers are organized into layers called stratum. Each stratum of NTP servers acts as a client to synchronize their time and date with a server in the stratum above. We can configure clients to use a local NTP server in our network (perhaps a Domain Controller), or we can configure them to use a server on the internet (perhaps from pool.ntp.org). We can even select a preferred NTP server and have others configured as backups. Synchronizing can take a while on the first attempt (perhaps 10 minutes), so you will need to be patient!
We have a lot of private IP address in our networks. But, we can only use public IP addresses on the internet. So how can our privately-addressed devices access the publicly-addressed internet? With a technology called Network Address Translation, or NAT. NAT has the ability to rewrite the source and/or destination IP address in the IP header. A complimentary technology called Port Address Translation (PAT) can change the source and destination ports in a TCP or UDP header. A NAT can by static or dynamic. A static NAT will match an original IP with the same translated IP every time. Dynamic NAT on the other hand, will use a different mapping each time. Sometimes we don’t have enough public IP’s to map to, so we will need to use a different aspect of NAT, called port overloading. This is sometimes called masquerading. Port overloading lets us assign a different port number to each translation, so we can conserve the number of public IP’s that we’re using. A key concept in NAT is understanding where the traffic starts from. Is it starting within the network, and heading out? Or is is starting somewhere on the internet, and heading into our network. This makes it easier to understand bidirectional and unidirectional NAT. Be sure to check out the labs (links below) if you want to try this out yourself.
Overview of this video:
0:27 What is NAT?
1:41 How NAT Works
5:07 Configuring Static NAT
9:24 Configuring Dynamic NAT
13:15 Port Address Translation
16:20 Port Overload
Time to see some dynamic routing in action! We’re going to start with RIP, or Routing Information Protocol. It’s a simple protocol that’s been around for a long time. RIP is a type of Distance Vector Routing Protocol. This has a different approach to a Link State Protocol like OSPF. While Link State protocols have each router build a full map of the network, Distance Vector protocols are more concerned with just the next hop. They have ‘sign posts’ pointing the way. To run RIP, the process must be started with ‘router rip’. This is also where most RIP configuration goes. This includes ‘version 2’, to limit the router to RIPv2 only, ‘no auto-summary’ to prevent automatic summarization to classful boundaries, and network statements to enable RIP on interfaces, and to advertise their connected routes. If we don’t want RIP running on all interfaces, we can use ‘passive-interface’ or ‘passive-interface default’ to stop the updates being sent and received, while still allowing connected routes to be advertised. Of course, we could also consider authentication between neighbours. We can configure this using MD5, which uses an encrypted password. Each dynamic routing protocol uses a metric. This is a way to measure how good a link is. The routing protocol will use this metric to decide which path is best. RIP uses hop count as its metric. It’s important to prevent routing loops. Distance Vector protocols do this by using the ‘split horizon’ rule. This prevents a router from sending an update for a network out an interface that the network update was received on. If there are bad networks, RIP can ‘poison’ the route by setting the metric to 16. 16 hops is invalid in RIP terms. This causes other routers to know that this route is bad and shouldn’t be used. If a router or a network fails, the network needs to ‘converge’. Convergence is the process that routers go through to find alternative paths during a failure, or to add new paths when new networks come online. We want convergence to be as quick as possible. And we shouldn’t forget the default route. Rather than configure a static route everywhere, we can get RIP to share the default route with the rest of the network. Be sure to try the labs, they will be worth your time!
Overview of this video:
0:21 RIP Basics
1:19 Distance Vector and Link State
2:56 RIP Configuration
10:18 Passive Interfaces and Authentication
14:26 Metrics
17:12 Split Horizon and Route Poisoning
19:40 Convergence
22:36 Default Route Distribution
23:40 Labs
Routing Protocols and Traffic Forwarding | Network Fundamentals Part 19
Ready to continue your routing journey? Surely you’ve noticed that it can be a pain to configure static routes all the time. It takes forever, they’re difficult to troubleshoot, they don’t adapt to network changes very well, and it’s easy to make a typo. The alternative is dynamic routing. Dynamic routing protocols, such as RIP, EIGRP, OSPF, and BGP help us as they’re more aware of what’s going on. For example, if there’s a fault, they are able to route traffic along a different path. We’ll be diving into RIP in the next video, but before we do that, you need to understand a few rules that routers follow. The first is called Longest Prefix Match (LPM). This states that if the destination IP address matches more than one route in the routing table, the route with the longest subnet mask will be chosen. The second is Administrative Distance (AD). Each source of routing information has an AD value assigned to it. So, if a route is learned from more than one source (for example, RIP and OSPF), the router will look at the administrative distance of both protocols, then it will decide that it prefers OSPF more, and put that route into the routing table. We can manipulate administrative distance in some cases. We can create static routes with different AD’s, in order for them to become floating static routes. If the primary route (wherever it’s learned from) is lost, the floating static route can take its place.
