Network Concepts and Troubleshooting: A field guide for understanding IP networks - PowerPoint PPT Presentation


PPT – Network Concepts and Troubleshooting: A field guide for understanding IP networks PowerPoint presentation | free to download - id: 66d194-YmQwM


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Network Concepts and Troubleshooting: A field guide for understanding IP networks


Title: PowerPoint Presentation Author: Laren Metcalf Last modified by: Rich Created Date: 11/19/2013 5:41:32 PM Document presentation format: Custom – PowerPoint PPT presentation

Number of Views:100
Avg rating:3.0/5.0
Slides: 44
Provided by: LarenM
Learn more at:


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Network Concepts and Troubleshooting: A field guide for understanding IP networks

Network Concepts and Troubleshooting A field
guide for understanding IP networks
Laren Metcalf - Dir. IP Services
Networking History
Ethernet Started as 10 Mbit
  • Ethernet shared topology using coax cable, RG58
    for thin net, RG-8 for thick net, terminated with
    a resister on each end. Connect a station using
    a tap into the coax

10 Base 5 Thick net
10 Base 2 Thin net
CSMA/CD Carrier Sense Multiple Access with
Collision Detect
Shared media- Collision Detect Check for idle on
media Send If collision stop transmission
frame Send Jam signal (32 bit binary
pattern) Wait a backoff period Retry
Max distance 185 meters (607 ft) Max nodes of
Max distance 500 meters (1640 ft) Max nodes 100
NIC Network Interface Card MAC Media Access
Control. Each device has a unique MAC address
Networking History
Ethernet 10 Base T, 100 Base T, 1000 Base T
Power Over Ethernet IEEE 802.3 af/at/
  • Ethernet over Coax was not flexible enough so 10
    BASE-T developed using 8 wire standard twisted
    pair cabling using pins 1, 2, 3, and 6. Gigabit
    uses all four pairs.

Every port is a separate bridge domain. Packets
dont go out all ports, only to the destination
MAC address
10 Base T RJ45 8 wire
Network Switch
POE/POE Power Over Ethernet IEEE 802.3 af/at
Distance is 100 meters, 328 ft., extenders for
distance 802.3 af max 15.4 Watts, 802.3at max
34.20 Watts Voltage Range 44-57 V Max Current 350
mA 600 mA 4 Power class levels negotiated at
initial connection Class/mA 0/0-4, 1/9-12,
2/17-20, 3/26-30, 4/36-44
IP Phone getting power from network switch over
RJ45 connection 5 Volts _at_ 7 Watts
Wireless Access Point getting power from the RJ45
connection _at_ 15 Watts
Power extenders boost power, boost noise
Can use to go 200 meters, 300 meters, Better to
get power and POE switch closer to device
Home Network
The fastest growing segment of the market.
Simpler but still has to follow the rules
Outside carrier connection comes in through a
Connections are made in the back of the home
router. It could be a wireless device as well
Speed issues, applications are driving speeds up
on the edge, then to the provider, then across
the provider network.
WAN port
Broadcom is coming out with a 2X2 MIMO chip,
BCM4354 for smartphones, Called 5G WiFi MIMO.
Current chips are 1x1 MIMO.
Smart TV
Classification of Traffic
  • Each application on a network, data, voice,
    video, can have separate QoS
  • VLANS, virtual LANs, used to separate each

When using multiple applications that require
isochronous, consistent communications, Classify
your data
Access Point
Video VLAN Traffic needs to be identified and
prioritized Voice VLAN Devices need to be in a
vlan with high priority Data VLAN Low priority
data, web browsing, email
Access Point Just like a switch offering
Data VLAN Low QoS
Trunk vs. Access Ports
  • Trunk ports have multiple vlans and connect
    switch to switch, multiple vlans
  • If only one vlan is required on the port they can
    assign a vlan that applies to all traffic.
  • Untagged means no vlan embedded in them, port
    assigns vlan
  • Tagged Packets have the vlan imbedded in the
    packet using 802.1q

802.1q packet
Access Tagged Voice vlan
Access Tagged Data vlan
Networking Media Types
Gigabit/10 gigabit/40 gigabit/ 100 gigabit
  • 10 Gbit SFP Fiber
  • 10 GBASE-SR Short Range 850nm 400 m
  • 10 GBASE-LR Long Range 1310 nm 10 Km
  • 10 GBASE-ER Ext Reach 1550 nm 40 km
  • 10 GBASE-ZR ZR Reach 1550 nm 80 km

1 Gbit SFP Fiber SX black/beige lever
850nm 550 m LX Blue extractor lever
1310 nm 10 Km EX Blue extractor lever
1550 nm 40 km ZX Blue extractor lever
1550 nm 80 km
40 Gbit QSFP 40GBase -SR4 Short Range OM3/OM4
100/125m 40GBase-LR4 Long Range 1310 nm
10 Km 40GBase-ER4 Ext Reach 1310 nm
40 km 40GBASE-T Cat8 copper 4 pair Copper
100 Gbit Fiber 100GBase-SR4 Short Range
OM3/OM4 00/125m 100GBase-LR4 Long Reach 1310
nm 10 km 100GBase-ER4 Ext Reach 1310 nm 40
Remains a carrier platform. Vendors with
products Arista, Brocade, Huawei, Cisco
(limited), Juniper (limited)
Wireless Networking
WiFi - 802.11 a/b/g/n/ac
  • 802.11 a/b 11Mbit Old and slow. Devices using
    this require other wireless devices capable of
    faster speeds to slow down. 3 non overlapping
  • 802.11 g 54 Mbit (22.5 Mbit X 2), uses 2.4 GHz
    radio. Wide band (2 20MHz channels for a 40 MHz
    channel) for higher speed (simulated n), but it
    will conflict with channels in multiple AP
    environment. 3 non overlapping channels.
    802.11n in 2.4 GHz uses 82 of the channels 40
    MHz wide channels
  • 802.11 n 72Mbit/150 Mbit MIMO allows 300Mb,
    450Mb, and 600Mb. 5GHz. MIMO Most common is
    3X33, 3 Tx antennas, 3 Rx antennas, 3 streams
  • 802.11 ac 433.3 Mbit per stream, 1300Mbit total.
    80 or 160 MHz channels versus 40 MHz in 802.11 n.
    Limited distance. Wider channels, more steams
  • Future 802.11ad WiGig 60 MHz channels and 7
    Gbit speed, 802.11af based on 802.11ac, geo
    discovery for optimal connection, 568.9 Mbit

MIMO - Spatial Multiplexing using multiple
antennas Tx Rx Strms Requirements Adaptive
Beamforming manipulates the phase and amplitude
of the signal at each transmitter and rejects
unwanted signals Precoding Multi-stream
beamforming, improves the received signal quality
at the decoding stage, spatial multiplexing
creates spatial beam patterns in same frequency
channel Space-Time coding/processing separates
each antenna element 802.11n has max of 4X4 MIMO
and channel width of 40 MHz.
8 spatial streams with 80 MHz channel
width 256-QAM modulation, up from 64-QAM in
802.11n Quadrupling spectral efficiency over
Wireless Networking
WiFi 2.4GHz
2.4GHz only has 13 channels (US) with 3 that
dont overlap. Power and channel are critical
for it to function in multi radio environment.
SNR Power determines the signal to noise ratio
critical for communication
SNR of -40db Excellent, -25 to 40 very good, -15
to 25 low, -10 to 15 very low
Wireless Networking
802.11n 5GHz 7x more channels
5 GHz 24 non overlapping channels, use dynamic
frequency selection (DFS) and transmit power
control (TPC) to avoid interference with weather
radar and military applications.
Wireless Wifi
inSSIDr tool to see wireless power and channel
Wireless Wifi
Xirrus Wifi Inspector FREE from Xirrus
Next Section OSI 7 Layer model
OSI 7 Layer model
Soup to Nuts - Everything
OSI 7 Layer model
Specialized Applications
Simplify - Break it Down
Load Balancers
  • Network Access

OSI 7 Layer model
  • The dividing line between the end device and the

Network Access
Example TCP/IP Transmission Control Protocol /
Internet Protocol
Example LAN, WAN, Wireless LAN, SONET, ATM
OSI 7 Layer model
  • TCP/IP Protocols

  • Example FTP connection

Example Email
  • Outlook client requests email data from the mail

  • Security Are
    Firewalls enough? Theyve been
    around for 20 years!!

Perimeter Defense is still needed, theyve
evolved and arent perfect.
Stateful Inspection CBAC Context Based Access
Inspects packets from the external network, only
allowing traffic when the connection is initiated
from the inside network. Examines network,
transport, and application layer information,
deep packet inspection, DPI.
Platforms -
New platforms Palo Alto, FireEye, granular
network and device permissions. Application
aware Older - Checkpoint, Cisco, Juniper,
Sonicwall, Fortinet, Watchguard Linux iptables
Basis for most linux firewalls, packet
filtering, IPCop, Shorewall (iptables with a
GUI), UFW (iptables netfilter). Dont ignore
Vyatta, m0n0wall,
Access List
Filter by IP address or transport protocol. Not
a secure method to block traffic, no monitoring
and tracking of sessions, only ability to see
hits on the access list rules.
NAT Network Address Translation
One to one NAT, one to many NAT (conserve Ip
addresses). Not a secure method to block traffic.
  • Security

Intrusion Detection/ Intrusion Prevention IDS/IPS
Detect it and you can
address it
  • Systems are inline with traffic and monitor for
    attacks as they occur.
  • Must have a signature database updates are
  • Day Zero attacks How can they be detected?
  • Forensics Capture the traffic and reconstruct
    what was compromised, understand the scope and
    extent of the attack
  • Seen as high end appliances, only in large
    enterprise and uber secure networks
  • IDS/IPS components in security/firewall devices
    including wireless
  • It only takes a signature database and DPI

  • Security

Small and Midsize Companies vs Large corporations
  • They do what they can Anti Virus, Perimeter
    Firewall, compliance requirements
  • Viruses and malware are spreading and evolving,
    attack patterns are changing
  • Since 2008 viruses have taken off, come in
    through mobile device with corporate email
  • Do it yourself hacker kits, identify what they
    want to do a whole new level of sophistication
  • Security companies get called in and block known
    attacks and find unknown attacks only after
    forensics (decoding packet traces to and from
  • The nature of Wireless makes it easiest target.
    Aircrack tools for WEP and WPA cracking just
    needs enough data to sift through to figure out
    the keys.

Types of threats
  • Android OS HEUR.Trojan-Spy- intercept SMS
    messages and upload to a server with encrypted
    URL Appears on Android phone as a Blue shield
    named Android Security Suite Premium
  • Adobe PDF reader used to deliver malicious
    payloads which evade malware and intrusion
    detection software, prior to version 9.
  • Linksys/Cisco Moon worm connects to port 8080,
    loads a worm 2MB in size, scans for 670 different
    networks, try to infect other systems, new code
    for fix, disable remote management.
  • DDoS attacks 100 Gbpsec using an old NTP
    command requesting data be sent to another
    server. Amplification directs thousands of NTP
    servers to a targeted system. Up 371 in last 30
  • Mt.GOX, the worlds largest bitcoin exchange,
    coin stealer on MAC or Windows,
    TibanneSocket.exe, seeks out bitcoins.conf and
    wallet.dat and send them to a command server in
    Bulgaria. Hackers posted a zip file supposed to
    be a data dump and tools found on Mark Karpeles
    (Bitcoins CEO) personal blog and reddit account
    that would allow access MtGox data but they
    turned out to be Bitcoin wallet stealing malware.
  • Facebook See your friends naked Over 2
    million people fell for this. It showed a
    picture of one of your contacts saying click here
    to see a video of them naked. Brought the user
    to a youtube page stating they needed to upgrade
    their flash player, if they downloaded it malware
    loaded that steals your photos and adds a browser
    extension to spread the scam.

If you get caught
Companies offer rewards
  • Facebook and Microsoft rewards hackers finding
    security holes
  • Wurm online offering 13,000 bounty for info on a
    DDoS attack
  • Most hacking not reported, banks and institutions
    fear publicity
  • Hacker joined a DDoS attack for one minute and
    fined 183,000 for causing website to be down for
    15 minutes
  • Hacker could face 10 years in prison for breaking
    into a intelligence company, Stratfor
  • Aaron Swartzs worldwide attention for felony
    charges for hacking MIT academic files led to his

Financial Malware most popular threat in
2013 1400 Financial Institutions in 88 targeted
by Banking Trojan in 2013 337 increase
Antivirus firm Symantec has released a Threat
report, called The State of Financial Trojans
2013. Over 1,400 financial institutions have
been targeted and millions of computers have been
compromised around the globe with 71.5 of US
banks as the most targeted of all analyzed
  • First 3 quarters of 2013
  • Number of computers compromised
  • 2M Zbot Gameover
  • 125K Cridex
  • 33K Shylock
  • 26K Spyeye
  • 21K Bebloh
  • 9K Mebroot
  • 2K - Tilon

The Botnet Population is Huge According to
a study by McAfee, "at least 12 million computers
around the world (are) compromised by botnets."
That means the botnet operators are controlling a
population rougly the size of Guatemala
SCADA Supervisory control and data acquisition
  • Power companies are working to secure their
    systems, but OS remains publicly available
  • Kaspersky Lab developing Secure OS for Scada
  • SHODAN search engine designed for seeking out
    vulnerable insdustrial systems including SCADA.
    It finds systems connected to the internet

  • Understanding TCP Syn Attack
  • Sender transmits a volume of connections that
    cant be completed

TCP works like a phone call, called connection
oriented protocol
In a SYN flood attack the malicious client sends
the SYN packet to the server without the intent
of setting up a connection. It doesnt wait for
a SYN-ACK packet, it sends another SYN packet
trying to setup another connection. The server
keeps the connection active for 2 minutes before
letting it go and as new SYN requests come in the
server will eventually be unable to keep up and
will either refuse new connections or reboot.
It can be used for nefarious activity, same
scenario with a phone call
  • About DDoS attacks

DoS attack multiplied Multiple attacks launched
from many computers unknowingly infected with a
virus or Trojan allowing them to be controlled by
a bot herder. An attacker can issue commands
to the entire herd ordering them to attack a
specific target. Immediately the target goes down
and doesnt come back up until
Low Orbit Ion Cannon
LOIC Hive Mind allows a single user to
control a network of LOIC deamons distributed
globally Tools like Low Orbit Ion Cannon make it
easy for anyone to maliciously take a nearly any
size target anywhere offline. DDoS attacks are
escalating and occurring for reasons of
extortion, political and ideological agenda, anti
competitive intitatives, and suppression of free
  • Mitigation of DDoS Filter/Control/Back Hole
  • Purpose Built packet filter

Linux Server ps aux grep I HTTPwc -1 ?
Identify the traffic, if its port 80 Netstate
lpngrep 80awk print 5 sort ? If there
are more than 30 sessions you are under
attack Iptables A INPUT s ltAttacking Network
IP Addressgt -j DROP ?Stop the attacking
network OR Route add ltIPgt gw lo Route
add net ltIP/maskgt gw lo This can be
used to implement a bogon, bogus IP address block
  • Screen traffic on border routers
  • Drop packets that
  • Have internal IP addresses from your network
  • Are from known black hat sources
  • Incomplete or malformed
  • Are for services not utilized
  • - Only allow traffic you should see, i.e.
    HTTP/port 80
  • Utilize a DNSBL list
  • - A known list of IP addresses associated with
    spamming, zombie computers
  • Cisco has a white paper on RTBH, remotely
    triggered black hole filtering

Use BGP to map a route prefix to null in the
redistribute static section STATIC-TO-BGP match
tag 66 route-map STATIC-TO-BGP permit 10 set ip
next-hop Ip route Null0 Tag 66
Use IP route statement to black hole a route Ip
route Null0
Simple hosts file blocking using
  • Hosts file the first internet dns. On all
    Windows, Unix, Macs
  • Located C\Windows\System32\drivers\etc

  • Anything Else?

Target PoS systems, credit card info scraped to
an internal server compromised by hackers Eset, a
company based in the Czech Republic, found a worm
designed to steal AutoCAD drawings and transmit
them to China. More than 10,000 ACAD/Medre.A
infections have been found in Latin America NSA
spies on Huawei servers, communication between
top company officials, internal documents, and
source code of individual Huawei products The
US and Australia have barred Huawei from
broadband projects over espionage fears Ciscos
own VPN product has a vulnerability in the client
enabling access to malicious sites and allow an
attacker to execute remote code using ActiveX or
Java. They issues a patch and also warned of a
software downgrade vulnerability allowing a
hacker to change to an earlier exploitable
version of the software US-CERT issued an
advisory that some 64-bit Intel based systems are
susceptible to local privilege escalation attack
to allow control over virtual machines AhnLab,
Inc., a South Korean security vendor, issued a
warning about variations to the SpyEye Trojan and
ZeuS bot that attempts to steal personal banking
data Stuxnet, Flame both used against Iran
stunting its ability to build nuclear weapons
  • New Security Products

ThreatSecure from ThreatTrack Security detects
malware based on anomalous network behavior.
This is the next generation of day zero
countermeasures a step above using signature
based defenses. McAfee unveiled new next
generation firewall defense leveraging
acquisition StoneSofts malware detection engine.
It updates endpoint protection for endpoints when
threat is detected. Fortinet upgrades OS to
version 5 adding integrated reporting, protection
vs. targeted attacks, faster SSL inspection, and
strong authentication. HP unveils Threat Central,
a security intelligence platform allowing sharing
of threat data integrating with HP Tippingpoint
and Arcsight appliances. Huawei Rolls out
Anti-DDoS appliance for carriers and datacenters.
1 Tbpsec, and protection from application layer
mobile devices and outbound DDoS Barracuda
announces NG Firewall for Windows Azure cloud
platform coupled with the Web Application
Firewall to provide app security and secure
remote access.
  • Best Practices

Layered Protection Perimeter Firewall,
antivirus, IDS/IPS, desktop firewall, OS
patches Reduce the attack Surface Restricting
applications, devices access to resources and
allowed to connect example BYOD only access
to outside facing portal and internet Browser
plugins Patch them and monitor and eliminate
the holes. Most hacked is Microsoft Internet
Explorer, Adobe Reader, Acrobat, and Flash.
Vulnerabilities are documented and maintained,
stay up to date and try alternatives. Block P2P
The simplest method to distribute malware is
hidden files in peer to peer networks. Eliminate
any P2P file sharing with resources including
Application and Device Control (ADC) component at
the desktop. Turn off Autorun Stop
Conficker/Downadup and other network based worms
from jumping from USB keys and network
drives Monitor, Analyze, Patch, Repeat
  • Calix MSAP
  • Multi Service Access Platform
  • GPON Gigabit Passive Optical Network.
  • Supports multiple services in their native
  • Gigabit Ethernet 2.448 Gbit downstream/1.25 Gbit
  • Equal, fixed time slots for all endpoints using

Home Network
Every home is an IP network with an outside IP to
the Internet
There are two parts to an IPv4 address Network
and Mask
Almost all network devices have default IP of with subnet mask of
Internal IP subnet used for home network
In IPv4 this is represented as
? Device ?
Network Hosts
IP Address Mask
External IP on Internet through Carrier connection
Network Tools
Test the outside network Ping DNS Server IP, ping
a known web page Now check your
browser -
What to do to test local network Do I have an
IP address? Ipconfig Ping Im
good on the local network!
Management, topology, device discovery
Solarwinds, Whats up gold, NetInfo,
ls TechRepublic http//
Wireshark Protocol analysis
Free download Capture traffic Wired,
wireless, Bluetooth, USB
S-flow monitoring protocols
IPv4 Address Primer
Each Number in an IP address represents an Octet
There are 4 octets in an IP address. Each octet
can be represented in an 8 bit binary number
The mask represents the dividing line where the
network number ends and the host identifier begins
The last octet is used for identifying hosts. In
this example the host is 130. Hosts can be
numbered from 1-254
The last octet can be used as the broadcast to
all hosts in a subnet using 255, all 1s in binary
IPv4 Address Primer
Using variable Masks
By manipulating the mask you can conserve IP
addresses, only using what you need.
You can break up your subnet into
multiple subnets using a longer mask
IPv6 Addressing
Intended to replace IPv4 to deal with long
anticipated IPv4 address exhaustion
2013 only 2 of users reaching Google services
used an IPv6 address
IPv6 allows 2128, or 3.4 X 1038 address using a
128 bit IP address vs. IPv4 using 32 bit
Uses 8 groups of four hexadecimal digits
separated by colons
20010db885a3000000008a2e03707334 - All
leading zeros can be dropped shortening the
address to 2001db885a38a2e3707334
3 Types of networking methodologies Unicast
Identifying each individual network
interface Anycast Identifies a group of
interfaces, usually at different locations using
nearest first Multicast Used to deliver one
packet to many interfaces Broadcast is not
implemented in IPv6
Carrier Broadband GSM, CDMA
Long Term Evolution (LTE) -
Currently marketed as 4G LTE. LTE Advanced
increased speeds to 3.3 Gbit/sec with MIMO (1.2
Gbit/sec per stream).
Point to Point / Backhaul RF Bands GHz 2.5,
5.4, 5.8, 638 provide throughputs of from 50
Mbpsec to 300 Mbps depending on range
Rural Broadband
Finley IP Services Organization
Pre Sales
Post Sales
  • Tech Support 855-4FINLEY Document calls, useage
    by customer and time tracking
  • Project Implementation from Installation thru
  • - Project tracking with weekly call
  • Documentation on status and completion dates
  • Assign Finley resource
  • Maintain customer communication copying Finley
    Proj Mgr or project tracking mgr.

Structure and Organization Finley Services and
Product offerings Partner Relationships for
services delivery Customer Facing IT Consulting
Design and planning Project Management (design,
drawings, function) Trade Shows RFP
response Finley IP Training
Products and Services
Networking Products
Acitve Data Products on our customer
networks Includes Switches, Routers, Firewalls,
Servers, Wireless as well as multi service access
systems service providers
Networking Services
Design, Installation, Support, troubleshooting End
to End Networking Customer Training Managed
Services We run their network including staff
augmentation Security Firewall hack-ability
testing, compliance, and audits
Questions ?
(No Transcript)