By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objectives: - Given a scenario, use the appropriate statistics and sensors to ensure network availability. - Explain the purpose of organizational documents and policies. - Explain high availability and disaster recovery concepts and summarize which is the best solution. Topics: Organizational Documents and Policies Wiring and Port Locations Troubleshooting Using Wiring Schematics Physical and Logical Network Diagrams Baseline Configurations Policies, Procedures, Configurations, and Regulations Policies Password-Related Policies Procedures Change Management Documentation Configuration Documentation Regulations Labeling High Availability and Disaster Recovery Backups Full Backups Differential Backups Incremental Backups Snapshots Backup Best Practices Using Uninterruptible Power Supplies Why Use a UPS? Power Threats Beyond the UPS Cold, Warm, Hot, and Cloud Sites High Availability and Recovery Concepts Active-Active Versus Active-Passive Monitoring Network Performance Common Performance Metrics SNMP Monitors Management Information Base (MIB) Network Performance, Load, and Stress Testing Performance Tests Load Tests and Send/Receive Traffic Stress Tests Performance Metrics Network Device Logs Security Logs Application Log System Logs History Logs Log Management Patch Management Environmental Factors This guide covers CompTIA Network+ objectives 3.1, 3.2, and 3.3. This guide examines two important parts of the role of a network administrator: documentation and the tools to use to monitor or optimize connectivity. Documentation, although not glamorous, is an essential part of the job. This guide also looks at ensuring high availability, using statistics appropriately, and disaster recover concepts. Organizational Documents and Policies - Explain the purpose of organizational documents and policies. 1. Which network topology focuses on the direction in which data flows within the physical environment? 2. In computing, what are historical readings used as a measurement for future calculations referred to as? 3. True or false: Both logical and physical network diagrams provide an overview of the network layout and function. 4. True or false: Acceptable use policies define what controls are required to implement and maintain the security of systems, users, and networks.
Answers: 1. The logical network refers to the direction in which data flows on the network within the physical topology. The logical diagram is not intended to focus on the network hardware but rather on how data flows through that hardware. 2. An essential part of the administrator’s role is keeping and reviewing baselines. 3. True. Both logical and physical network diagrams provide an overview of the network layout and function. 4. False. Security policies define what controls are required to implement and maintain the security of systems, users, and networks. Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources: both software and hardware.
Remember that this objective begins with “Explain the purpose.” This means that you need to know and appreciate the role organizational documents and policies play in keeping a business up and running.
Administrators have several daily tasks, and new ones often crop up. In this environment, tasks such as documentation sometimes fall to the background. It’s important that you understand why administrators need to spend valuable time writing and reviewing documentation.
Having a well-documented network offers a number of advantages: - Troubleshooting: When something goes wrong on the network, including the wiring, up-to-date documentation is a valuable reference to guide the troubleshooting effort. The documentation saves you money and time in isolating potential problems. - Training new administrators/technicians: In many network environments, new administrators are hired, and old ones leave. In this scenario, documentation is critical. New administrators do not have the time to try to figure out where cabling is run, what cabling is used, potential trouble spots, and more. Up-to-date information helps new administrators quickly see the network layout. - Working with contractors and consultants: Consultants and contractors occasionally may need to visit the network to make recommendations for the network or to add wiring or other components. In such cases, up-to-date documentation is needed. If documentation is missing, it would be much more difficult for these people to do their jobs, and more time and money would likely be required. - Inventory management: Knowing what you have, where you have it, and what you can turn to in the case of an emergency is both constructive and helpful.
Quality network documentation does not happen by accident; rather, it requires careful planning. When creating network documentation, you must keep in mind who you are creating the documentation for and that it is a communication tool. Documentation is used to take technical information and present it in a manner that someone new to the network can understand. When planning network documentation, you must decide what you need to document. Imagine that you have just taken over a network as administrator. What information would you like to see? This is often a clear gauge of what to include in your network documentation.
All networks differ and so does the documentation required for each network.
However, certain elements are always included in quality documentation: - Floor plan: This diagram need not be complicated; it should simply show where everything is. It is a layout of the area and what would be found in each location. A good way to think of this plan is that it would be a useful tool to hand to new junior administrators on their first day at work to familiarize them with where resources can be found. - Network topology: Networks can be complicated. If someone new is looking over the network, it is critical to document the entire topology. This includes both the wired and wireless topologies used on the network. Network topology documentation typically consists of a diagram or series of diagrams labeling all critical components used to create the network. These diagrams utilize common symbols for components such as firewalls, hubs, routers, and switches.
The figure below, for example, shows standard figures for, from left to right, a firewall, a hub, a router, and a switch. Diagram symbols for a firewall, a hub, a router, and a switch
- Wiring layout and rack diagrams: Network wiring can be confusing. Much of it is hidden in walls and ceilings, making it hard to know where the wiring is and what kind is used on the network. Therefore, it is critical to keep documentation on network wiring up to date. Diagram what is on each rack and any unusual configurations that might be employed. - IDF/MDF documentation: It is not enough to show that there is an intermediate distribution frame (IDF) and/or main distribution frame (MDF) in your building. You need to thoroughly document any and every free-standing or wall-mounted rack and the cables running between them and the end-user devices. - Server configuration: A single network typically uses multiple servers spread over a large geographic area. Documentation must include schematic drawings of where servers are located on the network and the services each provides. This includes server function, server IP address, operating system (OS), software information, and more. Essentially, you need to document all the information you need to manage or administer the servers. - Network equipment: The hardware used on a network is configured in a particular way—with protocols, security settings, permissions, and more. Trying to remember them would be a difficult task. Having up-to-date documentation makes it easier to recover from a failure. - Network configuration, performance baselines, and key applications: Documentation also includes information on all current network configurations, performance baselines taken, and key applications used on the network, such as up-to-date information on their updates, vendors, install dates, and more. - Detailed account of network services: Network services are a key ingredient in all networks. Services such as Domain Name Service (DNS) and Dynamic Host Configuration Protocol (DHCP), and more are an important part of documentation. You should describe in detail which server maintains these services, the backup servers for these services, maintenance schedules, how they are structured, and so on. - Site survey report: A site survey is typically associated with wireless networking and used to identify access points and security settings. These surveys can be used to help you design and deploy an efficient network. - Audit and assessment report: An audit and assessment report is used to see how well your operations/settings match what you intended them to. For more information, see “Network Device Logs” later in this guide. - Standard operating procedures/work instructions: Finally, documentation should include information on network policy and procedures. This information includes many elements, ranging from who can and cannot access the server room, to network firewalls, protocols, passwords, physical security, cloud computing use, mobile device use, and so on.
Be sure that you know the types of information that should be included in network documentation Wiring and Port Locations Network wiring schematics are an essential part of network documentation, particularly for midsize to large networks, where the cabling is certainly complex. For such networks, it becomes increasingly difficult to visualize network cabling and even harder to explain it to someone else. A number of software tools exist to help administrators clearly document network wiring in detail.
Several types of wiring schematics exist. They can be general, as shown in the figure below, or they can be very specific, indicating the actual type of wiring used, the operating system on each machine, and so on. The more generalized they are, the less they need updating, whereas very specific schematics often need to be changed regularly. A general wiring schematic
For the exam, be familiar with the look of a general wiring schematic such as the one shown in the figure above.
TABLE: Wiring Details
Cable
Description
Installation Notes
1
Category 6 plenum-rated cable
Cable runs 50 feet from the MDF to IDF. Cable placed through the ceiling and through a mechanical room. Cable was installed 02/26/2019, upgrading a nonplenum Category 5e cable.
2
Category 6a plenum cable
Horizontal cable runs 45 feet to 55 feet from IDF to wall jack. Replaced Category 5 cable February 2019. Section of cable run through the ceiling and over fluorescent lights.
3
Category 6 UTP cable
All patch cable connectors were attached in-house. Patch cable connecting the printer runs 45 feet due to printer placement.
4
8.3-micron core/ 125-micron cladding single mode
Connecting fiber cable runs 2 kilometers between the primary and secondary buildings.
Quality network documentation software handle the task of network wiring - all the wiring documentation diagrams and you should have a good idea of the network wiring. Reading schematics and determining where wiring runs are an important part of the administrator’s role. Expect to see a schematic on your exam. Port locations should be carefully recorded and included in the documentation as well. SNMP can be used directly to map ports on switches and other devices; it is much easier, however, to use software applications that incorporate SNMP and use it to create ready-to-use documentation. A plethora of such programs are available; some are free and many are commercial products. Troubleshooting Using Wiring Schematics Some network administrators do not take the time to maintain quality documentation. This failure to keep updated information will haunt them when it comes time to troubleshoot some random network problems. Without any network wiring schematics, the task will be frustrating and time-consuming. The information shown in Figure 8.2 might be simplified, but you could use that documentation to evaluate the network and make recommendations. Caution When looking at a wiring schematic, pay close attention to where the cable is run and the type of cable used if the schematic indicates this information. If a correct cable is not used, a problem could occur Network wiring schematics are a work in progress. Although changes to wiring do not happen daily, they do occur when the network expands or old cabling is replaced. It is imperative to remember that when changes are made to the network, the schematics and their corresponding references must be updated to reflect the changes. Out-of-date schematics can be frustrating to work with Physical and Logical Network Diagrams In addition to the wiring schematics, documentation should include diagrams of the physical and logical network design. Recall from “Network Technologies, Topologies, and Types” that network topologies can be defined on a physical or a logical level. The physical topology refers to how a network is physically constructed—how it looks. The logical topology refers to how a network looks to the devices that use it—how it functions. Network infrastructure documentation isn’t reviewed daily; however, this documentation is essential for someone unfamiliar with the network to manage or troubleshoot the network. When it comes to documenting the network, you need to document all aspects of the infrastructure. This includes the physical hardware, physical structure, protocols, and software used. You should be able to identify a physical and logical diagram. You need to know the types of information that should be included in each diagram.
The physical documentation of the network should include the following elements: - Cabling information: A visual description of all the physical communication links, including all cabling, cable grades, cable lengths, WAN cabling, and more. - Servers: The server names and IP addresses, types of servers, and domain membership. - Network devices: The location of the devices on the network. This information includes the printers, hubs, switches, routers, gateways, and more. - Wide-area network: The location and devices of the WAN and components. - User information: Some user information, including the number of local and remote users. As you can see, many elements can be included in the physical network diagram.
The figure below shows a physical segment of a network. A physical network diagram
You should recognize the importance of maintaining documentation that includes network diagrams, asset management, IP address utilization, vendor documentation, and internal operating procedures, policies, and standards. Networks are dynamic, and changes can happen regularly, which is why the physical network diagrams also must be updated. Networks have different policies and procedures on how often updates should occur. Best practice is that the diagram should be updated whenever significant changes to the network occur, such as the addition of a switch or router, a change in protocols, or the addition of a new server. These changes impact how the network operates, and the documentation should reflect the changes. There are no hard-and-fast rules about when to change or update network documentation. However, most administrators want to update whenever functional changes to the network occur. The logical network refers to the direction in which data flows on the network within the physical topology. The logical diagram is not intended to focus on the network hardware but rather on how data flows through that hardware. In practice, the physical and logical topologies can be the same. In the case of the bus physical topology, data travels along the length of the cable from one computer to the next. So, the diagram for the physical and logical bus would be the same. This is not always the case. For example, a topology can be in the physical shape of a star, but data is passed in a logical ring. The function of data travel is performed inside a switch in a ring formation. So the physical diagram appears to be a star, but the logical diagram shows data flowing in a ring formation from one computer to the next. Simply put, it is difficult to tell from looking at a physical diagram how data is flowing on the network.
In today’s network environments, the star/hub-and-spoke topology is a common network implementation. Ethernet uses a physical star topology but a logical bus topology. In the center of the physical Ethernet star topology is a switch. It is what happens inside the switch that defines the logical bus topology. The switch passes data between ports as if they were on an Ethernet bus segment. In addition to data flow, logical diagrams may include additional elements, such as the network domain architecture, server roles, protocols used, and more.
The figure below shows how a logical topology may look in the form of network documentation. A logical topology diagram
The logical topology of a network identifies the logical paths that data signals travel over the network. Baseline Configurations Baselines play an integral part in network documentation because they let you monitor the network’s overall performance. In simple terms, a baseline is a measure of performance that indicates how hard the network is working and where network resources are spent. The purpose of a baseline is to provide a basis of comparison.
For example, you can compare the network’s performance results taken in March to results taken in June, or from one year to the next. More commonly, you would compare the baseline information at a time when the network is having a problem to information recorded when the network was operating with greater efficiency. Such comparisons help you determine whether there has been a problem with the network, how significant that problem is, and even where the problem lies. To be of any use, baselining is not a one-time task; rather, baselines should be taken periodically to provide an accurate comparison. You should take an initial baseline after the network is set up and operational, and then again when major changes are made to the network. Even if no changes are made to the network, periodic baselining can prove useful as a means to determine whether the network is still operating correctly. All network operating systems (NOSs), including Windows, macOS, UNIX, and Linux, have built-in support for network monitoring. In addition, many third-party software packages are available for detailed network monitoring. These system-monitoring tools provided in an NOS give you the means to take performance baselines, either of the entire network or for an individual segment within the network. Because of the different functions of these two baselines, they are called a system baseline and a component baseline. To create a network baseline, network monitors provide a graphical display of network statistics. Network administrators can choose a variety of network measurements to track. They can use these statistics to perform routine troubleshooting tasks, such as locating a malfunctioning network card, a downed server, or a denial-of-service (DoS) attack. Graphing, and the process of seeing data visually, can be much more helpful in identifying trends than looking at raw data and log files. Collecting network statistics is a process called capturing. Administrators can capture statistics on all elements of the network. For baseline purposes, one of the most common statistics to monitor is bandwidth usage. By reviewing bandwidth statistics, administrators can see where the bulk of network bandwidth is used. Then they can adapt the network for bandwidth use. If too much bandwidth is used by a particular application, administrators can actively control its bandwidth usage. Without comparing baselines, however, it is difficult to see what is normal network bandwidth usage and what is unusual. Remember that baselines need to be taken periodically and under the same conditions to be effective. They are used to compare current performance with past performance to help determine whether the network is functioning properly or if troubleshooting is required. Policies, Procedures, Configurations, and Regulations Well-functioning networks are characterized by documented policies, procedures, configurations, and regulations. Because they are unique to every network, policies, procedures, configurations, and regulations should be clearly documented. Policies By definition, policies refer to an organization’s documented rules about what is to be done, or not done, and why. Policies dictate who can and cannot access particular network resources, server rooms, backup media, and more. Although networks might have different policies depending on their needs, some common policies include the following: - Network usage policy: This policy defines who can use network resources such as PCs, printers, scanners, mobile devices, and remote connections. In addition, the usage policy dictates what can be done with these resources after they are accessed. No outside systems will be networked without permission from the network administrator. - Internet usage policy: This policy specifies the rules for Internet use on the job. Typically, usage should be focused on business-related tasks. Incidental personal use is allowed during specified times. - Bring-your-own-device (BYOD) policy: Bring-your-own-device (BYOD) policies define what personally owned mobile devices (laptops, tablets, and smartphones) employees are allowed to bring to their workplace and use. Mobile device management (MDM) and mobile application management (MAM) systems can be used to help enterprises manage and secure the use of those mobile devices in the workplace and to interact with privileged company information and applications. Two things the policy needs to address are onboarding and offboarding. Onboarding the mobile device is the set of procedures gone through to get it ready to go on the network (scanning for viruses, adding certain apps, and so forth). Offboarding is the process of removing company-owned resources when it is no longer needed (often done with a wipe or factory reset).
For the exam, be familiar with onboarding and offboarding. - Email usage policy: Email must follow the same code of conduct as expected in any other form of written or face-to-face communication. All emails are company property and can be accessed by the company. Personal emails should be immediately deleted. - Personal software policy: No outside software should be installed on network computer systems. All software installations must be approved by the network administrator. No software can be copied or removed from a site. Licensing restrictions must be adhered to. - Password policy: Detail how often passwords must be changed and the minimum level of security for each (number of characters, use of alphanumeric character set, longer phrases, and so on). - Acceptable use policy (AUP): Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware. This policy should also outline the consequences for misuse. In addition, the policy (also known as a use policy) should address installation of personal software on company computers and the use of personal hardware, such as USB devices. - User account policy: All users are responsible for keeping their password and account information secret. All staff are required to log off and sometimes lock their systems after they finish using them. Attempting to log on to the network with another user account is considered a serious violation. - International export controls: A number of laws and regulations govern what can and cannot be exported when it comes to software and hardware to various countries. Employees should take every precaution to make sure they are adhering to the letter of the law. - Data loss prevention (DLP): Losses from employees can quickly put a company in the red. All employees should understand that it is their responsibility to make sure all preventable losses are prevented. - Incident response plan: When an incident occurs, all employees should understand it is their responsibility to be on the lookout for it and report it immediately to the appropriate party. - Disaster recovery plan: Just as you should have a plan in place for responding to incidents, so, too, do you need one for disasters. This topic is explored in further detail in the section “High Availability and Disaster Recovery” later in this guide. - Business continuity plan (BCP): When an incident occurs, it is too late to consider policies and procedures then; this must be done well ahead of time. Business continuity should always be of the utmost concern. Business continuity is primarily concerned with the processes, policies, and methods that an organization follows to minimize the impact of a system failure, network failure, or the failure of any key component needed for operation. Business continuity planning (BCP) is the process of implementing policies, controls, and procedures to counteract the effects of losses, outages, or failures of critical business processes. BCP is primarily a management tool that ensures that critical business functions (CBFs) can be performed when normal business operations are disrupted. - Nondisclosure agreements (NDAs): NDAs are the oxygen that many companies need to thrive. Employees should understand the importance of them to continued business operations and agree to follow them to the letter, and spirit, of the law. - Service-level agreements (SLAs): A service-level agreement (SLA) is an agreement between you or your company and a service provider, typically a technical support provider. SLAs are also usually part of network availability and other agreements. They stipulate the performance you can expect or demand by outlining the expectations a vendor has agreed to meet. They define what is possible to deliver and provide the contract to make sure what is delivered is what was promised. - Memorandum of understanding (MOU): A memorandum of understanding (MOU) is an agreement between two or more parties that indicates what the relationship is between the parties. It is sometimes a precursor to a contract, but is often used in place of it when a contract would not do (such as defining the relationship between departments of the same organization). - Safety procedures and policies: Safety is everyone’s business, and all employees should know how to do their job in the safest manner while also looking out for other employees and customers alike. - Ownership policy: The company owns all data, including users’ email, voice mail, and Internet usage logs, and the company reserves the right to inspect them at any time. Some companies even go so far as controlling how much personal data can be stored on a workstation or mobile device.
This list is just a snapshot of the policies that guide the behavior for administrators and network users. Network policies should be clearly documented and available to network users. Often, these policies are reviewed with new staff members or new administrators. As they are updated, they are rereleased to network users. Policies are regularly reviewed and updated. You might be asked about network policies. Network policies dictate network rules and provide guidelines for network conduct. Policies are often updated and reviewed and are changed to reflect changes to the network and perhaps changes in business requirements. Password-Related Policies Although biometrics and smartcards are becoming more common, they still have a long way to go before they attain the level of popularity that username and password combinations enjoy. Usernames and passwords do not require any additional equipment, which practically every other method of authentication does; the username and password process is familiar to users, easy to implement, and relatively secure. For that reason, they are worthy of more detailed coverage than the other authentication systems previously discussed. Biometrics are not as ubiquitous as username/password combinations, but they are coming up quickly. Some smartphones, for example, offer the ability to use a fingerprint scanner and/or gestures to access the system instead of username and password. Features such as these are expected to become more common with future releases. Passwords are a relatively simple form of authentication in that only a string of characters can be used to authenticate the user. However, how the string of characters is used and which policies you can put in place to govern them make usernames and passwords an excellent form of authentication. Password Policies All popular network operating systems include password policy systems that enable the network administrator to control how passwords are used on the system. The exact capabilities vary between network operating systems. However, generally they enable the following: - Minimum length of password: Shorter passwords are easier to guess than longer ones. Setting a minimum password length does not prevent a user from creating a longer password than the minimum; however, each network operating system has a limit on how long a password can be. - Password expiration: Also known as the maximum password age, password expiration defines how long the user can use the same password before having to change it. A general practice is that a password be changed every 30 days. In high-security environments, you might want to make this value shorter, but you should generally not make it any longer. Having passwords expire periodically is a crucial feature because it means that if a password is compromised, the unauthorized user will not indefinitely have access. - Prevention of password reuse: Although a system might cause a password to expire and prompt the user to change it, many users are tempted to use the same password again. A process by which the system remembers the last 10 passwords, for example, is most secure because it forces the user to create completely new passwords. This feature is sometimes called enforcing password history. - Prevention of easy-to-guess passwords: Some systems can evaluate the password provided by a user to determine whether it meets a required level of complexity. Enabling this function prevents users from having passwords such as password, 12345678, their name, or their nickname.
The figure below shows an example of configuring a security policy in Windows for password complexity. Configuring a password security policy.
You must identify an effective password policy. For example, a robust password policy would include forcing users to change their passwords on a regular basis Password Strength No matter how good a company’s password policy, it is only as effective as the passwords created within it. A password that is hard to guess, or strong, is more likely to protect the data on a system than one that is easy to guess, or weak. If you are using only numbers and letters—and the OS is not case sensitive—36 possible combinations exist for each entry, and the total number of possibilities is 366. That might seem like a lot, but to a password-cracking program, it’s not much security. A password that uses eight case-sensitive characters, with letters, numbers, and special characters, has so many possible combinations that a standard calculator cannot display the actual number. There has always been a debate over how long a password should be. It should be sufficiently long that it is hard to break but sufficiently short that the user can easily remember it (and type it). In a normal working environment, passwords of 8 characters are sufficient. Certainly, they should be no fewer than 6 characters. In environments in which security is a concern, passwords should be 10 characters or more. Users should be encouraged to use a password that is considered strong. A strong password has at least eight characters; has a combination of letters, numbers, and special characters; uses mixed case; and does not form a proper word. Examples are 3Ecc5T0h and e1oXPn3r. Such passwords might be secure, but users are likely to have problems remembering them. For that reason, a popular strategy is to use a combination of letters and numbers to form phrases or long words. Examples include d1eTc0La and tAb1eT0p. These passwords might not be quite as secure as the preceding examples, but they are still strong and a whole lot better than the name of the user’s pet.
The National Institute of Standards and Technology (NIST) offers both requirements and recommendations when it comes to passwords. Their requirements include an eight-character minimum length, and changing passwords only if there is evidence of compromise. They also recommend that new passwords be screened against a list of known compromised passwords, password hints and knowledge-based security questions be skipped, and a limit placed on the number of failed authentication attempts that are allowed. Their recommendations, on the other hand, increase the password length to at least 64 characters, suggest character composition rules be skipped (they are an unnecessary burden for end-users), printable ASCII characters be allowed in addition to UNICODE characters (to now include emojis), and copy/paste functionality be enabled in password fields to facilitate the use of password managers. Procedures Network procedures differ from policies in that they describe how tasks are to be performed. For example, each network administrator has backup procedures specifying the time of day backups are done, how often they are done, and where they are stored. A network is full of a number of procedures for practical reasons and, perhaps more important, for security reasons. Administrators must be aware of several procedures when on the job. The number and exact type of procedure depend on the network. The network’s overall goal is to ensure uniformity and ensure that network tasks follow a framework. Without this procedural framework, different administrators might approach tasks differently, which could lead to confusion on the network.
Network procedures might include the following: - Backup procedures: Backup procedures specify when they are to be performed, how often a backup occurs, who does the backup, what data is to be backed up, and where and how it will be stored. Network administrators should carefully follow backup procedures. - Procedures for adding new users: When new users are added to a network, administrators typically have to follow certain guidelines to ensure that the users have access to what they need to do their job, but no more. This is called the principle of least privilege. - Privileged user agreement: Administrators and authorized users who have the ability to modify secure configurations and perform tasks such as account setup, account termination, account resetting, auditing, and so on need to be held to high standards. - Security procedures: Some of the more critical procedures involve security. Security procedures are numerous but may include specifying what the administrator must do if security breaches occur, security monitoring, security reporting, and updating the OS and applications for potential security holes. - Network monitoring procedures: The network needs to be constantly monitored. This includes tracking such things as bandwidth usage, remote access, user logons, and more. - Software procedures/system life cycle: All software must be periodically monitored and updated. Documented procedures dictate when, how often, why, and for whom these updates are done. When assets are disposed of, asset disposal procedures should be followed to properly document and log their removal. - Procedures for reporting violations: Users do not always follow outlined network policies. This is why documented procedures should exist to properly handle the violations. This might include a verbal warning upon the first offense, followed by written reports and account lockouts thereafter. - Remote-access policy and network admission procedures: Many workers remotely access the network. This remote access is granted and maintained using a series of defined procedures. These procedures might dictate when remote users can access the network, how long they can access it, and what they can access. Network admission control (NAC)—also referred to as network access control—determines who can get on the network and is usually based on 802.1X guidelines. Change Management Documentation Change management procedures might include the following: - Document reason for a change: Before making any change at all, the first question to ask is why. A change requested by one user may be based on a misunderstanding of what technology can do, may be cost prohibitive, or may deliver a benefit not worth the undertaking. - Change request: An official request should be logged and tracked to verify what is to be done and what has been done. Within the realm of the change request should be the configuration procedures to be used, the rollback process that is in place, potential impact identified, and a list of those who need to be notified. - Approval process: Changes should not be approved on the basis of who makes the most noise, but rather who has the most justified reasons. An official process should be in place to evaluate and approve changes prior to actions being undertaken. The approval can be done by a single administrator or a formal committee based on the size of your organization and the scope of the change being approved. - Maintenance window: After a change has been approved, the next question to address is when it is to take place. Authorized downtime should be used to make changes to production environments. - Notification of change: Those affected by a change should be notified after the change has taken place. The notification should not be just of the change but should include any and all impacts to them and identify whom they can turn to with questions. - Documentation: One of the last steps is always to document what has been done. This documentation should include information on network configurations, additions to the network, and physical location changes. These procedures represent just a few of the ones that administrators must follow on the job. It is crucial that all these procedures are well documented, accessible, reviewed, and updated as needed to be effective. Configuration Documentation One other critical form of documentation is configuration documentation. Many administrators believe they could never forget the configuration of a router, server, or switch, but it often happens. Although it is often a thankless, time-consuming task, documenting the network hardware and software configurations is critical for continued network functionality. Two primary types of network configuration documentation are required: software documentation and hardware documentation. Both include all configuration information so that should a computer or other hardware fail, both the hardware and software can be replaced and reconfigured as quickly as possible. The documentation is important because often the administrator who configured the software or hardware is unavailable, and someone else has to re-create the configuration using nothing but the documentation. To be effective in this case, the documentation must be as current as possible. Older configuration information might not help. Organizing and completing the initial set of network documentation are huge tasks, but they are just the beginning. Administrators must constantly update all documentation to keep it from becoming obsolete. Documentation is perhaps one of the less-glamorous aspects of the administrator’s role, but it is one of the most important. Regulations The terms regulation and policy are often used interchangeably; however, there is a difference. As mentioned, policies are written by an organization for its employees. Regulations are actual legal restrictions with legal consequences. These regulations are set not by the organizations but by applicable laws in the area. Improper use of networks and the Internet can certainly lead to legal violations and consequences. The following is an example of network regulation from an online company: Transmission, distribution, uploading, posting or storage of any material in violation of any applicable law or regulation is prohibited. This includes, without limitation, material protected by copyright, trademark, trade secret or other intellectual property right used without proper authorization, material kept in violation of state laws or industry regulations such as social security numbers or credit card numbers, and material that is obscene, defamatory, libelous, unlawful, harassing, abusive, threatening, harmful, vulgar, constitutes an illegal threat, violates export control laws, hate propaganda, fraudulent material or fraudulent activity, invasive of privacy or publicity rights, profane, indecent or otherwise objectionable material of any kind or nature. You may not transmit, distribute, or store material that contains a virus, ‘Trojan Horse,’ adware or spyware, corrupted data, or any software or information to promote or utilize software or any of Network Solutions services to deliver unsolicited email. You further agree not to transmit any material that encourages conduct that could constitute a criminal offense, gives rise to civil liability or otherwise violates any applicable local, state, national or international law or regulation. For the exam and for real-life networking, remember that regulations often are enforceable by law. Labeling One of the biggest problems with documentation is the time needed to do it. To shorten this time, users, through human nature, take shortcuts and use code or shorthand when labeling devices, maps, reports, and the like. Although these shortcuts can save time initially, they can render the labels useless if a person other than the one who created the labels looks at them or if a long period of time has passed since they were created and the author cannot remember what the label now means. To prevent this dilemma, it is highly recommended that each organization create standard labeling rules and enforce them at all levels. You have been given a physical wiring schematic that shows the following: High Availability and Disaster Recovery - Explain high availability and disaster recovery concepts and summarize which is the best solution. 1. What is the difference between an incremental backup and a differential backup? 2. True or false: A brownout is total failure of the power supplied to the server. 3. What are hot, warm, and cold sites used for? 4. True or false: The MTTR is the measurement of the anticipated or predicted incidence of failure of a system or component between inherent failures, whereas the MTBF is the measurement of how long it takes to repair a system or component after a failure occurs. 5. What is the concept of simultaneous management and utilization of multiple available paths for the transmission of streams of data called?
Answers: 1. With incremental backups, all data that has changed since the last full or incremental backup is backed up. The restore procedure requires several backup iterations: the media used in the latest full backup and all media used for incremental backups since the last full backup. An incremental backup uses the archive bit and clears it after a file is saved to disk. With a differential backup, all data changed since the last full backup is backed up. The restore procedure requires the latest full backup media and the latest differential backup media. A differential backup uses the archive bit to determine which files must be backed up but does not clear it. 2. False. A total failure of the power supplied to the server is called a blackout. 3. Hot, warm, and cold sites are designed to provide alternative locations for network operations if a disaster occurs. 4. False. The MTBF is the measurement of the anticipated or predicted incidence of failure of a system or component between inherent failures, whereas the MTTR is the measurement of how long it takes to repair a system or component after a failure occurs. 5. Multipathing is the concept of simultaneous management and utilization of multiple available paths for the transmission of streams of data.
Even the most fault-tolerant networks can fail, which is an unfortunate fact. When those costly and carefully implemented fault-tolerance strategies fail, you are left with disaster recovery. Disaster recovery can take many forms. In addition to disasters such as fire, flood, and theft, many other potential business disruptions can fall under the banner of disaster recovery. For example, the failure of the electrical supply to your city block might interrupt the business functions. Such an event, although not a disaster per se, might invoke the disaster recovery methods. The cornerstone of every disaster recovery strategy is the preservation and recoverability of data. When talking about preservation and recoverability, you must talk about backups. Implementing a regular backup schedule can save you a lot of grief when fault tolerance fails or when you need to recover a file that has been accidentally deleted. When it’s time to design a backup schedule, you can use three key types of backups: full, differential, and incremental. Backups Backups are equivalent to an insurance policy for a server, workstation, or any other data-containing device. Most of the time, they are nothing but time-/resource-consuming entities that make you wonder why you are wasting your time doing them. When disaster happens, however, you realize immediately their worth and kick yourself for not doing them with even more frequency. Full Backups The preferred method of backup is the full backup method, which copies all files and directories from the hard disk to the backup media. There are a few reasons why doing a full backup is not always possible. First among them is likely the time involved in performing a full backup. During a recovery operation, a full backup is the fastest way to restore data of all the methods discussed here, because only one set of media is required for a full restore. Depending on the amount of data to be backed up, however, full backups can take an extremely long time when you are backing up and can use extensive system resources. Depending on the configuration of the backup hardware, completing this backup can considerably slow down the network. In addition, some environments have more data than can fit on a single medium. Therefore, doing a full backup is awkward because someone might need to be there to change the media. The main advantage of full backups is that a single set of media holds all the data you need to restore. If a failure occurs, that single set of media should be all that is needed to get all data and system information back. The upshot of all this is that any disruption to the network is greatly reduced. Unfortunately, its strength can also be its weakness. A single set of media holding an organization’s data can be a security risk. If the media were to fall into the wrong hands, all the data could be restored on another computer. Using passwords on backups and using a secure offsite and onsite location can minimize the security risk. Differential Backups Companies that don’t have enough time to complete a full backup daily can use the differential backup. Differential backups are faster than a full backup because they back up only the data that has changed since the last full backup. This means that if you do a full backup on a Saturday and a differential backup on the following Wednesday, only the data that has changed since Saturday is backed up. Restoring the differential backup requires the last full backup and the latest differential backup. Differential backups know what files have changed since the last full backup because they use a setting called the archive bit. The archive bit flags files that have changed or have been created and identifies them as ones that need to be backed up. Full backups do not concern themselves with the archive bit because all files are backed up, regardless of date. A full backup, however, does clear the archive bit after data has been backed up to avoid future confusion. Differential backups notice the archive bit and use it to determine which files have changed. The differential backup does not reset the archive bit information. Incremental Backups Some companies have a finite amount of time they can allocate to backup procedures. Such organizations are likely to use incremental backups in their backup strategy. Incremental backups save only the files that have changed since the last full or incremental backup. Like differential backups, incremental backups use the archive bit to determine which files have changed since the last full or incremental backup. Unlike differentials, however, incremental backups clear the archive bit, so files that have not changed are not backed up. Both full and incremental backups clear the archive bit after files have been backed up. The faster backup time of incremental backups comes at a price—the amount of time required to restore. Recovering from a failure with incremental backups requires numerous sets of media—all the incremental backup media sets and the one for the most recent full backup. For example, if you have a full backup from Sunday and an incremental for Monday, Tuesday, and Wednesday, you need four sets of media to restore the data. Each set in the rotation is an additional step in the restore process and an additional failure point. One damaged incremental media set means that you cannot restore the data. TABLE: Backup Strategies
Category 5E 350 MHz plenum-rated cable
Cable runs 50 feet from the MDF to the IDF.
Cable placed through the ceiling and through a mechanical room.
Cable was installed 01/15/2018, upgrading a nonplenum cable.
Category 5E 350 MHz nonplenum cable
Horizontal cable runs 45 feet to 55 feet from the IDF to a wall jack.
Cable 6 replaced Category 5e cable February 2018.
Section of cable run through ceiling and over fluorescent lights.
Category 6a UTP cable
Patch cable connecting printer runs 15 feet due to printer placement.
8.3-micron core/125-micron
Connecting fiber cable runs 2 kilometers cladding single mode between the primary and secondary buildings.
Backup Type
Advantage
Disadvantage
Data Backed Up
Archive Bit
Full
Backs up all data on a single media set. Restoring data requires the fewest media sets.
Depending on the amount of data, full backups can take a long time.
All files and directories are backed up.
Does not use the archive bit, but resets it after data has been backed up.
Differential
Faster backups than a full backup.
The restore process takes longer than just a full backup.
A differential backup uses more media sets than a full backup.
All files and directories that have changed since the last full backup.
Uses the archive bit to determine the files that have changed, but does not reset the archive bit.
Incremental
Faster backup times
An incremental backup requires multiple disks; restoring data takes more time than the other backup methods.
The files and directories that have changed since the last full or incremental backup.
Uses the archive bit to determine the files that have changed, and resets the archive bit.
Snapshots In addition to the three types of backups previously discussed, there are also snapshots. Whereas a backup can take a long time to complete, the advantage of a snapshot—an image of the state of a system at a particular point in time—is that it is an instantaneous copy of the system. This snapshot is often accomplished by splitting a mirrored set of disks or by creating a copy of a disk block when it is written to preserve the original and keep it available. Snapshots are popular with virtual machine implementations. You can take as many snapshots as you want (provided you have enough storage space) to be able to revert a machine to a “saved” state. Snapshots contain a copy of the virtual machine settings (hardware configuration), information on all virtual disks attached, and the memory state of the machine at the time of the snapshot. This makes the snapshots additionally useful for virtual machine cloning, allowing the machine to be copied once—or multiple times—for testing. Think of a snapshot as a photograph, which is where the name came from, of a moment in time of any system. Backup Best Practices Many details go into making a backup strategy a success. The following are issues to consider as part of your backup plan: - Offsite storage: Consider storing backup media sets offsite so that if a disaster occurs in a building, a current set of media is available offsite. The offsite media should be as current as any onsite and should be secure. - Label media: The goal is to restore the data as quickly as possible. Trying to find the media you need can prove difficult if it is not marked. Furthermore, labeling can prevent you from recording over something you need to keep. - Verify backups: Never assume that the backup was successful. Seasoned administrators know that checking backup logs and performing periodic test restores are part of the backup process. - Cleaning: You need to occasionally clean the backup drive. If the inside gets dirty, backups can fail. A backup strategy must include offsite storage to account for theft, fire, flood, or other disasters. Using Uninterruptible Power Supplies No discussion of fault tolerance can be complete without a look at power-related issues and the mechanisms used to combat them. When you design a fault-tolerant system, your planning should definitely include uninterruptible power supplies (UPSs). A UPS serves many functions and is a major part of server consideration and implementation. On a basic level, a UPS, also known as a battery backup, is a box that holds a battery and built-in charging circuit. During times of good power, the battery is recharged; when the UPS is needed, it’s ready to provide power to the server. Most often, the UPS is required to provide enough power to give the administrator time to shut down the server in an orderly fashion, preventing any potential data loss from a dirty shutdown. Why Use a UPS? Organizations of all shapes and sizes need UPSs as part of their fault-tolerance strategies. A UPS is as important as any other fault-tolerance measure. Three key reasons make a UPS necessary: - Data availability: The goal of any fault-tolerance measure is data availability. A UPS ensures access to the server if a power failure occurs—or at least as long as it takes to save a file. - Protection from data loss: Fluctuations in power or a sudden power-down can damage the data on the server system. In addition, many servers take full advantage of caching, and a sudden loss of power could cause the loss of all information held in cache. - Protection from hardware damage: Constant power fluctuations or sudden power-downs can damage hardware components within a computer. Damaged hardware can lead to reduced data availability while the hardware is repaired. Power Threats In addition to keeping a server functioning long enough to safely shut it down, a UPS safeguards a server from inconsistent power. This inconsistent power can take many forms. A UPS protects a system from the following power-related threats: - Blackout: A total failure of the power supplied to the server. - Spike: A short (usually less than 1 second) but intense increase in voltage. Spikes can do irreparable damage to any kind of equipment, especially computers. - Surge: Compared to a spike, a surge is a considerably longer (sometimes many seconds) but usually less intense increase in power. Surges can also damage your computer equipment. - Sag: A short-term voltage drop (the opposite of a spike). This type of voltage drop can cause a server to reboot. - Brownout: A drop in voltage that usually lasts more than a few minutes.
Many of these power-related threats can occur without your knowledge; if you don’t have a UPS, you cannot prepare for them. For the cost, it is worth buying a UPS, if for no other reason than to sleep better at night. Beyond the UPS Power management is not limited only to the use of UPSs. In addition, to these devices, you should employ power generators to be able to keep your systems up and running when the electrical provider is down for an extended period of time. Redundant circuits and dual power supplies should also be used for key equipment. Any device fitted with multiple outputs that is specifically designed to distribute electric power is known as a power distribution unit (PDU), and they are often plentiful in datacenters for supplying power to racks. The two main types of PDUs are “Basic” and “Intelligent”; the latter is any that is networked (allowing for remote management of power metering, toggling an outlet on/off, and so on). You want to make sure that power can stay up and running in the event of a crisis, so two other areas to pay attention to are the heating, ventilation, and air conditioning (HVAC) and the fire suppression system. It will do little good to keep the computers and servers running if you cannot keep the temperature within an operating range and provide safety in the event a fire occurs. Redundant systems should be considered for both of these crucial areas and regularly maintained. Cold, Warm, Hot, and Cloud Sites A disaster recovery plan might include the provision for a recovery site that can be quickly brought into play. These sites fall into three categories: hot, warm, and cold. The need for each of these types of sites depends largely on the business you are in and the funds available. Disaster recovery sites represent the ultimate in precautions for organizations that need them. As a result, they do not come cheaply. The basic concept of a disaster recovery site is that it can provide a base from which the company can be operated during a disaster. The disaster recovery site normally is not intended to provide a desk for every employee. It’s intended more as a means to allow key personnel to continue the core business functions. In general, a cold recovery site is one that can be up and operational in a relatively short amount of time, such as a day or two. Provision of services, such as telephone lines and power, is taken care of, and the basic office furniture might be in place. But there is unlikely to be any computer equipment, even though the building might have a network infrastructure and a room ready to act as a server room. In most cases, cold sites provide the physical location and basic services. Cold sites are useful if you have some forewarning of a potential problem. Generally, cold sites are used by organizations that can weather the storm for a day or two before they get back up and running. If you are the regional office of a major company, it might be possible to have one of the other divisions take care of business until you are ready to go. But if you are the only office in the company, you might need something a little hotter. For organizations with the dollars and the desire, hot recovery sites represent the ultimate in fault-tolerance strategies. Like cold recovery sites, hot sites are designed to provide only enough facilities to continue the core business function, but hot recovery sites are set up to be ready to go at a moment’s notice. A hot recovery site includes phone systems with connected phone lines. Data networks also are in place, with any necessary routers and switches plugged in and turned on. Desks have installed and waiting desktop PCs, and server areas are equipped with the necessary hardware to support business-critical functions. In other words, within a few hours, the hot site can become a fully functioning element of an organization. The issue that confronts potential hot-recovery site users is that of cost. Office space is expensive in the best of times, but having space sitting idle 99.9 percent of the time can seem like a tremendously poor use of money. A popular strategy to get around this problem is to use space provided in a disaster recovery facility, which is basically a building, maintained by a third-party company, in which various businesses rent space. Space is usually apportioned according to how much each company pays. Sitting between the hot and cold recovery sites is the warm site. A warm site typically has computers but is not configured ready to go. This means that data might need to be upgraded or other manual interventions might need to be performed before the network is again operational. The time it takes to get a warm site operational lands right in the middle of the other two options, as does the cost. A hot site mirrors the organization’s production network and can assume network operations at a moment’s notice. Warm sites have the equipment needed to bring the network to an operational state but require configuration and potential database updates. A cold site has the space available with basic services but typically requires equipment delivery. One of the newer types of sites being marketed is a cloud site. Similar to a warm site, a cloud site is available when needed. The difference between the cloud site and the warm site is that the warm site is often dedicated to the company while a cloud site is controlled by a provider who may market availability of it to many different companies (like an insurance policy) knowing that the odds are good that only one will need it at a time. High Availability and Recovery Concepts Critical business functions refer to those processes or systems that must be made operational immediately when an outage occurs. The business can’t function without them, and many are information intensive and require access to both technology and data. When you evaluate your business’s sustainability, realize that disasters do indeed happen. If possible, build infrastructures that don’t have a single point of failure (SPOF) or connection. If you’re the administrator for a small company, it is not uncommon for the SPOF to be a router/gateway, but you must identify all critical nodes and critical assets. The best way to remove an SPOF from your environment is to add in redundancy. Know that every piece of equipment can be rated in terms of mean time between failures (MTBF) and mean time to recovery (MTTR). The MTBF is the measurement of the anticipated or predicted incidence of failure of a system or component between inherent failures, whereas the MTTR is the measurement of how long it takes to repair a system or component after a failure occurs. The recovery time objective (RTO) is the maximum amount of time that a process or service is allowed to be down and the consequences still considered acceptable. Beyond this time, the break in business continuity is considered to affect the business negatively. The recovery point objective (RPO) is the maximum time in which transactions could be lost from a major incident—how much you are willing to walk away from in order to get everything up and running again. Both RTO and RPO have to be balanced in coming up with a policy for how to deal with incidents. For the exam, make sure you know the differences between MTBF, MTTR, RTO, and RPO. Know what the acronyms stand for and what they mean.
Some technologies that can help with availability are the following: - Fault tolerance is the capability to withstand a fault (failure) without losing data. This can be accomplished through the use of RAID, backups, and similar technologies. Popular fault-tolerant RAID implementations include RAID 1, RAID 5, and RAID 10. - Load balancing is a technique in which the workload is distributed among several servers. This feature can take networks to the next level; it increases network performance, reliability, and availability. A load balancer can be either a hardware device or software specially configured to balance the load. Remember that load balancing increases redundancy and therefore data availability. Also, load balancing increases performance by distributing the workload - Multipathing is the concept of simultaneous management and utilization of multiple available paths for the transmission of streams of data. By increasing the available paths that data can take, often by introducing redundancy, it is possible to decrease the likelihood of a path’s failure bringing operations down. - Redundant hardware is a key component of making sure systems have a chance of staying up in the event of a failure of any one component. Redundancy can apply to switches, routers, firewalls, and literally any other piece of hardware that network operations are dependent upon. - Network interface card (NIC) teaming is the process of combining multiple network cards for performance and redundancy (fault tolerance) reasons. This can also be called bonding, balancing, or aggregation. - Port aggregation is the combining of multiple ports on a switch; it can be done one of three ways: auto, desirable, or on. - Clustering is a method of balancing loads and providing fault tolerance. Use vulnerability scanning and penetration testing to find the weaknesses in your systems before others do. Make sure that end user awareness and training are priorities when it comes to identifying problems and that you stress adherence to standards and policies. Those policies should include the following: - Network policies: Similar to AUPs, these policies describe acceptable uses for the network resources. - Security policies: Security policies define what controls are required to implement and maintain the security of systems, users, and networks.
These policies should be used as guides in system implementations and evaluations. One of particular note is a consent to monitoring policy in which employees and other network users acknowledge that they know they’re being monitored and consent to it. As you study for the exam, three topics to pay attention to are adherence to standards and policies, vulnerability scanning, and penetration testing. All these policies are important, but those that relate to first responders and deal with data breaches are of elevated importance. Active-Active Versus Active-Passive When it comes to high availability, solutions fall into two types of approaches: active-active and active-passive. The difference between the two is pretty straightforward: if the devices to be used in the event of a failure are in use normally, that is active-active because they are both currently active. An example would be nodes in a cluster: they are all currently in use and can carry on in the event of a failure. If, on the other hand, a device is not is use currently but becomes activated by a failure (a failover), that is active-passive. An example would be having multiple phone carriers or Internet service providers (ISPs) able to provide service to a facility and using only one unless their service goes out, in which case the others are activated. Redundancy and availability can be contracted with multiple ISPs to create diverse paths and make sure you can stay up in the event an ISP experiences a failure. You can also use redundancy with routers through the use of Virtual Router Redundancy Protocol (VRRP) and First Hop Redundancy Protocol (FHRP). The Virtual Router Redundancy Protocol (VRRP) is used to automatically assign routers to hosts. It creates virtual routers (abstract representations of multiple routers) that act as a group. The default gateway on a host is configured to the virtual router rather than a physical router, and so if the physical router fails, a redundant choice is already built in to the group. There are several First Hop Redundancy Protocols (FHRP); one of the more popular is the Hot Standby Router Protocol (HSRP) that is exclusive to Cisco. All work by allowing a default router address to be configured to be used in the event that the primary router fails. For the exam, be able to explain the differences between VRRP and FHRP. Monitoring Network Performance - Given a scenario, use the appropriate statistics and sensors to ensure network availability. 1. What can be used to capture network data? 2. True or false: Port scanners detect open and often unsecured ports. 3. True or false: Interface monitoring tools can be used to create “heat maps” showing the quantity and quality of wireless network coverage in areas. 4. True or false: Always test updates on a lab machine before rolling out on production machines. 5. What is it known as when you roll a system back to a previous version of a driver or firmware?
Answers: 1. Packet sniffers can be used by both administrators and hackers to capture network data. 2. True. Port scanners detect open and often unsecured ports. 3. False. Wireless survey tools can be used to create heat maps showing the quantity and quality of wireless network coverage in areas. 4. True. Always test updates on a lab machine before rolling out on production machines. 5. Rolling a system back to a previous version is known as downgrading and is often necessary when dealing with legacy systems and implementations.
When networks were smaller and few stretched beyond the confines of a single location, network management was a simple task. In today’s complex, multisite, hybrid networks, however, the task of maintaining and monitoring network devices and servers has become a complicated but essential part of the network administrator’s role. Nowadays, the role of network administrator often stretches beyond the physical boundary of the server room and reaches every node and component on the network. Whether an organization has 10 computers on a single segment or a multisite network with several thousand devices attached, the network administrator must monitor all network devices, protocols, and usage—preferably from a central location. Given the sheer number and diversity of possible devices, software, and systems on any network, it is clear why network management is such a significant consideration. Although a robust network management strategy can improve administrator productivity, increase uptime, and reduce downtime, many companies choose to neglect network management because of the time involved in setting up the system or because of the associated costs. If these companies understood the potential savings, they would realize that neglecting network management provides false economies. Network management and network monitoring are essentially methods to control, configure, and monitor devices on a network. Imagine a scenario in which you are a network administrator working out of your main office in Spokane, Washington, and you have satellite offices in New York, Dallas, Vancouver, and London. Network management allows you to access systems in the remote locations or have the systems notify you when something goes awry. In essence, network management is about seeing beyond your current boundaries and acting on what you see. Network management is not one thing. Rather, it is a collection of tools, systems, and protocols that, when used together, enables you to perform tasks such as reconfiguring a network card in the next room or installing an application in the next state. Common Performance Metrics The capabilities demanded from network management vary somewhat among organizations, but essentially, several key types of information and functionality are required, such as fault detection and performance monitoring. Some of the types of information and functions that network management tools can provide include the following: - Temperature: You should make certain that devices are running within the acceptable range. Usually, the biggest problem is heat, so you need to get rid of it to keep systems from overheating or encountering chip creep. - Utilization: Once upon a time, it was not uncommon for a network to have to limp by with scarce resources. Administrators would constantly have to trim logs and archive files to keep enough storage space available to service print jobs. Those days are gone, and any such hint of those conditions would be unacceptable today. For you to keep this from happening, one of the keys is to manage utilization and stay on top of problems before they escalate. Several areas of utilization to monitor are as follows: - Bandwidth/throughput: There must be enough bandwidth to serve all users, and you need to be alert for bandwidth hogs. You want to look for top talkers (those that transmit the most) and top listeners (those that receive the most) and figure out why they are so popular. NetFlow data can be used to ascertain this information and allow you to decide how to best respond. NetFlow is a network protocol analyzer developed by Cisco. - Storage space: Free space needs to be available for all users, and quotas may need to be implemented. - Network device CPU: Just as a local machine will slow when the processor is maxed out, so will the network. - Network device memory: It is next to impossible to have too much memory. You should balance loads to optimize the resources you have to work with. - Wireless channel utilization: Akin to bandwidth utilization is channel utilization in the wireless realm. As a general rule, a wireless network starts experiencing performance problems when channel utilization reaches 50 percent of the channel capacity. - Latency: One of the biggest problems with satellite access is trouble with latency (the time lapse between sending or requesting information and the time it takes to return). Satellite communication experiences high latency due to the distance it has to travel as well as weather conditions. While latency is not restricted solely to satellites, it is one of the easiest forms of transmission to associate with it. In reality, latency can occur with almost any form of transmission. - Jitter: Closely tied to latency, jitter differs in that the length of the delay between received packets differs. While the sender continues to transmit packets in a continuous stream and space them evenly apart, the delay between packets received varies instead of remaining constant. This issue can be caused by network congestion, improper queuing, or configuration errors. - Fault detection: One of the most vital aspects of network management is knowing if anything is not working or is not working correctly. Network management tools can detect and report on a variety of faults on the network. Given the number of possible devices that constitute a typical network, determining faults without these tools could be an impossible task. In addition, network management tools might not only detect the faulty device but also shut it down. This means that if a network card is malfunctioning, you can remotely disable it. When a network spans a large area, fault detection becomes even more invaluable because it enables you to be alerted to network faults and to manage them, thereby reducing downtime.
Most of this discussion involves your being alerted to some condition. Those alerts can generally be sent to you through email or Short Message Service (SMS) to any mobile device. - Performance monitoring: Another feature of network management is the ability to monitor network performance. Performance monitoring is an essential consideration that gives you some crucial information. Specifically, performance monitoring can provide network usage statistics and user usage trends. This type of information is essential when you plan network capacity and growth. Monitoring performance also helps you determine whether there are any performance-related concerns, such as whether the network can adequately support the current user base. - Security monitoring: Good server administrators have a touch of paranoia built in to their personality. A network management system enables you to monitor who is on the network, what they are doing, and how long they have been doing it. More important, in an environment in which corporate networks are increasingly exposed to outside sources, the ability to identify and react to potential security threats is a priority. Reading log files to learn of an attack is a poor second to knowing that an attack is in progress and being able to react accordingly. One thing to look for is changes in raw data values; these changes can be identified through comparisons of cyclic redundancy check (CRC) values. Look for CRC errors, as well as giants (packets that are discarded because they exceed the medium's maximum packet size), runts (packets that are discarded because they are smaller than the medium's minimum packet size), and encapsulation errors. - Link state status: You should regularly monitor link status to make sure that connections are up and functioning (or down, if expected to be). Breaks should be found and identified as quickly as possible to repair them or find workarounds. A number of link status monitors exist for the purpose of monitoring connectivity, and many can reroute (per a configured script file) when a down condition occurs. - Interface monitoring: Just as you want to monitor for a link going down, you also need to know when an interface has problems. Particular problems to watch for include errors, utilization problems (unusually high, for example), discards, packet drops, resets, and problems with speed/duplex. An interface monitoring tool is invaluable for troubleshooting problems here. - Maintenance and configuration: Want to reconfigure or shut down the server located in Australia? Reconfigure a local router? Change the settings on a client system? Remote management and configuration are key parts of the network management strategy, enabling you to centrally manage huge multisite locations. - Environmental monitoring: It is important to monitor the server room, and other key equipment, for temperature and humidity conditions. Humidity control prevents the buildup of static electricity and reduces the chances of electronic components becoming vulnerable to damage from electrostatic shock; not only can very low humidity lead to increased static electricity, but it can also contribute to health problems, such as skin irritation. Environmental monitoring tools can alert you to any dangers that arise here. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) recommends that relative humidity be maintained below 60 percent and the relative humidity should be greater than 30 percent.
For the exam, recognize the role humidity plays in controlling electrostatic shock. - Power monitoring: A consistent flow of reliable energy is needed to keep a network up and running. A wide array of power monitoring tools are available to help identify and log problems that you can then begin to resolve. - Wireless monitoring: As more networks go wireless, you need to pay special attention to issues associated with them. Wireless survey tools can be used to create heat maps showing the quantity and quality of wireless network coverage in areas. They can also allow you to see access points (including rogues) and security settings. These can be used to help you design and deploy an efficient network, and they can also be used (by you or others) to find weaknesses in your existing network (often marketed for this purpose as wireless analyzers).
Many tools are available to help monitor the network and ensure that it is properly functioning. Some tools, such as a packet sniffer, can be used to monitor traffic by administrators and those who want to obtain data that does not belong to them. The following sections look at several monitoring tools. SNMP Monitors An SNMP management system is a computer running a special piece of software called a network management system (NMS). These software applications can be free, or they can cost thousands of dollars. The difference between the free applications and those that cost a great deal of money normally boils down to functionality and support. All NMS applications, regardless of cost, offer the same basic functionality. Today, most NMS applications use graphical maps of the network to locate a device and then query it. The queries are built into the application and are triggered by pointing and clicking. You can actually issue SNMP requests from a command-line utility, but with so many tools available, this is unnecessary. Using SNMP and an NMS, you can monitor all the devices on a network, including switches, hubs, routers, servers, and printers, as well as any device that supports SNMP, from a single location. Using SNMP, you can see the amount of free disk space on a server in Jakarta or reset the interface on a router in Helsinki—all from the comfort of your desk in San Jose. Such power, though, brings with it some considerations. For example, because an NMS enables you to reconfigure network devices, or at least get information from them, it is common practice to implement an NMS on a secure workstation platform, such as a Linux or Windows server, and to place the NMS PC in a secure location. Management Information Base (MIB) SNMP uses databases of information called MIBs to define what parameters are accessible, which of the parameters are read-only, and which can be set. MIBs are available for thousands of devices and services, covering every imaginable need. Object identifiers (OIDs) uniquely identify managed objects within an MIB hierarchy. Quite simply, an OID is an address used to identify each node in a tree structure. The addresses are integers separated by periods, corresponding to the path from the root through the series of ancestor nodes, to the node. Each node in the tree is controlled by an assigning authority who can create child nodes and delegate assigning authority for the child nodes. To ensure that SNMP systems offer cross-platform compatibility, MIB creation is controlled by the International Organization for Standardization (ISO). An organization that wants to create MIBs can apply to the ISO. The ISO then assigns the organization an ID under which it can create MIBs as it sees fit. The assignment of numbers is structured within a conceptual model called the hierarchical name tree. When studying for the Network+ exam, be sure that you know SNMP and its use of traps, object identifiers (OIDs), and management information bases (MIBs). Network Performance, Load, and Stress Testing To test the network, administrators often perform three distinct types of tests: Performance tests Load tests Stress tests
These test names are sometimes used interchangeably. Although some overlap exists, they are different types of network tests, each with different goals. Performance Tests A performance test is, as the name suggests, all about measuring the network’s current performance level. The goal is to take ongoing performance tests and evaluate and compare them, looking for potential bottlenecks. For performance tests to be effective, they need to be taken under the same type of network load each time, or the comparison is invalid. For example, a performance test taken at 3 a.m. will differ from one taken at 3 p.m. The goal of performance testing is to establish baselines for the comparison of network functioning. The results of a performance test are meaningless unless you can compare them to previously documented performance levels. Load Tests and Send/Receive Traffic Load testing has some overlap with performance testing. Sometimes called volume or endurance testing, load tests involve artificially placing the network under a larger workload. For example, the network traffic might be increased throughout the entire network. After this is done, performance tests can be done on the network with the increased load. Load testing is sometimes done to see if bugs exist in the network that are not currently visible but that may become a problem as the network grows. For example, the mail server might work fine with current requirements. However, if the number of users in the network grew by 10 percent, you would want to determine whether the increased load would cause problems with the mail server. Load tests are all about finding a potential problem before it happens. Performance tests and load tests are actually quite similar; however, the information outcomes are different. Performance tests identify the current level of network functioning for measurement and benchmarking purposes. Load tests are designed to give administrators a look into the future of their network load and to see whether the current network infrastructure can handle it. Performance tests are about network functioning today. Load tests look forward to see whether performance may be hindered in the future by growth or other changes to the network. Stress Tests Whereas load tests do not try to break the system under intense pressure, stress tests sometimes do. They push resources to the limit. Although these tests are not done often, they are necessary and—for administrators, at least—entertaining. Stress testing has two clear goals: It shows you exactly what the network can handle. Knowing a network’s breaking point is useful information when you consider network expansion. It enables you to test your backup and recovery procedures. If a test knocks out network resources, you can verify that your recovery procedures work. Stress testing enables you to observe network hardware failure. Stress tests assume that someday something will go wrong, and you will know exactly what to do when it happens. Performance Metrics Whether the testing being done is related to performance, load, or stress, you have to choose the metrics you want to monitor and focus on. Although a plethora of options are available, the most common four are the following: - Error rate: This metric identifies the frequency of errors. - Utilization: This metric shows the percentage of resources being utilized. - Packet drops: This metric shows how many packets of data on the network fail to reach their destination. - Bandwidth/throughput: This metric involves the capability to move data through a channel as related to the total capability of the system to identify bottlenecks, throttling, and other issues. Network Device Logs In a network environment, all NOSs and most firewalls, proxy servers, and other network components have logging features. These logging features are essential for network administrators to review and monitor. Many types of logs can be used. The following sections review some of the most common log file types. On a Windows Server system, as with the other operating systems, events and occurrences are logged to files for later review. Windows Server and desktop systems use Event Viewer to view many of the key log files. The logs in Event Viewer can be used to find information on, for example, an error on the system or a security incident. Information is recorded into key log files; however, you will also see additional log files under certain conditions, such as if the system is a domain controller or is running a DHCP server application. Event logs refer generically to all log files used to track events on a system. Event logs are crucial for finding intrusions and diagnosing current system problems. In a Windows environment, for example, three primary event logs are used: security, application, and system. Be sure that you know the types of information included in the types of log files. Security Logs A system’s security log contains events related to security incidents, such as successful and unsuccessful logon attempts and failed resource access. Security logs can be customized, meaning that administrators can fine-tune exactly what they want to monitor. Some administrators choose to track nearly every security event on the system. Although this might be prudent, it can often create huge log files that take up too much space.
The figure below shows a security log from a Windows system. A Windows security log from Windows 10
The figure below shows that some successful logons and account changes have occurred. A potential security breach would show some audit failures for logon or logoff attempts. To save space and prevent the log files from growing too big, administrators might choose to audit only failed logon attempts and not successful ones.
Each event in a security log contains additional information to make it easy to get the details on the event: - Date: The exact date the security event occurred. - Time: The time the event occurred. - User: The name of the user account that was tracked during the event. - Computer: The name of the computer used when the event occurred. - Event ID: The event ID telling you what event has occurred. You can use this ID to obtain additional information about the particular event. For example, you can take the ID number, enter it at the Microsoft support website, and gather information about the event. Without the ID, it would be difficult to find this information. To be effective, security logs should be regularly reviewed. Application Log An application log contains information logged by applications that run on a particular system rather than the operating system itself. Vendors of third-party applications can use the application log as a destination for error messages generated by their applications. The application log works in much the same way as the security log. It tracks both successful events and failed events within applications. The figure below shows the details provided in an application log. An application log in Windows 10
The figure below shows that two types of events occurred: general application information events and warning event events. Vigilant administrators would likely want to check the event ID of both the event and warning failures to isolate the cause. System Logs System logs record information about components or drivers in the system, as shown the figure below. This is the place to look when you are troubleshooting a problem with a hardware device on your system or a problem with network connectivity. For example, messages related to the client element of Dynamic Host Configuration Protocol (DHCP) appear in this log. The system log is also the place to look for hardware device errors, time synchronization issues, or service startup problems. A system log in Windows 10 History Logs History logs are most often associated with the tracking of Internet surfing habits. They maintain a record of all sites that a user visits. Network administrators might review these for potential security or policy breaches, but generally these are not commonly reviewed. Another form of history log is a compilation of events from other log files. For instance, one history log might contain all significant events over the past year from the security log on a server. History logs are critical because they provide a detailed account of alarm events that can be used to track trends and locate problem areas in the network. This information can help you revise maintenance schedules, determine equipment replacement plans, and anticipate and prevent future problems. Application logs and system logs can often be viewed by any user. Security logs can be viewed only by users who use accounts with administrative privileges. Log Management In a discussion of these logs, it becomes clear that monitoring them can be a huge issue. That is where log management (LM) comes in. LM describes the process of managing large volumes of system-generated computer log files. LM includes the collection, retention, and disposal of all system logs. Although LM can be a huge task, it is essential to ensure the proper functioning of the network and its applications. It also helps you keep an eye on network and system security. Configuring systems to log all sorts of events is the easy part. Trying to find the time to review the logs is an entirely different matter. To assist with this process, third-party software packages are available to help with the organization and reviewing of log files. To find this type of software, you can enter log management into a web browser, and you will have many options to choose from. Some have trial versions of their software that may give you a better idea of how LM works. Syslog is a message logging standard that has been around for many years. The tool used for creating log entries in UNIX/Linux-based systems is conveniently named syslog, but other tools can also be used. Syslog allows separation between three entities: the software that generates the message, the system that stores it, and the software used to analyze or report it. Every message is labeled with identifiers such as a code indicating the software type generating the message and a severity level. A severity level of 0 is an emergency, 1 is an alert, 2 is critical, 3 is error, 4 is warning, 5 is a notice, 6 is information only, and 7 is for debugging. Patch Management All applications, including productivity software, virus checkers, and especially the operating system, release patches and updates often designed to address potential security weaknesses. Administrators must keep an eye out for these patches and install them when they are released. The various types of updates discussed in this section apply to all systems and devices, including mobile devices and laptops, as well as servers and routers. Special server systems (and services) are typically used to deploy mass updates to clients in a large enterprise network. Discussion items related to this topic include the following: - OS updates: Most operating system updates relate to either functionality or security issues. For this reason, it is important to keep your systems up to date. Most current operating systems include the capability to automatically find updates and install them. By default, the automatic updates feature is usually turned on; you can change the settings if you do not want this enabled. Always test updates on a lab machine before rolling out on production machines. - Firmware updates: Firmware updates keep the hardware interfaces working properly. Router manufacturers, for example, often issue patches when problems are discovered. Those patches need to be applied to the router to remove any security gaps that may exist. The figure below shows an example of checking a router’s firmware. Checking a router’s firmware
Just as security holes can exist with operating systems and applications (and get closed through patches), they can also exist in firmware and be closed through updates - Driver updates: The main reason for updating drivers is that you have a piece of hardware that is not operating correctly. The failure to operate can be caused by the hardware interacting with software it was not intended to prior to shipping (such as OS updates). Because the problem can be from the vendor or the OS provider, updates can be automatically included (such as with Windows Update) or found on the vendor’s site. - Feature changes/updates: Not considered as critical as security or functionality updates, feature updates and changes can extend what you could previously do and extend your time using the hardware/software combination you have. - Major versus minor updates: Most updates are classified as major (must be done) or minor (can be done). Depending on the vendor, the difference in the two may be telegraphed in the numbering: an update of 4.0.0 would be a major update, whereas one of 4.10.357 would be considered a minor one. As a general rule, the smaller the number of the update, the less significant it is. - Vulnerability patches: Vulnerabilities are weaknesses, and patches related to them should be installed correctly with all expediency. After a vulnerability in an OS, a driver, or a piece of hardware has been identified, the fact that it can be exploited is often spread quickly: a zero-day exploit is any attack that begins the very day the vulnerability is discovered. If attackers learn of the weakness the same day as the developer, they have the ability to exploit it until a patch is released. Often, the only thing that you as a security administrator can do between the discovery of the exploit and the release of the patch is to turn off the system. Although this approach can be a costly undertaking in terms of productivity, it can be the only way to keep the network safe. - Upgrading versus downgrading: Not all changes need to be upgraded. If, for example, a newly applied patch changes the functionality of a hardware component to the point that it will no longer operate as you need it to, you can consider reverting back to a previous state. This approach is known as downgrading and is often necessary when dealing with legacy systems and implementations.
For the exam, know that removing patches and updates is considered downgrading.
Before you install or remove patches, it is important to do a configuration backup. Many vendors offer products that perform configuration backups across the network on a regular basis and allow you to roll back changes if needed. Free tools are often limited in the number of devices they can work with, and some of the more expensive ones include the capability to automatically analyze and identify the changes that could be causing any problems. Environmental Factors Environmental concerns include considerations about temperature, humidity, electrical, and water/flood risks. Computer rooms should have fire and moisture detectors. Most office buildings have water pipes and other moisture-carrying systems in the ceiling. If a water pipe bursts (which is common in minor earthquakes), the computer room could become flooded. Water and electricity don’t mix. Moisture monitors would automatically kill power in a computer room if moisture were detected, so the security professional should know where the water cut-offs are located. Many computer systems require temperature and humidity control for reliable service. Large servers, communications equipment, and drive arrays generate considerable amounts of heat. An environmental system for this type of equipment is a significant expense beyond the actual computer system costs. Humidity control prevents the buildup of static electricity in the environment. If the humidity drops too low, electronic components are extremely vulnerable to damage from electrostatic shock. Most environmental systems also regulate humidity; however, a malfunctioning system can cause the humidity to be almost entirely extracted from a room. Make sure that environmental systems are regularly serviced.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.