<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>Network</title>
<link>http://www.computersight.com/tags/Network</link>
<description>New posts about Network</description>
<item>
<title>Port Forwarding 101</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Port-Forwarding-101.245103</link>
<description>
<![CDATA[<p>Maybe you're a gamer.  Maybe you might be running your own server.  I'm not sure what led you to this tutorial, but if you follow these steps correctly, you will not only be able to set up your proper port forwarding rules in the next few minutes, you will be able to learn how to forward ports for any application you come across that requires connectivity to the internet.</p>
<p>For starters, let me explain port forwarding in nice plain English, so that you understand the concept of what we are going to be doing here.  Port forwarding is the process of opening a hole in your router to allow internet traffic to pass through it and to your computer with no interference.  When you are connected to the internet directly (modem to computer) you are fully exposed to the glory - and wrath - of the online world. If you are part of a network, your router will not only act as a buffer between your computer and that dangerous thing that we are so addicted to, but it will also allow you to pass files and information back and forth between other machines on the same router.</p>
<p>Now that you have an idea of what port forwarding is, why should you use it? Many programs these days will automatically set themselves up to play nicely with your router, but they won't tell you why. On most networks, all machines connected to the router will use the same IP address to connect to the internet. This is called Network Address Translation, and there are a number of reasons this is useful, but at the same time, it can confuse a lot of internet traffic. For example, let's say you're using Limewire and you're trying to download a song. When you start downloading the song you want, the various sources the song is coming from will attempt to connect to your computer to give you your requested file. As I explained above though, if you have more than one computer on your network, you all use the same IP address, and that could make it hard for Limewire to know which computer to pass the song to. So we use port forwarding to tell it that certain programs go to certain places on the internal network. By doing so, Limewire will connect to your IP address, which will redirect to your router, which in turn consults your port forwarding to see which internal machine to redirect to.</p>
<p>If you are reading this on a computer running Windows XP or newer, you probably don't need to do any manual port forwarding: since Microsoft introduced UPnP, applications can access your router and make changes automatically. If you are not using a newer version of Windows, or the application you are running does not support UPnP, then it is time to roll up your sleeves and poke around inside your router a little. I cannot give you exact instructions, as most routers are different, but I can give you a great website to help you with the specifics beyond what I can explain here. Just pick the model of your router off this list http://www.portforward.com/english/routers/port_forwarding/routerindex.htm and follow the instructions it gives you. Make sure you note what it tells you your IP address is, up near the top of the page.</p>
<p>If you are unsure what model of router you own, take a look at it. 9 times out of 10, somewhere on the router, there will be the manufacturer, model, serial number, and quite often the MAC address as well. We don't need all that right now, but it's a good thing to know should it come up later down the road. If you do not have physical access to your router, talk with your network admin, as they will probably set up port forwarding for you.</p>
<p>That's it. A quick and painless explanation of what port forwarding is and why to use it. If you still have a hard time figuring anything out, drop a comment and I'll try and help.</p>]]></description>
<pubDate>Sun, 07 Sep 2008 08:08:31 PST</pubDate></item>
<item>
<title>ATM Implementation Scenarios</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/ATM-Implementation-Scenarios.244879</link>
<description>
<![CDATA[<h3>ATM Distinguished Service Record</h3>
<p>Traditionally ATM has a long and distinguished service record for voice communications. It is also ideally suited to multiplexing environments and can be readily configured to carry VoIP traffic streams.</p>
<p>In fact today we find that most consumer ADSL2+ implementations do offer a choice of PPPoE or PPPoA as their transport protocols (at least here in Perth). PPPoA stands for Point-to-Point Protocol over Asynchronous Transfer Mode.</p>
<p>The importance of this cannot be overlooked as it means that ATM in some form or other will be with us for some time into the future. In fact the Japanese have just recently deployed a communications satellite with an onboard ATM switch. They obviously think there is life in ATM yet.</p>
<h3>Introducing Asynchronous Transfer Mode (ATM)</h3>
<p>Originally intended to be a unified networking strategy, Asynchronous Transfer Mode (ATM) is a connection-oriented, circuit-switched, cell relay &ldquo;Jack-of-all-trades&rdquo; transport protocol that uses small, uniform, fixed-sized cells to redress Quality of Service (QoS) issues so important to voice/video communications and the multitude of streaming applications upon which we are all so dependent.</p>
<h3>ATM Origins and Development</h3>
<p>During development of the standards for the Asynchronous Transfer Mode (ATM), in the mid 1980s, the goals were to create a unified networking strategy that could act as an all-round transport system for real-time video and audio as well as for image, text and email. ATM is pretty much a &ldquo;Jack-of-all-trades&rdquo; transport system. The two groups primarily responsible for the development of the ATM standards were the International Telecommunications Union [ITU 2004] and the ATM Forum [ATM 2004].</p>
<p>Over time we have seen that the majority of implementations and uses that ATM has fulfilled have been primarily concerned with telephony and IP networks. Ethernet and the Internet Protocol (IP) are packet-switched network technologies that use packets of variable size referred to as frames.</p>
<h3>ATM Protocol Basics</h3>
<p>In marked contrast to packet-switched networking technologies, ATM is a connection-oriented, Data Link Layer (OSI Reference Model Layer 2), circuit-switched, cell relay protocol that runs over Synchronous Optical Network (SONET) Physical Layer links (OSI Reference Model Layer 1) using cells of identical and never varying size. Consistent predictability is the underlying ethos here.</p>
<p>Being a connection-oriented channel-based technology means that ATM must always establish a &ldquo;logical&rdquo; connection between the two endpoints prior to commencement of data exchange. Significantly, ATM encodes data traffic into small uniform fixed-sized cells. ATM cells are always 53 bytes in size and are comprised of 48 bytes of data and 5 bytes of header information.</p>
<h3>ATM Cell Structure</h3>
<p>Regardless of the original size of the packets to be transmitted ATM breaks all packets, data, and voice streams into 48-byte chunks and then adds a 5-byte routing header to each one thereby making a total of 53-bytes for each and every cell. The 5-byte header is essential for later reassembly. During development of ATM it was considered that 10% (5 bytes) of each cell (payload) being dedicated to the header for routing information was more than sufficient.</p>
<p>ATM multiplexes these 53-byte cells instead of the larger packets and in so doing reduces the worst-case queuing jitter by a factor of almost 30, thereby removing the need for echo cancellers. I will discuss queuing jitter along with other types of jitter shortly.</p>
<h3>ATM Cell Formats</h3>
<p>ATM defines two different cell formats: the Network-Network Interface (NNI) and the User-Network Interface (UNI). Most ATM links use the UNI cell format.</p>
<h3>ATM Adaptation Layers (AAL)</h3>
<p>ATM Adaptation Layers (AAL) are the rules for segmenting and reassembling packets and streams into cells. It is the AALs that provide the support for the various services delivered by ATM.</p>
<p>Currently, there are five different AALs and the information concerning which one is being used for each cell on a cell-by-cell basis is not contained within the cell or in the cell header. Rather, this information is negotiated by or configured at the endpoints on a per-virtual-connection basis. Here are the five different AALs and their main uses:</p>
<ol>
<li>
<h4>AAL1</h4>
Constant Bit Rate (CBR) Services, Circuit Emulation</li>
<li>
<h4>AAL2</h4>
Variable Bit Rate (VBR) Services</li>
<li>
<h4>AAL3</h4>
Variable Bit Rate (VBR) Services</li>
<li>
<h4>AAL4</h4>
Variable Bit Rate (VBR) Services</li>
<li>
<h4>AAL5</h4>
Data Transport </li>
</ol>
<h3>ATM Connectivity</h3>
<p>Because ATM is a connection-oriented channel-based technology it must establish a &ldquo;logical&rdquo; connection between the two endpoints prior to commencement of data exchange. ATM does this by implementing Virtual Circuits, Channels, Paths and Identifiers as follows:</p>
<ul>
<li>
<h4>Virtual Circuits (VC)</h4>
Virtual Circuits (VC) are admirably suited to multiplexing scenarios. Simply by including an 8-bit or 12-bit Virtual Path Identifier (VPI) and a 16-bit Virtual Channel Identifier (VCI) pair in every ATM frame's header each Virtual Circuit (VC) is uniquely identifiable.</li>
<li>
<h4>Virtual Channel</h4>
An ATM Virtual Channel represents the basic means of communication between two end-points. Cells are given a unique identifier called the Virtual Channel Identifier (VCI) which is placed into the ATM cells' header. All ATM cells containing identical VCIs are transported in the same Virtual Channel.</li>
<li>
<h4>Virtual Path (VP)</h4>
A Virtual Path (VP) denotes the transport of ATM cells belonging to virtual channels which share a common identifier called a Virtual Path Identifier (VPI). The VPI is included in the header of every ATM frame. In other words a Virtual Path (VP) is a bunch of Virtual Channels (VC) connecting the same end-points. These will also have a common traffic allocation.</li>
<li>
<h4>Virtual Path Identifier (VPI)</h4>
The Virtual Path Identifier's (VPI) length varies depending on the interface it is sent on (inside the network or on the edge of the network).</li>
</ul>
<h3>ATM Traffic Contracts</h3>
<p>When an ATM circuit is set up each ATM switch is informed of the traffic class of the connection. These ATM contracts constitute part of ATM's Quality of Service (QoS) mechanisms. There are four basic types of contracts:</p>
<ol>
<li>
<h4>Constant Bit Rate (CBR)</h4>
A constant specified Peak Cell Rate (PCR) is set</li>
<li>
<h4>Variable Bit Rate (VBR)</h4>
An average cell rate is specified. This may peak at a certain predefined maximum level for a certain length of time before becoming problematic</li>
<li>
<h4>Available Bit Rate (ABR)</h4>
A minimum guaranteed rate is specified</li>
<li>
<h4>Unspecified Bit Rate (UBR)</h4>
Traffic is allocated all remaining transmission capacity </li>
</ol>
<h3>ATM Traffic Contract Delivery and Monitoring</h3>
<h4>Traffic Shaping</h4>
<p>The intended objective of traffic shaping is to ensure that cell flow will meet its traffic contract and is usually done at the entry point to an ATM network.</p>
<h4>Traffic Policing</h4>
<p>To maintain network performance it is possible to &ldquo;police&rdquo; virtual circuits against their traffic contracts. Basic policing works on a cell by cell basis, but this is sub-optimal for encapsulated packet traffic. If a circuit is exceeding its traffic contract, the network can either drop the cells or mark the Cell Loss Priority (CLP) bit (to identify a cell as being discardable farther down the line).</p>
<h3>Benefits of Using Small Fixed Size Cells</h3>
<p>The major benefits derived from using small data cells are a reduction in queue delay and jitter; particularly in multiplexing data streams. By using small, fixed-sized cells ATM is able to transport large data files all the while maintaining minimal queuing delays. Minimal queuing delays are essential to the delivery of both voice/video communications.</p>
<h4>Queue Delay</h4>
<p>Queue delay related issues include problems associated with end-to-end-round-trip delays and delay variance particularly when carrying voice traffic. High traffic volumes and/or congested networks along with the arrival variance associated with variable route routing are among the main causes of queue delay issues.</p>
<h4>Jitter</h4>
<p>Although jitter results from queuing delay issues, deviations or displacement of various aspects of high frequency pulses, such as amplitude, phase timing and signal pulse width, as a direct result of electromagnetic interference (EMI) and crosstalk (noise) also cause jitter. Think of jitter as being the production of &ldquo;jerky&rdquo; results or, in video applications, flicker. By using small fixed-size cells ATM is able to overcome the effects of queue delay as well as other types/sources of jitter.</p>
<h4>Multi Purpose Transport Protocol</h4>
<p>Asynchronous Transfer Mode (ATM) carries many different data types and formats (text, audio, video, graphics, photos etc.) from a multitude of sources and of variable sizes. When combined with standard queuing strategies, maximum queuing delays were common. This is totally unacceptable where voice and real-time video traffic is concerned.</p>
<h3>Compression/Decompression Algorithms (Codec)</h3>
<p>Because of the way in which many Compression/Decompression Algorithms work, special considerations need to be implemented in order to ensure they work properly as intended, including:</p>
<h4>Time</h4>
<p>The nature of time as we humans perceive it is an analogue continuum (that is to say time is a linear progression). Once past, there is no way as yet to recover the loss.</p>
<h4>Jitter and Queue Delay</h4>
<p>Jitter and queue delay are of great importance because of the nature and manner of operation of the compression/decompression (codec) algorithms used in the conversion of a digitalized data stream back into an analogue audio signal. This conversion process (digital-to-analogue) is very much a &ldquo;real-time, on-the-fly&rdquo; process and is more attuned to &ldquo;just-in-time&rdquo; transport protocols.</p>
<h4>Real-Time Streaming</h4>
<p>In order to produce reliable, consistently &ldquo;acceptable&rdquo; output the codec needs the data items (the digitized voice data) to be presented to it in a predictable, regulated data stream that is evenly spaced in time, hence the term &ldquo;real-time streaming&rdquo;.</p>
<h4>Late Arrivals</h4>
<p>If the data arrives after its allotted position/reception window in the time sequence (relating to that part of the data-stream) the codec will simply drop it. Not surprisingly this is unacceptable for IP telephony. Remember to keep in mind that time is analogue in nature and once a &ldquo;time window&rdquo; elapses, the &ldquo;lost&rdquo; time becomes unrecoverable.</p>
<h4>Codec Packet Handling Options</h4>
<p>If the transport protocol is unable to present the data as and when the codec expects it, the codec has no choice but to assume silence, make a &ldquo;best guess&rdquo; or simply drop the packet. Any of these is unacceptable where voice is concerned as the conversation rapidly becomes untenable and the message does not get through.</p>
<h3>ATM Deployment Indicators and Scenarios</h3>
<h4>ATM WAN Core Implementation</h4>
<p>ATM production environment implementations have over time proved to be very successful in the Wide Area Network (WAN) scenarios. Numerous telecommunication providers and Internet Service Providers (ISPs) have implemented ATM in their Wide Area Network (WAN) cores.</p>
<h4>Slow Links</h4>
<p>For slow links less than 2M-bit/s, ATM still makes sense, which is why many ADSL systems use ATM as an intermediate layer between the physical link layer and a Layer 2 protocol like PPP or Ethernet.</p>
<h4>Linear Audio and Video Streams</h4>
<p>Interest in using native ATM for carrying live video and audio has increased recently. It is in these environments, where ATM can deliver the low latency and very high Quality of Service (QoS) required for handling linear audio and video streams.</p>
<h4>Gigabit Ethernet</h4>
<p>Today we are finding that for both new WAN implementations and for existing WAN implementation upgrades, high speed, high performance Ethernet (Gigabit Ethernet, 10Gbit Ethernet, and Metro Ethernet etc.) are rapidly replacing ATM as the technology of choice.</p>
<h4>Relative Performance</h4>
<p>At the time ATM was designed, 155Mbit/s (135Mbit/s payload) over fiber-optic cable was very fast in comparison to the other carrier/transport technologies available at the time. Since then, however, these other technologies have evolved and are now considerably faster than they once were.</p>
<h4>Jitter</h4>
<p>Today, a 1,500 byte (12,000 bit) full-size Ethernet packet takes only 1.2 &micro;s to transmit across a 10Gbit/s optical network. With this sort of speed, jitter is no longer the issue it once was. By overcoming the potential adverse effects of jitter through this ramping up of network transfer speeds we have at the same time removed the need for using small uniform cells to overcome jitter.</p>
<h4>Complexity</h4>
<p>Unfortunately, due to ATM's complexity it proved to be unsuitable for deployment in many of the scenarios that its creators had originally intended.</p>
<h4>Converged Networks</h4>
<p>The speed and traffic shaping requirements of many converged networks are also proving to be very challenging for ATM.</p>]]></description>
<pubDate>Sun, 07 Sep 2008 06:31:10 PST</pubDate></item>
<item>
<title>Wireless Networking Physical Security</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Wireless-Networking-Physical-Security.232547</link>
<description>
<![CDATA[<h3>Environmental Awareness and Physical Security</h3>
<p>The first step in every security assessment and hardening process is always to conduct an environmental survey specifically tailored towards promoting a comprehensive scenario specific awareness and understanding of the prevailing functional operating climate/environment.</p>
<p>One all too often overlooked aspect here is physical security. One should never forget that all security starts with the physical and only then progresses to the logical if appropriate. Without further ado here are the issues and potential solutions that merit consideration with regards to all wireless networking environments and implementation scenarios.</p>
<h3>Fixing and Camouflage</h3>
<p>So make sure that all of your Wireless Access Points (WAPs) are physically secured. Tie downs and camouflage are great ways to do this. Both camouflaged and secreted devices (located in suspended ceilings etc) have the added security benefit of being hidden from general view.</p>
<p>The old adage &ldquo;out of sight out of mind&rdquo; immediately springs to mind. What cannot be seen is often out of mind and therefore less likely to go walk-about. WAPs can be secreted in suspended ceilings, wiring closets or fixtures such as ornaments and planter pots. This makes for an all round far more aesthetically pleasing approach.</p>
<h3>Signal Degradation</h3>
<p>With respect to wireless networking, physical security also entails taking into consideration such factors as environmental interference from other wireless devices and cell phones etc., electromagnetic interference (EMI) from other electronic and electrical devices such as TVs, radios and public address systems, and signal attenuation and degradation. For the network's wired components, such as those connecting your WAPs and wireless bridges/routers to your wired network (LAN), noise and cross-talk also need to be taken into consideration.</p>
<h3>Functional Reliability</h3>
<p>Do not overlook the need for equipment reliability and robustness along with adequate emergency situation operating functionality. It is imperative that in the event of an emergency or catastrophe that your wireless network remains fully functional unless circumstances dictate otherwise. Communication is usually the most valuable resource in times of doubt and uncertainty. Just ask the military.</p>
<h3>Naming, Labeling and Documentation</h3>
<p>An appropriate secure customized naming convention complete with a fully complementary secure labeling system is a must. This is generally of higher importance for a business wireless networking environment where there may be considerable numbers of roaming network member devices than is usually the case for the home wireless network.</p>
<p>On top of this, wireless network physical security requires the appropriate planning to ensure ready location and identification of network devices in the event of malfunctions, failures or hacking (successful or not) especially when physical access of the equipment in question becomes necessary. Of course this will include the proper documentation detailing all physical aspects of the wireless network including device location and identification markers.</p>
<h3>Wireless Traffic Control</h3>
<p>Another crucial principal element of physical security for all wireless networks that rates special mention here is that of traffic control. Just as one regulates the physical ebb and flow of people on any given site through orchestrated control of transport facilities and mechanisms, the same holds true for the regulation of traffic flow and control for wireless networks.</p>
<p>Consider this to be very much akin to a perimeter-based site/facility security strategy that deploys multiple layers of defenses for physical site access. In networking applications firewalls can do an admirable job of regulating authenticated access; very much as a fence and guard-house does for facility perimeter security. So install one and ensure that it is correctly configured.</p>
<h3>Physical Traffic Control Mechanisms</h3>
<p>With regards to physical traffic control for wireless networks the majority of options will be partially implemented in hardware and partially logically. The exact mix will be situation specific. Planning and due care with device placement, the selection of transmission frequency bands and power ratings will all have a role to play.</p>
<p>Consider that some frequencies have better physical penetration attributes than others, while more powerful signals (higher wattage) will be propagated further and will also penetrate fixtures better. There have been documented instances of wireless network signals being detectable and of service level quality at up to 125 miles from the transmission source (the official world record distance as recorded by <a href="http://www.wifi-shootout.com" target="_blank">http://www.wifi-shootout.com</a>).</p>
<p>For these reasons in a high security zone one might need to deploy more specialized WAPs set to a lower transmission power rating than usual in combination with unidirectional antennae rather than omnidirectional antennae. The additional costs of these types of units are readily justifiable in terms of the additional security levels attained.</p>
<p>From a fiscal standpoint it is worthy of note that this small additional cost is a one-time, up-front encumbrance, and the financial department will love the fact that these devices are far more sturdy and reliable and in general have a longer expected mean operating life, thereby reducing running costs and failure-induced troubleshooting and replacement rates.</p>
<h3>Logical Traffic Control Mechanisms</h3>
<p>Having implemented perimeter-based access verification and validation security initiatives we may well need to implement additional logical controls and network subdivisions such as Demilitarized Zones (DMZs). DMZs for instance allow for additional network traffic control, regulation, isolation and compartmentalization.</p>
<p>Limiting wireless devices to specific areas/zones of a network also delivers additional benefits such as greater economy and efficiency of bandwidth usage patterns and superior levels of granular administrative capabilities and ease of use.</p>
<h3>Wireless-Free Zones</h3>
<p>There are also many instances where wireless networking devices along with mobile communications or entertainment devices functionality are undesirable or unwelcome. The most sensitive of these areas will be related to sensitive electronic equipment such as that found in hospital trauma, intensive care, surgical units, coronary care units and life support systems. Areas where flammable materials are handled, stored or used also qualify as wireless-free zones.</p>
<p>In these cases and others like them we need to monitor to ensure that within a specific perimeter wireless devices are not functional and that signal leakage from wireless enabled sectors does not leak in. Perimeter threshold detection is generally considered to be the most effective solution here.</p>
<p>By this I mean that metaphorically speaking a line is drawn beyond which none of the above devices will pass while still turned on. Hospitals generally paint a red line on the floor, walls and ceiling to clearly mark this threshold.</p>
<h3>Collateral Damage</h3>
<p>When designing and planning a wireless network remember to incorporate provisions that address physical security from the health perspective by ensuring that no possible harm, collateral damage or interference can be caused by the network, its devices and its signals. Cables for example, should be secured and out of harm's way as should WAPs.</p>
<p>We don't, for instance want a WAP falling onto somebody from a humane perspective as well as from a litigation avoidance perspective. Nor do we want our wireless network to cause the cardiac pacemaker of a passer-by to malfunction. Here is a case where clear, readily noticeable and unambiguous notifications (signage) are our main preventative and compliance option. I guess this is more or less a disclaimer approach really.</p>
<p>Not only do we need to protect and guard humans from harm caused directly or indirectly by our wireless network and its components but we need to protect our wireless network from physical harm caused by humans and/or the environment as well. It is up to us to provide for our network's physical well-being as it cannot do this for itself.</p>
<h3>Regulatory Compliance</h3>
<p>Regulatory compliance issues also need to be addressed at all levels and all stages of a wireless network's life cycle. Local and regional standards and regulations need to be researched and fully compliant measures implemented. Policies also need to be developed, made appropriately available to those concerned and of course implemented.</p>
<h3>Pass-Through Point Security</h3>
<p>Just as a physical site's physical access controls may see the implementation and installation of fences and stationing of security guards at primary access points the same can often be done with wireless networks. For example there may be the opportunity to implement search mechanisms such as the pass-through points seen at airports etc. This is one way of ensuring that unknown devices do not enter within the coverage area of your wireless network.</p>
<p>Unfortunately, for most businesses it is often impractical to implement this type of measure as the cost and negative customer reactions may preclude it as being overly draconian. Larger chain retailers do however, employ pass-through scanning devices but they are more attuned to the detection of theft of merchandise rather than the prevention of unauthorized wireless access.</p>
<p>Note however, that for areas not publicly accessible and/or where sensitive materials are stored pass-through inspection security is a viable option. Espionage is a reality that must be addressed. If not the stealing of properties then the sabotage aspect may be of appropriate weight to implement pass-through surveillance mechanisms.</p>
<p>So much damage has been done in the past by persons posing as service or utility personnel that many facilities, especially an organization's research and development and marketing divisions as well as their datacenter, have seen fit to implement the pass-through security approach.</p>
<h3>Wireless Network Presence Detection</h3>
<p>Although a wireless network uses a medium that is invisible to the human eye, with the right tools it becomes very observable. Tools such as Kismet, for example, have very little difficulty in detecting the presence of a wireless network. Furthermore, there is very little you can do to prevent this type of detection. After all, wireless signals are transmitted over the public domain. Fortunately, however, there is a lot you can do to prevent exploitation of a wireless network after detection.</p>
<p>The implementation of full conversation encryption including that of authentication mechanisms and connection establishment is, as far as most would-be intruders/hackers are concerned, just too much hard work considering that there are untold numbers of easier targets to be had.</p>
<h3>Quality of Service (QoS) Geographical Access Parameters</h3>
<p>One should always consider geographical access and connectivity requirements and parameters in conjunction with the desired timely delivery of Quality of Service (QoS) metrics. The wireless network's ideal is to provide adequate connectivity and accessibility throughout the entire area of intended coverage (no drop-out zones) and with a specified level of Quality of Service (QoS) for said area but no more.</p>
<p>The Quality of Service (QoS) factor may be defined by either meeting or failing to meet specific performance metrics such as transfer rates or strength of encryption.</p>
<p>The geographical network confinement parameters are generally characterized and measured by the degree of signal leakage beyond a specified intended perimeter of coverage. The distance, signal strength, signal quality and degree of availability both within and beyond the designated network perimeter are the parameters that define and delineate that point at which signal leakage becomes unacceptable.</p>
<h3>Network Monitoring and Site Surveys</h3>
<p>In monitoring the attributes of a wireless network, tools such as AirSnort, Wireshark (formerly Ethereal), NetStumbler and Kismet are your friends. Use them to conduct regular site surveys to assess signal leakage. If need be, take the appropriate remedial measures to ensure compliance at all times and locations.</p>
<p>Some organizations even go to the extent of using signal jamming technologies to ensure that any leakage is rendered useless and piggy-backing cannot take place.</p>
<h3>Line of Sight</h3>
<p>Line of sight requirements need to be assessed carefully from the perspectives of both the current scenario and extrapolated into making predictions of the most likely conditions that will be prevalent at various predefined times in the future. Trees for example have a habit of growing.</p>
<p>So where a clear line of sight exists today the possibility that this will not be so in the future must be evaluated. In the case of trees one solution might entail lopping every other year in order to preserve said clear line of sight. No matter the terms or conditions, the establishment and implementation of a documented schedule or regime that addresses these types of issues needs to be set forth.</p>
<h3>Conclusions</h3>
<p>Wind, vibration, the environment in general and other factors including human interference of one form or another will all conspire to throw the most carefully designed and implemented wireless network out of alignment. Persistent cognizant vigilance must be your motto and creed.</p>]]></description>
<pubDate>Thu, 28 Aug 2008 08:31:08 PST</pubDate></item>
<item>
<title>Wireless Networking Security Considerations</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Wireless-Networking-Security-Considerations.232451</link>
<description>
<![CDATA[<p>Without doubt, the implementation, maintenance, updating and testing of a network's security suite, in conjunction with ongoing assessment of the network's state of preparedness, form the fabric upon which counteracting all forms of unauthorized network access and use before, during and after the event is based.</p>
<h3>Introduction</h3>
<p>It would be nice to live in utopia, that ideal world where nobody was a villain and misdemeanors never occurred. Unfortunately for the majority of us residing back here on planet Earth, security breaches, compromises and issues are all too real and unpleasant facts of life. Regardless of our station in life somebody is always trying to get a free lunch at our expense or trying to take advantage of us in some other way.</p>
<p>This being said we need to identify the objectives, acceptable standards, policies and regulatory compliance requirements that our wireless network security should deliver as intended.</p>
<h3>Wireless Networking Security Objectives Defined</h3>
<p>It is widely recognized that the underlying themes of all network security, and not just the wireless components, should be such that they consistently ensure adherence to the principles expressed by the CIA of Security ethos. Simply put this means the planning, implementation and maintenance of organization/network-wide Confidentiality, Integrity and Authentication (CIA).</p>
<p>The implications of this are that only duly authenticated authorized users have full access to all of their allocated network resources, assets, capabilities, bandwidth and Quality of Service (QoS) in line with the appropriate user rights, permissions and privileges whilst maintaining full and comprehensive organization-wide network confidentiality and integrity. The trick is in doing so seamlessly and transparently to the user.</p>
<h3>Strategies</h3>
<p>The implementation of security strategies and solutions consisting of multiple layers of protection by incorporating and melding a blend of physical security, multiple layers of authentication, network monitoring, traffic flow control, firewalls, intrusion detection, intrusion prevention, surveillance, logging and log analysis, specialized software, hardware and complementary technologies are widely regarded to be the fundamental pillars upon which the preservation of rock solid security for networks is built.</p>
<p>Make no mistake about it, this holds true for wired and wireless networks alike. By employing a security-in-depth approach many exploits can be negated. An example of where multiple layers of authentication can return handsome dividends is in wireless network access.</p>
<p>First line of defense is network access and connectivity controls. Users should be required to provide valid current authentication credentials in order to begin to access the wireless network. The user's wireless adapters should also be required to authenticate themselves.</p>
<p>Machine authentication can be implemented by simply creating a Wireless Access Point (WAP) or wireless router MAC Address filter table. Devices lacking a qualified listed MAC Address will be automatically denied network access. This level of access control actually precedes any user based authentication mechanisms since the MAC Address is contained in the Layer 2 header of every packet placed onto the network.</p>
<p>The next line in our defenses could involve additional authentication at various points throughout the network including transit beyond the local segment. For wireless networking components this can be most easily achieved by configuring dedicated wireless only network segments or through Virtual Local Area Network segmentation (VLANs) for wireless devices.</p>
<p>These specialized and segregated wireless networking segments can be placed into Demilitarized Zones (DMZs) for ease of administration. It is also advisable to make sure that they are on LAN segments physically independent of the rest of the network. Secondary user passwords or passphrases can be implemented at the application level as well.</p>
<p>Failure to incorporate a multi-layered approach makes successful intrusion far more likely. If all an attacker need do is &ldquo;crack&rdquo; one password or passphrase to gain access to a wireless network component, and no secondary authentication mechanisms are in place, you can safely assume that they will also have gained full access to your entire network. This means all assets and resources including those of the wired segments.</p>
<h3>Wired and Wireless Issues</h3>
<p>I will now cover the major issues and areas of concern pertaining to wireless network security. Please note that this list is not intended to be absolute nor complete. New exploits and threats arise every day. Hence I have elected to present and highlight here those areas representing the greatest concern and/or those areas most likely to present future new threats and exploits.</p>
<p>Many of the generic issues discussed below apply equally to wireless and wired networks alike. This is especially so when the device in question is a consumer class broadband modem/router. Both the wired and wireless versions will exhibit the same basic preconfigured functionalities and default manufacturer configurations. For example manufacturers tend to use the same default administrator name, administrator password and network names as well as enabling DHCP by default.</p>
<p>So let's get to it and as always security starts with the physical and wireless networking is no different.</p>
<h3>Physical Security</h3>
<p>There are many physical security related issues regarding wireless networking security, including the physical security of the device itself (accidental loss, theft, etc.), device naming and labeling conventions, physical accessibility (so critical for troubleshooting), coverage, Quality of Service (QoS), bandwidth, signal distortion, degradation and strength, device location, type of antennae and many more. If you would like to read more then check out Wireless Networking Physical Security.</p>
<h3>Transmission Media</h3>
<p>Because wireless networks use a public domain transmission medium, which is freely accessible to anyone with the right tools and desire, it is imperative that additional care and attention be paid to security aspects throughout the network's entire life cycle. So it is that the appropriate time for consideration of these initiatives to commence is at the very beginning of the network's life cycle during the technical requirements analysis and evaluation, planning and design stages. The process will be ongoing from there.</p>
<h3>Documentation</h3>
<p>Wireless device manufacturers usually provide the device's supporting documentation either on a disc bundled with the device or available for download from the manufacturer's website. In general, this documentation usually describes first steps/getting started, minimum requirements, preparation, installation, additional security procedures and finally troubleshooting and support.</p>
<p>Unfortunately, the vast majority of users will either ignore or skim over this information or anything else that is not pictorially depicted in the quick start guide. Let's face it these are the realities of our plug "n" play world. The device is working and I can use it; end of deal.</p>
<h3>Plug "n" Play</h3>
<p>The rise in popularity of wireless networks and technologies can in no small part be attributed to plug "n" play capabilities. On the one hand this is a boon for ease of connectivity, user friendliness and all-round ease of use. Yet it is these very aspects that make plug "n" play devices across the board so susceptible to subversion and compromise.</p>
<p>The problem with the default plug "n" play &ldquo;silent install&rdquo; approach to the installation and configuration of all devices (including wireless networking devices) is that in so far as network/device security is concerned it is no approach at all.</p>
<h3>Manufacturer Defaults</h3>
<p>Manufacturers preload their hardware with device specific software (firmware) and a basic configuration intended to get users up and running in the shortest possible time with minimal required user input.</p>
<p>Factory set default configurations, parameters, options and settings of most if not all devices are in the public domain. This is due to the fact that detailed and specific device defaults lists and documentation are generally freely available on the device manufacturer's website. They can also be found on a number of other third party websites.</p>
<p>The big difference between the documentation, resources and tutorials etc that are published on a manufacturer's website and those published on third party websites is that on the whole the third party sites tend not to confine their listings to only those devices manufactured by a single manufacturer. They also tend to reveal more of and about the inherent flaws and potential exploits of a device that a manufacturer would prefer to &ldquo;overlook&rdquo;. You might say that they are a one-stop-shop.</p>
<h3>War Driving and Wireless Network Hacking</h3>
<p>While most of us have heard of hacking, the practice of &ldquo;<strong>war driving</strong>&rdquo; is not so well known. So for the benefit of one and all, war driving is the practice of cruising around with a wireless enabled laptop complete with a plethora of wireless networking detection and cracking tools. Many war drivers even make use of GPS to physically locate with pin-point accuracy the precise locations of any wireless networks detected.</p>
<p>The major distinction between the two is that war driving is all about discovering the existence of wireless networks. Hacking wireless networks, on the other hand, is about cracking/breaking into those wireless networks discovered through war driving or any other means such as packet sniffing.</p>
<p>In short, the hacking of wireless networks is all about gaining access to a network whilst not being a legitimate bona fide network user with authentic access privileges and rights. This does not imply in any way that a would-be intruder is implicitly malevolent.</p>
<p>For example, legitimate, authorized and authentic security staff conducting site surveys, penetration testing or network preparedness assessments usually do not have &ldquo;evil&rdquo; intent. Still others may be attempting to access your wireless network for the thrill of it simply because it's there.</p>
<p>Note that the tools used for war driving and standard wireless hacking purposes are generally the same. In addition, these tools are freely available for download via the Internet usually in the form of self extracting automatic installation packages or user installable software.</p>
<p>What many may not realize is the degree of user friendly sophistication and capabilities that these tools have attained over the years of their existence and development. So it is that in today's wireless networking climate we must assume that attackers are by default armed with these tools. With this in mind we can construct our defenses in a manner best suited to counteracting a multiplicity of threats originating from all angles.</p>
<h3>Conclusion</h3>
<p>In combination a device's factory defaults and plug "n" play silent installation and setup provide a very user friendly, fast and convenient method to get a device up and running. Yet it is these very same default factory/plug "n" play device parameters, default configuration settings and behaviors that make wireless networks and wireless devices installed in this way without any further user/administrator interaction particularly inherently susceptible to compromise.</p>
<p>Therefore, immediately after the initial setup and installation has completed successfully the first security tasks that you should religiously attend to are the modification and/or customization of the basic manufacturer factory default settings, administrator names, passwords and configurations.</p>]]></description>
<pubDate>Thu, 28 Aug 2008 07:10:15 PST</pubDate></item>
<item>
<title>Technological Advances: Inventions From the Great Minds at MIT You May Have Never Known</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/MITs-Greatest-Technological-Inventions-of-Our-Time.204739</link>
<description>
<![CDATA[<p>Ever wonder where the most amazing technical and architectural designs come from? If you guessed MIT, you'd be right.<br />I have compiled a list of inventions and creations that have stemmed from this educational powerhouse.</p>
<h3>Texas Instruments Inc.</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_7.jpg" alt="" /></p>
<p>This device extends the battery life in certain types of medical tools, scales, and data acquisition applications.</p>
<h3>Rock &amp; Roll Hall of Fame Building - I. M. Pei</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_2.jpg" alt="" /></p>
<p>The architect tends to design buildings that depict the high-tech movement. He always works on larger scale projects and uses geometric designs to shape his buildings.</p>
<h3>The "Butterfly Effect" - Prof. Edward Lorenz</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_3.jpg" alt="" /><br /> <br />Professor Lorenz realized that small differences in a forceful system such as the atmosphere could trigger unsuspected results. These explanations eventually led him to formulate what became known as the butterfly effect. "This term came from a paper he wrote in 1972 entitled Predictability: Does the Flap of a Butterfly's Wings in Brazil Set off a Tornado in Texas?"</p>
<h3>Bose stereo - Professor Amar Bose</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_4.jpg" alt="" /><br />These stereo speakers are world-renowned for giving high-end performance despite their reticent size.</p>
<h3>Ethernet - Robert Metcalfe</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_8.jpg" alt="" /><br /> <br />Ethernet is a family of frame-based computer networking technologies for local area networks (LANs). The Ethernet controls our access to certain types of data processing models, i.e. Internet.</p>
<h3>The Internet Archive - Brewster Kahle</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_6.jpg" alt="" /><br /> <br />The Internet Archive (IA) consists of an online library containing the vast information on the Web and other multimedia resources. This information includes certain snapshots from various times from software, WebPages, audio visual and other sources.</p>
<h3>Rockman amplifier - Tom Scholz</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_9.jpg" alt="" /></p>
<p>The Rockman is used in conjunction with headphones and an amplifier used for certain guitars. If any of you are familiar with Boston then you know who invented this.</p>
<h3>Spacewar, the first computer game - Steve Russell</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_10.jpg" alt="" /><br /> <br />Spacewar was the first digital computer game of our time. The idea behind the game involved spaceships attempting to shoot each other while manipulating within the galaxy. I remember this game; I used to play it all the time on my Atari. I wish I still had it.</p>
<h3>Hypertext - Prof. Vannevar Bush PhD</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_11.jpg" alt="" /><br />Hypertext is defined as words or text that leads the user to information associated with those words.</p>
<h3>GPS (Global Positioning System) - Ivan Getting</h3>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/10/260855_12.jpg" alt="" /><br /> <br />The GPS uses satellites that transmit microwave signals. These signals enable receivers to determine certain types of pertinent information such as direction, time, speed and location.</p>]]></description>
<pubDate>Sun, 10 Aug 2008 09:03:28 PST</pubDate></item>
<item>
<title>IP Transit</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/IP-Transit.195491</link>
<description>
<![CDATA[<p>There are many misunderstandings about what Internet Service Providers (ISPs) do and what their responsibilities are. This short paper will hopefully clear up some of the misconceptions and shed some light on IP transit and the reasons as to why certain ISPs can or cannot do something while others that can won't.</p>
<p>IP transit is a formal agreement, usually in the form of a registered contract by which wholesale Internet bandwidth is sold or resold by Internet Service Providers (ISPs) and content providers.</p>
<p>Pricing is typically offered as a fixed or sliding scale of per megabit per second per month basis (M-bit/s/Month) and requires the purchaser to commit to a minimum volume of bandwidth. Pricing for the bandwidth can be reduced significantly by purchasing larger volumes or extending the contract term.</p>
<p>Modern IP transit agreements typically provide service level guarantees to almost all of the major Internet Exchange Points within a continental geography such as North America, Europe or Australia. However, these IP Transit Service Level Agreements (SLAs) still only provide best-effort delivery since they do not guarantee service from the Internet Exchange Point to the final destination.</p>
<p>As individual consumers, we too enter into SLAs with our particular ISP to purchase IP transit. For Asymmetric Digital Subscriber Line (ADSL) broadband services these consumer grade service level contracts are generally expressed in terms of an asymmetric capped bandwidth rate usually with some upper volume limit on a Gigabytes per month basis.</p>
<p>The asymmetric aspect is generally manifested as a quoted download connection rate with a much lesser upload connection rate. Bear in mind that actual data transfer rates tend to be somewhat less than the connection rate in either direction.</p>
<p>They also tend to be variable in that, once the connection has been established, the actual data transfer will begin at a rate of X M-bit/s, which is not sustained indefinitely as it will progressively decrease throughout the duration of the conversation.</p>
<p>You will however find that at some point this transfer rate depreciation will plateau; more often than not somewhere near the rate cited by your ISP as being that of the immediately adjacent lower metric and/or lower priced service agreement rate currently available to you from that ISP.</p>
<p>The result is, as I am sure you have already noticed by now, that you can download considerably quicker than you can upload. Additionally, downloading a 50MB file takes considerably longer than 50 times the time taken to download a 1MB file.</p>
<p>Considering that the average Internet consumer's usage habits are such that they will spend a far greater proportion of time downloading than they do uploading, this disparity between the two rates of transfer is usually perceived by the consumer as being satisfactory. We just accept that that is the way it is.</p>
<p>Another factor that reinforces this degree of consumer &ldquo;satisfaction&rdquo; is that the majority of us remember years of frustration with dial-up services followed by the revolutionary advent of broadband (ADSL), and now with ADSL 2+ there truly is a gap of &ldquo;light-years&rdquo; between now and then. Still, I have no doubt that the magic will wear off and consumers will be primed for further higher-speed always-on services and technologies.</p>
<p>One of the driving forces in this vicious cycle is the size factor of the average file transferred over the Internet. With the &ldquo;average&rdquo; file size increasing as rapidly as, if not more so than, the capacity for the &ldquo;I want it now&rdquo; consumer's Internet service to deliver it now, impatience will often win out. Nobody likes waiting for websites that are slow to load or files that take ages to transfer. With a click of the mouse we will generally surf on to the next site.</p>
<p>Holding consumer attention is something that Web masters are all only too acutely aware of. With Google, Yahoo, MSN and co. delivering so many options for a search this should come as no great surprise. StumbleUpon.com is one such social networking service characterized by high user &ldquo;surf-through&rdquo; rates. I myself click the Stumble button if a site is slow to load. There are heaps of worthy sites yet to Stumble and so on I go.</p>
<p>The richness of Web 2.0 and user interactivity (feedback, comments, content contribution etc.) is such a powerful element that it further accelerates mass migration from once flavor-of-the-day bogged down social networking sites to newer better performing ones with such suddenness that it truly takes the breath away. Check out Delicious.com and the recent changes (including changing their user unfriendly name and URL) wrought there for these very reasons.</p>
<p>Other recent trends such as Software-as-a-Service (S-a-a-S) and many Web hosted applications; such as many of the more recent Help Desk implementations, all contribute to the richness, variety and in most instances the cost-effectiveness of the Web-based applications solutions over the traditional locally hosted varieties.</p>
<p>The most important element of all of the above implementation scenarios, and one that is very rarely investigated by the end-user, is that somewhere along the line, and usually at more than one point, IP transit must be negotiated.</p>
<p>More often than not, and for various reasons not readily available to the consumer, this element of costing is hidden from obvious sight. It can usually be found in the small print of SLAs under such headings as &ldquo;overhead&rdquo;, &ldquo;establishment fees&rdquo;, &ldquo;administrative overheads&rdquo; or as a component of &ldquo;service fees/charges&rdquo;.</p>
<p>However, for commercial enterprises, and particularly those with very active websites such as social networking and bookmarking sites, the standard consumer grade arrangement is most definitely unsatisfactory and so they will have a different type of SLA with their ISP. Up until very recently this usually meant leased lines or dedicated fiber optic cables between their premises and the ISP's exchange equipment.</p>
<p>I must also make note of the fact that the asymmetric nature of ADSL is not always manifested by higher data transfer rates for downloading than uploading. Sometimes it is more important for a site to have upload data transfer rates superior to its download data transfer rates.</p>
<p>Instances where this type of IP transit arrangement would be considered desirable include manufacturer and developer download sites, particularly where the content of the consumer downloadable files changes often or regularly, or is deemed to be of a critical nature (antimalware sites). Generally their upload link to their consumer/customer accessible downloads and support sites would be a separate and dedicated link specifically for this purpose.</p>
<p>Other instances are urgent notification systems that need to rapidly disseminate variable critical content to a large number of target systems and users, especially &ldquo;knee-jerk&rdquo; security responses to zero-day threats and other emerging vulnerabilities.</p>
<p>Update sites such as the Microsoft Windows Updates site and their automatic updates services would avail themselves of an IP transit Service Level Agreement (SLA) where the rates of the administrative upload links to these facilities would be higher than the download rates. They may even use SDSL access technologies.</p>
<p>Another variant of Digital Subscriber Line (DSL) broadband services is Symmetric Digital Subscriber Line (SDSL). Yes it means just what it says. Data transfer rates are more or less equal in both directions (upload and download).</p>
<p>Today, with ADSL 2+ we find that many a small to medium business no longer requires these expensive alternatives. Web hosting services have also made an impact in this area through the provisioning of assorted quality of dynamics, metrics, 24/7, auto-responder, domain hosting services and Internet point-of-presence services that are affordably suitable for many smaller scale enterprises and individual requirements.</p>
<p>No doubt this is a lucrative field for the services hosting provider. A fact reflected by the number of hosting services providers including Microsoft's entry into the arena with their free domain hosting services.</p>
<p>Once built, upload the website and the rest is taken care of (more or less). No servers to worry about. Let the networking guys at your hosting service provider do that.</p>
<p>Yet another resurfacing technology that follows the Software-as-a-Service (S-a-a-S) centralized application, processing (computing) and services philosophy is terminal services. In a terminal services production environment implementation centrally located servers host the applications, deliver services and perform the bulk of processing (computing) for those clients assigned to it. This is the same sort of structure and relationship that existed between the mainframes of yesteryear and their associated user terminals.</p>
<p>The benefits of this type of arrangement include a dramatic reduction in the amount of data that needs to be transmitted between end-points. Client requests and server replies containing the results of processing and &ldquo;dumb&rdquo; client user service accessibility requests ready for onscreen display are basically all that is transmitted.</p>
<p>The above factors also apply to wireless networking and wireless Internet access technologies. The main distinction between wireless network access (including the Internet) and other technologies is that it is wireless. Apart from this, access, authentication, logical connectivity, bandwidth and aggregate data throughput rates etc. and associated issues are for the most part much like the other available technologies when it comes to IP transit.</p>
<p>The result is that all of these factors are continually conspiring to change the face of the Internet and how we use it. For many of us, considerations and decisions relating to IP transit and the specific intricacies of the products and services offered by and stated in the Service Level Agreements (SLAs) between ourselves and our ISP rarely come to our attention. Yet there can be little doubt they are the arrangements upon which the Internet is built and commercial viability is derived.</p>
<p>I guess you could say that &ldquo;there is no such thing as a free lunch&rdquo;. One way or another, somewhere along the line you, the end user, still pay for your share of Internet access and use. The trick from all perspectives (consumers, business, government, enterprise and organizations of all sizes and persuasions) is to minimize these costs.</p>
<p>I will discuss many and varied aspects of the Internet in future articles. Until next time enjoy!!</p>]]></description>
<pubDate>Mon, 04 Aug 2008 10:01:06 PST</pubDate></item>
<item>
<title>Wide Area Networks (WAN)</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Wide-Area-Networks-WAN.193643</link>
<description>
<![CDATA[<p>A Wide Area Network (WAN) is a type of computer network that covers a broad area and connects multiple other networks in order to make communications and data exchanges between users and machines at various geographically dispersed locations possible.</p>
<h3>Introducing Wide Area Networks (WANs)</h3>
<p>A Wide Area Network (WAN) is generally considered to be a type of computer network that covers a broad area where communications links cross regional, metropolitan or national boundaries. Today, it is probably better to think of a WAN as a network that uses routers and publicly accessible communications links. Without doubt the largest and most well-known WAN is the Internet.</p>
<p>Wide Area Networks (WANs) are used to connect Local Area Networks (LANs) and other types of networks, including Metropolitan Area Networks (MANs), wireless and private networks. The purpose of a WAN is to enable users and computers in one location to communicate with users and computers in other, often very geographically dispersed and separated locations.</p>
<p>Typically a WAN will consist of a number of interconnected switching nodes that allow transmissions from any one device to be routed through these interconnected nodes to the specified destination device(s). These nodes are not concerned with the contents of the data; rather, their interest is focused on the provision of a switching facility to move the data from node to node until it arrives at its intended destination.</p>
<h3>Wide Area Network (WAN) Models</h3>
<p>In essence there are two basic design models upon which all WAN connectivity structures and organization are based. They are:</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/03/247089_0.jpg" alt="" /></p>
<p><strong>The Centralized WAN Model</strong> - Consists of a server or group of servers in a central location and client computers or dumb terminals that connect to the server(s) which provide the bulk of the network's functionality. Figure 1 above is a logical construct of a typical centralized WAN. Note that all points lead to the centrally located servers.</p>
<p>Today's typical physical Point of Sale (POS) functionality such as that implemented by chain organizations such as banks and supermarkets etc is a classic example of a centralized WAN. Software-as-a-Service (SaaS) and web based applications are other examples of a centralized WAN computing model.</p>
<p><strong>The Distributed WAN Model</strong> - Consists of client and server computers distributed throughout the network (see Fig.2 below). The Internet is a distributed WAN.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/08/03/247089_1.jpg" alt="" /></p>
<p>The three tiered network design hierarchy consisting of a core layer, a distribution layer and an access layer is implemented on top of whichever WAN connectivity and organizational structures are chosen. For more about the three tiered network design hierarchy, see <a href="http://www.computersight.com/Communication-%26-Networks/Network-Design-Hierarchies.178283" target="_blank">Network Design: Hierarchies</a>.</p>
<h3>Building Wide Area Networks (WANs)</h3>
<p>In order to facilitate the efficient and effective transfer of information between a WAN's end systems a number of protocols (rules that govern the transmission and reception of information between computers and network end-points) needed to be developed and implemented.</p>
<p>Generically speaking, a networking protocol is the formal description of a set of rules that describe, enable, govern and regulate the various characteristics, aspects, attributes and properties of an internetwork. One of the more important early WAN protocols was X.25. Although it is not used today, many of X.25's underlying protocols and functions (with modifications and improvements) are still in use by current iterations of Frame Relay.</p>
<p>Initially, most WANs were built using expensive leased lines. The most common production implementations of leased line based WANs involved the use of a router at each end of the leased line to connect the LAN on one side to a hub within the WAN on the other.</p>
<h3>Wide Area Networks (WANs) Reducing Implementation Costs</h3>
<p>If ever the use of Wide Area Networks (WANs), including the Internet was to become widespread and accessible to the bulk of humanity (be it as individuals or collectives) something needed to be done to reduce the startup and running costs of planning, implementing and maintaining WANs. Fortunately solutions did exist.</p>
<p>Less costly alternatives to using expensive leased lines when building a WAN include the use of circuit switching or packet switching technologies. Here, network protocols including TCP/IP serve to deliver transport and addressing functions, while protocols such as Packet over SONET/SDH, Multiprotocol Label Switching (MPLS), Asynchronous Transfer Mode (ATM) and Frame Relay are commonly used by Internet Service Providers (ISPs) to deliver the links that are used in WANs.</p>
<h3>Wide Area Network (WAN) Connectivity Options</h3>
<p><strong>Leased Line</strong> - Provides secure but comparatively expensive point-to-point connectivity between two computers or Local Area Networks (LANs) using protocols such as Point-to-Point Protocol (PPP), High-Level Data Link Control (HDLC) and Synchronous Data Link Control (SDLC).</p>
<p><strong>Circuit Switching</strong> - A less expensive dedicated circuit path offering data transfer rates ranging from 28K-bit/sec to 144K-bit/sec is created between end points. On the downside, call setup and connection establishment need to be renegotiated every time access is desired because the link is not necessarily permanent. The most well known example of circuit switching WAN connectivity is dial-up connections. Point-to-Point Protocol (PPP) and Integrated Services Digital Network (ISDN) are two of the most widely used protocols for circuit switching WAN connectivity.</p>
<p><strong>Packet Switching</strong> - Variable length packets are transported over a shared single point-to-point or point-to-multipoint link across a carrier internetwork using Permanent Virtual Circuits (PVC) or Switched Virtual Circuits (SVC). X.25 and <a href="http://www.computersight.com/Communication-%26-Networks/Frame-Relay.121342" target="_blank"><strong>Frame Relay</strong></a> are two examples of packet switching protocols used for WAN connectivity.</p>
<p><strong>Cell Relay</strong> - Cell Relay is very similar to packet switching, but uses fixed length cells instead of variable length packets. Data is divided into fixed-length cells and then transported across virtual circuits. Unfortunately the overhead can constitute a significant proportion of the total bandwidth. Cell relay protocols such as <a href="http://www.computersight.com/Communication-%26-Networks/Asynchronous-Transfer-Mode-ATM.122411" target="_blank"><strong>Asynchronous Transfer Mode (ATM)</strong></a> (up to 155M-bit/sec) are best for simultaneous use of voice and data.</p>
<p><strong>Virtual Private Network (VPN)</strong> - With the recent reductions in Internet connectivity costs and concurrent increases in bandwidth and transmission rates now offered by ISPs, many organizations have opted to use VPN technologies such as those on offer from the likes of Cisco Systems, New Edge Networks, Juniper, Check Point and Vyatta to interconnect their networks. One of VPN's strong points is encryption and, considering the prevalence of cyber-crime today, it is no surprise to find that this form of WAN is currently very popular.</p>
<h3>Wide Area Network (WAN) Transmission Media and Links</h3>
<p>Any given WAN may use one, more or even all of the following technologies for the transmission and transport of information:</p>
<p><strong>Copper-Based Media</strong> - Telephone lines, coaxial cable, CAT cable etc.</p>
<p><strong>Fiber Optic-Based Cables</strong> - Single-Mode and Multi-Mode (see <a href="http://www.scienceray.com/Technology/Applied-Science/Fiber-Optic-Cable.161801" target="_blank"><strong>Fiber Optic Cable</strong></a> and <a href="http://www.computersight.com/Communication-%26-Networks/Optical-Networking.187591" target="_blank"><strong>Optical Networking</strong></a> for more).</p>
<p><strong>Wireless</strong> - Radio frequency channels, microwave links, satellite channels and publicly accessible wireless &ldquo;hot spots&rdquo;</p>
<h3>Wide Area Network (WAN) Transmission Rates</h3>
<p>WAN transmission rates have typically ranged from 1.2K-bits/sec to 6 M-bit/sec, although some connections such as ATM and leased lines can reach speeds greater than 156 M-bit/sec. The advent of ADSL 2+ has upped the ante even further.</p>
<p>Now with transmission rates up to 30 Mbps, DSL and cable modem are two high data-transmission rate consumer Internet connections that transmit considerably faster than a dial-up modem (56 kbps). Add to this the fact that they are also generally cheaper than both ISDN and dial-up and you get a very cost-effective solution.</p>
<h3>Wide Area Network (WAN) Access</h3>
<p>Some Wide Area Networks (WANs) are public (usually built by Internet Service Providers (ISPs) to provide Internet connectivity) while others are private (built for a specific organization). That is to say that public access to an organization's &ldquo;private&rdquo; network component is regulated by that organization. In contrast, access to public networks and user privileges remains largely unregulated beyond the criteria defined by the agreement between the consumer and their Internet Service Provider (ISP).</p>
<p>Hence, the general public, anonymous and guest visitors, colleagues, business partners, and associates etcetera may be permitted limited privilege access to various sectors of an organization's private network but not to all of it. Functionalities, services, assets and user capabilities will vary greatly on a case-by-case network-by-network basis.</p>
<h3>Demilitarized Zones (DMZs)</h3>
<p>A classic example of this regulated limited access is commonly implemented in the form of Demilitarized Zones (DMZs) that allow public access to a very restricted and confined portion of an organization's private network. Here they may be able to access a web server for e-commerce, technical support or even just for casual browsing. You cannot make a sale if you cannot communicate with your customers. Even auto responders and automated shopping carts require some degree of two-way participation from both the customer and your software.</p>
<h3>Metropolitan Area Network (MAN)</h3>
<p>Another increasingly common type of WAN is the Metropolitan Area Network (MAN), which is basically the same as a WAN except that its boundaries are contained within a single metropolitan area (city).</p>
<p>In Australia, a MAN can be viewed as a network for which standard landline telephone communications are charged at the local call rate (not STD) as all endpoints have the same area code. With broadband configured as a permanently connected service the customer only pays the local call fee for the initial setup connection or reconnection if the service is interrupted for any reason.</p>
<p>Examples of private Metropolitan Area Networks (MANs) would be the corporate links between various branches of the same organization (chain stores, banks) in the Perth metropolitan area. The key here is that regardless of the protocols or other technologies being used, part of the transit will be via publicly accessible networks such as the Internet. The remainder will of course be contained within the boundaries of their &ldquo;private LAN&rdquo;.</p>
<h3>WANs, MANs and Interoperability</h3>
<p>Internetworking and interoperability are key factors critical to the realization of effective and readily available e-commerce portals as well as other external network resources and services. Regulatory and other compliance issues also need to be taken into consideration.</p>
<p>The seamless, secure interoperability of multiple systems and networks is essential in order for the general public to have free and ready access to those components of the enterprise LAN/MAN/WAN deemed desirable by that organization/enterprise.</p>
<p>For example, it is usually deemed highly desirable that the general public have rapid, seamless access to and interactivity with an organization's e-commerce facilities such as the shopping cart, support services if appropriate, and resources such as online documentation.</p>
<p>The expansion of Web 2.0 functionality and the upsurge of social networking applications all rely heavily on the effective and efficient seamless integration of internetworking and interoperability technologies at all levels.</p>]]></description>
<pubDate>Sun, 03 Aug 2008 06:23:24 PST</pubDate></item>
<item>
<title>Optical Networking</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Optical-Networking.187591</link>
<description>
<![CDATA[<p>There are a number of very closely related standards that have been developed to describe the practical implementations of optical networking. A number of very different standards and implementations also exist. I will discuss the major players here.</p>
<h3>The Advantages of Fiber Optical Networking</h3>
<p>First of all, we must note that the biggest advantage of using fiber optic networking and hence the use of fiber optic cable as a transmission medium is the high degree of immunity to noise, cross-talk and Electromagnetic Interference (EMI) that this medium provides.</p>
<p><strong>Spanning Large Distances</strong> - With the fiber optic technologies available today, signal degradation and regeneration issues are not what they once were, and so the distance factor that so limits copper-based media is of negligible consequence where fiber optic transmission is concerned.</p>
<p><strong>Environmental Damage</strong> - Environmental factors such as moisture and Radio Frequency Interference (RFI) are also not of the same criticality as they are for copper-based media. The reasons why fiber optic cable provides a high degree of immunity to noise (EMI) compared with other transmission media all stem from the use of light to convey the information (signals) and the construction of the medium (the fiber optic cable).</p>
<p><strong>Security</strong> - Due to the degree of difficulty in &ldquo;tapping&rdquo; fiber optic transmission lines without being detected, fiber optic transmission media offer a more secure medium than copper-based or wireless technologies.</p>
<p>The result is that fiber optic transmission media are the media of choice when it comes to &ldquo;long haul&rdquo; applications such as intercontinental, cross-continental and oceanic (marine) backbone links. It is also the preferred medium for tier one ISP backbone links. This means that new WAN implementations and applications are now predominantly fiber optic cable based, wireless rollouts being the major exception.</p>
<p>Additional information regarding fiber optic cable construction, signal propagation, signal regeneration, connectors, cable rollout and modes (single-mode and multi-mode fibers) can be found at <a href="http://www.scienceray.com/Technology/Applied-Science/Fiber-Optic-Cable.161801" target="_blank"><strong>Fiber Optic Cable</strong></a><strong>.</strong></p>
<p>I will now discuss the major standards and implementations of fiber optic networking starting with the Fiber Distributed Data Interface (FDDI) standard and then the Synchronous Optical Networking (SONET) and the Synchronous Digital Hierarchy (SDH).</p>
<h3>Fiber Distributed Data Interface (FDDI)</h3>
<p>FDDI, which evolved from the IEEE 802.4 token bus timed token protocol, is a fault tolerant 100Mbit/sec token passing counter-rotating dual ring LAN standard that permits data transmission between two end-point devices that can be many tens of kilometers apart.</p>
<p>As its name indicates, fiber optic cable is the main form of physical transmission medium used in FDDI, although a copper-based implementation called Copper Distributed Data Interface (CDDI) does exist. Although conceived as a LAN standard, FDDI has also been used for MAN and WAN implementations.</p>
<p><strong>FDDI Topology</strong> - In essence FDDI is a ring network similar to IBM's Token Ring network but with a number of critical differences, the most noticeable of which is that FDDI uses a dual-attached, counter-rotating token ring topology (see Figure 1: FDDI).</p>
<p><strong>Fault Tolerance</strong> - One ring acts as the primary transmission ring and in the original implementations was capable of delivering transmission speeds of up to 100Mbit/sec. The other or secondary ring was originally intended solely to act as a backup.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/07/29/239175_0.jpg" alt="" /></p>
<p>This meant that the secondary ring was inactive and remained so for as long as the primary ring was functional. In the event of failure of the primary ring, the secondary ring would become active and all traffic would then go to the secondary ring for transmission. It is this built-in redundancy that makes FDDI a fault tolerant technology.</p>
<p><strong>Higher Effective Sustained Data Throughput</strong> - Another factor in FDDI's favor was that it used a much larger frame size than Ethernet which meant that it was capable of much higher effective sustained throughput rates than standard 100Mbit/sec Ethernet. Administrators also had the option of using the secondary ring for data transport rather than having it stand idly by thereby doubling transmission capacity to 200Mbit/sec.</p>
<p><strong>Coverage and Scalability</strong> - Not only can FDDI traverse large distances it also scales much better than 100Mbit/sec Ethernet. This means it provides superior support for expanding enterprise networks consisting of hundreds or thousands of users.</p>
<p><strong>Fiber Distributed Data Interface II (FDDI-II)</strong> - FDDI-II is a more recent development of FDDI that has added support for circuit-switched services thereby enabling FDDI to carry both voice and video signals as well. For more on FDDI including applicable standards please see <a href="http://www.computersight.com/Communication-%26-Networks/About-Fiber-Distributed-Data-Interface-FDDI.119192" target="_blank"><strong>About Fiber Distributed Data Interface (FDDI)</strong></a>.</p>
<h3>Synchronous Optical Networking - SONET</h3>
<p>Synchronous Optical Networking (SONET) is an established high-speed WAN alternative for communicating digital information using lasers or Light-Emitting Diodes (LEDs) over optical cable offered by several telecommunications companies.</p>
<p>SONET was originally developed to replace the Plesiochronous Digital Hierarchy (PDH) system for transporting large amounts of telephone and data traffic as well as providing the mechanisms that allow for interoperability between equipment from different vendors. The result is that there are multiple, very closely related standards that describe synchronous optical networking including:</p>
<p><strong>Synchronous Digital Hierarchy (SDH)</strong> - The SDH standard was developed by the International Telecommunication Union (ITU) and is documented in standard G.707 and its extension G.708. SDH is used throughout the world but not in North America.</p>
<p><strong>Synchronous Optical Networking (SONET)</strong> - The SONET standard is defined by GR-253-CORE from Telcordia&trade;. It is used primarily in Canada and the USA, where SDH has not been implemented, although it can be found in other countries.</p>
<p><strong>Synchronization is Key</strong> - Through the use of atomic clocks synchronous networking data transport rates are very tightly regulated which allows for entire inter-country networks to operate synchronously while greatly reducing the amount of buffering required between elements in the network. This reduction in overhead (buffering) translates into greater effective net data throughput rates.</p>
<p><strong>Encapsulation</strong> - Both SONET and SDH can be used to encapsulate earlier digital transmission standards, such as the PDH standard, or used directly to support either ATM or so-called Packet over SONET/SDH (POS) networking.</p>
<p><strong>Generic Transport Containers</strong> - SDH and SONET are generic all-purpose transport containers for moving voice and data rather than just communications protocols per se.</p>
<h3>SDH and SONET Frame Structures</h3>
<p>Standard packet or frame oriented data transmission frames usually consist of a header and a payload, with the header of the frame being transmitted first, followed by the payload and a trailer (e.g. CRC). With synchronous optical networking both the header, which is referred to as the overhead, and the payload still exist, but the big difference is that the overhead is not all transmitted before the payload; rather, the transmission is interleaved.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/07/29/239175_1.jpg" alt="" /></p>
<p><strong>Interleaved Transmission</strong> - With interleaved transmissions the transmission of the conversation goes like this:</p>
<p>First of all, a portion of the overhead (header) is transmitted. This is followed by part of the payload. After which the next part of the overhead is transmitted. This is followed by the next part of the payload and so on until the entire frame has been transmitted. Figure 2: Interleaving above shows this.</p>
<p><strong>SONET Frame Size and Transmission Sequence</strong> - SONET frames are 810 octets in size, transmitted as 3 octets of overhead, followed by 87 octets of payload, nine times over until 810 octets have been transmitted. The total frame transmission time is 125 microseconds.</p>
<p><strong>SDH Frame Size and Transmission Sequence</strong> - SDH frames are 2430 octets in size transmitted as 9 octets of overhead, followed by 261 octets of payload, also nine times over until 2430 octets have been transmitted. Again the total frame transmission time is also 125 microseconds.</p>
<p>It doesn't take much brain power to see that SDH is capable of an effective data throughput rate three times that which the North American implementation of SONET can achieve.</p>
<h3>Ethernet over Fiber Optic Cable</h3>
<p>Today we see the Gigabit Ethernet over fiber optic cable and 10G Ethernet over fiber optic cable standards being the most common implementations of optical local area networks (LANs) currently being rolled out. They are also used extensively as the network core layer's transport medium of choice, particularly in Ethernet networks.</p>
<p>The majority of the big players in the networking hardware arena, such as Cisco, Juniper and Redback, produce numerous products with fiber optic support, including Ethernet over Fiber Optic modules. See <a href="http://www.computersight.com/Communication-%26-Networks/Network-Design-Hierarchies.178283" target="_blank"><strong>Network Design: Hierarchies</strong></a> for more about network design and the functions and features of a network's core layer<strong>.</strong></p>]]></description>
<pubDate>Tue, 29 Jul 2008 07:33:24 PST</pubDate></item>
<item>
<title>Free Software: Top 10 Useful Software for Your Computer</title>
<link>http://www.computersight.com/Software/Free-Software-Top-10-Useful-Software-for-Your-Computer.152095</link>
<description>
<![CDATA[<p>Today the world depends on software programs; we can't live without them.</p>
<p><img src="http://images.stanzapub.com/readers/computersight/2008/06/29/191215_0.jpg" alt="" /><br /><a href="http://www.flickr.com/photos/patrikberanek/1314461038/" target="_blank">Image source</a></p>
<p>Here is the list: my personal review of some computer software programs that have made our lives easy.</p>
<h3><a href="http://www.mozilla.com" target="_blank">Firefox</a></h3>
<p>The Firefox Web Browser is a faster, more secure and fully customizable way to surf the web compared with other browsers.</p>
<h4>Features:</h4>
<ul>
<li> One-Click Bookmarking - You can search and organize Web sites quickly and easily</li>
<li> Instant Web Site ID - You can avoid online scams and suspicious transactions</li>
<li> Improved Performance - You can view Web pages faster while using less of your computer's memory</li>
</ul>
<h3><a href="http://messenger.yahoo.com/" target="_blank">Yahoo Messenger</a></h3>
<p>Chit chat with your buddies and find friends in Yahoo! Yahoo Messenger is the most widely used instant messenger on the World Wide Web.</p>
<h4>Features:</h4>
<ul>
<li> Send text messages in real-time to your buddies on Yahoo or Windows Live Messenger</li>
<li> Join a chat room to meet new friends while you discuss your favorite topics</li>
<li> Photo Sharing - Share photos from your desktop or Flickr, then discuss them over IM while you and a friend view them together</li>
<li> PC to PC calls - Make a voice call to another Yahoo! Messenger user for free</li>
<li> Send text messages from Messenger to your friends' mobile phones for free</li>
</ul>
<h3><a href="http://www.skype.com" target="_blank">Skype</a></h3>
<p>No money for calls? With Skype you can chat and make free calls over the internet to other people on Skype for as long as you like, to wherever you like. You can call to mobiles using your computer.  And it is absolutely free to download.</p>
<h3><a href="http://www.adobe.com" target="_blank">Adobe Reader</a></h3>
<p>Adobe Reader is free software to download. This simplest of Adobe's PDF programs lets you do just about anything PDF-related (besides create new ones), including online collaboration. It includes a host of features to aid users with disabilities. Use Adobe Reader to view, search, digitally sign, verify, print, and collaborate on Adobe PDF files.</p>
<h4>Features:</h4>
<ul>
<li> Leverage a simplified user interface - You can view information more precisely and efficiently with the redesigned, easier to use Reader 8 interface</li>
<li> More secure document workflows - Better protect documents, forms, and drawings</li>
<li> Automate digital certificate administration</li>
<li> Leverage existing security infrastructure </li>
</ul>
<h3><a href="http://audacity.sourceforge.net/" target="_blank">Audacity</a></h3>
<p>Audacity is free-to-download software for recording and editing audio. Audacity is available for Windows, Linux, and Mac OS X operating systems.</p>
<h4>Features:</h4>
<ul>
<li> Record Live Audio</li>
<li> Convert tape copies and records into digital recordings or CDs</li>
<li> Edit Ogg Vorbis, MP3, WAV or AIFF sound files</li>
<li> Copy, cut, splice or mix sounds together</li>
<li> Change the beat, speed or tempo of your audio files</li>
</ul>
<h3><a href="http://www.gimp.org" target="_blank">GIMP</a></h3>
<p>The GNU Image Manipulation Program, or GIMP, is the most widely used bitmap editor in the printing industries. GIMP is an editor for graphics, photo images and logos. It handles cropping, resizing, altering color, adjusting brightness, combining multiple images, and converting between different file formats. It is often used as a free software replacement for Adobe Photoshop, but it is not designed to be a Photoshop clone.</p>
<h4>Features:</h4>
<ul>
<li> Customizable Interface</li>
<li> Photo Enhancement</li>
<li> Digital Retouching </li>
</ul>
<h3><a href="http://www.apple.com/itunes" target="_blank">iTunes</a></h3>
<p>iTunes is free software to download. It is a digital music and media player introduced by Apple Inc., used for playing and organizing mp3, digital music, and video files. This software can connect to the iTunes Store via the internet to purchase and download music, videos, TV shows, iPod games, audio books, movie trailers, ring tones, and more.</p>
<h4>Features:</h4>
<ul>
<li> iPod music downloader</li>
<li> Media player </li>
</ul>
<h3><a href="http://www.aim.com" target="_blank">AIM</a></h3>
<p>Advanced Information Management (AIM). It is one of the most widely used free Instant Messenger programs.</p>
<h4>Features:</h4>
<ul>
<li> AIM Plug-ins      
<ul>
<li> Whimsicals - They're web applications that let you interact with your Buddies, send &amp; receive IMs, &amp; more all from a web browser.</li>
<li> IM fight - Fight your buddy.</li>
<li> AIM share - Blast your buddy list.</li>
<li> AIM WIMZI - Put a chat window anywhere.</li>
<li> QQ games - Fun and play with your buddies. </li>
</ul>
</li>
</ul>
<h3><a href="http://www.winamp.com" target="_blank">WinAmp</a></h3>
<p>WinAmp is the most famous media player after WPM. It plays music, video, movie files and DVDs. There are lots of skins to choose from for the new version. WinAmp offers 50 free mp3 downloads for downloading the software. You can also search for skins and plug-ins, access thousands of shout cast Radio stations, get free Music and Videos and search the Web using Winamp Search.</p>
<h4>Features:</h4>
<ul>
<li> Offers free download of music and videos in their toolbar</li>
<li> Remote Music and Video Playback and Sharing</li>
<li> Playlist the Best Music on the Web with Media Monitor</li>
<li> Winamp Toolbar enables browser control of Winamp</li>
<li> Album Art Support for Portable Devices </li>
</ul>
<h3><a href="http://www.mozilla.com/thunderbird" target="_blank">Thunderbird</a></h3>
<p>Thunderbird is the ultimate open source desktop mail app, supported by Mozilla. Its pluggable interface lets developers freely build extensions to make it ever more useful.</p>
<h4>Features:</h4>
<ul>
<li> Message tagging - Thunderbird 2 allows you to tag messages with descriptors such as To Do or Done</li>
<li> Advanced Folder Views - offers a variety of ways for you to organize and display your folders, whether by favorites, recently viewed or folders containing unread messages</li>
<li> Message history navigation - Show toolbar allows you to click forward and back much like in your Web browser</li>
<li> Saved Research - Thunderbird has a &ldquo;saved&rdquo; folder that allows you to store your file searches</li>
</ul>]]></description>
<pubDate>Wed, 25 Jun 2008 03:08:17 PST</pubDate></item>
<item>
<title>Password Authentication Security</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Password-Authentication-Security.138542</link>
<description>
<![CDATA[<p>Everybody's objective in the cybercrime tug-o'-war games is to be on the winning side. Nobody likes losing, especially when the prize at stake is your own personal property or, even worse, your identity. However, there are steps you can take to reduce both an organization's and your individual personal risk/threat impact levels.</p>
 
<p>Over the course of the next few days I will be presenting a series of articles dealing with the many and varied aspects, concerns, issues, strategies, policies, threats and countermeasures that constitute password security.</p>
 
<p>Many systems today still rely on password-only authentication. Thus, defending yourself and your organization against the ravages of breaches of password security becomes of heightened importance. Having a single point of failure/attack (the logon name/password combo) does leave one more exposed to the efforts of cybercrime.</p>
 
<h3>Honesty - Being True to Yourself</h3>
 
<p>If you are not going to assess your current password security status honestly then do not even bother. You will probably just waste a whole pile of blood, sweat and tears on useless, ineffective, time-consuming, misdirected and most definitely misguided pies in the sky.</p>
 
<p>The type of honesty that I refer to is the kind of honesty that is so necessary to a realistic and accurate assessment of your current password security status. Assess yourself honestly. You do not have to let anyone else know the details of your dirty laundry.</p>
 
<p>So please, do yourself a favor and do this right. For, only after appraising your current password security status will you be able to identify areas of weakness that need prompt attention.</p>
 
<h3>Hard Password Copies (Paper)</h3>
 
<p>Maintaining a hard copy (paper) of your passwords and locking it in your desk is not as secure a practice as you might think. You cannot guarantee that nobody will attempt to break into your desk. The locks on most desks are merely a trivial inconvenience to those with a little know-how.</p>
 
<p>An envelope opener and a matter of five to ten seconds, tops, is usually all that it takes to open the majority of desk drawers. Failing to lock up your desk compounds the crime. It may save damage to your desk's lock but will do nothing to save your password hard copy.</p>
 
<p>Do not leave a hard copy of your passwords in close physical proximity to your computer, e.g. on your desk or beside the PC or monitor. It is a very bad idea. Leaving a hard copy of your logon and password details in open public view is worse. Then again, the practice of writing your logon name and password on a post-it note and attaching it to the PC or monitor is probably the worst of all.</p>
 
<p>Human laziness, carelessness and a casual attitude toward security, particularly where user accounts are concerned, is one of the most pervasive issues facing security on an ongoing basis. It is no secret that over the years, post-it notes along with other password hard copies have provided a profitable source of information to would-be password attackers.</p>
 
<p><strong>Recommended countermeasures</strong> concerning hard copies of passwords and other authentication credentials should not be necessary, since the best advice of all is that you should never maintain a hard copy of authentication details, period.</p>
 
<h3>Electronic, Magnetic and Optical Password Copies</h3>
 
<p>While not as risky as maintaining hard copies of your authentication details, storing electronic, magnetic or optical copies of this information still requires considerable care. You should always encrypt authentication data when storing it in an electronic, magnetic or optical format.</p>
 
<p>As with paper hard copies, any physical copy of any data carries an additional risk of theft. Many thieves find it easier to steal physical objects than electronic objects. They may consider your PC too big to put in their pocket, but CDs, USB flash drives, floppy disks and external hard drives are another matter altogether.</p>
 
<p><strong>Recommendations</strong> to help protect the electronic, magnetic and optical physical copies of your data will always begin with physical security measures such as data vaults, lock and key, and off-site storage. You should also store this information only in an encrypted format to strengthen your data protection. Password locking files is also important.</p>
 
<h3>Security-In-Depth</h3>
 
<p>Using a security-in-depth strategy entails the implementation of more than one mechanism in your defenses. You can build defenses based around password authentication to open a channel after which you use additional passwords to gain additional access privileges.</p>
 
<p>Here is an example to illustrate the security-in-depth approach using password authentication systems. You log onto the network using one password, which in association with your logon user name will, once authenticated, allow you access to basic network assets, services and resources.</p>
 
<p>If some time later you need access to a resource requiring a higher privilege level, such as a database, you may need to supply another user name with a different password. In this way, we now have a two-tiered hierarchy of access privileges to specific resources. It is still password-based but immeasurably more secure than a system in which one password accesses everything.</p>
 
<p>Now suppose you wish to gain access to sensitive information held within that database. In that case, you will need to supply yet another user name and password. A third layer of password-protected access is now in place.</p>
 
<p>Your level of security has increased yet again, and the best bit is that it is not going to cost you anything. Most operating systems, including Windows, Linux and Apple Mac, along with specialty application software (MS Word, Open Office, security suites etc.), will support this strategy natively out of the box.</p>
 
<p>A classic example of this would be your email account. Your operating system will supply the first password-protected authentication level at logon. Your email service provider will require another password-protected authentication when you wish to check your email.</p>
 
<p><strong>WARNING</strong>: A word of caution, however: most email password authentication processes occur unencrypted, which is a very bad idea. Anybody with a "packet sniffer" utility can capture the traffic and view it in plain text at their leisure.</p>
 
<p>To overcome this you can configure more secure communications channels or use multifactor authentication systems, which I do recommend. They will be the topic of my next article.</p>
 
<h3>Conclusions</h3>
 
<p><strong>NEVER</strong> disclose account information such as logon names and passwords. At all times and under all circumstances you must ensure that this type of information (authorization credentials) remains known only to your security, administration and support personnel, and then only on a need-to-know basis.</p>
 
<p><strong>NEVER</strong> keep hard copies of passwords and other authentication details. It is a practice fraught with danger.</p>
 
<p><strong>ALWAYS</strong> store data in an encrypted format.</p>
 
<p><strong>ALWAYS</strong> afford authentication credentials maximal protection and spare no effort in these endeavors, as they will deliver heightened levels of security across the board to your entire system/network.</p>
 
<p><strong>ALWAYS</strong> implement multiple layers of password-protected authentication. A security-in-depth approach is applicable to practically every system with a little careful planning.</p>
 
<p>Until next time when I will discuss multifactor authentication systems, enjoy!</p>]]></description>
<pubDate>Sat, 14 Jun 2008 06:31:17 PST</pubDate></item>
</channel>
</rss>
