Thursday, September 30, 2010
iSCSI SAN for ESX Server - Guide
Build a Cheap iSCSI SAN for ESX Server .
Companies producing storage subsystems for three years now repeat directly connected storage systems (DAS) is not enough flexibility, they create bottlenecks, and at the same time, the time required to administer them fairly large. The future of networked storage systems, which will have a repository anywhere on your network. And iSCSI technology is precisely designed to move storage to a new level. But if iSCSI is so beneficial, why we do not see widespread use? The fact is that except for very expensive infrastructure Fibre Channel, which is required for high-speed solutions, there is also a technical barrier. To understand the reasons for such slow spread of iSCSI, should consider in detail the protocol itself and its evolution.
The iSCSI protocol provides for the encapsulation of data in the IP-packets, which allows transmitting information on existing networks in the same way as in the case of an ordinary locally-attached storage device, such as UltraSCSI. Because of the wide variety of networks, IP (PAN, WLAN, LAN via Ethernet or Fibre Channel, WAN, MAN and LAN), storage area network (storage area network, SAN) based on the iSCSI protocol can easily overcome any distance because it is limited only performance networks used.
With this in mind it is understandable that the SAN is usually not extending beyond the limits of fast networks, which gives the mentioned technical barriers. Memory serving many customers should have the necessary bandwidth for this. Ethernet network at 100 Mbps, for example, could easily cope with iSCSI technically, but her performance is too little. Fibre Channel, by contrast, is too expensive technology for small and medium businesses.
The rapid development of Gigabit Ethernet, in fact, creates the foundation for applications iSCSI. While the most powerful and advanced gigabit network using optical, Gigabit Ethernet over copper will accelerate the transition from direct attached storage to network storage. This infrastructure is backward compatible, and pleasantly pleased its price. iSCSI stands for Internet SCSI, with SCSI, in turn, stands for Small Computer System Interface "(small computer system interface), towering over the other storage interfaces DAS in the professional field.
Connectivity:
The concept of iSCSI has arisen due to the fact that the interfaces such as ATA or SCSI limited to one computer and a maximum length of cable. So the flexibility of business applications, as well as corporate-level tasks is very limited. Ideally, the storage subsystem is better to withdraw from specific servers, to increase flexibility and to avoid bottlenecks. As a result, administrators can add, move, backup, restore and reconfigure the storage system without reference to any servers. And the use of existing network infrastructure for such stores - even a very good idea.
Of course, you can spend several hundred dollars on a SCSI cable or, worse, a lot of money on cables and accessories Fibre Channel. Today, Fibre Channel has become the main interface for professional applications and SAN because of the high bandwidth and large working distance. Indeed, the Fibre Channel connection can extend up to 30 meters in length using twisted copper pairs or up to 10 km during the transition to fiber-optic cable and transmission rate can be 2 Gbps or 4 Gbps. So the Fibre Channel network is quite capable to connect several buildings, while ensuring a very high speed and performance.
In addition, Fibre Channel can connect two devices on a point-point, used in conjunction with switches or work in controlled topologies resembling Token Ring. Finally, the technology is successfully coping with cells (cell) ATM, IP packet or SCSI, using their own frames (they are not compatible with Ethernet). For these reasons, Fibre Channel, and is dominated by the corporate sector.
But the components of Fibre Channel makes sense to buy only high-end environments: data or large databases. Infrastructure can be used as an interface between the hard drives and controllers, or to connect systems and storage units within the SAN (or both at once). However, if your corporate environment does not require extreme speeds, the additional spending meaningless. Why not, then select the Hardware Serial ATA, as well as the infrastructure is not dwell on the Gigabit Ethernet.
Storage
Today, professional storage system developed in the same direction as the printer a few years ago. We used to connect the printer directly to the computer through the parallel port interface or USB. In a corporate environment, printers located in the most convenient places. For example, next to the groups of workers, who often printed, or next to a computer made available for printing.
Then, when there were printers with network interface (same interface with the HP LaserJet JetDirect), made possible a more flexible arrangement and management. And printers have become independent of the computer. Storage systems are moving in the same direction. Today, if a user starts to miss the space, he adds hard drives. However, there were problems with the location and the stored data, available capacity or situations related to the file server downtime.
Indeed, today even small businesses should consider switching from file servers to networked storage (NAS) or flexible storage within a storage area network (SAN). Such networking solutions increase flexibility, scalability, availability. Increase and the possibility of redundancy and the physical location of the server no longer plays a role.
OpenFiler
Openfiler is an operating system based on CentOS and rPath x86 machines designed to convert into a complete NAS or SAN can handle up to 60 TB of data via the web interface you can easily create and manage the functions of storage, using 3 protocols such as NFS, SMB / CIFS, WebDAV, HTTP / 1.1, FTP and iSCSI. Openfiler can be integrated into existing networks using authentication mechanisms such as LDAP, Active Directory, NIS and Hesiod. It 'can also configure various RAID levels (0, 1, 5, 6 and 10).
With Openfiler is an easy-to-use operating system for a file server based on open-source base. Openfiler is a basis for rPath Linux and the installation is more than 15 minutes to be not. The system can be administered via a web user interface. Openfiler supports a variety of popular protocols to store data in the network, for example, CIFS / SMB, NFSv3 and NFSv4, FTP, and WebDAV.
Openfiler 2.3 is presented with a new surface. But even in the non-viewable areas has done a lot. So the system now supports multiple devices for network connectivity and the latest controller from 3ware, Areca, Adaptec and LSI. The Home-shares can be managed using network ACLs and keep the quotas due to new filters better view. iSCSIs (Internet Small Computer System Interface) can manage not only pleasant, but also their capacity to adapt dynamically. FTP and rsync settings can be made from now on a global scale.The easy option is using a open source storage management operating system called as Open Filer. If you want to virtualize correctly, you come to a SAN around, because all the virtualization methods that work with more than one host need a common block backend for data storage, if you called live migration (or VMotion, VMware wants to use).
I had an older server (dual-CPU, 2.4GHz, 2GB RAM, ICP RAID controller, 10 plates, 2xIntel-Gbit NIC) 'left', which I wanted to repurpose the iSCSI target. Earlier I had played once before with IET, the iSCSI Enterprise Target and its counterpart, the open-iSCSI initiator, therefore knows that it is and that the performance is adequate, but I did not feel like the whole lot again manually do so had to produce something finished.
Openfiler is the only known to me ready and cost-neutral solution that provides iSCSI, so the choice was not difficult. Openfiler is an rPath Linux-based NAS / SAN appliance that not only iSCSI, but also other protocols speaks (NFS, SMB / CIFS, FTP, HTTP / WebDAV, etc.)
Installation is quick of hand, negative, I only notice that there is no sensible automatic partition method, but you have to manually create the three partitions (/ boot, swap and /) according to the instructions. If you use this method to automatically partition you have a huge partition for /, but nothing left for the actual task, namely to serve as a filer.
Openfiler Setup:
OpenFiler is an open source NAS that can be installed on a computer no longer used to recover a bit hardware. Just a PC, a small hard drive to install the operating system and one or more large hard drives for use as archival. Installing OpenFiler is very simple. Just download the ISO file from the manufacturer's website , burn it and start the PC boot directly from CD-ROM. The procedure is very similar to those of all other Linux systems currently online. It 'can choose to perform an installation in a chart or in text mode (especially for computer dating or who does not like the graphical interface).
Will be asked the usual things like language, area, disk partitioning (an automated process cannot go nuts with partitions, a procedure manual is available for advanced users), network adapter settings and password for the root user.
After installing just restart your computer (without the CD-ROM) and a text interface will show us that the system is ready to listen and to be administered via the web at https: / / xxx.xxx.xxx . XXX: 446 (instead of xxx enter the IP address of your network card already configured).
From any network location so you can open your favorite browser at that address, accept any notices warning of the connection of insecurity due to the fact that the encrypted connection was made without a certificate generated by certain entities, and you will go to page login. To enter the site configuration openfiler NAS type user name and password as the word password (which can later be changed by the user).
At this point it is necessary to configure the NAS Server. This procedure is suitable for consumers with extensive expert. The manufacturer's site, in addition to the FAQ and documentation, there is also a forum where you can find answers to common configuration problems. For people who need specialized technical assistance is available to buy support packages or manuals directly from the manufacturer.
Steps :
•After installing Openfiler and rebooted, we can connect via Web console for remote administration system.
•Then type in the address bar of your browser: https: / /
•Default user for the administration is openfiler with password
•You will end up in the GUI to admin status page
•From this page you control the hardware monitoring system, its uptime, its average load, etc. .., and access to other configuration pages.
•On this page you can configure system settings such as IP address, networks or VLANs that may have access to storage, set a high-availability/replication partners which replicate data for redundancy, set the clock system, drive a UPS, upgrade and have an access to a shell ssh.
•On this page you can create storage volumes, each with a file system and a possible RAID configuration.
•OpenFiler uses the Linux Logical Volume Manager (LVM ) As a volume manage and supports both ext3, xfs and iscsi. In my particular case I created an entire book that I added later as iscsi storage to my VMware ESX server. Follow a short post on how to add volumes created by openfiler on VMware ESX.
•The next tab is the fee that allows you to precisely set the quota for each volume created, for example if openfiler is used in a corporate environment with different departments within you can allocate a quota of 2GB each user group marketing and differently for each user group's engineering to allocate a quota of 10GB.
•By the share manager can create subdirectories by assigning specific volumes of different network services to share.
•Example: The marketing department essentially uses the Windows client and then their shared network folder is by using only the service openfiler SMB / CIFS, but the department engineering using Linux and Mac clients, so their resources will be shared with Services SMB / CIFS and NFS.
•This example highlights the flexibility, ease of use and power of the excellent Openfiler.
•From the home page of the service manager can enable or disable network services offered by openfiler, for example if you use only as Openfiler NFS server can turn off other services such as SMB / CIFS to save memory to the system.
•You can enable Openfiler to be a target server for iSCSI connections, configure the service to drive a UPS, and then shutdown the system in case of power failure or enable LDAP authentication of the service users, etc.
•Finally there is the account manager that allows you to define the type of authentication.
•You can use Openfiler as LDAP server where users and groups are defined locally, or you can Openfiler can point to an external LDAP server or NT Active Directory to authenticate users / groups.
•One of the most interesting Openfiler is the ability to create a Distributed Replicated Block Device (DRBD) with another Openfiler in a synchronous or asynchronous data backup and High Availability (HA), creating a fault-tolerant data-storage cluster.
Some Conclusion for Openfiler :
•Anticlimax after the reboot: The standard 2.6.19 kernel with smears from 32-bit SMP systems and does not even boot. The problem has been known for a long time, but was not resolved, although it would be easy to create a new Install-CD.
•I get the indication that a uniprocessor kernel in the system you may easily customize the GRUB is the path, and the system also starts.
•Openfiler is administered via a semi-compliant web front end, although the total and forth in the volume management seems a little chaotic to.
•The update of the system can also be done via the interface, but I use the other method a direct SSH login. This is then updated the kernel (the new SMP solves the problem but not too) and then immediately turns off iscsi_trgt.
•If you install this again, will turn one another, not so recent kernels installed, which is present at least once as a non-SMP version.
•Here I also collect first experiences with Conary, the package management of rPath.
SCSI
The hardware used by VMware iSCSI initiator support physical iSCSI host bus adapter (HBA), Qlogic QLA4050 iSCSI HBA e.g. An iSCSI HBA connects to the SAN via Ethernet and TCP / IP network ready. The hardware initiator does not appear in the network configuration of the ESX hosts. Instead, he appears as a storage adapter in the storage configuration.
Functions of the hardware iSCSI initiator :
•ESX Server Boot from iSCSI SAN is only possible with the iSCSI initiator Hardware.
•Multipathing support for failover, but no load balancing
•Support for VMotion, VMware HA and VMware DRS
The configuration of the software iSCSI initiator in VMware ESX requires a VMkernel port and a service console port. Both must be on the same subnet. With ESXi is only one VMkernel port is necessary. The correct configuration of the VMkernel port can be the medium vmkping be reviewed command. When multipathing is defined as the use of multiple independent physical links (paths) between host and storage system. If an active path fails then an alternative path is utilized to connect to maintain. Such a process is called path failover (Failover Path). VMware ESX does not currently support Microsoft MPIO or Multiple Connections per Session. However, there are two options to use multipathing mechanisms.
And the iSCSI connoisseur will immediately recognize this a first error: _ are not allowed in IQNs, however, did not catch the Openfiler, so that one is here only once before the wall. Interestingly, Open-iSCSI is not interested in Linux for it, while Microsoft initiators with a (misleading) error message, but quite rightly, complained.
Discovery with SendTargets was no problem, but after logging onto the target nothing happens. No new record, not a block device, only the terse message that there are now scsi2 host adapter.
Openfiler is an operating system dedicated to network storage, equipped with a management interface accessible via the web. Offers comprehensive storage capabilities, and NAS (Network Attached Storage) and SAN (Storage Area Network) into a single integrated framework. Openfiler uses any standard x86 servers (both 32 and 64 bit) and converts it into a powerful network storage appliance capable of providing cross-platform compatibility in heterogeneous network environments by supporting the most popular storage protocols (e.g. CIFS and NFS), and providing support for Windows, Linux and Unix.
SAN Melody Lite -
SANmelody is software that turns a Windows server platform as a true virtualized storage. In fact, installing SANmelody access services in standard mode SAN iSCSI (Internet Small Computer Systems Interface) or Fibre Channel. Remember iSCSI is a standard for interoperability between different storage systems that otherwise would not be compatible. SANmelody configuration requires a basic entry-level to work. It installs on a server running Windows 2000, XP or Server 2003 with a network interface and including at least 512 MB of RAM. It does not work with 64-bit versions of these operating systems. The software does not differentiate the type of disc used for storage that can be SCSI or Sata.
We can thus implement a storage server comprising inexpensive SATA disks. This is one of the advantages of this solution, the other being the ability to install configurations on older or entry level. For optimal operation of the server, Datacore recommends not to use the disk's boot Windows as storage media. SANmelody Lite is dedicated to small businesses, workgroups and intensive user environments with three or more PCs that need extra disk capacity or move the disk from one system to another. This software uses the iSCSI protocol to allow Windows machines, Apple and UNIX / Linux lack of ability to access additional disk space over a LAN, just like other drives were installed internally, but slow performance, compatibility issues or complexity often associated with network shares.
SANmelody Lite enables users of PC networks, however small they may be, to enjoy the same benefits in terms of flexibility, performance and effective management of those records that were previously the exclusive domain of network administrators Storage (SAN) high-end large companies.
The skills needed to implement SANmelody are minimized, which makes it perfect for small structures. Recall that for SOHO and telecommuters, a variation called SANmelody Lite is available. It is also possible to test a trial version of the software for 30 days. Moreover, it took us less than half an hour to install and implement SANmelody server. In addition to the documentation, including a step-by-step explanation of the installation, we particularly liked its ease of administration. Indeed, the software uses the MMC interface (Microsoft Management Console) to which it integrates.
Once installed, it only remains to allocate the storage space and this is where virtualization. Indeed, resources are shared regardless of physical location. It allocates partitions to servers that are configured to turn back on the score (which actually looks like a volume) that is assigned to them. For storage software solution, SANmelody shown good performance during backups. There is no latency and cache management can be configured to speed up transfers. SANmelody is an excellent alternative to acquiring a dedicated storage array and a great way to recycle older servers with storage servers by adding a few record
SANmelody Lite offers the following advantages:
•It is an inexpensive software that offers the key benefits of SANs, the cost of extra hardware and less.
•It requires only basic Windows skills, he moved easily and quickly.
•It allocates disk or a part of the space of disk drives optimally to each computer over the network.
•SANmelody Lite allows companies to accomplish more tasks over a given period. It utilizes the PC resources to improve the performance of tasks requesting more disks.
•It supports IPSec encryption to secure transactions and manages the audit Mon-client to allow the disk servers to allocate disk space safely, without compromising the confidentiality of data.
•It runs on PCs with Intel and AMD standard Ethernet and Gig-E and all storage devices supported Windows disk (IDE, SCSI, FC, SATA).
•It improves disk management and turns it into service across the network coexist with other Windows services, such as file sharing and printing, with minimal impact.
SANmelody is on the market longer than Open-E iSCSI, and is more powerful solution iSCSI. However, to implement SANmelody need a fully functional server, including the system hard drive and a license for the operating system. In addition, prices for SANmelody comes with $ 1178, which is approximately two times higher than the Open-E iSCSI Enterprise edition. In addition, $ 864 to spend on upgrading, which will provide options to create images and automatic initialization (it will allocate the available capacity dynamically). Nice features. But for supporting multi-terabyte arrays and multiple processors will have to pay more.
Conclusion
Except for the entry-level version, SANmelody supports Fibre Channel and offers a number of functions to which the Open-E is still far: you can specify automatic processing failures (auto failover) and asynchronous replication IP (asynchronous IP replication), which allows you to automatically replicate data over the Internet that is always available to create a mirrored storage. Not a bad idea for applications that require maximum uptime. On the next page you can view a list of available versions. By the way, if SANmelody not be able to meet your needs, then pay attention to SANsymphony. This application is aimed at large-scale enterprises.
Wednesday, September 29, 2010
How to move a DomainController to another site?
this case you need to change the IP of a DC and move it to another AD site
--> Assuming it only has the DC/GC role.... <--
(steps with a @ are not mandatory but is just a safe measure as I have seen some occasions where those steps were needed...)
Steps to change the IP of a DC AND move the DC to another site:
1.@ Create a copy of the NETLOGON.DNS in %WINDIR%\system32\config and rename it to NETLOGON.DNS.TXT and move to another machine or print it (when done you can delete the .OLD file) (also see for an explanation of SRV RRs: http://www.petri.co.il/active_directory_srv_records.htm)
2.@ Deregister the SRV RR for the DC that is going to be moved into another AD site
1.NLTEST /DEDEREGDNS: (e.g. NLTEST /DEDEREGDNS: DCNAME.DOMAIN.COM)
3.@ Stop the NETLOGON service on the DC
1.Use services.msc
OR
2.Use a command prompt with: NET STOP NETLOGON
4.@ Cleanup the SRV RRs that are mentioned in NETLOGON.DNS.TXT but still exist in DNS (scavenging, if enabled, will remove the records but that could take some time and some old records will be replaced by new records)
5.Move the server object of the DC to the other site. Make sure the AD site exists and that the subnets that exist are also defined in AD and assigned to that AD site!
1.Start AD Sites and Services from the command line like: DSSITES.MSC /SERVER:
2.For other steps see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/17af6280-573e-4043-9bd9-96fe3d13f4df.mspx)
6.@ Force OUTBOUND AD replication on the DC that is going to be moved
1.From the command line (options are case sentive!): REPADMIN /SYNCALL/A /e /d /q /P
7.Change the TCP/IP settings (IP address, DNS IP, WINS IP, etc)
8.Shutdown the DC
9.@ Cleanup connections objects on another DC the moved DC has with other DCs and other DCs have with the moved DC (after some time the KCC will do this as it checks it replication topology each 15 min.)
10.@ On each DC where you removed the connection objects run "Check Replication Topology"
1.For steps see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bb462fa2-a889-47f2-869c-2aeb06cfc5bf.mspxand/or http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/f30e2a81-4e9a-454b-9fb5-20f70f6dae10.mspx)
11.Move the DC physically to the other site and turn it on
12.@ Wait at least 5 min. (the KCC runs 5 min. after the DC starts and from that point on it runs each 15 min.) or force the DC to check the replication topology
1.From the command line: REPADMIN /KCC
13.@ Force the registration of its DNS records
1.From the command line: IPCONFIG /REGISTERDNS
2.From the command line (options are case sentive!): NBTSTAT -RR
3.From the command line: NLTEST /DSREGDNS
14.@ Force INBOUND AD replication on the DC that was moved
1.From the command line (options are case sentive!): REPADMIN /SYNCALL/A /e /d /q
15.@ Force OUTBOUND AD replication on the DC that was moved
1.From the command line (options are case sentive!): REPADMIN /SYNCALL/A /e /d /q /P
16.@ Check the health of the DC that was moved
1.From the command line:
1.DCDIAG /V /C /D > DCDIAG_OUTPUT.TXT
2.NETDIAG /V /DEBUG > NETDIAG_OUTPUT.TXT
2.Open DCDIAG_OUTPUT.TXT and NETDIAG_OUTPUT.TXT and check for errors and if any troubleshoot and solve them
3.Also check the event logs
--> Assuming it also has the DNS server role.... <--
If it also has the DNS server role you might need to change:
1.The forwarding configuration of DNS servers that forward DNS requests to the moved DNS server
2.DNS zone delegations from other (parent) DNS servers to the moved DNS server for it DNS zones
3.If applicable don't forget DNS zone specific configurations set by DNSCMD.EXE
4.Etc. etc....
--> Assuming it also has the DHCP server role.... <--
If it also has the DHCP server role you might need to change:
1.Unauthorize it before shutting the server down
1.For steps see: http://technet2.microsoft.com/WindowsServer/en/library/b3a60969-541e-412f-95b9-d609d863039c1033.mspx?mfr=true
2.Additional info:
1.http://support.microsoft.com/?kbid=306925
2.http://support.microsoft.com/?kbid=303351
3.http://technet2.microsoft.com/WindowsServer/en/library/9a4157c4-3c2f-4871-9ffe-7d405781f2cf1033.mspx?mfr=true
2.Authorize it after booting it up again
1.For steps see: http://technet2.microsoft.com/WindowsServer/en/library/9f713d6c-d7e5-42a0-87f7-43dbf86a17301033.mspx?mfr=true
2.Additional info:
1.http://support.microsoft.com/?kbid=306925
2.http://support.microsoft.com/?kbid=303351
3.http://technet2.microsoft.com/WindowsServer/en/library/9a4157c4-3c2f-4871-9ffe-7d405781f2cf1033.mspx?mfr=true
--> Assuming it also has the WINS server role.... <--
If it also has the WINS server role you might need to change:
1.You might need to change the replication partners that replicate with the moved DC for WINS, etc.
--> Other considerations.... <--
Other changes that might be needed:
1.You might also need to change things on other servers like DNS/WINS IPs in TCP/IP settings of those servers if the moved DC hosts DNS/WINS
2.You might need to adjust DHCP scopes if those scopes reference the moved DC if it hosts DNS/WINS
--> In short ;-)).... <--
What I really mean is that you need to look at it from a relation perspective. In other words: what and how is the relation of other servers with the moved server and what and how is the relation of the moved server with other servers.
•this is also a good reference when just changing the IP of the DC!
--> Assuming it only has the DC/GC role.... <--
(steps with a @ are not mandatory but is just a safe measure as I have seen some occasions where those steps were needed...)
Steps to change the IP of a DC AND move the DC to another site:
1.@ Create a copy of the NETLOGON.DNS in %WINDIR%\system32\config and rename it to NETLOGON.DNS.TXT and move to another machine or print it (when done you can delete the .OLD file) (also see for an explanation of SRV RRs: http://www.petri.co.il/active_directory_srv_records.htm)
2.@ Deregister the SRV RR for the DC that is going to be moved into another AD site
1.NLTEST /DEDEREGDNS:
3.@ Stop the NETLOGON service on the DC
1.Use services.msc
OR
2.Use a command prompt with: NET STOP NETLOGON
4.@ Cleanup the SRV RRs that are mentioned in NETLOGON.DNS.TXT but still exist in DNS (scavenging, if enabled, will remove the records but that could take some time and some old records will be replaced by new records)
5.Move the server object of the DC to the other site. Make sure the AD site exists and that the subnets that exist are also defined in AD and assigned to that AD site!
1.Start AD Sites and Services from the command line like: DSSITES.MSC /SERVER:
2.For other steps see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/17af6280-573e-4043-9bd9-96fe3d13f4df.mspx)
6.@ Force OUTBOUND AD replication on the DC that is going to be moved
1.From the command line (options are case sentive!): REPADMIN /SYNCALL
7.Change the TCP/IP settings (IP address, DNS IP, WINS IP, etc)
8.Shutdown the DC
9.@ Cleanup connections objects on another DC the moved DC has with other DCs and other DCs have with the moved DC (after some time the KCC will do this as it checks it replication topology each 15 min.)
10.@ On each DC where you removed the connection objects run "Check Replication Topology"
1.For steps see: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bb462fa2-a889-47f2-869c-2aeb06cfc5bf.mspxand/or http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/f30e2a81-4e9a-454b-9fb5-20f70f6dae10.mspx)
11.Move the DC physically to the other site and turn it on
12.@ Wait at least 5 min. (the KCC runs 5 min. after the DC starts and from that point on it runs each 15 min.) or force the DC to check the replication topology
1.From the command line: REPADMIN /KCC
13.@ Force the registration of its DNS records
1.From the command line: IPCONFIG /REGISTERDNS
2.From the command line (options are case sentive!): NBTSTAT -RR
3.From the command line: NLTEST /DSREGDNS
14.@ Force INBOUND AD replication on the DC that was moved
1.From the command line (options are case sentive!): REPADMIN /SYNCALL
15.@ Force OUTBOUND AD replication on the DC that was moved
1.From the command line (options are case sentive!): REPADMIN /SYNCALL
16.@ Check the health of the DC that was moved
1.From the command line:
1.DCDIAG /V /C /D > DCDIAG_OUTPUT.TXT
2.NETDIAG /V /DEBUG > NETDIAG_OUTPUT.TXT
2.Open DCDIAG_OUTPUT.TXT and NETDIAG_OUTPUT.TXT and check for errors and if any troubleshoot and solve them
3.Also check the event logs
--> Assuming it also has the DNS server role.... <--
If it also has the DNS server role you might need to change:
1.The forwarding configuration of DNS servers that forward DNS requests to the moved DNS server
2.DNS zone delegations from other (parent) DNS servers to the moved DNS server for it DNS zones
3.If applicable don't forget DNS zone specific configurations set by DNSCMD.EXE
4.Etc. etc....
--> Assuming it also has the DHCP server role.... <--
If it also has the DHCP server role you might need to change:
1.Unauthorize it before shutting the server down
1.For steps see: http://technet2.microsoft.com/WindowsServer/en/library/b3a60969-541e-412f-95b9-d609d863039c1033.mspx?mfr=true
2.Additional info:
1.http://support.microsoft.com/?kbid=306925
2.http://support.microsoft.com/?kbid=303351
3.http://technet2.microsoft.com/WindowsServer/en/library/9a4157c4-3c2f-4871-9ffe-7d405781f2cf1033.mspx?mfr=true
2.Authorize it after booting it up again
1.For steps see: http://technet2.microsoft.com/WindowsServer/en/library/9f713d6c-d7e5-42a0-87f7-43dbf86a17301033.mspx?mfr=true
2.Additional info:
1.http://support.microsoft.com/?kbid=306925
2.http://support.microsoft.com/?kbid=303351
3.http://technet2.microsoft.com/WindowsServer/en/library/9a4157c4-3c2f-4871-9ffe-7d405781f2cf1033.mspx?mfr=true
--> Assuming it also has the WINS server role.... <--
If it also has the WINS server role you might need to change:
1.You might need to change the replication partners that replicate with the moved DC for WINS, etc.
--> Other considerations.... <--
Other changes that might be needed:
1.You might also need to change things on other servers like DNS/WINS IPs in TCP/IP settings of those servers if the moved DC hosts DNS/WINS
2.You might need to adjust DHCP scopes if those scopes reference the moved DC if it hosts DNS/WINS
--> In short ;-)).... <--
What I really mean is that you need to look at it from a relation perspective. In other words: what and how is the relation of other servers with the moved server and what and how is the relation of the moved server with other servers.
•this is also a good reference when just changing the IP of the DC!
Sunday, September 26, 2010
Installing WSUS 3.0 Server in Windows Server 2008 SP2
Today I'll show you how to install a WSUS 3.0 server on Windows Server 2008 R2 x64. WSUS is a system of distribution and reporting of Microsoft patches. I perform a simple implementation, WSUS can be installed on Windows XP, Windows Server 2003 Windows Server 2008 but now comes as a role and we just download a program to make the reports (Let me explain then.) It can be installed on a local database included in the WSUS or you can even install a SQL server and install the database locally or remotely.
WSUS it will ride on a computer with 1 GB of RAM, 1 CPU and 2 disks (C: \ 20 GB to host operating system, database and page file and D: \ 20 GB where downloaded patches will be placed by default) . With these specifications we have a system update patches for about 300 servers. In the event that the server farm or Workstation you please update from WSUS is higher you will have to create the disk d: \ with a larger size, I recommend that installs SQL Server to host the database on it and you put the base course Data in D: \ as well. DO NOT have to spend.
Start from a base operating system with Windows Server 2008 R2 X64. In the previous article you may know as the base. (In case you do not be a BASE not worry, the steps are exactly the same to install WSUS, but remove from ROLES screen instead of from the beginning of the article (not complicated so do not be alarmed).
Start your machine from the BASE.
After setting the language, click on next. The following screen will appear :
Mark I accept the Licence Terms and Start.
Put the password and click on the blue icon.
Click on OK. Now we have the system booted.
Now change the server name, ip and configure an insert in the domain, remember that the name will have the link to customers so they can download the patches. Ie I move you that we will create a group policy in domain controller and assign it to an OU setting where the server will download the updates that will be created. For example, the server name might be LocalWindowsUpdate. I only say this so that no misunderstanding in the client configuration.
This is where the process really begins Role WSUS installation. First of all we have Internet connection to allow the program to install properly. To test the following file will download and install from the link below:
http://www.microsoft.com/downloads/e...displaylang=en
When we are sure that the server has access to internet:
Click on Add roles
Mark Windows Server Update Services.
Click on Add Required Role Services
nxt
Now modify the unit for which you better go and click on Next.
This screen shows the possibility of letting the web server operating on port 80 or change it by 8530, if the same server and a web server disposals might interest you select the latter option, otherwise click on Next.
We review the summary and click on Next.
Click on Finish.
Depending on whether or not you have automatic updates enabled you see this warning. I will activate it from the control panel and go. Click on Close to complete the installation.
WSUS it will ride on a computer with 1 GB of RAM, 1 CPU and 2 disks (C: \ 20 GB to host operating system, database and page file and D: \ 20 GB where downloaded patches will be placed by default) . With these specifications we have a system update patches for about 300 servers. In the event that the server farm or Workstation you please update from WSUS is higher you will have to create the disk d: \ with a larger size, I recommend that installs SQL Server to host the database on it and you put the base course Data in D: \ as well. DO NOT have to spend.
Start from a base operating system with Windows Server 2008 R2 X64. In the previous article you may know as the base. (In case you do not be a BASE not worry, the steps are exactly the same to install WSUS, but remove from ROLES screen instead of from the beginning of the article (not complicated so do not be alarmed).
Start your machine from the BASE.
After setting the language, click on next. The following screen will appear :
Mark I accept the Licence Terms and Start.
Put the password and click on the blue icon.
Click on OK. Now we have the system booted.
Now change the server name, ip and configure an insert in the domain, remember that the name will have the link to customers so they can download the patches. Ie I move you that we will create a group policy in domain controller and assign it to an OU setting where the server will download the updates that will be created. For example, the server name might be LocalWindowsUpdate. I only say this so that no misunderstanding in the client configuration.
This is where the process really begins Role WSUS installation. First of all we have Internet connection to allow the program to install properly. To test the following file will download and install from the link below:
http://www.microsoft.com/downloads/e...displaylang=en
When we are sure that the server has access to internet:
Click on Add roles
Mark Windows Server Update Services.
Click on Add Required Role Services
nxt
Click on Install
Mark I accept the terms of the license agreement and click on Next.
Here we put the path where you downloaded the Updates. Think of holding a lot and think they are the patches for each language you have in your organization. (I recommend storing it in a drive other than C: \ and thus you can expand at your whim (Remember that Windows Server 2008 now you can resize partitions directly from Windows)).
If not enough space disposable, you also have the option to uncheck the Store updates locally but every time that you have to upgrade a computer to download these patches from Windows Update and the bandwidth of the line is affected. Now modify the unit for which you better go and click on Next.
This screen shows the possibility of letting the web server operating on port 80 or change it by 8530, if the same server and a web server disposals might interest you select the latter option, otherwise click on Next.
We review the summary and click on Next.
Click on Finish.
Depending on whether or not you have automatic updates enabled you see this warning. I will activate it from the control panel and go. Click on Close to complete the installation.
Basic Steps To Secure Network Infrastructure
Basic Steps To Secure Network Infrastructure
Securing your network infrastructure is a process, not a task. It is something that, once started, does not end. You must remain constantly vigilant to the threats against your network and continuously undertake actions to prevent any compromises. Because of the scale of the undertaking, hardening your network infrastructure is not an endeavor you should undertake lightly.
Depending on the size and complexity of your environment, you might spend weeks or even months planning before you make any changes. At the same time, if you are looking at how to harden your network, you probably recognize that you have security issues that need to be addressed, even if you aren’t sure exactly what those issues are or how to fix them. This can put you in a bind in that you may have issues that really need to be addressed immediately, before the full-scale hardening process begins.
So what are some things you should do immediately, right now, without any hesitation?
In this guide, we will look at six things you should do right now, before you do anything else.
There are many tasks you can perform as part of the systematic hardening process. These are all generally big-ticket items—for example, hardening your routers and switches or implementing DMZs and perimeter network devices. These tasks take time, sometimes months from the initial planning and design phase to the implementation. Although all these tasks are necessary, you should undertake six tasks, in particular, before you do anything else on your network.
Review your network design - If you don’t know what your network design looks like, how your devices are interconnected, how the data flows in your enterprise, you will never be able to successfully protect your network. The first step to hardening your network is to understand it.
Implement a firewall - If you don’t have a firewall, stop reading this guide right now and go buy or build one and implement it on your network. I’m deadly serious here. Implementing a firewall has the most impact of any task you can perform for hardening your network infrastructure because it allows you to define a perimeter. NGFW will helps visibility , application identity , more advance threat defense features .
Implement access control lists (ACLs) - You should be restricting and controlling all traffic entering and exiting your network from the outside world. At the same time, you should be restricting traffic between internal network segments. If there isn’t a business justification for the traffic, block it. You should be filtering traffic with ACLs not only on your external firewalls and routers, but on your internal firewalls and routers as well.
Turn off unnecessary features and services - Although traditionally the realm of servers and applications, unnecessary services equally plague your network infrastructure devices. If you don’t have a reason to be running a particular service on your network equipment, don’t do it.
Implement virus protection - Today’s worms and viruses, though directed at applications and computers, have the uncanny side effect of often causing Distributed Denial of Service (DDoS) attacks against routers and switches because of how they attempt to replicate. The easiest way to protect against these kinds of attacks is to ensure that every system from Windows to Unix, desktop to server, runs virus protection. Don’t forget to implement virus protection on your gateway devices, such as SMTP gateways, to prevent email–based viruses and worms as well.
Good APT Solutions like PA Traps/ CarbonBlack /Fireeye Endpoint Security Engine will helps latest threats and it can identify threats before it get infected/Exploited /
Secure your wireless connections - Wireless connectivity presents a unique problem to securing your network. If you aren’t sure why you are running wireless, turn it off. Revisit the issue once you know why you are implementing a wireless network. If you have to run wireless, ensure that you implement encryption and authentication to prevent unauthorized users from connecting and/or intercepting and reading your wireless communications.
Review Your Network Design
“In order to know where you are going, you have to know where you came from.” This is true for hardening your network infrastructure. In order to effectively protect your resources, you must know how your network is designed. You must know how your routers are interconnected, where your network ingress points are, where your various resources are located, and so on. Only once you know this information you can effectively protect those resources. In addition, if your network does become compromised, knowing how everything is connected will help you in determining how to recover from it or how to isolate the problem to specific network segments. At the same time, I’m not proposing that the first thing you should do is redesign your network. Remember, we are looking at things you can do right now to make an immediate impact on the security of your network.
Because every network is different, it is impossible for me to provide you a comprehensive review of a network design. I can, however, provide you with 21 questions you should be asking as you review your network design. These questions will help you better understand where and how your network can be hardened.
Where are your Internet connections? Today’s networks commonly have multiple Internet connections. Review your network design and identify all your Internet connections. These can range from your enterprise Internet connection to a backup/redundant connection for your company, all the way down to a DSL or cable modem connection used as a temporary backup exclusively for your sales force. Be prepared to locate “surprises,” such as unauthorized connections to your network in executive suites. Identify these ingress points because those are where you will implement your firewalls.
Where are your external connections? External connections range from traditional frame relay and ATM connections to dedicated serial T1/T3 lines to the Internet connections addressed previously. They are typically used to connect remote offices or external business partners. These are all potential ingress points on your network. Consequently, you need to implement firewalls at those connections as well as potentially employ encryption for the data traversing them.
What networks/subnets are you using? Identify the IP addressing scheme and the location of all your subnets. Are you using dynamic addressing products and protocols such as VitalQIP and DHCP? DHCP networks, although they provide significant ease of resource addressing, create a security issue. Anyone can connect to your DHCP network and immediately begin attempting to gain access to your network resources by exploiting weak security that might exist elsewhere on your network.
What routing protocols are you employing? The routing protocols you use will identify the methods you can implement to protect those protocols. The steps you take to harden Routing Information Protocol (RIP), for example, are not necessarily the same as the steps to harden Open Shortest Path First (OSPF). Are you redistributing routes between protocols? Knowing what protocols you are running, where they are running, and how they are configured will dictate how to harden the protocols.
Are you running Spanning Tree Protocol? Spanning Tree Protocol, like your routing protocols, contains a tremendous amount of information about your network that any hacker would give his two front teeth to get. Identify where you are running Spanning Tree Protocol so that you can decide whether you need to be running it in that location.
Where is your Intrusion Detection/Protection System (IDS/IPS) located? You need to know what you are monitoring for and where you are monitoring. Are you only monitoring with network-based intrusion detection systems (NIDSs) or are you also using host-based intrusion detections systems (HIDSs)? Where are you performing these functions, and more important, where are you not?
Where are you performing content filtering? Knowing where and how you are performing content filtering is critical in preventing web-based exploits from entering your network. This is commonly done at your Internet connections, but it might make sense for you to do this in other locations, such as between extranet partners.
Are you implementing NAT, and where are you implementing NAT? Network Address Translation (NAT) is commonly implemented at your Internet connections; however, with growth and acquisitions, companies are using NAT on their internal network segments more and more. NAT can present problems with IPsec encryption as well as increased network complexity. Knowing where you are implementing NAT can illustrate areas of your network that you need to keep an eye on, in particular, to make sure NAT is working securely and properly.
What VLANs are in use? Virtual Local Area Networks (VLANs) can be a saving grace to large networks, making it much easier to logically separate resources. At the same time, VLANs can dramatically increase the complexity of a network, consequently allowing security problems to be hidden by the complexities of the VLAN. A common example of this is having VLANs for networks of different security levels (that is, inside and outside or inside and DMZ) running on the same switch fabric. This is a bad thing because switches have historically shown a propensity to allow traffic to traverse between VLANs when it shouldn’t. Knowing where you have VLANs will help you harden those VLANs
Where is your server resources located? If your server resources are located on a dedicated subnet away from your users, it’s much easier to implement ACLs or similar filters to protect those resources. Knowing where your critical server resources are located will allow you to strategize a method to protect those resources.
Do you provide VPN/remote access connectivity? VPN/remote access connectivity is one of the biggest threats to your network’s security posture. This is due in large part to the fact that you rarely have control of the equipment that is connecting via your VPN connections. Employee’s home networks are rarely protected as they should be, and when those systems connect via VPN to your corporate network, it becomes susceptible to compromise. Knowing where your VPN/remote access connectivity occurs allows you to focus on where to protect against remote exploits.
What vendor’s equipment are you using? Different vendors are susceptible to different exploits. Likewise, different vendors implement different methods to secure their equipment. Knowing what vendor’s equipment you have on your network will allow you to develop a reasonable policy for hardening that equipment.
What network devices are you using? Routers require different security measures than switches do. Switches require different security measures than hubs do. By identifying the devices employed on your network, you can develop a security policy that addresses the specific issues of each device type on your network.
What are your device naming conventions? Although a relatively mundane item, device naming conventions can be a real problem in large environments where you need to figure out what a device is or where it might be located by name alone. Using names of fish and trees, as one company I worked at, serves only to make identifying where a problem or security issue is occurring much more difficult than it needs to be. At the same time, using names that lead people to critical or sensitive servers or resources can also be an issue. You need to strike a balance between function and anonymity.
What circuit types do you employ? Point-to-point connections and frame relay connections require different methods of hardening. Identifying the various circuit types you are using will allow you to define a policy that doesn’t overlook a circuit type.
What network protocols and standards are in use? Are you using Hot-Swap Router Protocol (HSRP)? What about Data-Link Switching (DLSw)? Do you still need to run Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)? By examining the network protocols and standards in use on your network, you can identify security issues unique to each protocol or standard.
Do you have dedicated management segments? Using dedicated management segments is one of the best methods to protect your devices from remote management exploits. Where are these segments, and most important, who has access to them? Knowing this information will help ensure that people do not inadvertently gain management access to your equipment.
Where are your critical segments? Backbone connections, critical Line of Business (LOB) segments, human resources (HR) segments, and so on, need to be identified so that you can ensure not only that the data on those segments is protected, but that those segments are reliable and redundant. Connections between subnets and segments—particularly critical subnets and segments—represent locations where filtering and access lists should be implemented to protect those subnets and segments
What kind of AAA mechanism are you using on your network? Are you using common passwords (for example, enable secret passwords) or are you performing user-based authentication? Do you have RADIUS or TACACS+ for authentication, authorization, and accounting?
What kind of enterprise monitoring/management products are you using? Many management protocols such as SNMP and Syslog transmit their data in an unencrypted and therefore insecure fashion. Identifying what management products you are using, where they are located, and what devices they communicate with will allow you to determine the most effective method for securing the traffic.
Where are your wireless connections? Wireless represents a significant security issue on a corporate network. Know where you have wireless access points set up so that you can identify and secure that access.
Implement a Firewall
If you can do nothing else to harden your network, you need to implement a firewall. The reason for this is simple: a firewall is the single device that can do more to keep unauthorized traffic from entering a network than any other device. Now you might have heard that firewalls aren’t effective anymore because so many things use port 80 to pass traffic; however, those situations are a small, small portion of all the threats that exist from which a firewall can protect you. In addition, when implementing an application-filtering firewall, you can gain the ability to filter application content, identifying legitimate web requests from illegitimate web requests. Finally, remember that a firewall, although the best single choice you can make, is most effective as a component of security, being complemented by an intrusion detection/prevention system (IDS/IPS) and content filters.
Although many folks think of a firewall as something used to protect their network from Internet-based threats do not overlook the value of using firewalls at other locations on your network. For example, you can use a firewall on your WAN perimeter to filter traffic to and from frame relay or point-to-point circuit connections across a public internetwork. Likewise, you can implement a firewall to filter traffic between internal LAN segments, protecting critical business resources such as HR servers and application servers from unauthorized traffic. There are a few types of firewalls to consider:
Application proxies
Stateful packet-inspecting/filtering gateways
Hybrid firewalls
1. Application Proxies
Application proxies are identified by their ability to read and process an entire packet to the application level and make filtering decisions based on the actual application data, not just the packet header. Application proxies receive all incoming packets and completely decode them to the Application layer. The actual application data can then be scrutinized to determine whether it is legitimate data. If this data is legitimate, the firewall will rebuild the packet and forward it accordingly. Because of this capability, application proxy firewalls can apply a significant amount of intelligence before making a filtering decision.
One drawback is that this type of filtering introduces latency to network communications and requires significant amounts of processing power. Another drawback is that unless the firewall has the proxy capability for a given protocol or service, it might not be able to facilitate communications with the given protocol or service. Secure Computing Sidewinder G2, Microsoft’s Internet Security & Acceleration (ISA) Server 2000, CyberGuard firewall/VPN appliances, and Symantec Enterprise Firewall are examples of application proxy firewalls.
2. Stateful Packet-Inspecting/Filtering Gateways
Packet-inspecting/filtering gateways are generally not able to process the packet to the application level to make a filtering decision. Instead, packet-inspecting/filtering gateways tend to process the data to the Network/Transport layer and make filtering decisions based on the protocol and port numbers contained in the packet header only. Packet-inspecting/filtering gateways also typically implement a stateful packet inspection model, which allows the firewall to maintain a record of the state of all conversations occurring through the firewall, automatically permitting responses for legitimate outbound requests. IPtables, IPchains, SonicWALL, Clavister, and many of your SOHO firewalls such as Linksys and D-Link are examples of packet-inspecting/filtering gateways
3. Hybrid Firewalls
Now-a-days most of the firewalls fall into the hybrid category. Although they typically perform stateful packet filtering/inspecting for making most filtering decisions, they may have some application proxy functionalities built in for specific high-risk protocols and services such as HTTP and FTP. Most of the firewalls on the market today are hybrid firewalls. Examples of hybrid firewalls are Check Point Firewall-1 NG, Cisco Secure PIX, and Netscreen Deep Inspection Firewall.
Which Firewall Should You Implement?
There is no right answer as to which firewall to use for your environment. This is one of the rare cases when I really can’t give you a definitive answer. You will need to make a decision based on your requirements and your environment. For example, if you require extremely high throughput, a packet-filtering firewall would be a good choice to implement. If you are using standard protocols and require the most rigorous application inspection, an application proxy would be a good choice to implement. In some environments, you might even need both—a packet-filtering firewall to perform initial packet inspection on all traffic, and an application proxy behind that to perform the more detailed application filtering. Regardless of which type of firewall you decide is best for your environment, however, if you do not currently have a firewall, make sure you get one. Any of the firewalls mentioned are better than having none at all.
Implement Access Control Lists
Properly implemented access control lists (ACLs) on your routers provide packet-filtering capabilities without the stateful functionality of a full-featured firewall. Consequently, I think of ACLs on routers as being part of a firewall system, where the router is performing initial packet-filtering functionality in front of a firewall that is providing the full-bore stateful filtering or application proxy functionality.
Here are some types of access you should filter with your ACLs immediately:
Block RFC1918 addresses at your perimeter, including the following:
0.0.0.0/8
10.0.0.0/8
169.254.0.0/16
172.16.0.0/20
192.168.0.0/16
Block bogon addresses - The term bogon refers to packets addressed to/from a bogus network. Bogons represent the addresses that have not been allocated by the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs) to Internet service providers (ISPs) or organizations for use. A current list of bogon networks can be found at http://www.iana.org/assignments/ipv4-address-space. Any entry with the term “reserved” or “unallocated” should be blocked as a bogon. You will need to periodically update the bogons you are blocking because those addresses get assigned to legitimate ISPs and organizations for use.
Implement spoof protection
Implement TCP SYN attack protection
Implement LAND attack protection
Implement Smurf attack protection
Block multicast traffic if it is not needed.
Implement ACLs to control Virtual Type Terminal (VTY) access (Telnet and SSH).
Implement ACLs to control who can manage the router via SNMP
Turn Off Unnecessary Features and Services
One point of security that has been hammered on within the desktop/server world is the need to turn off unnecessary services. Unfortunately, people commonly overlook the fact that it is not just the desktops and servers that are potentially running unnecessary services—your network devices are also likely doing this. Here is a list of services you should look for on your network equipment and turn off if you are not actively using them:
Cisco Discovery Protocol (CDP)
TCP and UDP small servers
Finger server
HTTP server
Bootp server
Network Time Protocol (NTP) service
Simple Network Management Protocol (SNMP) services
Configuration auto-loading
IP source routing
Proxy ARP
IP directed broadcast
IP unreachable, redirects, and mask replies
Router name and DNS name resolution services
Implement Virus Protection
Virus protection and implementing virus protection typically fall within the realm of the server/desktop administrator. Indeed, in large environments, if you are responsible for the network infrastructure, you may never be involved in any virus-protection discussions. Unfortunately, today’s worms and viruses are having a larger impact on the network infrastructure, which means you need to become concerned with the status of virus protection on your network. In addition, you can install virus-protection gateway devices and virus-protection applications in conjunction with your existing firewalls and gateways to prevent viruses from entering your network. You should be involved in advocating these systems being implemented.
The methods that many of the worms use to self-replicate (for example, by scanning an entire subnet and attempting to connect to every IP address on that subnet) have the uncanny ability to result in a denial of service (DoS) on many routers. The reason for this is pretty straightforward. When a router receives a packet destined for a subnet that it is directly connected to, the router will generate an ARP request for the destination MAC address. In the case of these worms, often the destination is not online, but the router has no way of knowing this and issues the ARP request anyway. The router then must wait for a response, or wait for the ARP request to time out before it can drop the packet in question. As the router gets hit with thousands of these requests, it fills its buffers and input/output queues with these packets waiting for the timeout periods to occur. Often this consumes the entire free RAM on a router. The end result is that the router starts dropping legitimate traffic because it cannot queue the traffic, and/or the router will no longer accept VTY sessions because it does not have enough free RAM to house those sessions. Both of these circumstances result in a DoS against the router. In fact, when you think about it, the way that these worms work is a great example of just how effective a distributed denial of service (DDoS) attack can be.
If you are not running virus protection on all your systems—Windows, Unix, Linux, and Macintosh based—you need to be.
Don’t forget your gateway virus protection when talking about implementing virus protection on all your systems. This allows you to catch and stop a significant amount of viruses attempting to enter your network at your network ingress points. TrendMicro, Network Associates, and Symantec all have gateway virus protection you can implement. Don’t overlook the value of implementing virus protection on your gateways and firewalls.
The only way to effectively prevent your network from being susceptible to virus- and worm-based DDoS attacks is to keep the systems that propagate the worms from being infected in the first place and to attempt to prevent the viruses from entering your network to begin with.
Secure Your Wireless Connections
What you can do right now is to locate and remove all wireless access points that you do not need or did not plan properly. This may sound like a little bit of overkill, but it isn’t. If you have not developed a wireless security plan and implemented your wireless network by restricting IP addresses and implementing encryption and authentication, you need to unplug everything and start all over again building a secure wireless network. If you must run wireless, you can do the following four tasks to harden your wireless network against attack:
Require a written wireless security policy that allows only IT supported wireless products that are only implemented by IT. If an employee goes out and buys the latest, cheapest personal wireless access point or router, that should be grounds for dismissal.
Only allow authorized MAC addresses to connect to your wireless network
Require Wired Equivalent Privacy (WEP), WiFi Protected Access (WPA), or 802.11i for encryption. Be aware that WEP has been compromised, but is better than clear text.
Require authentication via shared secret key, 802.1x, RADIUS authentication, or certificates as supported by your devices.
Summary
Securing your network infrastructure is going to be a long process that involves examining all your network infrastructure equipment and evaluating what vulnerabilities exist as well as identifying how to harden your equipment against those vulnerabilities. However, you can undertake six tasks to start making an immediate impact on the security of your network.
First, you must review your network design so that you know what you are dealing with. This will serve as a roadmap of what needs to be done. Next, you need to implement a firewall. A firewall is the best thing you can introduce into your environment to address security. After that, you should implement ACLs on your equipment. Restrict not only the traffic that can pass through the system, but also who has access to the system. At the same time, review all your network equipment and ensure that any unnecessary services and features have been turned off or disabled. Protocols like Spanning Tree Protocol are very good at what they do, but if you do not need that functionality, turn those features off. Although likely not in the realm of the network infrastructure engineer; virus protection can make your life much easier. Insist that virus protection be installed and configured on all systems in your enterprise. Also, make sure there is a regular schedule for updating the virus signatures and scanning engine to protect against new viruses. Last but not least, secure your wireless connections. Wireless today is really just an open door to your network, inviting unauthorized access to anyone who happens to be in range of your wireless access point. If you don’t need wireless access, don’t use it. If you do, make sure you have properly secured your wireless access points. If you aren’t sure whether your wireless access points are secured, turn them off and start again.
Security is a complex process; however, these six tasks are all relatively easy to perform and will make an immediate and noticeable impact on your overall security posture
Securing your network infrastructure is a process, not a task. It is something that, once started, does not end. You must remain constantly vigilant to the threats against your network and continuously undertake actions to prevent any compromises. Because of the scale of the undertaking, hardening your network infrastructure is not an endeavor you should undertake lightly.
Depending on the size and complexity of your environment, you might spend weeks or even months planning before you make any changes. At the same time, if you are looking at how to harden your network, you probably recognize that you have security issues that need to be addressed, even if you aren’t sure exactly what those issues are or how to fix them. This can put you in a bind in that you may have issues that really need to be addressed immediately, before the full-scale hardening process begins.
So what are some things you should do immediately, right now, without any hesitation?
In this guide, we will look at six things you should do right now, before you do anything else.
There are many tasks you can perform as part of the systematic hardening process. These are all generally big-ticket items—for example, hardening your routers and switches or implementing DMZs and perimeter network devices. These tasks take time, sometimes months from the initial planning and design phase to the implementation. Although all these tasks are necessary, you should undertake six tasks, in particular, before you do anything else on your network.
Review your network design - If you don’t know what your network design looks like, how your devices are interconnected, how the data flows in your enterprise, you will never be able to successfully protect your network. The first step to hardening your network is to understand it.
Implement a firewall - If you don’t have a firewall, stop reading this guide right now and go buy or build one and implement it on your network. I’m deadly serious here. Implementing a firewall has the most impact of any task you can perform for hardening your network infrastructure because it allows you to define a perimeter. NGFW will helps visibility , application identity , more advance threat defense features .
Implement access control lists (ACLs) - You should be restricting and controlling all traffic entering and exiting your network from the outside world. At the same time, you should be restricting traffic between internal network segments. If there isn’t a business justification for the traffic, block it. You should be filtering traffic with ACLs not only on your external firewalls and routers, but on your internal firewalls and routers as well.
Turn off unnecessary features and services - Although traditionally the realm of servers and applications, unnecessary services equally plague your network infrastructure devices. If you don’t have a reason to be running a particular service on your network equipment, don’t do it.
Implement virus protection - Today’s worms and viruses, though directed at applications and computers, have the uncanny side effect of often causing Distributed Denial of Service (DDoS) attacks against routers and switches because of how they attempt to replicate. The easiest way to protect against these kinds of attacks is to ensure that every system from Windows to Unix, desktop to server, runs virus protection. Don’t forget to implement virus protection on your gateway devices, such as SMTP gateways, to prevent email–based viruses and worms as well.
Good APT Solutions like PA Traps/ CarbonBlack /Fireeye Endpoint Security Engine will helps latest threats and it can identify threats before it get infected/Exploited /
Secure your wireless connections - Wireless connectivity presents a unique problem to securing your network. If you aren’t sure why you are running wireless, turn it off. Revisit the issue once you know why you are implementing a wireless network. If you have to run wireless, ensure that you implement encryption and authentication to prevent unauthorized users from connecting and/or intercepting and reading your wireless communications.
Review Your Network Design
“In order to know where you are going, you have to know where you came from.” This is true for hardening your network infrastructure. In order to effectively protect your resources, you must know how your network is designed. You must know how your routers are interconnected, where your network ingress points are, where your various resources are located, and so on. Only once you know this information you can effectively protect those resources. In addition, if your network does become compromised, knowing how everything is connected will help you in determining how to recover from it or how to isolate the problem to specific network segments. At the same time, I’m not proposing that the first thing you should do is redesign your network. Remember, we are looking at things you can do right now to make an immediate impact on the security of your network.
Because every network is different, it is impossible for me to provide you a comprehensive review of a network design. I can, however, provide you with 21 questions you should be asking as you review your network design. These questions will help you better understand where and how your network can be hardened.
Where are your Internet connections? Today’s networks commonly have multiple Internet connections. Review your network design and identify all your Internet connections. These can range from your enterprise Internet connection to a backup/redundant connection for your company, all the way down to a DSL or cable modem connection used as a temporary backup exclusively for your sales force. Be prepared to locate “surprises,” such as unauthorized connections to your network in executive suites. Identify these ingress points because those are where you will implement your firewalls.
Where are your external connections? External connections range from traditional frame relay and ATM connections to dedicated serial T1/T3 lines to the Internet connections addressed previously. They are typically used to connect remote offices or external business partners. These are all potential ingress points on your network. Consequently, you need to implement firewalls at those connections as well as potentially employ encryption for the data traversing them.
What networks/subnets are you using? Identify the IP addressing scheme and the location of all your subnets. Are you using dynamic addressing products and protocols such as VitalQIP and DHCP? DHCP networks, although they provide significant ease of resource addressing, create a security issue. Anyone can connect to your DHCP network and immediately begin attempting to gain access to your network resources by exploiting weak security that might exist elsewhere on your network.
What routing protocols are you employing? The routing protocols you use will identify the methods you can implement to protect those protocols. The steps you take to harden Routing Information Protocol (RIP), for example, are not necessarily the same as the steps to harden Open Shortest Path First (OSPF). Are you redistributing routes between protocols? Knowing what protocols you are running, where they are running, and how they are configured will dictate how to harden the protocols.
Are you running Spanning Tree Protocol? Spanning Tree Protocol, like your routing protocols, contains a tremendous amount of information about your network that any hacker would give his two front teeth to get. Identify where you are running Spanning Tree Protocol so that you can decide whether you need to be running it in that location.
Where is your Intrusion Detection/Protection System (IDS/IPS) located? You need to know what you are monitoring for and where you are monitoring. Are you only monitoring with network-based intrusion detection systems (NIDSs) or are you also using host-based intrusion detections systems (HIDSs)? Where are you performing these functions, and more important, where are you not?
Where are you performing content filtering? Knowing where and how you are performing content filtering is critical in preventing web-based exploits from entering your network. This is commonly done at your Internet connections, but it might make sense for you to do this in other locations, such as between extranet partners.
Are you implementing NAT, and where are you implementing NAT? Network Address Translation (NAT) is commonly implemented at your Internet connections; however, with growth and acquisitions, companies are using NAT on their internal network segments more and more. NAT can present problems with IPsec encryption as well as increased network complexity. Knowing where you are implementing NAT can illustrate areas of your network that you need to keep an eye on, in particular, to make sure NAT is working securely and properly.
What VLANs are in use? Virtual Local Area Networks (VLANs) can be a saving grace to large networks, making it much easier to logically separate resources. At the same time, VLANs can dramatically increase the complexity of a network, consequently allowing security problems to be hidden by the complexities of the VLAN. A common example of this is having VLANs for networks of different security levels (that is, inside and outside or inside and DMZ) running on the same switch fabric. This is a bad thing because switches have historically shown a propensity to allow traffic to traverse between VLANs when it shouldn’t. Knowing where you have VLANs will help you harden those VLANs
Where is your server resources located? If your server resources are located on a dedicated subnet away from your users, it’s much easier to implement ACLs or similar filters to protect those resources. Knowing where your critical server resources are located will allow you to strategize a method to protect those resources.
Do you provide VPN/remote access connectivity? VPN/remote access connectivity is one of the biggest threats to your network’s security posture. This is due in large part to the fact that you rarely have control of the equipment that is connecting via your VPN connections. Employee’s home networks are rarely protected as they should be, and when those systems connect via VPN to your corporate network, it becomes susceptible to compromise. Knowing where your VPN/remote access connectivity occurs allows you to focus on where to protect against remote exploits.
What vendor’s equipment are you using? Different vendors are susceptible to different exploits. Likewise, different vendors implement different methods to secure their equipment. Knowing what vendor’s equipment you have on your network will allow you to develop a reasonable policy for hardening that equipment.
What network devices are you using? Routers require different security measures than switches do. Switches require different security measures than hubs do. By identifying the devices employed on your network, you can develop a security policy that addresses the specific issues of each device type on your network.
What are your device naming conventions? Although a relatively mundane item, device naming conventions can be a real problem in large environments where you need to figure out what a device is or where it might be located by name alone. Using names of fish and trees, as one company I worked at, serves only to make identifying where a problem or security issue is occurring much more difficult than it needs to be. At the same time, using names that lead people to critical or sensitive servers or resources can also be an issue. You need to strike a balance between function and anonymity.
What circuit types do you employ? Point-to-point connections and frame relay connections require different methods of hardening. Identifying the various circuit types you are using will allow you to define a policy that doesn’t overlook a circuit type.
What network protocols and standards are in use? Are you using Hot-Swap Router Protocol (HSRP)? What about Data-Link Switching (DLSw)? Do you still need to run Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)? By examining the network protocols and standards in use on your network, you can identify security issues unique to each protocol or standard.
Do you have dedicated management segments? Using dedicated management segments is one of the best methods to protect your devices from remote management exploits. Where are these segments, and most important, who has access to them? Knowing this information will help ensure that people do not inadvertently gain management access to your equipment.
Where are your critical segments? Backbone connections, critical Line of Business (LOB) segments, human resources (HR) segments, and so on, need to be identified so that you can ensure not only that the data on those segments is protected, but that those segments are reliable and redundant. Connections between subnets and segments—particularly critical subnets and segments—represent locations where filtering and access lists should be implemented to protect those subnets and segments
What kind of AAA mechanism are you using on your network? Are you using common passwords (for example, enable secret passwords) or are you performing user-based authentication? Do you have RADIUS or TACACS+ for authentication, authorization, and accounting?
What kind of enterprise monitoring/management products are you using? Many management protocols such as SNMP and Syslog transmit their data in an unencrypted and therefore insecure fashion. Identifying what management products you are using, where they are located, and what devices they communicate with will allow you to determine the most effective method for securing the traffic.
Where are your wireless connections? Wireless represents a significant security issue on a corporate network. Know where you have wireless access points set up so that you can identify and secure that access.
Implement a Firewall
If you can do nothing else to harden your network, you need to implement a firewall. The reason for this is simple: a firewall is the single device that can do more to keep unauthorized traffic from entering a network than any other device. Now you might have heard that firewalls aren’t effective anymore because so many things use port 80 to pass traffic; however, those situations are a small, small portion of all the threats that exist from which a firewall can protect you. In addition, when implementing an application-filtering firewall, you can gain the ability to filter application content, identifying legitimate web requests from illegitimate web requests. Finally, remember that a firewall, although the best single choice you can make, is most effective as a component of security, being complemented by an intrusion detection/prevention system (IDS/IPS) and content filters.
Although many folks think of a firewall as something used to protect their network from Internet-based threats do not overlook the value of using firewalls at other locations on your network. For example, you can use a firewall on your WAN perimeter to filter traffic to and from frame relay or point-to-point circuit connections across a public internetwork. Likewise, you can implement a firewall to filter traffic between internal LAN segments, protecting critical business resources such as HR servers and application servers from unauthorized traffic. There are a few types of firewalls to consider:
Application proxies
Stateful packet-inspecting/filtering gateways
Hybrid firewalls
1. Application Proxies
Application proxies are identified by their ability to read and process an entire packet to the application level and make filtering decisions based on the actual application data, not just the packet header. Application proxies receive all incoming packets and completely decode them to the Application layer. The actual application data can then be scrutinized to determine whether it is legitimate data. If this data is legitimate, the firewall will rebuild the packet and forward it accordingly. Because of this capability, application proxy firewalls can apply a significant amount of intelligence before making a filtering decision.
One drawback is that this type of filtering introduces latency to network communications and requires significant amounts of processing power. Another drawback is that unless the firewall has the proxy capability for a given protocol or service, it might not be able to facilitate communications with the given protocol or service. Secure Computing Sidewinder G2, Microsoft’s Internet Security & Acceleration (ISA) Server 2000, CyberGuard firewall/VPN appliances, and Symantec Enterprise Firewall are examples of application proxy firewalls.
2. Stateful Packet-Inspecting/Filtering Gateways
Packet-inspecting/filtering gateways are generally not able to process the packet to the application level to make a filtering decision. Instead, packet-inspecting/filtering gateways tend to process the data to the Network/Transport layer and make filtering decisions based on the protocol and port numbers contained in the packet header only. Packet-inspecting/filtering gateways also typically implement a stateful packet inspection model, which allows the firewall to maintain a record of the state of all conversations occurring through the firewall, automatically permitting responses for legitimate outbound requests. IPtables, IPchains, SonicWALL, Clavister, and many of your SOHO firewalls such as Linksys and D-Link are examples of packet-inspecting/filtering gateways
3. Hybrid Firewalls
Now-a-days most of the firewalls fall into the hybrid category. Although they typically perform stateful packet filtering/inspecting for making most filtering decisions, they may have some application proxy functionalities built in for specific high-risk protocols and services such as HTTP and FTP. Most of the firewalls on the market today are hybrid firewalls. Examples of hybrid firewalls are Check Point Firewall-1 NG, Cisco Secure PIX, and Netscreen Deep Inspection Firewall.
Which Firewall Should You Implement?
There is no right answer as to which firewall to use for your environment. This is one of the rare cases when I really can’t give you a definitive answer. You will need to make a decision based on your requirements and your environment. For example, if you require extremely high throughput, a packet-filtering firewall would be a good choice to implement. If you are using standard protocols and require the most rigorous application inspection, an application proxy would be a good choice to implement. In some environments, you might even need both—a packet-filtering firewall to perform initial packet inspection on all traffic, and an application proxy behind that to perform the more detailed application filtering. Regardless of which type of firewall you decide is best for your environment, however, if you do not currently have a firewall, make sure you get one. Any of the firewalls mentioned are better than having none at all.
Implement Access Control Lists
Properly implemented access control lists (ACLs) on your routers provide packet-filtering capabilities without the stateful functionality of a full-featured firewall. Consequently, I think of ACLs on routers as being part of a firewall system, where the router is performing initial packet-filtering functionality in front of a firewall that is providing the full-bore stateful filtering or application proxy functionality.
Here are some types of access you should filter with your ACLs immediately:
Block RFC1918 addresses at your perimeter, including the following:
0.0.0.0/8
10.0.0.0/8
169.254.0.0/16
172.16.0.0/20
192.168.0.0/16
Block bogon addresses - The term bogon refers to packets addressed to/from a bogus network. Bogons represent the addresses that have not been allocated by the Internet Assigned Numbers Authority (IANA) and Regional Internet Registries (RIRs) to Internet service providers (ISPs) or organizations for use. A current list of bogon networks can be found at http://www.iana.org/assignments/ipv4-address-space. Any entry with the term “reserved” or “unallocated” should be blocked as a bogon. You will need to periodically update the bogons you are blocking because those addresses get assigned to legitimate ISPs and organizations for use.
Implement spoof protection
Implement TCP SYN attack protection
Implement LAND attack protection
Implement Smurf attack protection
Block multicast traffic if it is not needed.
Implement ACLs to control Virtual Type Terminal (VTY) access (Telnet and SSH).
Implement ACLs to control who can manage the router via SNMP
Turn Off Unnecessary Features and Services
One point of security that has been hammered on within the desktop/server world is the need to turn off unnecessary services. Unfortunately, people commonly overlook the fact that it is not just the desktops and servers that are potentially running unnecessary services—your network devices are also likely doing this. Here is a list of services you should look for on your network equipment and turn off if you are not actively using them:
Cisco Discovery Protocol (CDP)
TCP and UDP small servers
Finger server
HTTP server
Bootp server
Network Time Protocol (NTP) service
Simple Network Management Protocol (SNMP) services
Configuration auto-loading
IP source routing
Proxy ARP
IP directed broadcast
IP unreachable, redirects, and mask replies
Router name and DNS name resolution services
Implement Virus Protection
Virus protection and implementing virus protection typically fall within the realm of the server/desktop administrator. Indeed, in large environments, if you are responsible for the network infrastructure, you may never be involved in any virus-protection discussions. Unfortunately, today’s worms and viruses are having a larger impact on the network infrastructure, which means you need to become concerned with the status of virus protection on your network. In addition, you can install virus-protection gateway devices and virus-protection applications in conjunction with your existing firewalls and gateways to prevent viruses from entering your network. You should be involved in advocating these systems being implemented.
The methods that many of the worms use to self-replicate (for example, by scanning an entire subnet and attempting to connect to every IP address on that subnet) have the uncanny ability to result in a denial of service (DoS) on many routers. The reason for this is pretty straightforward. When a router receives a packet destined for a subnet that it is directly connected to, the router will generate an ARP request for the destination MAC address. In the case of these worms, often the destination is not online, but the router has no way of knowing this and issues the ARP request anyway. The router then must wait for a response, or wait for the ARP request to time out before it can drop the packet in question. As the router gets hit with thousands of these requests, it fills its buffers and input/output queues with these packets waiting for the timeout periods to occur. Often this consumes the entire free RAM on a router. The end result is that the router starts dropping legitimate traffic because it cannot queue the traffic, and/or the router will no longer accept VTY sessions because it does not have enough free RAM to house those sessions. Both of these circumstances result in a DoS against the router. In fact, when you think about it, the way that these worms work is a great example of just how effective a distributed denial of service (DDoS) attack can be.
If you are not running virus protection on all your systems—Windows, Unix, Linux, and Macintosh based—you need to be.
Don’t forget your gateway virus protection when talking about implementing virus protection on all your systems. This allows you to catch and stop a significant amount of viruses attempting to enter your network at your network ingress points. TrendMicro, Network Associates, and Symantec all have gateway virus protection you can implement. Don’t overlook the value of implementing virus protection on your gateways and firewalls.
The only way to effectively prevent your network from being susceptible to virus- and worm-based DDoS attacks is to keep the systems that propagate the worms from being infected in the first place and to attempt to prevent the viruses from entering your network to begin with.
Secure Your Wireless Connections
What you can do right now is to locate and remove all wireless access points that you do not need or did not plan properly. This may sound like a little bit of overkill, but it isn’t. If you have not developed a wireless security plan and implemented your wireless network by restricting IP addresses and implementing encryption and authentication, you need to unplug everything and start all over again building a secure wireless network. If you must run wireless, you can do the following four tasks to harden your wireless network against attack:
Require a written wireless security policy that allows only IT supported wireless products that are only implemented by IT. If an employee goes out and buys the latest, cheapest personal wireless access point or router, that should be grounds for dismissal.
Only allow authorized MAC addresses to connect to your wireless network
Require Wired Equivalent Privacy (WEP), WiFi Protected Access (WPA), or 802.11i for encryption. Be aware that WEP has been compromised, but is better than clear text.
Require authentication via shared secret key, 802.1x, RADIUS authentication, or certificates as supported by your devices.
Summary
Securing your network infrastructure is going to be a long process that involves examining all your network infrastructure equipment and evaluating what vulnerabilities exist as well as identifying how to harden your equipment against those vulnerabilities. However, you can undertake six tasks to start making an immediate impact on the security of your network.
First, you must review your network design so that you know what you are dealing with. This will serve as a roadmap of what needs to be done. Next, you need to implement a firewall. A firewall is the best thing you can introduce into your environment to address security. After that, you should implement ACLs on your equipment. Restrict not only the traffic that can pass through the system, but also who has access to the system. At the same time, review all your network equipment and ensure that any unnecessary services and features have been turned off or disabled. Protocols like Spanning Tree Protocol are very good at what they do, but if you do not need that functionality, turn those features off. Although likely not in the realm of the network infrastructure engineer; virus protection can make your life much easier. Insist that virus protection be installed and configured on all systems in your enterprise. Also, make sure there is a regular schedule for updating the virus signatures and scanning engine to protect against new viruses. Last but not least, secure your wireless connections. Wireless today is really just an open door to your network, inviting unauthorized access to anyone who happens to be in range of your wireless access point. If you don’t need wireless access, don’t use it. If you do, make sure you have properly secured your wireless access points. If you aren’t sure whether your wireless access points are secured, turn them off and start again.
Security is a complex process; however, these six tasks are all relatively easy to perform and will make an immediate and noticeable impact on your overall security posture
Voice over IP
INTRODUCTION
In this paper outlined the work of research on the technology Voice over IP, which combines two historically separate worlds: the transmission of voice and data. It is carrying voice, data previously converted, between distant points. This would allow use network data to make phone calls, and develop a single network that is responsible for issuing all types of communication, whether voice or data. It is clear that having a network instead of two, is beneficial for any operator to offer both services. The strong growth and implementation of network IP in both local and remote, the development of technical advanced voice digitization, mechanisms of control and traffic prioritization, protocol transmission time real, and the study of new standards enable quality of service in IP networks, have created an environment where it is possible to transmit telephony over IP so no way signify the disappearance of telephone networks circuit mode, but should, at least temporarily, a phase coexistence between. This monograph is comprised of four chapters, which exhibits information relevant to Voice Over IP technology.
As technology, Voice over IP ( VoIP ) has spent several years in the market. However, it was not until the emergence of innovative new services based on this technology as the integration of voice and data has become a reality, which, for businesses, has meant a saving of costs and a communications more efficient and effective. It is expected that in 2005 the VoIP market will move more than 10,000 million dollars, especially given that perceptions of the corporate world are more favorable.
Definition
The products of telephony Internet is called: IP Telephony (IP telephony) Voice Over Internet, Voice over the Internet (VOI) - or Voice over IP, Voice over IP (VOIP).
Voice over IP (VoIP, Voice over IP) is a technology that allows transmission of voice over IP networks as data packets. IP Telephony is an immediate application of this technology in a manner that allows the use of ordinary telephone calls over IP networks or other packet networks using a PC, gateways and standard telephones. In general, communication services - voice, fax, voice messaging applications - that are transported via IP networks, Internet normally, instead of being transported via the telephone network. The VoIP (Voice over IP) this acronym refers to the technology used to send voice information in digital form in discrete packets over Internet protocol (IP stands for Protocol Internet), rather than through the telephone network usual. Before proceeding, you may want to clarify what is a connection protocol. A connection protocol is a set of rules, a "language in common" that both parties agree to use to be able to communicate, is like saying: Now we will communicate in English, and we agree that this is English, or it is a convention.
The industry of Voice over IP is in a stage of rapid growth. The evolution of the use of Voice over IP will come with the development of infrastructure and communication protocols. In 2010, a quarter of global calls will be based on IP. Over time, the voice and data applications have required different networks using different technologies. However, lately there have been numerous efforts to find a solution that provides a satisfactory support for both types of transmission over a single network. Voice over IP telephony is a technology that can be enabled through a data network packet switching, protocol via IP (Internet Protocol). The real advantage of this technology is the transmission of free speech as it travels as data.
VoIP technology can revolutionize internal communications by offering:
•Access to corporate networks from small offices through integrated networks of voice and data attached to branches.
•Corporate directories based on the Intranet with messaging services and personal numbers for those who must travel.
•Directory Services-based conferencing and graphics from the system desktop.
•Virtual private networks and gateways managed to replace voice Virtual Private Networks ( VPN ).
--------------------------------
VoIP (Voice over IP) provides new opportunities for those able to anticipate and act quickly enough to overcome the confusion that surrounds this remarkable technology as used Voice over IP. It is important to know how to use the VoIP (Voice over IP), you basically buy a device that visually is a black box that connects one side to the telephone equipment and the other to the PC ( computer ), but also IP phones are available. Of course you need to install a software for that device works. This device is almost always sold in the same stores that sell computers. There are two connection options:
•One party has VoIP (Voice over IP) and the other not.
•Both parties are VoIP (Voice over IP)
If both parties are VoIP (Voice over IP) call is free, it is called VoIP (Voice over IP) VoIP (Voice over IP), only have to dial the phone number and nothing else. If the caller only has VoIP (Voice over IP), then uses a card that is purchased online (online). The above card is a card of plastic or cardboard such as those sold in stores, rather it is a virtual card you buy and load on the Internet.
The model of Voice over IP consists of three main elements:
•The client - This element establishes and terminates voice calls. Encodes, packages and transmits the output information generated by the user's microphone. It also receives, decodes and reproduces the voice information input by the user's speakers or headphones. Note that the client component is available in two basic forms: the first is a suite of software running on a PC that you control through a graphical user interface (GUI) and the second client may be a "virtual" who resides in the gateway.
•Servers - The second element of Voice over IP is based on servers, which handle a wide range of operations, complex databases, in real time and outside it. These operations include user authentication, appraisal, accounting , pricing, collection, distribution of profits, routing, management 's overall service, charging customers, service control, registration of users and directory services among others.
•Gateways - The third element is formed by the Voice over IP gateways, which provide a communication bridge between users. The role of a main gateway is to provide the interfaces with appropriate traditional telephony, serving as a platform for virtual clients.
These teams also play an important role in access security, accounting, control of quality of service (QoS, Quality of Service) and improve it.
Characteristics of Voice over IP
For its structure provides the following standard features:
•Allows control of network traffic, so less chance of the occurrence of significant declines in the performance of data networks.
•Provides links to the traditional telephone network.
•Being supported on IP technology has the following advantages:
◦Is independent of the type of network physics that supports it. Allows integration with existing large IP networks.
◦Is independent of the hardware used.
◦Lets be implemented in both software and hardware, with the particularity that the hardware would eliminate the initial impact for the common user.
Voice over IP Protocols
Today, there are two protocols for transmitting voice over IP, both define the way in which such devices must communicate with each other, and includes specifications for codecs (coder-decoder) audio to convert an audio signal to a digitized pad and vice versa.
H.323
H.323 is the standard established by the International Telecommunications Union (ITU) which is comprised of a highly complex and extensive protocol, which also include voice over IP, provides specifications for video-conferencing and real-time applications, including other variants.
Session Initiation Protocol (SIP)
Session Initiation Protocol (SIP) was developed by the IETF (Internet Engineering Task Force) specifically for IP telephony, which in turn takes advantage of other existing protocols to handle part of the process of conversion, a situation that applies to H.323 as it defines its own protocols bases.
The Standard Voice over IP
Long, those responsible for communications companies have in mind the possibility of using their data infrastructure for the transport of internal voice traffic the company . However, the emergence of new standards and the improvement and cheapening of voice compression technology, which is ultimately causing its implementation.
Having found that from a PC with elements multimedia , you can make phone calls over the Internet, we believe that IP telephony is little more than a toy, because the quality of voice that we obtain through Internet is very poor . However, if in our company have a data network that has a large enough bandwidth, we can also think of using that network for voice traffic between the various delegations of the company. The advantages we would get to use our network to transmit both voice and data are evident:
•Communications cost savings because calls between the various delegations of the company would go free.
Actually the integration of voice and data in one network is an old idea, have long since emerged solutions from different manufacturers, using multiplexers, WAN networks allow the use of business data (typically point connections to-point and frame-relay) for the transmission of voice traffic. The lack of standards and long-term depreciation of such solutions has not allowed a wide introduction of the same.
•Internet. The state 's current network does not allow professional use for voice traffic.
•Public IP network. The operators offer businesses the connectivity to interconnect their local area networks as IP traffic is concerned. Can be considered as similar to the Internet, but with a higher quality of service and significant security enhancements. Operators are even offering guarantees low delay and / or bandwidth, making them very interesting for voice traffic.
•Intranet. IP network implemented by the company. Usually consist of several LAN networks ( Ethernet switching, ATM , etc.) that are interconnected by WAN Frame-Relay/ATM type, point to point lines, ISDN remote access, etc.. In this case the company has under its control virtually all network parameters, making it ideal for use in the transport of voice.
The IMTC VoIP Forum has reached an agreement that allows interoperability of different elements in a network can be integrated VoIP (Voice over IP). Due to the existence and the ITU H.323 standard, which covered most of the requirements for the integration of voice, it was decided that was the basis H.323 VoIP (Voice over IP). Thus, the VoIP (Voice over IP) should be considered as a clarification of H.323, so that in case of conflict , in order to avoid differences between the standards, it was decided that H.323 would have priority over VoIP (Voice over IP). The VoIP (Voice over IP) has as main objective to ensure interoperability between equipment from different manufacturers, fixing issues such as silence suppression, encoding of the voice and direction, establish new elements to enable connectivity to the traditional telephone infrastructure. These items relate primarily to the directory services and the transmission of signaling tone multifrequency (DTMF).
So far we have seen the possibility of using our IP network to connect the PBX to the same, but the fact that VoIP is supported in a level 3 protocol such as IP, allows flexibility in configurations that in many cases is undiscovered. One idea that appears immediately is that the traditional role of the switchboard would be distributed among the various elements of the VoIP network. In this scenario, technologies such as CTI (computer-telephony integration) will have a much simpler implementation. Will the passage of time and imagination of the people involved in these environments, which will be defining applications and services based on VoIP. We can now from a number of items already available in the market and, according to different designs allow us to build VoIP applications. These elements are:
•IP phones.
•Adapters PC.
•Hubs Telephone.
•Gateways (gateways RTC / IP).
•Gatekeeper.
•Multiple audio conference units. (MCU Voice)
•Directory Services.
The functions of the various components are easily understandable in view of the previous figure, but it is worth emphasizing some ideas. The Gatekeeper is an optional element in the network, but when present, all other items that contact the network should make use of it. Its function is to manage and control the resources of the network, so that there is no saturation conditions thereof. The Gateway is an essential element in most networks because its mission is to connect the VoIP network to the analog telephone network or ISDN. We can consider the Gateway as a box on one side has an interface LAN and the other has one or more of the following interfaces:
•FXO. For connection to or extensions on the basic telephone network.
•FXS. For connection to link analog phones or PBX.
•E & M. For specific connection to PBXs.
•BRI. ISDN basic access (2B + D).
•PRI. ISDN primary rate access (30B + D).
•G703/G.704. (E & M digital) specific connection to switchboards to 2 Mbps
The various components can reside on separate physical platforms, or we can find several elements coexisting in the same platform. Thus it is quite common to find together Gatekeeper and Gateway. We can also see how Cisco has implemented the Gateway functions in the router. An important aspect to highlight is that of delays in transmission of voice. Keep in mind that the voice is not very tolerant with them. In fact, if the delay introduced by the network is more than 300 milliseconds, it is almost impossible to have a fluent conversation. Because local area networks are not prepared in principle to this type of traffic, the problem may seem severe. Keep in mind that IP packets are variable length data traffic is often bursty. To try to ignore situations in which the voice is lost because we have a burst of data on the network, has developed the RSVP protocol, whose main function is to chop the large data packets and give priority to voice packets when congestion in a router. While this protocol will greatly assist the multimedia traffic over the network, it should be noted that RSVP does not guarantee quality of service as in advanced networks such as ATM to provide QoS as standard.
We can summarize by saying that VoIP is a technology that has all the elements for rapid development. As shown we can see that companies like Cisco, have incorporated it into its product portfolio, IP phones are already available and major global operators, as well as Telefonica, are actively promoting IP services to businesses, offering voice quality through thereof. On the other hand we already have a standard that guarantees interoperability between different manufacturers. The conclusion seems logical : we must consider how we can implement VoIP on our network.
Conclusion
To establish a voice communication using the Internet, the first thing you need is to establish the connection between the two user terminals equipped with the same or compatible software, you want to communicate, ie to establish an IP session, from Hence, the voice is digitized, compressed to occupy less bandwidth, and transmitted over the network like a data flow. Communication can be multimedia and transferred files or watch video while chatting. The appeal represents this approach is that in this case the rates that apply are those of the Internet, local fare is always at both ends and in many cases flat rate instead of the phone, depending on distance and airtime. The user accepts the lower quality of communication, which is offset by the cost savings you get. There are two other modes that occur in the case of establishing communication between a phone and a PC or between two telephones, using the Internet. In the first case it is necessary to have a gateway connection to the Internet on one side and one on the RTC, which digitize the voice and if not, to compress and package and perform the translation between IP addresses and numbers the RTC, making the process simultaneously in both directions. In the case of calls between phones via the Internet, the process is similar, using two gateways, one at each end, with several companies offering these services taking advantage of the economic advantages enjoyed by normal route voice calls through the network
In this paper outlined the work of research on the technology Voice over IP, which combines two historically separate worlds: the transmission of voice and data. It is carrying voice, data previously converted, between distant points. This would allow use network data to make phone calls, and develop a single network that is responsible for issuing all types of communication, whether voice or data. It is clear that having a network instead of two, is beneficial for any operator to offer both services. The strong growth and implementation of network IP in both local and remote, the development of technical advanced voice digitization, mechanisms of control and traffic prioritization, protocol transmission time real, and the study of new standards enable quality of service in IP networks, have created an environment where it is possible to transmit telephony over IP so no way signify the disappearance of telephone networks circuit mode, but should, at least temporarily, a phase coexistence between. This monograph is comprised of four chapters, which exhibits information relevant to Voice Over IP technology.
As technology, Voice over IP ( VoIP ) has spent several years in the market. However, it was not until the emergence of innovative new services based on this technology as the integration of voice and data has become a reality, which, for businesses, has meant a saving of costs and a communications more efficient and effective. It is expected that in 2005 the VoIP market will move more than 10,000 million dollars, especially given that perceptions of the corporate world are more favorable.
Definition
The products of telephony Internet is called: IP Telephony (IP telephony) Voice Over Internet, Voice over the Internet (VOI) - or Voice over IP, Voice over IP (VOIP).
Voice over IP (VoIP, Voice over IP) is a technology that allows transmission of voice over IP networks as data packets. IP Telephony is an immediate application of this technology in a manner that allows the use of ordinary telephone calls over IP networks or other packet networks using a PC, gateways and standard telephones. In general, communication services - voice, fax, voice messaging applications - that are transported via IP networks, Internet normally, instead of being transported via the telephone network. The VoIP (Voice over IP) this acronym refers to the technology used to send voice information in digital form in discrete packets over Internet protocol (IP stands for Protocol Internet), rather than through the telephone network usual. Before proceeding, you may want to clarify what is a connection protocol. A connection protocol is a set of rules, a "language in common" that both parties agree to use to be able to communicate, is like saying: Now we will communicate in English, and we agree that this is English, or it is a convention.
The industry of Voice over IP is in a stage of rapid growth. The evolution of the use of Voice over IP will come with the development of infrastructure and communication protocols. In 2010, a quarter of global calls will be based on IP. Over time, the voice and data applications have required different networks using different technologies. However, lately there have been numerous efforts to find a solution that provides a satisfactory support for both types of transmission over a single network. Voice over IP telephony is a technology that can be enabled through a data network packet switching, protocol via IP (Internet Protocol). The real advantage of this technology is the transmission of free speech as it travels as data.
VoIP technology can revolutionize internal communications by offering:
•Access to corporate networks from small offices through integrated networks of voice and data attached to branches.
•Corporate directories based on the Intranet with messaging services and personal numbers for those who must travel.
•Directory Services-based conferencing and graphics from the system desktop.
•Virtual private networks and gateways managed to replace voice Virtual Private Networks ( VPN ).
--------------------------------
VoIP (Voice over IP) provides new opportunities for those able to anticipate and act quickly enough to overcome the confusion that surrounds this remarkable technology as used Voice over IP. It is important to know how to use the VoIP (Voice over IP), you basically buy a device that visually is a black box that connects one side to the telephone equipment and the other to the PC ( computer ), but also IP phones are available. Of course you need to install a software for that device works. This device is almost always sold in the same stores that sell computers. There are two connection options:
•One party has VoIP (Voice over IP) and the other not.
•Both parties are VoIP (Voice over IP)
If both parties are VoIP (Voice over IP) call is free, it is called VoIP (Voice over IP) VoIP (Voice over IP), only have to dial the phone number and nothing else. If the caller only has VoIP (Voice over IP), then uses a card that is purchased online (online). The above card is a card of plastic or cardboard such as those sold in stores, rather it is a virtual card you buy and load on the Internet.
The model of Voice over IP consists of three main elements:
•The client - This element establishes and terminates voice calls. Encodes, packages and transmits the output information generated by the user's microphone. It also receives, decodes and reproduces the voice information input by the user's speakers or headphones. Note that the client component is available in two basic forms: the first is a suite of software running on a PC that you control through a graphical user interface (GUI) and the second client may be a "virtual" who resides in the gateway.
•Servers - The second element of Voice over IP is based on servers, which handle a wide range of operations, complex databases, in real time and outside it. These operations include user authentication, appraisal, accounting , pricing, collection, distribution of profits, routing, management 's overall service, charging customers, service control, registration of users and directory services among others.
•Gateways - The third element is formed by the Voice over IP gateways, which provide a communication bridge between users. The role of a main gateway is to provide the interfaces with appropriate traditional telephony, serving as a platform for virtual clients.
These teams also play an important role in access security, accounting, control of quality of service (QoS, Quality of Service) and improve it.
Characteristics of Voice over IP
For its structure provides the following standard features:
•Allows control of network traffic, so less chance of the occurrence of significant declines in the performance of data networks.
•Provides links to the traditional telephone network.
•Being supported on IP technology has the following advantages:
◦Is independent of the type of network physics that supports it. Allows integration with existing large IP networks.
◦Is independent of the hardware used.
◦Lets be implemented in both software and hardware, with the particularity that the hardware would eliminate the initial impact for the common user.
Voice over IP Protocols
Today, there are two protocols for transmitting voice over IP, both define the way in which such devices must communicate with each other, and includes specifications for codecs (coder-decoder) audio to convert an audio signal to a digitized pad and vice versa.
H.323
H.323 is the standard established by the International Telecommunications Union (ITU) which is comprised of a highly complex and extensive protocol, which also include voice over IP, provides specifications for video-conferencing and real-time applications, including other variants.
Session Initiation Protocol (SIP)
Session Initiation Protocol (SIP) was developed by the IETF (Internet Engineering Task Force) specifically for IP telephony, which in turn takes advantage of other existing protocols to handle part of the process of conversion, a situation that applies to H.323 as it defines its own protocols bases.
The Standard Voice over IP
Long, those responsible for communications companies have in mind the possibility of using their data infrastructure for the transport of internal voice traffic the company . However, the emergence of new standards and the improvement and cheapening of voice compression technology, which is ultimately causing its implementation.
Having found that from a PC with elements multimedia , you can make phone calls over the Internet, we believe that IP telephony is little more than a toy, because the quality of voice that we obtain through Internet is very poor . However, if in our company have a data network that has a large enough bandwidth, we can also think of using that network for voice traffic between the various delegations of the company. The advantages we would get to use our network to transmit both voice and data are evident:
•Communications cost savings because calls between the various delegations of the company would go free.
Actually the integration of voice and data in one network is an old idea, have long since emerged solutions from different manufacturers, using multiplexers, WAN networks allow the use of business data (typically point connections to-point and frame-relay) for the transmission of voice traffic. The lack of standards and long-term depreciation of such solutions has not allowed a wide introduction of the same.
Undeniably, the definitive implementation of the IP protocol from business to domestic and the emergence of a standard, VoIP (Voice over IP) could not be expected. The emergence of VoIP (Voice over IP) together with the lowering of the DSP's ( Processor Digital Signal), which are key in the compression and decompression of voice, are the elements that have made possible the launch of these technologies. For this boom there are other factors, such as the emergence of new applications or definitive commitment for VoIP (Voice over IP) vendors such as Cisco Systems and Nortel, Bay Networks. Moreover mobile operators are offering or plan to offer in the near future, IP services to enterprises. It said so far, we see that we can find three different types of networks IP:
•Internet. The state 's current network does not allow professional use for voice traffic.
•Public IP network. The operators offer businesses the connectivity to interconnect their local area networks as IP traffic is concerned. Can be considered as similar to the Internet, but with a higher quality of service and significant security enhancements. Operators are even offering guarantees low delay and / or bandwidth, making them very interesting for voice traffic.
•Intranet. IP network implemented by the company. Usually consist of several LAN networks ( Ethernet switching, ATM , etc.) that are interconnected by WAN Frame-Relay/ATM type, point to point lines, ISDN remote access, etc.. In this case the company has under its control virtually all network parameters, making it ideal for use in the transport of voice.
The IMTC VoIP Forum has reached an agreement that allows interoperability of different elements in a network can be integrated VoIP (Voice over IP). Due to the existence and the ITU H.323 standard, which covered most of the requirements for the integration of voice, it was decided that was the basis H.323 VoIP (Voice over IP). Thus, the VoIP (Voice over IP) should be considered as a clarification of H.323, so that in case of conflict , in order to avoid differences between the standards, it was decided that H.323 would have priority over VoIP (Voice over IP). The VoIP (Voice over IP) has as main objective to ensure interoperability between equipment from different manufacturers, fixing issues such as silence suppression, encoding of the voice and direction, establish new elements to enable connectivity to the traditional telephone infrastructure. These items relate primarily to the directory services and the transmission of signaling tone multifrequency (DTMF).
So far we have seen the possibility of using our IP network to connect the PBX to the same, but the fact that VoIP is supported in a level 3 protocol such as IP, allows flexibility in configurations that in many cases is undiscovered. One idea that appears immediately is that the traditional role of the switchboard would be distributed among the various elements of the VoIP network. In this scenario, technologies such as CTI (computer-telephony integration) will have a much simpler implementation. Will the passage of time and imagination of the people involved in these environments, which will be defining applications and services based on VoIP. We can now from a number of items already available in the market and, according to different designs allow us to build VoIP applications. These elements are:
•IP phones.
•Adapters PC.
•Hubs Telephone.
•Gateways (gateways RTC / IP).
•Gatekeeper.
•Multiple audio conference units. (MCU Voice)
•Directory Services.
The functions of the various components are easily understandable in view of the previous figure, but it is worth emphasizing some ideas. The Gatekeeper is an optional element in the network, but when present, all other items that contact the network should make use of it. Its function is to manage and control the resources of the network, so that there is no saturation conditions thereof. The Gateway is an essential element in most networks because its mission is to connect the VoIP network to the analog telephone network or ISDN. We can consider the Gateway as a box on one side has an interface LAN and the other has one or more of the following interfaces:
•FXO. For connection to or extensions on the basic telephone network.
•FXS. For connection to link analog phones or PBX.
•E & M. For specific connection to PBXs.
•BRI. ISDN basic access (2B + D).
•PRI. ISDN primary rate access (30B + D).
•G703/G.704. (E & M digital) specific connection to switchboards to 2 Mbps
The various components can reside on separate physical platforms, or we can find several elements coexisting in the same platform. Thus it is quite common to find together Gatekeeper and Gateway. We can also see how Cisco has implemented the Gateway functions in the router. An important aspect to highlight is that of delays in transmission of voice. Keep in mind that the voice is not very tolerant with them. In fact, if the delay introduced by the network is more than 300 milliseconds, it is almost impossible to have a fluent conversation. Because local area networks are not prepared in principle to this type of traffic, the problem may seem severe. Keep in mind that IP packets are variable length data traffic is often bursty. To try to ignore situations in which the voice is lost because we have a burst of data on the network, has developed the RSVP protocol, whose main function is to chop the large data packets and give priority to voice packets when congestion in a router. While this protocol will greatly assist the multimedia traffic over the network, it should be noted that RSVP does not guarantee quality of service as in advanced networks such as ATM to provide QoS as standard.
We can summarize by saying that VoIP is a technology that has all the elements for rapid development. As shown we can see that companies like Cisco, have incorporated it into its product portfolio, IP phones are already available and major global operators, as well as Telefonica, are actively promoting IP services to businesses, offering voice quality through thereof. On the other hand we already have a standard that guarantees interoperability between different manufacturers. The conclusion seems logical : we must consider how we can implement VoIP on our network.
Conclusion
To establish a voice communication using the Internet, the first thing you need is to establish the connection between the two user terminals equipped with the same or compatible software, you want to communicate, ie to establish an IP session, from Hence, the voice is digitized, compressed to occupy less bandwidth, and transmitted over the network like a data flow. Communication can be multimedia and transferred files or watch video while chatting. The appeal represents this approach is that in this case the rates that apply are those of the Internet, local fare is always at both ends and in many cases flat rate instead of the phone, depending on distance and airtime. The user accepts the lower quality of communication, which is offset by the cost savings you get. There are two other modes that occur in the case of establishing communication between a phone and a PC or between two telephones, using the Internet. In the first case it is necessary to have a gateway connection to the Internet on one side and one on the RTC, which digitize the voice and if not, to compress and package and perform the translation between IP addresses and numbers the RTC, making the process simultaneously in both directions. In the case of calls between phones via the Internet, the process is similar, using two gateways, one at each end, with several companies offering these services taking advantage of the economic advantages enjoyed by normal route voice calls through the network
Subscribe to:
Posts (Atom)