
Advanced network administration best practices for IT

The purpose of this class is to outline the best practices that senior network administrators should follow. This includes configuring and operating the network, as well as managing network usage and organizing the roles and responsibilities of IT department staff. We'll cover a broad spectrum of subjects and concepts including configuration, security, documentation and management.

Lessons

1. Establishing your network configuration
   As the senior network administrator, junior administrators and technicians will look to you for the overall organization of the network infrastructure. In this lesson, you'll explore how networks are constructed and managed.
2. Ensuring security for the network
   The greatest challenge in using security measures is keeping your network reasonably safe from threats while maintaining network functionality and productivity. In this lesson, you'll find out how to keep your network secure.
3. Working with operational management
   IT documentation includes operational plans for network functioning and all the policies that define network access and use. In this lesson, you'll learn how to create effective documentation, as well as how to assign roles and responsibilities.
4. Controlling email
   Email is a vital service to users, but it's also a major security concern for most senior network administrators. In this lesson, you'll learn how to take charge of this powerful and problematic network application.
5. Monitoring and maintaining the network
   It's inevitable that your network needs change and grow. In this lesson, you'll learn how to monitor your network, modify the infrastructure and keep a tight rein over how software is installed and updated on networked computers.
6. Recovering from disaster with backup and restore
   The best way to recover from a disaster is to be prepared before it happens. In this lesson, you'll learn how to create a recovery plan that'll have your network up and running as quickly as possible after a disaster strikes.

Establishing your network configuration

As the senior network administrator, junior administrators and technicians will look to you for the overall organization of the network infrastructure. In this lesson, you'll explore how networks are constructed and managed.

This class is geared toward the senior network administrator of a small to medium-sized organization. It describes the best practice factors every network administrator should follow. These elements include the overall configuration of the network itself as well as managing network usage and organizing roles and responsibilities of the IT department staff. To achieve this purpose, this class will cover a broad spectrum of subjects and concepts, including configuration, security, documentation, and management.

Although the responsibilities of this role may seem daunting, this class will help prepare you to perform all of the necessary functions and duties of a senior network administrator.

Establishing connection configurations

The variety of network and connectivity designs and configurations used in a business environment is staggering. This lesson doesn't try to address all possible configurations; rather, it covers the basics you'll need to know as an administrator to establish and create an appropriate connection configuration. You might not use all of the typical connection solutions available, such as wireless, but it's still prudent to examine all of the common options. Remember that this isn't an exhaustive study in network design.

In this lesson, you'll learn just enough to get your feet wet. You'll have plenty of time to go for a swim as you delve deeper into network management in this class.

Connection configuration

It's a foregone conclusion that if you establish no other network connection type, you'll be configuring a LAN (local area network) for your organization. While the vast majority of us work in a networked environment every day, LAN design and configuration requires a skilled administrator. Networking an office or office suite is more than playing a game of "connect the dots." Creating a network that meets your needs the first time will prevent expansion and troubleshooting headaches down the road. You need a clear vision of the user, service, and application requirements for the LAN. So let's take a look at some of the more common elements in LAN design.


Design defined as a business goal

Before designing a LAN, it's important to define your customer's goals for the network. A customer, for example, is a department of your organization if you're administering an internal IT department or a business in your community if you're a consultant. Before committing to a specific network schematic and selecting media and internetworking equipment, you must discover how your customer expects the network to perform and how it prioritizes tasks and applications.

Business and technical goals become close partners as you enter this phase of network design. Important elements to consider are affordability, availability, manageability, security, and scalability. Also, your customer will most likely specify a particular performance or service level for the network. All of these factors must be taken into consideration when designing the logical network topology and before constructing the physical network. Unless your customer has a large budget (which is quite unusual), the factors of affordability, availability, and time to completion will force serious trade-off decisions in your design.

Before discussing these factors with your customer, it's prudent to research your customer's business. For example, learning your business customer's internal politics will help you quickly identify the true decision makers, who are the people with the authority to accept or reject your design proposal. Also, understanding this group will help you present a design that meets their requirements. Keep in mind that they won't necessarily make design suggestions that are technically feasible, and perhaps not within budgetary constraints.

To learn your customer's goals for the network, ask the customer to define an overall business goal in a short, compressed statement by answering the following:

- How do you measure success relative to a network?
- Which applications will you use and which are mission critical? It's important to get a clear picture of which applications and services your customer expects to use over the network. This includes user applications and services such as email, file sharing and transfer, and database access as well as system applications such as authentication, directory services, and software distribution. Have the customer rank applications as being extremely critical, somewhat critical, and not critical.
- How will your employees access the network?
- Do you want to integrate data and voice communication?

Customer decision-making usually involves business politics as well as business goals. You need to discover which managers and departments have goals that conflict with each other, and technological preferences based on "ideology" rather than sound business goals and design, and identify the supporters and opponents of the project.

Budget and staffing limitations may sometimes have a harsh effect on your design. Your proposal must not only be within the customer's monetary scope but the customer must also have or be capable of recruiting the necessary support staff. If this is an in-house project, you likely will support the network you're designing; however, a corporate customer will need to develop its own day-to-day support system. Another limiting factor is scheduling -- when does the customer need to have the network constructed and operational? Work with the customer to develop the final due date as well as milestone points.

LAN network design

Your customer's goals and need for critical application and service access will help determine the types of data transmissions used on the LAN. The three transmission types are unicast, multicast, and broadcast. If, for example, the requirements for your network design include heavy use of multimedia traffic, the network will have to be created to manage bandwidth-consuming broadcast traffic. Additionally, multimedia broadcast traffic requires every device on the network to use CPU (central processing unit) cycles to determine if the traffic is meant for them. Data broadcasts use smaller-sized frames and don't have the same processing requirements on a networked device. Multimedia broadcast frames, by comparison, are usually several megabits in size.

LAN addressing occurs at Layers 2 and 3 of the OSI (Open Systems Interconnection) reference model. Although MAC (Media Access Control) addresses are coded on the NICs (network interface cards) of networked devices, part of your design is to develop a Network layer addressing scheme. Your addressing and subnet schemes are dependent, to a degree, on the number of users on individual network segments and how many subnets are required by the customer to accomplish their goals.
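One way to turn per-segment user counts into a Network layer addressing scheme is variable-length subnetting, shown here as an added example that is not part of the original course. The parent block, segment names, host counts, and the growth allowance are all constructed assumptions.

```python
import ipaddress


def prefix_for_hosts(hosts, growth_pct=0):
    """Smallest IPv4 prefix length that fits `hosts` usable addresses.

    growth_pct is a planning allowance (assumption of this example).
    Two addresses per subnet are reserved for network and broadcast.
    """
    if hosts < 1:
        raise ValueError("a segment needs at least one host")
    planned = -(-hosts * (100 + growth_pct) // 100)  # ceiling division
    needed = planned + 2
    return 32 - (needed - 1).bit_length()


def plan_subnets(parent_cidr, segments, growth_pct=0):
    """Allocate one subnet per segment out of parent_cidr.

    segments maps a segment name to the number of hosts on it.
    Largest blocks are placed first, so the running cursor is always
    aligned to the size of the next (equal or smaller) block.
    """
    parent = ipaddress.ip_network(parent_cidr)
    sized = sorted(
        (prefix_for_hosts(count, growth_pct), name)
        for name, count in segments.items()
    )
    cursor = int(parent.network_address)
    plan = {}
    for prefix, name in sized:
        subnet = ipaddress.ip_network((cursor, prefix))
        if not subnet.subnet_of(parent):
            raise ValueError(f"{parent} has no room left for segment {name!r}")
        plan[name] = subnet
        cursor += subnet.num_addresses
    return plan


# Constructed sample input: four segments and their current user counts.
SEGMENTS = {"engineering": 120, "sales": 60, "servers": 25, "management": 10}

if __name__ == "__main__":
    for name, net in plan_subnets("10.20.0.0/22", SEGMENTS, growth_pct=25).items():
        usable = net.num_addresses - 2
        print(f"{name:12} {str(net):18} usable hosts: {usable}")
```

Each resulting subnet is also a natural candidate for its own VLAN, which keeps the Layer 2 and Layer 3 boundaries of the design aligned.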

When creating a network design for a department, office, or campus, the architecture of your switch fabric determines how bandwidth and throughput are allocated to different parts of the structure. The switch fabric combines hardware and software to move data efficiently throughout the network, minimizing delay by allowing switching paths to be controlled. Placement of switches allows you to contain collision domains, filter traffic by priority, and select half or full-duplex mode based on need. The use of STP (Spanning Tree Protocol) on a switched network is required to prevent broadcast loops across interswitch channels. Your design should accommodate the delay caused by slow STP convergence. You can also bias the selection of the root switch to fit your requirements rather than allow automatic election to take place.

This lesson assumes you're designing an Ethernet network using a physical and logical star topology. Although other network topologies and types exist, they're not as common and it's unlikely that you'll be required to develop a plan using ring or bus types.

Virtual LANs and STP will be covered later in this lesson.

Of greater importance is the hierarchical network design. In general, networks are created at three different levels: core, distribution, and access. A graphic of this design is shown in Figure 1-1.

Figure 1-1: Hierarchical network design.

The core layer of your network is the high-speed switched backbone that enables vital corporate transmissions. Qualities of this layer include:

- High reliability
- Fault tolerance
- Quick adaptability
- High redundancy factors

The distribution layer represents the conduit between the core and access layers. The characteristics typically seen at this layer are security, department or workgroup access, routing between VLANs, and broadcast and multicast domain containment. The distribution layer actually has many different roles in a network design but doesn't have to contain all the possible roles.

The access layer allows end users access to local network segments. Qualities at this layer can include division of collision domains, and switched and shared bandwidth. In small office environments, this layer allows smaller branch offices to connect to the central office using such WAN (wide area network) technologies as ISDN (Integrated Services Digital Network) and frame relay. Figure 1-2 shows an example of the access layer in action.

Figure 1-2: Branch office accessing central office.

This layered model can be implemented in a switched and routed hierarchical design. Figure 1-3 shows a switched design.

Figure 1-3: Switched design.

Figure 1-4 shows a routed hierarchical design.

Figure 1-4: Routed hierarchical design.

Designing virtual and wireless networks

Although LANs are still the most common network configuration, your business may need to implement a more complex network design, in the form of a virtual or wireless network, or a combination of designs.

VLAN network design


VLANs (virtual LANs) give you the ability to create divisions in both your physical and logical networks by using switching software. Not all switches support VLANs, so if your design requires them, purchase switches with VLAN support. You can use VLANs to create virtual workgroups comprised of computers that don't have to be located near each other.

The simplest method of creating a VLAN is to assign specific switch ports to a particular VLAN. This is usually referred to as static or port-based VLAN assignment. You can also use dynamic membership assignment based on the MAC address of particular hosts. This gives you the advantage of being able to physically move an individual computer to a different port or switch and still have it retain its VLAN membership. Individual VLANs cannot communicate with each other, even if located physically on the same switch. You can only communicate off a VLAN by going through a router.


VLAN trunking allows you to create VLANs with member hosts attached to different physical switches. This expands your ability to assign VLAN memberships in terms of physical location and network segment. The VLAN tagging process allows the trunked switches to mark the data frames as belonging to a specific VLAN.
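The tagging step described above, as an added example that is not part of the original course: it assumes the trunk uses IEEE 802.1Q tagging, where a 4-byte tag (TPID 0x8100 plus a 3-bit priority, 1-bit DEI, and 12-bit VLAN ID) is inserted after the source MAC address. The sample frame is constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag


def add_vlan_tag(frame, vlan_id, priority=0):
    """Insert an 802.1Q tag, as a switch does when sending on a trunk port."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (0 and 4095 are reserved)")
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0-7")
    tci = (priority << 13) | vlan_id  # DEI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Split an Ethernet frame into header fields, reading the tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "vlan_id": None,   # None means the frame is untagged
        "priority": None,
    }
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13
        info["vlan_id"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


# Constructed sample: untagged IPv4 frame between two locally administered MACs.
UNTAGGED = (
    bytes.fromhex("020000000002")      # destination MAC
    + bytes.fromhex("020000000001")    # source MAC
    + struct.pack("!H", 0x0800)        # EtherType: IPv4
    + b"constructed payload"
)

if __name__ == "__main__":
    tagged = add_vlan_tag(UNTAGGED, vlan_id=30, priority=5)
    print(parse_frame(UNTAGGED))
    print(parse_frame(tagged))
```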

Trunked switches use VTP (VLAN Trunking Protocol) to keep track of the creation, modification, and deletion of VLANs on the network. Switches use VTP to update their VLAN databases, allowing the switches on your network to communicate with each other so that each switch applies the same changes to its VLAN database and all switches have the same "view" of the network. Not only is switch positioning affected in your design by a requirement for VLANs, but switch access to routers is also impacted because traffic to and from VLANs must be passed through a router.

Actually, the management VLAN or VLAN 1 communicates with the switches and provides VLAN updates using VTP.

VPN design

VPN (virtual private network, or virtual private networking) is a method that lets a remote user communicate privately with the central office over a public telecommunications network such as the internet. If your customer's requirements include telecommuters or traveling "road warriors" who do much of their work from remote business sites, you need to build VPN into your design. You can also use VPN as an alternative to expensive leased lines to allow small branch offices to communicate with the central office. There are three main types of VPN solutions you can implement in your design:

- Remote access VPN: Also known as VPDN (Virtual Private Dialup Network), this VPN is used by telecommuters and traveling users. Traditionally, this VPN type was accessed via dial-up directly into the central office network; however, this isn't very cost-effective because it uses toll calls. More commonly, the user makes a connection to their ISP (internet service provider) and then to the corporate office across the internet.
- Site-to-site VPN: Typical users of a site-to-site VPN are branch offices connecting to the main office. This is a lower-cost alternative to using leased lines to connect offices. This method is also used for corporate intranets and extranets, the latter being used by other companies partnered with your customer.
- Firewall-based VPN: This type of VPN is deployed as a site-to-site solution. This isn't technically different from a site-to-site VPN; however, it includes firewalls to provide for greater security needs.

WLAN design

WLANs (wireless LANs) are common on business networks today; however, they can pose a significant security risk because wireless security still lags behind its wired equivalent. It's best to include a wireless component in your design only if you can reasonably ensure that critical network traffic doesn't travel through the airwaves. Also, you can improve wireless security if you adjust power levels on wireless APs (access points) so that the transmission radius doesn't spill outside the business environment. Directional antennas can also reduce access to RF (radio frequency) data signals, at least in bridging APs.

If you're implementing your network design in a building that isn't and can't be cabled with Category 5 or 6 cabling due to expense, a wireless infrastructure may be your only option. For example, older motels that want to offer guests free high-speed internet access often select a wireless solution as an inexpensive alternative to the costly job of cabling their building or buildings.

If you use wireless connections in a business environment, the following are minimum security precautions:

- Implement MAC address filtering and WEP (Wired Equivalent Privacy). However, WPA (Wi-Fi Protected Access) provides much better encryption and is preferred over WEP.
- Require wireless users to authenticate to a RADIUS (Remote Authentication Dial-In User Service) server.
- Include VPN with WLAN use.

Regardless of these protections, think of your WLAN as an untrusted network sitting outside of your firewall.

Security best practices will be covered in Lesson 2.

Overseeing networking devices

Networking devices include hubs, switches, routers, and firewalls. These are all examples of hardware (and arguably software in at least some cases) that enable computer networking or provide a service related to performance or security. This is opposed to networked devices such as PCs, servers, and network printers that also provide a network service but are not strictly required for the functioning of the overall network infrastructure. Servers can be considered a networking device to the degree that they provide the network with directory services, DHCP (Dynamic Host Configuration Protocol), DNS (Domain Name System), and other services that are required for other devices to use the network successfully.

Networking devices

Device management generally involves the first three layers of the OSI model, which cover devices from hubs to routers. The responsibilities of a network administrator and systems administrator overlap to a degree at the Transport layer, however, depending on the network and organization. Network support can also include services such as DNS, WINS (Windows Internet Naming Service), DHCP, storage, and directory services because such services are deeply integrated into the overall functioning of the network. Depending on which vendor manufactured your devices, there are usually integrated tools and log files you can use to oversee the functioning of these devices. It's rare that you'll have the opportunity to design and build a network from scratch and far more likely that you'll maintain and upgrade an existing network. Change and configuration management is vitally important in most cases. Network documentation will be discussed in Lesson 3.


The CLI (command-line interface) is a common tool for switch and router management. Each network device vendor provides proprietary software for its devices, so the command structure varies depending on the devices you purchased. You need to be skilled using your preferred vendor's CLI. Basic switch settings that you must configure include IP (Internet Protocol) address, subnet mask, and default gateway. Also, part of device management is VLAN management, system time management, and voice configuration (if relevant). Other features or services that require switch configuration are port analyzers, flooding controls, SNMP (Simple Network Management Protocol), managing ARP (Address Resolution Protocol) and MAC address tables, STP, and TACACS+ (Terminal Access Controller Access Control System+).

Direct management of any network is usually preferred to remote management, for security reasons. If you must manage remotely (which includes routers as well), do the following:

- Use SSH (Secure Shell) instead of Telnet. Although Telnet has been widely used for years, it's not secure. SSH provides a much higher level of security with little inconvenience.
- Back up the switch's configuration file. As you make changes, it's possible that you can introduce an error that renders the switch unusable. Configuration files are usually text-based files, so restoring them is simple.
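Both precautions can be checked from the text configuration itself. The following is an added example, not part of the original course: it assumes Cisco IOS-style syntax ("line vty" blocks with a "transport input" statement), a configuration already retrieved as text, and a constructed sample file; the function names are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample configuration (IOS-style syntax is an assumption).
SAMPLE_CONFIG = """\
hostname sw-access-01
!
line con 0
 login local
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""


def audit_vty_transport(config_text):
    """Report which remote-login protocols each 'line vty' block accepts."""
    results = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        header = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if header:
            first, last = header.group(1), header.group(2) or header.group(1)
            current = f"vty {first}-{last}"
            results[current] = "unspecified"  # the platform default applies
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the block
            continue
        setting = re.match(r"^\s+transport input (.+)$", line)
        if current and setting:
            protocols = set(setting.group(1).split())
            if protocols & {"telnet", "all"}:
                results[current] = "telnet-allowed"
            elif protocols == {"ssh"}:
                results[current] = "ssh-only"
            elif protocols == {"none"}:
                results[current] = "disabled"
            else:
                results[current] = "review"
    return results


def backup_if_changed(device, config_text, backup_dir):
    """Store a copy named by content hash; return None if it already exists."""
    directory = Path(backup_dir)
    directory.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(config_text.encode("utf-8")).hexdigest()
    target = directory / f"{device}-{digest[:12]}.cfg"
    if target.exists():
        return None
    target.write_text(config_text, encoding="utf-8")
    return target


if __name__ == "__main__":
    for block, verdict in audit_vty_transport(SAMPLE_CONFIG).items():
        print(block, verdict)
```

Running the audit over every stored backup shows when a Telnet-enabled line was introduced, and the hash-named copies give you a known-good file to restore.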

Router oversight shares some overlap with switch management. Configuration files are text-based and the console interface is similar, especially if you use the same vendor for your switches and routers. A reliable CLI is sometimes easier for an experienced network administrator to use than some GUIs (graphical user interfaces). Some of the features and services you need to configure and monitor on a router are ACLs (access control lists), interface addressing, monitoring network traffic, managing the dynamic routing protocol, and SNMP. You should also use the Syslog utility to collect router console messages. You can monitor router traffic with MRTG (Multi Router Traffic Grapher), which is free software licensed under the GNU General Public License. MRTG enables you to review network traffic patterns to quickly determine if you're experiencing an unusual traffic load. You can find out more about MRTG at the MRTG website.

Deciding which routing protocol to use can occasionally be a puzzle, depending on where the router is placed on the network. The following are the most commonly used routing protocols:

- OSPF (Open Shortest Path First): Routes within the hierarchical network infrastructure.
- BGP (Border Gateway Protocol): Routes in interdomains.
- EGP (Exterior Gateway Protocol): Routes between multiple domains.

Other common routing protocols include IGRP (Interior Gateway Routing Protocol), EIGRP (Enhanced Interior Gateway Routing Protocol), and RIP (Routing Information Protocol).

Hubs are simple devices compared to switches and routers; however, more intelligent hubs require some management. You can configure intelligent hubs for SNMP, traffic monitoring, stacking, user accounts, and device security. You can upgrade some hubs with a management module that allows additional features to be added. You can also access the management console on a switch or hub using the same method -- by connecting a computer to the device using its serial port.

Using centralized management and automation

As you know, managing a network involves a great deal of work, especially if the network involves a campus environment or central and branch offices. You can waste a lot of time simply traveling from one location to the next. It's much more time and cost-effective to manage your network from a central location. Also, you can automate routine tasks using scripts or other methods, saving you the time required to manually perform these operations.

Scripting reference: The specifics of writing automation scripts are beyond the scope of this class. However, you can learn about automating TCP/IP networking on clients, for example, by visiting the Microsoft Automating TCP/IP Networking on Clients website.

SNMP is the workhorse of device management on a network. SNMP is an Application layer protocol that provides for the exchange of management data between devices on the network. SNMP allows network administrators to monitor and manage network device performance as well as troubleshoot device issues. Once you install or enable SNMP agent software on a managed device, the device can be monitored from another point on the network by the NMS (Network Management System).

SNMP uses a MIB (Management Information Base), which is a collection of information organized in a hierarchical structure and describes various qualities about the managed device. Each piece of information is considered a managed object and is identified by object identifiers. Object identifiers are values that uniquely identify the managed object in the information base. Each individual managed object represents a single quality or characteristic on the managed device.

SNMP queries managed devices periodically to assess the condition of these devices. The NMS can send numerous requests to a device without receiving a response. The agent uses SNMP traps on a managed device to report some significant event to the NMS, such as when CPU usage goes over a particular amount.

SNMP is considered the de facto network device management standard.

A managed device is a server, switch, router, hub, workstation, or network printer.

Network monitoring will be covered in more detail in Lesson 5.

As discussed earlier in this lesson, before you can implement a network solution, you must have a plan. The same is true for automation. Although automation has the benefits of reducing the amount of time it takes to perform tasks, reducing errors, and freeing up the time of IT staff, it only works as well as it's designed. Your automation plan should be part of your overall design plan for the network, and you should prepare to spend a significant amount of time and effort in its development.

Automation is essentially a programming task and, like all programming tasks, it should be completely developed and tested before being put into production. Lack of attention to even a few details can result in you spending the same amount of time fixing a problem that you had hoped to save. The tasks you can automate with administration scripts are almost endless. A partial list includes:

- Updating software
- Synchronizing folders
- Automating backups and archiving
- Managing DNS
- Cleaning up Active Directory
- Archiving logs, including web server logs

Planning and documentation will be presented in more detail in Lesson 3.

You can automate updating tasks, such as Microsoft Windows Automatic Updates, after spending just a few minutes in the GUI.

Some software programs such as the Mozilla Firefox web browser are now largely self-updating; however, there is no single, overall standard for updating all software on a device.

A best practice is to not allow Windows Automatic Updates on a production network. Instead, test patches and hotfixes in a test environment to determine their effect, including any problem issues, before updating your production network.

Moving on

In this lesson, you learned about network connection planning and design, and how to work with a customer to integrate organizational goals into network development. You also reviewed different types of networks such as LANs, VPNs, VLANs, and WLANs, and explored hierarchical network design. Before moving on, complete the assignment and take the quiz for this lesson. Then, head over to the Message Board to share your experiences and questions with your classmates and instructor. In Lesson 2, you'll tackle security best practices on a network, including testing security and locking down access.

Assignment #1

Using a web browser, visit the following sites and review the specified information:

- Network design links at Network Computing
- Networking tutorials at CLN.org
- Networking terms at Networking Knowledge Base
- Network infrastructure white papers at Bitpipe

Compile notes about significant features and details as you visit each website, and apply the information to your own network, if applicable.

Quiz #1

Question 1: Which layer of hierarchical network design provides security and routing between VLANs?
A) Core
B) Distribution
C) Access
D) Connection

Question 2: True or False: Site-to-site VPN provides an inexpensive alternative to leased lines when connecting a branch office to a main office but isn't used by traveling employees connecting to the main office from numerous different customer locations.
A) True
B) False

Question 3: Device management generally involves which layers of the OSI model? (Check all that apply.)
A) Physical
B) Data Link
C) Network
D) Transport

Question 4: True or False: You install an SNMP agent on the NMS and enable it to query managed devices on the network.
A) True
B) False

Ensuring security for the network

The greatest challenge in using security measures is keeping your network reasonably safe from threats while maintaining network functionality and productivity. In this lesson, you'll find out how to keep your network secure.

Use security best practices

Network security best practice is more than a laundry list of dos and don'ts. It's a conceptual structure that organizes the tasks necessary to establish, maintain, and modify the procedures involved in the security of your network. Although a detailed treatment of this subject would fill volumes (go to Amazon.com and search for books on "Network Security Best Practices"), we include the foundational concepts and review them in this lesson.

The risk analysis

Before you begin configuring ACLs on your routers and blocking ports on your firewall, you need to understand the levels of risk represented at the different access points to the network. Although a risk analysis doesn't necessarily find every vulnerable point or take into account every conceivable method of attack, it can help you find likely entry points, assign a risk level, and suggest an appropriate means of defense at those points. The vulnerable elements of a network are the network itself, network services, resources such as DNS or authentication, and data. You can categorize these levels in a variety of ways. For purposes of this course, risk is categorized at levels 1, 2, and 3 -- with 1 being the highest risk and 3 being the lowest -- and described as follows:

- Risk level 1: Any network systems or data accessed or damaged at this level would result in a catastrophic loss of productivity and security to the organization. Lost data and services take an excessive amount of time and effort to recover and restore -- or may even be impossible to restore -- and services and equipment require major repair or complete replacement. Imagine if large portions of eBay's customer database were to disappear.
- Risk level 2: Systems and data accessed or damaged at this level would represent a moderate impact on productivity and security. Any lost or damaged data or compromised systems require an intermediate amount of time and effort to restore and recover. The damage would be significant but not catastrophic. For example, consider a situation in which data saved to a file-sharing server over the last 24 hours was corrupted.
- Risk level 3: Any network systems or data accessed or damaged by an unauthorized person at this level are easily restored, and you're able to effectively prevent the intruder from further access into the system. If these areas were attacked, or if data were lost, it wouldn't represent a significant loss of productivity, business security, or profit. This is the equivalent of someone accessing a folder of electronic marketing materials from several vendors.


The definition of "excessive amount of time" varies depending on how much an organization pays for network downtime. For example, how much would it cost Amazon.com if it lost all internet access for one hour?

Assigning risk levels to the hierarchical network system

As described in Lesson 1, your network infrastructure can be organized into three levels depending on function: core, distribution, and access. Each of these areas represents a type of risk based on how it functions and the impact on network security if it's compromised:

Core: This is a level 1 risk area. Any operations disrupted in the core layer will interfere with your high-speed business backbone and WAN access. Devices that operate at this layer include ATM (Asynchronous Transfer Mode) switches.

Distribution: This is a level 1 risk area. Any operations disrupted at this layer will interfere with routing, VLAN access, and general network security. The distribution layer is the conduit between the core and access layers. If the distribution layer is invaded, it could allow unauthorized entry to the entire network. Devices that operate at this layer include network routers.

Access: This is a level 1 and level 2 risk area, depending on which devices are accessed or compromised. Operations disrupted at this layer will interrupt end-user access to network services and data, preventing them from accomplishing necessary business tasks. Devices that operate at this layer include switches and servers.

Assigning risk levels to network applications and services

It's also important to consider the level of impact that disruption of network services would have on the business environment. In Lesson 1, you learned that, as part of your network infrastructure design, you had to determine how critical various applications are to the business customer. Risk levels correspond to how much the business depends on access to these applications.

Servers that provide DHCP or DNS are considered a level 2 risk. Although the temporary loss of those services would make a significant impact, they can be recovered in a reasonable time. Email can run the gamut from level 1 to 3, depending on whether it's a lower-risk external email server or a higher-risk internal server. Data and database servers can be either risk levels 1 or 2 depending on how significant that information -- and access to that information -- is to the customer. The compromise of a firewall is considered a level 1 breach.

Creating a network security group

You might have a security technician or manager as part of your IT staff; however, network security is everyone's responsibility. If you have a security chief, assign that person the task of creating a network security group, whose task is to review significant issues regarding network security. The group should also create relevant policies and procedures regarding security. This team could be comprised of your entire IT staff or a subgroup of your staff, depending on the size of your department. The senior administrator should be a regular member of that team or may choose to receive reports after every meeting. The security group, if it's a subset of your overall staff, should interface regularly with the entire IT department to advise them of the current security situation of the network and find out if they have any questions or issues to address.

The security group is responsible for setting and updating network security policy for users and administrators, and establishing, monitoring, and testing network security procedures. The security group is your first line of defense if a security incident occurs. If your staff is relatively small, you'll likely wear the security chief hat, and your entire staff will comprise your security group.

How to develop network policies and procedures, including those affecting security, will be addressed in Lesson 3.

Proactive and reactive measures

Although it's desirable to prevent any network intrusion, it's quite ambitious to assume you can stop them all. However, this doesn't mean that you shouldn't develop the most effective preventive measures available for your network. This is a job for your network security group, and you or your security chief needs to assign specific tasks to team members. Basic proactive tasks of your group include:

Setting and changing firewall and SNMP configurations
Creating and managing ACLs
Evaluating and installing updated software, particularly security patches
Changing passwords on all network devices and servers regularly
Limiting access to network devices to necessary personnel only

Assigning roles and responsibilities to your staff will be covered in Lesson 3.

Remember that, if feasible, you should always test any software upgrades in a test environment that's isolated from your production network. After you observe the response of a patch or hotfix and eliminate potential problems, you can update your entire network. If you suspect that an unauthorized member of the IT staff or another department has obtained access to a device, change the password immediately and conduct a review of how the breach happened. Even a relatively well-meaning person can misconfigure a switch or router, bringing portions of the network to its knees.

Security monitoring is like network monitoring except that instead of doing a regular review searching for any significant change in operations, the review is focused on detecting any change that may indicate a breach of network security. Monitor firewalls in real-time because even a small interruption in their functioning leaves the sensitive areas of the network vulnerable. Any suspicious network change monitored by a nonsecurity group member should be reported immediately to security staff.

The key to a reactive security measure is quick detection and response to the intrusion. The response, once an intrusion is detected, is to recover the lost data or service as quickly as possible, and determine the point of entry and correct the situation that allowed unauthorized access. The affected device or systems might have to be shut down to prevent further access until the problem is corrected. Your security group should respond first and be available 24/7. Other reactive tasks include contacting your carrier and trying to trace the attack to its source. In some cases, you must contact law enforcement and, in all cases, notify the relevant managers and legal staff. Determine just how much damage was done by reviewing all records of the event including logs, active user accounts, and "sniffer" traces. Log files and other records may contain information about the current incident and a history of similar attacks not previously detected. You may have to limit user accounts or even temporarily disable internet access. Also, even if you believe only one area of the network was affected, review all other systems and look for signs of intrusion.

Testing your security measures

Implementing a good network security plan is all well and good, but how do you know it actually works? You could wait for an unauthorized person to launch an attack to see if your measures are effective; however, if they aren't and a serious breach occurs, you may have some explaining to do. It's prudent that you test your security defenses to determine if they respond as predicted. You should, at the least, test your network security after you initially establish your system and anytime you make a change. It's better to run tests regularly, even if you haven't recently modified the system. Changes to the network may have occurred over time and had an effect on security. One important question to consider is: Who will perform the security testing? The natural candidates are in your internal security group. After all, they designed and implemented the system. They should be well positioned to know what to test. The advantages of using your own group are to save time and money, plus to leverage internal staff to do the job. Some disadvantages include how your team conceives of security for the network. They might only test for attacks they anticipate, but because of their position, don't have an outsider's perspective on the network. Also, when you design your own security and believe you've done a good job, you might not want to discover and admit that it has holes.


Periodically, you should hire an outside security consultant to perform a security audit on your network. This can be somewhat ego-bruising because you're allowing an outside group to set the standard for how well you've designed your network security system and how testing should be accomplished. The major advantage in using a consultant is that they have no vested interest in how well or how "not-so-well" your security performs. They'll attempt to penetrate your network as effectively as they can and might find vulnerable areas you wouldn't ordinarily consider. Once you receive their report, you can make the recommended changes, providing for a higher level of security. Although hiring an outside consultant must be within budget (and you may consider the cost prohibitive), think about how much it would cost the company if an undetected security hole resulted in an intrusion that deleted all human resources records.

There are a variety of techniques you can use to test network security. The following sections describe the most common methods used in security best practices.

Vulnerability scanning

This is an advanced form of port scanning that not only scans ports and hosts but also identifies the associated vulnerabilities. This type of scanner also attempts to provide a remedy for the detected vulnerability rather than having a technician or administrator interpret the results as they would when performing a standard port scan.

Penetration testing

As the name implies, this form of testing attempts to bypass or otherwise breach the security measures you've put in place. This is a test that can provide invaluable information but shouldn't be conducted lightly. Perform this test only after considerable planning and approval by senior staff. This test is very time- and labor-intensive and great care should be taken to make sure the test doesn't accidentally cause real damage to systems or data. Penetration testing can help in finding previously unknown access points to the network that could be exploited by an attacker. Sometimes, an outside intruder called an ethical hacker may breach some part of your system. When you detect and question an ethical hacker, the hacker might explain that the purpose of the attack was to show you your network's vulnerabilities. Unless you hired this person as a consultant to perform this type of testing, generally consider their actions to be unwanted and illegal.

Virus detection

This is a test most often performed on mail servers or servers that specifically scan for viruses as traffic enters the network. A complete test of this system isn't always possible because new malicious software is almost constantly being developed or modified and released into the wild. Perform this virus detection test in a test environment that mimics your actual mail server or firewall. An unsuccessful test on your production system (in which the virus goes undetected) can result in an infection of your actual system.

In a virus detection test, you introduce selected viruses to the server to determine if they are detected and isolated, and to make sure that the system continues to function.

File-integrity testing

File-integrity checkers examine files and databases to determine whether unauthorized changes have been made, which may indicate an intrusion or data corruption. Checkers calculate and save a checksum for every file in the system in its database. These checksums can be regularly recalculated to determine whether an unauthorized change has occurred. To effectively use this tool, you first have to establish a baseline for the data, which must be secure up to that point. If you establish a baseline for the integrity checker on data that's been compromised, subsequent test results won't be reliable.

Intrusion detection

ID (intrusion detection) is a method of testing and monitoring that attempts to detect security breaches based on changes in network activity. The changes you attempt to monitor are those that are usually associated with a network attack, as opposed to other changes related to general performance. Intrusion detection can be host- or network-based. You use host-based ID by installing ID software onto the device you want to monitor and then using log files or auditing agents to collect and review data, looking for possible intrusion. Network-based ID monitors traffic on the network-segment level rather than an individual device, looking for patterns that indicate a security breach.

Password cracking

You can use one or more password-cracking programs on your network to detect users who have set weak passwords. Ideally, you should have a policy regarding how to set strong passwords; however, not all users comply with policies. A password-cracking program can also verify that users with sensitive access to network devices and servers have set their passwords to a sufficient complexity that'll prevent them from easily being discovered.

Practice service and access lockdown

One of the responsibilities of a senior network administrator is to determine the level of access various users and departments have to devices, services, and applications on the network. You're expected to support the various types of hardware and applications necessary for the organization to perform its tasks and function profitably, so to what degree should you limit access? If your customer wants to add an application to the system or if the customer is selecting applications during system design, you need to discuss and evaluate which ones will be best suited based on the customer's business goals and their practical implementation in the network design. By the time those decisions are made and the application software has been deployed, you should have made an agreement as to which applications your department will support. That usually works fine; however, in most work environments, there are some users who believe that they need to work with different applications. When your department (the IT department) advises a user that you don't support what they want to use, they install it on their workstation anyway. This often leads to problems. The type of software they use may conflict with other applications on the network causing faults or other difficulties. Or, the user might cause a problem on their own computer but be reluctant to call for IT support, knowing that you would find out what they've done.


There are numerous examples of users making unauthorized changes to their computers, or the computing environment, that have adverse effects on the system. Being allowed to make unbridled changes creates an atmosphere that usually isn't conducive to productivity -- at least some users will take advantage of their "freedom" by performing nonwork-related computer tasks such as playing games and downloading MP3s. Unauthorized downloads could also result in the infection and spread of viruses and malware on the network. Locking down the user environment by implementing specific software policies enables you to determine which types of software will run on the system and limit who can run various programs. You can also prevent the accidental or purposeful deletion of important data files, which would result in the loss of productivity. In a Windows Active Directory environment, you can use GPOs (Group Policy objects) to set security levels to either allow or disallow the running of different software types. GPOs can be applied either to a group of computers or to individual users as needed. You should also prohibit the installation of personal devices on the network. A classic example is the user who wants to have wireless access to the network. They install an unauthorized wireless access point to accomplish their task but inadvertently allow a war driver outside the building access as well. You can prevent this by using MAC filters on your switches so that only devices whose MAC addresses are contained in the switch's database will have their traffic switched on the network. Also, restrict physical and remote access to your networking devices to authorized staff only. If taken to the extreme, allowing users unrestricted access to make system additions and changes will result in a completely chaotic user environment.

Locking down access to the network has other advantages. You can limit which network applications the user can or can't use. For example, if your company wants to restrict use of an instant messaging program, you can block the relevant port on your firewall, preventing it from communicating. It's a good practice to start by blocking all ports and then opening only those that you absolutely need for business practice. Of course, most companies allow more access to the network and internet than is strictly needed to perform necessary tasks; however, the level of security you implement and enforce needs to be established based on your customer's goals and needs.

Security lockdown has a dark side as well. A network that's severely locked down can result in necessary software applications that fail to run when opened or that won't open at all. You might also cause important data to not be saved, resulting in its loss. When you try to deploy new software, you could be blocked from doing so. Also, a severely locked-down environment is harder to troubleshoot. The same is true of network access that's locked down too tightly. You could prevent needed access to vital internet sites for the sales department, for example, or otherwise inhibit necessary telecommunications channels. As mentioned in Lesson 1, security and usability have an inverse relationship.

Moving on

In this lesson, you learned how to provide security for your network. You explored network security best practices, creating a security group, testing your security measures, and locking down system services and access. Before moving on, complete the assignment and take the quiz for this lesson. Also, take some time to visit the Message Board and post questions and comments for your classmates and instructor. In Lesson 3, you'll address the role of the network administrator as an organizational manager. This will include topics such as how to create operational plans, establishing policies and procedures, and assigning roles and responsibilities to your staff.

Assignment #2

Go to the SANS FAQ web page and look for information on ID. Although you don't have to read the page exhaustively, review the section or sections that you find more interesting or relevant to how you would use this tool on your network. Feel free to share what you found with your classmates and instructor on the Message Board. You might also find some information you'll want to add to your network security arsenal.

A great deal of information is available about ID on the SANS website, including basic information such as terms, theory, and research; how scanners and scan patterns work; management and legal issues related to ID, and more.

Quiz #2

Question 1: True or False: The distribution layer of a network infrastructure can be a risk level 1, 2, or 3, depending on the types of devices operating at that layer and their function.
True
False

Question 2: Which of the following are legitimate reactive security measures? (Check all that apply.)
Contacting your carrier and attempting to trace an attack to its source
Contacting law enforcement agencies to report the attack
Disconnecting your network from the internet
Shutting down a compromised server or system

Question 3: True or False: Intrusion detection works by installing ID software onto an individual host so you can monitor an entire network segment.
True
False

Question 4: Locking down a network involves which of the following? (Check all that apply.)
Using GPOs to prevent or allow users to run certain applications
Locking server and telecommunications closets and only allowing authorized IT staff physical access to internetworking devices
Blocking ports to prevent some services from accessing the internet
Setting MAC address filters on your firewall to allow only authorized devices access to the network

Working with operational management

IT documentation includes operational plans for network functioning and all the policies that define network access and use. In this lesson, you'll learn how to create effective documentation, as well as how to assign roles and responsibilities.

Create operational plans and reports

The overall document that outlines all of the regular maintenance tasks and other periodic activities that must take place on a network is the network operations plan. This is the master plan for network maintenance and predicted growth and expansion. You can use planning software, such as Microsoft Project or a simple spreadsheet program, to create and maintain this document. Regardless of the chosen software, include key variables such as task, priority, funding, assigned staff, resources required, task duration, dependencies, and so on.

The network operations plan is your "calendar" for network tasks. Although the plan can be relatively static, you should review it regularly to verify that tasks are being completed in an appropriate and timely manner. You may have to modify the plan periodically to take into account unforeseen events or changes in the company's business goals that affect network design and performance expectations. Don't take changes to the plan lightly, however. Because an operations plan is linked to a company's business plan, any proposed changes should involve company decision makers before being implemented. As you accomplish tasks listed on the plan, make sure that this information is updated. You can create operations plans specific to individual staff members so that each person on your team has a personal blueprint of what's expected of them.

Network and change audits

In addition to a network operations plan, you should also periodically conduct network and change audits. Whether you're creating a network from the ground up or are coming onboard as the senior administrator, you should conduct a complete audit of all hardware, software, equipment, supplies, areas of staff responsibility, assignment lists, and user groups. This gives you a baseline document that tells you what kind of inventory you have on hand and helps you keep track of property. You'll also know which projects your IT staff is working on and who's responsible for specific tasks, and have a blueprint of network users, group memberships, and privileges assigned to those users and groups.

Managing IT assets via audits can be difficult in a large organization. After all, you can't manage something if you don't know it exists. Network audits and asset management are about the senior IT administrator "discovering" the network. One of the keys to discovering network assets or at least minimizing the "loss" of aspects of your network is communication and documentation.

When you make any changes to the network, you should make sure a change audit is conducted and those changes recorded to ensure your information remains current.

For example, you order 50 PCs but only 40 arrive and the shipping department loses the invoice, which you're not aware of. You roll out 30 PCs right away and have someone store the others for future needs. In five weeks, when you need to install the other 20 PCs, you discover you have only 10. You've now got a big problem to solve because the details of the shipment are no longer fresh in your mind and you must involve several people -- including accounting staff in your company and the vendor's -- to resolve the problem of the missing PCs. You can easily avoid this type of situation by keeping detailed records and conducting regular audits. There are a number of important elements that you should include in your auditing plan:

Purpose and scope of the audit: This will tell you why the audit is necessary and how wide a net you're planning to throw. For example, are you auditing a single site or multiple sites?

Staff members responsible for specific auditing tasks: Recording who's responsible for what helps to minimize confusion and ensures that each task has ownership.

Auditing details: How the audit will be managed, the cost of the audit, and the schedule for when audits will be updated.

Inventory: Consider using asset management software to discover and keep track of your inventory. This kind of software can discover which devices are in use, which software is installed on the devices, and where the devices are located. You can also use it to integrate invoicing and purchase order tracking into your auditing system.

Licenses and leases: You can also use asset management software to track licenses and leases. This is very important if you're developing a licensing scheme with a company such as Microsoft. You'll need to know which licenses you have so you can negotiate the most advantageous agreement. Using software to track licenses and leases can also help you avoid using unlicensed software.

Although asset management software can save you money, it can also be an expensive purchase. If your business is relatively small, the direct cost of purchasing this software might not be compensated by a gain in savings. Consult with your company's accounting department and CIO (chief information officer) to see if management software is the best way to track network assets.

Access and logon audits

Network operating systems such as Microsoft Windows, Novell NetWare, Linux, and Unix have the ability to record when a directory or file has been accessed. This form of audit -- an access audit -- would be difficult to accomplish if you planned to manually review each directory and file on the system. However, server systems usually generate security logs that record suspicious activity on the system. If you suspect something of this nature, you can enable auditing on the server and select the type of events you want to monitor. You can also configure the scope of the audit in terms of users or groups (such as the Everyone group or only selected groups).

You may want to perform a similar assessment -- a logon audit -- if you suspect an unauthorized person has tried to log on to one or more of your systems. Most server systems also record that data in a security log, enabling you to review which accounts the user tried to log on, determine if the attempts were successful, and track the IP address of the host used in the logon attempt. This form of auditing is an important subset of your operational documentation because it establishes a record of attempted security breaches over time.
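A logon audit of the kind described above, as an added example that is not part of the original course material. It groups attempts by source IP, lists the accounts tried, and notes any success that followed repeated failures. The log lines are constructed, and their OpenSSH sshd syslog format and the threshold of three failures are assumptions, since the course names no particular log format.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH sshd syslog style (documentation-range IPs).
SAMPLE_LOG = """\
Mar  3 02:14:01 gw1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 02:14:04 gw1 sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 02:14:09 gw1 sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 02:14:15 gw1 sshd[4121]: Connection closed by 203.0.113.7 port 51122 [preauth]
Mar  3 02:15:40 gw1 sshd[4130]: Failed password for backup from 203.0.113.7 port 51140 ssh2
Mar  3 02:15:47 gw1 sshd[4130]: Accepted password for backup from 203.0.113.7 port 51140 ssh2
Mar  3 08:01:15 gw1 sshd[4307]: Accepted password for jsmith from 198.51.100.4 port 40022 ssh2
Mar  3 09:30:02 gw1 sshd[4410]: Failed password for jsmith from 192.0.2.33 port 52800 ssh2
Mar  3 09:30:11 gw1 sshd[4410]: Accepted password for jsmith from 192.0.2.33 port 52800 ssh2
"""

LOGON_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def audit_logons(log_text, min_failures=3):
    """Summarize logon attempts per source IP.

    For each IP: number of failed attempts, accounts tried, and accounts
    that logged on successfully after at least min_failures failures from
    that same IP (a likely guessed password rather than a typo).
    """
    stats = defaultdict(
        lambda: {"failed": 0, "accounts": set(), "success_after_failures": []}
    )
    for line in log_text.splitlines():
        match = LOGON_RE.search(line)
        if match is None:
            continue  # not a password logon event
        entry = stats[match["ip"]]
        entry["accounts"].add(match["user"])
        if match["result"] == "Failed":
            entry["failed"] += 1
        elif entry["failed"] >= min_failures:
            entry["success_after_failures"].append(match["user"])
    return {
        ip: {
            "failed": e["failed"],
            "accounts": sorted(e["accounts"]),
            "success_after_failures": e["success_after_failures"],
        }
        for ip, e in stats.items()
    }


def flag_sources(report, min_failures=3):
    """Return the source IPs that warrant review by the security group."""
    return sorted(
        ip for ip, e in report.items()
        if e["failed"] >= min_failures or e["success_after_failures"]
    )


if __name__ == "__main__":
    summary = audit_logons(SAMPLE_LOG)
    for source in flag_sources(summary):
        print(source, summary[source])
```

A single mistyped password followed by a success, as with the third source in the sample, stays below the threshold and is not flagged.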

Network utilization reports

You can only manage network utilization if you're aware of utilization trends over time. The first thing you need to do -- so that these reports will be useful -- is to take a baseline of network operations. You should create a baseline when you first develop your network or when you make a major change. Here's how:

1. Start the network performance and monitoring tools. You'll have to determine the sampling interval so that it's long enough to garner significant data but not so long that it creates an additional network load.
2. Record several data points at different times to get a sense of the utilization peaks and lows on the network. Most network operating systems come with built-in tools for monitoring and management.
3. Monitor utilization at particular physical points on the network. Areas where you'll want to measure traffic are server network interfaces, particularly your application server, access points to hubs, switches, and routers, and network interfaces on randomly selected client computers.

After you create a baseline, repeat the utilization audit periodically and generate update reports. Noting changes over time, especially a general increase in network use, can be used as a justification for requesting additional equipment to match the growing need for network access.

Network utilization monitoring will be covered in more detail in Lesson 5.

Incident reports

This is one type of document that no network administrator wants to have to create, but it's inevitable. An incident is any event that causes an impairment or breach of the overall network or some portion of it. Creating incident reports enables you to gather all of the information about a problem that can be used to develop a solution. This is especially true if the incident was an attempted or successful break-in. Legal department staff and law enforcement officials might need the incident report to take action against the perpetrator. These kinds of reports are also necessary to help you find and correct gaps in your security, or any problems with the network design. You can often use a standardized form to create an incident report, and then have all persons who are involved in discovering the issue complete a form. Make sure you have a record of who completed these forms, the type of problem discovered, and the data, equipment, and software that was accessed or impaired. Also, keep a record of how the problem was initially discovered (such as via security logs, and so on), the symptoms that indicated an issue existed, and the actions taken in response.

Network diagramming and site surveys

When you initially design and develop a network, one of the most important documents you'll create is the overall network diagram. This is usually comprised of a set of documents, depending on the size of your infrastructure and level of detail you want to show. You can use different types of software to create network diagrams, such as Microsoft Visio or Dia. Ideally, you should create an overall logical drawing of your network and then more detailed diagrams of each specific section. Also, create a diagram of the relationship of networking devices in your telecommunications closet. You can even create detailed graphics that show the port assignments, including VLAN assignments, on your switches. You should also record this information in a text-only document; however, the network diagram will give you an at-a-glance view of how the server closet is set up. Update your network diagrams whenever you update your network.

If you plan to construct a WLAN, you need to prepare a site survey before you begin the design process. A wireless site survey is an assessment of a physical environment and how RF signals behave throughout that environment. You need specific information about how radio signals operate in various parts of the structure where you plan to implement your WLAN. Factors to consider are the existence of current wired and wireless networks, business requirements for wireless networks, bandwidth requirements, roaming requirements, security requirements, development and operating budget, and the type of facility. Conducting a site survey requires the use of mobile wireless equipment that measures signal strength and data rates at different points in the facility. Look for areas of "radio shadow" and other factors that can significantly impact the quality and reliability of your wireless connections and thus placement of your wireless equipment. Also, if the building is already wired for electricity, you need to locate the wireless APs and other wireless equipment near a source of power.

Once you have all necessary readings and measurements, record the information in the form of a report and present it to your customer along with recommendations on how the WLAN should be designed.

Establish network policies and procedures

A procedure is a course of action designed to accomplish a goal, and a policy is the plan or statement recording a rule or procedure. This is the area of network documentation that provides the IT staff and end users -- from the CEO to shipping department personnel -- with a set of rules and plans for network operations. Your policies and procedures should address network access, security, firewalls, web usage, and so on. The most common types of policies are network use, security, and performance.

Network use policy

A network use policy must be read and signed by all employees of your company. If you're creating or modifying your organization's network use policy, you'll most likely be working with the administration, HR, and legal departments. A network use policy defines the privileges and restrictions involved in accessing and using a company's network, including internet access.

The purpose of a business network is to accomplish the business goals of the organization. Regardless, a company may allow employees a certain amount of personal usage such as casual web surfing during their lunch hour or checking their personal email account; however, the more freedom you allow users on the network, the greater the risk. Unrestricted internet access at work sets the environment for users who conduct illegal business dealings, look for another job, surf adult websites, and other activities that affect productivity, put network security at risk, or make the company potentially liable for legal action.

A network use policy should specify:

How and under which circumstances a user may access the network
Which activities are not permitted
The consequences of violating the network use policy

Usually, employees are provided with some sort of training or informational workshop that acquaints them with network use policy. Employees are given a written copy of the policy and are required to sign a form stating that they've read and understand the policy. This protects the company should the user later inappropriately use their network access for unethical or illegal purposes and ultimately can be used as the basis to discipline the user up to and including dismissal from the organization.

Security policy

A security policy defines the rules and procedures required to keep a network safe from outside intrusion as well as being compromised internally by an authorized user or unauthorized personnel. A security policy is usually comprised of a series of documents because the topic of network security is quite broad, covering everything from password policy to email usage. Depending on the level of security your company requires, you can create a general security policy document that describes the overall requirements to keep the network safe, or create security policy modules addressing specific procedures that provide security at various points on the network. A good security policy should describe:

How particular security procedures will be enacted and monitored.
The person or persons responsible for implementing the policy.
How it will be managed.
The consequences of breaching the security policy, which includes the consequences to the network as well as the individual who caused the breach. Consequences could include disciplinary action if the breach involved a user and notifying law enforcement, especially if the breach was caused deliberately by an unauthorized person.

All security policies must be documented and presented to every individual in the company who's responsible for carrying them out. In many cases, this will include all end users, although many security policies and procedures are carried out only by IT staff, such as a policy regarding the rules and operation of your firewall.

Performance policy

A performance policy defines how resources are made available and used on a network. This may address network use access to some extent, and the user groups and applications involved in network performance. Performance policy defines which services and applications are given priority in the event of limited network availability. For example, you configure your routers and switches to give a higher priority to network traffic based on IP address or port number, ensuring that those forms of traffic are queued first. You give your mission-critical applications the highest priority. This is all part of a performance policy. Your performance policy should also record how application traffic is prioritized, such as which mechanisms your networking devices use to provide QoS (quality of service) on the network.

You can also specify in your performance policy how connection types are prioritized. It's common to give the highest priority to WAN traffic, allowing your web presence and e-commerce to be maintained.

Assigning roles and responsibilities

Depending on the size and configuration of your IT department, you may have only a few people to supervise or several teams. If you're starting an IT department from the ground up, you have a lot more control over who will be on your staff than if you're hired into an existing department. Even then, you can determine if the roles your staff members hold will remain the same or change based on your assessment of the department's and company's needs. Hiring new staff or changing current staff assignments and responsibilities requires you to work closely with your company's HR department. An entire body of laws and standards are involved in labor relations, and your HR representative can be a great asset to you in this area. The skills that lead a person into the role of senior IT administrator don't always transfer very well into the management of people. Regardless, a senior IT administrator must have excellent technical and people skills, so use whatever resources you have available to stay on top of your game.

If you have a small staff, you have to assign multiple roles to individuals; in a large department, you may assign individuals to specialized roles, such as network security administrator. Regardless of the size of your department, each member of your staff will likely have multiple responsibilities for maintaining some portion of the network in their assigned role. Typical job roles you may have to supervise include:

Technical support call center: This is usually a phone-based system in which technicians receive and log support requests from end users. The technicians generate trouble tickets and assign these tickets to PC support staff, who then respond physically or over a remote connection to diagnose and repair the issue.

PC support specialist: This person is responsible for supporting the end user. He needs to be familiar with hardware and application installation, maintenance, and support, and respond to trouble tickets generated by technical support.

Network engineer: This person is responsible for supporting some portion of the network infrastructure or, in a small organization, all of the major roles. This can include managing switch and router configuration and operations, supervising different areas of network security such as the firewall and antivirus server, and maintaining servers such as applications, email, and file and print.

In a very small IT department, the senior IT administrator might take on some of these roles to help balance the workload.

In a small company, a PC support specialist is the person responding to the initial call center phone request.

Depending on the size of your organization and specific business goals, you might also supervise the web designer, network security technician, and programmers, for example. So how do you decide who takes on which roles?

Role assignment based on education and experience

You can hire or assign network roles based on the education and experience level of the person involved. When assigning roles, review what a person has learned through a formal educational setting and relevant experience obtained since graduation. The methods you use to assess whether a person is right for a job are reviewing and verifying the information on their résumé and doing a standard interview.

Role assignment based on skills and talents

There are times when you may not have the luxury of hiring someone with an extensive background in desktop support or network engineering. If you have a limited budget, for example, you might not be able to offer a competitive salary and benefits package to those prospective employees. However, a fair number of IT staffers started down the technical proficiency road by tearing apart PCs when they were fairly young. Many of them acquired adequate or superior skill sets through means other than a formal education or expensive certifications, and may be quite willing to start at the bottom of the pay scale in return for bona fide experience. Because these candidates usually don't have verifiable credentials, you'll have to rely more on the experience they report and on the interview. Additionally, you can pose technical problems to the candidate to see how they perform. Depending on your time frame and resources, you can even put them in front of a computer that you have introduced a fault into and ask the candidate to diagnose and repair the problem.

Hands-on problem solving is also a great assessment method for the candidate with a formal education and background.

Role assignment based on training needs

You may work in a setting that allows or requires you to hire trainees or interns, such as at a university or other school that trains students for technical roles. In this case, you might seek someone who's a superior student or a person who shows a significant aptitude for IT work. The benefit of hiring a trainee or intern is that you can assign them to lower-level types of tasks that are usually backburnered due to insufficient staff availability. The flip side is that you're expected to provide training and guidance. This takes staff time and energy away from the actual administration of the network.

Consultants

Periodically, you may have network tasks that don't require a full-time permanent staff person to accomplish, such as one-time or occasional network diagnostic or configuration tasks. To get the job done, you may need to hire an outside specialist or consultant to perform the necessary activities. It's wise to research the consultant or consulting firm to ensure that they're sufficiently skilled and ethical, and won't misuse their position to endanger network security. Part of your contract with the consultant should include an NDA (nondisclosure agreement), which states that the consultant promises not to reveal any information about your network configuration and security procedures. A consultant should submit a bid to you for the amount of time the project will take and the cost. You can take bids from multiple consultants to negotiate the most favorable arrangement.

The lowest bid is not necessarily the best bid. You must ensure safety and efficiency of network operations during any project, even if it costs a little more. Of course, in this matter, you'll also have to refer to your budget. Also be sure that you're comparing similar services -- a low bid might not actually include all of the services you thought you had asked for.

Temps

If you need additional staff on a short-term basis for a specific project, consider hiring temporary contract workers. These workers don't have to be high-level experts, such as a consultant. For example, you might hire contract workers for assistance with a large-scale rollout, such as deploying 50 new workstations for a new department or upgrading from an older to a newer version of an operating system. To hire contract workers, you contact a staffing agency to place a request for the number of workers you need, specifying their skill level and experience. Your initial point of contact is with the hiring agency rather than individual workers; however, the conditions of the contract would be similar to one you sign with consultants -- contract workers are also expected to sign and abide by NDAs. You pay a fee to the agency, and the agency remunerates the workers.

Multiple roles and responsibilities

In a small department, you and your staff may have to serve many different roles. One problem is that each person may not be equally capable in all the roles they have to fill. A staff person may be well acquainted with managing multiple server platforms but struggle with firewall and ID system configurations. You can attempt to resolve these issues in a few ways:

If you have two or more staff members whose skills complement each other, have them cross-train, sharing their skills and bringing each other up to comparable levels.
If you, as the senior administrator, possess those skills, provide support and training yourself.
Provide for outside training for staff, if your budget allows.

One concern is that a newly trained person may decide to seek employment elsewhere, taking your training investment with them! To minimize the potential, consider requesting that staff sign an agreement stating they won't leave the firm within a certain number of months after having completed training. This would give you the opportunity to benefit more from the education you provided.

Moving on

In this lesson, you learned about procedural network administration, including operational plans, network and change audits, incident reports, and network diagrams. You also learned about policy and procedure development, and the importance of assigning roles and responsibilities to IT staff. In Lesson 4, you'll delve into email management, including maintaining and securing email and controlling spam.

Before moving on, complete the assignment and take the quiz for this lesson. Stop by the Message Board to discuss this lesson and other lessons with your classmates and instructor.

Assignment #3

For this assignment, visit the following IT small business websites and read articles or news items that are relevant to Lesson 3:

IT Manager's Journal Small Business Trends Small Business IT World Network World Small and Medium Business Center

You might not find an article, news story, or other item that exactly fits the subjects presented in Lesson 3. However, try to find something that's as close as possible. The point is to find information in the "real world" that's associated with what you're learning.

Keep notes about your findings, and then go to the Message Board and discuss your findings and how they're relevant to Lesson 3.

Quiz #3

Question 1: What are some of the key variables usually included in a network operations plan? (Check all that apply.)
A) Priority
B) Funding
C) Asset number
D) Dependencies

Question 2: True or False: An access audit records logon attempts by unauthorized personnel.
A) True
B) False

Question 3: A member of the company's sales staff has been discovered using internet access to surf adult websites. The salesperson has potentially breached which policies? (Check all that apply.)
A) Network use policy
B) Security policy
C) Password policy
D) Performance policy

Question 4: One of your network technicians is responsible for configuring and monitoring the switches and routers in the network infrastructure. The tech is highly proficient in this area. Recently, you assigned the tech the additional responsibility of conducting and reviewing backup and restore operations on all servers. The tech is not familiar with the hardware and software involved. No one else in your department can train this tech; however, you're familiar with those systems. What are the two best methods of training the tech? (Check all that apply.)
A) Train the tech yourself.
B) Give the tech the documentation on those systems and ask that she learn the skills on her own.
C) Send the tech to a training seminar.
D) Assume the tasks of backup and restore yourself.

Controlling email

Maintaining email

Email is a vital service to users, but it's also a major security concern for most senior network administrators. In this lesson, you'll learn how to take charge of this powerful and problematic network application.

There are many vital issues involved in managing and maintaining an email system, and a myriad of tasks that an IT department must perform to ensure continual end-user access to email. Management of your email system isn't just a matter of technical complexity but of regulatory law as well. For example, SEC (Securities and Exchange Commission) Rule 17a-4 outlines the requirements governing how any electronic messaging system (emails and instant messaging included) is stored and managed. The following sections briefly describe the main considerations of an email system.

For details about SEC Rule 17a-4, visit the U.S. Securities and Exchange Commission website.

Storing email


Even in small to medium-sized business environments, the demand for email storage capacity is considerable. The typical volume of email storage is now in the petabyte range, requiring that you provide larger hard drive volumes to store all the data. Unfortunately, greater storage space means greater expense, and you face the usual conflict of need versus cost. Because you don't have an infinite amount of space on your email server to store messages, how do you manage this problem?

Deleting email


Emails have a habit of multiplying at an alarming rate. Although emails on a business server represent formal corporate records, the content, in fact, can be anything from a sales proposal to the latest joke buzzing around the internet. In other words, every email on the server isn't really necessary. A common solution to a burgeoning number of email messages is to limit the amount of space each end user may use on the mail server, and to send users warning messages as they near their allotted limit. This allows users to select which emails they no longer need and to clean out their folders.

You may encounter a few users who, for various reasons, either refuse to delete unneeded emails or just neglect to tackle the job. To counter this problem, you can create a policy that states that emails in accounts that are full will be deleted automatically, or manually by IT staff. Consult with your HR and legal departments, as well as other key administrators, before enacting a policy that allows for email deletion by anyone other than the end user. Because emails are official records, randomly deleting such records could cause business and legal complications for the company and the end user.

If your company decides not to implement a deletion policy, at the least, inform your users that once the limit is reached, emails that are sent to them will bounce back to the sender, which can cause confusion, delays, and frustration. Your company's clients and other associates can get a particularly negative impression of your company if they must endure repeated email bounce-backs.

Archiving email

Rather than deleting emails to make room on the server, you can require that users archive older emails when their storage space is nearing the limit. Microsoft Outlook, for example, offers this option to end users. Archiving removes selected email messages off the mail server and stores them on the user's hard drive in .pst format. This option is usually voluntary though, and you may encounter some users who decide not to archive their email.

Another option is for you to configure your server to transfer all emails older than a certain date to a backup mail server to free up space on the primary mail server. If certain emails need to be retrieved, they can be restored to the mail server from backup storage.

Ultimately, the most reasonable solution to your storage space dilemma is to combine the deletion of unneeded emails and archival of required messages.

Accessing email

Storage and access are two sides of the same coin. It's difficult to address one without mentioning the other. Your users have to be able to retrieve their stored emails from the server to read and manipulate their messages. This isn't the same as a user's ability to check the server for new mail.

As mentioned previously, emails represent official company records, and there are times when it's vital for a user to locate and open a particular email that's already been read. You must have the ability to organize and control how stored emails are accessed, particularly in an important business transaction or in response to a subpoena or court order. Failing to do so can result in significant cost to your company. As the number of stored emails grows, they tend to get scattered around the mail server's hard drive, making locating a particular email difficult. Your method of email organization and retrieval is only as good as your storage method. Here are some options:

Using your mail server: The simplest solution, in one respect, is to store all company email on your mail server. The end users can access their email, regardless of age, and the information is searchable either by header or body content, making individual messages easy to locate. Although this may appear simple and easy, the drawback is that your server must always have adequate storage space. Even if users judiciously delete unneeded emails, this is not a very practical solution.

Using a backup server: Another solution is to back up the email server to another storage device, storing older messages there. Although this solves the storage problem on the primary mail server, it creates others. If you use tape media for backup and restore operations, for example, your end users lose the ability to easily search for a particular email. You might have to restore the entire contents of the tape on which the desired email is believed to be located to access it. Also, this method requires a significant amount of time to restore and access a particular email. If you need the information fast, this isn't a good solution.

Using an archive server: Instead of having emails archived as PST files on the user's hard drive, you can use a dedicated archive server for this purpose. If your users archive their emails onto their individual hard drives and you need to recover one email (for legal purposes, for example), you have to get it directly from the user's computer. This may not appear to be a problem, but it's compounded if you don't know which user has it. Perhaps you only know who the email was from, when it was received, or the subject. Also, what if the needed email was deleted after being archived onto the user's computer? Using an archive server allows you to keep all older emails in a single, searchable location for easy access, and allows the IT department rather than the end user to be in control of storage and retrieval. Remember, the emails belong to the company, not the individual user.

HP ProLiant Storage Servers support the use of third-party archiving software called DataArchiver, which is produced by CommVault. You can visit the HP ProLiant Storage Servers web page to learn more.

Practicing spam control

Outside of virus-infected attachments, spam is perhaps your biggest email-related problem. Spam has gone beyond the nuisance "junk mail" stage and developed into a full-blown intrusion. Unwanted email traffic reduces your bandwidth, needlessly clogs your mail server, and wastes the time of your staff and end users. Plus, if your mail server gets turned into a spam relay (described later in this section), you've got a real dilemma.

Preventing spam

There are a number of ways you can minimize or prevent the amount of spam your network receives. Here are the common methods:

Educate the end user: The first, best step is not a technical solution. You'll recall from Lesson 3 that part of your role is to create and implement network use policies for all end users. One policy should address under which conditions end users disclose their company email addresses. You can significantly reduce the amount of spam your mail server receives by restricting users from posting their email addresses on public websites. To facilitate this, encourage users to use a secondary or personal email address rather than their primary business email address when engaging in communications that aren't strictly business-related.

Filter spam at the mail server: You can use various software applications to filter email at the point it enters your system, routing any mail identified as spam to a separate destination. Usually, spam filters examine the header and body for any key words or terms that usually appear in spam mail. Because no spam filter is perfect, some spam will still get through. Also, some mail identified as spam may actually be legitimate mail. For this reason, don't configure your spam filter to automatically delete mail tagged as spam. You should review any mail marked as spam to make sure no legitimate mail has made it into the spam folder.

Filter spam at the client: You can also filter mail using the mail client on each individual PC in your organization. Filtering at the client rather than the server though can result in much more work for your IT staff, depending on how many computers you're responsible for. When it's reasonable to filter at the client level, you can use Microsoft Outlook's built-in spam filter feature, or install a third-party spam filtering program to accomplish the same purpose.

Create a black list: Some organizations keep lists of known spammers, and you can access one of these lists and use it to filter out any mail from them. This solution is best to employ on your mail server or a gateway device, such as a firewall, to prevent spam from entering your system. You can find an example of such lists at Email-policy.com.

Conduct reverse DNS lookups: This solution isn't quite as effective as it once was. In the past, spammers frequently used spoofed or invalid IP addresses that didn't match the domain name they were accessing. Using reverse DNS lookups, if your mail server received mail from an IP address that didn't match the domain name, the mail would be tagged as spam. However, spammers use spoofed IP addresses less frequently now. Also, this method can result in some false positives, marking legitimate mail as spam.

Create a policy whereby no user is ever allowed to respond to a piece of spam, especially by clicking a link that states it will be used to remove them from a spammer's mail list. This is a sure way for the spammer to confirm that the email address is valid. Once the spammer establishes this, the spammer can easily overload your mail server.

Preventing spam relaying

Keeping your mail server from being used as a spam mail relay is a critical job. An open relay is a mail server that, intentionally or otherwise, allows anyone to send email through it. Companies and organizations that don't have the technical expertise available can inadvertently allow their mail servers to become open relays, allowing spammers to take full advantage of the mail server.

A relay uses your bandwidth and degrades your server's performance. Plus, if you're identified (however falsely) as a spammer, you'll be added to a black list. That means that mail originating at your mail server will be identified as spam by at least some businesses, preventing or at least delaying email communications with your partners and customers and impeding commerce. Here are some strategies you can implement to protect your mail server:

Limit relaying: Restrict your mail server relay service to use only specific IP addresses or, even better, require authentication.

Change default passwords: Even if you require authentication, if your postmaster account's password is set at the default, it won't be long before a spammer figures it out and freely sends spam through your server. Change the default password, rename the account, or even disable it to prevent it from being used against you.

Keep up with security patches: Periodically, vulnerabilities are discovered in software, and spammers along with others can exploit those vulnerabilities and waltz right through your security. Make sure your mail server is patched with the latest updates.

Set time-out for failed SMTP commands: Spammers try to use invalid SMTP commands to gain control of mail servers. If you allow spammers to issue an unlimited number of commands, they may eventually compromise your server. Most mail server software has a feature that, when configured, drops the connection after a certain number of failed commands. You can also disable the use of particular commands that might be used by spammers.

Block known spammer IP addresses: This is the same concept as creating a black list. You can identify the IP addresses from which spam originates and block those addresses at your firewall. You may also consider blocking a range of addresses because spammers use numerous IP addresses within a single or multiple IP ranges.

Monitor your mail server: Periodically monitor traffic to and from your mail server using a packet sniffer, such as Snort or Ethereal. You can then determine if your server has been compromised or if an attempt is underway to turn it into a spam relay.

See Lesson 2 for more details about password security.

Network monitoring will be covered in Lesson 5.

Securing email

Securing your email system, in general, includes some of the same practices applied to preventing spam, and general network security practices described in Lesson 2. Some email-specific security issues and procedures are covered in the next section.

Email use policy

Wi-Fi security

Educating your end users and enforcing pertinent email rules and guidelines are essential to securing your mail system. Therefore, construct an email use policy as part of your network use policy that outlines the uses and misuses of the system. Include acceptable use policies, such as not opening email attachments and not replying to spam. Make sure users understand that the company owns and is responsible for maintaining emails, not the end user. Even though an email is addressed to a particular user, the company owns it. The user functions as an agent of the company and not as an autonomous entity. All emails sent and received using the company's network and mail server belong to the organization and are considered official documents.

Check out HP's wireless security guide which covers basic Wi-Fi concepts and terminology and discusses how important security issues are for proper deployment and use of this powerful and flexible networking technology. Practical Wi-Fi security -

Part of the appropriate use section should include the prohibition of including unprofessional language in company emails, including racist and sexist remarks, profanity, or any other offensive language. Also prohibit using company emails to circulate jokes, chain letters, or other similar material. Some users will undoubtedly balk at this rule; however, these kinds of unofficial emails can tax the network and use valuable storage space on your server. You should also prohibit users from using email for a personal business or other individual gain. As part of the policy, include a privacy and confidentiality clause stating that any information contained in organizational emails is privileged and belongs to the company. This includes trade secrets or any other information that, if released, would result in security being compromised and loss of profits.

How-to guide

Visit Email-policy.com for more information about writing email use policies.

Securing the mail server

Some of the methods you can use to protect your mail server are outlined in Lesson 2. However, they're worth repurposing for mail server security:

Enable virus and spyware protection software and keep their definitions up to date.

Keep all mail server security patches current to prevent a malicious person from exploiting a known vulnerability.

Configure your firewall to detect DDoS (distributed denial of service) attacks to prevent a hacker or cracker from bringing down your mail server.

Remove any interactive accounts from the mail server to prevent an outside agency from accessing them and thus the mail server.

Keep your mail server separate from other servers, such as a web server, file sharing server, and so on. In a small organization, sometimes it seems to make sense to use one physical server to provide multiple services to the network; however, if an intruder compromises some other service, they potentially have access to all the services running on the server.

Panda SendmailSecure is an ideal solution to protect your mail system from viruses, spam, and DDoS attacks, among other threats. It's effective on any Linux platform running on HP BladeSystem, Integrity, and ProLiant servers.

Remote access to email

Remote users, such as those who travel for business or telecommute, need to access their emails, but doing so adds another layer of server and network vulnerability. Ensure that email traffic is encrypted using the strongest form of encryption available and that both sending and receiving emails are encrypted. Limit who can connect to your mail server by requiring remote users to connect to the network using VPN. Require that valid email users have to authenticate to the network before accessing their emails.

Testing your email security methods

Test any security method you want to implement before rolling it out to the production environment. You can't afford to assume that your security system will work, no matter how well you think you've designed it. Testing methods were covered in Lesson 2 and include vulnerability scanning, penetration testing, virus detection, intrusion detection, and password cracking. You can also perform integrity checks on emails to make sure that a message you've received is the same one that was sent to you.

Moving on

In this lesson, you explored email management, covering mail storage and access issues, minimizing spam, and securing your mail server. In Lesson 5, you'll learn about monitoring and maintaining the network, including how to monitor network utilization, maintain network services, and control how software is installed.

Before moving on, complete the assignment and take the quiz for this lesson. Then, head over to the Message Board to share your experiences with your classmates and instructor.

Assignment #4

Lesson 4 refers to SEC Rule 17a-4, which outlines the requirements governing how any electronic messaging system is managed. To learn more about the details of Rule 17a-4, use a search engine to determine how this rule affects the position of a senior network administrator. Consider these questions:

1. Does this rule affect all businesses or only certain types?
2. How, in general, are emails to be stored?
3. Which facets of this rule are significant to your business?

Keep notes while reviewing information about SEC Rule 17a-4 and cite your source(s). Then, discuss your findings and questions with your classmates and instructor on the Message Board.

Quiz #4

Question 1: Which of the following are valid locations for storing archived mail? (Check all that apply.)
A) Mail server
B) Backup server
C) Archive server
D) PC's hard drive (as .pst files)

Question 2: Which of the following are effective ways to minimize or prevent the receipt of spam mail by your end users? (Check all that apply.)
A) Prohibit end users from replying to spam mail
B) Limit open relay on the mail server
C) Filter spam on the mail server
D) Filter spam on the client

Question 3: True or False: Using reverse DNS lookups is an effective way of detecting spam.
A) True
B) False

Question 4: Which of the following are problems that can plague a mail server? (Check all that apply.)
A) DDoS attacks
B) Viruses
C) Spyware
D) Exploitation of a known vulnerability

Monitoring and maintaining the network

It's inevitable that your network needs change and grow. In this lesson, you'll learn how to monitor your network, modify the infrastructure and keep a tight rein over how software is installed and updated on networked computers.

Monitoring network utilization

Network utilization monitoring involves network availability and the actual load during key periods. You need to have the proper monitoring tools, know how to use them, and know what to look for. What are acceptable utilization rates, and what are some of the indicators of network problems? Although the answers to these questions can be extensive, monitoring collisions and network-intensive traffic, such as broadcasts, multicasts, and unicasts, can indicate network utilization issues.

Collisions

A collision domain is a single LAN segment in which all network traffic interacts and where datagrams can potentially interfere with each other. This traffic is bounded by layer 2 devices such as switches and bridges. For example, all networked devices interconnected by a layer 1 hub exist within a single collision domain, whereas only two directly communicating devices connected through a layer 2 switch are in a collision domain. Traffic from any other devices connected through that switch isn't involved. Although the careful design and implementation of a switch fabric on your network can greatly reduce collision traffic, you can't completely eliminate collisions. Network administrators working on smaller networks with a limited operating budget or who must use legacy hardware may need to use hubs, which can increase the likelihood of collisions.

Hubs often come with built-in collision counters that enable you to monitor the number of collisions per unit of time. You can also configure other devices, such as firewalls, to measure collision rates on a network. What appears to be collision traffic though might be a broadcast storm issued by a device with a malfunctioning NIC, or the device may be measuring packet fragments. You can use switches to your advantage in the latter scenario by setting them to fragment-free. This prevents the switches from forwarding packet fragments from all ports -- which is normal operation for broadcast traffic -- thus reducing or eliminating these apparent collisions.

Broadcasts, multicast, and unicast traffic

Broadcast, multicast, and unicast traffic can interfere with normal bandwidth utilization on your network. Although broadcast and other "cast" traffic is normal and necessary on a network, too much traffic can have a detrimental effect. Ironically, while extensive use of switches on a network can control collision traffic, it can actually contribute to an excess of broadcast traffic because layer 2 switches pass all broadcasts through all their ports. Containing broadcast traffic begins in the design phase of your network, and planning the configuration of network segments in your infrastructure bounded by layer 3 routers limits broadcast traffic.

Numerous protocols, such as NetBIOS (Network Basic Input/Output System), ARP, SAP (Service Advertising Protocol), and RIP, send broadcasts. Excessive broadcast traffic reduces network bandwidth and wastes CPU cycles in all your networked devices because they have to process the broadcast datagrams they receive. To minimize this problem, you can use routers to bound broadcast domains, and set RMON or analyzer alarms to signal you when broadcasts exceed a certain rate per second.
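The alarm described above can be illustrated with the following Python example (added here, not part of the original lesson). It turns periodic readings of a broadcast packet counter into a per-second rate and raises an alarm using a rising and a falling threshold, the way RMON alarms do, so that a sustained storm produces one alert instead of one per sample. The counter readings, thresholds and function names are constructed for illustration, and a 32-bit counter is assumed.

```python
"""Added example: rising/falling alarm on a broadcast packet counter."""

COUNTER_MODULUS = 2 ** 32  # assumption: 32-bit counter that wraps to zero

# Constructed readings of a cumulative broadcast-packet counter, one every
# 10 seconds. The counter wraps between the 4th and 5th reading.
SAMPLES = [4294960000, 4294960300, 4294960700, 4294963200,
           4904, 6404, 6804, 7104, 10104]


def delta(previous, current):
    """Packets counted between two readings, correct across one wrap."""
    return (current - previous) % COUNTER_MODULUS


def rates(samples, interval_s):
    """Broadcasts per second for each sampling interval."""
    return [delta(a, b) / interval_s for a, b in zip(samples, samples[1:])]


def hysteresis_alarms(samples, interval_s, rising, falling):
    """Fire 'rising' once when the rate reaches `rising`, stay silent until
    the rate has dropped to `falling`, then fire 'falling' and re-arm."""
    events, armed = [], True
    for index, rate in enumerate(rates(samples, interval_s), start=1):
        if armed and rate >= rising:
            events.append((index, "rising", rate))
            armed = False
        elif not armed and rate <= falling:
            events.append((index, "falling", rate))
            armed = True
    return events


def plain_threshold(samples, interval_s, limit):
    """For contrast: one alert for every interval at or above the limit."""
    return [index
            for index, rate in enumerate(rates(samples, interval_s), start=1)
            if rate >= limit]


if __name__ == "__main__":
    print("rates (broadcasts/s):", rates(SAMPLES, 10))
    for index, kind, rate in hysteresis_alarms(SAMPLES, 10, 200, 50):
        print(f"reading {index}: {kind} alarm at {rate:.0f} broadcasts/s")
    print("plain threshold alerts at readings:",
          plain_threshold(SAMPLES, 10, 200))
```

Without the modulo in `delta`, the reading taken after the wrap would produce a negative rate and the busiest interval in the sample would go unreported.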

If you're running an IPv6 network, you also need to monitor anycast traffic.

Other network-intensive traffic

Although the previous examples are predictable and, to some degree, unavoidable effects of an Ethernet network, there are some forms of network traffic that reduce throughput and are completely avoidable. Peer-to-peer file sharing, for example, is a popular method of downloading music and other bandwidth-intensive files that can have a crippling effect on legitimate network use. The first step you should take to avoid this and similar misuses of the network is to create and implement an appropriate network use policy. As you learned in Lesson 3, requiring end users to agree to use the network only in the manner in which the organization deems consistent with business goals will help to reduce these problems. You should include a specific clause in the policy that forbids the use of any peer-to-peer file sharing software. Requiring users to sign a network use policy won't eliminate misuse; however, it's an effective way to reduce problems and provides a basis for disciplining willful offenders.

You can also close the ports that use this form of traffic, preventing peer-to-peer requests from accessing the internet. Simultaneously, you can monitor these requests and determine which IP address(es) they're coming from, allowing you to notify specific users that they're potentially violating policy.

There are legitimate forms of traffic that can also cause drains on available resources. Streaming video, audio, and video conferencing traffic can pose significant bandwidth availability issues. You don't always have control of the use or timing of these events because scheduling is usually controlled by other departments. For example, if the sales department manager scheduled a high-level video conference with four branch offices from 9:00 a.m. to 10:00 a.m. and the HR manager set up a webinar to begin at 9:30 a.m., the network will slow down greatly once the webinar begins. You can set a policy to have such bandwidth-intensive network use cleared through your department first, but be willing to work flexibly with key company decision makers, each of whom has their own priorities. If you can make the IT department a partner with the other departments rather than an "adversarial" gatekeeper, you'll have more success at eliciting cooperation in scheduling these activities.

Network monitoring best practices

What's the secret to network monitoring best practices? Modern network management relies increasingly on a real-time view of network utilization rather than sampling. This is largely due to increased network speeds plus the nature of rapidly changing shifts in network traffic types and loads. This involves both performance and application issues along all critical paths. If congestion occurs, you need to have the ability to respond quickly to an imminent or current issue rather than an event that's already occurred. You should also prioritize monitoring by mission-critical access and applications, which are usually defined by financial cost to the company should those services become limited or unavailable.

Best practices suggest setting in motion proactive methods such as bandwidth management or network provisioning to define predetermined limits to network use. You can use a protocol analyzer to establish a baseline for network traffic activity over time, and then measure times of low and high network usage. This will help you predict periods of potential congestion and develop an appropriate plan for managing traffic during those times. You can prioritize traffic based on IP address, protocol type, and service type, among others. This is usually accomplished by configuring routers and switches to queue traffic based on prioritizing packets relative to those qualities. You can also use third-party software to implement a QoS scheme that informs you of where traffic is originating and being sent to, and what kind of traffic it is. Then, you set policies to manage that traffic based on applications, users, groups, and other identifiers. QoS and similar methods were covered in Lesson 1.

Maintaining services on the network

Several services must be running and correctly functioning for a network to operate. These services include DNS, DHCP, WINS (assuming a Microsoft Windows environment), and RRAS. Naturally, many types of software applications are usually available on a LAN, but without the basic services just mentioned, your end users will not be able to access the applications or complete their work.


As with general network utilization and availability, maintaining basic network services is largely a matter of monitoring these services and issuing trouble tickets when something is reported to be amiss. Take a look at these services (in the next sections) one by one to get an idea of what it takes to maintain their health.

DNS


DNS is the method used to provide name resolution on networks. The service runs on a variety of NOS (network operating system) platforms including Unix, Linux, Windows, and NetWare. Usually, NOSs come with software or utilities, such as Windows DNS server performance counters, that help you monitor and test DNS services. You need to determine which DNS operations you want monitored and then set performance counters or SNMP traps to alert you when various performance factors cross significant thresholds. The primary measuring stick for DNS is the overall functioning of the service, which includes the number of queries and responses processed by the DNS server. Other elements you should monitor include:

The number of queries and responses by transport protocol using TCP and UDP (User Datagram Protocol) counters
Dynamic update and secure dynamic update counters, which measure client registration and update functions performed by network nodes
Recursive lookups
Zone transfers
Memory usage

Make sure you regularly review the DNS server logs. Also, because the service runs on server hardware, stay on top of basic hardware maintenance such as backups, disk defragmentation, and other hardware tasks. Even when the service and server are operating correctly, client computers can't use name resolution if they can't contact the DNS server. Maintaining reliable DNS services depends on maintaining general network operations.

In a Windows environment that includes a WINS server, you should also measure queries and responses (called records) made to the WINS server. Additionally, verify that the A record (address record) is associated with the correct IP address. WINS is discussed later in this section.

DHCP

DHCP simplifies the administration of IP address assignment to network nodes by assigning addresses dynamically on the network. On a medium-to-large network, the use of DHCP is mandatory. DHCP failure is costly because without dynamic address assignment, nodes can't communicate. As with a DNS server, you should monitor the overall health of the DHCP service, including system load and service utilization. Some of the elements you should monitor include:

Messages sent and received by the DHCP service
Amount of time messages take to be processed
Number of message packets dropped due to delays and timeouts

Types of DHCP message packets include discovers, offers, requests, informs, acks, nacks, declines, and releases. These are usually monitored by counters on a per-second basis and collected either by the counter or in the DHCP server logs.

You should also verify that network nodes are receiving dynamic address assignments and that the addressing is correct. Failure of a node to receive an address or any other configuration information -- such as addresses to the DNS servers, default gateway, and so on -- can indicate a problem with the DHCP server, an incorrectly configured node, or a network connection failure. As with DNS, reliable DHCP service is related to the general health of the network and server hardware.

Imagine the task of manually configuring 75 computers with IP addresses. It's much easier to monitor and troubleshoot a single DHCP server.

WINS

Although Microsoft Windows Server 2003 networks and domains are supposed to make exclusive use of DNS for name resolution, you might encounter some legacy equipment or applications that require a WINS server. WINS, like DNS, provides name resolution services on Windows networks, and many of the tasks involved in monitoring and maintaining this service are similar to those you use for DNS. You should monitor the following:

Name registration
Renewal and release counters
Server start time
Replication statistics
Extinction statistics

Review the Windows Event Viewer logs to keep track of all significant events involving the WINS service. You can also examine the WINS database mappings in the WINS console. WINS database entries represent a single computer, group, internet group, domain, or multihomed entry. You can also view the following:

The record name
Type of record
IP address associated with the mapping
Whether the record is active or released
Whether the record is statically or dynamically mapped
Record owner
Database version
Expiration date of the mapping

RRAS (Routing and Remote Access Service)

RRAS is a Windows service that allows remote connection to the main network over a public network using VPN tunnels with PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) for encryption. RRAS enables both remote client access and site-to-site access for secure connections between a branch and main office. You can manage and maintain RRAS using some basic tools, such as:

RRAS Admin: A utility that, although not an MMC (Microsoft Management Console), uses a similar interface, with nodes displayed as a tree structure in the left pane and details of a selected node displayed in the right pane

ROUTEMON: A command-line tool that allows you access to routing management

Netsh: A command-line utility on Microsoft Windows 2000 and Windows Server 2003 platforms that allows you to access the server's network configuration either remotely or locally

Other command-line tools you can use to monitor and troubleshoot RRAS are probably quite familiar to you, such as Arp, Hostname, Nbtstat, Netstat, Pathping, Route, and Tracert. You also need to configure and monitor encryption, authentication, routing remote access, and multilink traffic. Without access to RRAS, VPN, and RADIUS, remote users or remote sites can't establish a secure link over public telco (telecommunications) lines.

Controlling software installation and updates

All types of software periodically require security patches and hotfixes; however, it's not a good practice to install all software updates the moment they become available, especially in a production environment. Best practice suggests that, if possible, you maintain a small test network and install all new software and software updates on that network first. You then observe the results and determine if the new software or update caused a problem. After you're satisfied that the new or updated software functions properly, you may implement it in your production environment. Each major NOS comes with a variety of software management tools.

Microsoft

Windows servers come with several different tools designed for patch management and software distribution. These utilities enable you to assess, test, implement, and review patches and other software installations consistently, which allows you to control how and when your systems are updated. These utilities include the following:

Microsoft SUS (Software Update Services): This service enables you to update your operating systems in a secure and controlled environment but doesn't provide a comprehensive solution package. With SUS, you can access and download any updates or service packs available on Microsoft's update website. After you select and approve the packages, SUS deploys them to preconfigured servers and workstations. SUS works for deploying critical and security updates and service packs -- you must update and manage application software using a different process, such as SMS.

Microsoft SMS (Systems Management Server) 2003: SMS provides a greater degree of control than SUS, enabling you to assess, identify, evaluate, plan, and deploy software updates providing guidance and automation tools to help in establishing the process for software management. Machines exist in SMS "managed space," which allows only those machines to be affected by the updates. SMS can also locate and identify those unmanaged machines on the network running server platforms so that you can plan to include them as managed devices. Platforms supported by SMS for management include Microsoft SQL Server 2000, Microsoft Virtual Server 2005, and Microsoft Virtual PC 2004. Additionally, Microsoft Office 2000/XP/2003 are also supported and managed under SMS.

Novell

Novell offers ZENworks Linux Management to optimize software deployment in environments up to enterprise-class. ZENworks supports Novell's relatively newly released SUSE Linux Enterprise Server 9, providing fine control and scheduling of software updates as well as dependency analysis and conflict resolution. You can access ZENworks Linux Management from a web interface or via the command-line, and control updates and software distribution to different groups of machines from a centralized location. You can use ZENworks with the YaST administration utility, which manages operating systems elements, network services, and third-party application solutions. An alternative to the YaST graphical package management tool is y2pmsh. y2pmsh is not installed in SUSE by default; however, you can add it using YaST. Like any package manager, y2pmsh installs, uninstalls, and upgrades RPM (RPM Package Manager) packages, but you can also use it to create packages as well.

Learn more about y2pmsh at Linux.com.

Red Hat Linux

The other major Linux vendor in the commercial market is Red Hat. Red Hat Enterprise Linux 4 uses the Package Management Tool in the X Window System to control the installation of software packages on its platforms. Packages are organized as collections of packages, which you can install as a single entity (automatically) or specific portions (manually).

You can also control package management with RPM via the command-line. RPM uses short commands to install, uninstall, and upgrade RPM packages, keeping a database of all installed packages. You can use RPM to upgrade individual components without having to reinstall the entire package. RPM also comes with querying options that enable you to discover which package file belongs where and where it originated. You can also verify the validity of a software package and access software sources as distributed by the original authors.

As you can see, software management is highly dependent on the operating system platform you're using in your network infrastructure. If you work in a mixed (heterogeneous) operating system environment, you might find it unwieldy to use different tools native to each class of operating system to manage network functions. In that case, consider migrating to one system to take advantage of a centralized management system, or use third-party software that enables you to use a common management tool for a mixed operating system environment.

Centeris produces a software package that enables you to manage Windows and Linux servers from a familiar MMC-like interface.

Moving on

In this lesson, you learned about network utilization monitoring, vital network services, and methods for managing software and update deployments. In Lesson 6, you'll find out how to recover from a disaster using backup and restore procedures -- from laying the foundation for a backup, to optimizing backup performance, to testing your recovery plan.

Before moving on, complete the assignment and take the quiz for this lesson. Stop by the Message Board to discuss topics in this lesson with your classmates and instructor.

Assignment #5

Select a package manager you're interested in and research it on the web. Determine the advantages and disadvantages of your chosen package manager. Cite your sources and be prepared to share your findings on the Message Board. Here are some sources you might find helpful:

Patch Management using SUS
Patch Management using SMS 2003
Novell ZENworks 6.6 Linux Management
Package Management using SUSE's y2pmsh
Red Hat's Package Management Tool

Quiz #5

Question 1: To prevent a switch from passing apparent broadcast traffic that mimics collisions through all of its ports, which switch setting should you use?
A) Cut-through
B) Store and forward
C) Fragment-free
D) Packet switching

Question 2: Which service reports name registration, renewal, and release as well as replication and extinction statistics?
A) DNS
B) DHCP
C) WINS
D) RRAS

Question 3: Which utilities can you use to monitor RRAS? (Check all that apply.)
A) ROUTEMON
B) Telnet
C) RRAS Admin
D) Netsh

Question 4: True or False: RPM is a graphical tool used in the X Window System in Red Hat.
A) True
B) False

Recovering from disaster with backup and restore

The best way to recover from a disaster is to be prepared before it happens. In this lesson, you'll learn how to create a recovery plan that'll have your network up and running as quickly as possible after a disaster strikes.

Laying the foundation for backups

No course in network administration best practices would be complete without a discussion of the backup and restore system. Accidents and disasters will happen periodically, and you're responsible for ensuring that your network is ready when they occur. You can read a newspaper or watch TV on any given day to learn about the latest natural disaster, incident of data theft, or some other problem that could affect your network. Planning for problems and setting a backup and restore plan into motion is part of a network administrator's responsibilities. In the next section, you'll look into what it takes to lay a foundation for a backup plan.


Backing up user data

The foundation for an effective backup strategy begins with centralized storage. You must be sure that all critical business data is being stored on a centralized server rather than on local PC hard drives. In a small office environment, you might be tempted to install individual tape devices on PCs and direct end users or power users to conduct daily backups. Unfortunately, this places the responsibility on the user rather than the IT department, and you may not get 100 percent compliance. Without complete assurance that all business data is being backed up, you may have holes in your backup strategy and thus your recovery policy. In the event of a disaster, some critical data could be lost forever, impacting the company's ability to do business and maintain profitability. In a Windows Active Directory environment, you can rely on a centralized backup solution for client data by setting Active Directory group policies to redirect data from local storage on the PC to your centralized server. This requires no intervention by the user and is a transparent process. You can redirect your end users' My Documents folder to a folder on the central server, ensuring that all user data is backed up when the server is backed up. Mobile users can use the Offline Files feature in Microsoft Windows 2000 and Windows XP Professional to cache a copy of the network file on their hard drives that is automatically uploaded to the network share once the user connects to the network.


Preserving network availability during backups

Generally, backups require a significant amount of bandwidth, somewhat inhibiting other forms of network traffic. This is one of the main reasons why backups are scheduled during off hours when few or no users are accessing the network. A common problem is that, as business needs increase, in a multi-shift environment or in a company that has international customers in different time zones, the window of availability for backups shrinks. One solution is to create an isolated network used just for backups. The drawback is the expense involved in implementing a separate network segment just for this purpose, but it leaves the rest of the LAN relatively unaffected.

You could multihome your servers so that each has a second NIC used to connect to the backup network. You could also conduct incremental backups, which take less time than a differential, but the trade-off is that the restore process takes longer. It may also be possible to combine incremental backups with multistreaming and backing up to multiple tapes simultaneously, to reduce the amount of time backups are conducted.
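The trade-off between incremental and differential backups can be worked through with the following Python example (added here, not part of the original lesson). For a one-week cycle with a full backup on day 0, it computes how much is written each night, which backup sets a restore needs, and how far back you fall if one set turns out to be unreadable. The sizes and function names are constructed, and each day's changes are assumed to touch different files.

```python
"""Added example: nightly size and restore chain, incremental vs differential."""

FULL_GB = 200                        # constructed: size of the day-0 full backup
CHANGED_GB = [0, 4, 6, 3, 8, 5, 2]   # constructed: new data per day, days 0..6
KINDS = ("incremental", "differential")


def _check(kind):
    if kind not in KINDS:
        raise ValueError(f"kind must be one of {KINDS}")


def nightly_gb(kind, full_gb=FULL_GB, changed_gb=CHANGED_GB):
    """Amount written each night. An incremental holds changes since the
    previous backup; a differential holds all changes since the full."""
    _check(kind)
    sizes, since_full = [full_gb], 0
    for changed in changed_gb[1:]:
        since_full += changed
        sizes.append(changed if kind == "incremental" else since_full)
    return sizes


def restore_plan(kind, target_day, unreadable=frozenset()):
    """Return (backup sets to load in order, day actually recovered)."""
    _check(kind)
    if 0 in unreadable:
        return [], None               # nothing restores without the full
    if kind == "incremental":
        sets = [0]
        for day in range(1, target_day + 1):
            if day in unreadable:
                break                 # every later incremental depends on it
            sets.append(day)
        return sets, sets[-1]
    for day in range(target_day, 0, -1):
        if day not in unreadable:
            return [0, day], day      # full plus the newest good differential
    return [0], 0


def restore_gb(kind, target_day, unreadable=frozenset()):
    """Total data read back for the plan above."""
    sets, _ = restore_plan(kind, target_day, unreadable)
    sizes = nightly_gb(kind)
    return sum(sizes[day] for day in sets)


if __name__ == "__main__":
    for kind in KINDS:
        print(kind, "nightly GB:", nightly_gb(kind),
              "week total:", sum(nightly_gb(kind)))
        print("  restore to day 5:", restore_plan(kind, 5))
        print("  same, day-3 set unreadable:", restore_plan(kind, 5, {3}))
```

With these figures a day-5 restore reads the same 226 GB either way, but the incremental scheme loads six sets instead of two, and a single bad set on day 3 limits recovery to day 2.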

Selecting backup media

Although tape is the traditional backup media, smaller businesses have made successful use of optical (CD and DVD) media. For cost savings, you may want to use the backup method you're currently equipped to implement. If you're stepping into the administrator role on an existing network infrastructure, chances are that tape backups are currently in use. You don't have to "reinvent the wheel" if this system is working well. However, you can use optical recordings to perform the same function. You could also mix media, using tapes for full backups while employing CDs or DVDs for incremental backups. Tapes and discs are easily transported offsite to a safe storage location, so there's no true barrier to implementing such a plan.

Using a single backup program strategy

Another foundational piece to the puzzle is ensuring that you use a single program to perform backup functions across all hardware platforms -- servers, desktops, and laptops -- as well as application and database data. This program should also be able to adapt mobile backup functions, disaster recovery planning, data archiving, and multiple backup methods. Select a program that you can access over the internet using a web interface for ease of use; this enables you to use a single software program to manage backup and restore operations across multiple hardware and software platforms on your entire network infrastructure. You can manage these operations onsite or remotely to gain quick access and control of backup operations and handle emergencies anywhere they arise.

Instituting a compliance plan

HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley legislation place additional requirements on how data is stored, especially in the long term. (Visit the websites for more information.) The burden falls on you and your legal department to develop a data storage and backup policy that complies with all relevant and current laws. If your data storage methods are out of compliance, an audit could result in substantial fines brought against your company. Make sure your plan is in compliance, and when you make changes to this system, verify that changes have not adversely affected how data storage is properly and legally managed.

Delegate responsibility

Someone on your staff must be responsible for managing the backup and restore system at all times. Although the business of backups may seem routine, you must be sure that someone is tending the system. If the responsible party is ill or on vacation, make sure that a substitute person is always in place to attend to such mundane tasks as changing tapes and cycling tapes, and more importantly, emergency restore functions.

An IT department is a busy place, and a lack of organization and planning can result in details being overlooked. This is one area that you must not allow to be neglected. Also, a disaster or incident can occur at any time, not just during business hours. An IT staff member should always be on call if a problem arises in the middle of the night or on the weekend. Such occurrences should be rare, but when they happen, you should always have someone available to respond to a crisis.

Optimizing backup performance

Once you've established the foundation for your backup and restore plan, there are still a number of tasks you can perform to optimize backup performance. Even if, initially, your system performs at peak level, it's unlikely that it will stay that way. System performance tends to degrade over time, and your backup system requires general maintenance and troubleshooting. In the next section, you'll take a look at some of the ways you can optimize performance.

Backup and recovery software

HP offers backup software that delivers new levels of recovery in a service-driven management approach: HP StorageWorks Data Protector Express software.

Leveraging current infrastructure

There's a tendency to over-buy equipment and material for a backup plan, usually based on the desire to "do it right" and avoid being under equipped. This doesn't mean that you'll never buy more than the projected storage capacity; however, you can use what you already have more effectively, as follows:

- Use load balancing between your current backup servers to manage resources and measure backup server throughput to monitor performance.
- Although redundancy can be a good thing in terms of fault tolerance, sometimes, a poorly designed system can result in undesirable and unintended redundancy. Analyze your current system and eliminate any redundancy that doesn't fulfill your desired purpose.
- Adjust your system if backups are running too slowly across the network. Even under ideal circumstances, you have a backup window to stay within, and timing is crucial.

Meeting future challenges

As previously mentioned, no matter how well you optimize your system, eventually, your needs grow. Budget for projected needs by purchasing additional capacity that matches your projected growth rather than reacting in crisis mode when you realize you don't have sufficient ability to back up all of your data. This requires you to stay on top of backup trends and data sources on the network. Databases have a habit of growing with amazing speed and, if insufficiently monitored, can consume storage capacity at an alarming rate. On the other hand, it's prudent to monitor end users' data storage allotment. If you are against enforcing quotas on user data storage, users may end up saving unnecessary data or non-business-related data. (For example, a collection of MP3s containing the top pop charts of the last 15 years usually takes up a lot of storage space, and has nothing to do with the company's business plan.) It may be that you need to limit how storage is used rather than increase capacity. Learn to know the difference.

Keeping ahead of the curve isn't just a matter of periodically increasing your storage capacity by adding more hard drives or additional backup servers. Your network infrastructure must also be able to manage the load. If you added 150 new users to the main office recently and your branch offices are also growing, you need to supply network backups with sufficient bandwidth so that all of the data can reach the backup servers and be stored in a timely fashion. Even when backing up in off-peak hours, you are still trying to hit a narrow window and have only so many hours to conduct the backup. There are other maintenance tasks that have to be done at the same time as backups, so you can't depend on 100 percent processing power and network availability dedicated to the backup. Upgrade your hardware and network infrastructure as needed to provide sufficient ability to back up the growing amount of business data.

Securing data backup and storage

It's possible for your data to be at risk of interception and theft during the backup process and while in storage. This is especially true if you back up across public lines, such as when backing up a branch office server to a backup server at the main office. Security is a two-part process because, in the backup system, data is either directly being backed up across the network or is in storage. To protect data in transit, your best method is using IPSec (Internet Protocol Security) over a VPN tunnel. Even if the data is intercepted, it's encrypted and unable to be read. Encrypting data in storage protects it if your storage medium is compromised. This can occur either on the hard drive of a backup server or if your portable backup media should fall into the wrong hands.

Even if you take these precautions, if you suspect that your data has been compromised, report the incident to law enforcement as well as the appropriate business managers and your legal department. (Lesson 2 covered network security.) To keep your backup media as safe as possible, keep your portable storage in a tape vault or some other secure location. Smaller businesses with limited budgets can use a safety deposit box or offsite safe. The location must be readily accessible to authorized staff should the media be needed for a recovery procedure.

Storage media management

Managing your backup tapes is more than just switching them out and making sure they're properly stored. There are a number of Layer 1 issues that come with using storage media repeatedly over long periods of time, such as:

- Tapes and tape drive heads can become dirty or damaged: This can result in errors being introduced to your backed up data, impairing your ability to perform a complete and accurate restore. Worse, it could result in garbage being written to your storage media instead of data, resulting in the loss of everything. Not only do tapes get dirty, but they can also become creased or otherwise damaged, resulting in lost data.
- Tapes wear out: Pay attention to the manufacturer's recommendations. If the tape is rated for 1,000 recordings, don't stretch it. The risk of losing your data is too great. Buy new tapes and retire older media securely, making sure they're stored in a locked safe or destroyed. (You don't want someone else getting their hands on your backup tapes and reading them just because you threw them in the nearest dumpster.)
- CDs or DVDs degrade: Repeatedly handling and recording to discs can result in scratches, which damage the data recording process. Accidentally touching the surface of the disc can introduce body oils from your fingertips that interfere with writing and reading of data.

Clean your recording drives and media regularly, and as they become worn, replace them. It's less expensive than discovering you can't restore your data when you need to.

If you intend to keep some backed up data long term, make two copies, in case one becomes lost or damaged. If the data is important enough to keep for a long time, it's important to ensure that it'll be around when you need it. If you have data stored long-term on outmoded or obsolete media, transfer the data to a more modern storage method. In a small to medium-sized business environment, it's unlikely that you'll implement a SAN or NAS storage solution, so those options are beyond the scope of this lesson. Read more about SAN and NAS on the HP Servers and storage expertise center.

RAID is no substitute for backups

This isn't a foolproof method of optimizing backups; however, it's important to implement fault tolerance on your network, which isn't the same as a backup and recovery process. Whereas RAID 0, 1, and 5 may afford you some measure of protection in terms of redundancy and data protection, in the event of a catastrophic loss of data due to a hardware failure, RAID can't take the place of a set of backup tapes stored in a secure location and ready for use. Don't take shortcuts and don't make assumptions.

Testing your recovery plan

Now that you've laid the foundation of your backup plan and optimized it to your needs, you still need to know if it actually works. Waiting until a disaster strikes to test the plan is inviting more problems than you ever want to have.

Set up a regular schedule to test your recovery system and determine whether it actually works before a disaster strikes. Also, remember that you're not just testing whether the system works but how quickly it works. How long can your business afford to remain offline without access to critical data? Chances are, not very long. Your system must work and as quickly as possible so that, in a crisis, you can recover and have the business running with a minimal loss of time and productivity.

Testing the team

When discussing how to establish a foundation for backups, you looked at the subject of delegating responsibility. This involves not just assigning someone the tasks of changing and storing tapes but also delegating the task of performing a recovery in the event of a disaster.

Depending on the size of your firm, that task could fall to a single individual or to a team. Even in a small company, you may decide that most or all of the IT staff should become involved in the recovery process, depending on the scope of the emergency, to get your servers and the company back up and running as quickly as possible. When you test the team, you're testing how well it implements the recovery plan and how the members of the team mesh in their tasks. If one team member has successfully corrected the hardware fault, does she have to wait for the tapes to be made available to initiate the recovery? If the tapes and the servers are ready, is there a delay in restoring the correct configuration files to the local switch? Testing the team is like running a fire drill. You not only find out how well they work together, but also where the faults and gaps are in performance and, to some degree, the plan itself. And, after you've gathered your data and found where you can make improvements, you should amend the plan and run your drill again.

Developing the test plan

While backup and restore tends to focus on network servers, in fact, in a disaster, multiple parts of your network infrastructure can fail or at least be impaired. It's not always a damaged hard drive that causes the problem. What about a malfunctioning router or broken network conduit? Your recovery plan should take into account all of the different aspects of the overall system and how to respond when faults occur. The first part of testing the plan is developing the plan. You go into problem solving mode right when you create your recovery plan, trying to anticipate everything that could possibly go wrong. Out of that, you develop different areas of the plan. Depending on the scope of the disaster (and you should always plan for the worst-case scenario), you may have a computer recovery plan to address issues of restoring workstation and laptop functions.

On the other hand, the systems recovery plan should address server faults and the network recovery plan should focus on bringing up internetworking devices, such as routers and switches after a disaster. You'll likely have an overall disaster management plan that oversees all of the other aspects of recovery and a communications plan that coordinates how different organizations are contacted, such as law enforcement, company management, and Hazmat and FEMA if necessary. These different parts of the plan can easily map to different teams in a larger organization. In a small to medium-sized business, you might have one staff person wearing multiple hats with the entire IT staff representing a dozen different functions. As your network changes and grows, so must your plan. Build in periodic reviews of your backup and recovery plan to keep it current.

Running test levels

Because you can face different types of disasters, you should run different types of tests. One of the most common tests is restoring data from tape in the event of a data loss. Any test you run must be conducted in off-peak hours when few or no end users are on the system. Planning for the occasional weekend testing "party" is a small price to pay for the relative security of knowing your recovery plan works. Beyond restoring data to a server, you can also introduce issues to different parts of your system and see how quickly those issues are addressed. Depending on how extensive you want to be, you can announce where the problem lies or allow your staff to attempt a diagnosis based on certain symptoms you announce.

Make sure that everyone knows their role ahead of time so that they participate efficiently in testing the recovery plan. Also, although backups are conducted every day, recovery operations are (ideally) rarely performed, so make sure your staff is familiar with how to perform a server recovery and with any and all equipment. In a total disaster, most of your infrastructure will be unavailable, and every aspect of your network must be examined. Be prepared to quickly perform a damage assessment and determine the scope of the recovery effort.

You can't simulate a hurricane, tornado, or earthquake; however, you can create circumstances that test at least the most basic or common recovery tasks your team should be familiar with in the event of a major problem. The recovery you actually put into practice will likely involve some form of data loss or systems malfunction and not a major catastrophe. In fact, the most common reason for conducting a data recovery operation is when a user accidentally erases or damages a file or the contents of a folder. Other similar circumstances might be a junior administrator inadvertently deleting the engineering organizational unit and all the members therein. Also, it's impractical to test every tape you create. Use a random sampling of tapes periodically to make sure they're readable and that data is properly restored.
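The periodic sample check described above can be scripted. The following is an added illustration, not part of the original lesson: it picks backup sets at random, reads every file back, compares each against a SHA-256 manifest recorded at backup time, and flags sets that take too long to read. The in-memory tar archives, the `catalog` layout and all function names are assumptions standing in for your real media and backup software.

```python
import hashlib
import io
import random
import tarfile
import time


def make_backup(files):
    """Constructed stand-in for one backup set: (tar bytes, SHA-256 manifest)."""
    buf, manifest = io.BytesIO(), {}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def verify_backup(tar_bytes, manifest):
    """Read every file back and compare it with the manifest; return problems."""
    problems, seen = [], set()
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                seen.add(member.name)
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                if member.name not in manifest:
                    problems.append(("unexpected", member.name))
                elif digest != manifest[member.name]:
                    problems.append(("corrupt", member.name))
    except (tarfile.TarError, OSError) as exc:
        problems.append(("unreadable", str(exc)))
    problems += [("missing", n) for n in sorted(set(manifest) - seen)]
    return problems


def sample_and_verify(catalog, sample_size, max_seconds, rng=None):
    """Check a random sample of backup sets for integrity and read-back time."""
    rng = rng or random.SystemRandom()
    report = {}
    for label in rng.sample(sorted(catalog), min(sample_size, len(catalog))):
        tar_bytes, manifest = catalog[label]
        start = time.monotonic()
        problems = verify_backup(tar_bytes, manifest)
        elapsed = time.monotonic() - start
        if elapsed > max_seconds:
            problems.append(("too_slow", f"{elapsed:.1f}s"))
        report[label] = problems
    return report


if __name__ == "__main__":
    good, manifest = make_backup({"ledger.csv": b"acct,amount\n1001,250.00\n"})
    damaged = good.replace(b"250.00", b"950.00")  # simulated media error
    catalog = {"tape-01": (good, manifest), "tape-02": (damaged, manifest)}
    print(sample_and_verify(catalog, sample_size=2, max_seconds=60))
```

Keep the manifest somewhere other than the media it describes, so that damage to a tape or disc cannot also alter the record it is checked against.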

Moving on

In this lesson, you learned how to create and test a data backup plan, and how to recover data.

Before moving on, complete the assignment and take the quiz for this lesson. Drop by the Message Board to exchange any final questions and comments with your classmates and instructor. The best to you in your role as senior IT administrator!

Assignment #6

Read the Network backup - disk-to-disk or tape emulation? article in Techworld. Notice that the author favors tape emulation as a superior solution. After reading the article, write a brief report that describes why tape emulation may be the better option.

Quiz #6

Question 1: What are some common elements of a backup plan? (Check all that apply.)
C) Selecting a homogenous backup media scheme such as tape or optical disc or using a heterogeneous scheme by mixing the two
Increasing the speed of backups to optimize network availability
Redirecting user My Documents folders to a directory on a central server
Using multiple types of backup software to manage multiple types of hardware platforms and data types

Question 2: Which are appropriate methods to ensure staff is assigned to monitor backup and restore operations? (Check all that apply.)
A) Rotate responsibility among the IT staff so that everyone shares in these tasks, including being on call in the event of a crisis
B) Assigning a single staff person who's responsible for monitoring backup and restore operations but having other staff positioned to take over if the primary person becomes ill or is on vacation
C) Having the senior administrator take sole responsibility for backup and restore operations because it's too important a function to be left to junior staff
D) Assigning a backup and recovery team that rotates monitoring responsibilities among themselves and, in a crisis, works together to restore the network

Question 3: What can you do to optimize backup performance? (Check all that apply.)
B) Set quotas for the amount of data end users are allowed to store on network servers and issue notices to them when they're nearing their personal capacity
C) Secure data on portable media by making sure it's encrypted, and then keep it in a tape vault in your locked office
Use IPSec to encrypt data as it's backed up across the network
Buy additional storage capacity well ahead of time to accommodate for future growth

Question 4: What kinds of teams should you create to respond to a disaster on the network? (Check all that apply.)
Network recovery team
Communications team
Systems recovery team
Computer recovery team

Question 5: What's the single most common reason for conducting a data recovery operation?
A) Accidental deletion of data
B) Server hard drive crash
C) Power failure
D) Natural disaster

2003 - 2007 Powered, Inc.
