CompTIA Network+ N10-008 – Module 15 – Monitoring and Analyzing Networks Part 2
March 4, 2023

4. 15.3 Remote Access Methods

Sometimes when we’re trying to do administration on a network device, like a router or switch, or maybe trying to get into a remote server, or even access a remote client that’s running a piece of application software that we need access to, oftentimes we’re not physically present at those devices, so we would like to access those remotely. That’s what we’re going to be considering in this video: some different ways of doing remote access, maybe across the Internet, to get into some of these remote devices. Let’s imagine that in this topology on screen, we’re sitting at Client One, and we want to go over to that remote site where we have R2, and SW2 is our switch. We’ve got a client, we’ve got a server there, and if we just send traffic over the Internet, that’s not going to be very secure because the Internet is an untrusted network.

There’s a lot of malicious stuff going on, on the Internet. How can we protect our traffic? One option is to use a VPN, a virtual private network, that’s going to create a virtual tunnel over the Internet. And we can encrypt traffic flowing over that tunnel. And this tunnel I’m showing you on screen is labeled as a site-to-site VPN. That’s where the routers are originating and terminating the sides of this VPN tunnel. They’re handling all of the encryption and the decryption. It’s transparent to the clients. But sometimes we might not just be at a remote office, we might be in our home, or maybe at a conference in a hotel room. We could still have a secure connection coming into a site using a VPN. Let’s say that Client One wants to go over to that site on the right side of the screen.

We can set up a VPN tunnel using client software on Client One. That’s called a client-to-site VPN, also known as a remote access VPN. And let’s think about some of the different protocols that we might be using to protect traffic flowing across that VPN. One that might be top of mind is IPsec, which is short for Internet Protocol Security, but we typically just call it IPsec. That’s going to give us all sorts of security features such as encryption, authentication, and anti-replay. It’s a very robust set of security protocols. However, that might require a bit of configuration on routers if we do a site-to-site VPN. It might require that we pay an annual fee to have client software on our clients that support IPsec. So another option might be to use something like SSL or TLS. You see a web browser on a client, it has security built into it without any sort of extra VPN client software.

In fact, we could run something like SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Probably today we’re going to be using TLS, that’s built on top of SSL. TLS is considered to be quite a bit more secure than SSL, but TLS does get its origin from, and it relies on the underpinnings of, SSL. There’s another flavor of TLS I want you to know about. It’s called Datagram Transport Layer Security, or DTLS. This can give us a little more efficient throughput for some types of applications, and as the name suggests, it’s using TLS to provide its security. Those are some of the different ways of communicating across a virtual private network to a remote site.

However, sometimes we don’t want to just have access to a remote network. Maybe I’m Client One and I’m working from home and I want to get to my office computer, the client over on the right side of the screen, and I need to control software on that computer, not just have a copy of it on my local home computer. I need it to seem like I’m sitting there at that client back in my office. Or maybe I’m doing some remote desktop support for somebody and I actually need to control their computer. Let’s take a look at a couple of options for doing that. Let’s say there’s something on the client on the right, and we want to be able to control it from Client One on the left. Here are a couple of protocols we might use. One is RDP, the Remote Desktop Protocol. Another one is VNC, which stands for Virtual Network Computing.

But maybe instead of controlling another computer at a remote site, we’re trying to pull down web pages from a server. Maybe it’s an intranet server within our corporation, or maybe it’s an Internet server. But if we’re accessing a web server, be it intranet or Internet based, we’ve got a couple of protocols we could use: HTTP and HTTPS.

But from a security perspective, we’re not big fans of HTTP because it’s not secure. If you have the option, you should probably use HTTPS. In fact, when Google is doing its page rankings, it’s actually considering whether or not a URL is HTTP or HTTPS. And of course, Google is going to give preference to a URL that is secure. And aside from web browsing, let’s say that we want to do file transfer. Let’s imagine the server on screen has files that we want to download. One option for doing that is to use FTP, the File Transfer Protocol. But notice I have an X next to that, because it’s not secure. There are a couple of secure flavors of FTP, though, that I want you to know about.

There is FTPS and there is SFTP. What’s the difference? Both of them are secure, but FTPS is using SSL, or more likely, TLS for its encryption, while SFTP is using SSH (Secure Shell). And another file transfer protocol is TFTP, the Trivial File Transfer Protocol. And notice I’ve got an X next to that one as well, because like FTP, it is not secure. In fact, I guess we could say that TFTP is even less secure than FTP, because with FTP, you’re typically at least providing username and password credentials, unless you’re doing anonymous FTP, but oftentimes you are providing username and password credentials. You’re not even doing that with TFTP. Another way of remotely accessing a device like the server on screen is to use out-of-band management. That means we’re not going to be going over our network. Instead, maybe we’re using the PSTN, the public switched telephone network, and coming in via perhaps a modem. Or let’s say that we’re sitting on the client on the left, and we want to access that local router, router R1.

We have a couple of options for how we can access the command line interface on router R1. We might consider using either Telnet or SSH (Secure Shell). But Telnet is not recommended because it is not secure. It transmits data in clear text. SSH, that’s going to give us encryption. And another way to try to enhance security for people trying to access the command line interface on R1 is to not make it available over the network at all. Via Telnet, via Secure Shell, via a web browser, we cannot access it remotely for management purposes, perhaps. In that case, how do we manage it? Well, we could be physically located at the router, and we could use a terminal emulation program on that PC and connect it directly into the console port on that router. And that’s a look at a few different ways that we can remotely access network devices.
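As an added example (not part of the lesson), the secure-versus-insecure pairs above can be turned into a check over a device service inventory. The inventory lines, host names and the mapping to well-known default ports are assumptions made for the illustration; a service moved to a non-default port would not be recognized.

```python
from collections import defaultdict

# (port, transport) -> (service, encrypted?, secure alternative named in the lesson)
SERVICES = {
    (21, "tcp"): ("FTP", False, "FTPS or SFTP"),
    (22, "tcp"): ("SSH/SFTP", True, None),
    (23, "tcp"): ("Telnet", False, "SSH"),
    (69, "udp"): ("TFTP", False, "FTPS or SFTP"),
    (80, "tcp"): ("HTTP", False, "HTTPS"),
    (443, "tcp"): ("HTTPS", True, None),
    (990, "tcp"): ("FTPS", True, None),
}

# Constructed sample inventory: one "host port/transport" entry per line.
SAMPLE_INVENTORY = """\
r1   23/tcp
r1   22/tcp
sw2  22/tcp
srv1 21/tcp   # legacy file drop
srv1 69/udp
srv1 443/tcp
srv1 8443/tcp
"""

def parse_inventory(text):
    """Yield (host, port, transport); blank lines and # comments are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            host, spec = line.split()
            port, transport = spec.split("/")
            yield host, int(port), transport.lower()

def audit(text):
    """Return (cleartext, unclassified) findings, each keyed by host."""
    cleartext, unclassified = defaultdict(list), defaultdict(list)
    for host, port, transport in parse_inventory(text):
        entry = SERVICES.get((port, transport))
        if entry is None:
            unclassified[host].append(f"{port}/{transport}")
        elif not entry[1]:
            cleartext[host].append((entry[0], entry[2]))
    return dict(cleartext), dict(unclassified)

if __name__ == "__main__":
    cleartext, unclassified = audit(SAMPLE_INVENTORY)
    for host, items in cleartext.items():
        print(host, "cleartext:", items)
    print("needs manual review:", unclassified)
```

Note that r1 is flagged even though SSH is also enabled: leaving Telnet on alongside SSH still exposes the cleartext path.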

5. 15.4 Environment Monitoring

In addition to monitoring network components like servers, routers, and switches, we also need to think about monitoring the environment in which those devices reside. For example, those electrical components, they’re designed to work within certain environmental limits. For example, the temperature and the humidity, that should be within a certain range. So we should have some sort of a device that’s going to be monitoring the temperature and the humidity in the equipment room. I’ve experienced this multiple times where an air conditioner will go out, maybe in an equipment room, and without air conditioning, if you have a lot of equipment in that room, that room is going to heat up very quickly.

And I remember trying to create ventilation while we waited for the AC repair people. We propped open a door, we had fans blowing. And sometimes that equipment started to fail when the temperature got too high. And we might also want to monitor the temperature to detect any temperature fluctuations, maybe before everything starts shutting down. We have a threshold that says if the temperature gets above this particular level, even though it’s not a dangerous level yet for the equipment, but it shouldn’t be at that level, if it gets above this threshold level, send an alert.

That’s what some of these environmental monitoring systems can do for us. They can send us an alert. It could be based on SNMP, the Simple Network Management Protocol. Remember SNMP traps. Well, we might have an environmental monitor that can generate an SNMP trap, sending it to an SNMP manager server, letting somebody in the NOC, the network operations center, know that the temperature is increasing in this room. Somebody might want to take a look at this. And other environmental monitors, they’re capable of sending out an SMS text, as an example, to let somebody know that this threshold has been crossed. Because we probably don’t want to wait until our equipment starts to fail before we’re alerted. We want to catch it before it starts bringing down equipment. And in addition to temperature and humidity, we also need to have power. If we don’t have power to our devices, that’s clearly an issue for us. So what can we do? After all, power outages do happen. Well, something that’s a good practice is to have a UPS, an uninterruptible power supply. This can give us continual power if the main power source goes out. And when I say continual power, I mean that it’s not going to disrupt the flow of electricity to the equipment even if the building’s main power goes down. That’s what a UPS can do for us. But a UPS does have a finite life.

It’s a battery, after all. It’s only going to last so long. So in addition to having a UPS, I think it could be a good idea to have a generator. And the goal is for that UPS to keep everything up and going until the generator has time to get up and running. And as long as you have gasoline for the generator, you have power. And much like one of those temperature or humidity monitoring systems, some UPSs, they can send us an alert to let us know that there’s a power outage. And sometimes, depending on the model of UPS, you can connect the UPS to something like a server, and it will help that server do a graceful shutdown, as opposed to just going down when the power is out. And that could potentially corrupt the file system. Instead, it can gracefully shut down that server. But if we have a generator, we might not even need to do that. And that’s a look at some environmental monitoring considerations.
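The early-warning threshold described above, as an added example that is not from the lesson. It goes one step further by adding hysteresis so a reading hovering at the threshold produces one alert rather than many; the threshold values, readings and the `notify` callback (standing in for an SNMP trap or SMS sender) are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ThresholdMonitor:
    warn: float                 # early-warning level, below the dangerous level
    critical: float             # level at which equipment is at risk
    clear_margin: float = 1.0   # reading must fall this far below a level to clear it
    state: str = "ok"

    def update(self, reading):
        """Feed one reading; return an alert message on a state change, else None."""
        # Hysteresis: once a level is active, lower its threshold by clear_margin
        # so a reading hovering at the threshold does not generate repeated alerts.
        crit = self.critical - (self.clear_margin if self.state == "critical" else 0)
        warn = self.warn - (self.clear_margin if self.state != "ok" else 0)
        new = "critical" if reading >= crit else "warning" if reading >= warn else "ok"
        if new == self.state:
            return None
        self.state = new
        return f"{new.upper()}: equipment room at {reading:.1f} C"

def run(readings, monitor, notify):
    """Send each state-change alert through notify (hypothetical trap/SMS sender)."""
    sent = []
    for reading in readings:
        message = monitor.update(reading)
        if message:
            notify(message)
            sent.append(message)
    return sent

# Constructed sample readings in degrees Celsius; thresholds are illustrative.
SAMPLE_READINGS = [24.0, 26.5, 27.2, 26.8, 27.1, 31.0, 35.5, 34.6, 33.0, 25.0]

if __name__ == "__main__":
    run(SAMPLE_READINGS, ThresholdMonitor(warn=27.0, critical=35.0), print)
```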

6. 15.5 Wireless Network Monitoring

Most of our enterprise networks, and a lot of our home networks for that matter, they’re going to have a wireless networking component. And here in this video we want to talk about a couple of different categories of wireless network monitoring tools. The first one is wireless survey software and the second is wireless analyzer software. And here we’re taking a look at an example of a wireless survey. Now this feature where you see a floor plan of a building and you see an access point placed here, this is just one component of a very large piece of software called Cisco DNA Center. But this does a great job of showing us a heat map. You can see signal strength on this key over at the side from negative 90 dBm all the way up to negative 35 dBm.

And this is showing us the coverage area and the signal strength at different places on this floor. So we’ve got the wireless access point here and as we start to radiate out, notice the colors change, showing greater loss in our wireless signal. And right now I’m looking at both 2.4 and 5 GHz. I can look at just one or the other if I want. I can say show me just 5 GHz. Notice the range is not quite as broad with 5 GHz. Speeds may be better, but we don’t quite have the coverage area. If I go to 2.4 GHz, it’s a larger coverage area, but the speed might be somewhat lower. But this is a great way to position access points. And you could do this before you even do an installation. You could just drag and drop access points onto this floor plan and make sure that you’ve got a coverage area going across the entire floor.

You don’t have any dead zones. You want to make sure that you have sufficient signal strength at all these different areas. And as you’re setting up these access points, remember that you probably want to avoid overlapping channels. So with the 2.4 GHz band, you probably want to be using channels 1, 6, and 11. You want five channels of separation; that’s going to avoid any overlap, and you’re only going to put coverage areas adjacent to one another that are using different channels. So this is a heat map and that’s something that we can do with wireless survey software. However, maybe we have a network up and running right now and we want to better analyze what’s happening.

That’s what wireless analyzer software can do for us. And here we’re taking a look at an application called WiFi Explorer and this is in my home network. Notice we have an SSID of Wallace home and there are several of those because I have multiple access points, and we have Wallace Guest. There’s a Wallace 2.4 GHz that I use for my IoT, or the Internet of Things, devices I have. I’ve got a special one that I’m working with just here in the studio with Wi-Fi 6, and that’s labeled as Studio. And I can click on one of these access points and we know what the vendor is based on the vendor code. And we can see what the signal strength is from different access points. Here’s the MAC address of the access point. So if I click on that, it says we have poor coverage from that access point, we’ve got poor coverage from that access point. Here’s one that’s good, and we have extremely poor coverage from another access point. And we can see what channels we’re using, we can see what kind of wireless security we’re using. It’s WPA2 with the pre-shared key. And also notice the channel width.

The basic channel width is going to be 20 MHz. Remembering that we can send ten 2 MHz sub channels in a single channel, but we can bond those channels together to have more simultaneous conversations. So if I bonded two channels together, that would give me a 40 MHz channel width. Here we have a lot of 80 MHz channel widths. We see that we’re using AES encryption as an example, but this is a way that we can go in and we can walk around with this application on our laptop, but we can go into a customer’s environment. And as we walk around, we can try to find any dead zones and make sure that we have sufficient signal strength from any place in the building. Because we can just continually watch this signal strength indicator as we’re walking around.

And we can see what channels are being used by both the 2.4 and the 5 GHz bands here. And that’s a look at a couple of ways that we can do wireless network monitoring. We can use wireless survey software that can give us a heat map, and we can use wireless analyzer software which can give us detail like we’re seeing here, showing us what channels are in use, what the signal strengths are, where our device is located. And we can see things like bonding and security.
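As an added example (not part of the lesson), the 2.4 GHz rule from the survey discussion, five channels of separation between adjacent coverage areas using channels 1, 6 and 11, can be checked and planned in code. The AP names, the adjacency list and the existing channel plan are constructed for the illustration.

```python
NON_OVERLAPPING = (1, 6, 11)   # 2.4 GHz channels with five channels of separation
MIN_SEPARATION = 5

def conflicts(plan, adjacent):
    """Return adjacent AP pairs whose channels are fewer than five apart."""
    return sorted((a, b) for a, b in adjacent
                  if abs(plan[a] - plan[b]) < MIN_SEPARATION)

def assign(aps, adjacent):
    """Backtracking assignment of channels 1/6/11 so no adjacent pair shares one.
    Returns a dict, or None if three channels cannot cover this layout."""
    neighbours = {ap: set() for ap in aps}
    for a, b in adjacent:
        neighbours[a].add(b)
        neighbours[b].add(a)
    plan = {}

    def place(i):
        if i == len(aps):
            return True
        ap = aps[i]
        for channel in NON_OVERLAPPING:
            if all(plan.get(n) != channel for n in neighbours[ap]):
                plan[ap] = channel
                if place(i + 1):
                    return True
                del plan[ap]          # undo and try the next channel
        return False

    return plan if place(0) else None

# Constructed sample: four access points and which coverage areas touch.
SAMPLE_APS = ["ap1", "ap2", "ap3", "ap4"]
SAMPLE_ADJACENT = [("ap1", "ap2"), ("ap2", "ap3"), ("ap3", "ap4"), ("ap1", "ap3")]
SAMPLE_EXISTING = {"ap1": 1, "ap2": 3, "ap3": 6, "ap4": 6}

if __name__ == "__main__":
    print("conflicts in existing plan:", conflicts(SAMPLE_EXISTING, SAMPLE_ADJACENT))
    print("proposed plan:", assign(SAMPLE_APS, SAMPLE_ADJACENT))
```

When `assign` returns None, four or more coverage areas all touch one another and the layout itself has to change, since only three non-overlapping channels exist in this band.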
