Network Analysis

Tron Plex
7 min read · May 31, 2021

A network topology describes the physical or logical layout of a network. A logical topology describes how the devices communicate with one another and how data moves between them, while a physical topology describes where the devices sit and how they are cabled together. Both physical and logical topologies fall into a few standard categories: bus, star, ring, tree, and mesh.

When I began my journey in IT, I noticed a lot of talk about home labs. I researched and decided that it would be extremely beneficial to have actual equipment that I could try to implement the things I was learning about in addition to books and other resources. I will be using this small LAN as the subject for this analysis.

I was able to find older enterprise equipment for reasonably cheap on eBay. My lab currently consists of an Arris BGW210, which is provided to me by my ISP, a Cisco 2811 router, a Cisco 2960 24-port switch, a Linksys E2500 SOHO wireless router, and a few computers given to me in a non-functioning state that I repaired myself. I am changing and reconfiguring this network; however, here is a look at its current topology.

The Arris BGW210 multifunction device is a 10/100/1000Base-T Ethernet switch, an 802.11b/g/n/ac wireless access point, and a firewall. It supports VoIP, IPv6, and some remote management features. The Cisco 2811 is a bit of a downgrade in speed, as it only supports 10/100Base-T Ethernet, but to become familiar with enterprise networking equipment while keeping cost low, this is what I went with to start. From there, I have the Cisco 2960 28-port switch. It also only supports 10/100Base-T Ethernet. The E2500 SOHO device has four 10/100Base-T Ethernet ports, an 802.11n wireless access point with 2.4 GHz and 5 GHz bands and multiple-input multiple-output (MIMO) antennas, and offers WEP, WPA, and WPA2 encryption.

One could best describe my current topology as a hybrid topology: a mix of a bus and a star, consisting of three routers and one switch. Except for the Cisco 2811 router, each of the routers and the switch has multiple devices connected to it, creating a star.

My current configuration has the ISP router handing out an address from 192.168.1.0/24 to the f0/0 interface on the Cisco 2811 via DHCP. The 2811 is configured with NAT inside/outside and uses a static address of 192.168.2.1 on its inside interface, which gives every downstream device a consistent default gateway. The 2811 also acts as the DHCP server, handing out addresses to the devices connected to the 2960 switch. This small lab setup also offers IEEE 802.11n wireless in both the 2.4 GHz and 5 GHz bands.

2811 Router Interfaces
2811 IP Route
2811 NAT Translation
Devices using DHCP
Devices using DHCP

Finally, the Linksys E2500 wireless router runs its own DHCP server and hands out addresses on the 10.10.10.0 network to the devices that connect to it. The 2811 performs network address translation (NAT), which lets the devices using private addresses reach the internet through the single public address provided by my ISP. DNS for this network points to Google's 8.8.8.8 resolver. The network primarily uses IPv4; however, the Linksys E2500 hands out both IPv4 and IPv6 addresses to the devices connecting to it.
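Here is what the 2811 side of that design looks like in IOS, written as an added example reconstructed from the description above; it is not the author's actual running-config. The f0/1 inside interface, the description strings, the pool and ACL names, the excluded-address range, and the one-day lease are assumptions. The E2500 is treated as what it is, a second NAT device whose WAN port sits in 192.168.2.0/24, so its 10.10.10.0 clients reach the 2811 already translated (double NAT).

```cisco
! Added example: Cisco 2811 as DHCP client upstream, NAT gateway and DHCP server
! downstream. Reconstructed from the description above; f0/1 as the inside
! interface, the names, the excluded range and the lease length are assumptions.
!
! Outside interface: takes its 192.168.1.x address from the Arris BGW210 via DHCP.
! "ip address dhcp" also installs a default route toward the gateway it learns.
interface FastEthernet0/0
 description Uplink to Arris BGW210
 ip address dhcp
 ip nat outside
 no shutdown
!
! Inside interface: the fixed gateway address every downstream host points at.
interface FastEthernet0/1
 description Downlink to Cisco 2960
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 no shutdown
!
! DHCP server for the 2960 side. Keep the gateway and a few addresses for
! statically configured devices (for example the E2500's WAN port) out of the pool.
ip dhcp excluded-address 192.168.2.1 192.168.2.10
ip dhcp pool LAB-LAN
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 8.8.8.8
 lease 1
!
! Translate only the inside subnet. The E2500 NATs its own 10.10.10.0 clients
! behind its 192.168.2.x WAN address, so they already match this list.
ip access-list standard NAT-INSIDE
 permit 192.168.2.0 0.0.0.255
!
! PAT ("overload"): all inside hosts share whatever address f0/0 currently holds,
! so the translation keeps working when the ISP router hands out a new lease.
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Checks that correspond to the screenshots in this section:
!   show ip interface brief     f0/0 should show a DHCP-assigned 192.168.1.x
!   show ip route               a default route via the ISP gateway
!   show ip nat translations    inside local -> inside global pairs
!   show ip dhcp binding        leases handed to hosts behind the 2960
```

Two things worth noticing on the router once this is in place. Because of the double NAT, every Wi-Fi client behind the E2500 shows up in `show ip nat translations` as the E2500's single WAN address, so per-device visibility for those clients exists only on the E2500. And NAT hides inside hosts from unsolicited inbound traffic only as a side effect; it is not a substitute for the firewall rules discussed later.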

Traceroute
Traceroute

Bandwidth is the theoretical maximum amount of data that can be transferred through a network or a piece of equipment in a given time. This is the number that internet service providers and equipment manufacturers typically advertise. Throughput is the amount of data the network actually transfers. The actual throughput of my network is not very far off from the 100 Mbps bandwidth, which is the ceiling set by the 10/100 ports on the 2811 and the 2960.

However, the devices connected to the E2500 were considerably slower.

All of the devices in this small network are in one room in my house, and I am the only user. So, the amount of traffic compared to most SOHO multifunction devices is considerably lower. That said, even when streaming videos from YouTube, the throughput remained consistent across the network.

Using Wireshark to analyze the traffic moving across the network, I found a few protocols that I did not expect to appear. Aside from traffic on ports 443 (HTTPS), 80 (HTTP), and 8080 (a common alternate HTTP port), I also noticed traffic on ports 993 (IMAPS, IMAP over TLS) and 5223 (Apple Push Notification service).

The traffic on ports 443 and 993 is encrypted with TLS, while the traffic on ports 80 and 8080 is plain HTTP that anyone on the path can read. Apple's push notification traffic on port 5223 is also carried over TLS; the APNs certificate one can obtain from Apple is for servers that send notifications to Apple's gateway, not something a client device needs. The port number is only a hint, though: a service can run TLS on any port, or plain text on 443. The reliable check in Wireshark is whether the flow begins with a TLS handshake (display filter `tls.handshake.type == 1`) rather than what port it uses.

One of the simplest things a person can do to protect their network is to change the default username and password on a new device. Changing the default credentials should be the first thing you do when connecting a new device to your network. A simple web search can reveal the default login information for just about any device out there. These new passwords should also be complex, preferably using a mix of uppercase and lowercase letters, numbers, and special characters. Common words or phrases make you more susceptible to a brute force or dictionary attack.

I make sure that all devices are up to date with the latest patches. I check for firmware updates regularly, since firmware releases carry the fixes for vulnerabilities in previous versions. Back up your data and device configurations before updating, in case something goes wrong; you may need to roll back to a working configuration until the new update can be installed cleanly.

The devices in my network also have remote management disabled, so their administrative interfaces can only be reached from inside the network, not from the internet. To further secure the system and the devices connected to it, I block inbound connections on unused TCP and UDP ports using the host-based firewalls of the operating systems in use on my network. All three routers in my network also include a firewall.

Windows Defender
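The same policy applied to the 2811 itself, as an added example that is not the author's configuration: turn off the web management interface, allow only SSH on the vty lines, and accept management sessions only from the inside subnet. The hostname, domain name, username, ACL name and the placeholder secret are assumptions and must be replaced.

```cisco
! Added example: management-plane hardening on the 2811. The hostname, lab.local,
! the username, the ACL name and the placeholder secret are assumptions.
!
! No HTTP/HTTPS management UI: one less service listening on the router.
no ip http server
no ip http secure-server
!
! SSHv2 needs a hostname, a domain name and an RSA key before it will start.
hostname lab-2811
ip domain-name lab.local
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local admin account. "secret" stores a hash; "password" would store it
! reversibly, which is exactly the default-credential problem in another form.
username labadmin privilege 15 secret REPLACE-WITH-A-LONG-UNIQUE-PASSPHRASE
!
! Only the inside subnet may open a management session; log anything else.
ip access-list standard MGMT-IN
 permit 192.168.2.0 0.0.0.255
 deny   any log
!
! vty lines: SSH only (no Telnet), local login, idle sessions dropped after 10 min.
line vty 0 4
 transport input ssh
 access-class MGMT-IN in
 login local
 exec-timeout 10 0
!
! Console stays as the fallback if the ACL ever locks you out over the network.
line console 0
 login local
 exec-timeout 10 0
!
! Verify:
!   show ip ssh                        SSH enabled, version 2
!   show ip http server status         HTTP server status: Disabled
!   show running-config | section vty  transport input ssh, access-class MGMT-IN
```

Apply the vty changes from the console rather than over an existing Telnet session, since `transport input ssh` will drop that session once it is committed; the ACL covers only the 192.168.2.0/24 segment, so a host behind the E2500 (which NATs to a 192.168.2.x address) still matches it.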

The E2500 router offers WEP, WPA, and WPA2 wireless encryption. It is currently configured with WPA2-Personal (pre-shared key), which is the most secure of the three modes available on this device: WEP is broken outright and WPA with TKIP is deprecated. With WPA2-Personal the real strength is the passphrase, since a captured four-way handshake can be attacked offline. I soon plan to test the security of WEP and WPA myself by configuring them and attempting to crack them. For now, I'll stick with WPA2.

I am far more aware of the protocols I'm using after studying them this semester, choosing encrypted protocols and technologies like HTTPS, IMAPS on port 993, and SSH rather than HTTP, plain IMAP on port 143, or Telnet.

When installing recent Linux distributions, I used file hashing to verify that I was getting an exact copy of the ISO image from the distribution's website. This involved computing the hash of the downloaded file and checking that it matched the value published on the site. Even the smallest change to the file would produce a completely different hash. Hashing is useful for making sure you don't accidentally install a corrupted or tampered file. One caveat: a hash published on the same site as the download only proves the file arrived intact. If the site itself were compromised, the attacker could replace the hash along with the image, which is why most distributions also sign their checksum file with a GPG key, and verifying that signature is what actually proves the image is authentic.

By disabling unnecessary services running on your machines, you lower the chance of running a little-known service that has a known vulnerability. It is essential to research what those services are responsible for before actually disabling them.

Another measure I could take would be enabling MAC filtering on the routers. MAC filtering only allows devices whose MAC addresses match a predefined list to connect. However, this is not a strong control on its own, since anyone with a little knowledge can change or spoof their device's MAC address to one they have seen on the network.

Finally, if these devices were somewhere I had to worry about unauthorized people plugging into them, I could manually shut down the unused interfaces on the switch and routers. That would prevent someone from joining the network simply by finding a free port.
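On the 2960 that looks like the following, as an added example that is not the author's configuration. The port assignments (f0/1 as the link to the 2811, f0/2 to f0/4 as the live devices including the E2500, f0/5 to f0/24 unused) and the parking VLAN number are assumptions made for illustration.

```cisco
! Added example: closing unused ports on the 2960 and pinning the live ones.
! Port assignments and VLAN 999 are assumptions.
!
! A VLAN nothing else lives in, used to park unused ports.
vlan 999
 name PARKING
!
! Unused ports: shut down AND moved off VLAN 1, so a port that is re-enabled by
! mistake later still does not land a visitor on the working segment.
interface range FastEthernet0/5 - 24
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Live end-device ports: one learned MAC each; a second MAC err-disables the port.
! This is MAC filtering with the same caveat as above: a spoofed address still
! passes, it only raises the bar for someone casually plugging in.
interface range FastEthernet0/2 - 4
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Link to the 2811: a router, not an end host, so no port security here, but
! keep it a plain access port since nothing in this lab needs a trunk.
interface FastEthernet0/1
 description Uplink to Cisco 2811 f0/1
 switchport mode access
!
! Verify:
!   show interfaces status     unused ports show "disabled", VLAN 999
!   show port-security         maximum 1, violation mode Shutdown on f0/2-4
!   show port-security address the one MAC learned on each live port
```

A port that trips the violation goes into err-disabled and stays down until someone runs `shutdown` / `no shutdown` on it, which is the intended behaviour in a lab: you want to notice when a new device appears on a port you thought you knew.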
