Networking is the practice of linking two or more computing devices together for the purpose of sharing data
Size Classification
LAN
MAN
WAN
Topology Classification
BUS
Simplest type of network
Shares a common cable/bus
Example
STAR
Most Common
Uses Switch, Hub or Computer
RING
Protocol Casting Classification
How a computer communicates with others based on a protocol
Types
Unicast
1-to-1
Example
TCP, SMTP
Broadcast
1-to-All
Example
Multicast
1-to-Many
Example
IGP, PIM
Is determined by the Communication Protocol
The OSI Model
Layers are referred to by the OSI model
Layer 1 – Physical
Layer 2 – Data Link
Layer 3 – Network
Layer 4 – Transport
Layer 5 – Session
Layer 6 – Presentation
Layer 7 – Application
Comparison with TCP Model
NETWORKING DEVICES
Repeaters
A Layer 1 Device
Regenerates and propagates all electrical transmissions between 2 or more LAN segments
Network Interface
Allows a device to communicate with a network
Mostly in the form of a card and usually called NIC (Network Interface Card)
MAC address
A unique identifier for a network interface
Outlined by IEEE 802
Used by most networks
48-bit addressing
First 24 bits – for the organization (vendor)
Next 24 bits – for the device
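The casting classes above (unicast, broadcast, multicast) and the 24/24-bit split of a MAC address can be checked in code. The following is an added example, not part of the original notes: it splits a MAC into its organization and device halves, reads the I/G and U/L bits to classify the destination, and does the same classification for an IPv4 address. The sample addresses are constructed for the test, not taken from any real network.

```python
import ipaddress
import re


def parse_mac(mac: str) -> dict:
    """Split a 48-bit MAC address into the IEEE 802 fields the notes describe.

    Accepts "aa:bb:cc:dd:ee:ff", "aa-bb-cc-dd-ee-ff" or "aabb.ccdd.eeff".
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]
    return {
        # First 24 bits: the OUI assigned to the organization (the NIC vendor).
        "oui": "".join(f"{b:02x}" for b in octets[:3]),
        # Next 24 bits: chosen by that organization to make the device unique.
        "nic": "".join(f"{b:02x}" for b in octets[3:]),
        # Bit 1 of the first octet: 1 = locally administered, i.e. not the
        # vendor-assigned address. Worth flagging on a plant network because it
        # usually means the address was set by software (VM, bonding, override).
        "locally_administered": bool(octets[0] & 0x02),
        "cast": classify_mac(octets),
    }


def classify_mac(octets) -> str:
    """Map a destination MAC onto the casting classes: unicast, multicast, broadcast."""
    if all(b == 0xFF for b in octets):
        return "broadcast"          # ff:ff:ff:ff:ff:ff, 1-to-all
    if octets[0] & 0x01:            # I/G bit set: group address
        return "multicast"          # 1-to-many
    return "unicast"                # 1-to-1


def classify_ipv4(address: str) -> str:
    """Same three classes for an IPv4 destination (multicast = 224.0.0.0/4)."""
    ip = ipaddress.IPv4Address(address)
    if ip == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"
    if ip.is_multicast:
        return "multicast"
    return "unicast"


if __name__ == "__main__":
    # Constructed sample addresses, not captured from a real switch.
    for sample in ("00:80:63:12:34:56", "01:00:5e:00:00:fb", "ff:ff:ff:ff:ff:ff"):
        print(sample, parse_mac(sample))
    print("224.0.0.9", classify_ipv4("224.0.0.9"))
```

The `locally_administered` flag is the useful extra for a defender: vendor NICs normally leave it clear, so a set bit on a port that should carry a fixed controller or workstation is worth a second look.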
Switches
Connects network interfaces (identified by their MAC addresses) to each other on its ports
Configuration Classification
Managed
Allows configuration
Unmanaged
Is shipped with a fixed configuration
Rarely used
Type Classification
Layer 2 (Data Link Layer) Switch
Operates up to layer 2 (Layer 1,2)
Uses MAC Address
Layer 3 (Network Layer) Switch
Operates up to layer 3 (layer 1,2,3)
Uses IP Address
One key difference from a Layer 2 switch is awareness of IP multicast through IGMP snooping
Link Aggregation Technology
A technique of combining multiple physical network ports into a single link for increased bandwidth, load balancing and increased fault tolerance.
Advantages
Improves bandwidth
Provides redundancy . e.g.
Typically used for Trunk Port
Available in Layer 2 and Layer 3 switch
Hirschmann Switches
Commonly Used Models
RS40
DIN Rail
Layer 2 Switch
9 Ports GE (Gigabit Ethernet)
4 Combo Ports
Can use Fibre Optic or RJ45
Option for AC or DC
MACH104
Layer 2 Switch
19” Rack Switch
24 Ports GE (Gigabit Ethernet)
4 Combo Ports
Option for redundant power
MACH1040
Layer 2 and Layer 3
16 Combo Ports
GE (Gigabit Ethernet)
Option for DC or AC
M-SFP-LX/LC
Fibre Optic Gigabit Ethernet Transceiver
Interface or Port Conventions
Hirschmann interfaces are named A/B
Example 1/1, 1/2, 1/24, etc
A is the slot number
B is the port number as seen physically labelled on the front of the switch
Connecting to a Hirschmann Switch using a terminal cable
Connect using a Hirschmann Terminal Cable
Serial cable (CVP-678FA)
The end connection uses RJ11
Connects to the Switch’s V.24 Port
The other end connects using a DB9 female connector
Open PuTTY or HyperTerminal
Check the COM port number used; it can be found in Windows Device Manager
Once connected,
Enter username and password
Default username/password pairs
admin, private
user, public
Configuring a Hirschmann Switch using the Terminal
At any point,
type ‘?’ to view available commands
type ‘show sysinfo’ to show current system configuration
type ‘copy system:running-config nvram:startup-config’ to save configuration into switch ROM
Why is the command like the above? Hirschmann switches keep the configuration in two locations
Running
Startup
The startup config is loaded at boot and copied into the running config.
It also acts like a backup
Running
The running is what’s currently running
After making changes, the command pushes the running config to the startup config
show port all
Displays all port status. Available in privileged exec or user exec mode
Layer 2
Type ‘Enable’
This enables basic switch commands
Configure System Name, IP and Prompt Name
Current system name can be seen using ‘Show sysinfo’ command
(Hirschmann MACH) (Vlan)# vlan 100 <== ‘100’ is the VLAN ID also called ‘MANAGEMENT VLAN’
(Hirschmann MACH) (Vlan)# vlan name VLANNAME
Configure the Management IP and Management VLAN
To show existing Management IP and Management VLAN
User Name and Password Management
To show existing users
show users
To add new user
users name NEWUSER
users access NEWUSER readwrite
users passwd NEWUSER
Set snmpv3
snmpv3 is mainly used to allow authentication for the device’s website configuration portal
Use the following command
(config)# users snmpv3 accessmode USER readwrite
(config)# users snmpv3 authentication USER md5
(config)# users snmpv3 encryption USER des
Enter an encryption key
Disable IGMP Snooping and Spanning-Tree.
(config)#no set igmp
Disable spanning-tree
(config)#no spanning-tree
Configure the Interfaces with VLANs
#config
(vlan)# interface 1/1
(vlan)# name INTERFACENAME
(vlan)# vlan pvid VLANID
(vlan)# participation include VLANID
The include command allows the port to associate with a VLAN
On Hirschmann switches, multiple VLANs can be assigned to a port
this is commonly used for trunking
(vlan)# participation exclude 1
The exclude command removes a VLAN association from a port
(vlan)# no shutdown <== This ENABLES the port
Disable all unused ports.
This is good practice: it prevents anyone from simply plugging into the network
Command
show port all <== SHOWS PORT STATUS
#config
(vlan)# interface 1/1
shutdown <=== DISABLES PORT
no shutdown <== ENABLES PORT
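The interface and "disable all unused ports" steps above are easy to get wrong by hand on a 24-port switch. The following is an added example, not Hirschmann's code or the original notes: a small generator that produces the CLI script for one slot from a list of ports that are actually in use, using the command forms given in the notes (`vlan pvid`, `vlan participation include/exclude`, `shutdown`/`no shutdown`, `copy system:running-config nvram:startup-config`). The `exit` lines that leave interface and config mode are an assumption about the CLI, and the 9-port, two-used-ports inventory is constructed for the example.

```python
from typing import Dict, List, Optional, Sequence


def port_names(slot: int, count: int) -> List[str]:
    """All interface names for one slot in the A/B convention, e.g. 1/1 .. 1/9."""
    return [f"{slot}/{n}" for n in range(1, count + 1)]


def interface_lines(port: str, name: Optional[str] = None, pvid: Optional[int] = None,
                    include: Sequence[int] = (), exclude: Sequence[int] = (),
                    enabled: bool = True) -> List[str]:
    """Commands for one interface, in the order the notes give them."""
    lines = [f"interface {port}"]
    if name:
        lines.append(f"name {name}")
    if pvid is not None:
        lines.append(f"vlan pvid {pvid}")                      # default VLAN for untagged frames
    for vid in include:
        lines.append(f"vlan participation include {vid}")     # port joins the VLAN
    for vid in exclude:
        lines.append(f"vlan participation exclude {vid}")     # port leaves the VLAN
    lines.append("no shutdown" if enabled else "shutdown")    # shutdown = port disabled
    lines.append("exit")                                      # assumption: leaves interface mode
    return lines


def unused_ports(slot: int, count: int, used: Dict[str, dict]) -> List[str]:
    """Every port on the slot that has no entry in the inventory: these get shut."""
    return [p for p in port_names(slot, count) if p not in used]


def build_layer2_config(slot: int, count: int, used: Dict[str, dict]) -> List[str]:
    """Full script: configure the ports in `used`, shut every other port, then save."""
    unknown = set(used) - set(port_names(slot, count))
    if unknown:
        raise ValueError(f"ports not on this switch: {sorted(unknown)}")
    script = ["config"]
    for port in port_names(slot, count):
        if port in used:
            script += interface_lines(port, **used[port])
        else:
            script += interface_lines(port, enabled=False)
    script.append("exit")                                     # assumption: leaves config mode
    script.append("copy system:running-config nvram:startup-config")
    return script


# Constructed inventory for the 9-port RS40 from the notes: two ports in use.
SAMPLE_USED = {
    "1/1": {"name": "TrunkToArea1", "pvid": 100, "include": [100, 200]},
    "1/2": {"name": "NMS", "pvid": 100, "include": [100]},
}

if __name__ == "__main__":
    print("\n".join(build_layer2_config(1, 9, SAMPLE_USED)))
```

Because the inventory is the only input, anything not listed is shut by construction, which is the property the "good practice" note above is after; the script can be diffed against `show port all` output after it has been pasted in.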
Layer 3
Set System Name
(Config)#snmp-server sysname Layer3
Set Prompt Name
(Layer3) #set prompt Layer3
Create User Name and Password
To show existing users
show users
To add new user
users name NEWUSER
users access NEWUSER readwrite
users passwd NEWUSER
Set snmpv3
snmpv3 is mainly used to allow authentication for the device’s website configuration portal
Use the following command
(config)# users snmpv3 accessmode USER readwrite
(config)# users snmpv3 authentication USER md5
(config)# users snmpv3 encryption USER des
Enter an encryption key
Create VLANs
To show currently created VLANs
(Config)#show vlan brief
To create VLAN
(Hirschmann MACH) #vlan database
(Hirschmann MACH) (Vlan)# vlan 100 <== ‘100’ is the VLAN ID also called ‘MANAGEMENT VLAN’
(Hirschmann MACH) (Vlan)# vlan name VLANNAME
Assign VLAN to Interfaces
To show which default VLANs a port is currently assigned
(Config)#show vlan port 1/1 <== 1/1 is PORT number
To see which Ports the VLAN is assigned to
(Config)#show vlan 100
In the following example, VLAN 100 is assigned to interface 1/1 and 1/2
To assign the interfaces
(Config)#interface 1/1
(Interface 1/1)#name TrunktoArea1
(Interface 1/1)#vlan participation include 100
(Interface 1/1)#vlan tagging 100
This is used to enable VLAN tagging on the port
(Interface 1/1)#no shutdown
Enables the port
Connecting via Web Access
To know which IP to connect to
From terminal, check the management IP.
Command ‘show network’
Also shows which VLANID the management IP network is connected to
If VLAN is used, make sure that the Interface port is assigned with the VLAN
NETWORK ROUTING
Message Transmission
Routing Classifications
Static Routing
Network Administrator manually configures the routes
Dynamic Routing
Discovers remote networks.
Maintaining up-to-date routing information.
Choosing the best path to destination networks.
Protocols
RIP
A simple intra-domain routing protocol
Each router advertises its routing information periodically (typically every 30 seconds) to neighbours
The Internet uses BGP not RIP
VLAN (Virtual Local Area Network) Technology
VLAN allows machines to connect to a network regardless of their physical location
1 switch can have many VLANs
Multiple switches can be on a same VLAN
If machines on different switches want to communicate with each other, the switches need to be linked
This is normally achieved by using one of the ports (or interfaces) of the switch as a Trunk Port
Trunk Port
Is a specially dedicated port used to bridge switches for VLAN communication
One trunk port will hold packets from multiple VLANs. Normally the last port in the switch is used.
To keep the VLANs apart on that port, VLAN Tagging is used
VLAN Tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN (Virtual Local Area Network) the packet belongs to
It is done by the switch itself, since the switch knows which VLAN the packet should go to.
IEEE 802.1Q (dot1q) is an open standard for VLAN Tagging and can be used in mixed-vendor environments.
The VLAN tag is integrated into the MAC frame for the VLAN and prioritization functions in accordance with the IEEE 802.1Q standard. The VLAN tag consists of 4 bytes.
In Hirschmann switches, a VLAN tag is configured as a ‘T’ in the VLAN Static page (T for Tagged, U for Untagged)
For untagged packets a default VLAN is configurable on the port, meaning that if a packet is untagged, the port forwards it to the default VLAN
In the above example, the VLAN packets will by default be forwarded to VLANID 100 for Port 1/1 and Port 1/2.
When a switch needs to carry traffic of more than one VLAN over a link connecting to another switch or router, the port used for that purpose is called a Trunk Port.
- To enable trunking on a trunk port, VLAN Tagging protocols need to be used.
Segmentation is based on broadcast domains.
- Devices on different VLANs can communicate only through a router or a Layer 3 switch.
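The 4-byte 802.1Q tag and the "untagged frame goes to the port's default VLAN" rule described above can be shown on raw frames. This is an added example, not code from the notes or from Hirschmann: it decodes the Ethernet header and the tag (TPID 0x8100, then PCP, DEI and the 12-bit VID), and `ingress_vlan` applies the port rules from the notes (a PVID for untagged frames, a membership set for tagged ones). The frames are constructed inline for the test; `build_frame` is a helper that exists only to make them.

```python
import struct
from typing import Optional, Set

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 4-byte 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": None, "dei": None, "vid": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True,
                    pcp=tci >> 13,               # 3-bit priority (prioritization function)
                    dei=bool((tci >> 12) & 1),   # drop-eligible indicator
                    vid=tci & 0x0FFF)            # 12-bit VLAN ID
        offset = 18
    info["ethertype"] = ethertype                # the real payload type follows the tag
    info["payload"] = frame[offset:]
    return info


def ingress_vlan(frame: bytes, pvid: int, member_vids: Set[int]) -> Optional[int]:
    """VLAN a switch port would forward this frame on, or None if it drops it.

    pvid        - the port's default VLAN for untagged frames ("vlan pvid" in the notes)
    member_vids - VLANs the port participates in ("vlan participation include")
    """
    info = parse_frame(frame)
    if not info["tagged"] or info["vid"] == 0:
        return pvid          # untagged, or priority-only tag: use the port default VLAN
    if info["vid"] == 0xFFF:
        return None          # VID 4095 is reserved
    return info["vid"] if info["vid"] in member_vids else None


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a test frame; vid=None gives an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured traffic); the payload is an IPv4 header stub.
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 18
TAGGED_100 = build_frame("01:00:5e:00:00:09", "00:80:63:12:34:56", 0x0800,
                         SAMPLE_PAYLOAD, vid=100, pcp=5)
UNTAGGED = build_frame("01:00:5e:00:00:09", "00:80:63:12:34:56", 0x0800, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for label, frame in (("tagged", TAGGED_100), ("untagged", UNTAGGED)):
        print(label, parse_frame(frame), "->", ingress_vlan(frame, 100, {100, 200}))
```

With a port configured as in the notes (PVID 100, participation in 100 and 200), an untagged frame lands in VLAN 100 and a frame tagged for a VLAN the port does not participate in is dropped, which is the behaviour to confirm when a trunk port is first brought up.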
LOCAL AREA NETWORKS
Casting
Type
Unicast Routing
Multicast
Multiple Unicasting
Multicasting
Protocol Independent Multicast
PIM Dense Mode
Used by VNET/IP
Sparse Mode
IGMP
Controls Multicasting
IGMP Snooping
Is implemented by Layer 2 devices
IGMP Join messages are sent by a host to the Layer 2 switch
Yokogawa VNET
Uses Hirschmann Devices
RS40, MACH104, MACH1040 and the M-SFP-LX/LC transceiver (specifications as listed under Hirschmann Switches, Commonly Used Models, above)
Make sure to order terminal cables!!!
Yokogawa has an agreement with Hirschmann under which the VNET/IP configuration is burned into the switch’s ROM
This becomes the default configuration, which can be reset using a PuTTY terminal connected with the terminal cable.
The command is: Clear Config Factory
Hirschmann adds a Yokogawa logo underneath its own logo on the switch if it has burned the Yokogawa VNET/IP default settings
Switch Settings
VnetIP Setting Required for Layer 3 Switch
Enable Multicast Routing (IGMP and PIM-DM) among VLANs
Configure Management IP for NMS
Disable RSTP
To reduce latency, because VNET/IP is meant for real-time applications; RSTP takes time to recover if a loop happens
Because VNET has VNET 1 and VNET 2, there is no worry if a loop happens
Shutdown Unused Ports
Change Default Password
Backup and Restore configuration using ACA21 or NMS Server
RIP set to 1 second
IGMP and PIM-DM Enabled
VnetIP for Layer 2 Switch
IGMP Snooping disabled
So that multicast data reaches all devices
Disable RSTP
Shutdown Unused Ports
Change Default Password
Backup and Restore configuration using ACA21 or NMS Server
VNET IP addressing Rules
Yokogawa pre-configured
VLAN
A Layer 2 Technology
Why use VLAN
Helps with security (segmentation)
Cost Reduction
A small performance gain
VLAN Trunking
VLAN Tagging
Practice of inserting a VLAN ID into a packet header to identify which VLAN the packet belongs to
Link Aggregation
Rapid Spanning Tree Protocol (RSTP)
An enhanced version of Spanning Tree Protocol (Faster)
To prevent network loops or broadcast storm
How it works
Determine Root Bridge/Switch
Based on lowest Root ID
Select Root Port
Select Designated Port
Block the Ports
Is sometimes disabled
For example in Yokogawa VNET IP
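The four RSTP steps above (root bridge by lowest Bridge ID, root port, designated port, block the rest) can be worked through on a small topology. This is an added example, not the notes' own material and not a switch implementation: it models Bridge IDs as (priority, MAC) tuples so that "lowest wins" is a plain tuple comparison, finds the cheapest path from every bridge to the root, and then assigns each port a role. The three-switch ring and its link costs are constructed for the example.

```python
import heapq
from typing import Dict, List, Tuple

BridgeId = Tuple[int, str]               # (priority, MAC): the lower tuple wins, like a Bridge ID
Link = Tuple[str, str, str, str, int]    # (bridge A, port A, bridge B, port B, path cost)


def elect_root(bridges: Dict[str, BridgeId]) -> str:
    """Step 1: the bridge with the lowest Bridge ID (priority, then MAC) is the root."""
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(root: str, links: List[Link]) -> Dict[str, int]:
    """Cheapest cost from every bridge back to the root (Dijkstra over link costs)."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return dist


def port_roles(bridges: Dict[str, BridgeId], links: List[Link]):
    """Return (root bridge, {(bridge, port): 'root' | 'designated' | 'blocked'})."""
    root = elect_root(bridges)
    cost = root_path_costs(root, links)
    roles: Dict[Tuple[str, str], str] = {}

    # Step 2: root port = the port with the cheapest path to the root
    # (ties broken by the neighbour's Bridge ID, then the neighbour's port).
    best = {}
    for a, pa, b, pb, c in links:
        for me, my_port, nb, nb_port in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue                       # the root has no root port
            candidate = (cost[nb] + c, bridges[nb], nb_port)
            if me not in best or candidate < best[me][0]:
                best[me] = (candidate, my_port)
    for me, (_, my_port) in best.items():
        roles[(me, my_port)] = "root"

    # Step 3: on every link the end closer to the root (lower cost, then lower
    # Bridge ID) is the designated port.
    # Step 4: any port that is neither root nor designated is blocked; that is
    # the port RSTP removes from the topology to break the loop.
    for a, pa, b, pb, _ in links:
        if (cost[a], bridges[a]) < (cost[b], bridges[b]):
            desig, other = (a, pa), (b, pb)
        else:
            desig, other = (b, pb), (a, pa)
        roles[desig] = "designated"
        roles.setdefault(other, "blocked")
    return root, roles


# Constructed three-switch ring (not a site layout). SW1 gets the lowest priority so it wins.
SAMPLE_BRIDGES = {
    "SW1": (4096, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
SAMPLE_LINKS: List[Link] = [
    ("SW1", "1/1", "SW2", "1/1", 4),
    ("SW1", "1/2", "SW3", "1/1", 4),
    ("SW2", "1/2", "SW3", "1/2", 4),
]

if __name__ == "__main__":
    root, roles = port_roles(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
```

In the ring the SW2-SW3 link is the one that closes the loop, and the model blocks SW3's end of it because SW2 has the lower Bridge ID at equal cost. This is also why the notes' choice to disable RSTP on VNET/IP is a deliberate trade: without it, a loop is not broken automatically and the redundancy has to come from the separate VNET 1 and VNET 2 networks instead.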
ANTI VIRUS
Type of Virus
File Virus
Boot Sector Virus
Macro Virus
Network Virus
Also known as worm
Virus Life Cycle
Dormant
Propagation
Triggering
Execution
Antivirus Solutions
Symantec Endpoint Protection
McAfee VirusScan Enterprise
Yokogawa uses this
Has agreement with McAfee
Cheaper for Yokogawa
The virus definition will not affect Yokogawa systems
Symantec Endpoint Protection
Components
LUA
Downloads Virus Definitions
SEP
Client
LUA and SEP are not recommended to be installed on the same machine
McAfee VirusScan Enterprise
Components
File Server
Optional
ePO server can connect to McAfee directly
Some sites wish to set up a file server where the virus definition is downloaded from the Internet and hosted on the file server
Can use FTP Servers as well
ePO Server
Deploys virus definition to all agents in one shot
Optional because
Virus definitions can be installed directly on a machine or obtained from a File Server, but this is tedious as it needs to be done manually on each machine
Obtains product & virus definition from either
Internet McAfee Server
McAfee
In a process environment, there would typically be two ePO Servers:
DMZ ePO Server
Sometimes this Server connects to the McAfee Server
PCN ePO Server
Components
System
Dashboard
Audit Dashboard
Executive Dashboard
Product Deployment Dashboard
Repository
A function inside ePO
Types
Master Repository
Pulls DAT files from the Source site
Replicates DAT files to Distributed Repos
Distributed Repository
Agent Repository
Branches
Is just the means by which McAfee keeps different versions of a package
This is to allow roll back in case something fails
Two versions are kept
Current
Previous
A third version called ‘Evaluation’ is used for testing purpose only and should be ignored
Communication
FTP
Most Preferred
UNC
Not preferred as it requires the use of port 135
HTTP
Not preferred as it uses port 80
Server Task Logs
All ePO activity is logged here
Go to Menu ==> Automation ==> Server Task Logs
Agents
Can pull virus definition from ePO
Can also be manually updated using virus definitions
Agent to ePO Server communication is by default every 60 minutes
DAT Files
Virus Definition Files
Policy
A collection of settings that you create, configure and enforce.
The policy groups
McAfee Default
My Default
A best practice is to replicate McAfee Default here and work out any changes from here
Common Used Policy
Access Protection Policy
When enabled, restricts access to specified ports, registry keys and values
Prevents users from stopping McAfee processes
It is recommended to disable this policy when installing process software, such as Yokogawa applications
General Option Policy
Configure user access on system tray options
Policy needs to be done on Server and workstation.
To allow the policy to take effect, the server needs to run ‘Wakeup Agent’
Definition File (DAT)
The McAfee virus definition file is a file of a few hundred MB in size, which holds all virus definitions
The file is in a .DAT format
McAfee EPO will download the whole file on each Pull, there is no incremental update.
Setting up McAfee (The following setup is based on EPO version 4.6.6)
Setup EPO on DMZ
Run EPO Setup ==> Setup
If the following error comes out
Run ‘fsutil.exe 8dot3name set 0’
Install SQL Server Express
Change the IP address/port if required (typically port 80 to 8080)
After complete, the EPO can be launched from the windows start menu
Note: ePO uses Tomcat 5
Install FTP Server
The FTP server is required to store the virus definitions and packages.
It will be accessible by the PCN ePO Server
Create server site name ‘EPO’
Any FTP server software may be used, but the FTP path must be:
Check-in is the process of loading the latest McAfee packages into the ePO system
Alternatively, you can just pull the packages.
Go to Menu ==> Master Repository ==> CheckIn Package
The packages are zip files which can be downloaded from McAfee website
Go to McAfee website==> Support
Key in Grant Number
Grant Number is given upon purchase of McAfee Software
The important package to check in here would be the
McAfee VirusScan Enterprise Package
1-VSE880LMLRP3.Zip
After CheckIn
The VirusScan Enterprise Package will appear
Add Extensions
Extensions are additional configurations on the packages
Go to Menu ==> Software ==> Extensions ==> Install Extensions
The Extensions are zip files, which can be downloaded from the internet
The extension needed here is the VirusScan Enterprise Extension
1-2VIRUSCAN8800(348)
After installing extensions, the extension associated can be seen in
Menu ==> Software ==> Extensions ==> Policy Catalog
Under Product : 'VirusScan Enterprise’
Export Security Key
Security key is like an ID when used to communicate between PCN and DMZ servers.
Menu ==> Configuration ==> Server Settings ==> Security Keys ==> Edit
Under Local Master Repository key pairs, click ‘Export Key Pair’
The security key will be a zip file, which you save and bring to the PCN ePO Server
Pull (Obtain) packages from McAfee Server
Menu ==> Software ==> Master Repository ==> Pull Now
Before pulling packages
After pulling packages
Note that the DAT file is the virus definition file
Setup EPO on PCN
Install EPO
Setup Source Site to Connect to the DMZ FTP Server
Menu ==> Configuration ==> Server Settings ==> Source Sites
Install Security Keys
Menu ==> Configuration ==> Server Settings ==> Security Keys ==> Edit ==> Import
Import the security key zip file obtained from the DMZ ePO server
Pull the definitions and all packages
Menu ==> Software ==> Master Repository ==> Pull Now
Setup the clients from EPO Server
On the PCN EPO Server, System Tree ==> System Tree Actions ==> New Systems
You can browse the network. To do this, make sure Computer Browser Service is started
Deploy Agent on clients
In this process, the ePO server attempts to install a program on the client machine. This requires an administrator account.
This is normally done while adding a new system, but if it needs to be done manually it can be accessed from System Tree ==> Tick the Computer Name ==> Actions ==> Agent ==> Deploy Agents
Make sure the credentials for deploying the agent on the client are correct
The Server task logs should say completed
After successful deployment, the mcafee agent should be seen in the client
Create Task to Deploy Virus Scanner
From the DMZ EPO Server, Menu ==> Policy ==> Client Task Catalog ==> Actions ==> New Task
Select Task Type as ‘Product Deployment’
Run The Task which deploys the virus scanner
System Tree ==> Tick Machine ==> Assigned Client Task (tab) ==> Action ==> New Client task Assignment
In Schedule type, choose run immediately
System Tree ==> Tick Machine ==> WakeUpAgent
Once deployment complete, on the Client’s McAfee Agent Monitor
Adding Policies
Policies are important for controlling the features and restrictions of the VirusScan console
Policies are a bit confusing as they are hierarchical
Category
Policy Group
Policy
Server
Workstation
By default EPO does not have all policy parameters. These policy parameters need to be obtained from an Extension Package
The Extension package can either be pulled or checked in
When a policy is created it needs to be assigned to a group (easiest is to just assign it to My group, which is the root group and affects all machines)
The wakeup agent command needs to be run to immediately pass out the policies
Category
Is the main branch which is the function of the policy
e.g.:
General Option Policies
Used to prevent users from disabling certain files
On Access Default Processes Policies
Used to scan only certain files
Used to exclude certain folders from being scanned
On Access General Policies
Select whether to scan the boot sector only, etc.
Unwanted Program Policies
Used to remove unwanted programs
Policy Group
Lets users copy settings from a default policy group, so that the template settings are not disturbed
There are 2 default policy groups
McAfee Default
My Default
Typically one will duplicate from My Default, call it with a policy name, and assign groups to the policy.
ONLY ONE POLICY group can be assigned to a CATEGORY.
NOTE : THIS IS A VERY IMPORTANT CONCEPT
ALL Groups in the System Tree branch will have ALL Policy categories, and by default each policy category uses the My Default Policy Group. We CREATE AND SELECT a different policy if we do not wish to implement the default.
In the screenshot below, all Policy categories exist in the My Organization node BUT the policy applied is different.
Typical Policies
Lockdown Policy
Prevents users from disabling a virus scan
Exclusion Policy
Prevents the scanning of certain files.
Adding Client Tasks
This is normally important to make the computer run full scans at certain intervals
Menu ==> Policy ==> Client Task Catalog ==>Virus Scan Enterprise ==> On Demand Scan ==> New Task ==> Select On Demand Scan
Then assign the task to a group
WSUS (Windows Server Update Services)
Is installed by Adding Roles
Must either be connected to the internet, or the installer can be downloaded from Microsoft
WSUS Server is an IIS application
Used to patch microsoft products e.g.
Windows
Office
SQL Server
How WSUS Works in Process Environment
WSUS Main Server is installed on the corporate network and downloads patches from Microsoft
WSUS PCN server are installed on the PCN Network
The WSUS PCN Server communicates with the WSUS Main Server on the Corporate Network. This process is called synchronization
The WSUS PCN Server must change the source in the WSUS Update Service utility
The PCN WSUS Server administrator goes to the control system vendor’s website or contacts the vendor to see which patches are approved for distribution
The PCN WSUS Administrator approves the patches, and the approved patches become available to the clients
Approval is based on groups: the administrator approves a patch for an entire group
Once approved, the clients in the group start downloading the patch when their scheduled update runs. By default this is every 22 hours
The patch will be applied manually by the client’s administrator.
Typically, Microsoft releases patches on the 2nd Tuesday of each month
If it is urgent, the patch is released immediately
Free
OS Patch management tool
WSUS Client
A yellow shield appears on the desktop
Only Administrator Group user can view the Icon
Client Server Application
30GB for WSUS
One key use for Microsoft patch is to prevent virus attacks due to software vulnerabilities
Architecture
A server is installed on every network tier
Corporate Domain
DMZ
PCN
Why? To avoid opening too many connections from client machines to port 80 across the network boundaries
Synchronization
Process in which the WSUS server connects to Microsoft Update, or a Downstream server connects to an Upstream server
Is found under Update Services==>Synchronization
Is typically set to synchronize daily
Patch Approval
Approval is done on the server which allows the patches to be released to all clients connecting to the Server
Approval Is done in groups. Groups are set in the Update Services
Reports
Produced on the Server
Produced by WSUS detailing its activities
Reports Available
Update Reports
Computer Reports
Synchronization Reports
Ports Used
Upstream Server
Should be set to Port 8530
However, it typically listens on port 80, as configured by the IT department
DMZ/Downstream Server
Port 8530
PCN/Management Server
Port 8530
Client Configuration
Checks by default every 22 hours and downloads approved patches
To connect to a server, the following settings are required
Go to run ==> gpedit.msc (Local group Policy) (must be administrator) (Does not work in Windows Home)
Configure Automatic Update
Generally set to automatic download and notify for install.
Specify Microsoft Update Service Location
Specify IP Address of WSUS Server
Automatic Updates Detection Frequency
Should be enabled, by Default is 22 hours.
After changing the settings, remember to run the Group Policy update
gpupdate /force
This applies the settings
wuauclt.exe /detectnow
This forces the client to connect to the server and inform it that it exists
This should cause the computer to appear under the WSUS Server unassigned computer
This process may take some time before it takes effect
wuauclt.exe /resetauthorization
If detectnow doesn’t work, use this one.
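The three gpedit settings above are stored as policy registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer, WUStatusServer) and its AU subkey (UseWUServer, AUOptions, NoAutoUpdate, DetectionFrequencyEnabled, DetectionFrequency), so a client can be checked against the notes' expectations without opening the editor. The following is an added example, not part of the notes and not a Microsoft tool: it takes those values as two dictionaries (exported from a client, or constructed as here) and reports every deviation from the settings the notes call for (server on port 8530, automatic download and notify for install, detection every 22 hours or less).

```python
from typing import Dict, List
from urllib.parse import urlsplit

EXPECTED_PORT = 8530       # notes: DMZ/downstream and PCN servers listen on 8530
EXPECTED_AUOPTIONS = 3     # notes: "automatic download and notify for install"
MAX_DETECTION_HOURS = 22   # notes: detection frequency defaults to 22 hours


def check_wsus_policy(windows_update: Dict, au: Dict) -> List[str]:
    """Return a list of findings; an empty list means the client matches the notes.

    windows_update - values under ...\\Policies\\Microsoft\\Windows\\WindowsUpdate
    au             - values under the AU subkey of that key
    """
    findings: List[str] = []
    server = windows_update.get("WUServer")
    if not server:
        findings.append("WUServer missing: client would go to Microsoft Update directly")
    else:
        parts = urlsplit(server)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if port != EXPECTED_PORT:
            findings.append(f"WUServer uses port {port}, expected {EXPECTED_PORT}")
        if windows_update.get("WUStatusServer") != server:
            findings.append("WUStatusServer differs from WUServer: status reports go elsewhere")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer != 1: WUServer is ignored")
    if au.get("AUOptions") != EXPECTED_AUOPTIONS:
        findings.append(f"AUOptions is {au.get('AUOptions')}, expected {EXPECTED_AUOPTIONS}")
    if au.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate = 1: automatic updates are disabled")
    if au.get("DetectionFrequencyEnabled") != 1:
        findings.append("DetectionFrequencyEnabled != 1: built-in 22-hour default applies")
    freq = au.get("DetectionFrequency")
    if freq is not None and not 1 <= int(freq) <= MAX_DETECTION_HOURS:
        findings.append(f"DetectionFrequency {freq} is outside 1..{MAX_DETECTION_HOURS} hours")
    return findings


# Constructed sample exports (hostnames are placeholders, not a real site).
GOOD_WU = {"WUServer": "http://wsus-pcn.example.local:8530",
           "WUStatusServer": "http://wsus-pcn.example.local:8530"}
GOOD_AU = {"UseWUServer": 1, "AUOptions": 3, "NoAutoUpdate": 0,
           "DetectionFrequencyEnabled": 1, "DetectionFrequency": 22}

# A client still pointed at the corporate server on port 80 and set to install automatically.
BAD_WU = {"WUServer": "http://wsus-corp.example.local",
          "WUStatusServer": "http://wsus-corp.example.local"}
BAD_AU = {"UseWUServer": 1, "AUOptions": 4,
          "DetectionFrequencyEnabled": 1, "DetectionFrequency": 22}

if __name__ == "__main__":
    for label, wu, au in (("good", GOOD_WU, GOOD_AU), ("bad", BAD_WU, BAD_AU)):
        print(label, check_wsus_policy(wu, au) or ["ok"])
```

Run after `gpupdate /force` on a client that does not show up under the server's unassigned computers: a wrong port or a `UseWUServer` of 0 explains that symptom before `wuauclt.exe /detectnow` or `/resetauthorization` is tried.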
Isolated Networks
Can use WSUSutil.exe to import and export files
Database
WSUS uses Windows Internal Database (A variant of MS SQL Server Express)
Option for using SQL 2005 is also possible
Server Cleanup Wizard
Removes unnecessary updates
Old WSUS servers can download patches for newer versions of Windows because, essentially, a patch is just a file