On layer 2 we transmit Ethernet frames. Confusingly, these are sometimes referred to as Ethernet packets, but they are not quite the same thing. The IEEE standard layout is shown below.
The Ethernet packet is the frame plus some extra leading and trailing fields.
When the Ethernet frame (or packet) arrives at the NIC, it is briefly stored on the card, and the NIC raises an interrupt to ask for the frame to be read into the computer's memory. A series of processing steps then occurs in the operating system kernel.
This particular graphic is confusing, as the distinction between Ethernet packet, Ethernet frame and IP packet is not clear.
If the NIC is bound to a virtual switch, the NIC passes the frame to its driver, which sends the memory structure holding it (an sk_buff on Linux) to the hypervisor's memory. From there it is forwarded to the driver side of the appropriate Hyper-V virtual network adapter, which decapsulates the frame and passes the IP packet up the virtual machine's network stack. If the host itself has no virtual adapter connected to the virtual switch, it should in theory be impossible to attack the host through this path.
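As an added example (not part of the original notes), the following Python code makes the packet/frame split above concrete: it strips the preamble and start frame delimiter, verifies the FCS trailer, and returns the frame fields with the layer-3 payload that is handed up the stack. It goes slightly beyond the notes by also recognising an 802.1Q VLAN tag. The addresses and payload are constructed sample values.

```python
import struct
import zlib

PREAMBLE = b"\x55" * 7   # 7 bytes of 10101010 used by the receiver for clock sync
SFD = b"\xd5"            # start frame delimiter; everything after it is the frame
MIN_PAYLOAD = 46         # Ethernet II minimum payload, so the frame is at least 64 bytes


def fcs(body):
    """Frame check sequence: CRC-32 over dst+src+type+payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_packet(dst, src, ethertype, payload):
    """Wrap a frame in the extra leading field (preamble + SFD) that makes it a 'packet'."""
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")            # pad short payloads
    body = dst + src + struct.pack("!H", ethertype) + payload
    return PREAMBLE + SFD + body + fcs(body)


def parse_packet(packet):
    """Strip preamble/SFD, check the FCS, and split the frame into its fields.
    The returned payload is the layer-3 (e.g. IP) packet carried inside the frame."""
    if packet[:8] != PREAMBLE + SFD:
        raise ValueError("no preamble/SFD: not an Ethernet packet")
    frame = packet[8:]
    if len(frame) < MIN_PAYLOAD + 18:                        # 14 header + 46 payload + 4 FCS
        raise ValueError("runt frame")
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("FCS mismatch: frame damaged in transit")
    ethertype, offset, vlan = struct.unpack("!H", body[12:14])[0], 14, None
    if ethertype == 0x8100:                                  # 802.1Q tag sits before the type field
        vlan = struct.unpack("!H", body[14:16])[0] & 0x0FFF
        ethertype, offset = struct.unpack("!H", body[16:18])[0], 18
    return {
        "dst": body[:6].hex(":"),
        "src": body[6:12].hex(":"),
        "vlan": vlan,
        "ethertype": ethertype,
        "payload": body[offset:],
    }


def is_intact(packet):
    """True if the packet parses and its FCS checks out."""
    try:
        parse_packet(packet)
        return True
    except ValueError:
        return False
```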
The Remote Desktop Protocol (RDP) is the protocol used by Remote Desktop to connect to a Windows machine remotely. Although it is a Microsoft protocol, clients are available for Linux, Mac, iPad etc.
RDP access on a computer is enabled through the properties of "My Computer" or "This PC", and individual users can be specifically allowed or denied access.
To access a computer on the network from outside, a port must be forwarded from the firewall to the server. For example, if the server on the network has the private address 192.168.0.166 and the public IP address of the firewall is 220.127.116.11, a rule needs to be placed in the firewall to forward the port. The listening port is 3389 by default, but this can be altered, and the firewall can be configured to forward a different external port; for example, 2299 on the internet side could be forwarded to 3389 on the LAN side. In this example, to connect to the server you would type 18.104.22.168:2299 into Remote Desktop Connection.
Although using RDP for external access is convenient, easy and cheap, it should be regarded as unsafe and should not be done. A large percentage of successful ransomware attacks are thought to be delivered through RDP, whether through misconfiguration, bugs or brute-force attacks.
Remote access from outside the network should always be done with the additional protection of a VPN.
Individual computer failure, e.g. power supply, motherboard, network card
Multiple computer failure, e.g. fire, water damage (sprinklers), theft
Some thought is then required about the RTO and RPO time points.
Recovery point objective (RPO) is the point in time to which the system can be recovered. If the last backup was 10 days ago, then that is the RPO.
Recovery time objective (RTO) is the time taken to restore the system after the disaster. If it takes 4 days to get a new server installed and configured, then the RTO is 4 days. The time needed to diagnose the problem must be added to the RTO.
The cost of the RTO rises very quickly as the target time is reduced. Reducing the RPO has an increasing system-performance cost but not as much of a dollar cost. Backups can be taken every 5 minutes, but this will slow the system appreciably.
A backup system can be block level, which backs up the raw blocks on the actual hard drive, or file level, which backs up individual files.
Block level is ideal for the virtual hard disks of virtual machines. It can also be used on physical machines, but restoring is much trickier than with a file-level backup.
File-level backup checks which files have changed and backs up copies of those files, with or without versioning.
One problem with file-level backup is open files: files currently in use by the operating system or an application, which may prevent the backup process from reading them. Database files are a very common example. Many backup products have an "open file" option. This tells the operating system to take a snapshot of the volume, and the file is then copied from the snapshot. Once the backup is complete the snapshot is merged back into the live volume. On Windows this uses the Volume Shadow Copy Service (VSS).
One issue with all of this is database files. The main medical accounting and clinical system is usually a database file, such as a Firebird .fdb file. To determine which files have changed since the last backup, the backup software may check the file size and the time attributes of the file.
Because the file is open, the dates will not have changed, and the size may not change frequently despite a large number of writes. This is because a database file works in blocks of pages, and the file size only changes when a new page is created, which can happen less often than expected even with a large number of writes. Close inspection of the backup logs may reveal that the main database is only being backed up infrequently. One solution is to maintain a local (non-open) copy of the database file whose dates are flushed prior to the backup operation, i.e. copy the file, flush the dates, then run the backup. The flush can be done with copy /b myfile.txt ,, which updates the file's timestamp in place.
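As an added example (not from the original notes or any backup product), the Python code below reproduces the failure mode just described and the workaround. It simulates a database file that is rewritten page by page while its size and dates stay fixed, shows that a size/mtime comparison misses the change while a content hash catches it, and shows that a staged copy with flushed dates is picked up. The page size, file name and contents are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile
PAGE = 4096  # assumed database page size: the file only grows when a new page is added

def snapshot(path):
    """What a backup run might record for a file: size and mtime (cheap) plus a hash (slow)."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": st.st_mtime_ns, "sha256": h.hexdigest()}

def needs_backup(path, manifest, by_content=False):
    """Compare only size and mtime, as many file-level tools do, or the content hash."""
    last, now = manifest.get(path), snapshot(path)
    if last is None:
        return True
    keys = ("sha256",) if by_content else ("size", "mtime")
    return any(last[k] != now[k] for k in keys)

def write_page_in_place(db_path, page_no, data):
    """Constructed simulation of the open database: a page is rewritten, size and dates unchanged."""
    before = os.stat(db_path)
    with open(db_path, "r+b") as f:
        f.seek(page_no * PAGE)
        f.write(data.ljust(PAGE, b"\x00")[:PAGE])
    os.utime(db_path, ns=(before.st_atime_ns, before.st_mtime_ns))  # keep the old dates

def stage_copy(db_path):
    """Workaround from the text: copy to a closed file and flush its dates (like copy /b file ,,)."""
    dest = db_path + ".staged"
    shutil.copyfile(db_path, dest)
    os.utime(dest, None)  # set atime/mtime to now
    return dest

def demo():
    d = tempfile.mkdtemp()
    db = os.path.join(d, "clinic.fdb")  # constructed Firebird-style file, two empty pages
    with open(db, "wb") as f:
        f.write(b"\x00" * (2 * PAGE))
    manifest = {db: snapshot(db)}  # what the "last backup" recorded
    write_page_in_place(db, 1, b"patient record updated")
    result = {"metadata": needs_backup(db, manifest),
              "content": needs_backup(db, manifest, by_content=True),
              "staged": needs_backup(stage_copy(db), manifest)}
    shutil.rmtree(d)
    return result
```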