Additional Considerations

The security policy should address personnel security considerations as well. Personnel security issues include processes and procedures for establishing identity confirmation, privilege rights required to access certain information, accountability for the proper use and security of the systems being accessed, and proper training to make sure that employees understand and fulfill their security responsibilities. The most serious breaches of corporate security come from the inside (for example,...

Authentication and Authorization

Because authentication and authorization are critical parts of secure communications, they must be emphasized. Authentication establishes the identity of the sender and/or the receiver of information. Any integrity check or confidential information is often meaningless if the identity of the sending or receiving party is not properly established. Authorization is usually tightly coupled to authentication in most network resource access requirements. Authorization establishes what you are...

Basic Cryptography

This chapter details the basic building blocks and fundamental issues you need to understand before moving on to more complex security technologies. Cryptography is the basis for all secure communications; it is, therefore, important that you understand three basic cryptographic functions: symmetric encryption, asymmetric encryption, and one-way hash functions. Most current authentication, integrity, and confidentiality technologies are derived from these three cryptographic functions. This...

Content-Based Access Control

Advanced packet session filtering in Cisco IOS software is supported as of Version 11.2 with the CBAC feature. By default, Cisco routers pass all routable traffic between all router interfaces. By configuring access control lists (ACLs), traffic can be permitted or denied from being processed and forwarded. CBAC not only examines network layer and transport layer information, it also examines the application layer protocol information (such as FTP connection information) to learn about the...

Copyright and License Information

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE...

Data manipulation

If these threats are realized and networking devices or data are compromised, what are the immediate impacts and further consequences? Will it result in embarrassment or bankruptcy? The greater the possibility of bankruptcy, the more stringent the security measures should be. Let's take a look at some corporate impacts and consequences in the event of data compromise, loss of data integrity, and unavailability of networked resources. Any information stored or transferred electronically can...

Detecting an Incident

Determining whether or not some suspicious system or user behavior is really an incident is tricky. When looking for signs of a security breach, some of the areas to look at from a network viewpoint are: data modification and deletion; users complaining of poor system performance; atypical time of system use; and large numbers of failed login attempts. Detecting any anomalies in normal network behavior requires a knowledge of what is normal behavior. Using auditing tools that keep track of traffic...

Developing IP Multicast Networks

Introduction to IP Multicast; Internet Group Management Protocol; Multimedia Multicast Applications; Distance Vector Multicast Routing Protocol; Multicast Open Shortest Path First; Connecting to DVMRP Networks; Multicast over Campus Networks; Multicast over NBMA Networks; Multicast Traffic Engineering; Inter-Domain Multicast Routing; Appendix A: PIM Packet Formats. Copyright 1989-2000 Cisco Systems Inc.

Double Authentication Authorization

When a remote user dials in to a local corporate perimeter host (a NAS or router) over PPP, CHAP or PAP can be used to authenticate the user. However, both of these authentication methods rely on a secret password (the secret) that must be stored on the local host and either remembered by a user or saved on the remote host. If either host ever comes under the control of a network attacker, the secret password is compromised. Consider a corporate user who often uses a laptop computer to log in...

Establishing the Core Team

The core incident response team should consist of a well-rounded representation from the corporation. Essential are people who can diagnose and understand technical problems; thus, technical knowledge is a primary qualification. Good communication skills are equally important. Because computer security incidents can provoke emotionally charged situations, a skilled communicator must know how to resolve technical problems without fueling emotions or adding complications. In addition, the...

Evaluating Risk

For all possible threats, you must evaluate the risk. Many methodologies are available to measure risk. The common approaches are to define risk in quantitative terms, qualitative terms, or a combination of both. Quantitative risk evaluation uses empirical data and known probabilities and statistics. Qualitative risk analysis uses an intuitive assessment. Regardless of the mechanism you use, the important aspect is that how you quantify the loss and the likelihood of the loss occurring should...

Examples of Cases in Santa Clara County Silicon Valley

The following are some of the more serious cases of proprietary theft and network intrusions that the Santa Clara County District Attorney's Office has investigated: Kevin M. used the name of a victim company manager and obtained a modem account. He uploaded his own code and obtained superuser status on several systems. He then downloaded source code through cutouts and cellular phones. BV used cracking tools obtained on the Internet to gain system administration status at an Ivy League...

Figure 1-11 Establishing Secret Keys Using the Diffie-Hellman Algorithm

The following steps are used in the Diffie-Hellman algorithm:
1. Alice initiates the exchange and transmits two large numbers ($p$ and $q$) to Bob.
2. Alice chooses a random large integer $X_a$ and computes the following equation
3. Bob chooses a random large integer $X_b$ and computes this equation: $Y_b = q^{X_b} \bmod p$
4. Alice sends $Y_a$ to Bob. Bob sends $Y_b$ to Alice.
5. Alice computes the following equation: $Z = (Y_b)^{X_a} \bmod p$
6. Bob computes this equation: $Z' = (Y_a)^{X_b} \bmod p$
The resulting shared secret key is as...

Figure 1-13 Obtaining a Digital Certificate Through a Certificate Authority

Assume that Alice has a valid certificate stored in the CA and that Bob has securely obtained the CA's public key. The steps that Bob follows to obtain Alice's public key in a reliable manner are as follows:
1. Bob requests Alice's digital certificate from the CA.
2. The CA sends Alice's certificate, which is signed by the CA's private key.
3. Bob receives the certificate and verifies the CA's signature.
4. Because Alice's certificate contains her public key, Bob now has a notarized version of...

GRE Tunneling

The Generic Routing Encapsulation (GRE) protocol encapsulates various network protocols inside IP tunnels. With GRE tunneling, a router at each site encapsulates protocol-specific packets in an IP header, creating a virtual point-to-point link to routers at other ends of an IP cloud, where the IP header is stripped off. GRE is capable of handling the transportation of multiprotocol and IP multicast traffic between two sites that have only IP unicast connectivity. GRE tunneling involves three...

Historical Perspective on US Policy

In the United States, cryptography export used to be controlled by the International Traffic in Arms Regulation (ITAR) because cryptography was deemed to serve both civilian and military purposes and was placed on the United States Munitions List (USML). If an article or service is placed on the USML, its export is regulated exclusively by the State Department. ITAR controls software that includes but is not limited to the system functional design, logic flow, algorithms, application programs,...

Implementation Examples

This section shows two comprehensive examples of virtual dial-in environments. The first example uses GRE tunnels with CET; the second example uses L2TP with IPsec. The example in Figure 10-8 shows a branch router located in Estonia that is connecting to the corporate network in Vancouver over the Internet.

Figure 10-8 Virtual Dial-In Using GRE with CET

The following security policy is defined for this scenario: Private addresses are used for the remote branch router and the corporate network....

Incident Response Teams

NIST Special Publication (SP) 800-3, Establishing a Computer Security Incident Response Capability (CSIRC). Computer Security Resource Clearinghouse (CSRC). The Danish Computer Emergency Response Team provides a pointer to a number of different Computer Emergency Response Teams (CERTs) around the world.

ip address 144.254.166.6 255.255.255.0

dialer map ip 171.73.34.33 name merike
ip route 0.0.0.0 0.0.0.0 144.254.166.6
ip route 144.254.166.6 255.255.255.255 BRI0
! allows Telnet from telecommuter to this router
access-list 101 permit tcp any host 144.254.166.6 eq telnet
! allows telecommuter to have access anywhere inside campus after Telneting
! to router and successful authentication
access-list 101 dynamic telecommuter timeout 120 permit ip any any
dialer-list 1 protocol ip permit
line vty 0

Key Management

Key management is a difficult problem in secure communications, mainly because of social rather than technical factors. Cryptographically secure ways of creating and distributing keys have been developed and are fairly robust. However, the weakest link in any secure system is that humans are responsible for keeping secret and private keys confidential. Keeping these keys in a secure place and not writing them down or telling other people what they are is a socially difficult task---especially...

Legal Proof of Authenticity

Authentication of an original document is fundamental to the admissibility of the original document in a court of law. Any copying or conversion process (photocopy, microfilm, electronically scanned image, and so on) must be proven reliable---as must the authenticity of the original document. If there is no capability to authenticate the original document, no amount of reliability evidence with respect to the conversion process will serve to support credibility. If a court admits a record into...

no service finger

Securing the Corporate Network Infrastructure

! disables access to minor TCP services such as echo, chargen, discard and daytime
no service tcp-small-servers
! disables access to minor UDP services such as echo, chargen and discard
no service udp-small-servers
! prevents client applications from using source routes
no ip source-route
! configure TACACS+ authentication as default - for users logging in as staff, there is a
! local database authentication in the event that the TACACS+ server is unavailable
aaa new-model
aaa...

no service udp-small-servers

! define privileged access password
enable secret letmedostuff
!
! define modem usernames and passwords
username merike password ilikeAbsolut
username toivo password joekeg
username staff password iamincontrol
!
! define shared passwords for CHAP authentication with Branch routers
username BRANCH1 password letmein
username BRANCH2 password knockknock
!
! define ISDN switch type
isdn switch-type primary-5ess
!
! loopback interface is 'logical' subnet to which
! all dial-in users belong
interface...

Other Common Application Protocols

Many multimedia applications used for videoconferencing---for example, CU-SeeMe, H.323 (for NetMeeting and ProShare), and RealAudio---use the TCP control channel to establish media channels. This control channel contains information that opens new media channels. Firewalls should have the capability to watch these control channels, to identify those ports that media channels use, and to open additional channels on a dynamic basis. Table 9-1 lists the most common applications that should be...

outbound 1 except 192.168.0.2 255.255.255.255 http

apply (inside) 1 outgoing_src

Cut-Thru-Proxy Feature

Whenever you permit outside users access to your network, you should establish a user authentication and authorization system. The PIX has a feature called Cut-Thru-Proxy that enables authentication based on FTP, HTTP, or Telnet traffic and subsequent authorization for any allowed application traffic. The example in Figure 9-12 shows the use of this feature. In the figure, any outbound FTP or HTTP traffic must be successfully authenticated...

Physical Security Controls

Physical security controls are those controls pertaining to the physical infrastructure, physical device security, and physical access. Do you expect intruders to tap into your infrastructure to eavesdrop on transmitting data? How easy or difficult is it for intruders to gain physical access to the important network infrastructure devices? If the corporate network has not yet been created at an existing site, you should consider the physical security controls available in its planning phase. For...

Prioritizing Actions

Prioritizing actions to be taken during incident handling is necessary to avoid confusion about where to start. Priorities should correspond to the organization's security policy and may be influenced by government regulations and business plans. The following are things to be considered: Protecting human life and people's safety. Systems should be implemented that control plant processes, medical procedures, transportation safety, or other critical functions that affect human life and safety...

Reporting and Alerting Procedures

You should establish a systematic approach for reporting incidents and subsequently notifying affected areas. Effective incident response depends on the corporate constituency's ability to quickly and conveniently communicate with the incident response team. Essential communications mechanisms include a central telephone hotline monitored on a 24-hour basis, a central electronic-mail (e-mail) address, or a pager arrangement. To make it easy for users to report an incident, an easy-to-remember...

Sample IOS Firewall Configuration

The sample firewall configuration shown in Listing 9-1 is an implementation of the following policy: device access is limited to the username security_geeks; device authentication is performed from the local database; anti-spoofing filters are in place for Internet connections; only services initiated within the corporate environment are allowed, except for FTP and WWW services to the FTP server and WWW server; some special debugging tools are allowed to be initiated from the Internet to the...

Secure Passwords

Although passwords are often used as proof for authenticating a user or device, passwords can easily be compromised if they are easy to guess, if they are not changed often enough, and if they are transmitted in cleartext across a network. To make passwords more secure, more robust methods are offered by encrypting the password or by modifying the encryption so that the encrypted value changes each time. This is the case with most one-time password schemes, the most common being the S/Key...

Securing Dial-In Access

This chapter examines how to secure the dial-in connections coming into the corporate network. Often, corporate networks encompass both privately connected dial-in infrastructures (direct dial-in) and public data infrastructures (virtual dial-in) from Internet service providers (ISPs) to deliver remote access to corporate users. Dial-in access for a corporate network usually includes access between corporate branches located in different geographic regions, telecommuters, and mobile users. The...

Securing Internet Access

This chapter examines how to secure Internet access to the corporate network. This is accomplished using some type of firewall functionality. Firewalls have become an integral component of perimeter network access such as the boundary between the trusted corporate network and the less-trusted Internet. On this perimeter, traffic can be analyzed and controlled according to parameters such as specific applications, addresses, and users, for both incoming traffic from remote users and outgoing...

Software License

READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE SOFTWARE. BY USING THE SOFTWARE OF CISCO SYSTEMS, INC. AND ITS SUPPLIERS FROM TIME TO TIME, YOU AGREE TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE, PROMPTLY RETURN THE UNUSED SOFTWARE, MANUAL, AND RELATED EQUIPMENT (WITH PROOF OF PAYMENT) TO THE PLACE OF PURCHASE FOR A FULL REFUND. Cisco...

Statutes in Other States

In the United States, many state legislatures as well as varying government agencies are putting in place rules and regulations governing the use of digital signatures. Many are following either the Utah or the California model, although serious questions have been raised about whether legislation should be less detailed and less specific about a particular technology, be less pro-industry by giving away liability limits to certification authorities, and pose less burden and risks on the...

Subnet Boundaries

A characterization is sometimes made that traffic on different subnets is secure because the traffic is constrained to a single subnet domain. The thinking is that there is a logical separation between different groups of addresses that make up the different network access domains. You can provide filters to permit or deny traffic based on subnet addresses. However, as was pointed out in the preceding section, IP addresses are easy to spoof; other security measures should always be used in...

Summary

This chapter detailed many of the current and evolving technologies relating to security. One of the most important security considerations is establishing the identity of the entity that wants to access the corporate network. This process usually entails authenticating the entity and subsequently authorizing that entity and establishing access controls. Some protocols are specifically designed to only authenticate end-users (people) or end-devices (hosts, routers). Frequently, you have to...

TACACS+

The following example is taken from a router in configuration mode to see the options for configuring authentication for enable mode:

  last-resort  Define enable action if no TACACS+ servers respond
  password     Assign the privileged level password
  secret       Assign the privileged level secret
  use-tacacs   Use TACACS+ to check enable passwords

Both the enable password and enable secret commands allow you to establish an encrypted password that users must enter to access the privileged enable mode. The...

TACACS+ and RADIUS Authorization

When either TACACS+ or RADIUS authorization is enabled, the NAS uses information retrieved from the user's profile (located either in the local user database or on the security server) to configure the user's session. After this is done, the user is granted access to a requested service only if the information in the user's profile allows it. Much like configuring authentication, the first step in configuring either TACACS+ or RADIUS authorization is to define a method list. This process...

TCP/IP Session Hijacking

Session hijacking is a special case of TCP/IP spoofing, and the hijacking is much easier than sequence number spoofing. An intruder monitors a session between two communicating hosts and injects traffic that appears to come from one of those hosts, effectively stealing the session from one of the hosts. The legitimate host is dropped from the connection and the intruder continues the session with the same access privileges as the legitimate host. Session hijacking is very difficult to detect....

The Layer 2 Forwarding Protocol

The Layer 2 Forwarding (L2F) protocol was created by Cisco Systems. It permits the tunneling of the link layer---that is, High-Level Data Link Control (HDLC), async HDLC, or Serial Line Internet Protocol (SLIP) frames---of higher-level protocols. Figure 2-25 shows the format of the tunneled packet.

Figure 2-25 The Format of a Tunneled Packet

Using such tunnels, it is possible to decouple the location of the initial dial-up server from the location at which the dial-up protocol connection is...

The Layer 2 Tunneling Protocol

Because both L2F and PPTP provide similar functionality, Cisco and Microsoft, along with other vendors, have collaborated on a single standards-track protocol within the IETF, which is now called Layer 2 Tunneling Protocol (L2TP). This protocol is considered a work in progress and addresses the following end user requirements: End system transparency. Neither the remote end system nor the home site hosts should require any special software to use this service in a secure manner. Authentication...

The SYN and ACK flags are of interest in the following section.

TCP/IP Connection Establishment

To establish a TCP/IP connection, a three-way handshake must occur between the two communicating machines. Each packet of the three-way handshake contains a sequence number; sequence numbers are unique to the connection between the two communicating machines. Figure 4-7 shows a sample three-way handshake scenario.

Figure 4-7 Establishing a TCP/IP Connection

The steps for establishing the initial TCP connection are as follows: Step 1 The client initiates a TCP connection to the server. This packet...

The X.509 Standard

The X.509 standard constitutes a widely accepted basis for a PKI infrastructure, defining data formats and procedures related to the distribution of public keys using certificates digitally signed by CAs. RFC 1422 specified the basis of an X.509-based PKI, targeted primarily at satisfying the needs of Internet privacy-enhanced mail (PEM). Since RFC 1422 was issued, application requirements for an Internet PKI have broadened tremendously, and the capabilities of X.509 have greatly advanced. Much...

UDP Protocol Traffic

For IP traffic using the UDP protocol, advanced packet-session filtering inspects all IP and UDP headers in every packet based on a combination of the following fields Because UDP is a connectionless service, there are no actual UDP sessions, per se. Most systems approximate sessions by examining UDP packet information and determining whether the packet is similar to other UDP packets recently seen.

Unauthorized Access

Unauthorized access is when an unauthorized entity gains access to an asset and has the possibility to tamper with that asset. Gaining access is usually the result of intercepting some information in transit over an insecure channel or exploiting an inherent weakness in a technology or a product. The ease or difficulty of packet snooping (also known as eavesdropping) on networks depends largely on the technology implemented. Shared media networks are particularly susceptible to eavesdropping...

Value of Assets

Placing values on corporate assets can be a very subjective process. For intangible assets---usually some form of software, data, or documentation---it can be useful to represent the value in terms of importance or criticality. In this way, the relative loss of the asset becomes more important than placing a correct value on it. The value of tangible assets can be based on replacement value and, as in the case of intangible assets, the immediate impact of the loss and the consequences of a...

Where to Begin

Many companies have existing guidelines for security procedures in a corporate environment. These can be in the form of a statement of conduct rules for employees---which, to some extent, outlines how employees are to deal with confidential technology, intellectual property rights, and other confidential corporate information. These guidelines can be a basis for establishing a strategy for an enterprise network security policy because they establish corporate rules for what information is...

Table 1-1 Brute-Force Attack Combinations

A natural inclination is to use the longest key available, which makes the key more difficult to break. However, the longer the key, the more computationally expensive the encryption and decryption process can be. The goal is to make breaking a key cost more than the worth of the information the key is protecting. Note: If confidential messages are to be exchanged on an international level, you must understand the current government policies and regulations. Many countries have controversial...

Historical Perspective on International Policy

Internationally, encryption export and import controls are also undergoing vast changes. The Coordinating Committee for Multilateral Export Controls (COCOM) was an international organization that provided common export controls of strategic products and technical data from country members to prescribed destinations. COCOM provided an agreement to control the export and handling of sensitive technologies including supercomputers, fast DSP chips, crypto, lasers, precision CNC milling machining...

Key Escrow

Key escrow is the notion of putting a confidential secret key or private key in the care of a third party until certain conditions are fulfilled. This, in itself, is not a bad idea because it is easy to forget a private key, or the key may become garbled if the system it is stored on goes berserk. The controversy revolves around which keys should be in escrow and who becomes the trusted third party who has access to confidential keys while still protecting the privacy of the owners of the keys....

The Point-to-Point Tunneling Protocol

The Point-to-Point Tunneling Protocol (PPTP) was initiated by Microsoft. It is a client/server architecture that allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network and decouples functions that exist in current NASs.

Decoupling Traditional NAS Functionality

Traditionally, the following functions are implemented by a NAS: Providing a physical native interface to PSTN or ISDN networks and controlling external modems or terminal adapters. Providing the logical termination...

Designing Network Security

Export Controls on Cryptography; Threats in an Enterprise Network; Considerations for a Site Security Policy; Design and Implementation of the Corporate Security Policy; Securing the Corporate Network Infrastructure; Sources of Technical Information; Reporting and Prevention Guidelines; Industrial Espionage and Network Intrusions. Copyright 1989-2000 Cisco Systems Inc.

Protocols Using Authentication Mechanisms

Many protocols require authentication verification before providing authorization and access rights to the user or device. TACACS+, RADIUS, Kerberos, DCE, and FORTEZZA are examples of such protocols. TACACS+ and RADIUS are often used in dial-in environments to provide a scalable authentication database and can incorporate a variety of authentication methods. Kerberos is a protocol used in some campus environments to first verify that users and the network services they use are really who and...

Transport Layer Security Protocols

The following sections describe the security protocols that operate over TCP/IP or some other reliable but insecure transport. They are categorized as Transport layer security protocols because their intent is to secure the Transport layer as well as to provide methods for implementing privacy, authentication, and integrity above the Transport layer. The Secure Socket Layer (SSL) is an open protocol designed by Netscape; it specifies a mechanism for providing data security layered between...

Route Filters and Routing Believability

By default, all dynamic routing protocols propagate routing information. At times, you may not want certain other devices or portions of your network to learn your network topology from the routing protocol. If this is the case, you must take explicit steps to prevent route propagation. To prevent routing updates through a specified router interface, use the following command in router configuration mode: passive-interface <interface type and number>. To prevent other routers from learning one or...

Network Layer Security

Network layer security pertains to security services at the IP layer of the TCP/IP protocol stack. Many years of work have produced a set of standards from the IETF that, collectively, define how to secure services at the IP Network layer. The IP Security (IPsec) protocol suite comprises a set of standards used to provide privacy and authentication services at the IP layer. The current ratified IPsec standards include four algorithm-independent base specifications: RFC 2401, the IP Security...

Using VPDN Technologies

Although the L2TP protocol is what is being worked on in the standards track, L2F and PPTP implementations will still be available from a variety of vendors. Effectively, all three technologies support similar functionality. However, L2TP will probably have more vendor support because it is on the standards track. When considering whether to implement any of the Virtual Private Dial-up Network (VPDN) technologies into a corporate network environment, the differences between the standard...

PPP Authentication Protocols

Passwords are incorporated into many protocols that provide authentication services. For dial-in connections, the Point-to-Point Protocol (PPP) is most often used to establish a dial-in connection over serial lines or ISDN. PPP authentication mechanisms include the Password Authentication Protocol (PAP), the Challenge Handshake Authentication Protocol (CHAP), and the Extensible Authentication Protocol (EAP). In all these cases, the peer device is being authenticated rather than the user of the device. PPP is...

line vty 0 4
 exec-timeout 2

The example in Figure 10-9 shows the remote connection of a remote branch office in Toronto and a remote branch office in New York connecting back to the corporate network in Denver. Both connections are done through local ISPs and use the Internet as the way to transport the data back to the corporate network in Denver. Mobile users also have access to the corporate network using local ISP dial-up connections.

Figure 10-9 Virtual Dial-In Using L2TP with IPsec

The following security policy is...

! disables access to minor TCP services such as echo, chargen, discard, and daytime
no service tcp-small-servers
! disable access to minor UDP services such as echo, chargen, and discard
no service udp-small-servers
enable secret 5 $1$dLOD$QR.onv68q3326pzM.Zexj1
no service finger
no service pad
! configure TACACS+ authentication as default - for users logging in as staff, there is a
! local database authentication in the event that the TACACS+ server is unavailable
aaa new-model
aaa authentication login default tacacs+
aaa authentication login staff tacacs+ local
aaa authorization...

Router(config)# access-list 101 permit tcp any any ?
  eq           Match only packets on a given port number
  established  Match established connections
  gt           Match only packets with a greater port number
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with a given precedence value
  range        Match only packets in the given range of port numbers
  tos          Match packets with the given TOS value

Here is a list of the more commonly used TCP port numbers (operands): Router(config)# access-list...

Physical Media Selection

From a security point of view, the type of cable chosen for various parts of the network can depend on the sensitivity of the information traveling over that cable. The three most common cable types used in networking infrastructures are twisted pair, coax, and optical fiber. Optical fiber is most often used in high-bandwidth and long-haul environments. Unlike either twisted pair or coax, optical fiber does not radiate any energy and, therefore, provides a very high degree of security against...