November 5th, 2014
Although degrees and IT certifications can be great eye candy for a resume, experience is king. As you may have encountered, a lack of experience can be a major roadblock to getting interest from employers in your early years.
Though you might have the Network+ or CCNA cert, for instance, have you actually configured or played around with a network? Even if you already have held a network technician or administrator position, you might not have experience with all aspects of networking yet. Fortunately there are ways to get hands-on network administration experience, even at home — and most don’t cost anything.
In this story we discuss nine self-taught labs on various networking topics, where I explain the basics and how to get started. I begin with easier, newbie-level projects and progress to more complex ones requiring more thought and time. Some of the tasks take just a few minutes, while others are suitable for a weekend project. You may want to invest in some networking gear to teach yourself the basics, but there are ways around this.
Project 1: Configure TCP/IP Settings
One of the most basic network admin tasks is configuring the TCP/IP settings. If a network isn’t using the Dynamic Host Configuration Protocol (DHCP) that automatically hands out IP addresses after clients connect, you’ll have to manually set static IP and DNS addresses for each client. You may also be required to temporarily set static IP information when doing the initial setup and configuration of routers or other network components.
To set static IP details you must know the IP address of the router and the IP address range in which you can configure the client. You can figure this out from the settings of a computer already successfully connected to the network.
You’ll need the IP address as well as the Subnet Mask, the router’s IP address (a.k.a. the Default Gateway) and the Domain Name System (DNS) Server addresses.
In Windows: Open the Network Connections via the Control Panel or Network and Sharing Center. Next, open the connection that is already on the network and click the Details button.
In Mac OS X: In System Preferences, click the Network icon, then select the connection that is already on the network, such as AirPort (wireless) or Ethernet (wired). With a wired connection you’ll likely see the info you need on the first screen; for a wireless connection, additionally click the Advanced button and look under the TCP/IP and DNS tabs.
Write the numbers down or copy and paste them into a text file, and then close the window.
What Readers Like
ios 8 problems
iOS 8 problems not so magical: Slow, Laggy, Bloaty, Crashy, Buggy, Drainy and… scarlett johansson naked selfie 2 Naked celebs: Hackers download sext selfies from iCloud #thefappening
iphone 6 size comparison I thought the iPhone 6+ was too big; I was wrong subnet calculator A subnet calculator shows the acceptable IP address range for a network.
To see the acceptable IP address range for the network, you can input the IP address and Subnet Mask into a subnet calculator. For example, inputting the IP of 192.168.1.1 and Subnet Mask of 255.255.255.0 shows the range of 192.168.1.1 to 192.168.1.254.
Even though you now know the IP address range, remember that each device must have a unique IP. It’s best to check which IP addresses are taken by logging into the router, but you could also take an educated guess or simply choose a random address within the range. If the address is already taken by another device, Windows or OS X will likely alert you of an IP conflict and you can choose another. Once the IP address is set, write it down or save it in a document; a best practice is to keep a log of all the static IPs along with the serial numbers of the computers that use them.
TCP/IP settings Manually setting the computer’s IP address.
Now, to set a static IP address:
In Windows: Open the Network Connection Status window, click the Properties button and open the Internet Protocol Version 4 (TCP/IPv4) settings. Choose “Use the following IP address” and enter the settings: an IP address that’s in the acceptable range, plus the Subnet Mask, Default Gateway and DNS Server from the Network Connection Details window.
In Mac OS X: Open the Network window and click the Advanced button. On the TCP/IP tab, click the drop-down next to Configure IPv4, choose Manually and enter an IP address that’s in the acceptable range, plus the Subnet Mask and router address you copied earlier. Go to the DNS tab and enter the DNS Server address you copied before.
As a network admin, you’ll likely help set up, troubleshoot and maintain the wireless portion of the network. One of the most basic tools you should have is a Wi-Fi stumbler. These tools scan the airwaves and list the basic details about nearby wireless routers and access points (APs), including the service set identifier (SSID), also known as the network name; the MAC address of the router/AP; the channel; the signal level; and the security status.
You can use a Wi-Fi stumbler to check out the airwaves at home or at work. For instance, you can check which channels are being used by any neighboring wireless networks so you can set yours to a clear channel. You can also double-check to ensure all the routers or access points are secured using at least WPA or WPA2 security.
NetSurveyor The NetSurveyor stumbler gives a text-based readout and visual charts of wireless channel usage and signals.
Vistumbler and NetSurveyor (for Windows), KisMAC (for OS X) and and Kismet (for both plus Linux) are a few free options that give both text-based readouts and visual charts of the channel usage and signals. Check out my previous review of these and others.
Wifi Analyzer The Wifi Analyzer app provides a nice visualization for channel usage.
If you have an Android phone or tablet, consider installing a Wi-Fi stumbler app on it for a quick, less detailed look at the Wi-Fi signals. Wifi Analyzer and Meraki WiFi Stumbler are two free options. See my previous review of these and others.
Project 3: Play with a wireless router or AP
To get some experience with setting up and configuring wireless networks, play around with your wireless router at home. Or better yet, get your hands on a business-class AP: See if you can borrow one from your IT department, check eBay for used gear or consider buying new equipment from lower-cost vendors such as Ubiquiti Networks, where APs start at around $70.
To access a wireless router’s configuration interface, enter its IP address into a web browser. As you’ll remember from Project 1, the router’s address is the same as the Default Gateway address that Windows lists in the Details window for your wireless network connection.
Accessing an AP’s configuration interface varies. If there’s a wireless controller, it’s the one interface you’ll need to configure all the APs; with controller-less systems you’d have to access each AP individually via its IP address.
Once you’ve accessed the configuration interface of your router or AP, take a look at all the settings and try to understand each one. Consider enabling wireless (or layer 2) isolation if supported and see how it blocks user-to-user traffic. Perhaps change the IP address of the router/AP in the LAN settings and/or for routers, disable DHCP and statically assign each computer/device an IP address. Also consider setting a static DNS address (like from OpenDNS) in the WAN settings. You might also look into the Quality of Service (QoS) settings to prioritize the traffic. When you’re done experimenting, make sure it’s set to the strongest security — WPA2.
typical AP interface I’ve statically assigned this AP an IP address and DNS servers.
If you can’t get your hands on a business-class AP, consider playing around with interface emulators or demos offered by some vendors, as Cisco does with its small business line.
Project 4: Install DD-WRT on a wireless router
For more experimentation with wireless networking, check out the open-source DD-WRT firmware for wireless routers. For compatible routers, DD-WRT provides many advanced features and customization seen only in business- or enterprise-class routers and APs.
For instance, it supports virtual LANs and multiple SSIDs so you can segment a network into multiple virtual networks. It offers a VPN client and server for remote access or even site-to-site connections. Plus it provides customizable firewall, startup and shutdown scripts and supports a few different hotspot solutions.
DD-WRT DD-WRT loads a whole new feature set and interface onto the router.
For more on DD-WRT and help on installing it on your router, see “Teach your router new tricks with DD-WRT.”
Project 5: Analyze your network and Internet traffic
As a network admin or engineer you’ll likely have to troubleshoot issues that require looking at the actual packets passing through the network. Though network protocol analyzers can cost up to thousands of dollars, Wireshark is a free open-source option that works on pretty much any OS. It’s feature-rich, with support for live and offline analysis of hundreds of network protocols, decryption for many encryption types, powerful display filters, and the ability to read/write via many different capture file formats.
Wireshark Wireshark capturing network packets.
Once you get Wireshark installed, start capturing packets and see what you get. In other words, browse around the Web or navigate network shares to see the traffic fly. Keep in mind you can stop the live capturing to take a closer look. Although Wireshark can capture all the visible traffic passing through the network, you may see only the traffic to and from the client whose packets you’re capturing packets if the “promiscuous” mode isn’t supported by your OS and/or the network adapter. (For more information, see the Wireshark website.)
Note: Even though packet capturing is usually only a passive activity that doesn’t probe or disturb the network, some consider monitoring other people’s traffic a privacy or policy violation. So you don’t get into trouble, you ought to perform packet capturing only on your personal network at home — or request permission from management or the CTO before doing it on your work network. In fact, you should clear it with management before doing any monitoring or analysis of a company or school network.
There are other free network analyzers you might want to experiment with. For instance, the EffeTech HTTP Sniffer can reassemble captured HTTP packets and display a Web page, which can visually show you or others what’s captured rather than looking at the raw data packets. Password Sniffer “listens” just for passwords on your network and lists them, which shows just how insecure clear-text passwords are. And for mobile analysis via a rooted Android phone or tablet, there are free network analyzers like Shark for Root.
Project 6: Play with network emulators or simulators
Though you might not be able to get your hands on enterprise-level network gear for practicing, you can use emulators or simulators to virtually build and configure networks. They can be invaluable tools for preparing for IT certifications, including those from Cisco and Juniper. Once you create virtual network components and clients you can then configure and administer them with emulated commands and settings. You can even run network analyzers like Wireshark on some, to see the traffic passing through the network.
Here are a few of the many emulators and simulators:
The GNS3 Graphical Network Simulator is a popular free and open source choice. It requires you to supply the OS, such as Cisco IOS or Juniper’s Junos OS, which usually requires a subscription or support contract from the particular vendor, but you may be able to get access via the IT department at work or school.
GNS3 interface GNS3 Graphical Network Simulator supports Cisco IOS/IPS/PIX/ASA and Juniper JunOS.
Netkit is another free and open source option. It doesn’t include vendor-specific functionality and is limited to generic networking components, but it also doesn’t require you to have the OSes as GNS3 does.
The Boson NetSim Network Simulator is a commercial offering with pricing starting at $99; its intent is to teach Cisco’s IOS. It offers a free demo download, but that functionality is greatly limited.
There are also websites, such as SharonTools and Open Network Laboratory, that offer remote admin access to network components and Web-based emulators for you to practice with commands. Network World has a nice roundup of free Cisco simulators and emulators.
Project 7: Perform penetration testing on your own network
You can read and read about network security, but one of the best ways to learn about or to verify security is by penetration testing. I don’t mean you should snoop on your neighbors or hack a business; try it your own network so you don’t end up in the slammer.
Perhaps find a network vulnerability that interests you, research how to take advantage of it and, once you’ve done the hack, make sure you understand how it was possible. And always ensure your network and those you administer are protected from the vulnerability.
Here are a few hacks you could try:
Crack Wi-Fi encryption — WEP is the easiest — with Aircrack-ng. Crack a Wi-Fi Protected Setup (WPS) registrar PIN with Reaver-WPS to gain access to a wireless router.
Hijack online accounts via Wi-Fi using the Firefox add-on Firesheep or the Android app DroidSheep.
Capture and crack 802.1X credentials using FreeRadius-WPE.
When researching, you’ll likely find how-to tutorials on exactly how to do the hacks and what tools you need. One popular tool that’s filled with hundreds of penetration testing tools is the BackTrack live CD, but the project is currently not maintained. However, Kali Linux is a similar tool that has emerged; it can be installed on a computer or virtual machine or run via live CD or USB.
If you find you like penetration testing, perhaps look into becoming an Ethical Hacker. Project 8: Set up a RADIUS server for enterprise Wi-Fi security
At home you likely encrypt your wireless router with the Personal or Pre-shared Key (PSK) mode of WPA or WPA2 security to keep others off the network and to prevent them from snooping on your traffic. The Personal mode is the simplest way to encrypt your Wi-Fi: Set a password on the router and simply enter it on the devices and computers you connect.
Businesses, however, should use the Enterprise mode of WPA or WPA2 that incorporates 802.1X authentication. This is much more complex than the Personal mode but provides better protection. Instead of a global Wi-Fi password, each user receives his or her own login credentials; the encryption protects against user-to-user snooping. Plus you can change or revoke individual login credentials to protect the network when an employee leaves or a device becomes or lost or stolen.
To use the enterprise mode you must have a separate Remote Authentication Dial-In User Service (RADIUS) server to handle the 802.1X authentication of users. As a network admin you’ll likely have to configure and troubleshoot clients with 802.1X authentication and help maintain the RADIUS server. For practice, consider setting up your own server and using enterprise-level Wi-Fi security on your home network.
If you’re working on a network that has a Windows Server, the Network Policy Server (NPS) or Internet Authentication Service (IAS) component can be used for the RADIUS server. But if not, you have a couple of free options. If you want some Linux experience, consider the open-source FreeRADIUS. Some easier-to-use options that include a Windows GUI are the freeware TekRADIUS and the 30-day free trials of commercial products like ClearBox. In a previous review, I evaluated these and other low-cost RADIUS servers.
Once you have the RADIUS server installed, create user accounts and input shared secrets (passwords) for the APs. Then configure the wireless router or APs with WPA/WPA2-Enterprise: Enter the RADIUS server’s IP and port, and the shared secret you defined on the RADIUS server. Then you can connect clients by entering the login credentials you defined on the RADIUS server.
Here are a few previous articles you may want to check out: 6 secrets to a successful 802.1X rollout, and Tips for troubleshooting 802.1X connections, and Lock Down Your Wi-Fi Network: 8 Tips for Small Businesses.
Project 9: Install Windows Server and set up a domain
As a network admin you’ll likely manage Microsoft-based networks running Windows Server. To gain more experience, consider running Windows Server at home.
Although purchasing a copy of a server edition isn’t feasible just for tinkering around with, there are some free options. Microsoft provides 180-day free trials via a downloadable ISO for installing on a physical machine, virtual hard drive (VHD) for running on a virtual machine, and access to a pre-configured virtual machine on the Windows Azure cloud. Plus the company offers Virtual Labs — guided tutorials in a virtual environment — that you might want to check out.
Once you get access to a server, discover and experiment. Perhaps configure Active Directory and play with Group Policies, set up Exchange and configure an Outlook client, or set up NPS for 802.1X authentication.
If you found these projects useful in learning and getting experience, keep in mind there are many more self-taught labs out there online. Try searching for labs on the specific certifications you’re interested in or the network vendors you’d like to administer.
Though virtual environments and emulators provide a quick and easy way to get hands-on experience, also try to get as much time as you can with the real gear. Ask the IT department if you can borrow any spare equipment, and take advantage of any other chances you spot to get real-world experience.