Module Guide
Department of computing
Internet Administration 1
Installing Windows 2000 Professional / Windows Xp
Setting Description
Provide a workgroup or domain name.
To install Windows 2003 server from a CD you must restart the computer
from a CD and then complete the setup wizard.
With the exception of the optional components, the information you provide
during the installation of Windows 2003 server is the same as the information
you provide during the installation of Windows 2000 Professional.
Select the file system for the new partition. You can also choose
to format the new partition.
After running the text-based portion of the Setup program, complete the
Setup wizard by providing the following information:
Enter your name and organization.
Enter the computer name and password for the local Administrator
account.
DNS
DNS is a distributed database system that can serve as the foundation for
name resolution in an IP network.
DNS Levels
Notice that the highest level of the domain is listed last. An example of a
domain name is: mecit.edu.om
.org: non-commercial organizations
.uk: United Kingdom
.us: United States
.ca: Canada
.jp: Japan
FQDN
An FQDN is a complete DNS name. For example, if a server named mail existed at mecit, the FQDN of that server might be mail.mecit.edu.om. Technically, an FQDN must end in a period; this rule is almost always ignored.
An FQDN is limited to a maximum length of 255 characters.
DNS uses the FQDN to resolve a host name to an IP address.
DNS SERVER
This is a computer running the DNS Server service or BIND that provides domain name services. The DNS server program, whether it is the DNS Server service or BIND, manages and maintains the DNS database located on the DNS server. The information in the DNS database of a DNS server pertains to a
portion of the DNS domain tree structure or namespace. This information is
used to provide responses to client requests for name resolution.
Primary DNS server: This DNS server owns the zones defined in its DNS
database, and can make changes to these zones.
Secondary DNS server: This DNS server obtains a read-only copy of
zones via DNS zone transfers. A secondary DNS server cannot make any
changes to the information contained in its read-only copy. A secondary
DNS server can however resolve queries for name resolution. Secondary
DNS servers are usually implemented for the following reasons:
o Provide redundancy: It is recommended to install one primary DNS server and one secondary DNS server for each DNS zone (minimum requirement). Install the DNS servers on different subnets so that if one DNS server fails, the other DNS server can continue to resolve queries.
o Distribution of DNS processing load: Implementing secondary DNS servers assists in reducing the load on the primary DNS server.
o Provide fast access for clients in remote locations: Secondary DNS servers can also keep clients from traversing slow links for name resolution requests.
DNS zones: A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. A zone is a portion of a namespace; it is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains, and a DNS server can be authoritative for multiple DNS zones.
Zone files store resource records for the zones over which a DNS server has
authority.
Zone Types
Primary zone: This is the only zone type that can be directly updated or edited, because the data in the zone is the original source of the data for all domains in the zone. Updates to the primary zone are made by the DNS server that is authoritative for that primary zone.
Secondary zone: This is a read-only copy of the zone that was copied
from the master server during zone transfer. In fact, a secondary zone can
only be updated through zone transfer.
Active Directory-integrated zone: This is an authoritative primary zone
that stores its data in Active Directory. Active Directory-integrated zones
can be regarded as enhanced standard primary zones.
Stub zone: Stub zones contain only the resource records necessary to identify the authoritative DNS servers for the master zone.
DNS client: This is a machine that queries the DNS server for name
resolution. To issue DNS requests to the DNS server, DNS resolvers are
used.
A - Address record allowing a computer name to be translated into an
IP address. Each computer must have this record for its IP address to
be located. These names are not assigned for clients that have
dynamically assigned IP addresses, but are a must for locating servers
with static IP addresses.
AAAA Host resource record for IPv6 protocol.
AFSDB - Andrew File System Database resource record.
ATMA - Asynchronous Transfer Mode resource record.
CNAME - Canonical name allowing additional names or aliases to be
used to locate a computer.
HINFO - Host information record with CPU type and operating system.
ISDN - Integrated Services Digital Network resource record.
MB - Mailbox resource record.
MG - Mail group resource record.
MINFO - Mailbox mail list information resource record.
MR - Mailbox renamed resource record.
MX - Mail Exchange server record. There may be several.
NS - Name server record. There may be several.
PTR - Pointer resource record.
RP - Responsible person.
RT - Route through resource record for specifying routes for certain
DNS names.
SOA - Start of Authority record defines the authoritative server and parameters for the DNS zone, including timeout values and the name of the responsible person.
SRV - Service locator resource record to map a service to servers
providing the service. Windows 2000 clients will use this record to find
a domain controller.
TXT - Text resource record for informative text.
WKS - Well known service resource record.
X25 - To map a host name to an X.25 address.
DNS Query Process
There are two types of queries that can be performed in DNS:
Iterative. A query made from a client to a DNS server in which the server
returns the best answer that it can provide based on its cache or zone data. If
a queried server does not have an exact match for the request, it provides a
pointer to an Authoritative server in a lower level of the domain namespace.
Recursive. A query made from a client to a DNS server in which the server
assumes the full workload and responsibility for providing a complete answer
to the query. The DNS server has to reply with the requested information, or
with an error. The DNS server cannot provide a referral to a different DNS
server.
1. The resolver sends a recursive DNS query to its local DNS server, to
request the IP address of a particular name.
2. Because the local DNS server cannot refer the resolver to a different
DNS server, the local DNS server attempts to resolve the requested
domain name.
3. The local DNS server checks its zones.
4. If it finds no zones for the requested domain name, the local DNS
server sends an iterative query for the requested name to the root DNS
server.
5. The root DNS server is authoritative for the root domain. It responds
with an IP address of a name server for the specific top-level domain.
6. The local DNS server next sends an iterative query for the requested name to this name server, which in turn replies with the IP address of the name server servicing the requested domain name.
7. The local DNS server then sends an iterative query for the requested
name to the particular name server servicing the particular domain.
8. The name server responds with the requested IP address.
9. The IP address is returned to the resolver.
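The zone, delegation and query-process passages above can be exercised together in one small simulation. The Python below is an added example, not part of the module guide: it parses constructed zone files for a root, the .om TLD and mecit.edu.om (with edu.om as a domain inside the om zone rather than its own zone), gives each authoritative server an iterative lookup that answers or refers, and has a local resolver walk the referrals from the root on the client's behalf. Server names and the 192.0.2.x addresses are constructed sample values.

```python
"""Toy DNS namespace: zone files, authoritative servers that answer or refer, and a
recursive resolver that walks the referrals itself. All zone data is constructed for
this example (RFC 5737 documentation addresses) and describes no real hosts."""
from typing import Dict, List, Tuple

Zone = Dict[Tuple[str, str], List[str]]          # (owner name, RR type) -> rdata list

def absolute(name: str, origin: str) -> str:
    """Expand '@' and relative names against the zone origin; FQDNs end in '.'."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}." if origin == "." else f"{name}.{origin}"

def parse_zone(origin: str, text: str) -> Zone:
    """Minimal zone-file parser: one record per line, 'owner type rdata...'."""
    zone: Zone = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()        # drop comments and blank lines
        if not line:
            continue
        owner, rtype, *rdata = line.split()
        if rtype.upper() in ("NS", "CNAME"):     # targets are names: make them FQDNs
            rdata = [absolute(rdata[0], origin)]
        zone.setdefault((absolute(owner, origin), rtype.upper()), []).append(" ".join(rdata))
    return zone

class AuthServer:
    """Authoritative for its own zones only: answers iteratively, never recurses."""
    def __init__(self, name: str, zones: Dict[str, Zone]):
        self.name, self.zones = name, zones      # zones keyed by origin

    def query(self, qname: str, qtype: str):
        """Best local answer: ANSWER, CNAME, REFERRAL to a delegated child, or NXDOMAIN."""
        origins = [o for o in self.zones if o == "." or qname == o or qname.endswith("." + o)]
        if not origins:
            return "REFUSED", []                 # not authoritative for any ancestor
        origin = max(origins, key=len)           # the closest enclosing zone
        zone = self.zones[origin]
        if (qname, qtype) in zone:
            return "ANSWER", zone[(qname, qtype)]
        if (qname, "CNAME") in zone:
            return "CNAME", zone[(qname, "CNAME")]
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):             # closest delegation point below the origin
            child = ".".join(labels[i:]) + "."
            if child != origin and (child, "NS") in zone:
                return "REFERRAL", {ns: zone.get((ns, "A"), []) for ns in zone[(child, "NS")]}
        return "NXDOMAIN", []

class Resolver:
    """The client's local DNS server: recurses on the client's behalf by iterating from the root."""
    def __init__(self, servers: Dict[str, AuthServer], root_ip: str):
        self.servers, self.root_ip = servers, root_ip   # servers keyed by IP address
        self.cache: Dict[Tuple[str, str], List[str]] = {}

    def resolve(self, qname: str, qtype: str = "A", max_steps: int = 16):
        """Return (rdata list, trail of (server name, status) pairs visited)."""
        trail: List[Tuple[str, str]] = []
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)], trail
        server_ip = self.root_ip
        for _ in range(max_steps):               # bound the walk against referral loops
            server = self.servers[server_ip]
            status, data = server.query(qname, qtype)
            trail.append((server.name, status))
            if status == "ANSWER":
                self.cache[(qname, qtype)] = data
                return data, trail
            if status == "CNAME":
                qname = data[0]                  # follow the alias at the same server
            elif status == "REFERRAL" and any(data.values()):
                server_ip = next(ip for ips in data.values() for ip in ips)
            else:
                break                            # NXDOMAIN, REFUSED or glueless referral
        return [], trail                         # error back to the client, no referral

ROOT = parse_zone(".", """
om.           NS  ns.nic.om.                    ; delegation of the .om top-level domain
ns.nic.om.    A   192.0.2.2                     ; glue record for the TLD server
""")
OM = parse_zone("om.", """
ns.nic        A   192.0.2.2
mecit.edu     NS  ns.mecit.edu.om.              ; edu.om is a domain inside this zone, not a zone
ns.mecit.edu  A   192.0.2.4                     ; glue record for the delegated zone
""")
MECIT = parse_zone("mecit.edu.om.", """
@             SOA ns hostmaster 2024010101 3600 900 604800 86400
@             NS  ns
ns            A   192.0.2.4
mail          A   192.0.2.25
www           CNAME mail
""")
SERVERS = {                                      # IP address -> authoritative server
    "192.0.2.1": AuthServer("root-server", {".": ROOT}),
    "192.0.2.2": AuthServer("ns.nic.om", {"om.": OM}),
    "192.0.2.4": AuthServer("ns.mecit.edu.om", {"mecit.edu.om.": MECIT}),
}
```

`Resolver(SERVERS, "192.0.2.1").resolve("mail.mecit.edu.om.")` returns the address together with the trail root -> TLD server -> domain server, matching steps 4 to 8; a second call for the same name is answered from the cache with an empty trail.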
DHCP
DHCP RFCs
The DHCP RFCs are 1533, 1534, 1541, and 1542. The information sent from the DHCP server to the client machine is:
IP address
Subnet mask
Default Gateway address
DNS server address(es)
NetBIOS Name server (NBNS) address(es).
Lease period in hours
IP address of DHCP server.
Manual vs. Automatic TCP/IP Configuration
Manual TCP/IP Configuration Automatic TCP/IP Configuration
4. Server Lease Acknowledgement - The server sends a DHCPACK or
a DHCPNACK if an unavailable address was requested.
IP Lease Selection; IP Lease Acknowledgement
DHCP discover message - The initial broadcast sent by the client to obtain a
DHCP lease. It contains the client MAC address and computer name. This is
a broadcast using 255.255.255.255 as the destination address and 0.0.0.0 as
the source address. The request is sent, then the client waits one second for
an offer. The request is repeated at 9, 13, and 16 second intervals with
additional 0 to 1000 milliseconds of randomness. The attempt is repeated
every 5 minutes thereafter.
The client uses its own port 68 as the source port, with port 67 as the destination port on the server, to send the request to the server. The server uses its own port 67 as the source port, with port 68 as the destination port on the client, to reply to the client. Therefore the server is listening and sending on its own port 67 and the client is listening and sending on its own port 68. This can be confusing when you consider which way the message is going. To be clear on this, I quote RFC 1531, which states: "DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68)".
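To make the discover message concrete, the following Python is an added example (not from the module guide) that builds a DHCPDISCOVER in the BOOTP message layout that RFC 2131 specifies for DHCP, with the client MAC in chaddr, the host name as option 12 and the message type as option 53, and then parses it back while checking the magic cookie and option lengths. The MAC address, host name and transaction id are constructed sample values; nothing is sent on a network.

```python
"""Build and parse a DHCPDISCOVER message (RFC 2131 BOOTP layout plus DHCP options).
The MAC address, host name and transaction id used with it are constructed sample
values; the functions only produce and decode bytes, they never touch a socket."""
import struct
from typing import Dict

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68      # the ports the RFC 1531 quote describes
MAGIC_COOKIE = bytes([99, 130, 83, 99])           # marks the start of the DHCP options
OPT_HOST_NAME, OPT_MSG_TYPE, OPT_END = 12, 53, 255
DHCPDISCOVER = 1                                  # value of option 53 for a discover


def build_discover(mac: bytes, hostname: str, xid: int) -> bytes:
    """Client -> broadcast: op=1 (BOOTREQUEST), all address fields zero, MAC in chaddr."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1,                          # op: BOOTREQUEST
        1,                          # htype: Ethernet
        6,                          # hlen: length of the MAC address
        0,                          # hops: incremented by relay agents
        xid,                        # transaction id chosen by the client
        0,                          # secs since the client began acquiring an address
        0x8000,                     # flags: broadcast bit, client cannot yet receive unicast
        bytes(4),                   # ciaddr: client has no IP address yet (0.0.0.0)
        bytes(4),                   # yiaddr: 'your' address, filled in by the server's offer
        bytes(4),                   # siaddr: next server, zero in a request
        bytes(4),                   # giaddr: relay agent address, zero when not relayed
        mac.ljust(16, b"\0"),       # chaddr: 16-byte field carrying the client MAC
        bytes(64),                  # sname: server host name, unused here
        bytes(128),                 # file: boot file name, unused here
    )
    options = (MAGIC_COOKIE
               + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_HOST_NAME, len(hostname)]) + hostname.encode("ascii")
               + bytes([OPT_END]))
    return fixed + options


def parse_dhcp(packet: bytes) -> Dict[str, object]:
    """Decode the fixed header and TLV options; raise ValueError on a malformed message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    msg: Dict[str, object] = {
        "op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs, "flags": flags,
        "ciaddr": ".".join(map(str, packet[12:16])),
        "yiaddr": ".".join(map(str, packet[16:20])),
        "chaddr": packet[28:28 + hlen].hex(":"),
        "options": {},
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                             # pad option: a single byte, no length
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")  # length byte points past the packet
        length = packet[i + 1]
        msg["options"][code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    else:
        raise ValueError("options not terminated by the end option")
    return msg
```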
Routers
Subnets that don't have a DHCP server to forward DHCP requests.
Client Reservation
Client Reservation is used to be sure a computer gets the same IP address
all the time. Therefore since DHCP IP address assignments use MAC
addresses to control assignments, the following are required for client
reservation:
IP address
MAC address
Exclusion Range
An exclusion range is used to reserve a bank of IP addresses so that computers with static IP addresses, such as servers, may use the addresses in this range. These addresses are not assigned by the DHCP server.
DHCP lease
A DHCP lease is the amount of time that the DHCP server grants to the
DHCP client permission to use a particular IP address. A typical server allows
its administrator to set the lease time.
DHCP Relay Agent
Definition
A DHCP relay agent is a computer or router that is configured to listen for DHCP/BOOTP broadcasts from DHCP clients and then relay those messages to DHCP servers on different subnets. DHCP/BOOTP relay agents are part of the DHCP and BOOTP standards, and they function according to the Request for Comments (RFC) standard documents that describe protocol design and related behavior.
An RFC 1542-compliant router is a router that supports the forwarding of DHCP broadcast traffic.
Why use a DHCP relay agent?
DHCP clients use broadcasts to secure a lease from a DHCP server. Routers normally do not pass broadcasts unless specifically configured to do so. Consequently, without additional configuration, DHCP servers can provide IP addresses only to clients located on the local subnet. Many organizations find it more efficient to centralize the servers that provide the DHCP Server service. To do so, they must configure the network so that DHCP broadcasts are passed from the client to the DHCP server. This can be done in one of two ways: by configuring the routers that connect the subnets to forward DHCP broadcasts, or by configuring them to implement DHCP relay agents.
Windows Server 2003 supports the Routing and Remote Access service, which can be configured to function as a DHCP relay agent.
because of the need to locate a DHCP server on each individual subnet rather than providing DHCP server services from a centralized location to multiple subnets. In addition, to provide fault tolerance, this solution would require two servers configured on each subnet as DHCP servers. Placing two DHCP servers on each subnet is often impractical.
Configure an RFC 1542-compliant router to forward DHCP messages between subnets.
An RFC 1542-compliant router can be configured to selectively forward DHCP broadcasts to another subnet. Although this option is preferable to using DHCP servers on each subnet, it can complicate router configuration and cause unnecessary broadcast traffic to be forwarded to other subnets.
Configure a Microsoft DHCP relay agent on each subnet to forward DHCP messages to one or more particular DHCP servers on another subnet.
Configuring a Microsoft DHCP relay agent on each subnet has several advantages over the other options: it limits broadcasts to the subnet in which they originate, and adding DHCP relay agents to multiple subnets allows a single DHCP server to provide IP addresses to multiple subnets more efficiently than when using RFC 1542-compliant routers. You can also configure a Microsoft DHCP relay agent to delay its response to a client request by a few seconds, in effect creating primary and secondary DHCP responders.
Network Troubleshooting Commands
PING
Ping is the most important troubleshooting command; it checks connectivity with other computers. For example, if your system's IP address is 10.10.10.10 and your network server's IP address is 10.10.10.1, you can check the connectivity with the server by using the Ping command in the following format.
At the DOS prompt type Ping 10.10.10.1 and press Enter.
If you get a reply from the server then the connectivity is OK; if you get an error message like "Request timed out", this means there is some problem in the connectivity with the server.
IPCONFIG
Ipconfig is another important command in Windows. It shows the IP address of the computer and also the DNS, DHCP and gateway addresses of the network and the subnet mask.
At the DOS prompt type ipconfig and press Enter to see the IP address of your computer.
At the DOS prompt type ipconfig /all and press Enter to see the detailed information.
At the DOS prompt type ipconfig /displaydns and press Enter to display the contents of the DNS cache.
At the DOS prompt type ipconfig /flushdns and press Enter to clear the DNS cache.
At the DOS prompt type ipconfig /release and press Enter to release all IP address leases.
At the DOS prompt type ipconfig /renew and press Enter to renew all IP address leases.
NSLOOKUP
NSLOOKUP is a TCP/IP-based command that checks domain name aliases, DNS records and operating system information by sending queries to Internet Domain Name Servers. You can use it to resolve errors with the DNS of your network server.
HOSTNAME
Hostname command shows you the computer name.
At DOS prompt type Hostname and press enter
NETSTAT
NETSTAT utility shows the protocols statistics and the current established
TCP/IP connections in the computer.
NBTSTAT
NBTSTAT helps to troubleshoot NetBIOS name resolution problems.
ARP
ARP displays and modifies the IP-to-physical-address translation table used by the ARP protocol.
FINGER
Finger command is used to retrieve the information about a user on a
network.
TRACERT
The tracert command is used to determine the path to a remote system. This tool also provides the number of hops and the IP address of each hop. For example, if you want to see how many hops (routers) are involved in reaching a URL and what the IP address of each hop is, use the following command.
At the command prompt type tracert www.yahoo.com and you will see a list of all the hops and their IP addresses.
TRACEROUTE
Traceroute is a very useful network debugging command. It is used to locate the server that is slowing down the transmission on the Internet, and it also shows the route between the two systems.
ROUTE
Route command allows you to make manual entries in the routing table.
Pathping
Combines the functions of Ping and Tracert.
net session
Shows all Windows networking sessions
net use
Retrieves a list of network connections
net share
Lists all Windows shares that are available on this machine
net user
Shows the user accounts on the computer
net view
Displays domains in the network
net user /domain <UserName>
Shows account details for a specific user
whether the port is open
WEB SERVER
A Web server is a program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests). Every computer on the Internet that contains a Web site must have a Web server program. Two leading Web servers are Apache, the most widely installed Web server, and Microsoft's Internet Information Server (IIS).
Other Web servers include Novell's Web Server for users of its NetWare operating system and IBM's family of Lotus Domino servers, primarily for IBM's OS/390 and AS/400 customers.
FTP File Transfer Protocol Service: Enables you to set up FTP sites for
uploading and downloading files.
Methods of Authentication
FTP
What is FTP?
FTP (File Transfer Protocol) is the simplest and most secure way to exchange files over the Internet. Most often, a computer with an FTP address is dedicated to receiving FTP connections. Just as a computer that is set up to host Web pages is referred to as a Web server or Web site, a computer dedicated to receiving FTP connections is referred to as an FTP server or FTP site.
What is an FTP Site?
An FTP site is like a large filing cabinet. With a traditional filing cabinet, the person who does the filing has the option to label and organize the files however they see fit. They also decide which files to keep locked and which remain public. It is the same with an FTP site.
The virtual 'key' to get into an FTP site is the UserID and Password. If the
creator of the FTP site is willing to give everyone access to the files, the
UserID is 'anonymous' and the Password is your e-mail address (e.g.
name@domain.com).
If the FTP site is not public, there will be a unique UserID and Password for
each person who is granted access.
To make an FTP connection you can use a standard Web browser (Internet
Explorer, Netscape, etc.) or a dedicated FTP software program, referred to as
an FTP 'Client'.
When using a Web browser for an FTP connection, FTP uploads are difficult,
or sometimes impossible, and downloads are not protected (not
recommended for uploading or downloading large files).
nice feature for people using dial-up connections who frequently lose their Internet connection.
The classic FTP Client look is a two-pane design. The pane on the left
displays the files on your computer and the pane on the right displays the files
on the remote computer.
FTP commands using the DOS prompt
FTP can also be done using the DOS prompt. The port number for FTP is 21. A user should type FTP and then open the port for the server.
If you need to send images, change from the default ASCII mode to binary mode.
If you need to send HTML, ASP or other text files, use the default ASCII mode.
"mput" and "mget" can be used to send and receive multiple files.
"lcd" is used to change the directory on the local machine and "cd" is used to change the directory on the remote machine.
"dir" will display all the files and "status" will show whether the session is in ASCII mode or binary mode.
NETWORK SECURITY
What is PKI?
directory, so users of PKI can locate the certificate for an individual with
whom they wish to communicate securely.
Certification Authority
Digital certificates
Public & private key pairs
Certificate Policy (CP)
Certification Practices Statement (CPS)
The most widely accepted format for Digital Certificates is defined by
the ITU-T X.509 international standard; thus certificates can be read or
written by any application complying with X.509.
X.509
X.509 is an ITU-T (ITU Telecommunication Standardization Sector) standard
for PKI (Public Key Infrastructure) in cryptography, which, amongst many
other things, defines specific formats for PKC (Public Key Certificates) and
the algorithm that verifies a given certificate path is valid
Certificate Structure
An X.509 version 3 digital certificate has three main parts: the certificate (the signed body), the certificate signature algorithm and the certificate signature. The certificate body is described by attributes such as version, algorithm ID, serial number, issuer, subject, validity, subject public key info, extensions and several optional ones such as the subject and issuer unique identifiers. The subject public key info attribute is further detailed by the public key algorithm and the subject public key, while the validity attribute has an upper and a lower date limit, which together determine the lifetime of the certificate.
Structure of a certificate
Certificate
    Version
    Serial Number
    Algorithm ID
    Issuer
    Validity
        Not Before
        Not After
    Subject
    Subject Public Key Info
        Public Key Algorithm
        Subject Public Key
    Issuer Unique Identifier (Optional)
    Subject Unique Identifier (Optional)
    Extensions (Optional)
    ...
Certificate Signature Algorithm
Certificate Signature
IPSec
Internet Protocol Security (IPSec) is a collection of standards that was designed specifically to create secure end-to-end connections. The standards were developed by the Internet Engineering Task Force (IETF) to secure communications over both public and private networks, though it is particularly beneficial on public networks.
Using IPSec, you can provide data privacy, integrity, authenticity, and anti-replay protection for network traffic.
The bundle of protocols, hashing and encryption algorithms used in IPSec includes:
o IKE [Internet Key Exchange protocol]
o ISAKMP [Internet Security Association and Key Management
Protocol]
o AH [Authentication Header protocol]
o ESP [Encapsulating Security Payload protocol]
o STS [Station-to-Station protocol]
o HMAC [Hash Message Authentication Code]
o MD5 [Message Digest 5]
o SHA-1 [Secure Hash Algorithm]
o 3DES [Triple Data Encryption Standard]
o XAUTH [Extended Authentication]
o AES [Advanced Encryption Standard]
AH versus ESP
There are two modes of operation for IPSec: transport mode and
tunnel mode.
Transport Mode
In transport mode, only the payload of the message is encrypted.
Transport Mode is used to protect an end-to-end conversation between
two hosts. This protection is either authentication or encryption (or
both), but it is not a tunneling protocol. It has nothing to do with a
traditional VPN: it's simply a secured IP connection.
Tunnel Mode
In tunnel mode, the payload, the header, and the routing information are all encrypted.
Tunnel mode is intended for secure site-to-site communications over an untrusted network. Each site has an IPsec gateway configured to route traffic to the other site. When a computer in one site needs to communicate with a computer in the other site, the traffic passes through the IPsec gateways.
The Secure Sockets Layer (SSL) protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transaction. In short, this is how it works.
1. A browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party
(usually a trusted root CA), that the certificate is still valid and that the
certificate is related to the site contacted.
4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server, together with the encrypted URL required and other encrypted HTTP data.
5. The web server decrypts the symmetric encryption key using its private
key and uses the symmetric key to decrypt the URL and http data.
6. The web server sends back the requested html document and http
data encrypted with the symmetric key.
7. The browser decrypts the http data and html document using the
symmetric key and displays the information.
The SSL protocol runs above TCP/IP and below higher-level protocols such
as HTTP.
have been issued by a certificate authority (CA) listed in the client's list of
trusted CAs. This confirmation might be important if the user, for example, is
sending a credit card number over the network and wants to check the
receiving server's identity.
Overview of Routers
Introduction
A router is a device that has more than one network interface (in other words,
it is multi-homed) that can forward packets, based on network addressing
(such as IP addresses), to multiple network segments. Routers are an
intermediate system that functions at the network layer to connect networks
based on a common network layer protocol.
Purpose of routers
Routers allow you to scale your network and to maintain bandwidth by
segmenting network traffic. Routers are configured to make intelligent
decisions to determine how packets should be forwarded between network
segments. This helps ensure that a network segment is not inundated with
traffic not destined for hosts on its segment. Routers also prevent certain
types of traffic, such as broadcast traffic, from saturating the network.
Types of routers
The two types of routers that are used in a network environment are:
Hardware Routers. These dedicated hardware devices run
specialized software for the exclusive purpose of routing. Hardware
routers provide very good performance; however, they can be
expensive and may provide little functionality beyond their intended
purpose. Many hardware routers today provide greater flexibility by
offering security services such as packet filtering and VPN access.
Hardware routers should be used in environments that require high
throughput between network segments.
Main components of routing solution
The three main components of a routing solution are:
Remote Access
Dial-Up Connections.
To connect to the network with dial-up remote access, a remote access client uses a communications network, such as the Public Switched Telephone Network (PSTN), to create a physical connection to a port on a remote access server on the private network. This is done by using a modem or an ISDN adapter to dial in to the remote access server.
A VPN provides secure remote access through the Internet, rather than through a direct dial-up connection. A VPN client uses an IP internetwork to create an encrypted virtual point-to-point connection with a VPN gateway on the private network. Typically the user connects to the Internet through an Internet Service Provider (ISP) and then creates a VPN connection to the VPN gateway. By using the Internet in this way, companies can reduce long-distance telephone expenses. Traveling employees can dial a local ISP and then make a VPN connection back to the corporate network.
How a VPN Connection Works
Introduction
The Routing and Remote Access service provides VPN services so that users
can access corporate networks in a secure manner by encrypting the
transmitted data over an insecure transport network such as the Internet.
Advantages of a VPN
VPNs allow users or corporations to connect to remote servers, branch
offices, or to other organizations over a public network, while maintaining
secure communications. In all of these cases, the secure connection appears
to the user as a private network communication-despite the fact that this
communication occurs over a public network. Other benefits include:
Cost advantages. VPNs do not use a phone line and require less
hardware (your Internet service provider, or ISP, maintains the
communication hardware).
Enhanced security. Sensitive data is hidden from unauthorized users,
but it is accessible to users authorized through the connection. The
VPN server enforces authentication and encryption.
Network protocol support. You can remotely run an application that depends on the most common network protocols, such as Transmission Control Protocol/Internet Protocol (TCP/IP).
IP address security. Because information sent over a VPN is
encrypted, the private IP addresses that you specify are protected, and
the traffic transmitted over the Internet will have only the external IP
address visible.
Introduction
A VPN connection is made up of several components including VPN servers,
VPN clients, tunneling protocols, and authentication methods.
modified, a VPN also authenticates the data that was sent. The VPN server uses Active Directory as an account database.
Address and name server allocation. The VPN server is responsible for
assigning IP addresses, which it does either by using the default
protocol, Dynamic Host Configuration Protocol (DHCP), or from a static
pool of addresses that the administrator defines. The VPN server can
also allocate Domain Name System (DNS) and Windows Internet
Name Service (WINS) server addresses to clients.
PPTP                               L2TP
Internetwork must be IP based      Internetwork can be IP, Frame Relay, X.25, or ATM based
No header compression              Header compression
No tunnel authentication           Tunnel authentication
Built-in PPP encryption            Uses IPSec encryption
SLIP and PPP
1. SLIP: Serial Line Internet Protocol is widely used to connect systems to the Internet over a dial-up line using a modem. PPP: Point-to-Point Protocol has several advantages over SLIP.
2. SLIP: It does not do any error detection or correction. PPP: It does provide error detection and correction.
3. SLIP: Supports only IP. PPP: Supports multiple protocols.
4. SLIP: Each side must know the other's IP address in advance; IP addresses cannot be assigned dynamically during setup. PPP: Allows IP addresses to be negotiated dynamically at connection time.
5. SLIP: No authentication. PPP: Provides authentication.
Introduction
To provide a secure network access infrastructure, an administrator needs to understand the following basic components that make up a network access infrastructure:
administrator terminates them. Remote users can work as if their computers
are physically connected to the network.
Authentication service
When you provide greater network access, you need to increase the level of security in your network to safeguard against unauthorized access to and usage of internal resources. You can help safeguard your network by providing strong authentication to validate identity, in addition to providing strong encryption to protect data.
Authentication methods typically use an authentication protocol that is
negotiated during the process of establishing a connection. The remote
access server (a server configured with the Routing and Remote Access
service) handles authentication between the remote access client and the
domain controller.
If you have multiple network access servers, you can centralize authentication by using Remote Authentication Dial-In User Service (RADIUS) to authenticate and authorize network access clients. Using RADIUS eliminates the need for each network access server in your network to perform authentication and authorization.
Active Directory
Active Directory domains contain the user accounts, passwords, and dial-up
properties that are required to authenticate user credentials and evaluate both
authorization and connection constraints.
After a client is connected to your network, you can control access to
resources by various administrative controls on both the client computer and
the network access servers. These administrative controls include File and
Printer Sharing, Local Group Policy, and Group Policy through the Active
Directory service.
Wireless Networks
Mobility
User mobility indicates constant physical movement of the person and their
network appliance. Many jobs require workers to be mobile, such as inventory
clerks, healthcare workers, policemen, emergency care specialists, and so
on. Wireless networking offers mobility to its users much like the wireless
phone, providing a constant connection to information on the network.
Increased Reliability
A problem inherent to wired networks is the downtime due to cable faults. The
accidental cutting of cables can also bring a network down quickly. Water
intrusion can also damage communications lines during storms. The
advantage of wireless networking, then, is that fewer such problems occur
because less cable is used.
Long-Term Cost Savings
Wireless Devices
Antenna
The antenna radiates the modulated signal through the air so that the
destination can receive it. Antennas come in many shapes and sizes and
have the following specific electrical characteristics:
• Propagation pattern
• Radiation power
• Gain
• Bandwidth
Radiation power is the output of the radio transmitter. Most wireless network
devices operate at less than 5 watts of power.
Most wireless LANs and WANs utilize omnidirectional antennas, whereas wireless
MANs use antennas that are more directive.
Bandwidth is the effective part of the frequency spectrum that the signal
propagates. For example, the telephone system operates over a bandwidth
roughly from 0–4 kHz. This is enough bandwidth to accommodate most of the
frequency components within our voices. Radio wave systems have greater
amounts of bandwidth located at much higher frequencies. Data rates and
bandwidth are directly proportional—the higher the data rates, the more
bandwidth you will need.
Access Points
The main thing to remember is that access points allow wireless clients
access to a single network.
A wireless network uses an access point, or base station. The access point
acts like a hub, providing connectivity for the wireless computers. It can
connect (or "bridge") the wireless LAN to a wired LAN, allowing wireless
computers access to LAN resources, such as file servers or existing Internet
connectivity.
In most cases, separate access points are interconnected via a wired LAN,
providing wireless connectivity in specific areas such as offices or
classrooms, but connected to a main wired LAN for access to network
resources, such as file servers.
If a single area is too large to be covered by a single access point, then
multiple access points or extension points can be used. Note that an
"extension point" is not defined in the wireless standard, but has been
developed by some manufacturers. When using multiple access points, each
access point's wireless area should overlap its neighbors. This provides a
seamless area for users to move around in, using a feature called "roaming."
WLAN Configurations
Independent WLANs
Infrastructure WLANs
In infrastructure WLANs, multiple access points link the WLAN to the wired
network and allow users to efficiently share network resources. The access
points not only provide communication with the wired network but also
mediate wireless network traffic in the immediate neighborhood. Multiple
access points can provide wireless coverage for an entire building or campus.
Wireless communication is limited by how far signals carry for a given power
output. WLANs use cells, called microcells, similar to the cellular telephone
system, to extend the range of wireless connectivity. At any point in time, a
mobile PC equipped with a WLAN adapter is associated with a single access
point and its microcell, or area of coverage. Individual microcells overlap to
allow continuous communication with the wired network. They handle low-
power signals and "hand off" users as they roam through a given geographic
area.
802.11b
Pros of 802.11b - lowest cost; signal range is good and not easily obstructed
Cons of 802.11b - slowest maximum speed; home appliances may interfere
on the unregulated frequency band
802.11a
Cons of 802.11a - highest cost; shorter range signal that is more easily
obstructed
802.11g
Pros of 802.11g - fast maximum speed; signal range is good and not easily
obstructed
Cons of 802.11g - costs more than 802.11b; appliances may interfere on the
unregulated signal frequency
802.11n
The newest IEEE standard in the Wi-Fi category is 802.11n. It was designed
to improve on 802.11g in the amount of bandwidth supported by utilizing
multiple wireless signals and antennas (called MIMO technology) instead of
one.
When this standard is finalized, 802.11n connections should support data
rates of over 100 Mbps. 802.11n also offers somewhat better range over
earlier Wi-Fi standards due to its increased signal intensity. 802.11n
equipment will be backward compatible with 802.11g gear.
Pros of 802.11n - fastest maximum speed and best signal range; more
resistant to signal interference from outside sources
Cons of 802.11n - standard is not yet finalized; costs more than 802.11g; the
use of multiple signals may greatly interfere with nearby 802.11b/g based
networks.
Bluetooth
WiMax
WiMax also was developed separately from Wi-Fi. WiMax is designed for
long-range networking (spanning miles or kilometers) as opposed to local
area wireless networking.
SSID
An SSID is the name of a wireless local area network (WLAN). All wireless
devices on a WLAN must employ the same SSID in order to communicate
with each other.
The SSID on wireless clients can be set either manually, by entering the SSID
into the client network settings, or automatically, by leaving the SSID
unspecified or blank. A network administrator often uses a public SSID that is
set on the access point and broadcast to all wireless devices in range. Some
newer wireless access points disable the automatic SSID broadcast feature in
an attempt to improve network security.
Wireless Security
WEP is a protocol that adds security to wireless local area networks (WLANs)
based on the 802.11 Wi-Fi standard. WEP is an OSI Data Link layer (Layer 2)
security technology that can be turned "on" or "off." WEP was designed to
give wireless networks the equivalent level of privacy protection as a
comparable wired network.
WEP is based on a stream cipher called RC4 that utilizes a combination of
secret user keys and system-generated values. The original implementations
of WEP supported so-called 40-bit encryption, having a key of length 40 bits
and 24 additional bits of system-generated data (64 bits total). Research has
shown that 40-bit WEP encryption is too easy to decode, and consequently
product vendors today employ 128-bit encryption (having a key length of 104
bits, not 128 bits) or better (including 152-bit and 256-bit WEP systems).
When communicating over the air, wireless network equipment uses WEP
keys to encrypt the data stream. The keys themselves are not sent over the
network but rather are generally stored on the wireless adapter or in the
Windows Registry.
Regardless of how it is implemented on a wireless LAN, WEP represents just
one element of an overall WLAN security strategy.
WEP Keys
A WEP key is a security code used on some WiFi networks. WEP keys allow
a group of devices on a local network (such as a home network) to exchange
encoded messages with each other while hiding the contents of the
messages from easy viewing by outsiders.
A WEP key is a sequence of hexadecimal digits. These digits include the
numbers 0-9 and the letters A-F. Some examples of WEP keys are:
1A648C9FE2
99D767BAC38EA23B0C0176D15
WEP keys are chosen by a network administrator. WEP keys are set on WiFi
routers, adapters and other wireless network devices. Matching WEP keys
must be set on each device for them to communicate with each other.
The length of a WEP key depends on the type of WEP security (called
"encryption") utilized:
To assist with the process of creating correct WEP keys, some brands of
wireless network equipment automatically generate WEP keys from ordinary
text called a "pass phrase."
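Added example, not code from the module guide: a small Python model of the WEP key and frame structure described in the two sections above. It checks that a hex key is the 40-bit (10 digit) or 104-bit (26 digit) form, prepends the 24-bit system-generated IV to the secret key to seed RC4 (which is why the marketed sizes are 64 and 128 bits), and appends the CRC-32 integrity check value; the key 1A648C9FE2 is the page's own sample, while the IV value and message are constructed here.

```python
import zlib

# Per the text: a "64-bit" WEP key is 40 secret bits (10 hex digits) plus a
# 24-bit IV; a "128-bit" key is 104 secret bits (26 hex digits) plus the IV.
KEY_HEX_DIGITS = {10: 64, 26: 128}


def classify_wep_key(key_hex):
    """Marketed strength (64 or 128) of a hex WEP key, or None if malformed."""
    key_hex = key_hex.strip().replace(":", "").replace("-", "")
    if any(c not in "0123456789abcdefABCDEF" for c in key_hex):
        return None
    return KEY_HEX_DIGITS.get(len(key_hex))


def rc4_keystream(seed, n):
    """Textbook RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key_hex, iv, plaintext):
    """Frame body = IV (sent in clear) || RC4(IV || key) XOR (plaintext || ICV).
    The ICV is CRC-32 of the plaintext, as in the original 802.11 WEP design."""
    if classify_wep_key(key_hex) is None:
        raise ValueError("WEP key must be 10 or 26 hex digits")
    if not 0 <= iv < 1 << 24:
        raise ValueError("WEP IV is a 24-bit value")
    iv_bytes = iv.to_bytes(3, "little")
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv_bytes + bytes.fromhex(key_hex), len(body))
    return iv_bytes + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(key_hex, frame):
    """Reverse of wep_encrypt; returns None when the ICV does not match."""
    iv_bytes, ciphertext = frame[:3], frame[3:]
    ks = rc4_keystream(iv_bytes + bytes.fromhex(key_hex), len(ciphertext))
    body = bytes(a ^ b for a, b in zip(ciphertext, ks))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if icv == zlib.crc32(plaintext).to_bytes(4, "little") else None
```

Note that the page's second sample key, 99D767BAC38EA23B0C0176D15, has 25 hex digits, so classify_wep_key() rejects it; a 104-bit key needs 26 digits.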
easily read by humans. Several encryption technologies exist for Wi-Fi today.
Naturally you will want to pick the strongest form of encryption that works with
your wireless network. However, the way these technologies work, all Wi-Fi
devices on your network must share the identical encryption settings.
6. Do Not Auto-Connect to Open Wi-Fi Networks
Connecting to an open Wi-Fi network such as a free wireless hotspot or your
neighbor's router exposes your computer to security risks. Although not
normally enabled, most computers have a setting available allowing these
connections to happen automatically without notifying you (the user). This
setting should not be enabled except in temporary situations.
10. Turn Off the Network During Extended Periods of Non-Use
The ultimate in wireless security measures, shutting down your network will
most certainly prevent outside hackers from breaking in! While impractical to
turn off and on the devices frequently, at least consider doing so during travel
or extended periods offline. Computer disk drives have been known to suffer
from power cycle wear-and-tear, but this is a secondary concern for
broadband modems and routers.
If you own a wireless router but are only using it for wired (Ethernet) connections,
you can also sometimes turn off Wi-Fi on a broadband router without
powering down the entire network.