
Middle East College of Information Technology

Module Name: Internet Administration

Module Code: COMP 0326

Module Guide

Department of computing

Internet Administration 1
Installing Windows 2000 Professional / Windows XP

• Start the computer from the CD.
• Select to install a new copy of Windows 2000 or XP.
• Read and accept the licensing agreement.
• Select the file system, FAT or NTFS.
• Enter the name and organization.
• Enter the computer name and the password for the local Administrator account.
• Select the date and time settings.

Installing network components

After completing the setup wizard, install network components by performing
the following steps:

• Choose a networking setting:

  Typical - Installs Client for Microsoft Networks, File and Printer Sharing
  for Microsoft Networks, and Transmission Control Protocol/Internet Protocol
  (TCP/IP) as a Dynamic Host Configuration Protocol (DHCP) client.

  Custom - Creates custom network connections: for example, configuring a
  static IP address, configuring the computer as a WINS client, or adding
  NetBIOS Extended User Interface (NetBEUI).

• Provide a workgroup or domain name.
• Click Finish to restart the computer.
• Configure the network ID for the computer.

After the computer restarts, Windows 2000 Professional displays the Network
ID wizard. In this wizard, you do either of the following:

• Configure a specific user account and password for the computer.
  When a user starts the computer, Windows 2000 automatically logs on
  using the configured user name and password.
• Choose not to configure a specific user account for the computer.
  When a user starts the computer, the Log On to Windows dialog box
  appears.

• Apply all necessary software or security updates to the operating
  system.

Installing Windows 2003 Server

To install Windows 2003 server from a CD you must restart the computer
from a CD and then complete the setup wizard.
With the exception of the optional components, the information you provide
during the installation of Windows 2003 server is the same as the information
you provide during the installation of Windows 2000 Professional.

• Start the computer from the CD.
• Select to install a new copy of Windows 2003 Server.
• Read and accept the licensing agreement.
• Select the partition on which to install Windows 2003 Server.
• Select the file system for the new partition. You can also choose
  to format the new partition.

After running the text-based portion of the Setup program, complete the
Setup wizard by providing the following information:

• Change regional settings, if necessary.

• Enter your name and organization.
• Select the licensing mode.
• Enter the computer name and password for the local Administrator
  account.
• Select the Windows 2003 optional components. Optional components
  provide additional functionality to Windows 2003, such as Web
  services, Remote Installation Services (RIS), and management tools.

The following table describes these optional components.

• Certificate Services - Allows you to create and request digital
  certificates for authentication. Certificates provide a verifiable means of
  identifying users on a nonsecure network, such as the Internet.
• Windows Clustering - Enables two or more servers to work
  together to keep server-based applications available, regardless of
  individual component failures. This service is available only in
  Windows 2000 Advanced Server and Windows 2000 Datacenter
  Server.
• IIS (Internet Information Server) - Includes FTP and Web servers, the
  administrative interface for IIS, common IIS components, and
  documentation.
• Terminal Services - Enables Windows-based clients to gain access to a
  virtual Windows 2000 Advanced Server desktop session and Windows-
  based applications.

DNS

The Domain Name System (DNS) is an integral part of client/server
communications in Internet Protocol networks. DNS is a distributed database
that is used in IP networks to translate, or resolve, computer names into IP
addresses. Microsoft Windows 2000 uses DNS as its primary method for
name resolution.

DNS is a distributed database system that can serve as the foundation for
name resolution in an IP network.

DNS Levels

DNS is a hierarchical naming structure with the following levels:

• Root - designated by a dot (.).
• First level - indicates the country or type of organization, such as "org",
  "com", and "net".
• Second level - indicates the organization name; it can be purchased
  for a yearly fee and can have many subdomains.

Notice that the highest level of the domain is listed last. An example of a
domain name is: mecit.edu.om

The common top-level domain names used are:

• .com: commercial organizations
• .edu: educational institutes
• .gov: government
• .int: international organizations
• .mil: military organizations
• .net: Internet providers and networking organizations
• .org: non-commercial organizations
• .uk: United Kingdom
• .us: United States
• .ca: Canada
• .jp: Japan

The additional top-level domains defined by ICANN in late 2000 are:

• .aero: the air transportation industry
• .biz: businesses
• .coop: cooperatives
• .info: information
• .museum: museums
• .name: individual names
• .pro: credentialed professions such as attorneys

FQDN

• A FQDN is a complete DNS name. For example, if a server named mail
  existed at MECIT, the FQDN of that server might be mail.mecit.edu.om.
• Technically, a FQDN must end in a period. This rule is almost always
  ignored.
• A FQDN is limited to a maximum length of 255 characters.
• DNS uses the FQDN to resolve a host name to an IP address.

DNS SERVER

This is a computer running the DNS Server service or BIND that provides
domain name services. The DNS server manages the DNS database that is
located on it. The DNS server program, whether it is the DNS Server service
or BIND, manages and maintains the DNS database located on the DNS
server. The information in the DNS database of a DNS server pertains to a
portion of the DNS domain tree structure or namespace. This information is
used to provide responses to client requests for name resolution.

When a DNS server is queried it can do one of the following:

  o Respond to the request directly by providing the requested
    information.
  o Provide a pointer (referral) to another DNS server that can assist in
    resolving the query.
  o Respond that the information is unavailable.
  o Respond that the information does not exist.

A DNS server is authoritative for the contiguous portion of the DNS
namespace over which it resides.

Types of DNS servers:

• Primary DNS server: This DNS server owns the zones defined in its DNS
  database, and can make changes to these zones.
• Secondary DNS server: This DNS server obtains a read-only copy of
  zones via DNS zone transfers. A secondary DNS server cannot make any
  changes to the information contained in its read-only copy. A secondary
  DNS server can, however, resolve queries for name resolution. Secondary
  DNS servers are usually implemented for the following reasons:
  o Provide redundancy: It is recommended to install one primary
    DNS server and one secondary DNS server for each DNS zone
    (minimum requirement). Install the DNS servers on different
    subnets so that if one DNS server fails, the other DNS server can
    continue to resolve queries.
  o Distribute the DNS processing load: Implementing secondary
    DNS servers assists in reducing the load on the primary DNS server.
  o Provide fast access for clients in remote locations: Secondary
    DNS servers can also prevent clients from traversing
    slow links for name resolution requests.

DNS zones: A DNS zone is the contiguous portion of the DNS domain name
space over which a DNS server has authority, or is authoritative. A zone is a
portion of a namespace; it is not a domain. A domain is a branch of the DNS
namespace. A DNS zone can contain one or more contiguous domains. A
DNS server can be authoritative for multiple DNS zones.

Zone files store resource records for the zones over which a DNS server has
authority.

Zone Types

• Primary zone: This is the only zone type that can be directly updated or
  edited, because the data in the zone is the original source of the data for
  all domains in the zone. Updates made to the primary zone are made by
  the DNS server that is authoritative for the specific primary zone.
• Secondary zone: This is a read-only copy of the zone that was copied
  from the master server during zone transfer. In fact, a secondary zone can
  only be updated through zone transfer.
• Active Directory-integrated zone: This is an authoritative primary zone
  that stores its data in Active Directory. Active Directory-integrated zones
  can be regarded as enhanced standard primary zones.
• Stub zone: Stub zones only contain those resource records necessary to
  identify the authoritative DNS servers for the master zone.

DNS client: This is a machine that queries the DNS server for name
resolution. To issue DNS requests to the DNS server, DNS resolvers are
used.

DNS Record types:

• A - Address record allowing a computer name to be translated into an
  IP address. Each computer must have this record for its IP address to
  be located. These names are not assigned for clients that have
  dynamically assigned IP addresses, but are a must for locating servers
  with static IP addresses.
• AAAA - Host resource record for the IPv6 protocol.
• AFSDB - Andrew File System Database resource record.
• ATMA - Asynchronous Transfer Mode resource record.
• CNAME - Canonical name allowing additional names or aliases to be
  used to locate a computer.
• HINFO - Host information record with CPU type and operating system.
• ISDN - Integrated Services Digital Network resource record.
• MB - Mailbox resource record.
• MG - Mail group resource record.
• MINFO - Mailbox mail list information resource record.
• MR - Mailbox renamed resource record.
• MX - Mail Exchange server record. There may be several.
• NS - Name server record. There may be several.
• PTR - Pointer resource record.
• RP - Responsible person.
• RT - Route through resource record for specifying routes for certain
  DNS names.
• SOA - Start of Authority record defines the authoritative server and
  parameters for the DNS zone. These include timeout values and the name
  of the responsible person.
• SRV - Service locator resource record to map a service to servers
  providing the service. Windows 2000 clients will use this record to find
  a domain controller.
• TXT - Text resource record for informative text.
• WKS - Well known service resource record.
• X25 - To map a host name to an X.25 address.

DNS Query Process
There are two types of queries that can be performed in DNS:

Iterative. A query made from a client to a DNS server in which the server
returns the best answer that it can provide based on its cache or zone data. If
a queried server does not have an exact match for the request, it provides a
pointer to an Authoritative server in a lower level of the domain namespace.

Recursive. A query made from a client to a DNS server in which the server
assumes the full workload and responsibility for providing a complete answer
to the query. The DNS server has to reply with the requested information, or
with an error. The DNS server cannot provide a referral to a different DNS
server.

The events that occur to resolve a name requested in a query are
explained below:

1. The resolver sends a recursive DNS query to its local DNS server, to
request the IP address of a particular name.
2. Because the local DNS server cannot refer the resolver to a different
DNS server, the local DNS server attempts to resolve the requested
domain name.
3. The local DNS server checks its zones.
4. If it finds no zones for the requested domain name, the local DNS
   server sends an iterative query for the requested name to the root DNS
   server.
5. The root DNS server is authoritative for the root domain. It responds
   with an IP address of a name server for the specific top-level domain.
6. The local DNS server next sends an iterative query for the requested
   name to this name server, which in turn replies with the IP address of the
   particular name server servicing the requested domain name.
7. The local DNS server then sends an iterative query for the requested
   name to the particular name server servicing the particular domain.
8. The name server responds with the requested IP address.
9. The IP address is returned to the resolver.
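The query walk in steps 1 to 9, together with the FQDN rules above, as an added example (not part of the module guide): the local server receives a recursive query and issues iterative queries from the root down, following referrals and CNAMEs. The server host names (root., ns.nic.om., ns1.mecit.edu.om.), their addresses and the zone contents are constructed; the local server is modelled without a cache.

```python
"""Added example (not from the module guide): a model of the DNS query
process. Zone data, server names and addresses are constructed."""

MAX_FQDN_LEN = 255   # page: an FQDN is limited to 255 characters
ROOT = "root."       # constructed name for the root server

# Constructed authoritative servers: hostname -> (zone it is authoritative for,
# {(owner name, record type): [values]}). Every name is a FQDN ending in ".".
SERVERS = {
    ROOT: (".", {
        ("om.", "NS"): ["ns.nic.om."],
        ("ns.nic.om.", "A"): ["198.51.100.1"],          # glue record
    }),
    "ns.nic.om.": ("om.", {
        ("mecit.edu.om.", "NS"): ["ns1.mecit.edu.om."],
        ("ns1.mecit.edu.om.", "A"): ["203.0.113.53"],   # glue record
    }),
    "ns1.mecit.edu.om.": ("mecit.edu.om.", {
        ("mecit.edu.om.", "NS"): ["ns1.mecit.edu.om."],
        ("ns1.mecit.edu.om.", "A"): ["203.0.113.53"],
        ("mail.mecit.edu.om.", "A"): ["203.0.113.25"],
        ("mail.mecit.edu.om.", "MX"): ["10 mail.mecit.edu.om."],
        ("www.mecit.edu.om.", "CNAME"): ["web1.mecit.edu.om."],
        ("web1.mecit.edu.om.", "A"): ["203.0.113.80"],
    }),
}


def normalize(name):
    """FQDN rules from the page: names are case-insensitive, a FQDN technically
    ends in a dot (added here when omitted) and may not exceed 255 characters."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    if len(name) > MAX_FQDN_LEN:
        raise ValueError("FQDN longer than 255 characters")
    return name


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def iterative_query(server, name, qtype):
    """One iterative query: the server returns the best it has, which is a direct
    answer, a CNAME, a referral to a delegated subzone, 'nodata' (name exists
    without that type) or 'nxdomain' (name does not exist)."""
    zone, records = SERVERS[server]
    if not in_zone(name, zone):
        return ("refused", None)          # not authoritative; no cache in this model
    if (name, qtype) in records:
        return ("answer", records[(name, qtype)])
    if (name, "CNAME") in records:
        return ("cname", records[(name, "CNAME")][0])
    labels = name.split(".")
    for i in range(len(labels)):          # most specific enclosing name first
        candidate = ".".join(labels[i:])
        if candidate == zone:
            break                         # reached our own apex: nothing delegated
        if (candidate, "NS") in records:
            return ("referral", records[(candidate, "NS")][0])
    if any(owner == name for owner, _ in records):
        return ("nodata", None)
    return ("nxdomain", None)


def resolve(name, qtype="A", max_steps=12):
    """The local DNS server answering a recursive query: it may not refer the
    resolver elsewhere, so it walks the tree itself starting at the root.
    Returns (answer values or None, list of (server, reply kind) visited)."""
    name = normalize(name)
    trail, server = [], ROOT
    for _ in range(max_steps):
        kind, data = iterative_query(server, name, qtype)
        trail.append((server, kind))
        if kind == "answer":
            return data, trail
        if kind == "referral":
            server = data                 # steps 6-7: ask the server we were pointed at
        elif kind == "cname":
            name, server = data, ROOT     # alias: resolve the canonical name instead
        else:                             # nxdomain / nodata / refused -> error to resolver
            return None, trail
    return None, trail


if __name__ == "__main__":
    for q in ("mail.mecit.edu.om", "www.mecit.edu.om", "ftp.mecit.edu.om"):
        answer, trail = resolve(q)
        print(q, "->", answer, "via", " > ".join(f"{s}:{k}" for s, k in trail))
```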

Zone Lookup Types

The zone lookup type determines the tasks that a DNS server will perform.
When you create a zone, you specify whether the zone will be used for
resolving forward or reverse lookup queries by specifying the zone type.

Forward lookup: A request to map a name to an IP address. This is the most
common type of lookup and is used to locate a server's IP address so that a
connection can be made to it. This type of request requires name-to-address
resolution.

Reverse lookup: A request to map an IP address to a name. This is most
commonly used when you know an IP address, but you want to know the
domain name that is associated with the IP address.
It is used when monitoring IP connections that are made to the server.

DHCP

Dynamic Host Configuration Protocol (DHCP)

This protocol is used to assign IP addresses to hosts or workstations on the
network. Usually a DHCP server on the network performs this function.
Basically it "leases" out addresses for specific times to the various hosts. If a
host does not use a given address for some period of time, that IP address
can then be assigned to another machine by the DHCP server. When
assignments are made or changed, the DHCP server must update the
information in the DNS server.

As with BOOTP, DHCP uses the machine's (or NIC's) Ethernet hardware
(MAC) address to determine IP address assignments. The DHCP protocol
is built on BOOTP and replaces BOOTP. DHCP extends the vendor-specific
area in BOOTP to 312 bytes from 64. RFC 1541 defines DHCP.

DHCP RFCs
The DHCP RFCs are 1533, 1534, 1541, and 1542. The information sent from the
DHCP server to the client machine is:

• IP address
• Subnet mask
• Default gateway address
• DNS server address(es)
• NetBIOS Name Server (NBNS) address(es)
• Lease period in hours
• IP address of the DHCP server

Manual vs. Automatic TCP/IP Configuration

Manual TCP/IP Configuration                 | Automatic TCP/IP Configuration
--------------------------------------------|--------------------------------------------
IP addresses entered manually on each       | IP addresses are supplied automatically
client computer                             | to client computers
Possibility of entering an incorrect or     | Ensures that clients always use correct
invalid IP address                          | configuration information
Incorrect configuration can lead to         | Eliminates a common source of network
communication and network problems          | problems
Administrative overhead on networks where   | Client configuration is updated
computers are frequently moved              | automatically to reflect changes in the
                                            | network structure

DHCP Lease Stages (DHCP Lease Generation Process)

1. Lease Request - The client sends a broadcast requesting an IP
   address.
2. Lease Offer - The server sends the above information and marks the
   offered address as unavailable. The message sent is a DHCPOFFER
   broadcast message.
3. Lease Acceptance - The first offer received by the client is accepted.
   The acceptance is sent from the client as a broadcast
   (DHCPREQUEST message) including the IP address of the DHCP
   server that sent the accepted offer. Other DHCP servers retract their
   offers and mark the offered address as available and the accepted
   address as unavailable.
4. Server Lease Acknowledgement - The server sends a DHCPACK, or
   a DHCPNACK if an unavailable address was requested.

[Diagram: the four-step exchange between the DHCP CLIENT and the DHCP SERVER:
IP Lease Request, IP Lease Offer, IP Lease Selection, IP Lease
Acknowledgement]

DHCP discover message - The initial broadcast sent by the client to obtain a
DHCP lease. It contains the client MAC address and computer name. This is
a broadcast using 255.255.255.255 as the destination address and 0.0.0.0 as
the source address. The request is sent, then the client waits one second for
an offer. The request is repeated at 9, 13, and 16 second intervals with an
additional 0 to 1000 milliseconds of randomness. The attempt is repeated
every 5 minutes thereafter.
The client uses its own port 68 as the source port with port 67 as the
destination port on the server to send the request to the server. The server
uses its own port 67 as the source port with port 68 as the destination port on
the client to reply to the client. Therefore the server is listening and sending
on its own port 67 and the client is listening and sending on its own port 68.
This can be confusing when you consider which way the message is going.
To be clear on this, I quote RFC 1531, which states "DHCP messages from a
client to a server are sent to the 'DHCP server' port (67), and DHCP
messages from a server to a client are sent to the 'DHCP client' port (68)".
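The discover message described above, as an added example (not part of the module guide): it builds a DHCPDISCOVER with the ports and addresses the page names and decodes it again. The host name, transaction id and the retry helper are constructed; the MAC address is the sample value from the MAC address section of this guide.

```python
"""Added example (not from the module guide): build and decode a DHCPDISCOVER.
Layout is the BOOTP/DHCP fixed header (op, htype, hlen, hops, xid, secs, flags,
ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file) followed by the magic
cookie and TLV options. Nothing is sent on the network."""
import struct

DHCP_SERVER_PORT = 67           # page: client -> server goes to port 67
DHCP_CLIENT_PORT = 68           # page: server -> client goes to port 68
BROADCAST_IP = "255.255.255.255"
UNCONFIGURED_IP = "0.0.0.0"     # the client has no address yet
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOST_NAME, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 12, 53, 61, 255
DHCPDISCOVER = 1
RETRY_SECONDS = (1, 9, 13, 16)  # page: wait 1 s, then again at 9, 13 and 16 s


def build_discover(mac, hostname, xid):
    """Return (src_ip, src_port, dst_ip, dst_port, payload) for a DHCPDISCOVER."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,             # transaction id, secs, broadcast flag set
        bytes(4), bytes(4), bytes(4), bytes(4),   # ciaddr yiaddr siaddr giaddr
        chaddr, bytes(64), bytes(128))            # client MAC, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_HOST_NAME, len(hostname)]) + hostname.encode("ascii")
               + bytes([OPT_CLIENT_ID, 7, 1]) + chaddr[:6]   # type 1 = Ethernet MAC
               + bytes([OPT_END]))
    payload = header + MAGIC_COOKIE + options
    return UNCONFIGURED_IP, DHCP_CLIENT_PORT, BROADCAST_IP, DHCP_SERVER_PORT, payload


def parse_message(payload):
    """Decode the fixed header and options; reject anything that is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    chaddr = payload[28:28 + min(hlen, 16)]
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                    # pad option: single byte, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "type": options.get(OPT_MSG_TYPE, b"\x00")[0],
        "hostname": options.get(OPT_HOST_NAME, b"").decode("ascii", "replace"),
        "options": options,
    }


def retry_delay(attempt, jitter_ms=0):
    """Seconds to wait before attempt number `attempt` (0-based), following the
    schedule on the page: 1, 9, 13, 16 s plus the 0-1000 ms of randomness the
    caller supplies, then every 5 minutes."""
    if attempt < len(RETRY_SECONDS):
        return RETRY_SECONDS[attempt] + jitter_ms / 1000
    return 300.0


if __name__ == "__main__":
    src, sport, dst, dport, pkt = build_discover("00:80:00:20:12:ef", "ws-lab01", 0x3903F326)
    print(f"{src}:{sport} -> {dst}:{dport}, {len(pkt)} bytes")
    print(parse_message(pkt))
```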

DHCP Lease Renewal

After 50% of the lease time has passed, the client will attempt to renew the
lease with the original DHCP server that it obtained the lease from, using a
DHCPREQUEST message. Any time the client boots and the lease is 50% or
more elapsed, the client will attempt to renew the lease. At 87.5% of the lease
period, the client will attempt to contact any DHCP server for a new
lease. If the lease expires, the client will send a request as in the initial boot
when the client had no IP address. If this fails, the client TCP/IP stack will
cease functioning.

DHCP Scope and Subnets

One DHCP scope is required for each subnet.

DHCP Relay Agents

May be placed in two places:

• Routers
• Subnets that don't have a DHCP server, to forward DHCP requests.

Client Reservation
Client reservation is used to be sure a computer gets the same IP address
all the time. Since DHCP IP address assignments use MAC
addresses to control assignments, the following are required for a client
reservation:

• MAC (hardware) address
• IP address

Exclusion Range
An exclusion range is used to reserve a bank of IP addresses so that computers
with static IP addresses, such as servers, may use the addresses in this
range. These addresses are not assigned by the DHCP server.
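Scope, exclusion range, client reservation and the lease renewal timings from the passages above, as an added example (not part of the module guide) of the server-side bookkeeping they imply; the addresses, MAC addresses and times are constructed.

```python
"""Added example (not from the module guide): a minimal model of a DHCP scope
with an exclusion range, client reservations keyed by MAC address, and leases
that expire so an address can be reused. client_state() covers the lease
renewal passage (50% / 87.5% / expiry). All values are constructed."""
import ipaddress


def _to_int(ip):
    return int(ipaddress.ip_address(ip))


class Scope:
    """One scope serves one subnet (page: one scope is required per subnet)."""

    def __init__(self, first, last, lease_seconds):
        self.first, self.last = _to_int(first), _to_int(last)
        self.lease_seconds = lease_seconds
        self.excluded = set()      # addresses the server must never offer
        self.reservations = {}     # MAC -> the address that client always gets
        self.leases = {}           # address -> (MAC, expiry time)

    def exclude(self, first, last):
        """Exclusion range: kept for hosts with static addresses, e.g. servers."""
        self.excluded.update(range(_to_int(first), _to_int(last) + 1))

    def reserve(self, mac, ip):
        """Client reservation: needs the MAC (hardware) address and the IP address."""
        self.reservations[mac.lower()] = _to_int(ip)

    def _expire(self, now):
        """Leases the client did not renew in time go back to the pool."""
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]

    def _grant(self, ip, mac, now):
        self.leases[ip] = (mac, now + self.lease_seconds)
        return str(ipaddress.ip_address(ip))

    def offer(self, mac, now):
        """Address a DHCPOFFER (or a renewal DHCPACK) would carry; None if exhausted."""
        mac = mac.lower()
        self._expire(now)
        for ip, (holder, _) in self.leases.items():
            if holder == mac:                      # renewal: same address again
                return self._grant(ip, mac, now)
        if mac in self.reservations:
            return self._grant(self.reservations[mac], mac, now)
        reserved = set(self.reservations.values())
        for ip in range(self.first, self.last + 1):
            if ip not in self.excluded and ip not in reserved and ip not in self.leases:
                return self._grant(ip, mac, now)
        return None


def client_state(issued, lease_seconds, now):
    """Client behaviour at time `now` for a lease issued at `issued` (page:
    renew with the original server after 50%, ask any server at 87.5%,
    start over with a discover broadcast once the lease has expired)."""
    elapsed = now - issued
    if elapsed >= lease_seconds:
        return "expired"
    if elapsed >= lease_seconds * 0.875:
        return "rebinding"
    if elapsed >= lease_seconds * 0.5:
        return "renewing"
    return "bound"


if __name__ == "__main__":
    scope = Scope("192.168.10.10", "192.168.10.20", lease_seconds=3600)
    scope.exclude("192.168.10.10", "192.168.10.12")      # static servers live here
    scope.reserve("00:80:00:20:12:ef", "192.168.10.15")
    for mac in ("aa:bb:cc:00:00:01", "00:80:00:20:12:ef", "aa:bb:cc:00:00:02"):
        print(mac, "->", scope.offer(mac, now=0))
    print("at 1800 s the first client is", client_state(0, 3600, 1800))
```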

IP address

An IP address (also called an IP number) is a number (typically written as four
numbers separated by periods, e.g. 107.4.1.3 or 84.2.1.111) which uniquely
identifies a computer that is making use of the Internet. It is analogous to your
telephone number in that the telephone number is used by the telephone
network to direct calls to you. The IP address is used by the Internet to direct
data to your computer, e.g. the data your web browser retrieves and displays
when you surf the net. One task of DHCP is to assist in the problem of getting
a functional and unique IP number into the hands of the computers that make
use of the Internet.

MAC address

A MAC address (also called an Ethernet address or an IEEE MAC address) is
a number (typically written as twelve hexadecimal digits, 0 through 9 and A
through F, or as six hexadecimal numbers separated by periods or colons, e.g.
0080002012ef or 0:80:0:2:20:ef) which uniquely identifies a computer that has
an Ethernet interface. Unlike the IP number, it includes no indication of where
your computer is located. In DHCP's typical use, the server uses a requesting
computer's MAC address to uniquely identify it.

DHCP lease

A DHCP lease is the amount of time that the DHCP server grants to the
DHCP client permission to use a particular IP address. A typical server allows
its administrator to set the lease time.

DHCP Relay Agent
Definition
A DHCP relay agent is a computer or router that is configured to listen for
DHCP/BOOTP broadcasts from DHCP clients and then relay those messages
to DHCP servers on different subnets. DHCP/BOOTP relay agents are part of
the DHCP and BOOTP standards, and they function according to the Request
for Comments (RFC) standard documents that describe protocol design and
related behavior.
An RFC 1542-compliant router is a router that supports the forwarding of
DHCP broadcast traffic.
Why use a DHCP relay agent?
DHCP clients use broadcasts to secure a lease from a DHCP server. Routers
normally do not pass broadcasts unless specifically configured to do so.
Consequently, without additional configuration, DHCP servers can provide IP
addresses only to clients located on the local subnet. Many organizations find
it more efficient to centralize the servers that provide the DHCP Server
service. To do so, they must configure the network so that DHCP broadcasts
will be passed from the client to the DHCP server. This can be done in one of
two ways: by configuring the routers that connect the subnets to forward
DHCP broadcasts, or by configuring them to implement DHCP relay agents.
Windows Server 2003 supports the Routing and Remote Access service, which
can be configured to function as a DHCP relay agent.

DHCP strategies in a routed network

To understand why you would use a Microsoft DHCP relay agent, it is
important to identify strategies that can be implemented in a routed network.
For example:

• Include at least one DHCP server on each subnet.
  This method requires at least one DHCP server on each subnet to
  directly respond to DHCP client requests. However, this configuration
  potentially requires more administrative and equipment overhead
  because of the need to locate a DHCP server on each individual
  subnet rather than providing DHCP server services from a centralized
  location to multiple subnets. In addition, to provide fault tolerance, this
  solution would require two servers configured on each subnet as
  DHCP servers. Placing two DHCP servers on each subnet is often
  impractical.
• Configure an RFC 1542-compliant router to forward DHCP messages
  between subnets.
  An RFC 1542-compliant router can be configured to selectively forward
  DHCP broadcasts to another subnet. Although this option is preferable
  to using DHCP servers on each subnet, it can complicate router
  configuration and cause unnecessary broadcast traffic to be forwarded
  to other subnets.
• Configure a Microsoft DHCP relay agent on each subnet to forward
  DHCP messages to one or more particular DHCP servers on another
  subnet.
  Configuring a Microsoft DHCP relay agent on each subnet has several
  advantages over the other options: it limits broadcasts to the subnet in
  which they originate, and adding DHCP relay agents to multiple
  subnets allows a single DHCP server to provide IP addresses to
  multiple subnets more efficiently than when using RFC 1542-compliant
  routers. You can also configure a Microsoft DHCP relay agent to delay
  its response to a client request by a few seconds, in effect creating
  primary and secondary DHCP responders.
• Configure a DHCP server that has multiple network cards.
  When you configure a DHCP server that has multiple network cards,
  you can connect each network card to a different subnet. You can then
  configure DHCP scopes for each network that is attached to the
  server. This is the recommended configuration if all subnets are in a
  single location.

Network Troubleshooting Commands

Troubleshooting computer networks is among the most important duties of
network administrators, system administrators, network
technicians and IT consultants. A computer network can have different
kinds of problems: it can be infected with viruses and spyware, attacked
by hackers, accessed by unauthorized users, and it may face connectivity
failures due to faulty network devices or configurations. The following is
a list of the basic network troubleshooting commands that are built into
Windows-based operating systems, UNIX, etc. The right use of these
troubleshooting commands can help a lot in diagnosing and resolving
issues with your computer network.

PING
Ping is the most important troubleshooting command; it checks the
connectivity with other computers. For example, if your system's IP address
is 10.10.10.10 and your network server's IP address is 10.10.10.1, you
can check the connectivity with the server by using the Ping command in the
following format.
At the DOS prompt type ping 10.10.10.1 and press Enter.
If you get a reply from the server then the connectivity is OK, and if you get
an error message like "Request timed out" this means there is some
problem in the connectivity with the server.

IPCONFIG
Ipconfig is another important command in Windows. It shows the IP address
of the computer, and it also shows the DNS, DHCP and gateway addresses of
the network and the subnet mask.
At the DOS prompt type ipconfig and press Enter to see the IP address of your
computer.
At the DOS prompt type ipconfig /all and press Enter to see detailed
information.
At the DOS prompt type ipconfig /displaydns and press Enter to display the
contents of the DNS cache.
At the DOS prompt type ipconfig /flushdns and press Enter to clear the DNS
cache.
At the DOS prompt type ipconfig /release and press Enter to release all
DHCP-assigned IP addresses.
At the DOS prompt type ipconfig /renew and press Enter to renew all
DHCP-assigned IP addresses.
NSLOOKUP
NSLOOKUP is a TCP/IP-based command that checks domain name
aliases, DNS records and operating system information by sending queries to
Internet Domain Name Servers. You can use it to resolve errors with the DNS of
your network server.
HOSTNAME
The hostname command shows you the computer name.
At the DOS prompt type hostname and press Enter.
NETSTAT
The NETSTAT utility shows protocol statistics and the current established
TCP/IP connections on the computer.
NBTSTAT
NBTSTAT helps to troubleshoot NetBIOS name resolution problems.
ARP
ARP displays and modifies the IP-to-physical address translation table that is
used by the ARP protocol.
FINGER
The finger command is used to retrieve information about a user on a
network.
TRACERT
The tracert command is used to determine the path to a remote system. This
tool also provides the number of hops and the IP address of each hop. For
example, if you want to see how many hops (routers) are involved in
reaching a URL and what the IP address of each hop is, use the following
command.
At the command prompt type tracert www.yahoo.com and you will see a list of all
the hops and their IP addresses.

TRACEROUTE
Traceroute is a very useful network debugging command; it is used for
locating the server that is slowing down a transmission on the Internet, and it
also shows the route between two systems.

ROUTE
The route command allows you to make manual entries in the routing table.

PATHPING
Combines the functions of ping and tracert.

net session
Shows all Windows networking sessions.

net use
Retrieves a list of network connections.

net share
Lists all Windows shares that are available on this machine.

net user
Shows the user accounts for the computer.

net user /domain
Displays the user accounts for the domain.

net view
Displays the domains in the network.

net user /domain <UserName>
Shows account details for a specific user.

whether the port is open
WEB SERVER

A Web server is a program that, using the client/server model and the World
Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form
Web pages to Web users (whose computers contain HTTP clients that
forward their requests). Every computer on the Internet that contains a Web
site must have a Web server program. Two leading Web servers are Apache,
the most widely installed Web server, and Microsoft's Internet Information
Server (IIS).

Other Web servers include Novell's Web Server for users of its NetWare
operating system and IBM's family of Lotus Domino servers, primarily for
IBM's OS/390 and AS/400 customers.

Configuring a WEB SERVER

By default IIS is installed automatically when you install Windows 2000. IIS is
designed to support simple websites in addition to multiple web sites on a
single server. In addition to the World Wide Web (WWW) server, the other
Internet services that IIS includes are:

• FTP (File Transfer Protocol) Service: Enables you to set up FTP sites for
  uploading and downloading files.
• NNTP (Network News Transfer Protocol) Service: Enables you to host
  electronic discussion groups or newsgroups.
• SMTP (Simple Mail Transfer Protocol) Service: Enables you to receive mail
  messages from client applications and send these mail messages to
  another server over the Internet.

Methods of Authentication

• Anonymous access provides users access to the public areas of your
  website without prompting them for a user name and password. This
  authentication method is configured by default during IIS installation.
• Basic Authentication prompts the users for a user name and
  password before allowing access to a web page. You can set basic
  authentication at the Web Site, Folder or File level.
• Digest Authentication is a new feature in IIS 5.0. This method is
  similar to Basic authentication, but it involves a different way of
  transmitting the authentication credentials. The authentication
  credentials pass through a process called hashing.
• Integrated Windows Authentication is used when you are configuring an
  intranet site, where both the users and the web server are in the same
  domain, or in domains with a trust relationship.
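What Basic and Digest authentication actually put in the Authorization header, as an added example (not part of the module guide) of the hashing the guide mentions. The realm, nonce, user name, password and URI are constructed; the Digest arithmetic is the RFC 2617 MD5 form without qop (HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2)).

```python
"""Added example (not from the module guide): Basic versus Digest credentials
on the wire, plus the server-side check for Digest. All values constructed."""
import base64
import hashlib
import hmac
import re

REALM = "mecit-intranet"   # constructed realm name


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Basic: 'user:password' is only base64-encoded, not hashed or encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Authorization: Basic " + token


def basic_observer_view(header):
    """What anyone who can read the request (no TLS on the path) learns from a
    Basic header: the user name and the password themselves."""
    user, _, password = base64.b64decode(header.split()[-1]).decode().partition(":")
    return user, password


def digest_header(user, password, method, uri, nonce, realm=REALM):
    """Digest: the client sends a hash derived from the password and the
    server-issued nonce; the password itself never leaves the client."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{nonce}:{ha2}")
    return (f'Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


def enrol(user, password, realm=REALM):
    """What the server stores for Digest: HA1, not the clear-text password."""
    return md5_hex(f"{user}:{realm}:{password}")


def verify_digest(header, method, ha1_db, issued_nonce):
    """Server side: parse the header, recompute the expected response from the
    stored HA1 and compare in constant time. The nonce must be the one this
    server issued for the request, so a captured header cannot simply be
    replayed later."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
    user = fields.get("username")
    if fields.get("nonce") != issued_nonce or user not in ha1_db:
        return False
    ha2 = md5_hex(f"{method}:{fields.get('uri', '')}")
    expected = md5_hex(f"{ha1_db[user]}:{issued_nonce}:{ha2}")
    return hmac.compare_digest(expected.encode(), fields.get("response", "").encode())


if __name__ == "__main__":
    print(basic_header("alice", "s3cret"))
    print(digest_header("alice", "s3cret", "GET", "/staff/index.asp", "nonce-1"))
```

Digest keeps the password off the wire but still rests on unsalted MD5 that can be guessed offline from a captured header, which is why both methods are placed behind TLS in practice.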

FTP
What is FTP?

FTP (File Transfer Protocol) is the simplest and most secure way to exchange
files over the Internet. Most often, a computer with an FTP address is
dedicated to receiving FTP connections. Just as a computer that is set up to
host Web pages is referred to as a Web server or Website, a computer
dedicated to receiving FTP connections is referred to as an FTP server or
FTP site.

What is an FTP Site?

An FTP site is like a large filing cabinet. With a traditional filing cabinet, the
person who does the filing has the option to label and organize the files
however they see fit. They also decide which files to keep locked and which
remain public. It is the same with an FTP site.

The virtual 'key' to get into an FTP site is the UserID and Password. If the
creator of the FTP site is willing to give everyone access to the files, the
UserID is 'anonymous' and the Password is your e-mail address (e.g.
name@domain.com).

If the FTP site is not public, there will be a unique UserID and Password for
each person who is granted access.

When connecting to an FTP site that allows anonymous logins, you're
frequently not prompted for a name and password. Hence, when
downloading from the Internet, you most likely are using an anonymous FTP
login and you don't even know it.

To make an FTP connection you can use a standard Web browser (Internet
Explorer, Netscape, etc.) or a dedicated FTP software program, referred to as
an FTP 'Client'.

When using a Web browser for an FTP connection, FTP uploads are difficult,
or sometimes impossible, and downloads are not protected (not
recommended for uploading or downloading large files).

When connecting with an FTP Client, uploads and downloads couldn't be
easier, and you have added security and additional features. For one, you're
able to resume a download that did not successfully finish, which is a very
nice feature for people using dial-up connections who frequently lose their
Internet connection.

What is an FTP Client?

An FTP Client is software that is designed to transfer files back-and-forth


between two computers over the Internet. It needs to be installed on your
computer and can only be used with a live connection to the Internet.

The classic FTP Client look is a two-pane design. The pane on the left
displays the files on your computer and the pane on the right displays the files
on the remote computer.

File transfers are as easy as dragging-and-dropping files from one pane to
the other or by highlighting a file and clicking one of the direction arrows
located between the panes.
Additional features of the FTP Client include: multiple file transfer; the auto
re-get or resuming feature; a queuing utility; the scheduling feature; an FTP
find utility; a synchronize utility; and for the advanced user, a scripting utility.

FTP commands using DOS prompt
FTP can also be done using the DOS prompt. The port number for FTP is 21.
A user should type ftp and then use the open command to connect to the
server (port 21 unless another port is given).

A user must log in to the server with a valid username and password.

Decide whether you have to send images, or text and HTML files.

 If you need to send images, change from the default ASCII mode to
binary.
 If you need to send HTML, ASP or other text files, use the default ASCII
mode.

To send a file the command is "send" filename.

To receive a file from the remote server it is "get" filename.

"mput" and "mget" can be used to send and receive multiple files.

"help" will display the different commands.

"lcd" is used to change the directory on the local machine and "cd" is used to
change the directory on the remote machine.

"dir" will display all the files and "status" will show the status as to whether it
is in ASCII mode or binary mode.

"bye" is used to disconnect from the FTP server.
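The same session scripted with Python's standard ftplib, as an added example that is not part of the module guide. The host, user name, password, directory and file names are placeholders to be replaced, and the comments map each ftplib call to the prompt command it stands for. Plain FTP sends the user ID, password and file contents in clear text, so the script defaults to explicit FTP over TLS (FTP_TLS) and falls back to plain FTP only when asked.

```python
"""Scripted FTP session with ftplib (added example; host and credentials are placeholders)."""
import os
from ftplib import FTP, FTP_TLS

# Extensions the guide treats as text: sent in the default ASCII mode.
# Everything else (images, archives, executables) goes in binary mode.
TEXT_EXTENSIONS = {".html", ".htm", ".asp", ".txt", ".css", ".js", ".xml"}


def transfer_mode(filename: str) -> str:
    """Return the FTP TYPE code: 'A' (ASCII) for text files, 'I' (image/binary) otherwise."""
    ext = os.path.splitext(filename)[1].lower()
    return "A" if ext in TEXT_EXTENSIONS else "I"


def protocol_command(verb: str, filename: str) -> str:
    """Map the prompt's 'send'/'get' verbs to the STOR/RETR commands sent on the wire."""
    wire = {"send": "STOR", "get": "RETR"}
    if verb not in wire:
        raise ValueError("verb must be 'send' or 'get'")
    return f"{wire[verb]} {filename}"


def run_session(host, user, password, local_dir, remote_dir,
                uploads=(), downloads=(), use_tls=True):
    """Mirror the prompt session: open, login, lcd/cd, dir, send/get (mput/mget), bye.

    Returns the remote directory listing captured by 'dir'.
    """
    ftp = FTP_TLS() if use_tls else FTP()
    ftp.connect(host, 21)              # open <host>   (control channel on port 21)
    ftp.login(user, password)          # log in with a valid username and password
    if use_tls:
        ftp.prot_p()                   # also encrypt the data channel (listings, file contents)
    os.chdir(local_dir)                # lcd <local_dir>
    ftp.cwd(remote_dir)                # cd <remote_dir>
    listing = []
    ftp.dir(listing.append)            # dir
    for name in uploads:               # send / mput
        mode = transfer_mode(name)
        ftp.voidcmd("TYPE " + mode)    # ascii / binary (storlines/storbinary repeat this, harmlessly)
        with open(name, "rb") as fh:
            if mode == "A":
                ftp.storlines(protocol_command("send", name), fh)
            else:
                ftp.storbinary(protocol_command("send", name), fh)
    for name in downloads:             # get / mget
        mode = transfer_mode(name)
        ftp.voidcmd("TYPE " + mode)
        if mode == "A":
            with open(name, "w", newline="") as fh:
                ftp.retrlines(protocol_command("get", name), lambda line: fh.write(line + "\n"))
        else:
            with open(name, "wb") as fh:
                ftp.retrbinary(protocol_command("get", name), fh.write)
    ftp.quit()                         # bye
    return listing
```

Call run_session("ftp.example.test", "user", "password", "C:/site", "/public_html", uploads=["index.html", "logo.png"]) against a server you administer; the text file goes up in ASCII mode and the image in binary, exactly as the prompt steps require.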

NETWORK SECURITY
What is PKI?

 PKI is the acronym for Public Key Infrastructure.


 The technology is called Public Key because, unlike earlier forms of
cryptography, it works with a pair of keys. One of the two keys can be
used to encrypt information that can only be decrypted with the other key.
 One key is made public and the other is kept secret. The secret key is
usually called the private key.
 Since anyone can obtain the public key, users can initiate secure
communications without having to previously share a secret through some
other medium with their correspondent.
 The Infrastructure is the underlying system needed to issue keys and
certificates and to publish the public information.
 PKI is a set of comprehensive system policies, procedures, and
technologies working together to allow secure and confidential
communication between internet users.
 PKI is based on the idea of encryption using public and private keys.
 PKI uses key pairs (public and private keys) where the public key is
digitally signed by a third party known as a certification authority.

Public Key Certificates


A public key needs to be associated with the name of its owner. This is done
by using a public key certificate, which is a data structure containing the
owner's name, their public key and e-mail address, validity dates for the
certificate, the location of revocation information, the location of the issuer's
policies, and possibly other information such as their affiliation with the
certificate issuer (often an employer or institution). The certificate data
structure is signed with the private key of the issuer so that a recipient can
verify the identity of the signer and prove that the data in the certificate has
not been altered. Public Key Certificates are then published, often in an LDAP
directory, so users of PKI can locate the certificate for an individual with
whom they wish to communicate securely.

Encryption and Signing


A secret key allows two transformations of data to occur. Plain text is
transformed to cipher text, which is unreadable until it is transformed back to
plain text using the secret key. A public key system uses the Encrypt and
Decrypt functions to implement two primitive operations, data encryption and
signatures.
To encrypt data, the public key of the recipient is used to transform a plain
text message to cipher text. The cipher text of the message can be converted
back to plain text only by using the corresponding private key. Since this
private key is known only by the intended recipient, only that individual can
decrypt the message.
A signature is created by transforming plain text to cipher text using the
private key of the signer. A signature is verified by looking up the public key of
the signer and attempting to transform the cipher text of the signature back to
plain text. If the operation is successful, it verifies that the data encryption was
done with the corresponding private key. This implies that the signature was
produced by the owner of that private key.
What is the relationship between PKI and security?
The relationship between PKI and security lies in the fact that the public and
private keys can be used for encryption. To secure online transactions one
must hide the content of the data being transmitted over the wire; PKI is used
to do this task through the use of SSL and TLS.
What are the major elements of PKI?
The major components of PKI are listed below.

 Certification Authority
 Digital certificates
 Public & private key pairs
 Certificate Policy (CP)
 Certification Practices Statement (CPS)

What is a Certificate Authority (CA)?


A Certification Authority is a trusted third party that verifies the identity of an
entity registering for a digital certificate. Once a Certification Authority
authenticates the requesting entity's identity, it issues a digital certificate to
the requesting entity binding his or her identity to a public key. (Digital
certificates can be issued to organizations and devices in addition to people)
What is digital certificate?
 Digital Certificates are the electronic counterparts to driver licenses,
passports and membership cards. You can present a Digital Certificate
electronically to prove your identity or your right to access information
or services online.
 Digital Certificates bind an identity to a pair of electronic keys that can
be used to encrypt and sign digital information.
 Used in conjunction with encryption, Digital Certificates provide a more
complete security solution, assuring the identity of all parties involved
in a transaction.
 A Digital Certificate is issued by a Certification Authority (CA) and
signed with the CA's private key.
 A Digital Certificate typically contains the:
o Owner's public key
o Owner's name
o Expiration date of the public key
o Name of the issuer (the CA that issued the Digital Certificate)
o Serial number of the Digital Certificate
o Digital signature of the issuer

 The most widely accepted format for Digital Certificates is defined by
the ITU-T X.509 international standard; thus certificates can be read or
written by any application complying with X.509.

X.509
X.509 is an ITU-T (ITU Telecommunication Standardization Sector) standard
for PKI (Public Key Infrastructure) in cryptography, which, amongst many
other things, defines specific formats for PKC (Public Key Certificates) and
the algorithm that verifies that a given certificate path is valid.
Certificate Structure
An X.509 version 3 digital certificate has three main parts: the certificate
itself, the certificate signature algorithm and the certificate signature. The
certificate is described by attributes such as version, algorithm ID, serial
number, issuer, subject, validity, subject public key info, extensions and
several other optional ones like subject and issuer unique identifier. The
subject public key info attribute is further detailed by the public key algorithm
and subject public key, while the validity attribute has a lower and an upper
date limit (Not Before and Not After), which together determine the lifetime of
the certificate.
Structure of a certificate

The structure of a X.509 v3 digital certificate is as follows:

Certificate
Version
Serial Number
Algorithm ID
Issuer
Validity
 Not Before
 Not After
Subject
Subject Public Key Info
 Public Key Algorithm
 Subject Public Key
Issuer Unique Identifier (Optional)
Subject Unique Identifier (Optional)
Extensions (Optional)
 ...
Certificate Signature Algorithm
Certificate Signature

IPSec
 Internet Protocol Security (IPSec) is a collection of standards that was
designed specifically to create secure end-to-end connections.
 The standards were developed by the Internet Engineering Task Force
(IETF) to secure communications over both public and private
networks, though it is particularly beneficial on public networks.
 Using Internet Protocol Security (IPSec), you can provide data privacy,
integrity, authenticity, and anti-replay protection for network traffic.
 The bundle of protocols, hashing, and encryption algorithms used in
IPSec includes:
o IKE [Internet Key Exchange protocol]
o ISAKMP [Internet Security Association and Key Management
Protocol]
o AH [Authentication Header protocol]
o ESP [Encapsulating Security Payload protocol]
o STS [Station-to-Station protocol]
o HMAC [Hash Message Authentication Code]
o MD5 [Message Digest 5]
o SHA-1 [Secure Hash Algorithm]
o 3DES [Triple Data Encryption Standard]
o XAUTH [Extended Authentication]
o AES [Advanced Encryption Standard]

AH vs ESP

"Authentication Header" (AH) and "Encapsulating Security Payload" (ESP)
are the two main wire-level protocols used by IPsec; they authenticate (AH)
or encrypt and authenticate (ESP) the data flowing over that connection.

AH is used to authenticate, but not encrypt, IP traffic.

Authentication Header (AH) provides an authenticity guarantee for packets by
attaching a strong crypto checksum to each packet. If you receive a packet
with AH and the checksum operation was successful, you can be sure about
two things, provided that you and the peer share a secret key and no other
party knows the key:

o The packet was originated by the expected peer; it was not
generated by an impersonator.
o The packet was not modified in transit.

Encapsulating Security Payload (ESP) provides a confidentiality guarantee
for packets by encrypting them with an encryption algorithm. If you receive a
packet with ESP and successfully decrypt it, you can be sure that anyone who
captured the packet in transit could not read its contents, provided that you
and the peer share a secret key and no other party knows the key.
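The AH guarantee above, reproduced in miniature as an added example (not code from the module guide and not a real IPsec stack): an HMAC-SHA1 checksum over a stand-in IP header, a sequence number and the payload, truncated to 96 bits as AH does, checked in constant time and combined with the anti-replay rule that an old or repeated sequence number is rejected. The shared key and packet contents are constructed sample values, and the layout is simplified to the fields needed to make the point.

```python
"""AH-style integrity check with HMAC-SHA1 and a sequence number (added example).

Not the module guide's code and not a real IPsec implementation: the packet
layout is simplified and the shared key is a constructed sample value.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12   # AH truncates HMAC-SHA1 to 96 bits (the Integrity Check Value)


def ah_protect(key: bytes, ip_header: bytes, payload: bytes, seq: int) -> bytes:
    """Attach a strong crypto checksum over header, sequence number and payload."""
    seq_field = struct.pack(">I", seq)
    icv = hmac.new(key, ip_header + seq_field + payload, hashlib.sha1).digest()[:ICV_LEN]
    return ip_header + seq_field + icv + payload   # the payload itself stays in clear text


def ah_verify(key: bytes, packet: bytes, header_len: int, last_seq: int):
    """Return (payload, seq) if the ICV checks out and seq is fresh, otherwise None.

    A successful check tells you the packet came from a holder of the shared key
    and was not modified in transit; it says nothing about confidentiality.
    """
    ip_header = packet[:header_len]
    seq_field = packet[header_len:header_len + 4]
    icv = packet[header_len + 4:header_len + 4 + ICV_LEN]
    payload = packet[header_len + 4 + ICV_LEN:]
    if len(seq_field) < 4 or len(icv) < ICV_LEN:
        return None                                   # truncated packet
    (seq,) = struct.unpack(">I", seq_field)
    expected = hmac.new(key, ip_header + seq_field + payload, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):        # constant-time comparison
        return None
    if seq <= last_seq:                               # anti-replay: old or repeated packet
        return None
    return payload, seq


def demo():
    """Constructed packet: a good copy, a tampered copy, and a replayed copy."""
    key = b"constructed-shared-key-0123456789"
    header = b"\x45\x00" + b"\x00\x00" * 9            # 20-byte stand-in for an IPv4 header
    packet = ah_protect(key, header, b"hello peer", seq=1)
    fresh = ah_verify(key, packet, 20, last_seq=0)
    tampered = bytearray(packet)
    tampered[-1] ^= 0x01                               # flip one bit of the payload in transit
    modified = ah_verify(key, bytes(tampered), 20, last_seq=0)
    replayed = ah_verify(key, packet, 20, last_seq=1)   # same packet seen again
    return fresh, modified, replayed, b"hello peer" in packet
```

The last value returned by demo() shows the point made in the text: the payload is still readable in the AH-protected packet, because AH authenticates but does not encrypt.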

Modes of Operation for IPSec

 There are two modes of operation for IPSec: transport mode and
tunnel mode.

Transport Mode

 In transport mode, only the payload of the message is encrypted.
 Transport Mode is used to protect an end-to-end conversation between
two hosts. This protection is either authentication or encryption (or
both), but it is not a tunneling protocol. It has nothing to do with a
traditional VPN: it's simply a secured IP connection.

Tunnel Mode

 In tunnel mode, the payload, the header, and the routing information
of the original packet are all encrypted, and a new outer IP header carries
the packet between the two gateways.
 Tunnel mode is intended for secure site-to-site communications over
an untrusted network. Each site has an IPsec gateway configured to
route traffic to the other site. When a computer in one site needs to
communicate with a computer in the other site, the traffic passes
through the IPsec gateways.

Secure Socket Layer

The Secure Socket Layer protocol was created by Netscape to ensure secure
transactions between web servers and browsers. The protocol uses a third
party, a Certificate Authority (CA), to identify one or both ends of the
transaction. In short, this is how it works.

1. A browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party
(usually a trusted root CA), that the certificate is still valid and that the
certificate is related to the site contacted.
4. The browser then uses the public key to encrypt a random symmetric
encryption key and sends it to the server with the encrypted URL
required as well as other encrypted http data.
5. The web server decrypts the symmetric encryption key using its private
key and uses the symmetric key to decrypt the URL and http data.
6. The web server sends back the requested html document and http
data encrypted with the symmetric key.
7. The browser decrypts the http data and html document using the
symmetric key and displays the information.
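The encryption and signing operations, the certificate fields listed under X.509 and the seven SSL steps above, tied together in one added example that is not the module guide's code. It uses textbook RSA over freshly generated Miller-Rabin primes and a SHA-256 keystream in place of real RSA and DES, so it is a teaching model and not a usable cipher; "Example CA", "shop.example" and the dates are placeholders. The browser's step 3 check verifies the CA's signature over the certificate fields, the validity dates and that the certificate's subject matches the site contacted; the rest follows steps 4 to 7.

```python
"""Toy PKI walk-through: X.509-style fields, CA signature and the SSL steps above.
Added example, not the module guide's code: textbook RSA over Miller-Rabin primes
and a SHA-256 keystream stand in for real RSA and DES; "Example CA" and
"shop.example" are placeholders. A teaching model, not a usable cipher."""
import hashlib
import json
import secrets


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test, enough to pick demonstration primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=256):
    """Return ((e, n), (d, n)): public key, then private key, of a toy RSA pair."""
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        while q == p or not _is_probable_prime(q):
            q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        e, phi = 65537, (p - 1) * (q - 1)
        if phi % e:                                    # e must be invertible mod phi
            return (e, p * q), (pow(e, -1, phi), p * q)

def sign(priv, data):
    """Transform the hash of the data with the signer's private key (d, n)."""
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), *priv)

def verify(pub, data, sig):
    """Transform the signature back with the public key (e, n); it must equal the hash."""
    return pow(sig, *pub) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def _encode(tbs):
    return json.dumps(tbs, sort_keys=True).encode()

def issue_certificate(ca_name, ca_priv, subject, subject_pub, serial, not_before, not_after):
    """Fill the X.509 fields listed in the guide and sign them with the CA's private key."""
    tbs = {"version": 3, "serial": serial, "issuer": ca_name,
           "validity": [not_before, not_after], "subject": subject,
           "subject_public_key": list(subject_pub), "signature_algorithm": "toy-RSA-SHA256"}
    return {"tbs": tbs, "signature": sign(ca_priv, _encode(tbs))}

def browser_checks(cert, trusted_cas, hostname, today):
    """Step 3: trusted issuer, intact signature, inside the validity dates, right site."""
    tbs = cert["tbs"]
    ca_pub = trusted_cas.get(tbs["issuer"])
    if ca_pub is None or not verify(ca_pub, _encode(tbs), cert["signature"]):
        return False
    not_before, not_after = tbs["validity"]            # ISO dates compare correctly as strings
    return not_before <= today <= not_after and tbs["subject"] == hostname

def stream_xor(key, data):
    """Toy symmetric cipher (stands in for DES): XOR with a SHA-256 keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def ssl_exchange(hostname, cert, server_priv, trusted_cas, today, request):
    """Steps 2-7: returns (cert_accepted, request_as_seen_by_server, reply_as_seen_by_browser)."""
    if not browser_checks(cert, trusted_cas, hostname, today):          # step 3
        return False, None, None
    session_key = secrets.token_bytes(16)                                # step 4: random symmetric key
    wrapped_key = pow(int.from_bytes(session_key, "big"), *cert["tbs"]["subject_public_key"])
    enc_request = stream_xor(session_key, request)
    # --- server side ---
    key_at_server = pow(wrapped_key, *server_priv).to_bytes(16, "big")   # step 5: unwrap with private key
    plain_request = stream_xor(key_at_server, enc_request)
    enc_reply = stream_xor(key_at_server, b"HTTP/1.1 200 OK\r\n\r\n<html>account page</html>")  # step 6
    # --- back in the browser ---
    return True, plain_request, stream_xor(session_key, enc_reply)       # step 7

def demo(hostname="shop.example", today="2025-06-01"):
    """Issue a certificate for shop.example from Example CA and run one exchange."""
    ca_pub, ca_priv = keygen()
    srv_pub, srv_priv = keygen()
    cert = issue_certificate("Example CA", ca_priv, "shop.example", srv_pub, 1001, "2024-01-01", "2026-12-31")
    return ssl_exchange(hostname, cert, srv_priv, {"Example CA": ca_pub}, today, b"GET /account HTTP/1.1")
```

demo() returns the accepted flag, the request the server decrypted and the reply the browser decrypted; demo("evil.example"), or a date outside the validity window, makes step 3 fail and the exchange stops there. Two details that the model keeps honest but simplified: a real signer signs a hash of the data, as sign() does, and real RSA encryption of the symmetric key adds padding, which is omitted here.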

The SSL protocol runs above TCP/IP and below higher-level protocols such
as HTTP.

SSL server authentication allows a user to confirm a server's identity.
SSL-enabled client software can use standard techniques of public-key
cryptography to check that a server's certificate and public ID are valid and
have been issued by a certificate authority (CA) listed in the client's list of
trusted CAs. This confirmation might be important if the user, for example, is
sending a credit card number over the network and wants to check the
receiving server's identity.

SSL client authentication allows a server to confirm a user's identity. Using
the same techniques as those used for server authentication, SSL-enabled
server software can check that a client's certificate and public ID are valid
and have been issued by a certificate authority (CA) listed in the server's list
of trusted CAs. This confirmation might be important if the server, for
example, is a bank sending confidential financial information to a customer
and wants to check the recipient's identity.

An encrypted SSL connection requires all information sent between a client
and a server to be encrypted by the sending software and decrypted by the
receiving software, thus providing a high degree of confidentiality.
Confidentiality is important for both parties to any private transaction. In
addition, all data sent over an encrypted SSL connection is protected with a
mechanism for detecting tampering, that is, for automatically determining
whether the data has been altered in transit.

The algorithms used in SSL are:

DES. Data Encryption Standard, an encryption algorithm used by the U.S.
Government.

RSA. A public-key algorithm for both encryption and authentication.
Developed by Rivest, Shamir, and Adleman.

MD5. Message Digest algorithm developed by Rivest.

Overview of Routers

Introduction
A router is a device that has more than one network interface (in other words,
it is multi-homed) and can forward packets, based on network addressing
(such as IP addresses), to multiple network segments. Routers are
intermediate systems that function at the network layer to connect networks
based on a common network layer protocol.

Purpose of routers
Routers allow you to scale your network and to maintain bandwidth by
segmenting network traffic. Routers are configured to make intelligent
decisions to determine how packets should be forwarded between network
segments. This helps ensure that a network segment is not inundated with
traffic not destined for hosts on its segment. Routers also prevent certain
types of traffic, such as broadcast traffic, from saturating the network.

Types of routers
The two types of routers that are used in a network environment are:
 Hardware Routers. These dedicated hardware devices run
specialized software for the exclusive purpose of routing. Hardware
routers provide very good performance; however, they can be
expensive and may provide little functionality beyond their intended
purpose. Many hardware routers today provide greater flexibility by
offering security services such as packet filtering and VPN access.
Hardware routers should be used in environments that require high
throughput between network segments.

 Software Routers. These routers are not dedicated to routing alone;
they perform routing as one of multiple processes running on the router
computer. Windows Server 2003 Routing and Remote Access is a
service that performs routing as one of its multiple processes. When
enabled as a network router, Windows Server 2003 can also offer
services such as Microsoft Windows Internet Name Service (WINS),
Domain Name System (DNS), and Dynamic Host Configuration
Protocol (DHCP).

Main components of routing solution
The three main components of a routing solution are:

 Routing interface. This is a physical or logical interface over which
packets are forwarded.
 Routing protocol. This is a set of messages that routers use to share
routing tables so that routers can determine the path by which data
should be forwarded.
 Routing table. This table of information is maintained on a system that
determines the path to various network segments. Routing tables
contain information about various network segments, based on their
network ID and the routers that should be used to communicate with
those network segments.

How information is routed

Network communication between hosts is performed either directly or
indirectly. Direct communications occur between two hosts on the same
network segment. Indirect communications occur when a host needs to
communicate with a remote system. Because the host cannot establish a
direct communication with the remote system, it must forward the packet to a
router. When sending a packet to a remote system, hosts forward packets to
a router by using direct communications.
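The direct-versus-indirect decision, as an added example that is not part of the module guide: a constructed routing table is searched with longest-prefix match, and the result says whether the host delivers to the destination itself or hands the packet to a router, which it reaches by direct communication on its own segment. The addresses, networks and interface names are made up for the illustration.

```python
"""Direct versus indirect delivery decided from a routing table (added example).

The table below is constructed for illustration; the lookup is the usual
longest-prefix match that a host or router applies to every destination.
"""
import ipaddress

# Constructed routing table rows: (destination network, gateway or None when the
# network is directly connected, outgoing interface)
ROUTES = [
    ("0.0.0.0/0",      "192.168.1.1",   "eth0"),   # default route to the Internet router
    ("192.168.1.0/24", None,            "eth0"),   # the host's own segment
    ("10.0.0.0/8",     "192.168.1.254", "eth0"),   # remote site reached through a second router
    ("10.20.0.0/16",   "192.168.1.253", "eth0"),   # more specific: overrides 10.0.0.0/8 for 10.20.x.x
]


def build_table(rows):
    """Parse the textual rows into ip_network objects once, up front."""
    return [(ipaddress.ip_network(net), gw, iface) for net, gw, iface in rows]


def lookup(table, destination):
    """Return the most specific (longest prefix) route containing the destination, or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gw, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def next_hop(table, destination):
    """Decide how a packet leaves this host.

    ('direct', destination, iface): the destination is on the local segment.
    ('indirect', gateway, iface):   hand the packet to the router at gateway;
                                    the router itself is reached by direct delivery.
    None: no route at all.
    """
    match = lookup(table, destination)
    if match is None:
        return None
    net, gw, iface = match
    if gw is None:
        return ("direct", destination, iface)
    return ("indirect", gw, iface)
```

With the table above, a neighbour on 192.168.1.0/24 is reached directly, 10.20.5.9 goes to 192.168.1.253 because the /16 beats the /8, and anything else falls through to the default route.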

Remote Access

Types of Remote Access Connectivity

Dial-Up Connections.

To connect to the network with dial-up remote access, a remote access client
uses a communications network, such as the Public Switched Telephone
Network (PSTN), to create a physical connection to a port on a remote
access server on the private network. This is done by using a modem or an
ISDN adapter to dial in to the remote access server.

Dial-up remote access allows an organization to keep users connected to
their network when they are working remotely. However, if your organization
has a large number of users traveling to many locations, the expense of long
distance telephone charges will become significant. An alternative to
increasing the size of a dial-up remote access network is to consider a VPN
solution for remote connectivity.

Virtual Private Network Connections.

A VPN provides secure remote access through the Internet, rather than
through a direct dial-up connection. A VPN client uses an IP internetwork to
create an encrypted virtual point-to-point connection with a VPN gateway on
the private network. Typically the user connects to the Internet through an
Internet Service Provider (ISP) and then creates a VPN connection to the
VPN gateway. By using the Internet in this way, companies can reduce their
long distance telephone expenses. Traveling employees can dial a local ISP
and then make a VPN connection back to the corporate network.

How a VPN Connection Works

Introduction
The Routing and Remote Access service provides VPN services so that users
can access corporate networks in a secure manner by encrypting the
transmitted data over an insecure transport network such as the Internet.

What a VPN does


A VPN extends the capabilities of a private network to encompass links
across shared or public networks such as the Internet. With a VPN, you can
send encrypted data between two computers across a shared or public
network in a manner that emulates a point-to-point link on a private network.
To emulate a point-to-point link, data is encapsulated, or wrapped, with a
header that provides routing information, which allows the data to traverse the
shared or public network to reach its endpoint. To emulate a private link, the
data is encrypted for confidentiality. Packets that are intercepted on the
shared or public network cannot be read without the encryption keys. The link
in which the private data is encapsulated and encrypted is a VPN connection.
The VPN connection is also referred to as a VPN tunnel.

VPN connection process


The process of a VPN connection is described in the following steps:
1. A VPN client makes a VPN connection to a remote access/VPN server
that is connected to the Internet. (The VPN server acts as a gateway
and is normally configured to provide access to the entire network to
which the VPN server is attached.)
2. The VPN server answers the virtual call.
3. The VPN server authenticates the caller by contacting a domain
controller and verifies the caller's authorization to connect.
4. The VPN server transfers data between the VPN client and the
corporate network.

Advantages of a VPN
VPNs allow users or corporations to connect to remote servers, branch
offices, or to other organizations over a public network, while maintaining
secure communications. In all of these cases, the secure connection appears
to the user as a private network communication, despite the fact that this
communication occurs over a public network. Other benefits include:

 Cost advantages. VPNs do not use a phone line and require less
hardware (your Internet service provider, or ISP, maintains the
communication hardware).
 Enhanced security. Sensitive data is hidden from unauthorized users,
but it is accessible to users authorized through the connection. The
VPN server enforces authentication and encryption.
 Network protocol support. You can remotely run an application that
depends on the most common network protocols, such as
Transmission Control Protocol/Internet Protocol (TCP/IP).
 IP address security. Because information sent over a VPN is
encrypted, the private IP addresses that you specify are protected, and
the traffic transmitted over the Internet will have only the external IP
address visible.

Components of a VPN Connection

Introduction
A VPN connection is made up of several components including VPN servers,
VPN clients, tunneling protocols, and authentication methods.

Components of a VPN connection


A VPN connection includes the following components:

 VPN server. A computer that accepts VPN connections from VPN
clients. The Routing and Remote Access service on Windows Server
2003 can be configured as a VPN server.
 VPN client. A computer that initiates a VPN connection to a VPN
server.
 Transit network. The shared or public network that the encapsulated
data crosses. Common VPN implementations use the Internet as the
transit network.
 VPN connection or tunnel. The portion of the connection in which your
data is encrypted and encapsulated.
 Tunneling protocols that are used to manage tunnels and encapsulate
private data (for example, Point-to-Point Tunneling Protocol, or PPTP).
 Tunneled data. Data that is sent across a private point-to-point link.
 Authentication. The identity of the client and the server in a VPN
connection are authenticated. To ensure that received data originated
from the other end of the connection and was not intercepted and
modified, a VPN also authenticates the data that was sent. The VPN
server uses Active Directory as an account database.
 Address and name server allocation. The VPN server is responsible for
assigning IP addresses, which it does either by using the default
protocol, Dynamic Host Configuration Protocol (DHCP), or from a static
pool of addresses that the administrator defines. The VPN server can
also allocate Domain Name System (DNS) and Windows Internet
Name Service (WINS) server addresses to clients.

Virtual Private Network Protocols

PPTP                                   L2TP
Internetwork must be IP based          Internetwork can be IP, Frame Relay,
                                       X.25, or ATM based
No header compression                  Header compression
No tunnel authentication               Tunnel authentication
Built-in PPP encryption                Uses IPSec encryption

[Figure: a client connects across the Internet to a PPTP or L2TP server]

SLIP and PPP

#  SLIP                                         PPP
1  Serial Line Internet Protocol is widely      Point-to-Point Protocol has several
   used to connect systems to the Internet      advantages over SLIP.
   over a dial-up line using a modem.
2  It does not do any error detection or        It does provide error detection and
   correction.                                  correction.
3  SLIP supports only IP.                       Supports multiple protocols.
4  Each side must know the other's IP           Allows IP addresses to be negotiated
   address in advance. IP addresses cannot      dynamically at connection time.
   be assigned dynamically during setup.
5  No authentication.                           Provides authentication.

Components of a Network Access Infrastructure

Introduction
To provide a secure network access infrastructure, an administrator needs
to have an understanding of the following basic components that make up
network access infrastructure:

 Network access server
 Network access clients
 Authentication service
 Active Directory directory service

Network access server


A network access server is a server that acts as a gateway to a network for a
remote client. The Microsoft Routing and Remote Access service supports
remote access to a network. By configuring the Routing and Remote Access
service to act as a remote access server, you can connect remote workers to
an organization's networks. The network access server for these remote
clients authenticates sessions for users and services until the user or network
administrator terminates them. Remote users can work as if their computers
are physically connected to the network.

Network access clients


A network access server provides network access connectivity for VPN and
dial-up clients.
These network access clients can use standard tools to access resources.
For example, on a server that is configured with the Routing and Remote
Access service, remote clients can use Windows Explorer to make drive
connections and to connect to printers. Connections are persistent so that the
clients do not need to reconnect to network resources during remote
sessions.

Authentication service
When you provide greater network access, you need to increase the level of
security in your network to safeguard against unauthorized access and usage
of internal resources. You can help safeguard your network by providing strong
authentication to validate identity in addition to providing strong encryption to
protect data.
Authentication methods typically use an authentication protocol that is
negotiated during the process of establishing a connection. The remote
access server (a server configured with the Routing and Remote Access
service) handles authentication between the remote access client and the
domain controller.
If you have multiple network access servers, you can centralize authentication
by using Remote Authentication Dial-In User Service (RADIUS) to
authenticate and authorize network access clients. Using RADIUS eliminates
the need for each network access server in your network to perform
authentication and authorization.

Active Directory
Active Directory domains contain the user accounts, passwords, and dial-up
properties that are required to authenticate user credentials and evaluate both
authorization and connection constraints.
After a client is connected to your network, you can control access to
resources by various administrative controls on both the client computer and
the network access servers. These administrative controls include File and
Printer Sharing, Local Group Policy, and Group Policy through the Active
Directory service.

Wireless Networks

Wireless networks utilize radio waves and/or microwaves to maintain
communication channels between computers. Wireless networking is a more
modern alternative to wired networking that relies on copper and/or fiber optic
cabling between network devices.
A wireless network offers advantages and disadvantages compared to a
wired network. Advantages of wireless include mobility and elimination of
cables. Disadvantages of wireless include the potential for radio interference
due to weather, other wireless devices, or obstructions like walls.

Wireless is rapidly gaining in popularity for both home and business
networking. Wireless technology continues to improve, and the cost of
wireless products continues to decrease. Popular wireless local area
networking (WLAN) products conform to the 802.11 "Wi-Fi" standards. The
gear a person needs to build wireless networks includes network adapters
(NICs), access points (APs), and routers.

Benefits of Wireless Networks

Companies can realize the following benefits by implementing wireless
networks:
• Mobility
• Ease of installation in difficult-to-wire areas
• Reduced installation time
• Increased reliability
• Long-term cost savings

Mobility

User mobility indicates constant physical movement of the person and their
network appliance. Many jobs require workers to be mobile, such as inventory
clerks, healthcare workers, policemen, emergency care specialists, and so
on. Wireless networking offers mobility to its users much like the wireless
phone, providing a constant connection to information on the network.

Installation in Difficult-to-Wire Areas

The implementation of wireless networks offers many tangible cost savings
when performing installations in difficult-to-wire areas. If rivers, freeways, or
other obstacles separate buildings you want to connect, a wireless MAN
solution may be much more economical than installing physical cable or
leasing communications circuits such as T1 service or 56 Kbps lines.

Reduced Installation Time

The installation of cabling is often a time-consuming activity. For LANs,
installers must pull twisted-pair wires above the ceiling and drop cables
through walls to network outlets that they must affix to the wall. These tasks
can take days or weeks, depending on the size of the installation.

Increased Reliability

A problem inherent to wired networks is the downtime due to cable faults. The
accidental cutting of cables can also bring a network down quickly. Water
intrusion can also damage communications lines during storms. The
advantage of wireless networking, then, is experiencing fewer problems
because less cable is used.

Long-Term Cost Savings

Companies reorganize, resulting in the movement of people, new floor plans,
office partitions, and other renovations. These changes often require
re-cabling the network, incurring both labor and material costs. In some cases,
the re-cabling costs of organizational changes are substantial, especially with
large enterprise networks.

Wireless Devices

Antenna
The antenna radiates the modulated signal through the air so that the
destination can receive it. Antennas come in many shapes and sizes and
have the following specific electrical characteristics:

• Propagation pattern
• Radiation power
• Gain
• Bandwidth

The propagation pattern of an antenna defines its coverage. A truly
omnidirectional antenna transmits its power in all directions, whereas a
directional antenna concentrates most of its power in one direction.

Radiation power is the output of the radio transmitter. Most wireless network
devices operate at less than 5 watts of power.

A directional antenna has more gain (degree of amplification) than the
omnidirectional type and is capable of propagating the modulated signal
farther because it focuses the power in a single direction.

Most wireless LANs and WANs utilize omnidirectional antennas, and wireless
MANs use antennas that are more directive.

Bandwidth is the effective part of the frequency spectrum that the signal
propagates. For example, the telephone system operates over a bandwidth
roughly from 0–4 kHz. This is enough bandwidth to accommodate most of the
frequency components within our voices. Radio wave systems have greater
amounts of bandwidth located at much higher frequencies. Data rates and
bandwidth are directly proportional: the higher the data rates, the more
bandwidth you will need.

Access Points
The main thing to remember is that access points give wireless clients
access to a single network.
A wireless network uses an access point, or base station. The access point
acts like a hub, providing connectivity for the wireless computers. It can
connect (or "bridge") the wireless LAN to a wired LAN, allowing wireless
computers access to LAN resources, such as file servers or existing Internet
connectivity.

There are two types of access points:

 Dedicated hardware access points (HAP) such as Lucent's WaveLAN.
Hardware access points offer comprehensive support of most wireless
features.
 Software access points run on a computer equipped with a wireless
network interface card, as used in an ad-hoc or peer-to-peer wireless
network.

Multiple access points can be connected to a wired LAN, or sometimes even
to a second wireless LAN if the access point supports this.

In most cases, separate access points are interconnected via a wired LAN,
providing wireless connectivity in specific areas such as offices or
classrooms, but connected to a main wired LAN for access to network
resources, such as file servers.
If a single area is too large to be covered by a single access point, then
multiple access points or extension points can be used. Note that an
"extension point" is not defined in the wireless standard but has been
developed by some manufacturers. When using multiple access points, each
access point's wireless area should overlap its neighbors. This provides a
seamless area for users to move around in, using a feature called "roaming."

WLAN Configurations

Independent WLANs

The simplest WLAN configuration is an independent (or peer-to-peer) WLAN
that connects a set of PCs with wireless adapters. Any time two or more
wireless adapters are within range of each other, they can set up an
independent network. These on-demand networks typically require no
administration or preconfiguration.

Access points can extend the range of independent WLANs by acting as a
repeater, effectively doubling the distance between wireless PCs.

Infrastructure WLANs

In infrastructure WLANs, multiple access points link the WLAN to the wired
network and allow users to efficiently share network resources. The access
points not only provide communication with the wired network but also
mediate wireless network traffic in the immediate neighborhood. Multiple
access points can provide wireless coverage for an entire building or campus.

Microcells and Roaming

Wireless communication is limited by how far signals carry for a given power
output. WLANs use cells, called microcells, similar to the cellular telephone
system, to extend the range of wireless connectivity. At any point in time, a
mobile PC equipped with a WLAN adapter is associated with a single access
point and its microcell, or area of coverage. Individual microcells overlap to
allow continuous communication with the wired network. They handle
low-power signals and "hand off" users as they roam through a given
geographic area.

Wireless Network Standards

802.11a, 802.11b, 802.11g, and 802.11n are the wireless standards
collectively known as Wi-Fi technologies. Additionally, Bluetooth and various
other non-Wi-Fi technologies also exist, each designed for specific
networking applications. The security notes below describe what equipment of
each generation typically shipped with; WEP, WPA and WPA2 are independent
of the radio standard, and any of them can run over any of these physical
layers that the devices' firmware supports.

802.11b

 Very common and inexpensive
 Communicates on the 2.4 GHz frequency
 Maximum data transmission rate up to 11 Mbps
 Indoor range of about 150 feet
 Weak security – WEP only on early equipment (see Wireless Security below)

Pros of 802.11b - lowest cost; signal range is good and not easily obstructed

Cons of 802.11b - slowest maximum speed; home appliances such as microwave
ovens and cordless phones may interfere on the unlicensed 2.4 GHz band

802.11a

 Not as common as 802.11b
 More expensive than 802.11b equipment
 Communicates on the 5 GHz frequency
 Maximum data transmission rate up to 54 Mbps
 Indoor range of about 75 feet
 Not backward compatible with 802.11b
 Weak security – WEP only on early equipment

Pros of 802.11a - fast maximum speed; the 5 GHz band is less crowded, so
there is less interference from other devices

Cons of 802.11a - highest cost; shorter-range signal that is more easily
obstructed

802.11g

 Most common wireless network standard
 More expensive than 802.11b equipment
 Communicates on the 2.4 GHz frequency
 Maximum data transmission rate up to 54 Mbps
 Good indoor range of about 150 feet
 Backward compatible with 802.11b
 Improved security – equipment of this generation supports WPA (and
usually WPA2)

Pros of 802.11g - fast maximum speed; signal range is good and not easily
obstructed

Cons of 802.11g - costs more than 802.11b; appliances may interfere on the
unlicensed 2.4 GHz band

802.11n
The newest IEEE standard in the Wi-Fi category is 802.11n. It was designed
to improve on 802.11g in the amount of bandwidth supported by utilizing
multiple wireless signals and antennas (called MIMO technology) instead of
one.
802.11n (ratified in 2009, after several years as a draft) supports data
rates well over 100 Mbps, up to 600 Mbps in theory. 802.11n also offers
somewhat better range than earlier Wi-Fi standards because MIMO uses
several antennas. 802.11n equipment is backward compatible with 802.11g
gear.

Pros of 802.11n - fastest maximum speed and best signal range; more
resistant to signal interference from outside sources

Cons of 802.11n - costs more than 802.11g; the use of multiple signals (wide
40 MHz channels in the 2.4 GHz band) may greatly interfere with nearby
802.11b/g based networks.

Bluetooth

Bluetooth is an alternative wireless network technology that followed a
different development path than the 802.11 family. Bluetooth supports a very
short range (approximately 10 meters) and relatively low bandwidth (1-3
Mbps in practice) designed for low-power network devices like handhelds.
The low manufacturing cost of Bluetooth hardware also appeals to industry
vendors. You can readily find Bluetooth in the networking of PDAs or cell
phones with PCs, but it is rarely used for general-purpose WLAN networking
due to the range and speed considerations.

WiMax

WiMax also was developed separately from Wi-Fi. WiMax is designed for
long-range networking (spanning miles or kilometers) as opposed to local
area wireless networking.

SSID

An SSID is the name of a wireless local area network (WLAN). All wireless
devices on a WLAN must employ the same SSID in order to communicate
with each other.

The SSID on wireless clients can be set either manually, by entering the SSID
into the client network settings, or automatically, by leaving the SSID
unspecified or blank so that the client joins whatever network it hears. A
network administrator often uses a public SSID that is set on the access
point and broadcast in its beacons to all wireless devices in range. Some
newer wireless access points can disable the SSID broadcast in an attempt to
improve network security; this only removes the name from beacon frames. The
name still appears in probe requests and responses whenever a client
connects, so it should not be counted on as a security measure.

SSIDs are case-sensitive strings of up to 32 octets. The 802.11 standard
places no other restriction on the characters, although most equipment
expects printable text (letters, numbers, spaces and punctuation).

Also Known As: Service Set Identifier, Network Name
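The following is an added example, not part of the module guide: a small Python parser for the tagged information elements in an 802.11 beacon frame body, which is where the SSID travels. The frame it parses is constructed inside the code (the element IDs 0, 1, 3 and 48 are the standard ones; the network name "MEC-Lab" and the channel number are made up). It shows that the SSID is a 0..32 octet field compared byte for byte, so case matters, that "SSID broadcast disabled" simply means the element is empty or NUL-filled in beacons, and that a parser should stop on a length byte pointing past the end of the frame rather than trust it.

```python
import struct

# Element IDs from IEEE 802.11 (standard values; the frame built below is constructed)
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3
IE_RSN = 48


def build_beacon_body(ssid: bytes, channel: int, rsn: bool = True) -> bytes:
    """Constructed beacon frame body: timestamp(8) | interval(2) | capability(2) | IEs.
    Sample data only; a real body would come from a captured frame."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # 100 TU interval, ESS + Privacy bits
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps
    ies += bytes([IE_DS_PARAMS, 1, channel])
    if rsn:
        # Minimal RSN element: version 1, group CCMP, one pairwise CCMP, one AKM = PSK
        rsn_body = (b"\x01\x00" + b"\x00\x0f\xac\x04"
                    + b"\x01\x00" + b"\x00\x0f\xac\x04"
                    + b"\x01\x00" + b"\x00\x0f\xac\x02" + b"\x00\x00")
        ies += bytes([IE_RSN, len(rsn_body)]) + rsn_body
    return fixed + ies


def parse_ies(body: bytes):
    """Yield (element_id, value) from the tagged area, stopping at a truncated element."""
    pos = 12  # skip the fixed fields
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # length byte points past the frame: stop rather than trust it
        yield eid, value
        pos += 2 + length


def summarize_beacon(body: bytes) -> dict:
    """Extract SSID, channel and whether an RSN (WPA2) element is present."""
    info = {"ssid": None, "hidden": False, "malformed": False, "channel": None, "rsn": False}
    for eid, value in parse_ies(body):
        if eid == IE_SSID:
            if len(value) > 32:
                info["malformed"] = True          # SSIDs are at most 32 octets
            elif len(value) == 0 or value == b"\x00" * len(value):
                info["hidden"] = True             # "broadcast disabled": empty or NUL-filled
            else:
                info["ssid"] = value.decode("utf-8", errors="replace")
        elif eid == IE_DS_PARAMS and len(value) == 1:
            info["channel"] = value[0]
        elif eid == IE_RSN:
            info["rsn"] = True
    return info


if __name__ == "__main__":
    print(summarize_beacon(build_beacon_body(b"MEC-Lab", 6)))
    print(summarize_beacon(build_beacon_body(b"\x00" * 7, 6)))  # hidden, but the length leaks
```

A NUL-filled hidden SSID still reveals the length of the real name, and the name itself is sent in clear in the probe response when a client that knows it connects; the parser above only tells you what the beacon carries.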

Wireless Security

WEP (Wired Equivalent Privacy)

WEP is a protocol that adds security to wireless local area networks (WLANs)
based on the 802.11 Wi-Fi standard. WEP is an OSI Data Link layer (Layer 2)
security technology that can be turned "on" or "off." WEP was designed to
give wireless networks the equivalent level of privacy protection as a
comparable wired network.
WEP is based on the RC4 stream cipher, keyed with a combination of a secret
user key and a system-generated value (a 24-bit initialization vector, IV,
sent in clear with every frame). The original implementations of WEP
supported so-called 40-bit encryption, having a key of length 40 bits plus
the 24-bit IV (64 bits total). Vendors later moved to 128-bit WEP (a key of
104 bits, not 128, plus the same 24-bit IV) and in some cases to 152-bit and
256-bit variants. The longer keys do not help: research has shown that WEP
is broken regardless of key length, because the 24-bit IV can repeat after
only a few thousand frames (reusing the RC4 keystream) and because weak RC4
keys let an attacker recover the secret key from captured traffic in
minutes.
When communicating over the air, wireless network equipment uses WEP
keys to encrypt the data stream. The keys themselves are not sent over the
network but rather are generally stored on the wireless adapter or in the
Windows Registry.
Regardless of how it is implemented on a wireless LAN, WEP should be treated
as no more than one weak element of an overall WLAN security strategy;
wherever the equipment allows it, WPA2 should be used instead.

WPA (Wi-Fi Protected Access)


WPA is a security technology for wireless networks. WPA improves on the
authentication and encryption features of WEP (Wired Equivalent Privacy). In
fact, WPA was developed by the networking industry in response to the
shortcomings of WEP.
One of the key technologies behind WPA is the Temporal Key Integrity
Protocol (TKIP). TKIP addresses the encryption weaknesses of WEP by mixing a
fresh key for every packet and adding a message integrity check, while still
running on WEP-era hardware. Its successor, WPA2 (IEEE 802.11i), replaces
TKIP with AES-based CCMP and is what should be used wherever the equipment
supports it.
Another key component of WPA is built-in authentication, which WEP does not
offer: a client must prove knowledge of the key in a four-way handshake
before it is allowed on the network.
One variation of WPA is called WPA Pre-Shared Key, or WPA-PSK for short.
WPA-PSK is a simplified but still strong form of WPA most suitable for home
Wi-Fi networking. To use WPA-PSK, a person sets a static key or "pass
phrase" as with WEP. The passphrase itself never changes, but the keys that
actually encrypt traffic are derived afresh for every association and, with
TKIP, for every packet, so an attacker cannot collect reusable keystream the
way WEP allows. The remaining weakness is the passphrase: anyone who
captures the handshake can test guesses offline, so short or dictionary
passphrases are recovered quickly, and a long random passphrase is
essential.
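As an added example (not from the module guide), the following Python shows how WPA-PSK turns the passphrase into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1 over the SSID, how the per-association Pairwise Transient Key is then derived from that key, both MAC addresses and the two handshake nonces, and why a short passphrase can be guessed offline. The PSK formula and the "password"/"IEEE" check value are from IEEE 802.11i (Annex H); the MAC addresses, nonces and word list are made up for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PSK (used as the 256-bit PMK):
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, nbytes: int = 64) -> bytes:
    """Pairwise Transient Key from the 4-way handshake inputs (64 bytes for TKIP,
    48 for CCMP). KCK = ptk[0:16] (authenticates the handshake), KEK = ptk[16:32],
    TK = ptk[32:48]. Fresh nonces give a fresh PTK even though the PSK is static."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def dictionary_attack(target_psk: bytes, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline passphrase guessing. A real attacker checks each candidate against the
    MIC of a captured handshake (computed with the KCK); comparing against the PSK
    keeps the example short but costs the same 4096-round PBKDF2 per guess."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue  # cannot be a valid WPA passphrase
        if hmac.compare_digest(wpa_psk(candidate, ssid), target_psk):
            return candidate
    return None


if __name__ == "__main__":
    pmk = wpa_psk("password", "IEEE")
    print(pmk.hex())  # 802.11i Annex H check value starts f42c6fc5...
    print(dictionary_attack(pmk, "IEEE", ["letmein1", "password", "qwerty123"]))
```

The salt is the SSID, so the same passphrase on two networks gives two different PSKs, and precomputed tables only work per SSID (one reason to change the default name); the cost per guess is fixed by the 4096 iterations, so only the passphrase's entropy decides how long the attack takes.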

WEP Keys

A WEP key is a security code used on some WiFi networks. WEP keys allow
a group of devices on a local network (such as a home network) to exchange
encrypted messages with each other while hiding the contents of the
messages from casual viewing by outsiders.

A WEP key is a sequence of hexadecimal digits. These digits include the
numbers 0-9 and the letters A-F. Some examples of WEP keys are:

 1A648C9FE2 (10 digits, a 40-bit key)
 99D767BAC38EA23B0C0176D156 (26 digits, a 104-bit key)

WEP keys are chosen by a network administrator. WEP keys are set on WiFi
routers, adapters and other wireless network devices. Matching WEP keys
must be set on each device for them to communicate with each other.
The length of a WEP key depends on the type of WEP security (called
"encryption") utilized:

 40- / 64-bit WEP: 10 digit key
 104- / 128-bit WEP: 26 digit key
 256-bit WEP: 58 digit key

To assist with the process of creating correct WEP keys, some brands of
wireless network equipment automatically generate WEP keys from ordinary
text called a "pass phrase." The generator most vendors used for 40-bit keys
is itself weak: it folds the passphrase into a 32-bit seed, and only about
2^21 distinct keys can come out of it, so such keys fall to a brute-force
search even faster than a randomly chosen hex key.
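The following is an added example, not from the module guide, covering both the WEP description above and the key lengths in this section. It implements WEP framing in Python (RC4 keyed with IV || key, CRC-32 integrity check value), accepts the 10- and 26-digit hex keys listed here, and then demonstrates why key length does not rescue WEP: two frames sent under the same 24-bit IV leak the XOR of their plaintexts to anyone with a sniffer and no key at all, and a birthday-bound calculation shows how soon an IV repeats. The IV and HTTP request text are sample values; the first key is the one used as an example above.

```python
import math
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation). WEP seeds it with IV || key
    for every single frame, which is the root of its problems."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_key_from_hex(hexkey: str) -> bytes:
    """10 hex digits -> 5-byte (40/64-bit) key, 26 -> 13-byte (104/128-bit) key."""
    if len(hexkey) not in (10, 26):
        raise ValueError("WEP key must be 10 or 26 hex digits, got %d" % len(hexkey))
    return bytes.fromhex(hexkey)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = iv || RC4(iv || key)(plaintext || ICV). The 3-byte IV goes in clear."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None when the ICV (CRC-32) does not check."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        return None
    return data


def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV use the same keystream, so c1 XOR c2 = p1 XOR p2.
    A sniffer computes this from the two ciphertexts alone; key length is irrelevant."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    return bytes(a ^ b for a, b in zip(c1, c2))


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames sent before some IV repeats with the given probability."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = wep_key_from_hex("1A648C9FE2")
    frame = wep_encrypt(key, b"\x12\x34\x56", b"GET /index.html HTTP/1.0\r\n")
    print(wep_decrypt(key, frame))
    print("50% chance of an IV repeat after", frames_until_iv_collision(), "frames")
```

On a busy access point a few thousand frames pass in seconds, and an IV-reuse pair with one known plaintext (a DHCP or ARP frame, say) yields keystream that decrypts the other frame; the 24-bit IV stays the same size for 64-, 128- and 256-bit WEP, so the longer keys change nothing here.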

10 Tips for Wireless Home Network Security

1. Change Default Administrator Passwords (and Usernames)

At the core of most Wi-Fi home networks is an access point or router. To set
up these pieces of equipment, manufacturers provide Web pages that allow
owners to enter their network address and account information. These Web
tools are protected with a login screen (username and password) so that only
the rightful owner can do this. However, for any given piece of equipment, the
logins provided are simple and very well-known to hackers on the Internet.
Change these settings immediately.

2. Turn on (Compatible) WPA / WEP Encryption


All Wi-Fi equipment supports some form of encryption. Encryption technology
scrambles messages sent over wireless networks so that they cannot be
easily read by humans. Several encryption technologies exist for Wi-Fi today.
Naturally you will want to pick the strongest form of encryption that works
with your wireless network: WPA2 with AES (CCMP) where every device
supports it, WPA/TKIP only to accommodate older devices, and WEP only when
nothing better is available, since it can be broken in minutes. However, the
way these technologies work, all Wi-Fi devices on your network must share the
identical encryption settings.

3. Change the Default SSID

Access points and routers all use a network name called the SSID.
Manufacturers normally ship their products with the same SSID set. For
example, the SSID for Linksys devices is normally "linksys." True, knowing
the SSID does not by itself allow your neighbors to break into your network,
but it is a start. More importantly, when someone finds a default SSID, they
see it is a poorly configured network and are much more likely to attack it.
Change the default SSID immediately when configuring wireless security on
your network.

4. Enable MAC Address Filtering

Each piece of Wi-Fi gear possesses a unique identifier called the physical
address or MAC address. Access points and routers keep track of the MAC
addresses of all devices that connect to them. Many such products offer the
owner an option to key in the MAC addresses of their home equipment, which
restricts the network to only allow connections from those devices. Do this,
but also know that the feature is not so powerful as it may seem. MAC
addresses travel in clear in every frame, so a sniffer shows which addresses
are allowed, and hackers and their software programs can fake MAC
addresses easily.

5. Disable SSID Broadcast

In Wi-Fi networking, the wireless access point or router typically broadcasts
the network name (SSID) over the air at regular intervals. This feature was
designed for businesses and mobile hotspots where Wi-Fi clients may roam
in and out of range. In the home, this roaming feature is unnecessary, and it
increases the likelihood someone will try to log in to your home network.
Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be
disabled by the network administrator. Treat this as tidiness rather than
protection: the name is still sent whenever a client connects, so anyone
listening with a wireless sniffer learns it within minutes.

6. Do Not Auto-Connect to Open Wi-Fi Networks
Connecting to an open Wi-Fi network such as a free wireless hotspot or your
neighbor's router exposes your computer to security risks. Although not
normally enabled, most computers have a setting available allowing these
connections to happen automatically without notifying you (the user). This
setting should not be enabled except in temporary situations.

7. Assign Static IP Addresses to Devices

Most home networkers gravitate toward using dynamic IP addresses. DHCP
technology is indeed easy to set up. Unfortunately, this convenience also
works to the advantage of network attackers, who can easily obtain valid IP
addresses from your network's DHCP pool. Turning off DHCP on the router or
access point, setting a fixed IP address range instead, and configuring each
connected device to match removes that convenience, but only from careless
attackers: anyone who can sniff the wireless traffic sees the address range
in use and can pick an address by hand. Treat it as a minor obstacle, not a
substitute for encryption. Use a private IP address range (such as 10.0.0.x
or 192.168.x.x) behind the router's NAT so that computers cannot be directly
reached from the Internet; this applies whether addresses are static or
assigned by DHCP.

8. Enable Firewalls On Each Computer and the Router

Modern network routers contain built-in firewall capability, but the option also
exists to disable them. Ensure that your router's firewall is turned on. For
extra protection, consider installing and running personal firewall software on
each computer connected to the router.

9. Position the Router or Access Point Safely

Wi-Fi signals normally reach to the exterior of a home. A small amount of
signal leakage outdoors is not a problem, but the further this signal reaches,
the easier it is for others to detect and exploit. Wi-Fi signals often reach
through neighboring homes and into streets, for example. When installing a
wireless home network, the position of the access point or router determines
its reach. Try to position these devices near the center of the home rather
than near windows to minimize leakage.

10. Turn Off the Network During Extended Periods of Non-Use
The ultimate in wireless security measures, shutting down your network will
most certainly prevent outside hackers from breaking in! While impractical to
turn off and on the devices frequently, at least consider doing so during travel
or extended periods offline. Computer disk drives have been known to suffer
from power cycle wear-and-tear, but this is a secondary concern for
broadband modems and routers.

If you own a wireless router but are using only its wired (Ethernet)
connections, you can also sometimes turn off Wi-Fi on a broadband router
without powering down the entire network.
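As an added example (not from the module guide), the following Python script checks the saved wireless profiles on a Windows machine against tips 2 and 6: it parses the text printed by `netsh wlan show profiles` and `netsh wlan show profile name="..." key=clear` and flags profiles that use WEP, TKIP or no encryption, and open networks set to connect automatically. The three profile texts embedded below are constructed in the layout netsh prints, trimmed to the lines the audit reads, and the network names are made up; the commented subprocess call at the bottom is how one would feed it real output.

```python
import re
from typing import Dict, List

# Constructed samples in the layout printed by
#   netsh wlan show profiles
#   netsh wlan show profile name="<name>" key=clear
# trimmed to the lines this audit reads (not output captured from a real machine).
PROFILE_LIST = """
Profiles on interface Wi-Fi:

User profiles
-------------
    All User Profile     : MEC-Lab
    All User Profile     : OldRouter
    All User Profile     : CoffeeShop
"""

PROFILE_OK = """
Profile MEC-Lab on interface Wi-Fi:
    Name                   : MEC-Lab
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
    SSID name              : "MEC-Lab"
Security settings
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
"""

PROFILE_WEP = """
Profile OldRouter on interface Wi-Fi:
    Name                   : OldRouter
    Control options        :
        Connection mode    : Connect manually
        Network broadcast  : Connect even if this network is not broadcasting
Security settings
    Authentication         : Open
    Cipher                 : WEP
    Security key           : Present
"""

PROFILE_OPEN = """
Profile CoffeeShop on interface Wi-Fi:
    Name                   : CoffeeShop
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
Security settings
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent
"""


def profile_names(listing: str) -> List[str]:
    """Names from `netsh wlan show profiles` (one 'All User Profile : name' line each)."""
    return re.findall(r"^\s*All User Profile\s*:\s*(.+?)\s*$", listing, re.MULTILINE)


def parse_profile(text: str) -> Dict[str, str]:
    """First value of each field the audit needs (netsh may print Authentication/Cipher
    twice; the first pair is the one the profile actually uses)."""
    fields = {}
    for key in ("Name", "Connection mode", "Network broadcast", "Authentication", "Cipher"):
        m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(key), text, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    return fields


def audit_profile(text: str) -> List[str]:
    """Findings for one profile; an empty list means nothing to fix."""
    p = parse_profile(text)
    name = p.get("Name", "?")
    auth = p.get("Authentication", "").upper()
    cipher = p.get("Cipher", "").upper()
    auto = p.get("Connection mode", "").lower().startswith("connect automatically")
    findings = []
    if cipher == "WEP":
        findings.append(f"{name}: WEP (crackable in minutes, any key length); switch to WPA2")
    elif cipher == "TKIP":
        findings.append(f"{name}: WPA/TKIP; prefer WPA2 with CCMP (AES) if all devices allow")
    elif auth == "OPEN" and cipher in ("NONE", ""):
        findings.append(f"{name}: open network, traffic is sent in clear")
        if auto:
            findings.append(f"{name}: auto-connects to an open network (tip 6)")
    return findings


if __name__ == "__main__":
    # With real output: subprocess.run(["netsh", "wlan", "show", "profile",
    #     f"name={name}", "key=clear"], capture_output=True, text=True).stdout
    samples = {"MEC-Lab": PROFILE_OK, "OldRouter": PROFILE_WEP, "CoffeeShop": PROFILE_OPEN}
    for name in profile_names(PROFILE_LIST):
        for finding in audit_profile(samples[name]) or [f"{name}: OK"]:
            print(finding)
```

Run it from an administrator prompt, since `key=clear` only reveals the key material to administrators; the script reads nothing but the profile text, so the same parser can be pointed at output saved from several machines.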


Compiled By: Arun

Revised By: R. Meganathan
