Network Implementation Presented by Wahidullah Shahaadat

Upload: mcsea

Post on 30-May-2018


  • 8/14/2019 Network Implementation Presented By Wahidullah Shahaadat


    IN THE NAME OF ALMIGHTY ALLAH

    1-Network Implementation

    Identify the basic capabilities (for example: client support, interoperability, authentication, file and print services, application support and security) of the following server operating systems to access network resources:

    > UNIX / Linux

    The UNIX operating systems are built around the TCP/IP protocols, and while all have certain similarities, they vary greatly in their capabilities. This is due to the variations in the additional software included with the operating system and the commercial (or non-commercial) nature of the various products. Some UNIX variants are commercial products marketed by large software companies, such as Hewlett Packard, Sun Microsystems, and IBM. Others are developed and maintained as part of the open source movement, in which volunteer programmers work on the software in their spare time, usually communicating with their colleagues over the Internet, and freely releasing their work to the public domain. There are many different UNIX operating systems that you can download from the Internet free of charge, such as FreeBSD, NetBSD, and various forms of Linux.

    UNIX is primarily an application server platform, and is typically associated with Internet services, such as Web, FTP, and e-mail servers. As with Windows, UNIX systems can function as both servers and clients at the same time.

    Interoperability

    Open source software such as SAMBA is used to provide Windows users with Server Message Block (SMB) file sharing.

    Authentication

    Centralized login authentication

    File and Print Services

    Network File System (NFS) is a distributed file system that allows users to access files and directories located on remote computers and treat those files and directories as if they were local.

    LPR/LPD is the primary UNIX printing protocol used to submit jobs to the printer. The LPR component initiates commands such as "print waiting jobs," "receive job," and "send queue state," and the LPD component in the print server responds to them.

    Security

    With most Unix operating systems, the network services can be individually controlled to increase security.


    > MAC OS X Server

    Client Support

    TCP/IP file sharing with Macintosh clients using Network File System (NFS), and File Transfer Apple File Protocol 3.0

    Interoperability

    Mac OS X Server uses the Open Source SAMBA to provide Windows users with Server Message Block (SMB) file sharing. Network File System (NFS) lets you make folders available to UNIX and Linux users.

    File and Print Services

    Mac OS X Server provides support for native Macintosh, Windows, UNIX, and Linux file sharing. Protocols supported include:

    Apple file services (AFP 3.0) from any AppleShare client over TCP/IP

    Windows (SMB/CIFS) file sharing using Samba

    Network File System (NFS) for UNIX and Linux file access

    Internet (FTP)

    Built-in print services can spool files to any PostScript-capable printer over TCP/IP, AppleTalk, or USB. Macintosh customers can use the LPR support in Print Center or the Desktop Printer utility to connect to a shared printer. Windows users can use their native SMB/CIFS protocol to connect to a shared printer.

    Print services for OS X Server:

    Macintosh and UNIX (LPR/LPD)

    Windows (SMB/CIFS)

    Security

    Multiple-user architecture and user-level access privileges.

    Secure Sockets Layer (SSL) support provides encrypted and authenticated client/server communications.

    Secure Shell (SSH) provides encryption and authentication for secure remote administration.

    Kerberos support for centralized login authentication.


    > Netware

    NetWare 5

    Client Support

    NetWare 5 comes with Novell Client software for three client platforms: DOS and Windows 3.1x, Windows 95/98, and Windows NT.

    Interoperability

    You can set the Novell Clients for Windows 95/98 and Windows NT to work with one of three network protocol options: IP only, IP and IPX, or IPX only.

    Authentication

    Centralized login authentication

    File and Print Services

    File Services: NetWare offers two choices of mutually compatible file services: Novell Storage Services (NSS) and the traditional NetWare File System. Both kinds of file services let you store, organize, manage, access, and retrieve data on the network.

    NSS gathers all unpartitioned free space that exists on all the hard drives connected to your server, together with any unused space in NetWare volumes, and places it into a storage pool.

    You create NSS volumes from this storage pool during server installation or later through NWCONFIG.

    Novell Distributed Print Services (NDPS) is the default and preferred print system in NetWare. NDPS supports IP-based as well as IPX-based printing.

    Security

    Novell has support for a public key infrastructure built into NetWare 5 using a public certificate, developed by RSA Security.

    > Windows

    Windows 2000 Server:

    Client Support

    Windows 3.x, Windows 95, Windows 98, and Windows NT Workstation 4.0.

    Interoperability

    Windows 2000 Server supports UNIX, Novell NetWare, Windows NT Server 4.0, and Macintosh.


    Authentication

    Successful user authentication in a Windows 2000 computing environment consists of two separate processes: interactive logon, which confirms the user's identification to either a domain account or a local computer, and network authentication, which confirms the user's identification to any network service that the user attempts to access.

    Types of authentication that Windows 2000 supports are:

    Kerberos V5 is used with either a password or a smart card for interactive logon. It is also the default method of network authentication for services. The Kerberos V5 protocol verifies both the identity of the user and network services.

    Secure Socket Layer/Transport Layer Security (SSL/TLS) authentication is used when a user attempts to access a secure Web server.

    File and Print Services

    You can add and maintain printers in Windows 2000 using the print administration wizard, and you can add file shares using Active Directory management tools. Windows 2000 also offers Distributed File Services, which let you combine files on more than one server into a single share.

    Security

    User-level security protects shared network resources by requiring that a security provider authenticate a user's request to access resources. The domain controller grants access to the shared resource by verifying that the user name and password are the same as those on the user account list stored on the network security provider. Because the security provider maintains a network-wide list of user accounts and passwords, each client computer does not have to store a list of accounts.

    Share-level security protects shared network resources on the computer with individually assigned passwords. For example, you can assign a password to a folder or a locally attached printer. If other users want to access it, they need to type in the appropriate password. If you do not assign a password to a shared resource, every user with access to the network can access that resource.

    > Appleshare IP (Internet Protocol)

    Client Support

    TCP/IP file sharing with Macintosh clients using Network File System (NFS), and File Transfer Apple File Protocol 3.0.

    Interoperability

    Windows Server Message Block (SMB) file sharing.


    File and Print Services

    File Services:

    Apple Filing Protocol (AFP) over TCP/IP and AppleTalk

    Server Message Block (SMB) over TCP/IP

    File Transfer Protocol (FTP) over TCP/IP

    Print Services:

    PAP (AppleTalk)

    LPR/LPD

    Application Support

    HTTP

    Mail (SMTP, POP, IMAP and Authenticated Post Office Protocol APOP)

    Mac CGI

    Identify the appropriate tool for a given wiring task (for example: wire crimper, media tester / certifier, punch down tool or tone generator).

    > Wire Crimper

    A wire crimper is a tool that you use to attach media connectors to the ends of cables. For instance, you use one type of wire crimper to attach RJ-45 connectors on Unshielded Twisted Pair (UTP) cable, and you use a different type of wire crimper to attach Bayonet Neill-Concelman connectors (BNCs) to coaxial cabling.

    > Wire Map Testers

    A wire map tester is a device that is similar in principle to the tone generator and locator, except that it tests all the wire connections in a UTP cable at once. This device also consists of two parts, which you connect to the opposite ends of a cable. The unit at one end transmits signals over all the wires, which are detected by the unit at the other end. A wire map tester can detect transposed wires, opens, and shorts, just as a tone generator and locator can, but it does all the tests simultaneously and provides you with a simple readout telling you what's wrong.

    > Multifunction Cable Testers

    Multifunction cable testers are handheld devices that perform a variety of tests on a cable connection and compare the results to standard values that have been programmed into the unit. The result is that these are devices that anyone can use. You simply connect the unit to the cable, press a button, and the device comes up with a list of pass or fail ratings for the individual tests.


    Multifunction cable testers can test any of the following:

    Length: The most common method for determining the length of a cable is called time domain reflectometry (TDR), in which the tester transmits a signal over the cable and measures how long it takes for the signal's reflection to return. Using the nominal velocity of propagation (NVP) for the cable, which is the speed at which signals travel through the cable (supplied by the manufacturer), you can compute the length of the cable. This function also enables you to determine the location of a break in a cable.

    Attenuation: By comparing the strength of a signal at the far end of a cable to its strength when transmitted, the tester determines the cable's attenuation (measured in decibels).

    Near end crosstalk (NEXT): Testing for near end crosstalk is a matter of transmitting a signal over one of a cable's wires and then detecting the strength of the signal that bleeds over into the other wires near the end of the cable where the transmitter is located.

    Power sum NEXT (PSNEXT): This is a measurement of the crosstalk generated when three of the four wire pairs are carrying signals at one time. This test is intended for networks using technologies like Gigabit Ethernet, which transmit signals over several wire pairs simultaneously.

    Equal level far end crosstalk (ELFEXT): This is a measurement of the crosstalk at the opposite end of the cable from the transmitter, corrected to account for the amount of attenuation in the connection.

    Power sum ELFEXT (PSELFEXT): This is a measurement of the crosstalk generated at the far end of the cable by three signal-carrying wire pairs, corrected for attenuation.

    Propagation delay: This indicates the amount of time required for a signal to travel from one end of a cable to the other.

    Delay skew: This is the difference between the lowest and the highest propagation delay measurements for the wires in a cable. Because the wire pairs inside a UTP cable are twisted at different rates, their relative lengths can differ, and the delay skew measurement quantifies that difference.

    Return loss: This is a measurement of the accumulated signal reflection caused by variations in the cable's impedance along its length. These impedance variations are typically caused by untwisting too much of the wire pairs when making connections.

    > Tone Generator


    Tone generator and locator Cons:

    Testing each of the wires in a UTP cable individually is time consuming.

    You also need two people to use the equipment, one at the generator end and one at the locator end (unless you don't mind running back and forth from one end of your cable connections to the other).

    Identify the purpose, benefits and characteristics of using a firewall.

    A firewall is used to prevent unauthorized access to or from a network. They are frequently used to prevent unauthorized users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

    Firewall techniques:

    Packet filter: looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules.

    Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers.

    Circuit-level gateway: applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

    Network layer firewalls

    Network layer firewalls operate at a low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply.

    Modern firewalls can filter traffic based on many packet attributes like:

    source IP address

    source port

    destination IP address or port

    destination service like WWW or FTP

    They can also filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.

    Application-layer firewalls

    Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets without acknowledgement to the sender. Application firewalls can prevent all unwanted outside traffic from reaching protected machines.


    Identify the purpose, benefits and characteristics of using a proxy service.

    A proxy device that is running either on dedicated hardware or as software may act as a firewall by responding to input packets in the manner of an application, whilst blocking other packets.

    The Proxy service sits between a client application, such as a web browser, and a real server. When a client program makes a request, the proxy server responds by translating the request and passing it to the Internet. When a computer on the Internet responds, the proxy server passes that response back to the client program on the computer that made the request. The proxy server computer has two network interfaces: one connected to the LAN and one connected to the Internet.

    The primary security features of Proxy Server are:

    It blocks inbound connections.

    LAN clients can initiate connections to Internet servers, but Internet clients cannot initiate connections to LAN servers.

    It can restrict outbound connections.

    2 Network Implementation

    Given a connectivity scenario, determine the impact on network functionality of a particular security implementation (for example: port blocking / filtering, authentication and encryption).

    > Port Blocking / Filtering

    A network layer firewall works as a packet filter by deciding what packets will pass the firewall according to rules defined by the administrator. Filtering rules can act on the basis of source and destination address and on ports, in addition to whatever higher-level network protocols the packet contains. Network layer firewalls tend to operate very fast, and transparently to users.

    Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls hold some information on the state of connections (for example: established or not, initiation, handshaking, data or breaking down the connection) as part of their rules (e.g. only hosts inside the firewall can establish connections on a certain port).

    Stateless firewalls have packet-filtering capabilities but cannot make more complex decisions on what stage communications between hosts have reached. Stateless firewalls therefore offer less security. Stateless firewalls somewhat resemble a router in their ability to filter packets.

    Any normal computer running an operating system which supports packet filtering and routing can function as a network layer firewall. Appropriate operating systems for such a configuration include Linux, Solaris, BSDs or Windows Server.
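
    The difference between the stateless and stateful filters described above, as an added example that is not part of the original notes: a small Python model in which both filters judge the same constructed packet trace. The LAN prefix, addresses, ports and the simplified TCP state tracking are assumptions made for illustration.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."  # assumed LAN range for this example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags carried by the packet


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def is_inside(addr):
    return addr.startswith(INSIDE_PREFIX)


def stateless_filter(p):
    """Decide from the packet alone: addresses, ports and flags."""
    # Rule 1: inside hosts may talk to web servers on port 80.
    if is_inside(p.src) and p.dport == 80:
        return True
    # Rule 2: web replies must get back in. Without connection state the
    # closest available test is "comes from port 80 and carries ACK".
    if is_inside(p.dst) and p.sport == 80 and "ACK" in p.flags:
        return True
    return False


class StatefulFilter:
    """Same policy, but replies are matched against tracked connections."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.connections = {}

    def check(self, p):
        if is_inside(p.src):
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == {"SYN"} and p.dport == 80:
                self.connections[key] = "SYN_SENT"      # initiation
                return True
            allowed = self.connections.get(key) == "ESTABLISHED"
        else:
            key = (p.dst, p.dport, p.src, p.sport)
            state = self.connections.get(key)
            if state == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
                self.connections[key] = "ESTABLISHED"   # handshaking
                return True
            allowed = state == "ESTABLISHED" and "ACK" in p.flags
        if allowed and p.flags & {"FIN", "RST"}:
            # Breaking down: simplified, real TCP closes in several steps.
            del self.connections[key]
        return allowed


# Constructed trace: one legitimate web session plus unsolicited packets.
TRACE = [
    pkt("10.0.0.5", 40000, "203.0.113.10", 80, "SYN"),
    pkt("203.0.113.10", 80, "10.0.0.5", 40000, "SYN", "ACK"),
    pkt("10.0.0.5", 40000, "203.0.113.10", 80, "ACK"),
    pkt("203.0.113.10", 80, "10.0.0.5", 40000, "ACK", "PSH"),
    # Unsolicited: no inside host ever opened this connection.
    pkt("198.51.100.7", 80, "10.0.0.9", 445, "ACK"),
    pkt("198.51.100.7", 80, "10.0.0.9", 80, "SYN"),
    # The inside host closes the session; a later packet on it is stale.
    pkt("10.0.0.5", 40000, "203.0.113.10", 80, "FIN", "ACK"),
    pkt("203.0.113.10", 80, "10.0.0.5", 40000, "ACK"),
]


def compare(trace):
    """Return (stateless verdict, stateful verdict) for every packet."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.check(p)) for p in trace]


if __name__ == "__main__":
    for p, (loose, strict) in zip(TRACE, compare(TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} "
              f"stateless={'pass' if loose else 'drop'} "
              f"stateful={'pass' if strict else 'drop'}")
```

    The two filters agree on the legitimate session and disagree only on packets that belong to no tracked connection, which is the gap the notes describe.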


    > Authentication

    The process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

    > Encryption

    Encryption is part of a larger process of encoding and decoding messages to keep information secure. This process, though commonly called encryption, is more correctly called cryptography: the use of mathematical transformations to protect data.

    Cryptography is primarily a software-based solution and, in most cases, should not include significant hardware costs. It is a key tool in protecting privacy as it allows only authorized parties to view the data. Encryption is also used to ensure data integrity, as it protects data from being modified or corrupted.

    Identify the main characteristics of VLANs (Virtual Local Area Networks).

    A Virtual LAN is a group of devices on one or more LANs that are configured using management software so that they can communicate as if they were attached to the same LAN segment, when in fact they are located on a number of different segments. Because VLANs are based on logical instead of physical connections, they are more flexible.

    For a computer to communicate with devices on LAN segments other than the segment it is located on, a router is required. And as networks expand, more routers are needed to separate users into broadcast and collision domains, and provide connectivity to other LANs. Since routers add latency, this can result in the delay of data transfer over the network.

    Switches are used in VLANs to create the same division of the network into separate broadcast domains, but without the latency problems of a router.

    Advantages to using VLANs:

    Switched networks increase performance by reducing the size of collision domains. Users can be grouped into logical networks which will increase performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Less traffic needs to be routed, causing the latency added by routers to be reduced.

    VLANs provide an easier way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices located in physically different locations.

    Software configurations can be made across machines with the consolidation of a department's resources into a single subnet. IP addresses, subnet masks, and local network protocols will be more consistent across the entire VLAN.


    VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain.

    A switched network delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community regardless of physical location, thus enhancing security.

    Identify the main characteristics and purpose of extranets and intranets.

    > Extranets

    An extranet is a private network that uses Internet protocols and network connectivity to securely share part of an organization's information or operations with suppliers, vendors, partners, customers or other businesses. An extranet can be viewed as part of a company's Intranet that is extended to users outside the company normally over the Internet.

    An extranet requires security and privacy. These can include firewalls, server management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of virtual private networks (VPNs) that tunnel through the public network.

    Advantages

    Extranets can improve organization productivity by automating processes that were previously done manually.

    Extranets allow organization or project information to be viewed at times convenient for business partners, customers, employees, suppliers and other stake-holders.

    Information on an extranet can be updated, edited and changed instantly. All authorised users therefore have immediate access to the most up-to-date information.

    Disadvantages

    Extranets can be expensive to implement and maintain within an organisation.

    Security of extranets can be a big concern when dealing with valuable information.

    Extranets can reduce personal contact (face-to-face meetings) with customers and business partners. This could cause a lack of connections made between people and a company.

    > Intranet

    Intranets differ from "Extranets" in that the former is generally restricted to employees of the organization while extranets can generally be accessed by customers, suppliers, or other approved parties.

    An intranet is a private computer network that uses Internet protocols and network connectivity to securely share part of an organization's information or operations with its employees. Sometimes the term refers only to the most visible service, the internal website. The same concepts and technologies of the Internet such as clients and servers running on the Internet protocol suite are used to build an intranet. HTTP and other Internet protocols are commonly used as well, especially FTP and e-mail.

    Identify the purpose, benefits and characteristics of using antivirus software.

    Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software.

    Antivirus software typically uses two different techniques to accomplish this:

    Examining files to look for known viruses matching definitions in a virus dictionary

    Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

    Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.

    Dictionary Approach: When the antivirus software looks at a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:

    attempt to repair the file by removing the virus itself from the file

    quarantine the file

    delete the infected file.
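
    The dictionary approach and its three actions, as an added example that is not part of the original notes. The signature names, byte patterns and file names are constructed and harmless, and "repair" is simplified here to cutting the matched bytes out of the file.

```python
import tempfile
from pathlib import Path

# Constructed, harmless byte patterns standing in for virus definitions.
SIGNATURES = {
    "Demo.Alpha": bytes.fromhex("deadbeef4142"),
    "Demo.Beta": b"\x00\x01DEMO-BETA-MARKER",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return [(definition name, offset)] for every match in data."""
    hits = []
    for name, pattern in signatures.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return sorted(hits, key=lambda hit: hit[1])


def handle_file(path, action, quarantine_dir, signatures=SIGNATURES):
    """Scan one file and apply repair, quarantine or delete on a match."""
    path = Path(path)
    data = path.read_bytes()
    hits = scan_bytes(data, signatures)
    if not hits:
        return "clean", hits
    if action == "repair":
        # Simplification: a real repair restores the original host code.
        for name, _ in hits:
            data = data.replace(signatures[name], b"")
        path.write_bytes(data)
        return "repaired", hits
    if action == "quarantine":
        quarantine_dir = Path(quarantine_dir)
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        # Move the file out of reach and rename it so it is not run.
        path.rename(quarantine_dir / (path.name + ".quarantined"))
        return "quarantined", hits
    if action == "delete":
        path.unlink()
        return "deleted", hits
    raise ValueError(f"unknown action: {action}")


def demo():
    """Run all three actions over constructed sample files."""
    samples = {
        "report.doc": b"plain text, nothing to match",
        "tool.bin": b"HEADER" + SIGNATURES["Demo.Alpha"] + b"BODY",
        "setup.bin": b"MZ" + SIGNATURES["Demo.Beta"] + b"tail",
        "old.bin": SIGNATURES["Demo.Alpha"] * 2,
        # Not in the dictionary, so this approach reports it as clean.
        "new.bin": b"MZ" + b"\xca\xfe-pattern-with-no-definition",
    }
    actions = {"tool.bin": "repair", "setup.bin": "quarantine",
               "old.bin": "delete"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in samples.items():
            (root / name).write_bytes(content)
        results = {}
        for name in samples:
            results[name] = handle_file(
                root / name, actions.get(name, "quarantine"),
                root / "quarantine")
        results["tool.bin after repair"] = (root / "tool.bin").read_bytes()
        results["quarantined"] = sorted(
            p.name for p in (root / "quarantine").iterdir())
        results["old.bin exists"] = (root / "old.bin").exists()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

    The file named new.bin comes back clean because no definition covers it, which is the limitation of a dictionary-only scanner.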

    Suspicious Behavior Approach: Unlike the dictionary approach, the suspicious behavior approach provides protection against brand-new viruses that do not yet exist in any virus dictionaries. Most antivirus software does not use this approach much today.

    Using this approach the antivirus software:

    Doesn't attempt to identify known viruses.

    Monitors the behavior of all programs.

    If one program tries to write data to an executable program, the antivirus software can:

    flag this suspicious behavior

    alert a user and ask what to do.

    Heuristic Analysis Approach:

    Antivirus software could try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable.

    If the program seems to use self-modifying code or otherwise appears as a virus, one could assume that a virus has infected the executable. However, this method could result in a lot of false positives.


    Identify the purpose and characteristics of fault tolerance:

    Fault tolerance is the ability of a system to continue functioning when part of the system fails. Normally, fault tolerance is used in describing disk subsystems, but it can also apply to other parts of the system or the entire system. Fully fault-tolerant systems use redundant disk controllers and power supplies as well as fault-tolerant disk subsystems. You can also use an uninterruptible power supply (UPS) to safeguard against local power failure.

    Although the data is always available in a fault-tolerant system, you still need to make backups that are stored offsite to protect the data against disasters such as a fire.

    > Network Redundancy

    Service interruptions on a network are not always the result of a computer or drive failure. Sometimes the network itself is to blame. For this reason, many larger internetworks are designed with redundant components that enable traffic to reach a given destination in more than one way. If a network cable is cut or broken, or if a router or switch fails, redundant equipment enables data to take another path to its destination. There are several ways to provide redundant paths. Typically, you have at least two routers or switches connected to each network, so that the computers can use either one as a gateway to the other segments.

    For example, you can build a network with two backbones. Each workstation can use either of the routers on its local segment as a gateway. You can also use this arrangement to balance the traffic on the two backbones by configuring half of the computers on each local area network (LAN) to use one of the routers as its default gateway and the other half to use the other router.

    > Storage

    A redundant array of independent disks (RAID) is an example of a fault-tolerant storage device that uses data redundancy.

    RAID

    Redundant Array of Inexpensive (or Independent) Disks. A RAID array is a collection of drives which collectively act as a single storage system, which can tolerate the failure of a drive without losing data, and which can operate independently of each other.

    Level 0, referred to as striping, is not redundant. Data is split across drives, resulting in higher data throughput. Since no redundant information is stored, performance is very good, but the failure of any disk in the array results in the loss of all data.

    Level 1 is referred to as mirroring, with 2 hard drives. It provides redundancy by duplicating all data from one drive on another drive. Performance is better than a single drive, and if either drive fails, no data is lost. This is a good entry-level redundant system, since only two drives are required.

    Level 2, which uses Hamming error correction codes, is intended for use with drives which do not have built-in error detection. All SCSI drives support built-in error detection, so this level is not needed if using SCSI drives.


    Level 3 stripes data at a byte level across several drives, with parity stored on one drive. It is otherwise similar to level 4. Byte-level striping requires hardware support for efficient use.

    Level 4 stripes data at a block level across several drives, with parity stored on one drive. The parity information allows recovery from the failure of any single drive. Performance is very good for reads. Writes, however, require that parity data be updated each time. This slows small random writes, in particular, though large writes or sequential writes are fairly fast.

    Level 5 is striping with distributed parity. Similar to level 4, but distributes parity among the drives. No single disk is devoted to parity. This can speed small writes in multiprocessing systems. Because parity data must be distributed on each drive during reads, the performance for reads tends to be considerably lower than a level 4 array.
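
    The parity mechanism behind levels 4 and 5, as an added example that is not part of the original notes: data is striped with one XOR parity block per stripe, and a failed drive is recomputed from the survivors. The function names, the sample payload and the particular parity rotation used for level 5 are assumptions.

```python
from functools import reduce


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk(stripe, drives, level):
    """Index of the drive holding parity for a given stripe."""
    if level == 4:
        return drives - 1                  # one dedicated parity drive
    return (drives - 1 - stripe) % drives  # level 5: assumed rotation


def build_array(data, drives, block_size, level=5):
    """Stripe data over the drives with one parity block per stripe."""
    if drives < 3:
        raise ValueError("parity striping needs at least three drives")
    per_stripe = (drives - 1) * block_size
    padded_len = -(-len(data) // per_stripe) * per_stripe
    data = data.ljust(padded_len, b"\0")   # pad the final stripe
    disks = [[] for _ in range(drives)]
    for stripe, start in enumerate(range(0, len(data), per_stripe)):
        chunk = data[start:start + per_stripe]
        blocks = [chunk[i:i + block_size]
                  for i in range(0, per_stripe, block_size)]
        # Parity is the XOR of the stripe's data blocks.
        blocks.insert(parity_disk(stripe, drives, level), xor_blocks(blocks))
        for disk, block in zip(disks, blocks):
            disk.append(block)
    return disks


def read_data(disks, level, length):
    """Reassemble the payload, skipping the parity block of each stripe."""
    drives = len(disks)
    out = bytearray()
    for stripe in range(len(disks[0])):
        skip = parity_disk(stripe, drives, level)
        for index in range(drives):
            if index != skip:
                out += disks[index][stripe]
    return bytes(out[:length])


def rebuild(disks):
    """Return the array with its single failed drive (None) recomputed."""
    missing = [i for i, disk in enumerate(disks) if disk is None]
    if len(missing) != 1:
        raise ValueError("single parity can rebuild exactly one failed drive")
    survivors = [disk for disk in disks if disk is not None]
    # XOR of the surviving blocks in a stripe equals the lost block.
    restored = [xor_blocks(blocks) for blocks in zip(*survivors)]
    return [restored if disk is None else disk for disk in disks]


# Constructed sample payload.
DATA = b"Quarterly payroll export, constructed sample payload"


def demo(level=5, drives=4, block_size=4, failed=2):
    """Fail one drive, rebuild it, and read the payload back."""
    disks = build_array(DATA, drives, block_size, level)
    damaged = list(disks)
    damaged[failed] = None
    repaired = rebuild(damaged)
    return repaired == disks and read_data(repaired, level, len(DATA)) == DATA


if __name__ == "__main__":
    for level in (4, 5):
        layout = [parity_disk(s, 4, level) for s in range(4)]
        print(f"level {level}: parity drive per stripe {layout}, "
              f"rebuild ok = {demo(level)}")
```

    Losing a second drive before the rebuild finishes leaves two unknown blocks per stripe and only one parity equation, so rebuild refuses that case.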

    Identify the purpose and characteristics of disaster recovery:

    > Backup / restore

    Offsite storage

    A remote backup service, online backup service or managed backup service is a service that provides users with an online system for backing up and storing computer files. Managed backup providers are companies that have the software and server space for storing files.

    Hot and cold spares

    A hot spare disk is running, ready to start working in the case of a failure. A cold spare disk is not running.

    A hot spare is used as a failover mechanism to provide reliability in system configurations. The hot spare is active and connected as part of a working system. When a key component fails, the hot spare is switched into operation.

    Examples of hot spares are components such as networked printers, and hard disks. The equipment is powered on, or considered "hot", but not actively functioning in the system. In the case of a disk drive, data is being mirrored so when the hot spare takes over, the system continues to operate with minimal or no downtime.

    Hot Spare Disk is a disk or group of disks used to automatically or manually replace a failing or failed disk in a RAID configuration. The hot spare disk reduces the mean time to recovery (MTTR) for the RAID redundancy group, thus reducing the probability of a second disk failure and the resultant data loss that would occur in any singly redundant RAID (e.g., RAID-1, RAID-5, RAID-10).

    Hot, warm and cold sites

    A backup site is a location where a business can easily relocate following a disaster, such as fire or flood.


    There are three types of backup sites, including cold sites, warm sites, and hot sites. The differences between the types are determined by the costs and effort required to implement each.

    Hot Site is a duplicate of the original site of the business, with full computer systems as well as near-complete backups of user data. Following a disaster, the hot site exists so that the business can relocate with minimal losses to normal operations. Ideally, a hot site will be up and running within a matter of hours. This type of backup site is the most expensive to operate.

    Warm Site is a location where the business can relocate to after the disaster that is already stocked with computer hardware similar to that of the original site, but does not contain backed up copies of data and information.

    Cold Site is the most inexpensive type of backup site for a business to operate. It does not include backed up copies of data and information from its original location, nor does it include hardware already set up. The lack of hardware contributes to the minimal startup costs of the cold site, but requires additional time following the disaster to have the operation running at a capacity close to that prior to the disaster.
