COMP 312: COMPUTER NETWORKS MANUAL
Compiled by Mr J. Chebor (Computer Science Department)

COURSE OUTLINE

Course Lecturer: Mr. Chebor John
Cell Phone No.: 0721416894
E-mail: johnchebor@yahoo.com

Aim and Objectives
This module aims to impart an in-depth knowledge of the fundamental techniques involved in computer-to-computer and computer-mediated communication in a networked environment. Upon satisfactory completion of this module a student should be able to:
- Explain different networking issues and concepts
- Analyse various coding techniques
- Make appropriate judgements regarding the use of network devices
- Design, implement and administer a network

Lecture topics
Week 1: Introduction to Networks: networks; types of networks; classification of networks; network protocols; functions of protocols; TCP/IP overview; TCP/IP configuration; OSI; the OSI layer system; the TCP/IP layer system; network hardware (NICs, hubs/repeaters, bridges/switches/routers, gateways).
Weeks 2-9, in order: Coding Techniques (introduction; data encoding techniques); Transmission Media (channel maximum data rate; cabling; wireless transmission); Network Access Control (contention; token system; demand priority); Network Technologies (Ethernet; Token Ring; Fibre Distributed Data Interface, FDDI); Server Installation (Windows Server 2000; creating user accounts and groups; driver installation; configuration for Active Directory).
Week 10: Network Security (security risks; security policy goals; security measures).
Assignments and practical activities: CAT 1; installation and configuration of a network printer; installation and administration of DBMS applications; CAT 2; Assignment 2 (practical).

Assessment Strategy
Class Test 1 (Theory): 10%
Class Test 2 (Practical): 10%
Assignment 1 (Theory): 10%
End-of-semester examination: 70%
Total: 100%

Main texts
1. Forouzan, Behrouz (1998) Introduction to Data Communications and Networking, McGraw Hill.
2. Halsall, F.
(1995) Data Communications, Computer Networks and Open Systems, 4th Ed., Addison Wesley, New York.
3. Peterson, L.L. & Davie, B.S. (2000) Computer Networks, 2nd Ed., Morgan Kaufmann.

Reference texts
4. Tanenbaum, A.S. (1996) Computer Networks, 3rd Ed., Prentice Hall, New Jersey.
5. Stallings, W. (1997) Data and Computer Communications, 5th Ed., Prentice Hall, New Jersey.

Introduction to Computer Networks
A computer network is an interconnection of computers and computer devices so that they can share data and communicate. There are several types; we look at three.

(i) Wide Area Network (WAN)
- Covers a wide geographical area (several sites).
- Usually connected by non-dedicated circuits.
- Uses a greater variety of transmission technologies and media, e.g. the telephone network, satellite links and the Internet.
- Typically interconnects LANs and MANs.
The Internet is an internetwork: a worldwide interconnection of governmental, academic, public and private networks.
Intranets are internal corporate networks that use the infrastructure, protocols, IP-based tools (e.g. web browsers) and standards of the Internet. An intranet is separated from the Internet by a firewall: a security device or program that sits between the intranet and the Internet, blocks or filters unauthorised traffic from entering the intranet, and can also restrict employees' access to the Internet.
Extranets are extended intranets that connect not only internal personnel but also selected external stakeholders, e.g. customers, suppliers and other strategic partners.

(ii) Metropolitan Area Network (MAN)
- A network of computers and other devices within a confined geographical region, e.g. an urban centre or town.
- Larger than a LAN; connects clients and servers.
- Uses different transmission media and technology from a LAN.
- The nodes normally belong to the same organisation.

(iii) Local Area Network (LAN)
- A network of computers and other devices confined to a relatively small area, e.g. a room or a building.
- Connected by dedicated circuits.
- A private network.

Categories of Computer Networks

(i) Peer-to-peer
- No one computer in the network has higher capabilities or authority than the others; the OS on each computer is authoritative only for that machine.
- Used for communication and resource sharing, not for central administration.
- The computers may run the same or different operating systems.
- Easy to manage, requires no expertise and is less expensive.
- Not flexible (hard to expand), insecure and impractical beyond a small size: there is no central control.

(ii) Client-server
- One more capable computer (the server) serves the other computers (clients or workstations).
- The server must run a network operating system (NOS) to function. A NOS is designed to:
  - manage data and other resources for a number of clients, e.g. files, disk space, network printers, processing power and communication ports;
  - ensure that only authorised users access the network;
  - control which files a user can open and read;
  - restrict when and from where users can access the network;
  - dictate which rules (protocols) computers use to communicate;
  - supply applications to users.
- Examples of NOS include Microsoft Windows NT, Windows Server 2000 and 2003, Novell NetWare, UNIX and Linux.
Advantages
- Easy to manage and control the other computers from the server.
- More secure: uses log-ins and passwords.
- Allows information to be filtered by role (e.g. examinations, accounts, personnel).
Disadvantages
- Use of resources can be slow, since everything passes through the server.
- Failure of the server halts the organisation's operations; this calls for backups and for several servers (e.g. secondary domain controllers).
- May be complex: the server software must be configured to serve the other computers.

Types of Servers
- File and print servers: manage file transfers and print jobs.
- Mail servers: e-mail.
- Application servers: host applications, e.g. databases.
- Communication servers: fax etc.
- Proxy server: provides proxy services and caches frequently used web pages so they are served locally rather than fetched remotely.
All of these can be configured on one server, but that makes operations slow.

Advantages of Computer Networks
1.
Share resources
- Software.
- Hardware: scanners, printers, CD-writers and backup devices.
2. Lower running cost
- Files are all held on servers.
- Diskless workstations (thin clients) are possible.
3. More resilience and efficiency
- Against system failure: failing nodes can be bypassed, and additional backup servers can take over.
- Group working: a single online project with multiple participants sharing the same file space.
- Distributed processing: heavy tasks on some systems can share out workload to idle nodes on the network.
4. Faster
- 10, 100 or even higher Mbps, compared with ordinary telephone modems at 56 kbps.
5. Facilitates communication
- The same information and files can be sent to multiple workstations.
- Fax, e-mail and Internet or ISDN lines.
6. Flexible working
- Tele-working and data logging using portable computers.
7. Security
- Centralised control via servers.
8. Data integrity
- No duplicate copies of the same document in different places.

Disadvantages
(i) Errors can be propagated and are hard to eradicate.
(ii) A virus can spread across the entire system.
(iii) Costly to manage: extra staff are needed, and damage is likely without adequate safeguards in place.
(iv) Less secure than a standalone machine.
(v) Complex network software.
(vi) Not simple to install.

Protocols
A protocol is a set of rules that governs how network nodes communicate, i.e. a method of communication between network nodes.
- Protocols are an integral part of both software and hardware and are adhered to by software and hardware developers.
- Only clients and servers using the same protocol can communicate with each other.
- There are many different protocols for different purposes. Some work at different layers of the OSI reference model, and some work together in what is referred to as a protocol stack.
- They include: IPX/SPX (Internetwork Packet Exchange / Sequenced Packet Exchange, created by Novell), TCP/IP (Transmission Control Protocol / Internet Protocol), SNMP, HTTP, SMTP, POP, NetBIOS, AppleTalk, SDLC etc.

Functions of a protocol
(i) Define the structure of the message information, i.e.
the position and function of each field, such as the parity bit, in the transmitted data.
(ii) Cope with signal errors through:
(a) A block checksum: a code generated and sent after a certain number of bytes have been transmitted. For example, the 8-bit checksum of the message "Cad!" in ASCII (American Standard Code for Information Interchange) is the sum of the character codes, keeping only the low 8 bits:
  C = 0100 0011 (0x43)
  a = 0110 0001 (0x61)
  d = 0110 0100 (0x64)
  ! = 0010 0001 (0x21)
  sum = 1 0010 1001; low 8 bits = 0010 1001 (0x29)
Matching checksum values at the transmitter and the receiver imply that no error was detected. (A simple sum misses some errors, e.g. two byte errors that cancel each other out.)
(b) A polynomial code (cyclic redundancy check, CRC): a mathematical code that also detects burst errors.
(iii) Control information flow through windowing: the transmission of multiple packets before an acknowledgement is required from the receiving machine.
(iv) Link management:
- The transmitting computer sends out a "connection request" packet.
- The receiving computer returns a "connection acknowledgement" packet.
- Transmission is ended by a "disconnect" packet.
- The end of transmission is confirmed with a "disconnection acknowledgement" packet.

TCP/IP Overview
The most common protocol suite is TCP/IP, because it is supported by all the major operating systems, e.g. Linux and Windows (compatibility). TCP/IP is often referred to in short as IP. There are several versions of IP; the one in common use here is IPv4, or simply IP, which has a 32-bit address (a maximum of 2^32 = 4,294,967,296 addresses).

TCP/IP configuration:
(i) IP addressing
- The location of communicating nodes must be known in order to transmit.
- An IP address is a code that uniquely identifies each node on a network.
- It is written as four dotted decimal numbers (octets), each ranging from 0 to 255 in value, e.g. 172.68.1.10.
- An IP address is split into two parts, a network ID and a host ID.
Network ID
- The first part of the IP address.
- Identifies the network segment (physical network) on which a particular node is located.
- All nodes on the same segment have the same network ID.
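As an added worked example (not part of the original manual), the following Python code implements the two error-detection methods described under (ii) above: the 8-bit block checksum, computed on the same message "Cad!", and a polynomial code (CRC-8 with generator x^8 + x^2 + x + 1, i.e. 0x07, a standard generator chosen for this example). The corrupted message "Bbd!" is constructed for the example: 'C' decreased by one and 'a' increased by one cancel out in a plain sum, so the block checksum misses the error while the CRC catches it.

```python
"""Added example: block checksum versus polynomial code (CRC) on a short message."""

# Generator x^8 + x^2 + x + 1 (CRC-8, poly 0x07); the choice is this example's own.
CRC8_POLY = 0x07


def block_checksum(data: bytes) -> int:
    """8-bit block checksum: sum of all bytes, keeping only the low 8 bits."""
    return sum(data) & 0xFF


def crc8(data: bytes, poly: int = CRC8_POLY) -> int:
    """CRC-8 computed bit by bit (no reflection, initial value 0, no final XOR).

    The message is treated as a polynomial over GF(2) and divided by the
    generator; the 8-bit remainder is the check value sent after the data.
    """
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x80:
                crc = ((crc << 1) ^ poly) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc


def check_frame(payload: bytes, sent_check: int, method) -> bool:
    """Receiver side: recompute the check value and compare with the one received."""
    return method(payload) == sent_check


def demo():
    """Transmit 'Cad!' with each check value, then deliver a corrupted copy."""
    original = b"Cad!"      # the message used in the manual's checksum example
    corrupted = b"Bbd!"     # constructed: 'C'->'B' (-1) and 'a'->'b' (+1) cancel in a sum
    results = {}
    for name, method in (("checksum", block_checksum), ("crc8", crc8)):
        check = method(original)             # computed by the transmitter
        results[name] = {
            "check": check,
            "clean_ok": check_frame(original, check, method),
            "corrupt_detected": not check_frame(corrupted, check, method),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: check=0x{r['check']:02x} clean_ok={r['clean_ok']} "
              f"corruption_detected={r['corrupt_detected']}")
```

A CRC of degree 8 detects every burst error of 8 bits or fewer and most longer ones; a plain sum only detects errors that change the total, which is why a checksum alone is never relied on where an attacker, rather than line noise, may alter the data.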
Examples of network IDs: 192.168.8.0, 172.16.10.0, 10.0.0.0.
Host ID
- The unique ID of the device/node within its network.
- The second part of the IP address.

IP Address Classification
- There are five IP classes, namely A, B, C, D and E.
- They define the division between the network ID and the host ID.
- The class was chosen according to the number of hosts an organisation needed to address.
(a) Class A
- Uses only the first of the four octets for the network ID and the remaining three for the host ID.
- Of the 32 bits, the leading bit is fixed at binary 0 (the class marker), 7 bits form the network ID and 24 bits form the host ID. Hence a prefix of 8 bits.
- Allows 126 (2^7 - 2) networks and 16,777,214 (2^24 - 2) hosts per network.
- Good for organisations with a very large number of hosts.
(b) Class B
- Uses the first two octets for the network ID and the last two for the host ID.
- The leading bits are fixed at binary 10, 14 bits form the network ID and 16 bits form the host ID. Hence a prefix of 16 bits.
- Allows 16,384 (2^14) networks and 65,534 (2^16 - 2) hosts per network.
- Usually assigned to medium-sized to large organisations.
(c) Class C
- Uses the first three octets for the network ID and the last octet for the host ID.
- The leading bits are fixed at binary 110, 21 bits form the network ID and 8 bits form the host ID. Hence a prefix of 24 bits.
- Allows 2,097,152 (2^21) networks and only 254 (2^8 - 2) hosts per network.
- Used for small LANs.
- The most common class, because many more networks than large host counts are required.
(d) Class D
- Not allocated to hosts; used for multicast groups.
(e) Class E
- Reserved for future expansion and experimental use.
The class of an IP address is identified from its first octet.
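An added Python example (not part of the original manual) that performs the classification just described: it reads the class from the leading bits of the first octet, applies the default mask, splits the address into network ID and host ID, flags the loopback, all-zeros and all-ones host cases, and performs the local-or-remote test that a node carries out before deciding whether to send a packet to its default gateway. The sample addresses are the exercise values from this section; the function names are the example's own.

```python
"""Added example: classful IPv4 analysis (class, default mask, network/host split,
local-or-remote test)."""

from ipaddress import IPv4Address  # standard library; used to validate dotted decimal


def to_int(dotted: str) -> int:
    """Dotted-decimal string -> 32-bit integer (raises ValueError on bad input)."""
    return int(IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(IPv4Address(value & 0xFFFFFFFF))


def ip_class(dotted: str) -> str:
    """Classify from the fixed leading bits of the first octet."""
    first = to_int(dotted) >> 24
    if first & 0b10000000 == 0:
        return "A"          # leading bit 0
    if first & 0b11000000 == 0b10000000:
        return "B"          # leading bits 10
    if first & 0b11100000 == 0b11000000:
        return "C"          # leading bits 110
    if first & 0b11110000 == 0b11100000:
        return "D"          # leading bits 1110 (multicast, no host part)
    return "E"              # leading bits 1111 (reserved)


DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def analyse(dotted: str) -> dict:
    """Return class, mask, network ID and host ID, and flag the special addresses."""
    cls = ip_class(dotted)
    if cls not in DEFAULT_MASK:
        return {"address": dotted, "class": cls, "mask": None,
                "network_id": None, "host_id": None, "note": "no host part"}
    addr = to_int(dotted)
    mask = to_int(DEFAULT_MASK[cls])
    network = addr & mask
    host = addr & ~mask & 0xFFFFFFFF
    note = "ok"
    if (addr >> 24) == 127:
        note = "loopback (127.0.0.0/8), not assignable to a node"
    elif host == (~mask & 0xFFFFFFFF):
        note = "host bits all 1s: directed broadcast, not a host"
    elif host == 0:
        note = "host bits all 0s: the network itself, not a host"
    return {"address": dotted, "class": cls, "mask": DEFAULT_MASK[cls],
            "network_id": to_dotted(network), "host_id": to_dotted(host), "note": note}


def is_local(src: str, dst: str, mask: str) -> bool:
    """The subnet-mask test a host performs: same network ID -> deliver directly,
    otherwise hand the packet to the default gateway."""
    m = to_int(mask)
    return (to_int(src) & m) == (to_int(dst) & m)


if __name__ == "__main__":
    for ip in ("197.68.1.2", "101.101.1.0", "16.5.1.1", "188.58.6.1",
               "171.201.6.1", "127.0.0.1", "192.168.1.255", "224.0.0.1"):
        print(analyse(ip))
    # Same class B network -> local; subnetted with a /24 mask -> remote.
    print(is_local("172.68.1.10", "172.68.200.5", "255.255.0.0"))
    print(is_local("172.68.1.10", "172.68.200.5", "255.255.255.0"))
```

The last two calls show why the mask, and not just the class, decides local versus remote: with the default class B mask the two hosts are on one network, but once the administrator subnets with 255.255.255.0 the same destination becomes remote and must go via the gateway.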
The first-octet range for each class follows from the fixed leading bits:

Class   First octet (decimal)   First octet (binary)
A       0-127                   00000000-01111111
B       128-191                 10000000-10111111
C       192-223                 11000000-11011111
D       224-239                 11100000-11101111
E       240-255                 11110000-11111111

IP address considerations
(a) The first octet cannot be 127: the 127.0.0.0 network is reserved for loopback, used to test the local TCP/IP stack (ping 127.0.0.1).
(b) The host bits cannot be all 1s: such an address is interpreted as a broadcast to the network rather than as a host. (A network ID of all 1s is likewise not usable.)
(c) The host bits cannot be all 0s: such an address refers to the network itself ("this network"), not to a host.
(d) A host ID must be unique within its network ID.

(ii) Subnet mask
- Used in conjunction with the IP address to determine whether a destination is on the local network or on a remote one.
- It has two uses:
(a) It masks off the portion of the IP address that is the network ID, distinguishing it from the host ID.
(b) It lets a node decide whether a destination IP address is on the local network (same network ID) or on a remote network (different network ID, so the packet is sent to the default gateway).
Default masks: Class A 255.0.0.0, Class B 255.255.0.0, Class C 255.255.255.0.

Class   First octet   Leading bits   Default mask       Prefix   Networks    Hosts/network
A       1-126         0              255.0.0.0          8        126         16,777,214
B       128-191       10             255.255.0.0        16       16,384      65,534
C       192-223       110            255.255.255.0      24       2,097,152   254
D       224-239       1110           -                  -        -           -
E       240-255       1111           -                  -        -           -

Exercise: for the following IP addresses, identify the class, subnet mask, network ID and host ID.
(i) 197.68.1.2: Class C, 255.255.255.0, network ID 197.68.1, host ID 2
(ii) 101.101.1.0: Class A, 255.0.0.0, network ID 101, host ID 101.1.0
(iii) 16.5.1.1: Class A, 255.0.0.0, network ID 16, host ID 5.1.1
(iv) 188.58.6.1: Class B, 255.255.0.0, network ID 188.58, host ID 6.1
(v) 171.201.6.1: Class B, 255.255.0.0, network ID 171.201, host ID 6.1

(iii) Default gateway
- The IP address of the router to which packets destined for a remote network are sent by default.
- Not compulsory, but without it the node can only reach its own LAN.
(iv) DNS (Domain Name System)
DNS servers resolve TCP/IP host names to IP addresses and are essential for locating devices on a network by name, e.g. comp1 or meshack = 172.68.1.10. DNS translates the human-readable host names into the IP addresses that equipment needs to deliver information.
(v) WINS (Windows Internet Name Service): a Microsoft service that resolves NetBIOS computer names to IP addresses on Windows LANs. (The Internet itself uses DNS.)

Other protocols
(a) SMTP (Simple Mail Transfer Protocol)
- Responsible for moving messages from one mail server to another over a TCP/IP network.
- Received messages are stored on the destination mail server until the recipient's machine collects them.
(b) POP (Post Office Protocol): used to retrieve mail from a mail server. By default, once a message has been downloaded it is deleted from the server.
(c) IMAP (Internet Message Access Protocol): an alternative to POP in which messages stay on the server rather than being downloaded to the local machine; messages remain on the server until explicitly deleted there, so the same mailbox can be read from several machines.
(d) UDP (User Datagram Protocol): fast delivery, but delivery is not guaranteed.
(e) ARP (Address Resolution Protocol): finds the MAC (Media Access Control) address of the NIC on the destination node from its IP address. ARP is used on Ethernet networks.
(f) ICMP (Internet Control Message Protocol): error reporting and diagnostic handling. It handles special Internet control functions:
1. Reporting unreachable destinations
2. Reporting IP packet header problems
3. Reporting routing problems
4. Echo request and echo reply (ping)
- A protocol for error detection and reporting, tightly coupled with IP; like IP it is unreliable.
- ICMP messages are delivered inside IP packets.
- ICMP functions: announce network errors; announce network congestion; assist troubleshooting; announce timeouts.
(g) IGMP (Internet Group Management Protocol): multicast group membership within TCP/IP.
(h) DHCP (Dynamic Host Configuration Protocol): a protocol, installed and configured on a server, that automatically assigns a unique IP address (and usually the subnet mask, default gateway and DNS servers) to every device on a network.
(i) HTTP (Hypertext Transfer Protocol): the standard by which web browsers and web servers communicate.
(j) SNMP (Simple Network Management Protocol): the standard TCP/IP protocol for network management. It is used to monitor and map network availability, performance and error rates.

OSI Reference Model
Networking involves many issues that require standardisation, for instance:
- packet size
- packet structure
- speed of transmission
- synchronisation of senders and receivers
- error detection and correction
- even the physical circuitry of the sender and receiver.
The OSI (Open Systems Interconnection) model was developed by the International Organization for Standardization (ISO).
- It splits the hardware and software of networks into seven layers.
- A layer is a collection of related functions that provides services to the layer above it and uses the services of the layer below it.

Layer   Name
7       Application
6       Presentation
5       Session
4       Transport
3       Network
2       Data Link
1       Physical

(1) Physical layer (media, signal and binary transmission)
- Concerned with the hardware itself: transmits the raw bit stream over the physical cable.
- Defines cables, cards and other physical aspects.
- Defines how the NIC attaches to the hardware and how the cable attaches to the NIC.
- Defines the techniques used to transfer the bit stream onto the cable.
- Examples: NICs, cables, amplifiers, hubs, RJ-11 and RJ-45 connectors.
(2) Data link layer (physical addressing)
- Defines the methods used to transmit and receive data on the network: the wiring, the devices used to connect the NIC to the wiring, the signalling involved in transmitting and receiving data, and the ability to detect signalling errors on the network media.
- Turns packets into raw bits (100101...) for the physical layer and, at the receiving end, turns bits back into frames.
- Handles data frames between the network and physical layers.
- At the receiving end, packages raw data from the physical layer into data frames for delivery to the network layer.
- Responsible for error-free transfer of frames to another computer via the physical layer.
- Examples: CSMA/CD, bridges, switches, NICs.
(3) Network layer (path determination and logical addressing)
- Routes data along different network paths.
- Adds unique (logical) addressing information to packets.
- Translates logical network addresses and names into physical addresses (e.g. IP address -> MAC address, with the help of ARP).
- Responsible for addressing, determining routes for sending, and managing network problems such as packet switching, data congestion and routing.
- If a router cannot forward a frame as large as the source computer sends, the network layer compensates by breaking the data into smaller units (fragmentation). At the receiving end, the network layer reassembles the data.
- Examples: IP, IPX, AppleTalk; routers and layer-3 switches.
(4) Transport layer (end-to-end communication)
- The interface between the application-oriented upper layers and the network-oriented lower layers.
- Provides an additional end-to-end connection below the session layer.
- Manages the flow control of data between parties across the network.
- Divides streams of data into chunks or segments; the transport layer of the receiving computer reassembles the message from them. A train is a good analogy: the data is divided into identical units (carriages).
- Provides error checking to guarantee error-free data delivery, with no losses or duplications.
- Provides acknowledgement of successful transmissions and requests retransmission if some segments do not arrive error-free.
- Examples:
TCP, UDP, SPX, NetBEUI.
(5) Session layer (inter-host communication)
- Establishes, maintains and ends sessions across the network.
- Responsible for name recognition (identification), so that only the designated parties can participate in the session.
- Provides synchronisation services by placing checkpoints in the data stream: if the session fails, only data after the most recent checkpoint needs to be retransmitted.
- Manages who can transmit data at a certain time and for how long.
- Examples are interactive logins and file transfer connections: the session connects and reconnects if there is an interruption, recognises names in sessions and registers names in a history.
- Examples: the session handling of Telnet and FTP, the NetBIOS session service, duplexing (dialogue control).
(6) Presentation layer (network translator)
- Translates from network format to application format and vice versa.
- The different formats from all sources are converted into a common, uniform format that the rest of the OSI model can understand.
- Responsible for protocol conversion, character-set conversion, data encryption/decryption, expanding graphics commands and data compression.
- Sets standards so that different systems provide seamless communication across multiple protocol stacks.
- Provides encryption, compression and terminal emulation.
- Examples:
a gateway (protocol translator); character codes such as ASCII and EBCDIC.
(7) Application layer
- Used by applications specifically written to run over the network.
- Allows access to the network services that support applications; directly represents the services that support user applications.
- Handles network access, flow control and error recovery at the application level.
- Example applications: file transfer, e-mail, NetBIOS-based applications, and word processors or spreadsheets opening network files.
- Example protocols: DNS, FTP, SNMP, DHCP, SMTP, Telnet, HTTP.

OSI vs TCP/IP
The four-layer TCP/IP model maps onto OSI as follows: the TCP/IP application layer covers OSI layers 5-7 (session, presentation, application); the transport layer is OSI layer 4 (TCP, UDP); the internet layer is OSI layer 3 (IP, ICMP, IGMP); and the network access (link) layer covers OSI layers 1-2 (Ethernet, Token Ring, NICs and cabling).

Network Hardware
(i) Network Interface Card (NIC)
- Also called a network adapter; it contains a transceiver (transmitter/receiver).
- The component that physically connects the computer to the transmission medium.
- Can be a plug-in card slotted into an ISA (Industry Standard Architecture) bus on older PCs or, more commonly, a PCI (Peripheral Component Interconnect) bus.
- NICs can also be built onto the motherboard, or attached to a portable PC via serial/parallel ports or a PCMCIA (Personal Computer Memory Card International Association) interface.
- NICs can also be wireless: an antenna transmits and receives the signal.
- A wide range of types and speeds exists, and the performance of the NIC is critical to the performance of the network as a whole.
Parts of a NIC
- Expansion bus connector: the edge connector that plugs into the system board.
- Media connector: the port that connects to the transmission medium, e.g. an RJ-45 socket.
- Buffer: a memory chip that stores data temporarily before transmission and on reception.
- Boot ROM (optional): used in thin-client setups so the computer boots from the network instead of a local storage device.
- Transceiver: the chip next to the media connector that converts the computer's digital data into the signal sent on the medium, and back again.
[Figure: NIC layout showing transceiver, boot ROM, buffer, media connector and expansion bus connector]
Functions of a NIC
(i) Prepare data from the computer for the network cable, i.e. convert the computer's parallel data into the serial signal used on the medium.
(ii) Send and receive data.
(iii) Control the flow of data between the computer and the cable system.

[Figure: a typical LAN with servers, a fax server, clients, printers, hubs, switches and routers, and a WAN link to the Internet]

(i) Hubs
- Act as a point of connection between network nodes.
- Have 4, 8, 12, 24 or more ports.
- Most are passive: they just repeat the signal out of every port. Every device on a hub therefore sees every frame, so a hub forms a single collision domain and any node can eavesdrop on the others' traffic.
- Intelligent (managed) hubs may have internal processing capability, permit remote management, filter data, or provide diagnostic information about the network.
- They can be used as standalone hubs serving an isolated group of computers in a small organisation, workgroup or home office, or used to link network segments.

(ii) Repeaters
- Connect similar segments of a LAN.
- Receive the transmission from one segment, clean and amplify the signal, and retransmit it to the next segment.
- Enable thin coaxial cable to be extended from 185 m to 925 m, or thick coaxial from 500 m to 2.5 km.
- Usually two-ported, but may be multi-ported to join several segments.

(iii) Bridges
- Connect two network segments. Unlike a repeater, a bridge builds a filtering database (forwarding table) of MAC addresses and uses it to decide whether to forward or filter each frame between the segments.
- Used to extend network size and avoid exceeding limits such as segment length or number of devices.
- Can be a standalone device, or a PC assigned the job with two NICs.
- Protocol-independent: works on physical (MAC) addresses only, so it passes IPX and IP traffic between two Ethernet segments alike.
- Faster than routers (no protocol processing), but slower than repeaters and hubs because it analyses each frame before forwarding.
- Can extend a network without extending its collision domains: each segment remains its own collision domain.
- Improves network performance: can be programmed to filter out certain frames, e.g. unnecessary broadcast frames.
- Useful for LANs that extend over different floors in a building or LANs built on departmental lines.
Types of bridges
1. Local bridges: directly connect local area networks (LANs).
2. Remote bridges: create a wide area network (WAN) link between LANs. Remote bridges, where the connecting link is slower than the end networks, have largely been replaced by routers.
3. Wireless bridges: join LANs, or connect remote stations to a LAN.

(iv) Switches
- Connect not only network nodes but also dissimilar network segments of a LAN.
- Can be described as a multi-port bridge: each port is a bridge, and each connected device gets its own dedicated channel, which eases traffic congestion.
- Most have an internal processor, an operating system, memory and several ports.
- More costly than bridges but make more effective use of limited bandwidth (many ports).
- Better security (traffic is delivered only to the ports involved) and performance (separate channels) than hubs: a node attached to a switch normally does not see frames addressed to other nodes.
- Data can be lost because switches can be overwhelmed by continuous heavy traffic.
- Traffic can come to a halt due to mounting collisions if protocols that do not detect and recover from data loss are in use (so switch placement should match backbone capacity and traffic patterns).
- Have replaced workgroup hubs.
Types of switches (switching modes)
(i) Cut-through mode: the switch reads a frame's header and decides where to forward it before it has received the whole frame.
- It does not actually detect corrupt frames, runts (erroneously shortened frames) or other errors; these are passed on to the destination segment.
- Fast: does not stop to read the entire frame.
- Suits small workgroups with a limited number of devices.
(ii) Store-and-forward mode: the switch reads the entire frame into memory, checks it for accuracy, and only then transmits it.
- Slower, and can add to congestion under heavy load.
- Does not propagate errors.
- Can transfer data between segments running at different transmission speeds.
- Good for larger LANs and mixed-speed environments.
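An added Python example (not part of the original manual) of the learning mechanism behind the bridge's filtering database and the switch's per-port forwarding described above: the switch learns source MAC addresses as frames arrive, forwards a frame out of one port when the destination is known, filters it when source and destination are on the same port, and floods it otherwise. The table is bounded, as the address memory of real hardware is, which is why the security benefit of a switch ("traffic is isolated") depends on that table not being filled. The MAC addresses, port numbers and the attacker's forged frames are constructed for the example.

```python
"""Added example: a learning bridge/switch with a bounded MAC forwarding table."""

from collections import OrderedDict


class LearningSwitch:
    """Forward, filter or flood frames using a MAC table learned from source
    addresses (the 'filtering database' of a bridge).

    table_size caps the number of entries, as real hardware does. When the
    table is full, new stations cannot be learned and frames for them are
    flooded out of every other port, which is what a MAC-flooding attacker
    exploits to make a switch behave like a hub.
    """

    def __init__(self, ports, table_size=1024):
        self.ports = list(ports)
        self.table_size = table_size
        self.table = OrderedDict()      # MAC -> port, oldest entry first
        self.flood_count = 0

    def learn(self, mac, port):
        """Record (or refresh) the port a source MAC was last seen on."""
        if mac in self.table:
            self.table.move_to_end(mac)
            self.table[mac] = port
            return
        if len(self.table) >= self.table_size:
            return                      # table exhausted: cannot learn new stations
        self.table[mac] = port

    def forward(self, in_port, src, dst):
        """Return the list of ports the frame is sent out of."""
        self.learn(src, in_port)
        if dst == "ff:ff:ff:ff:ff:ff" or dst not in self.table:
            self.flood_count += 1
            return [p for p in self.ports if p != in_port]   # flood
        out = self.table[dst]
        if out == in_port:
            return []                   # same segment: filter the frame
        return [out]                    # known station: forward to one port


def demo(table_size=2):
    """Constructed traffic on a 4-port switch; a tiny table keeps the run short."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=table_size)
    log = []
    # Normal traffic: station A on port 1 talks to station B on port 2.
    log.append(sw.forward(1, "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"))  # B unknown -> flood
    log.append(sw.forward(2, "bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01"))  # A known -> port 1 only
    log.append(sw.forward(1, "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"))  # B known -> port 2 only
    # Attacker on port 4 sends frames from many forged source MACs (constructed).
    for i in range(10):
        sw.forward(4, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    # A new legitimate station C on port 3 now tries to talk to A...
    log.append(sw.forward(3, "cc:cc:cc:cc:cc:03", "aa:aa:aa:aa:aa:01"))  # A known -> port 1
    # ...and A's reply: delivered to port 3 only if C could be learned,
    # otherwise flooded to every port, including the attacker's port 4.
    log.append(sw.forward(1, "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:03"))
    return sw, log


if __name__ == "__main__":
    for size in (2, 1024):
        sw, log = demo(table_size=size)
        print(f"table_size={size}: decisions={log} floods={sw.flood_count}")
```

Running demo(2) and demo(1024) side by side shows the same traffic being isolated when the table has room and leaked to every port when it does not. Production switches age entries out and offer port security (a limit on MAC addresses learned per port); the fixed table_size here stands in for the hardware address-table limit.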
(v) Routers
Apart from keeping track of nodes on the network as switches do, routers connect dissimilar networks, e.g. LANs and WANs running at different transmission speeds and using a variety of protocols.
- Used in specialised applications, e.g. large Internet nodes or digitised telephone exchanges.
Functions of routers
(i) Connect dissimilar networks.
(ii) Interpret addressing information.
(iii) Determine the best path for data to follow from node A to node B.
(iv) Reroute traffic if the primary path is down but another path is available.
(v) Other functions include:
- Filter out broadcast transmissions to alleviate network congestion.
- Prevent certain types of traffic from reaching a network, enabling customised segregation and security.
- Support simultaneous local and remote connectivity.
- Provide high fault tolerance through redundant components such as power supplies or network interfaces.
- Monitor network traffic and report statistics.
- Diagnose internal or other connectivity problems and trigger alarms.
Categories (by the scope of the network they serve)
(i) Interior router: directs data within an autonomous network of an organisation, e.g. from a supervisor's node to an employee's node.
(ii) Exterior router: directs data between nodes external to a given autonomous network, e.g. routers on the Internet backbone.
(iii) Border routers (gateway routers): connect an autonomous network to a WAN, e.g. a business network to its ISP.
Routing modes
(i) Static routing: uses specific routes between nodes, programmed by the network administrator.
- Not optimal: does not account for network congestion or failed connections.
- Can be used together with dynamic routing to indicate the route of last resort (default route), the path that accepts all otherwise unroutable packets.
- Less efficient and less accurate: requires human (administrative) intervention whenever the network changes.
(ii) Dynamic routing: routers automatically calculate the best path between two nodes and accumulate this information in a routing table.
A routing table entry contains three items:
- Network ID: the destination network.
- Cost: the cost or metric of the path over which the packet is to be sent.
- Next hop: the address of the next station to which the packet is sent on its way to the final destination.

[Figure: an example network of six nodes A to F; C is directly connected to A and B, D is reached through B and E through A]

The routing table for node C, for destinations A, B, D and E, is:

Network ID   Next hop   Cost
A            A          1
B            B          1
D            B          2
E            A          2

Dynamic routing:
- Can detect congestion and failures and re-route traffic.
- Is used by most networks.

(vi) Gateways
- A combination of hardware and software that connects two dissimilar kinds of network (different formatting, communication protocols or architecture).
- Interpret information so that it can be read by the other system. To do so they must:
  - operate at all levels of the OSI model;
  - communicate with applications;
  - establish and manage sessions;
  - translate encoded data;
  - interpret logical and physical addressing of data.
- Can reside on servers, computers, connectivity devices (e.g. routers) or mainframes.
- Being translators, they are slower than bridges or routers and can cause serious network congestion.
- Examples include firewalls, e-mail gateways and IBM host gateways.

Network Design Considerations
- For efficient, largely trouble-free networks the "5-4-3" rule is often applied to repeated (shared) Ethernet:
  - no more than 5 segments in series,
  - no more than 4 repeaters/hubs between any 2 nodes,
  - no more than 3 of those segments populated with nodes.
- Also, a maximum of 7 bridges is allowed in series.

Data Transmission
Introduction
Information stored in computer systems and transferred over computer networks can be divided into two categories: data and signals. Data are the values stored in the computer system, e.g. characters, symbols, numbers, spaces etc. Signals are the electrical or electromagnetic encoding of data used to transmit it over a medium. Signals are either digital (conveying digital data) or analogue (conveying analogue data). In computer networks we are interested in digital data.
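Returning to the routing table for node C given above: the following added Python example (not part of the original manual) computes that table with Dijkstra's shortest-path algorithm, which is what a link-state dynamic routing protocol runs, and then recomputes it after the C-A link fails to show re-routing. The manual's figure shows only nodes A to F; the link costs (all 1) and the two extra links D-F and E-F are this example's own assumptions, chosen to be consistent with the table in the text.

```python
"""Added example: building node C's routing table (network ID, next hop, cost)
with Dijkstra's algorithm over an assumed link-cost graph."""

import heapq

# Assumed topology consistent with the manual's table for C; every link costs 1.
# (The figure shows only nodes A-F; these edges are this example's own.)
LINKS = {
    ("C", "A"): 1, ("C", "B"): 1,
    ("A", "E"): 1, ("B", "D"): 1,
    ("D", "F"): 1, ("E", "F"): 1,
}


def adjacency(links):
    """Undirected adjacency list from a {(u, v): cost} dictionary."""
    adj = {}
    for (u, v), cost in links.items():
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def routing_table(source, links):
    """Dijkstra from `source`; returns {destination: (next_hop, cost)}.

    The next hop for each destination is the neighbour of `source` through
    which the cheapest path leaves, i.e. the entry a dynamic routing
    protocol would install in the forwarding table.
    """
    adj = adjacency(links)
    dist = {source: 0}
    next_hop = {}
    heap = [(0, source, None)]          # (cost so far, node, first hop on the path)
    while heap:
        cost, node, hop = heapq.heappop(heap)
        if cost > dist.get(node, float("inf")):
            continue                    # stale heap entry
        for nbr, w in adj.get(node, {}).items():
            new_cost = cost + w
            first = nbr if node == source else hop
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                next_hop[nbr] = first
                heapq.heappush(heap, (new_cost, nbr, first))
    return {d: (next_hop[d], dist[d]) for d in dist if d != source}


def with_link_down(links, failed):
    """Dynamic routing reacts to a failure: drop the failed link and recompute."""
    return {k: v for k, v in links.items() if set(k) != set(failed)}


if __name__ == "__main__":
    for dest, (hop, cost) in sorted(routing_table("C", LINKS).items()):
        print(f"{dest}: next hop {hop}, cost {cost}")
    print("after C-A fails:", routing_table("C", with_link_down(LINKS, ("C", "A"))))
```

With the C-A link down, A and E are still reachable, but only the long way round through B, D and F; a static route "A via A" would simply black-hole that traffic, which is the limitation of static routing noted above.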
The binary data must be encoded at the source node into a signal to be conveyed over the medium, and decoded at the destination back into binary data.

Data Encoding Techniques
Many techniques exist. They include character coding techniques (e.g. Baudot, Binary Coded Decimal (BCD), American Standard Code for Information Interchange (ASCII), Extended Binary Coded Decimal Interchange Code (EBCDIC) and Unicode) and line coding techniques (Manchester Phase Encoding (MPE), Differential Manchester Encoding (DME), Non-Return to Zero (NRZ), Non-Return to Zero Inverted (NRZ-I), 4B/5B, 5B/6B, Pulse Amplitude Modulation 5 (PAM5) etc.). We look at four main line coding techniques.

(i) Non-Return to Zero (NRZ)
- A positive voltage represents bit 1 and zero (or negative) voltage represents bit 0.
- The signal does not return to zero in the middle of a bit.
[Figure: NRZ waveform for the bit sequence 0 1 1 0 0 0 1]
- Costly because of the high power output needed to hold one level for the whole bit period against line resistance (prone to attenuation).
- Bandwidth-efficient: alternating bits 1 0 form one cycle, so two bits are transmitted per cycle.
- No inherent clock synchronisation between sender and receiver: their internal clocks must match, which can only be checked if the transmitted signal changes level frequently. A long run of 0s or 1s produces no transitions, so the receiver can lose count of the bits.
- The line is in one of three states: transmitting a 0 bit (negative or zero voltage), transmitting a 1 bit (positive voltage) or idle (0 volts); an idle line and a run of 0s are hard to tell apart.

(ii) Non-Return to Zero Inverted (NRZ-I)
- A 1 bit inverts the voltage; a 0 bit leaves the voltage unchanged.
- So a 1 bit is represented by either 0 volts or a positive voltage, depending on the previous level.
[Figure: NRZ-I waveform for 0 1 1 0 0 0 1]
- Bandwidth usage is still low, and every 1 bit produces a voltage change that helps clock synchronisation (a long run of 0s still produces none).
- Still has the power output problem.

(iii) Manchester encoding
- The duration of a bit is divided into two halves: the voltage stays at one level during the first half and moves to the other level in the second half.
- In the IEEE 802.3 (Ethernet) convention a 0 is high then low, and a 1 is low then high.
- Every bit therefore contains a transition, which provides clock synchronisation.
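An added Python example (not part of the original manual) that encodes the bit pattern 0 1 1 0 0 0 1 used in this section's figures with all four techniques (NRZ, NRZ-I, Manchester, and differential Manchester as described under (iv) below), and measures the longest interval without a level change, which is what decides whether the receiver can recover the clock. The Manchester polarity (IEEE 802.3) and the starting level of the NRZ-I and differential Manchester signals are assumptions of the example; the function names are its own.

```python
"""Added example: NRZ, NRZ-I, Manchester and differential Manchester encoders,
plus a transition measure that shows which codes carry the receiver's clock."""

BITS = [0, 1, 1, 0, 0, 0, 1]   # the bit pattern drawn in this section's figures

# Each encoder returns the signal as a list of half-bit levels (1 = high, 0 = low),
# two entries per bit, so all four codes can be compared on the same time base.


def nrz(bits):
    """Level equals the bit for the whole bit time; no mid-bit transition."""
    return [lvl for b in bits for lvl in (b, b)]


def nrzi(bits, start=0):
    """A 1 inverts the current level, a 0 leaves it unchanged."""
    level, out = start, []
    for b in bits:
        if b:
            level ^= 1
        out += [level, level]
    return out


def manchester(bits, ieee8023=True):
    """Transition in the middle of every bit. IEEE 802.3: 0 = high->low, 1 = low->high
    (the opposite assignment is also found in textbooks; use ieee8023=False for it)."""
    out = []
    for b in bits:
        first = (1 - b) if ieee8023 else b
        out += [first, 1 - first]
    return out


def diff_manchester(bits, start=0):
    """Always a mid-bit transition; a 1 also inverts the level at the start of the
    bit, a 0 does not (the convention used in the text; IEEE 802.5 swaps it)."""
    level, out = start, []
    for b in bits:
        if b:
            level ^= 1          # start-of-bit transition for a 1
        out.append(level)
        level ^= 1              # mid-bit transition for every bit
        out.append(level)
    return out


def longest_run(signal):
    """Longest stretch of half-bits with no level change: the time the receiver
    must count on its own clock alone. Large values mean poor clock recovery."""
    best = run = 1
    for prev, cur in zip(signal, signal[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def decode_manchester(signal, ieee8023=True):
    """Receiver side: the direction of each mid-bit transition gives the bit."""
    bits = []
    for i in range(0, len(signal), 2):
        rising = signal[i] == 0 and signal[i + 1] == 1
        bits.append(1 if rising == ieee8023 else 0)
    return bits


if __name__ == "__main__":
    for name, enc in (("NRZ", nrz), ("NRZ-I", nrzi), ("Manchester", manchester),
                      ("Diff. Manchester", diff_manchester)):
        sig = enc(BITS)
        print(f"{name:17s} {''.join(map(str, sig))}  longest run = {longest_run(sig)}")
    print("Manchester decodes back to", decode_manchester(manchester(BITS)))
```

The run of three 0s in the pattern gives NRZ and NRZ-I six and more half-bits with no transition, while both Manchester codes never go more than two half-bits without one, at the price of up to twice the signalling rate.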
[Figure: Manchester waveform for 0 1 1 0 0 0 1]
- The transition in the middle of each data bit (a bit time is at most one full cycle of the signal) lets the receiver recover the clock.
- The signalling rate is twice the data rate: at 10 Mbps the signal frequency reaches 10 MHz, which makes Manchester inefficient in its use of bandwidth.

(iv) Differential Manchester encoding
- A 1 bit inverts the voltage at the start of its interval; a 0 bit does not. (Some texts, and IEEE 802.5 Token Ring, assign the start-of-bit transition to the 0 bit instead; in either case the data is carried by the presence or absence of a transition at the start of the bit, not by the level.)
- A voltage change always occurs in the middle of each interval, for easy clock synchronisation.
[Figure: differential Manchester waveform for 0 1 1 0 0 0 1]
- Token Ring uses this technique; because the clock is carried in the signal, no preamble is required.

Maximum data rate of a channel
Determined in two ways:
(i) Nyquist's theorem
- Used to determine the maximum capacity of a noise-free channel.
- It states that for a noise-free channel of bandwidth B, the maximum signalling rate is 2B symbols per second, so with two signal levels (one bit per symbol) the maximum capacity is
  C = 2 x B bits per second
  (with L signal levels it is C = 2 x B x log2(L)).
E.g. determine the maximum capacity of a noiseless channel carrying a complex low-pass signal of 10 kHz bandwidth:
  C = 2 x 10,000 = 20,000 bps = 20 kbps.
(ii) Shannon's theorem
- Applies to noisy channels.
- States that the maximum capacity is
  C = B x log2(1 + S/N)
where C = maximum capacity (bps), B = bandwidth (Hz), S = signal power, N = noise power and S/N = the signal-to-noise ratio as a plain ratio (not in dB).
E.g. determine the maximum capacity of a 3000 Hz bandwidth channel with a signal-to-noise ratio of 30 dB.
  30 dB means 10 x log10(S/N) = 30, so S/N = 10^3 = 1000.
  C = 3000 x log2(1 + 1000) = 3000 x log2(1001)
    = 3000 x (log10 1001 / log10 2) = 3000 x (3.0004 / 0.30103)
    = 3000 x 9.967 = approximately 29,900 bps.

Transmission Media
The means through which data is transmitted between nodes. There are two categories: conducted (guided) media and wireless media.
1. Conducted Media
(a) Twisted pair
- Composed of pairs of insulated copper wires twisted together (four pairs in a standard LAN cable); the twisting reduces crosstalk and electromagnetic pickup.
- Terminated with an RJ-45 (registered jack) connector.
- The main medium for large-scale LAN implementation.
[Figure: cross-section of a twisted-pair cable showing the outer sheath, shield and twisted pairs]
- There are two types:
i. UTP (Unshielded Twisted Pair)
- Uses telephone-style cable: two insulated copper wires twisted together in a regular spiral per pair.
- Most common in small and medium-sized LANs: low cost, short distance.
ii.
STP (Shielded Twisted Pair)
- Pairs of twisted cable, each wrapped in plastic, then wrapped in aluminium foil, then copper braid and finally covered by PVC.
- The metal braid is connected to earth for earthing.
- They drastically reduce interference and have greater physical strength, but are expensive.

Advantages of T.P.
- Cables and connections are inexpensive.
- Cables are easy to install.
- Ends of cables are easily connected to devices.
- Most commonly used cables: compatible with telephone cable systems.

Disadvantages
- Electromagnetic interference.
- Temperature and humidity interference.
- Limited segment length, depending on the cable standard.
- Limited bandwidth.

Categories
There are several categories depending on the frequency and capacity of transmission in Mbps.

Category        Capacity     Application
CAT1            20 kbps      voice only (telephone)
CAT2            4 Mbps       slow token ring
CAT3            10 Mbps      Ethernet
CAT4            16 Mbps      fast token ring
CAT5            100 Mbps     fast Ethernet
CAT5E           100 Mbps     LAN for ATM
CAT6 (thicker)  250 Mbps     LAN for ATM
CAT7 (thicker)  >250 Mbps    LAN for ATM

(b) Coaxial cable
- Similar to aerial cable: consists of a copper conductor surrounded by a layer of flexible insulation. The insulator is covered by a copper braid that acts as a conductor and also reduces EMI, and is finally covered by a plastic case (PVC).
- Commonly used in backbone topology.
- Uses BNC (British naval connector) terminators.
- Stronger, and transmits data over longer distances.
- Supports higher bandwidths.
- Simple to install.
- Expensive and incompatible with telephone cables: needs converters.
- There are two types:
i. Thin coaxial cable
[Figure: thin coaxial cable showing solid copper core, plastic insulator, copper braid and PVC]
- E.g. cheapernet, thinnet and 10Base2.
- 10Base2 has a maximum segment length of 185 m, an impedance of 50 ohms, a speed of up to 10 Mbps and a minimum physical bend radius of 15 cm.
- The cable terminator can be cut.
ii. Thick coaxial cable
- Big, and one has to drill at the point of the terminator.
- E.g.
standard Ethernet cable, Thicknet and 10Base5.
[Figure: thick coaxial cable showing copper core, plastic insulation, inner braid, outer copper braid and PVC case]
- Added layer of aluminium tape.
- Extra layer of copper braid.
- Covers a 500 m segment length.
- 60 cm bend radius.

(c) Fibre optic cable
- Consists of a quite flexible plastic or glass thread, slightly thicker than a human hair, surrounded by glass cladding (coat) and covered by a light-proof PVC sleeve.
- Connectors are either ST (straight tip, by AT&T) or SC (subscriber connector), a newer version that allows push/pull insertion for simple connection.
[Figure: fibre optic cable showing PVC sleeve, glass cladding and glass/plastic thread]

Fibre optic transmission
- A light source is projected into the cable by quickly switching it on and off, using either:
a. High-intensity LED (photodiode) projection
  - lower cost
  - lower power
  - shorter distance (in km)
  - up to 200 Mbps
b. Laser projection
  - covers much longer distances
  - much higher transmission speeds, 1-2 Gbps
- During transmission, light reflects off the glass cladding by total internal reflection, due to the higher refractive index of the glass thread.
- An optical sensor called a photoreceptor receives the pulses at the receiving end.

Advantages
- Very fast, 10-100 times faster than wire systems: no impedance.
- Covers greater distances (in km vs. m) with no signal degradation.
- Immune to electromagnetic radiation: uses light waves only.
- Safe in most conditions: uses photons, hard to tap into.
- Electrically isolated: no crosstalk.

Disadvantages
- Lack of good, settled international standards.
- Lack of knowledge: technicians are expensive to hire.
- Expensive media type.
- Difficult to install: can shatter in transit or when bent round corners.

Categories
(a) Monomode: carries a single ray of light, usually emitted from a laser projection. It can transmit pulses for a long distance because the light is unidirectional at the centre of the fibre. Supports higher transmission rates. It is expensive.
(b) Multimode: the light takes multiple paths, hence the pulse at the receiving end is more blurred (modal dispersion) than in monomode.

2.
Wireless media
- Signal transmission through space.

Types
(i) WPAN (Wireless Personal Area Network): used to connect and exchange information between devices such as mobile phones, laptops, PCs, cameras and video consoles over short-range radio frequencies without connecting to an elaborate network.
(ii) Wi-Fi (Wireless Fidelity): connects within a wireless LAN (WLAN), e.g. wireless Ethernet, for faster speed, better range and security.
(iii) WiMAX (Worldwide Interoperability for Microwave Access): uses a point-to-multipoint topology to provide broadband access.
(iv) GSM (Global System for Mobile communications): enables roaming and switching carriers without switching phones, for voice calls and SMS services. Newer versions of GSM include GPRS (General Packet Radio Service) for higher-speed data transmission, which uses WAP (Wireless Application Protocol) and MMS (Multimedia Messaging Service).
(v) CDMA (Code Division Multiple Access): a form of spread spectrum for higher data bandwidth using shared codes. It is limited to certain regions.

Wireless waves are either:
- Infrared: uses line-of-sight transmission, e.g. a remote control; no obstacle may be in the way.
- Radio waves: can go through obstacles from the transmitting antenna to the receiving antenna.
- Laser: can penetrate some materials, e.g. glass.

Characteristics of wireless media
- Have no physical connection.
- More expensive.
- Used in complex structures.
- Affected by interference, e.g. from other devices, fluorescent tubes, etc.
- Not secure.
- Have hubs with 3-4 ports that:
  - extend connections to wired networks;
  - connect wireless devices to a telephone line for Internet access;
  - act as the access point (transmitter/receiver).
- Characteristics of wireless transmissions that affect how they travel from source to destination include absorption, reflection, diffraction, scattering and refraction.

Factors to consider when choosing a medium
- Distance and expansibility.
- Environmental conditions (e.g. noise and weather conditions).
- Cost.
- Speed.
- Security.

4.
Media access methods
- Also referred to as logical topologies or media control methods.
- The transmission methodology used by computers to determine when devices are allowed to communicate using the network.
- Allows one workstation to transmit data at a time onto the network, or the use of one channel at a time.
- All this applies where multiple computers compete for a cable, especially in a LAN.
- There are three methods:
(i) Contention
(ii) Token passing (round robin)
(iii) Demand priority (reservation)

(i) Contention
- Operates mainly in a bus topology.
- Computers on the network compete to send data.
- There are two types:
(a) CSMA/CD (Carrier Sense Multiple Access with Collision Detection)
- Carrier Sense: each station on the LAN continually listens to the cable for the presence of signals before transmitting.
- Multiple Access: many computers attempting to transmit.
- Collision Detection: if a collision is detected, the station stops transmitting and waits for a random length of time before transmitting again.

How CSMA/CD works
(i) A station that wishes to transmit checks whether the cable is free.
(ii) It transmits.
(iii) If other stations transmitted simultaneously, a collision results.
(iv) All stations stop transmitting.
(v) Each waits for a random length of time, then transmits again.
[Flowchart: the station listens for activity; if there is activity it waits and listens again; if not, it transmits; if a collision is detected it stops transmitting, waits, and listens again; otherwise transmitting is complete]

(b) CSMA/CA (Collision Avoidance)
- Each computer signals its intention to transmit data before transmitting, to avoid collisions.
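The CSMA/CD procedure above, run as a small slotted simulation; this is an added example written for this manual, not code from the original text. The frame length in slots, the backoff range and the random seed are assumptions made here.

```python
"""Slotted CSMA/CD simulation of the five-step procedure described above.

Added example, not from the course manual. Time runs in slots: a station
senses the cable at the start of a slot, transmits when it is free, and on
a collision stops and waits a random number of slots before listening
again. The frame length in slots, the backoff range and the seed are
assumptions made for this example.
"""
import random


def simulate_csma_cd(frames_per_station, frame_slots=3, max_backoff=4,
                     seed=1, max_slots=10_000):
    """Run the bus until every station has sent its frames.

    frames_per_station[i] is how many frames station i has to send.
    Returns slots used, collisions seen, the delivery order and a log.
    """
    rng = random.Random(seed)
    pending = list(frames_per_station)   # frames each station still has to send
    backoff = [0] * len(pending)         # random wait remaining, per station
    busy = None                          # (station, slots left) while the cable is in use
    collisions, delivered, log, slot = 0, [], [], 0

    while any(pending) and slot < max_slots:
        if busy is None:
            # Step (i): a station with a frame and no wait left senses a free cable.
            ready = [s for s, n in enumerate(pending) if n and backoff[s] == 0]
            if len(ready) > 1:
                # Steps (iii)-(v): simultaneous transmissions collide; every
                # station involved stops and picks a random wait.
                collisions += 1
                log.append((slot, "collision", tuple(ready)))
                for s in ready:
                    backoff[s] = rng.randint(1, max_backoff)
            elif ready:
                # Step (ii): the cable is free, so the station transmits.
                busy = (ready[0], frame_slots)
                log.append((slot, "start", ready[0]))
        if busy is not None:
            # The frame occupies the cable; all other stations hear the
            # carrier and keep quiet until it ends.
            station, left = busy
            left -= 1
            if left == 0:
                pending[station] -= 1
                delivered.append(station)
                log.append((slot, "done", station))
                busy = None
            else:
                busy = (station, left)
        # Waiting stations count down their random delay once per slot.
        backoff = [max(0, b - 1) for b in backoff]
        slot += 1

    return {"slots": slot, "collisions": collisions, "delivered": delivered,
            "all_sent": not any(pending), "log": log}


if __name__ == "__main__":
    result = simulate_csma_cd([2, 2, 2])       # three stations, two frames each
    for entry in result["log"]:
        print(*entry)
    print("slots:", result["slots"], "collisions:", result["collisions"])
```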
- CSMA/CA can optionally be supplemented by the exchange of a Request to Send (RTS) packet sent by the sender S and a Clear to Send (CTS) packet sent by the intended receiver R, alerting all nodes within range of the sender, the receiver, or both, to keep quiet for the duration of the main packet.
- CA comes with a cost: the overhead incurred by having each station broadcast its intention prior to transmitting.

(ii) Token Ring
- Functions in a ring physical topology and star logical topology.
- A token passing method in which collisions are avoided by using a token.
- A token is a small data frame used to transmit data.

How it works
- A station that wishes to transmit on the network waits until the token comes through.
- The sending station transmits data using the token.
- The token travels to the recipient.
- The receiving station receives the token with the data and returns the token to the sender as a show of reception.
- The sender receives it, acknowledges, and releases the token to the network.
- Once the communication is over, the token is passed to the next candidate in a sequential manner.
- The most well-known examples are Token Ring and ARCNET.

(iii) Demand priority
- A system that requires demand priority switches/hubs, which control network access so that one station transmits information at a time.
- Data can be prioritized according to data type, e.g. video.
- If data is sent and received at the same time contention occurs, and data of a higher priority takes precedence.
- The access method distinguishes four priority levels called access classes (0, 2, 4 and 6):
  Class 6: urgent messages, e.g. those relating to critical alarm conditions and associated control functions.
  Class 4: messages relating to normal control actions and ring management functions.
  Class 2: messages relating to routine data gathering for data logging.
  Class 0: messages relating to program downloading and general file transfers; low-priority messages.

5.
Network Technologies
- Are the standards which data follows during transmission.
- Are usually created by specific manufacturers.
- Include Ethernet, Token Ring, FDDI, ATM and ARCNET, etc.

(i) Ethernet

Historical background
- Was created at the University of Hawaii in 1960 for their WAN called ALOHA.
- Xerox first used it commercially in the late 1970s.
- The original version of Ethernet was designed as a 2.94 Mbps system to connect over 100 computers on a 1 km cable. A 10 Mbps Ethernet was developed jointly by Xerox, Intel Corporation and Digital Equipment.
- Today it is a specification describing a method for computers and data systems to connect and share cabling. It is the basis of the IEEE 802.3 specification (Institute of Electrical and Electronics Engineers).

Features of Ethernet
1. Topology: linear bus, star bus
2. Signal mode: baseband
3. Access method: CSMA/CD
4. Specification: IEEE 802.3
5. Transfer speed: 10/100 Mbps
6. Cable type: Thicknet, Thinnet or UTP
7. Maximum frame size: 1518 bytes
8. Media: passive, i.e. draws power from the computer and thus will not fail unless the media is physically cut or improperly terminated.

Ethernet frame
- Ethernet breaks data into frames.
- A frame is a unit of data that is transmitted as a single unit. It can be between 64 and 1518 bytes long, but the Ethernet framing itself uses at most 18 bytes.
- Every frame contains control information and follows the same basic organization:

  Preamble | Destination | Source | Type | Data | CRC

  Example of an Ethernet frame as used in TCP/IP:
  Preamble: marks the start of a frame.
  Destination and Source: show the destination and origin addresses.
  Type: used for identifying the network layer protocol (i.e. is it IP or IPX).
  CRC: cyclic redundancy check, an error-checking field used to determine whether the frame arrived without being corrupted.
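The frame layout above, built and checked in code; this is an added example written for this manual, not code from the original text. It assumes the 802.3 preamble with a start-frame delimiter and the Ethernet CRC-32 (the same polynomial as zlib.crc32, sent least-significant byte first); the MAC addresses and payload are constructed sample values.

```python
"""Build and check an Ethernet frame of the layout shown above.

Added example, not from the course manual. The frame is laid out as
preamble, destination, source, type, data, CRC, with 46-1500 bytes of
data so the frame stays within 64-1518 bytes. Ethernet's CRC-32 uses the
same polynomial as zlib.crc32 and is sent least-significant byte first.
The MAC addresses and payload used below are constructed sample values.
"""
import struct
import zlib

PREAMBLE = b"\x55" * 7 + b"\xD5"      # 7 sync bytes + start-frame delimiter
MIN_DATA, MAX_DATA = 46, 1500         # keeps the frame between 64 and 1518 bytes
ETHERTYPE_IP = 0x0800                 # the "type" field value for IP


def build_frame(dst, src, ethertype, data):
    """Assemble a frame with a correct CRC; short data is zero-padded."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    if len(data) > MAX_DATA:
        raise ValueError("data exceeds 1500 bytes")
    data = data.ljust(MIN_DATA, b"\x00")
    body = dst + src + struct.pack("!H", ethertype) + data
    crc = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return PREAMBLE + body + crc


def mac_str(raw):
    """Render six address bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(wire):
    """Split a received frame into its fields, rejecting corrupted ones."""
    if not wire.startswith(PREAMBLE):
        raise ValueError("preamble not found: cannot locate frame start")
    frame = wire[len(PREAMBLE):]
    if not 64 <= len(frame) <= 1518:
        raise ValueError(f"frame length {len(frame)} outside 64-1518 bytes")
    body, received_crc = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if received_crc != zlib.crc32(body) & 0xFFFFFFFF:
        raise ValueError("CRC mismatch: frame was corrupted in transit")
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {"dst": mac_str(body[:6]), "src": mac_str(body[6:12]),
            "type": ethertype, "data": body[14:]}


def frame_is_intact(wire):
    """True when the receiver would accept the frame."""
    try:
        parse_frame(wire)
        return True
    except ValueError:
        return False


def overhead(wire):
    """Bytes the frame adds around the data (the 18 bytes the manual cites)."""
    return len(wire) - len(PREAMBLE) - len(parse_frame(wire)["data"])


def corrupt(wire, index, mask=0x01):
    """Flip one bit to imitate a transmission error."""
    damaged = bytearray(wire)
    damaged[index] ^= mask
    return bytes(damaged)


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")   # constructed sample addresses
    src = bytes.fromhex("66778899aabb")
    wire = build_frame(dst, src, ETHERTYPE_IP, b"hello")
    print(len(wire), "bytes on the wire;", overhead(wire), "bytes of framing")
    print(parse_frame(wire))
    print("intact:", frame_is_intact(wire),
          "after a bit flip:", frame_is_intact(corrupt(wire, 30)))
```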
Examples of Ethernet standards
- 10Base2: thin coaxial cable.
- 10Base5: standard Ethernet using a thick coaxial cable.
- 10BaseF: fibre optic cable.
  The name gives the speed in Mbps (10), the bandwidth mode (Base = baseband) and the cable type (2, 5, F).

(ii) Fast Ethernet
- A newer version of Ethernet, introduced due to increased demands for greater bandwidth from faster server processors, new applications and more demanding environments that require greater network transfer rates than existing LANs can provide.

Specifications
- Based on the CSMA/CD protocol.
- Can use twisted pair and fibre optics.
- Can be broken down into:
  1. 100BaseTX
  2. 100BaseT4
  3. 100BaseFX

(iii) Token Ring
- LAN technology that uses a three-byte token to transmit data around a logical ring network.
- Baseband transmission.
- Transfer rate of 4 and 16 Mbps.
- Used by IBM computers.
- Uses twisted pair and fibre optic cables.
- Segment length 45-200 m.
- Employs the differential Manchester encoding scheme: does not have a preamble part.

Token Ring frame format

  SD | AC | FC | DA | SA | Data | CRC | ED | FS

Starting Delimiter (SD): consists of a special bit pattern denoting the beginning of the frame.
Access Control (AC): controls how the frame is accessed.
Frame Control (FC): a one-byte field that contains bits describing the data portion of the frame contents. Indicates whether the frame contains data or control information.
Destination Address (DA): a six-byte field used to specify the destination(s) physical address.
Source Address (SA): contains the physical address of the sending station. It is a six-byte field that is either the locally assigned address (LAA) or the universally assigned address (UAA) of the sending station's adapter.
Data: a variable-length field of 0 or more bytes, the maximum allowable size depending on ring speed, containing MAC management data or upper-layer information. Maximum length of 5000 bytes.
Frame Check Sequence (CRC): a four-byte field used to store the result of a CRC calculation for frame integrity verification by the receiver.
Ending Delimiter (ED): the counterpart to the starting delimiter; this field marks the end of the frame.
Frame Status (FS): a one-byte field used as a primitive acknowledgement scheme indicating whether the frame was recognized and copied by its intended receiver.

(iv) FDDI (Fibre Distributed Data Interface)
- Describes a high-speed (100-200 Mbps) duplex token passing network that uses fibre optic media.
- An FDDI network contains two token rings, one serving as a possible backup in case the primary ring fails.
- It has a larger maximum frame size than Ethernet, and therefore more throughput.
- Though FDDI can replace Ethernet for fast networks, Ethernet's speed, cost and reliability have made FDDI redundant.

Network Security

Security Risks
To understand how to manage network security, you should first recognize the types of threats that your network may suffer. Security threats or risks come from four areas: people; transmission and hardware; protocols and software; and Internet access.

Risks Associated with People
By some estimates, human errors, ignorance and omissions cause more than half of all security breaches sustained by networks. Human errors account for so many security breaches because taking advantage of them is the easiest way to circumvent network security. The risks associated with people include the following:
- Intruders or attackers using social engineering or snooping to obtain user passwords.
- An administrator incorrectly creating or configuring user IDs, groups and their associated rights on a file server, resulting in file and logon access vulnerabilities.
- Network administrators overlooking security flaws in topology or hardware configuration.
- Network administrators overlooking security flaws in the operating system or application configuration.
- Lack of proper documentation and communication of security policies, leading to deliberate or inadvertent misuse of files or network access.
- Dishonest or disgruntled employees abusing their file and access rights.
- An unused computer or terminal being left logged on to the network, thereby providing an entry point for an intruder.
- Users or administrators choosing easy-to-guess passwords.
- Authorized staff leaving computer room doors open or unlocked, allowing unauthorized individuals to enter.
- Staff discarding disks or backup tapes in public waste containers.
- Administrators neglecting to remove access and file rights for employees who have left the organization.
- Users writing their passwords on paper, then placing the paper in an easily accessible place (for example, taping it to their monitor or keyboard).

Risks Associated with Transmission and Hardware
This section describes security risks inherent in the Physical, Data Link and Network layers of the OSI Model. Recall that the transmission media, NICs, hubs, network access methods (for example, Ethernet), bridges, switches and routers reside at these layers. At these levels, security breaches require more technical sophistication than those that take advantage of human errors. The following risks are inherent in network hardware and design:
- Transmissions can be intercepted (wireless and fibre-based transmissions are more difficult to intercept).
- Networks that use leased public lines, such as T1 or DSL connections to the Internet, are vulnerable to eavesdropping at a building's demarcation point (demarc), at a remote switching facility, or in a central office.
- Unused hub, router or server ports can be exploited and accessed by hackers if they are not disabled.
- A router's configuration port, accessible by Telnet, may not be adequately secured.
- If routers are not properly configured to mask internal subnets, users on outside networks (such as the Internet) can read the private addresses.
- Modems attached to network devices may be configured to accept incoming calls, thus opening security holes if they are not properly protected.
- Dial-in access servers used by telecommuting or remote staff may not be carefully secured and monitored.
- Computers hosting very sensitive data may coexist on the same subnet with computers open to the general public.
- Passwords for switches, routers and other devices may not be sufficiently difficult to guess, may not be changed frequently or, worse, may be left at their default value. Imagine that a hacker wants to bring a library's database and mail servers to a halt.

Risks Associated with Protocols and Software
Like hardware, networked software is only as secure as you configure it to be. This section describes risks inherent in the higher layers of the OSI Model, such as the Transport, Session, Presentation and Application layers. As noted earlier, the distinctions between hardware and software risks are somewhat blurry because protocols and hardware operate in tandem. For example, if a router has not been properly configured, a hacker may exploit the openness of TCP/IP to gain access to a network. Network operating systems and application software present different risks; in many cases, their security is compromised by a poor understanding of file access rights or simple negligence in configuring the software. Remember: even the best encryption, computer room door locks, security policies and password rules make no difference if you grant the wrong users access to critical data and programs. The following are some risks pertaining to networking protocols and software:
- TCP/IP contains several security flaws. For example, IP addresses can be falsified easily, checksums can be thwarted, UDP requires no authentication, and TCP requires only weak authentication.
- Trust relationships between one server and another may allow a hacker to access the entire network because of a single flaw.
- NOSs may contain "back doors" or security flaws that allow unauthorized users to gain access to the system.
  Unless the network administrator performs regular updates, a hacker may exploit these flaws.
- If the NOS allows server operators to exit to a command prompt, intruders could run destructive command-line programs.
- Administrators might accept the default security options after installing an operating system or application. Often, defaults are not optimal. For example, the default user name that enables someone to modify anything in Windows Server 2003 is called "Administrator". This default is well known, so if you leave the default user name as "Administrator" you have given a hacker half the information he needs to access and obtain full rights to your system.
- Transactions that take place between applications, such as databases and Web-based forms, may be open to interception.

Risks Associated with Internet Access
Although the Internet has brought computer crime, such as hacking, to the public's attention, network security is more often compromised "from the inside" than from external sources. Nevertheless, the threat of outside intruders is very real, and it will only grow as more people gain access to the Internet. Users need to be careful when they connect to the Internet. Even the most popular Web browsers sometimes contain bugs that permit scripts to access their systems while they're connected to the Internet, potentially for the purpose of causing damage. Users must also be careful about providing information while browsing the Web. Some sites will capture that information to use when attempting to break into systems. Bear in mind that hackers are creative and typically revel in devising new ways of breaking into systems. As a result, new Internet-related security threats arise frequently. By keeping software current, staying abreast of emerging security threats, and designing your Internet access wisely, users can prevent most of these threats.
Common Internet-related security issues include the following:
- A firewall may not be adequate protection if it is configured improperly. For example, it may allow outsiders to obtain internal IP addresses, then use those addresses to pretend that they have authority to access your internal network from the Internet, a process called IP spoofing.
- When a user Telnets or FTPs to your site over the Internet, his user ID and password are transmitted in plain text, that is, unencrypted. Anyone monitoring the network (that is, running a network monitor program or a hacking program specially designed to capture logon data) can pick up the user ID and password and use them to gain access to the system.
- Hackers may obtain information about your user ID from newsgroups, mailing lists, or forms you have filled out on the Web.
- While users remain logged on to Internet chat sessions, they may be vulnerable to other Internet users who might send commands to their machines that cause the screen to fill with garbage characters and require them to terminate their chat sessions. This type of attack is called flashing.
- After gaining access to your system through the Internet, a hacker may launch denial-of-service attacks. A denial-of-service attack occurs when a system becomes unable to function because it has been deluged with data transmissions or otherwise disrupted. This incursion is a relatively simple attack to launch (for example, a hacker could create a looping program that sends thousands of e-mail messages to your system per minute). The easiest resolution of this problem is to bring down the attacked server, then reconfigure the firewall to deny service (in return) to the attacking machine. Denial-of-service attacks may also result from malfunctioning software. Regularly upgrading software is essential to maintaining network security.
An Effective Security Policy
As you have learned, network security breaches can be initiated from within an organization, and many take advantage of human errors. This section describes how to minimize the risk of break-ins by communicating with and managing the users in your organization via a thoroughly planned security policy. A security policy identifies your security goals, risks, levels of authority, the designated security coordinator and team members, the responsibilities of each team member, and the responsibilities of each employee. In addition, it specifies how to address security breaches. It should not state exactly which hardware, software, architecture, or protocols will be used to ensure security, nor how hardware or software will be installed and configured. These details change from time to time and should be shared only with authorized network administrators or managers.

Security Policy Goals
Before drafting a security policy, you should understand why the security policy is necessary and how it will serve your organization. Typical goals for security policies are as follows:
- Ensure that authorized users have appropriate access to the resources they need.
- Prevent unauthorized users from gaining access to the network, systems, programs, or data.
- Protect sensitive data from unauthorized access, both from within and from outside the organization.
- Prevent accidental damage to hardware or software.
- Prevent intentional damage to hardware or software.
- Create an environment in which the network and systems can withstand and, if necessary, respond to and recover from any type of threat.
- Communicate each employee's responsibilities with respect to maintaining data integrity and system security.
A company's security policy may not pertain exclusively to computers or networks.

Security in Network Design
Addressing physical access to hardware and connections is just one part of a comprehensive security approach.
Even if you restrict access to computer rooms, teach employees how to select secure passwords, and enforce a security policy, breaches may still occur due to poor LAN or WAN design. In this section, you will learn how to address some security risks via intelligent network design. The optimal way to prevent external security breaches from affecting your LAN is not to connect your LAN to the outside world at all. This option is impractical in today's business environment, however. The next best protection is to restrict access at every point where your LAN connects to the rest of the world. This principle forms the basis of hardware- and design-based security.

Firewalls
A firewall is a specialized device, or a computer installed with specialized software, that selectively filters or blocks traffic between networks. A firewall typically involves a combination of hardware and software and may reside between two interconnected private networks or, more typically, between a private network and a public network (such as the Internet), as shown in the figure below. Many types of firewalls exist, and they can be implemented in many different ways. To understand secure network design and to qualify for Network+ certification, you should recognize which functions firewalls can provide, where they can appear on a network, and how to decide what features you need in a firewall.

The simplest form of a firewall is a packet-filtering firewall, which is a router (or a computer installed with software that enables it to act as a router) that examines the header of every packet of data it receives to determine whether that type of packet is authorized to continue to its destination. If a packet does not meet the filtering criteria, the firewall prevents the packet from passing.
[Figure: placement of a firewall between a private network and the Internet]
However, if a packet does meet the filtering criteria, the firewall allows that packet to pass through to the network connected to the firewall.
Packet-filtering firewalls are also called screening firewalls. (In fact, nearly all routers can be configured to act as packet-filtering firewalls.) Examples of software that enables a computer to act as a packet-filtering firewall include iptables (for Linux systems), Checkpoint Firewall Technologies' Firewall-1, McAfee Firewall, and Symantec. In addition to blocking traffic on its way into a LAN, packet-filtering firewalls can block traffic attempting to exit a LAN. One reason for blocking outgoing traffic is to stop worms from spreading. For example, if you are running a Web server, which in most cases only needs to respond to incoming requests and does not need to initiate outgoing requests, you could configure a packet-filtering firewall to block certain types of outgoing transmissions initiated by the Web server. In this way, you help prevent the spread of worms that are designed to attach themselves to Web servers and propagate themselves to other computers on the Internet.

Often, firewalls ship with a default configuration designed to block the most common types of security threats. In other words, the firewall may be preconfigured to accept or deny certain types of traffic. However, many network administrators choose to customize the firewall settings, for example, blocking additional ports or adding criteria for the type of traffic that may travel in or out of ports. Some common criteria a packet-filtering firewall might use to accept or deny traffic include the following:
- Source and destination IP addresses.
- Source and destination ports (for example, ports that supply TCP/UDP connections, FTP, Telnet, ARP, ICMP, and so on).
- Flags set in the IP header (for example, SYN or ACK).
- Transmissions that use the UDP or ICMP protocols.
- A packet's status as the first packet in a new data stream or a subsequent packet.
- A packet's status as inbound to or outbound from your private network.

Based on these options, a network administrator could configure his firewall, for example, to prevent any IP address that does not begin with "196.57", the network ID of the addresses on his network, from accessing the network's router and servers. Furthermore, he could disable, or block, certain well-known ports, such as the FTP ports (20 and 21), through the router's configuration. Blocking ports prevents any user from connecting to and completing a transmission through those ports. This technique is useful to further guard against unauthorized access to the network. In other words, even if a hacker could spoof an IP address that began with "196.57", he could not access the FTP ports (which are notoriously insecure) on the firewall. Ports can be blocked not only on firewalls, but also on routers, servers, or any device that uses ports. For example, if you established a Web server for testing but did not want anyone in your organization to connect to your Web pages through his or her browser, you could block port 80 on that server.

For greater security, you can choose a firewall that performs more complex functions than simply filtering packets. Among the factors to consider when making your decision are the following:
- Does the firewall support encryption? (You will learn more about encryption later in this chapter.)
- Does the firewall support user authentication?
- Does the firewall allow you to manage it centrally and through a standard interface (for example, by using SNMP)?
- How easily can you establish rules for access to and from the firewall?
- Does the firewall support filtering at the highest layers of the OSI Model, not just at the Data Link and Transport layers?
- Does the firewall provide logging and auditing capabilities, or alert you to possible intrusions?
- Does the firewall protect the identity of your internal LAN's addresses from the outside world?
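The packet-filtering criteria and the "196.57" example above, expressed as a small first-match rule set; this is an added example written for this manual, not code from the original text. The host addresses, the rule set and the 203.0.113.0/24 "outside" addresses are constructed for the example, and the treatment of an inbound packet with an internal source address as spoofed follows the IP spoofing risk described earlier.

```python
"""Packet-filtering firewall rules for the criteria listed above.

Added example, not from the course manual. It models the configuration
the text describes: addresses beginning with 196.57 are the internal
network, the FTP ports 20 and 21 are blocked everywhere, port 80 is
blocked on a Web server used for testing, and an inbound packet that
claims an internal source address is treated as spoofed. The host
addresses, the rule set and the 203.0.113.0/24 outside addresses are
constructed for this example.
"""
from dataclasses import dataclass, field
import ipaddress

INTERNAL_NET = "196.57.0.0/16"   # "any IP address that begins with 196.57"
PUBLIC_WEB = "196.57.10.1/32"    # constructed: the organisation's Web server
TEST_WEB = "196.57.10.5/32"      # constructed: the Web server set up for testing


@dataclass(frozen=True)
class Packet:
    direction: str        # "inbound" to or "outbound" from the private LAN
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = field(default_factory=frozenset)   # e.g. {"SYN"}


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    why: str              # reason recorded when the rule fires
    direction: str = None
    proto: str = None
    src_net: str = None   # CIDR; None matches any address
    dst_net: str = None
    dports: tuple = None  # None matches any destination port
    flags: frozenset = None   # every listed flag must be set in the packet

    def matches(self, p):
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and in_net(p.src, self.src_net)
                and in_net(p.dst, self.dst_net)
                and (self.dports is None or p.dport in self.dports)
                and (self.flags is None or self.flags <= p.flags))


# Evaluated top to bottom; the first match decides, the rest fall to the default.
RULES = [
    Rule("deny", "spoofed: inbound packet claiming an internal source address",
         direction="inbound", src_net=INTERNAL_NET),
    Rule("deny", "FTP ports 20/21 are blocked", proto="tcp", dports=(20, 21)),
    Rule("deny", "port 80 blocked on the test Web server",
         proto="tcp", dst_net=TEST_WEB, dports=(80,)),
    Rule("allow", "new connection to the public Web server",
         direction="inbound", proto="tcp", dst_net=PUBLIC_WEB, dports=(80,),
         flags=frozenset({"SYN"})),
    Rule("allow", "continuation of a Web connection (ACK set)",
         direction="inbound", proto="tcp", dst_net=PUBLIC_WEB, dports=(80,),
         flags=frozenset({"ACK"})),
    Rule("allow", "internal hosts may reach the outside",
         direction="outbound", src_net=INTERNAL_NET),
]


def evaluate(packet, rules=RULES, default="deny"):
    """Return (action, reason) for the packet under first-match semantics."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.why
    return default, "default policy"


if __name__ == "__main__":
    outside = "203.0.113.9"          # constructed address on the Internet
    samples = [
        Packet("inbound", "tcp", outside, "196.57.10.1", 40000, 80, frozenset({"SYN"})),
        Packet("inbound", "tcp", outside, "196.57.10.1", 40000, 21, frozenset({"SYN"})),
        Packet("inbound", "tcp", "196.57.3.4", "196.57.10.1", 40000, 22, frozenset({"SYN"})),
        Packet("inbound", "tcp", outside, "196.57.10.5", 40000, 80, frozenset({"SYN"})),
        Packet("outbound", "tcp", "196.57.2.2", outside, 40000, 443, frozenset({"SYN"})),
        Packet("inbound", "udp", outside, "196.57.10.1", 40000, 53),
    ]
    for p in samples:
        print(p.direction, p.proto, f"{p.src} -> {p.dst}:{p.dport}", evaluate(p))
```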
Further, you could configure the firewall to accept incoming traffic only from IP addresses that match the IP addresses on your Houston LAN. In a way, the firewall acts like a bouncer at a private club who checks everyone's ID and ensures that only club members enter through the door. In the case of the Houston-Denver VPN, the firewall will discard any data packets that arrive at the Denver firewall and do not contain source IP addresses that match those of Houston's LAN.

Because you must tailor a firewall to your network's needs, you cannot simply purchase one, install it between your private LAN and the Internet, and expect it to offer much security. Instead, you must first consider what type of traffic you want to filter, then configure the firewall accordingly. It may take weeks to achieve the best configuration: not so strict that it prevents authorized users from transmitting and receiving necessary data, yet not so lenient that you risk security breaches. Further complicating the matter is that you may need to create exceptions to the rules. For example, suppose that your human resources manager is working from a conference center in Salt Lake City while recruiting new employees and needs to access the Denver server that stores payroll information. In this instance, the Denver network administrator might create an exception to allow transmissions from the human resources manager's workstation's IP address to reach that server. In the networking profession, creating an exception to the filtering rules is called "punching a hole" in the firewall.

Because packet-filtering firewalls operate at the Network layer of the OSI Model and examine only network addresses, they cannot distinguish between a user who is trying to breach the firewall and a user who is authorized to do so. For example, your organization might host a Web server, which necessitates accepting requests for port 80 on that server.
In this case, a packet-filtering firewall, because it only examines the packet header, could not distinguish between a harmless Web browser and a hacker attempting to manipulate his way through the Web site to gain access to the network. For higher-layer security, a firewall that can analyze data at higher layers is required. The next section describes this kind of device.

Proxy Servers

One approach to enhancing the security of the Network and Transport layers provided by firewalls is to combine a packet-filtering firewall with a proxy service. A proxy service is a software application on a network host that acts as an intermediary between the external and internal networks, screening all incoming and outgoing traffic. The network host that runs the proxy service is known as a proxy server. (A proxy server may also be called an Application layer gateway, an application gateway, or simply a proxy.) Proxy servers manage security at the Application layer of the OSI Model.

To understand how they work, think of the secure data on a server as the president of a country and the proxy server as the secretary of state. Rather than have the president risk her safety by leaving the country, the secretary of state travels abroad, speaks for the president and gathers information on the president's behalf. In fact, foreign leaders may never actually meet the president. Instead, the secretary of state acts as her proxy. In a similar way, a proxy server represents a private network to another network (usually the Internet). Although a proxy server appears to the outside world as an internal network server, in reality it is merely another filtering device for the internal LAN. One of its most important functions is preventing the outside world from discovering the addresses of the internal network.

For example, suppose your LAN uses a proxy server and you want to send an e-mail message from your workstation to your mother via the Internet.
Your message would first go to the proxy server (depending on the configuration of your network, you may or may not have to log on separately to the proxy server first). The proxy server would repackage the data frames that make up the message so that, rather than your workstation's IP address being the source, the proxy server inserts its own IP address as the source. Next, the proxy server passes the repackaged data to the packet-filtering firewall. The firewall verifies that the source IP address in your packets is valid (that it came from the proxy server) and then sends your message to the Internet. Examples of proxy server software include Squid (for use on UNIX-type systems), Novell BorderManager and Microsoft Internet Security and Acceleration (ISA) Server 2000, an optional service for Windows 2000 Server and Windows Server 2003 servers. Figure 14-4 depicts how a proxy server might fit into a WAN design.

Proxy servers can also improve performance for users accessing resources external to their network by caching files. For example, a proxy server situated between a LAN and an external Web server can be configured to save recently viewed Web pages. The next time a user on the LAN wants to view one of the saved Web pages, the content is provided by the proxy server. This eliminates the time required to travel over a WAN and retrieve the content from the external Web server.

[Figure 14-4: A proxy server used on a WAN]

Remote Access

As you have learned, many companies supply traveling employees, telecommuters, or distant vendors with remote access to their private LANs or WANs. When working with remote access, you must remember that any entry point to a LAN or WAN creates a potential security risk. In other words, if an employee can get to your network in New York from his hotel room in Rome, a smart hacker can likely do the same.
You can, however, take advantage of techniques designed to minimize the possibility of such unauthorized remote access. In this section, you will learn about security measures tailored to remote access solutions, such as remote control and dial-up networking.

Remote Control

Remote control systems enable a user to connect to a host system on a network from a distance and use that system's resources as if the user were sitting in front of it. Although such remote control systems can be convenient, they can also present serious security risks. Most remote control software programs (for example, Symantec Corporation's pcAnywhere) offer features that increase the security of remote control systems. If you intend to allow remote control access to a host on your LAN, you should investigate these security features and know how to implement them correctly. Important security features that you should seek in a remote control program include the following:

Often, firewall and proxy server features are combined in one device. In other words, you might purchase a firewall and be able to configure it not only to block certain types of traffic from entering your network, but also to modify the addresses in the packets leaving your network.

Network Operating System Security

Regardless of whether you run your network on a Novell, Microsoft, Macintosh, Linux, or UNIX network operating system, you can implement basic security by restricting what users are authorized to do on a network. Every network administrator should understand which resources on the server all users need to access. The rights conferred to all users are called public rights, because anyone can have them and exercising them presents no security threat to the network. In most cases, public rights are very limited. They may include privileges to view and execute programs from the server and to read, create, modify, delete, and execute files in a shared data directory.
In addition, network administrators need to group users according to their security levels and assign additional rights that meet the needs of those groups. As you know, creating groups simplifies the process of granting rights to users. For example, if you work in the IT Department at a large college, you will most likely need more than one person to create new user IDs and passwords for students and faculty. Naturally, the staff in charge of creating new user IDs and passwords need the rights to perform this task. You could assign the appropriate rights to each staff member individually, but a more efficient approach is to put all of the personnel in a group, and then assign the appropriate rights to the group as a whole.

Logon Restrictions

In addition to restricting users' access to files and directories on the server, a network administrator can constrain the ways in which users can access the server and its resources. The following is a list of additional restrictions that network administrators can use to strengthen the security of their networks:

- Time of day. Some user accounts may be valid only during specific hours, for example, between 8:00 A.M. and 5:00 P.M. Specifying valid hours for an account can increase security by preventing any account from being used by unauthorized personnel after hours.
- Total time logged on. Some user accounts may be restricted to a specific number of hours per day of logged-on time. Restricting total hours in this way can increase security in the case of temporary user accounts. For example, suppose that your organization offers a WordPerfect training class to a group of high school students one afternoon, and the WordPerfect program and training files reside on your staff server. You might create accounts that could log on for only four hours on that day.
- Source address. You can specify that user accounts can log on only from certain workstations or certain areas of the network (that is, domains or segments).
This restriction can prevent unauthorized use of user names from workstations outside the network.
- Unsuccessful logon attempts. Hackers may repeatedly attempt to log on under a valid user name for which they do not know the password. As the network administrator, you can set a limit on how many consecutive unsuccessful logon attempts from a single user ID the server will accept before blocking that ID from even attempting to log on.

Another security technique that can be enforced by a network administrator through the NOS is the selection of secure passwords. The following section discusses the importance and characteristics of choosing a secure password.

Passwords

Choosing a secure password is one of the easiest and least expensive ways to guard against unauthorized access. Unfortunately, too many people prefer to use an easy-to-remember password. If your password is obvious to you, however, it may also be easy for a hacker to figure out. The following guidelines for selecting passwords should be part of your organization's security policy. It is especially important for network administrators to choose difficult passwords, and also to keep passwords confidential and to change them frequently. Tips for making and keeping passwords secure include the following:

- Always change system default passwords after installing new programs or equipment. For example, after installing a router, the default administrator's password on the router might be set by the manufacturer to be "1234" or the router's model number.
- Do not use familiar information, such as your name, nickname, birth date, anniversary, pet's name, child's name, spouse's name, user ID, phone number, address, or any other words or numbers that others might associate with you.
- Do not use any word that might appear in a dictionary. Hackers can use programs that try a combination of your user ID and every word in a dictionary to gain access to the network.
This is known as a dictionary attack, and it is typically the first technique a hacker uses when trying to guess a password (besides asking the user for her password).
- Make the password longer than eight characters; the longer, the better. Some operating systems require a minimum password length (often, eight characters), and some may also restrict the password to a maximum length.
- Choose a combination of letters and numbers; add special characters, such as exclamation marks or hyphens, if allowed. Also, if passwords are case sensitive, use a combination of uppercase and lowercase letters.
- Do not write down your password or share it with others.
- Change your password at least every 60 days, or more frequently, if desired. If you are a network administrator, establish controls through the network operating system to force users to change their passwords at least every 60 days. If you have access to sensitive data, change your password even more frequently.
- Do not reuse passwords.

Password guidelines should be clearly communicated to everyone in your organization through your security policy. Although users may grumble about choosing a combination of letters and numbers and changing their passwords frequently, you can assure them that the company's financial and personnel data is safer as a result. No matter how much your colleagues protest, do not back down from your password requirements. Many companies mistakenly require employees only to use a password, and don't help them choose a good one. This oversight increases the risk of security breaches.

Encryption

Encryption is the conversion of data into a form, called a cipher, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood. Encryption is the use of an algorithm to scramble data into a format that can be read only by reversing the algorithm, that is, by decrypting the data.
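The restrictions described under Logon Restrictions above (time of day, total time logged on, source address, and a limit on consecutive unsuccessful attempts), implemented as the account check a network operating system performs at logon. This is an added example, not code from the manual or from any NOS; the account names, hashing salt, address ranges, limits and timestamps are constructed.

```python
"""Logon restrictions enforced by a network operating system (added example;
not code from the manual or from any NOS).  It implements the restrictions
listed under Logon Restrictions: time of day, total time logged on per day,
source address, and a limit on consecutive unsuccessful logon attempts.
Account names, address ranges, limits and timestamps are constructed."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

SALT = b"example-salt"   # constructed; a real NOS uses a random per-account salt


def hash_password(password: str) -> str:
    """Salted, slow hash: the server never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()


def when(stamp: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' timestamp for the checks below."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M")


@dataclass
class Account:
    user_id: str
    password_hash: str
    valid_from: Optional[time] = None            # start of permitted logon window
    valid_until: Optional[time] = None           # end of permitted logon window
    max_hours_per_day: Optional[float] = None    # total logged-on time allowed
    allowed_sources: List[str] = field(default_factory=list)  # CIDR networks
    max_failed_attempts: int = 3                 # consecutive failures tolerated
    failed_attempts: int = 0
    locked: bool = False
    hours_used_today: float = 0.0


def check_logon(acct: Account, now: datetime, source_ip: str,
                password: str) -> Tuple[bool, str]:
    """Return (granted, reason).  The restrictions are checked before the
    password, so a blocked account, time or workstation never gets as far
    as password verification."""
    if acct.locked:
        return False, "account blocked after too many failed attempts"
    if acct.valid_from is not None and acct.valid_until is not None:
        if not (acct.valid_from <= now.time() <= acct.valid_until):
            return False, "outside permitted logon hours"
    if acct.max_hours_per_day is not None and acct.hours_used_today >= acct.max_hours_per_day:
        return False, "daily logon time used up"
    if acct.allowed_sources:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(net) for net in acct.allowed_sources):
            return False, "logon not permitted from this workstation"
    if not hmac.compare_digest(hash_password(password), acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= acct.max_failed_attempts:
            acct.locked = True          # an administrator must unblock it
            return False, "wrong password; account now blocked"
        return False, "wrong password"
    acct.failed_attempts = 0            # a successful logon resets the counter
    return True, "logon granted"


def record_session(acct: Account, start: datetime, end: datetime) -> float:
    """Add a completed session to today's total and return the new total."""
    acct.hours_used_today += (end - start).total_seconds() / 3600.0
    return acct.hours_used_today


def sample_accounts() -> Dict[str, Account]:
    """Constructed accounts: a temporary student account valid for a four-hour
    afternoon class, and an administrator limited to the 196.57.0.0/16 LAN."""
    return {
        "student01": Account("student01", hash_password("Cl4ss-Pass!"),
                             valid_from=time(13, 0), valid_until=time(17, 0),
                             max_hours_per_day=4),
        "netadmin": Account("netadmin", hash_password("Adm1n-S3cret!"),
                            allowed_sources=["196.57.0.0/16"]),
    }


if __name__ == "__main__":
    accts = sample_accounts()
    print(check_logon(accts["student01"], when("2024-06-03 09:00"), "196.57.3.4", "Cl4ss-Pass!"))
    for guess in ("guess1", "guess2", "guess3"):
        print(check_logon(accts["netadmin"], when("2024-06-03 10:00"), "196.57.1.1", guess))
```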
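The password tips above, turned into the check an administrator could run when a user picks a new password (no manufacturer defaults, no familiar information, no dictionary words, longer than eight characters, letters plus numbers plus special characters, mixed case, no reuse, and a change at least every 60 days). This is an added example, not code from the manual or from any NOS; the default-password set, the word list, the sample user details and the salt are constructed, and a real system would load a full dictionary and a random per-user salt.

```python
"""Password policy checks (added example; not code from the manual or from
any NOS).  Encodes the guidelines in the text: no defaults, no familiar
information, no dictionary words, longer than eight characters, letters plus
numbers plus special characters, mixed case, no reuse, change every 60 days.
The default set, word list, sample user details and salt are constructed."""
import hashlib
from datetime import date
from typing import Dict, List

MAX_PASSWORD_AGE_DAYS = 60
MIN_LENGTH = 9                          # "longer than eight characters"
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed: defaults a manufacturer might ship, and a tiny word list.
DEFAULT_PASSWORDS = {"1234", "admin", "password", "changeme"}
DICTIONARY = {"password", "secret", "welcome", "dragon", "letmein", "summer",
              "horse", "battery", "nakuru", "kabarak"}

SALT = b"example-salt"   # constructed; a real system uses a random per-user salt


def hash_password(password: str) -> str:
    """Salted, slow hash so a stolen password file cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000).hex()


def familiar_tokens(user_info: Dict[str, str]) -> List[str]:
    """Pieces of personal data (name parts, pet's name, user ID, digits of a
    birth date or phone number) that must not appear in the password."""
    tokens = []
    for value in user_info.values():
        for part in value.lower().split():
            if len(part) >= 3:
                tokens.append(part)
        digits = "".join(ch for ch in value if ch.isdigit())
        if len(digits) >= 4:
            tokens.append(digits)
    return tokens


def check_password(candidate: str, user_info: Dict[str, str],
                   history: List[str], device_model: str = "") -> List[str]:
    """Return the list of guideline violations (an empty list means acceptable).
    `history` holds hashes of the user's previous passwords."""
    problems = []
    lowered = candidate.lower()
    if lowered in DEFAULT_PASSWORDS or (device_model and lowered == device_model.lower()):
        problems.append("default")
    if any(tok in lowered for tok in familiar_tokens(user_info)):
        problems.append("familiar")
    if any(word in lowered for word in DICTIONARY if len(word) >= 4):
        problems.append("dictionary")
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("no_letter_digit_mix")
    if not any(c in SPECIAL for c in candidate):
        problems.append("no_special")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("no_mixed_case")
    if hash_password(candidate) in history:
        problems.append("reused")
    return problems


def password_expired(last_changed: str, today: str) -> bool:
    """True when a password (ISO dates) is older than the 60-day limit."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > MAX_PASSWORD_AGE_DAYS


def sample_user() -> Dict[str, str]:
    """Constructed personal details for the checks above."""
    return {"name": "Jane Doe", "user_id": "jdoe", "pet": "Fluffy",
            "birth_date": "1990-04-12", "phone": "0712 345 678"}


if __name__ == "__main__":
    user = sample_user()
    for pw in ("1234", "Fluffy2010", "Dragon!2024x", "Tr7!kQ2m-zp9"):
        print(f"{pw:15} {check_password(pw, user, []) or 'OK'}")
    print("expired after 61 days:", password_expired("2024-01-01", "2024-03-02"))
```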
The purpose of encryption is to keep information private. Many forms of encryption exist, with some being more secure than others. Even as new forms of encryption are developed, new ways of cracking their codes emerge too. Encryption is the last means of defense against data theft. In other words, if an intruder has bypassed all other methods of access, including physical security (for instance, he has broken into the telecommunications room) and network design security (for instance, he has defied a firewall's packet-filtering techniques), data may still be safe if it is encrypted. Encryption can protect data stored on a medium, such as a hard disk, or in transit over a communications channel. To protect data, encryption provides the following assurances:
- Data was not modified after the sender transmitted it and before the receiver picked it up.
- Data can only be viewed by its intended recipient (or at its intended destination).
- All of the data received at the intended destination was truly issued by the stated sender and not forged by an intruder.

Practical Activities

Server Installation

Planning for installation

When installing and configuring an NOS, you must create a plan for your server and its place in your network before you insert the installation CD. You need to consider many factors, including organizational structure, server function, applications, number of users, LAN architecture, and optional services (such as remote access) when developing this plan. After you have installed and configured the NOS, changing its configuration may prove difficult and cause service disruptions for users. To begin, first ensure that your server hardware meets the NOS version's server requirements. Next, you must prepare answers to the following list of critical pre-installation decisions.

How many, how large, and what kind of partitions will the server require? Windows 2000 Server, for instance, must be installed on a single partition.
When you install it, you will have a choice of:
- Creating a new partition on a non-partitioned hard disk.
- Creating a new partition on a partitioned hard disk.
- Installing Windows 2000 Server on an existing partition.
- Removing an existing partition and creating a new one for installation.
The option you choose will depend on how your server is currently partitioned, whether you want to keep data on existing partitions, and how you want to subdivide your server's hard disk. If you know the number and size of the partitions you need (for example, on a 16-GB hard disk you might want to create a 6-GB system partition and a 10-GB data partition), it is best to create them during installation.

What type of file system will the server use? Recall that the optimal file system for a Windows Server 2003 computer is NTFS; choose NTFS unless your applications require a different file system. NTFS must be used if you intend to use Active Directory and the domain model for centralized resource and client management.

What will you name the server? You may use any name that includes a maximum of 15 characters, and that includes numerals, letters, and hyphens but no periods, spaces or other special characters (e.g. ? or =). Choose a practical, descriptive name that distinguishes the server from others and that is easy for you and your users to remember. For example, you might use geographical server names, such as Kabarak or Nakuru. Alternatively, you might name servers according to their function, such as Marketing or Research. The marketing server in the Kabarak domain might be called Mktg-Kabu.

Which protocols and network services should the server use? Before you begin installing the server, you need to know which protocol (or protocols) your network requires. In Windows 2000 Server, TCP/IP is the default protocol, and depending on your circumstances, you should probably leave it as such.
If your server runs Web services or requires connectivity with UNIX, Linux, or Mac OS X server systems, you must run TCP/IP. If your Windows 2000 server must communicate with an older NetWare server that relies on IPX/SPX, you should also install the NWLink IPX/SPX Compatible protocol and Gateway Services for NetWare. For communication with Macintosh computers running the AppleTalk protocol, you need to install AppleTalk.

What will the Administrator password be? Use a strong password, in other words one that is difficult to crack. In Windows Server 2003, network administrators can require users to choose stronger passwords than ever, which means, among other things, that passwords must include a mix of different characters, including numbers, uppercase letters, lowercase letters, and special characters (such as *, &, @ and so on), and they cannot contain any part of the user's name, nor can they resemble any known English word. The strongest passwords are also the longest. The Administrator password should meet the most stringent criteria.

Should the network use domains or workgroups, and if so, what will they be called? First decide whether your network will use workgroups or domains. During installation you will be asked whether the server should join an existing workgroup, be a new workgroup server, or join an existing domain. As you learned, in a workgroup situation, computers share network access in a peer-to-peer fashion. It is more likely that your environment will require domains, in which the security for clients and resources is centralized. If the server will be joining an existing domain, you must know the domain name, domain controller name, and the DNS server name. Domain names should describe the logical group of servers and users they support. You may use any name that includes numerals, letters, and hyphens, but no spaces, periods, or other special characters (for example, ? or =). Popular schemes for naming domains incorporate geography and function into the names.
For example, in a domain model for a WAN spanning several towns, you might want to name your domains Kaba, Naku, Keri, and so on. In a very large organization, you might want to use a less limiting convention. For example, if your company's business is chemical production, you might want to name your domains Hydrocarbons, Resins, Solvents, and so on.

Will the server support additional services? During installation, you will be asked to choose which services your server will support. Of course, you must install certain protocols and network services in order for clients to access the server. You may also want to install optional services, such as Remote Installation Services, Terminal Server, Windows Media Services and Management and Monitoring Tools. Although it's easiest to include additional services during the original installation, they can be added later as well.

Which licensing mode will you use? You may choose one of two licensing modes: per seat or per server. Per server licensing allows a limited number of clients to access the server simultaneously. (The actual number is determined by your Windows Server 2003 purchase.) In per server mode, any of your organization's clients may be capable of connecting to the server, but the number of concurrent connections is restricted. Per server mode is a popular choice in organizations that have a limited number of servers and many users, or where multiple users share workstations (for example, a mail-order catalog's call center). The per seat mode requires a license for every client capable of connecting to the Windows Server 2003 computer. In environments that include multiple Windows Server 2003 computers and in which each user has his own workstation, this choice is probably more economical than per server licensing.
If you are running Windows Server 2003 as a Web or FTP server for anonymous clients (for example, Internet users from anywhere in the world), you do not need separate Windows Server 2003 client licenses for these types of clients.

How can I remember all of this information? As you make these pre-installation decisions, you should note your choices on a server installation form and keep the form with you during installation. The preceding list describes only the most significant installation options. You should also be prepared to:
- Read and accept the license agreement.
- Identify your organization.
- Provide your Product Key (which can be found on the jacket of your Windows Server 2003 CD-ROM).
- Select the appropriate time and date.
- Specify display settings.
- Identify and supply drivers for hardware components, such as video cards, NICs, printers, and so on.
If you are upgrading a server that currently runs an older Windows NOS, such as Windows NT or Windows 2000 Server, you will have to follow a special upgrade process, as described in the Microsoft documentation. The following section walks you through a new Windows Server 2003 installation.

Installing and Configuring a Windows Server 2003 Server

After you have devised a plan for your Windows Server 2003 installation, you can begin the actual installation process. In this section, you will learn about the available options and the decisions you must make when installing and initially configuring your Windows Server 2003 server.

The installation process

You can install Windows Server 2003 from a CD-ROM or remotely over the network. If you use the network method, be aware that this type of installation generates a high volume of network traffic and shouldn't be performed while clients are attempting to use the network. You also have the choice of performing a Windows Server 2003 installation in attended or unattended mode.
The term "attended mode" simply means that someone is at the computer responding to installation prompts as they appear. Unattended mode relies on a pre-programmed script (which can be customized for different environments) to answer installation prompts. This mode removes the need for a network administrator to be present during server installation. However, creating the script requires forethought and preparation.

Now that you understand the variables and considerations for a Windows Server 2003 installation, you are prepared to install the NOS. The following is a summary of the process, which assumes an attended installation using a CD-ROM (in other words, somebody will be responding to prompts, rather than allowing a script to respond to prompts automatically). It represents a typical, simple installation for a small or home office. The options you choose and the prompts you see during installation will depend on your network environment and your pre-installation decisions. The time your installation requires will also depend on the options you choose, in addition to your server's processor speed and amount of memory.

Insert the Windows Server 2003 CD-ROM in your server's CD-ROM drive and restart the server (making sure your computer is configured to boot from a CD-ROM). After booting, you may be prompted to press any key to install Windows Server 2003. After you press a key, the Windows Setup screen appears and installation will proceed with prompts to:
- Inspect your hardware and load appropriate hardware drivers and other files.
- Display the Windows Licensing Agreement, which you should read and then press the F8 key to accept if you want to continue.
- Search the hard disk to determine whether any previous versions of Windows are installed.
- Scan the hard disk to assess how many partitions and what types of partitions are available.
- Select a partition for the Windows Server 2003 installation (at this point, you may also create a new partition or delete an existing partition).
- Format the disk partition you selected.
- Copy files to the Windows installation folders on the hard disk.
After the Windows installation files are copied to your server's hard disk, the setup process has finished preparing your computer for the Windows Server 2003 installation. Your computer restarts and returns to a graphical user interface screen. During the next part of the process, you are prompted to:
- Customize regional and language options, which include how numbers should be formatted and what languages you want Windows Server 2003 to support.
- Personalize your software by entering your name and your organization's name.
- Enter the 25-character product key that appears on your CD-ROM folder.
- Select the licensing mode you want to use: either per server, per device, or per user.
- Assign a name to your server and enter (and confirm) the password associated with the Administrator user account.
- Enter modem dialing information.
- Choose date and time settings.
- Choose whether the server is part of a workgroup or a domain.
After gathering the preceding information, the setup program installs and registers the components you've selected, installs Start menu items, saves settings, and removes the temporary files created during installation. Then, your system restarts (or prompts you to click Finish to restart). Finally, you can log on to the server using the Administrator user name and password.

Network Administration

Configuration for Active Directory

Additional accounts that you create may be local accounts, those that only have rights on the server they are logged on to, or domain accounts, those that have rights throughout the domain. To create domain accounts, you must have Active Directory installed and your domains properly configured. Active Directory is not installed by default when you install Windows Server 2003.
To install Active Directory, click Start, and then click Manage Your Server. From the Manage Your Server window, click Add or remove a role, and then select Domain Controller (Active Directory) from the list of server roles that the Configure Your Server Wizard offers. The Active Directory Installation Wizard will lead you through the process of making the computer a domain controller.

Creating User Accounts and Groups

The following exercise assumes that Active Directory is installed on your Windows Server 2003 computer and that domains have already been configured. To create a domain user account:
1. Make sure you are logged on as Administrator.
2. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers snap-in opens.
3. Double-click the Active Directory container in which you want to create the new user. This may be a domain or an OU.
4. Right-click the Users folder, point to New on the shortcut menu, and then click User. The New Object - User dialog box opens, as shown in Figure 8-18.
5. Type the user's last and first name in the appropriate text boxes. You then see the user's full name in the Full name text box.
6. Enter a user name in the User logon name text box. This name uniquely identifies the user in a domain or forest. The domain name is provided automatically. Click Next to continue.
7. In the New Object - User dialog box shown in Figure 8-19, enter a password for the user. Enter a strong password (one that consists of at least 10 characters, cannot be found in the dictionary, and contains numbers, letters and special characters). Re-type the password in the Confirm password text box. You may also select from four additional options: User must change password at next logon, User cannot change password, Password never expires, or Account is disabled.
It's a good policy to force the user to pick a new password the first time they log on, so that they have a password that is meaningful to them and so that you as the network administrator don't know their password. It is also a good policy to allow the password to periodically expire. With this in mind, make certain that the first option, User must change password at next logon, is checked, and then click Next.
8. The next New Object - User window displays the information you have entered. Click Finish to complete the creation of a new domain user account.

After you have created a new user, you can configure the properties associated with his account, including his address, telephone number, and e-mail address, his rights to use remote access, his position in the organization, his group memberships, what hours of the day he may log on to the network, and so on. To modify user account properties, you can use the Active Directory Users and Computers snap-in. In the snap-in window, double-click the user account in the right-hand pane. The user Account Properties dialog box opens, with multiple tabs that represent different categories of attributes you may change.

Before you add many users, you will probably want to establish groups into which you can collect user accounts. But before creating a group, you must know what type of scope the group will have. The group's scope identifies how broadly across the Windows Server 2003 network its privileges can reach. The possible scopes are domain local, global, or universal. A domain local group is one that allows its members access to resources within a single domain. Domain local groups are used to control access to certain folders, directories, or other resources. They may also contain global groups. A global group allows its members access to resources within a single domain also.
However, a global group usually contains user accounts and can be inserted (or nested) into a domain local group to gain access to resources in other domains. A universal group is one that allows its members access to resources across multiple domains and forests.

To create a group in Windows Server 2003:
1. Make sure you are logged on as Administrator.
2. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers snap-in starts.
3. Double-click the Active Directory container in which you want to create the new group. This may be a domain or an OU.
4. Click Action on the menu bar, click New, and then click Group. The New Object - Group dialog box appears, as shown in Figure 8-20.
5. In the New Object - Group dialog box, enter the name of the group in the Group name text box. In case you are using Windows NT servers on your network, the Group name (pre-Windows 2000) text box is automatically completed.
6. Choose the group scope: Domain local, Global, or Universal.
7. Select the type of group you want to create: Security or Distribution. A security group is the type you would use to grant a group of users privileges to shared resources, whereas distribution groups are used solely for sending e-mail messages to a group of users through mail server software such as Microsoft Exchange Server. After you have made your selection, click OK to finish creating the new group.

Modifying the properties of a group account is similar to modifying the properties of a user account. To modify the properties of your newly created group, double-click the group in the right panel of the Active Directory Users and Computers snap-in window. This opens the group's Properties dialog box, which contains four tabs: General, Members, Member Of, and Managed By.
Through this dialog box, you can add user accounts to the group, make the group a member of another group, and specify which user account will manage the group. As mentioned earlier, users and groups are virtually useless unless they have some rights to the server's data and system directories.

Sharing Applications

Suppose you want to assign the role of file server to a newly installed Windows Server 2003 computer. In that case, you would follow these steps:
1. If the Manage Your Server window is not open, click Start, and then click Manage Your Server. The Manage Your Server window opens.
2. Click Add or remove a role. The Configure Your Server Wizard window opens, reminding you to make sure that all of the server's peripherals are installed, that it is connected to the network and to the Internet, if Internet access is desired, and that you have the Windows Server 2003 installation CD handy.
3. Click Next to continue.
4. The Configure Your Server Wizard detects your network connection settings. Then, it prompts you to select the server's role from a list of possibilities.
5. Click File server, then click Next to continue.
6. The Configure Your Server Wizard prompts you to set default disk quotas (a limit on how much of the server's hard disk space a user's personal files can occupy) for new users, if desired. After you have made your choice, click Next to continue.
7. Next, you are prompted to choose whether you want to enable the File Server Indexing Service, which allows users to search indexed files for specific words or characters. (By default, the indexing service is turned off.) After making your selection, click Next to continue.
8. Finally, you are presented with a summary of your selections. Confirm that the selections are correct, and then click Next to continue.
9. The Share a Folder Wizard appears, prompting you to establish shared folders on the server. Click Next to continue.
10. Specify a folder path for the folder you want to share.
For example, you might want to share the folder called "C:\Documents and Settings\All Users\Documents". Then click Next to continue.
11. You are prompted to name the share you have just created and, if you desire, to provide a description. For example, you could name the share "Public documents" and enter a description of "A directory available for file sharing among all users." Click Next to continue.
12. The Share a Folder Wizard prompts you to indicate users' permissions to the folder. The default selection allows users read-only access to files in the folder, as shown in Figure 8-17. ("Read-only access" means that users can view data files and execute program files within a folder, but they cannot modify, delete, or add files.) If you want users to be able to save files to the folder, you could choose "Administrators have full access; other users have read and write access". Click Finish to continue.
13. The next screen announces that "Sharing was successful". Click Close to close the Share a Folder Wizard.
14. The Configure Your Server Wizard announces that "This server is now a file server." Click Finish to close the wizard.
15. You have now made it possible for users to share files on this server.

COMP312 Assignment
A new graphics and design company, "Pentagon Designs", is setting up a complement of computer systems, ready for their official business launch in around two months' time. It is your task as an employee of "Universal Network Co." to design and specify a fully networked, site-wide system (see building plan attached). You will need to identify the possible needs of each department listed on the plan and include designs for:
- One computer system per employee, which should be specified according to their job needs. The computer systems must be designed part-by-part by you. Just show ONE example system per department.
- One file server and one backup server per department area, also designed by you.
You will also need to specify:
- cabling;
- additional hardware, such as routers and repeaters, that you deem necessary;
- operating systems software and any required networking software, ensuring that any licensing requirements are met (there is no need to specify applications software);
- network backup software, firewall and virus protection software where you feel it is appropriate.
You should also produce a reproduction of the building plan showing any necessary connecting cabling, to allow engineers to lay cabling across the site. You may use any one, or sensible combinations, of network topologies that you feel appropriate. As a responsible employee of "Universal Network Co.", dedicated to the best value for money for your clients, you need to ensure that your specifications are based on performance.
Note: You must include well-researched and well-referenced material to back up the decisions made in the above specifications, especially in the areas of network topologies, network security and the network hardware you have chosen.

SITE BUILDING PLAN – SHOWING DEPARTMENTS
Personnel:
- 20 Graphics Designers
- 2 Security Guards
- 3 Accountants
- 7 Secretarial/Typing
- 4 Technicians/Stores
- 1 Managing Director
- 1 Receptionist/PA to Managing Director
A door is marked on the plan.
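The two Windows Server procedures above (creating a security group, and sharing a folder with the wizard) done from PowerShell on a current Windows Server, as an added example that is not part of the manual; it assumes the ActiveDirectory and SmbShare modules are installed, and the OU, domain name, folder, group and user names are placeholders.

```powershell
# Added example, not from the manual. Assumes the ActiveDirectory and
# SmbShare modules are present; every name below is a placeholder.
Import-Module ActiveDirectory
Import-Module SmbShare

$ou    = 'OU=FileServices,DC=example,DC=local'   # placeholder container
$path  = 'C:\Shares\PublicDocuments'             # placeholder folder
$share = 'Public documents'

# 1. Create a *security* group (a distribution group cannot carry
#    permissions). The global group holds the user accounts ...
New-ADGroup -Name 'Documents-Editors' -SamAccountName 'Documents-Editors' `
    -GroupCategory Security -GroupScope Global -Path $ou `
    -Description 'Users allowed to add and change files in Public documents'

# ... and is nested into a domain local group, which is what gets placed
#     on the resource (the global -> domain local pattern described above).
New-ADGroup -Name 'FS1-PublicDocs-Change' -SamAccountName 'FS1-PublicDocs-Change' `
    -GroupCategory Security -GroupScope DomainLocal -Path $ou
Add-ADGroupMember -Identity 'FS1-PublicDocs-Change' -Members 'Documents-Editors'
Add-ADGroupMember -Identity 'Documents-Editors'     -Members 'jsmith'  # placeholder user

# 2. Share the folder. Instead of "other users have read and write access",
#    grant read to all domain users, change rights only to the domain local
#    group, and full control only to administrators.
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
New-SmbShare -Name $share -Path $path `
    -Description 'A directory available for file sharing among all users' `
    -ReadAccess   'EXAMPLE\Domain Users' `
    -ChangeAccess 'EXAMPLE\FS1-PublicDocs-Change' `
    -FullAccess   'EXAMPLE\Domain Admins'

# 3. Verify: the Members tab, the Member Of tab, and the share's actual ACL.
Get-ADGroupMember -Identity 'Documents-Editors' | Select-Object Name, objectClass
Get-ADPrincipalGroupMembership -Identity 'Documents-Editors' | Select-Object Name
Get-SmbShareAccess -Name $share |
    Format-Table AccountName, AccessControlType, AccessRight
```

Share permissions combine with the folder's NTFS permissions and the more restrictive of the two applies, so the NTFS ACL on the folder must also grant the group Modify rights for the change access to take effect.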
