Sunday, April 18, 2010

23.Kerberos

Kerberos is a cross-platform authentication protocol that provides mutual authentication of users and services in a secure manner. Kerberos v5 is the current version of the protocol. The protocol ensures the integrity of data as it is transmitted over the network. It is widely used on other major operating systems as well, such as Unix and Cisco IOS, and the authentication process is the same in every operating system environment.

The Kerberos protocol is built upon symmetric key cryptography and requires a trusted third party. Kerberos relies on a Key Distribution Center (KDC), usually a network server, that issues encrypted keys and tokens (tickets) used to authenticate a user or a service. The tickets carry a timestamp and expire as soon as the user or the service logs off. The following steps are carried out to complete the authentication process:
1. The client presents its credentials to the KDC for authentication by means of a username and password, a smart card, or biometrics.
2. The KDC issues a Ticket Granting Ticket (TGT) to the client. The TGT is associated with an access token that remains active for as long as the client is logged on. The TGT is cached locally and reused later while the session remains active.
3. When the client needs to access a resource server, it presents the cached TGT to the KDC, and the KDC grants a session ticket to the client.
4. The client presents the session ticket to the resource server, which then grants the client access to its resources.

The TGT remains active for the entire active session. Kerberos is heavily dependent on synchronization of clocks on the clients and servers. Session tickets granted by the KDC to the client must be presented to the server within the established time limits; otherwise, they may be discarded.
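As an added illustration (not code from the original post), the four steps above modelled in Python: a toy KDC issues a TGT the client cannot read, then a service ticket, and the resource server accepts the ticket only with a fresh authenticator inside the clock-skew window. The stand-in cipher (SHA-256 keystream plus HMAC tag), the principal names, password, ticket lifetime and 5-minute skew limit are all constructed assumptions, not real Kerberos encryption types or defaults.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300               # seconds; constructed limit showing why clocks must agree
TICKET_LIFETIME = 8 * 3600   # constructed; tickets expire with the session


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object; stands in for Kerberos' encryption types."""
    nonce, plaintext = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("ticket or authenticator failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def key_from_password(password):
    return hashlib.sha256(password.encode()).digest()   # real Kerberos uses a salted KDF


def check_fresh(timestamp, now):
    """Authenticators carry the client's clock; reject them outside the skew window."""
    if abs(now - timestamp) > MAX_SKEW:
        raise PermissionError("authenticator timestamp outside allowed clock skew")


class KDC:
    def __init__(self, long_term_keys):
        self.keys = long_term_keys         # principal name -> long-term key
        self.tgs_key = os.urandom(32)      # known only to the KDC; clients never see it

    def as_exchange(self, client, now):
        """Steps 1-2: issue a TGT; the client can read only its own session-key part."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session,
                                  "expires": now + TICKET_LIFETIME})
        return tgt, seal(self.keys[client], {"session": session})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """Step 3: cached TGT plus a fresh authenticator in, service ticket out."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired; the client must log on again")
        session = bytes.fromhex(t["session"])
        check_fresh(unseal(session, authenticator)["ts"], now)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session": svc_session,
                                           "expires": t["expires"]})
        return ticket, seal(session, {"session": svc_session})


def service_accepts(service_key, ticket, authenticator, now):
    """Step 4: the resource server needs no KDC round trip; ticket + authenticator suffice."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    auth = unseal(bytes.fromhex(t["session"]), authenticator)
    check_fresh(auth["ts"], now)
    if auth["client"] != t["client"]:
        raise PermissionError("authenticator principal does not match the ticket")
    return t["client"]


ENROLLED_PASSWORD = "correct horse battery"   # constructed: alice's password at the KDC


def login_and_access(typed_password, client_clock, server_clock):
    """Run the whole flow; returns the principal the file server authenticated."""
    keys = {"alice": key_from_password(ENROLLED_PASSWORD), "fileserver": os.urandom(32)}
    kdc = KDC(keys)
    tgt, enc_part = kdc.as_exchange("alice", server_clock)
    # A wrong password yields the wrong key, so the client cannot open its part.
    session = bytes.fromhex(unseal(key_from_password(typed_password), enc_part)["session"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(session, {"client": "alice", "ts": client_clock}),
                                    "fileserver", server_clock)
    svc_session = bytes.fromhex(unseal(session, enc2)["session"])
    authenticator = seal(svc_session, {"client": "alice", "ts": client_clock})
    return service_accepts(keys["fileserver"], ticket, authenticator, server_clock)


def outcome(typed_password, client_clock, server_clock):
    """Same flow, but reports denial as None instead of raising."""
    try:
        return login_and_access(typed_password, client_clock, server_clock)
    except PermissionError:
        return None
```

Shifting the client clock by more than the skew limit, or typing the wrong password, is refused without the KDC ever seeing the password itself.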

22.Remote Authentication Dial-in User Service (RADIUS)

RADIUS is used to provide centralized authentication for remote users connecting to the internal network of an organization through simple dial-up, VPN, or wireless connection. When a remote user needs access to the internal resources of an organization, he must provide his credentials to the Network Access Server (NAS). The NAS, in turn, sends the user’s credentials to the RADIUS server for authentication. If the RADIUS server authenticates the user, the connection request is accepted; otherwise, it is refused.

A RADIUS server can either work as a standalone server to authenticate all connection requests coming from outside users, or it can be part of a distributed RADIUS setup. Larger organizations deploy multiple RADIUS servers to distribute the authentication load among them. RADIUS servers support several popular protocols such as PAP, PPP, CHAP, and EAP. When a remote or wireless user sends a connection request, the RADIUS authentication process takes place as follows:
1. When the user attempts to connect to the RAS server, he is asked to supply his credentials, which in most cases are the username and password.
2. The RAS server encrypts the credentials of the user and forwards the request to the RADIUS server.
3. The RADIUS server makes an attempt to verify the user’s credentials against a database.
4. If the user’s credentials match those stored in the centralized database, the server responds with an access-accept message. If the user’s credentials do not match the stored credentials, the server sends an access-reject message.
5. The RAS server acts upon receipt of the access-accept or access-reject message and grants or denies a connection to the remote user accordingly.
6. If the connection is granted, the RADIUS server may also be configured to automatically assign an IP address to the remote client.
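The six steps above as a Python model of the RFC 2865 wire format (an added example, not code from the original post): the NAS hides the password under the shared secret and a random Request Authenticator, the server checks it against a user database and answers Access-Accept with a Framed-IP-Address or Access-Reject, and the NAS verifies the Response Authenticator before trusting the answer. The shared secret, the user database, the address pool and the packet identifier are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8


def attr(atype, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with an MD5 chain keyed by the secret."""
    pw = password.encode()
    pw += b"\x00" * ((16 - len(pw) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(pw[i:i + 16], block))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


class RadiusServer:
    def __init__(self, secret, users, address_pool):
        self.secret, self.users, self.pool = secret, users, list(address_pool)

    def handle(self, packet):
        """Steps 3, 4 and 6: verify against the database, answer, optionally assign an IP."""
        code, ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length != len(packet):
            raise ValueError("not a well-formed Access-Request")
        request_auth, attrs = packet[4:20], parse_attrs(packet[20:])
        user = attrs.get(USER_NAME, b"").decode()
        password = reveal_password(attrs.get(USER_PASSWORD, b""), self.secret, request_auth)
        if self.users.get(user) == password:
            code = ACCESS_ACCEPT
            reply = attr(FRAMED_IP_ADDRESS, socket.inet_aton(self.pool.pop(0)))
        else:
            code, reply = ACCESS_REJECT, b""
        auth = response_authenticator(code, ident, request_auth, reply, self.secret)
        return build_packet(code, ident, auth, reply)


def nas_login(server, secret, user, password):
    """Steps 1, 2 and 5 on the NAS: send the request, check the reply's authenticator."""
    ident, request_auth = 7, os.urandom(16)           # constructed identifier
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    reply = server.handle(build_packet(ACCESS_REQUEST, ident, request_auth, attrs))
    code, reply_id, _ = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, reply_id, request_auth, reply[20:], secret)
    if reply_id != ident or not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("reply failed the Response Authenticator check; do not trust it")
    ip = parse_attrs(reply[20:]).get(FRAMED_IP_ADDRESS)
    return code == ACCESS_ACCEPT, (socket.inet_ntoa(ip) if ip else None)
```

A NAS configured with a different shared secret from the server fails the authenticator check rather than acting on a reply it cannot verify.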

21.Authentication Protocols

Authentication is the process of verifying the credentials of a user. In the case of remote access, the user connecting remotely must present one or more sets of credentials to get access to the Remote Access Server. Once the Remote Access Server authenticates the user, further access to network resources is governed and limited by the permissions set on those resources that apply to the remote user.

The following are commonly used authentication protocols for remote access:
Challenge Handshake Authentication Protocol (CHAP)
The CHAP authentication protocol is very commonly used for remote access. When the remote link is established, the user is sent a challenge text. The remote user responds with a value computed by hashing the shared secret together with the challenge using the MD5 hashing algorithm, so the secret itself is never transmitted. The user is authenticated only if the response matches the value computed from the secret stored on the Remote Access Server. CHAP periodically re-verifies the identity of the user by sending challenge text at random times during the connection.
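The CHAP exchange just described, as an added Python example that is not part of the original post: the server issues a challenge with a fresh identifier, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 specifies, a used challenge is discarded so a captured response cannot be replayed, and the session is re-challenged several times. The peer name, secret and number of re-challenges are constructed values.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 s4.1: Response Value = MD5(Identifier + secret + Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: holds the shared secret per peer and the challenges still open."""

    def __init__(self, secrets):
        self.secrets = secrets       # peer name -> shared secret (bytes)
        self.pending = {}            # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256   # new identifier per challenge
        self.pending[self.identifier] = os.urandom(16)
        return self.identifier, self.pending[self.identifier]

    def verify(self, identifier, peer, response):
        challenge = self.pending.pop(identifier, None)  # one use only: blocks replay
        secret = self.secrets.get(peer)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, challenge))


def simulate_session(server_secrets, peer, peer_secret, rechallenges=3):
    """Initial handshake plus periodic re-verification; False at the first failure."""
    auth = ChapAuthenticator(server_secrets)
    for _ in range(1 + rechallenges):
        ident, chal = auth.challenge()
        if not auth.verify(ident, peer, chap_response(ident, peer_secret, chal)):
            return False
    return True
```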

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
MS-CHAP is Microsoft’s implementation of the CHAP authentication protocol used on Windows systems. It is a password-based authentication mechanism that is more secure than CHAP. The original MS-CHAP (version 1) supports only one-way authentication. MS-CHAPv2 supports two-way authentication, in which both client and server authenticate each other using encrypted passwords.

Password Authentication Protocol (PAP)
PAP is the oldest and most basic form of authentication in which the username and password are transmitted in clear text over the dial-up network. The transmissions are unencrypted and insecure.

Extensible Authentication Protocol (EAP)
EAP is the most secure of all authentication mechanisms. It enables the use of a variety of encryption methods for remote access, VPN, and wired and wireless LANs. It supports the use of smart cards for secure authentication.

Shiva Password Authentication Protocol (SPAP)
SPAP is used for authentication to Shiva Remote Access Servers. This protocol is more secure than PAP but not as secure as CHAP, MS-CHAP, or EAP.

*Types of Security Protocols

(i)Point-to-Point Tunneling Protocol (PPTP)
PPTP is a popular tunneling protocol used to implement VPNs. It carries a regular PPP session inside the Generic Routing Encapsulation (GRE) protocol, and a separate control connection on TCP port 1723 is used to start and maintain the GRE session.

PPTP is easy to configure and supports Unix, Mac, and Linux as its clients. It is supported on almost all major versions of Microsoft Windows. Due to its low administrative costs, PPTP is the choice of many administrators for VPNs that require medium security. It is commonly used in Microsoft networks, which use Microsoft Point-to-Point Encryption (MPPE) for encrypting data.
Following are some of the limitations of PPTP:
• It cannot be used if the RAS/NAS servers are located behind a firewall.
• It works only in IP networks.
• When used alone, it does not provide encryption for authentication data. Only the transmissions after the initial negotiations are encrypted.
(ii)Layer 2 Tunneling Protocol (L2TP)
L2TP is another tunneling protocol that is widely supported by most vendors in the IT industry. It uses the Data Link layer (Layer 2 of the OSI model) to carry data from one point of the tunnel to another over the Internet. This protocol uses UDP port 1701 for transport. L2TP offers the combined benefits of the PPTP and the L2F (Layer 2 Forwarding) protocol from Cisco. It is considered a major improvement over PPTP, but it still lacks encryption capabilities when used alone. A combination of L2TP and IP Security (IPSec) is generally used to provide secure transmissions for VPN connections. L2TP/IPSec can be used behind firewalls provided UDP port 1701 is opened for incoming and outgoing packets. Besides this, both ends of the communications must support the L2TP/IPSec protocols. Some of the advantages of using the L2TP/IPSec combination over PPTP for implementing VPNs include the following:
• L2TP/IPSec requires two levels of authentication: computer or network hardware authentication and user-level authentication. This provides better authentication security.
• IPSec provides confidentiality, authentication, and integrity for each packet. This helps prevent replay attacks. PPTP provides only data confidentiality.
• IPSec establishes security associations (SA) during the transmission of the user-level authentication process. This ensures that the authentication data is not sent unencrypted. This is an advantage over PPTP in which the user-level authentication is never encrypted.
• L2TP/IPSec supports the use of RADIUS and TACACS+ for centralized authentication, while PPTP does not.
• L2TP/IPSec can be used on top of several protocols such as IP, IPX, and SNA, while PPTP can be used only with IP.
(iii)Internet Protocol Security (IPSec)
IPSec is a standardized framework used to secure Internet Protocol (IP) communications by encrypting and authenticating each IP packet in a data stream. This protocol ensures confidentiality and authentication of IP packets so that they can securely pass over a public network such as the Internet. IPSec is considered to be an “open standard” because it is not bound to a particular application, authentication method, or encryption algorithm. IPSec is implemented at the Network layer (Layer 3 of the OSI model). This makes IPSec independent of application compatibility.

IPSec can be implemented in any of the modes that are described in the next sections.

Transport mode.
When implemented in transport mode, only the payload (the actual message or data) inside the IP packet is encrypted during transmission. The IP header is not encrypted. This results in better transmission speeds. Transport mode is generally implemented in host-to-host communications over VPNs or inside a local area network (LAN).

Tunnel mode.
When implemented in tunnel mode, the entire IP packet is encrypted. This includes the IP header (AH) as well as the data (ESP) (AH and ESP are discussed next). The advantage is that both the IP header and the data inside the IP packet are secured. This comes at the cost of transmission speed. Tunnel mode IPSec is implemented in gateway-to-gateway VPNs.
IPSec components.
IPSec is made up of two distinct security components: Authentication Header (AH) and Encapsulating Security Payload (ESP), described here:
Authentication Header (AH)
The AH protocol secures data or payload by signing each IP packet to maintain its authenticity and integrity.
Encapsulating Security Payload (ESP)
The ESP protocol also ensures authenticity and integrity of data, and adds confidentiality by encrypting the data.

AH and ESP can either be used together or separately. When they are used together, the sender and receiver of data can be assured of complete security.
IPSec authentication.
As noted earlier, IPSec ensures authenticity, integrity, and confidentiality of data. IPSec uses the Internet Key Exchange (IKE) mechanism to authenticate the two ends of the tunnel by providing a secure exchange of shared secret keys before the transmission starts. Both ends of the transmission use a password known as a pre-shared key. During the IKE exchange, each end sends a hashed version of the pre-shared key; the receiving end recreates the hash from its own copy of the key and compares the two. A successful comparison is required to start the transmission.

IPSec can also be used for digital signatures. A digital signature is a certificate issued by a third-party Certificate Authority (CA) to provide authenticity and non-repudiation. Non-repudiation means that the sender cannot deny that he sent the data and can be held responsible for the sent data or message.
(iv)Secure Socket Layer (SSL)
SSL is an encryption protocol popularly used for Internet-based transactions such as online banking and e-commerce. This protocol is based on public key encryption mechanisms. SSL provides end-to-end security for Internet communications by using encryption. In typical implementations, only the server component is required to use public keys for authentication. For example, when you access a secure server on the Internet that uses SSL, the address of the web site begins with https://, while the addresses of unsecure web sites begin with http://. When both the client and the server need to authenticate each other, the SSL communications start with the following steps:
• Both the client and the server negotiate the encryption algorithm.
• The client and the server exchange session keys using public key-based encryption.
• The client and the server authenticate each other using certificates.
• Communications start, and all traffic is encrypted using a symmetric cipher.

The client and the server negotiate a common encryption algorithm and a hashing algorithm. For end-to-end security using SSL, a Public Key Infrastructure (PKI) is required. Both the server and the client must be SSL-enabled to communicate over a secure channel.
(v)Wired Equivalent Privacy (WEP)
WEP is a security protocol used mainly for IEEE 802.11 wireless networks. Because wireless networks communicate using radio signals, they are susceptible to eavesdropping. Eavesdropping refers to the monitoring and capturing of signals as they travel over network media. WEP is designed to provide privacy (confidentiality) comparable to that of a wired network. When sending data over radio frequencies, a WEP-enabled client combines a 40-bit secret key with the data as it passes through an encryption process. The resulting data is called cipher text. On the receiving end, the data is decrypted using the same secret key to recover the plain text.

Initial implementations of WEP used a 40-bit encryption key and were not considered very secure. It was still better than not using WEP at all. Soon, a number of tools appeared that could crack WEP keys. A later version of WEP uses 128-bit encryption keys, which is more secure than the earlier version.
(vi)Wi-Fi Protected Access (WPA)
WPA is used for secure access to wireless networks, and it overcomes many weaknesses found in WEP. It is backward-compatible with wireless devices that support WEP, but its use of larger encryption keys makes it a better choice than WEP. The following are some of the features of WPA:
• It provides enhanced data encryption security by using the Temporal Key Integrity Protocol (TKIP). TKIP scrambles encryption keys using a hashing algorithm. At the receiving end, the hash value of the key is passed through an integrity check to ensure that the key has not been tampered with during transmission.
• WPA uses several variations of Extensible Authentication Protocol (EAP) and public key cryptography.

WPA can also be used in personal mode, also called pre-shared key mode. Each user must know and use a passphrase to access the wireless network. A passphrase is a short text string that is configured on all wireless devices; in other words, it is the secret key shared by all wireless devices on a network. The pre-shared key mode is less secure than the standard mode but allows small offices or home networks to secure wireless transmissions. This is particularly useful for small organizations that cannot afford the cost of implementing PKI.
(vii)802.1x
802.1x is a secure authentication protocol standard used in wired and wireless networks to provide port-based access control. This standard was mainly developed to provide enhanced security to WLANs. 802.1x provides secure point-to-point connection between a WAP and a host computer. This protocol is based on Extensible Authentication Protocol (EAP) and is usually implemented in closed wireless networks to provide authentication. The authentication process uses the following two components:

Supplicant
Supplicant refers to the software component installed on the user’s computer that needs access to a wireless access point.

Authenticator
Authenticator refers to a centralized wireless access point. The authenticator forwards the authentication request to the authentication server, such as a RADIUS server.

When a user (the supplicant) wants access to a wireless network, the 802.1x protocol sends the request to an access point (authenticator). After the communication begins, the supplicant is placed into an unauthorized state. There is an exchange of EAP messages between the authenticator and the supplicant, wherein the authenticator requests the credentials of the supplicant. After receiving the credentials, the authentication request is sent to the authentication server, such as the RADIUS server. The authentication server either accepts the credentials of the supplicant and grants access, or rejects it, thereby rejecting the connection request. If the connection is accepted, the user is placed into an authorized state.

20.Security Protocols

Network security depends on effective use of security protocols. A variety of protocols are available for implementing security in networks, and administrators must select appropriate protocols in order to provide a secure working environment. Some of the commonly used security protocols are covered in this section.

19.Virtual Private Networking

As the name suggests, a Virtual Private Network (VPN) provides a secure means of communication between remote users of an organization, between different locations of an organization, or between distinct organizations. The communication takes place using a public network such as the Internet. VPN provides a cost-effective way to provide connectivity to remote users of the organization. This technology saves costs for those organizations that have a large number of telecommuting employees. These employees can connect to internal resources of the organization from anywhere because of the global availability of the Internet. All employees need to do to connect to the organization’s network is to simply connect to the local ISP. VPN technologies employ secure authentication and data transmission protocols that work by creating a tunnel in the publicly accessible network (the Internet). The tunneling protocols encapsulate authentication and other data within other packets before transmitting them over the Internet.
VPN is composed of the following components:
VPN Client
The remote user who wants to establish a connection to the organization’s network.
VPN Server
A server running the Remote Access Service; it authenticates connection requests from the remote client.
Carrier protocols
These protocols are used by the Internet to transfer data from one point to another over the Internet.

Encapsulating protocols
These protocols are used to wrap the original data before it is transmitted over the Internet. PPTP, L2TP, IPSec, and SSH are examples of encapsulating protocols.

Passenger protocol
This is the original data that is transmitted by the user.

VPN can be implemented in one of the following ways:
Remote Access VPN.
A Remote Access VPN is also known as Private Virtual Dial-up Network (PVDN). This type of VPN provides remote access to remote users over the Internet. The remote user is responsible for creating the tunnel for starting the communication. He dials into the local ISP, which provides Internet connectivity to the user. The user then connects to the secure intranet site of the organization, which is permanently connected to the Internet.
A Remote Access VPN is a great solution for an organization that has a large number of users spread across different locations. By using VPN technologies, organizations can save on costs involved in having users that directly dial in to the organization’s internal network.
Site-to-Site VPN.
A Site-to-Site VPN is established between different offices of the same organization spread across multiple physical locations. This can be a very cost-effective solution because the organization does not have to maintain dedicated wide area network (WAN) connections between physically separated locations. Organizations may choose from software implementations of VPN, such as Microsoft’s Routing and Remote Access Service (RRAS) in Windows Server 2003, or from hardware solutions such as Check Point or SonicWALL. Software-based VPNs require proper planning and secure implementation, as they are prone to the vulnerabilities of the underlying operating system. Hardware implementations are expensive but are generally more secure than their software counterparts.
As noted earlier, VPN essentially depends on a tunneling protocol to successfully and securely transmit data from one location to another using the Internet. The choice of tunneling protocol depends on the solution chosen to implement a VPN. The tunneling process is usually transparent to the end user, who only has to provide appropriate credentials to gain access to the internal resources of the organization. The only requirement is that each end of the tunnel must be able to support the selected tunneling protocol. Commonly used protocols associated with VPN implementations include the following:
• PPTP: Point-to-Point Tunneling Protocol
• L2TP: Layer 2 Tunneling Protocol
• IPSec: IP Security
• SSH: Secure Shell

Friday, April 16, 2010

18.Remote Access Protocols and Services

Remote Access refers to connecting to and accessing the shared resources located on the remote network. All major network and desktop operating systems have built-in support for remote access. There are several different techniques to establish remote access connections. There are also a variety of standards and protocols used for encryption and authentication to provide security for Remote Access Services. In this section, we will take a look at different remote access protocols and services.
(i)Remote Access Service (RAS)
RAS is Microsoft’s implementation of remote access protocols and standards. It is available on all Windows Server operating systems. Microsoft renamed it as Routing and Remote Access Service (RRAS) in Windows 2000 Server and later operating systems. A Remote Access Server is configured to provide connectivity to remote clients that support remote access protocols. This server acts as a gateway for the organization’s internal network. The Remote Access Server authenticates the remote clients before they are allowed access to resources located on other internal servers.

(ii)Serial Line Internet Protocol (SLIP)
SLIP is an older remote access protocol that provides point-to-point connections over TCP/IP using serial connections. It was mainly used on Unix platforms. Security is a main concern with SLIP because all usernames and passwords are transmitted in clear text. It does not support any methods for encryption or secure authentication. Besides this, it does not ensure guaranteed delivery of data because of the absence of any error detection, correction, or packet-sequencing mechanisms. In most major network operating systems, Point-to-Point Protocol (PPP) has replaced SLIP.

(iii) Point-to-Point Protocol (PPP)
PPP is the standard protocol for remote access due to its clear advantages over SLIP and added security features. It is a protocol suite that includes several protocols. It is a cross-platform protocol and works with all major operating system environments, including Windows, Unix/Linux, NetWare, and Mac OS.

PPP allows encryption of remote user credentials during the authentication process. It also allows administrators to select an appropriate LAN protocol for use over the remote connection. Administrators can choose from NetBEUI, NetBIOS, IPX/SPX, AppleTalk, or TCP/IP. PPP supports several protocols for authentication, such as PAP, SPAP, CHAP, MS-CHAP, and EAP. The administrator can configure multiple protocols, depending on the requirements of remote clients.
(iv)PPP Over Ethernet (PPPoE)
PPPoE is a combination of PPP and Ethernet protocols. It encapsulates the PPP information inside an Ethernet frame. This enables multiple users on a local Ethernet network to share the remote connection through a common device. For example, multiple users can share the same Internet connection through the cable modem simultaneously.

Although all users on the Ethernet network share a single physical connection to the remote network, PPPoE allows administrators to configure individual authentication for each user. PPPoE also enables administrators to track connection statistics (such as the connection time) of individual users.

*Types

(i)Digital Subscriber Line (DSL)
DSL is a family of technologies that use ordinary analog telephone lines to provide digital data transmissions. It uses different frequencies for voice and data signals, so the same telephone line can simultaneously be used for phone calls and data transfer. It is commonly used for high-speed Internet access from homes and offices. The different DSL technologies are collectively referred to as xDSL and support data transfer speeds from 128 Kbps to 24 Mbps, as discussed in the following list:

Asymmetrical DSL (ADSL)
ADSL is the most common of all types of DSL variations. The download speed of data is faster than upload speeds. It uses one channel for analog voice (telephone) transmissions, a second for data uploads, and a third for data downloads.

Symmetrical DSL (SDSL)

SDSL supports equal speeds for both data uploads and downloads. It cannot be used for voice transmissions and hence is suitable only for Internet access at offices.

ISDN DSL (IDSL)
IDSL is a variation of symmetric DSL. It does not support analog voice transmissions and is used only in those environments where ADSL and SDSL are not available.

Rate Adaptive DSL (RADSL)
RADSL is a variation of asymmetric DSL that can vary the transfer speeds depending on line conditions. It supports both data and voice transmissions.

High Data Rate DSL (HDSL)
HDSL is a variation of asymmetric DSL that uses twisted copper wires. It supports both data and voice transmissions.

Very High Data Rate DSL (VHDSL)
VHDSL is a symmetric variation of DSL that supports high-speed transmissions. It does not support sharing the line with voice signals.
(ii)Broadband cable
Broadband Internet Access, or simply Broadband, is provided by the cable companies that provide digital cable services. It is a reliable and efficient means of Internet access. Access is provided through a cable modem that further connects to the computer or to other network devices. Low-cost wired or wireless routers are commonly used to share a single broadband connection among several computers in a home or in small offices.

With a cable modem, the user does not have to dial the ISP, and the connection is always live. This might pose a security risk for computers that are used for critical purposes. Most cable modems support bandwidths from 1.5 to 3 Mbps for Internet access. The cable modem usually supports up to 10 Mbps data speeds for the LAN. The actual Internet access speed depends on the utilization of the shared cable signals in the area. The available bandwidth is always shared with other users in the area and may vary from time to time. In the periods of peak usage, the speed may be low compared to the periods when usage is low. Both broadband and baseband are signaling technologies.
(iii)Plain Old Telephone System/Public Switched Telephone Network (POTS/PSTN)
POTS and PSTN are the traditional methods of Internet access. These are dial-up methods; the user has to dial the telephone number of the ISP to authenticate and get Internet connectivity. The telephone line is connected to a modem that is further connected to a serial or USB port of the user’s computer. Most computers have built-in modems that can be directly connected to the telephone line. In case the modem is connected to an external port such as the serial or the USB port, its software driver must also be installed.

POTS and PSTN provide a maximum data transfer speed of 56 Kbps. There are several ISPs that offer dial-up Internet access. Depending on the area in which the user lives, one must be careful while selecting the ISP. Most ISPs provide added features, such as free email accounts and access to newsgroups, and some even offer a small web site for the user.
(iv)Satellite
In such areas where DSL or cable is not available, satellite Internet is the only option for high-speed Internet access. For this reason, it is commonly used in rural areas. The signals travel from the ISP to a satellite and then from the satellite to the user. The data transmission speeds vary from 512 Kbps (upload) to 2 Mbps (download). Major drawbacks of satellite Internet access are that it is expensive, and it offers low transfer speeds compared to DSL and cable.

Satellite Internet access suffers from propagation delays or latency problems. Latency refers to the time taken for the signal to travel from the ISP to the satellite and back to the user. The signals have to travel to a satellite located in the geostationary orbit that is about 35,000 Km away. This means that the signals have to travel approximately 70,000 Km before they reach the user. Latency also depends on atmospheric conditions. This might be a problem for businesses or home users that rely on real-time applications.
(v)Wireless
Wireless networks rely on radio frequencies to communicate instead of the network cabling used for normal computer networks. Radio frequencies create electromagnetic (EM) fields, which become the medium to transfer signals from one computer to another. As you move away from the hub, or the main equipment generating the radio frequency of the wireless network, the strength of the EM field reduces and the signal becomes weak.

Wireless networks defined in IEEE 802.11 standards use radio frequencies with spread spectrum technology. The two spread spectrum technologies are as follows:

Frequency-hopping spread spectrum (FHSS)
This is the method of transmitting RF signals by rapidly switching frequencies according to a pseudorandom pattern that is known to both the sender and the receiver. FHSS uses a large frequency range (83.5 MHz) and is highly resistant to noise and interference.

Direct-sequence spread spectrum (DSSS)
This is a modulation technique used by wireless networks, which uses a wide band of frequency. It divides the signal into smaller parts and then transmits them simultaneously on as many frequencies as possible. DSSS is faster than FHSS and ensures data protection. It utilizes a frequency range from 2.4 GHz to 2.4835 GHz and is used in 802.11b networks.

The most popular of the IEEE 802.11 wireless network standards are 802.11b, 802.11a, and 802.11g. Table 21 gives a brief comparison of the characteristics of different 802.11 standards.

17.Internet Access Technologies

Internet access has become a necessity these days. There is hardly any business that does not have it. In its early days, the Internet was available only through dial-up connections or leased lines. With the advancement of technologies, several new techniques have evolved to access the Internet, including DSL, wireless, satellite, and broadband. This section discusses some of the commonly used Internet access methods.

*Types

(i)Packet switching
In packet switching, the data is split into small segments known as packets. Each packet has a label that contains information such as its source address and destination address. The packets are routed individually on different intermediate nodes. The Internet is the best example of a packet-switched network. Data from the source computer to the destination computer is routed in individual packets that take different routes. Each packet is sent using the best and shortest route.

Packet-switched networks use a routing algorithm to send the individual packets to their destination. Often a route with the shortest path (lowest cost) is selected for a packet. It is very possible that the next packet travels by a different route. The individual packets arrive at the destination in a random order. The destination node waits for all the packets to arrive, checks their sequence numbers, and then reconstructs the information.

(ii)Circuit switching
In circuit-switched networks, a dedicated physical circuit is established before the two nodes can communicate. Each circuit or communication channel is reserved and cannot be used by other nodes until the nodes already using the channel release it. The Plain Old Telephone System (POTS) is an example of a circuit-switched network. An ISDN is another example, where a separate channel is used for control and administrative purposes.
The advantages of circuit switching include reliable connection and guaranteed speed of data transmission. The disadvantage is that resources are wasted due to dedicated physical connections. Circuit switching is different from packet switching in which data is split into packets and sent over a shared network. Packet switching allows several nodes to communicate simultaneously over the same network.

(iii)Integrated Services Digital Network (ISDN)
ISDN is a packet-switched network that is designed to allow transmission of data and voice over the same copper wires used in telephone systems. This results in better quality and higher data transfer speeds than regular dial-up connections. ISDN is actually a set of protocols that define rules for establishing and terminating connections. It also provides several advanced features. At the same time, ISDN requires dedicated telephone lines and therefore is expensive.

As with a regular dial-up connection, an ISDN connection also uses a dial-up telephone number—but these telephone lines are considered leased lines. When the two ends need to communicate, one of them dials the specified ISDN number, and the connection is set up. When the communication between the two nodes is over, the user hangs up and the ISDN line becomes free. Computers using the ISDN line need the special network interface known as the ISDN adapter (or the terminal adapter).

ISDN communications use two types of channels: a bearer channel (B channel) that is used for data (or voice), and a delta channel (D channel) that is used for control signals. There are two main implementations of ISDN as follows:
Basic Rate Interface (BRI)
BRI ISDN uses 2 B channels of 64 Kbps each for data/voice, and a D channel of 16 Kbps. The total data transfer speed of BRI ISDN using two B channels is 128 Kbps. The two B channels can also be used separately with 64 Kbps speed.

Primary Rate Interface (PRI)
PRI ISDN uses 23 B channels of 64 Kbps each for data/voice, and a D channel of 64 Kbps. The total data transfer speed of PRI ISDN is up to 1.544 Mbps. The PRI ISDN is usually carried over dedicated (leased) T1 lines.
(iv)Fiber Distributed Data Interface (FDDI)
FDDI provides data transmissions in local area networks that can extend up to 200 kilometers (124 miles). It is primarily based on the Token Ring protocol and uses the token-passing media access method. Unlike Token Ring topology, FDDI uses two rings for providing fault tolerance. The nodes in an FDDI network are attached to two rings, and the two tokens rotate on the rings, each in the opposite direction. The first ring is used for carrying data while the second ring is used for fault tolerance.
FDDI can support thousands of network nodes spread over wide geographical locations. Due to the increasing popularity of Gigabit Ethernet, FDDI is rarely used in modern networks. The following are some of the main characteristics of FDDI:

• It is resistant to electromagnetic and radio frequency interferences (EMI and RFI).
• It provides fault tolerance because of two rings.
• Fiber optic cables can have a maximum distance of 200 kilometers.
• It has a built-in error-detection mechanism known as beaconing.
• It is very expensive in terms of the cost associated with devices and media.
• It is difficult to implement and maintain.
(v)T-Carrier
The T-carrier lines are high-speed, dedicated digital lines that can carry both data and voice signals. These lines can be leased from the local telephone company. The basic unit of T-carrier lines is the DS0, which has a transmission speed of 64 Kbps and is used for one voice circuit. Although dedicated T lines are expensive, they provide a consistent point-to-point connection between two end systems. The European equivalent of T-carrier is the E-carrier, while in Japan the J-carrier is used. The most common of all T-carriers are T1 and T3 lines, with data transmission speeds of 1.544 Mbps and 44.736 Mbps respectively.
(vi)Optical Carrier (OC)
OC levels describe the range of digital signals (data, voice, and video) that can be carried over SONET. SONET is a fiber optic network developed by Bell Communications. The minimum speed of an optical carrier is 51.84 Mbps, and it can go up to 2.488 Gbps.
Note that the OC levels are expressed as OC-n, where n is a number. The speed of any given OC level is calculated by multiplying the level number n by 51.84 Mbps. For example, the speed of OC-3 is calculated as 3 × 51.84 Mbps, which is equal to 155.52 Mbps.
(vii)X.25
X.25 is a packet-switching WAN technology that uses telephone or ISDN hardware. It works at a maximum data transfer speed of 56 Kbps. It is a globally accepted standard, but is slowly becoming obsolete due to newer and more efficient technologies. Since it is a packet-switching technique, the X.25 network works well when there is congestion on any part: it can route different packets over different routes. The packets are assembled at the destination using special devices known as Packet Assemblers/Disassemblers (PADs). Each end of the X.25 connection is attached to a PAD.

16.WAN Technologies

A wide area network (WAN) consists of two or more interconnected local area networks (LANs). Usually a third party—a telephone company or an ISP—is involved in providing a connectivity solution to the organization that needs to set up a WAN. A WAN can be set up using a dial-up telephone line for low bandwidth requirements, or it may be set up using a high-bandwidth dedicated line. It is also possible to tunnel the WAN connection through the Internet. The following sections describe various technologies used for WAN connectivity.

Wednesday, April 14, 2010

15.IP Addressing

An IP address is a unique address used to identify a computer or a host on the network. This address is a 32-bit number written in dotted decimal notation in the w.x.y.z format. Each group of eight bits is known as an octet or a byte. A part of the IP address is known as the network address, or network ID, and the rest of it is known as the host address, or host ID. These parts are based on the class of IP addresses used on the network. All computers on a particular network must have the same network address, while the host address must be unique on the entire network. A second address, the subnet mask, is used to help identify the part of the network where the host is located.

IP addresses are assigned and controlled by an organization called Internet Assigned Numbers Authority (IANA). There are two current versions of IP addressing: IPv4 and IPv6.
IPv4 addresses
IPv4 addresses are classified into classes A, B, C, D, and E. Only addresses from the classes A, B, and C are assigned to organizations and are known as classful IP addresses. The first byte of an IP address identifies the class of IP addresses used in the network. For example, a host with an IP address of 92.137.0.10 is using a class A IP address. A host with an IP address of 192.170.200.10 is using a class C IP address. The IP addresses in the A, B, and C classes are available for public companies and can be assigned by an ISP. The class D and E addresses are reserved for special usage.

Subnet mask. Every IP address is accompanied by a subnet mask, which is used to help identify the part of the network where the host is located. Like the IP address, the subnet mask is a 32-bit binary number that distinguishes the network ID from the host ID. Its digits are set to 1 and 0, where 1 represents the network portion of the address and 0 represents the host portion. The table summarizes the main classes of IP addresses, the number of networks and hosts in each class, and the default subnet masks.
Note: The IP address 127.0.0.1 is reserved as a loopback address for troubleshooting the TCP/IP configuration of the computer.

Apart from the IP addresses, the hosts on a network also have a general alphanumeric hostname or a Fully Qualified Domain Name (FQDN) in the format server1.mycompany.com. Each hostname corresponds to an IP address, and the DNS is used to translate the IP address of a host to its domain name.

When configuring the IP address of a computer or some other network device, you will need to specify the IP address, the subnet mask, and the default gateway address. The IP address must be unique in the network, while the subnet mask must be the same on all computers in a particular network segment.

Default gateway. A default gateway allows computers on a network segment to communicate with computers on another segment. The default gateway for all computers on a particular segment is the IP address of the router interface that is connected to the local segment. If a computer is not configured with the IP address of a default gateway, it cannot communicate with computers on a different network segment.
Public and private IP addresses
Public IP addresses (or registered IP addresses) are the addresses of networks that are reachable from outside the organization. For example, a host connected directly to the Internet is using a public IP address. If an organization needs to connect its network to the Internet, it will need to obtain a public IP address from its Internet Service Provider. Typically, web servers, email servers, DNS servers, FTP servers, and VPN servers are connected directly to the Internet and use public IP addresses.

Private IP addresses (or unregistered IP addresses), on the other hand, are used when an organization’s computer network is private. In other words, it is not connected to the Internet or if it is, it is located behind a proxy server or a firewall. Access to private networks is usually restricted to users inside the organization. The Internet Assigned Numbers Authority (IANA) has set aside a range of IP addresses in each of A, B, and C address classes that can be used by private organizations for their internal IP addressing.
Subnetting
Subnetting is the process of creating two or more network segments by using the host portion of the IP address. Subnetting creates multiple broadcast domains that help reduce undesired broadcast traffic. Subnetting allows administrators to more effectively manage the IP address range. It also increases security of the network and helps contain network traffic to local network segments.

With a default subnet mask, you can have only one network segment. With subnetting, the number of segments increases, while the number of hosts in each segment reduces. For example, consider a network with an IP address of 192.168.2.0. With the default subnet mask of 255.255.255.0, you can have only one large network segment with 254 hosts. If you use some bits from the host portion, you can create two, three, or four segments. But as the number of segments increases, the number of hosts in each segment reduces.
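The classful rules, the subnet-mask split, and the borrowing of host bits described above, worked through in code. This is an added example, not code from the original page; the exact private ranges (10/8, 172.16/12, 192.168/16) are taken from RFC 1918 and the APIPA range from RFC 3927, since the page only says IANA set aside one range per class.

```python
"""Classful IPv4 analysis and subnetting for the IP Addressing section."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed from RFC 1918 (private) and RFC 3927 (APIPA): an assumption,
# the page itself does not list the ranges.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def ip_class(addr: str) -> str:
    """Classful letter from the first octet: A < 128, B < 192, C < 224, D < 240, else E."""
    first = int(addr.split(".")[0])
    for limit, letter in ((128, "A"), (192, "B"), (224, "C"), (240, "D")):
        if first < limit:
            return letter
    return "E"


def default_mask(addr: str) -> Optional[str]:
    """Default subnet mask for classes A-C; None for the reserved classes D and E."""
    return DEFAULT_MASKS.get(ip_class(addr))


def address_kind(addr: str) -> str:
    """Loopback, APIPA, private (RFC 1918) or public (registered) address."""
    ip = ipaddress.ip_address(addr)
    if ip in LOOPBACK:
        return "loopback"
    if ip in APIPA:
        return "apipa"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def split_address(addr: str, mask: str) -> Tuple[str, str, str, int, int]:
    """Apply the mask: 1 bits select the network ID, 0 bits the host ID.

    Returns (network ID, host ID, broadcast address, prefix length, usable hosts).
    """
    ip = int(ipaddress.ip_address(addr))
    m = int(ipaddress.ip_address(mask))
    host_bits = ~m & 0xFFFFFFFF
    network = ipaddress.ip_address(ip & m)
    host = ipaddress.ip_address(ip & host_bits)
    broadcast = ipaddress.ip_address((ip & m) | host_bits)
    prefix = bin(m).count("1")
    usable = max((1 << (32 - prefix)) - 2, 0)  # network and broadcast are not usable
    return str(network), str(host), str(broadcast), prefix, usable


def subnet(network: str, borrowed_bits: int) -> List[Tuple[str, str, int]]:
    """Borrow host bits to create 2**borrowed_bits segments.

    Returns (network address, subnet mask, usable hosts) per segment.
    """
    net = ipaddress.ip_network(network, strict=True)
    new_prefix = net.prefixlen + borrowed_bits
    return [(str(s.network_address), str(s.netmask), s.num_addresses - 2)
            for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for a in ("92.137.0.10", "192.170.200.10", "127.0.0.1", "169.254.3.9"):
        print(a, ip_class(a), default_mask(a), address_kind(a))
    print(split_address("192.168.2.10", "255.255.255.0"))
    # 192.168.2.0/24 with two borrowed bits: four segments of 62 hosts each
    for seg in subnet("192.168.2.0/24", 2):
        print(seg)
```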
IPv6 addresses
The most significant advantage of IPv6 over IPv4 is the increase in the number of network addresses available for network devices. This is an important consideration because most of the IPv4 addresses have already been allocated, and the availability is continuously decreasing. IPv6 uses a 128-bit address as opposed to the 32-bit address used in IPv4.

An IPv6 address is composed of two logical parts: a 64-bit network prefix and a 64-bit host address. The host address can either be dynamically generated from the MAC address of the host interface or can be sequentially assigned.

The IPv6 address is written as eight groups of four hexadecimal digits separated by colons. The following is an example of an IPv6 address:

2001:0db8:85a3:08d3:1319:8a2e:0370:7334

If any of the four-digit group is composed of all zeros, it can be omitted. Consider another example:
2001:0db8:0000:08d3:1319:8a2e:0000:7334

This address can be written as follows:
2001:0db8::08d3:1319:8a2e::7334
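The text-form rules applied in code, as an added example that is not part of the original page. One caveat a practitioner should know: RFC 4291 allows "::" only once per address (a second "::" makes the number of omitted groups ambiguous), and RFC 5952 compresses only the longest run of zero groups and never a single group, so the canonical short form of the second address above is 2001:db8:0:8d3:1319:8a2e:0:7334.

```python
"""IPv6 text-form expansion and compression (RFC 4291 / RFC 5952 rules)."""
from typing import List


def expand_ipv6(addr: str) -> List[int]:
    """Return the eight 16-bit groups as integers, accepting at most one '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once; a second occurrence is ambiguous")
    if "::" in addr:
        left, right = addr.split("::")
        lg = [int(g, 16) for g in left.split(":") if g]
        rg = [int(g, 16) for g in right.split(":") if g]
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lg + [0] * missing + rg
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return groups


def compress_ipv6(addr: str) -> str:
    """Canonical short form: leading zeros dropped in each group, and the
    longest run of two or more all-zero groups replaced by '::' (first run
    wins on ties, as RFC 5952 requires)."""
    groups = expand_ipv6(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]  # drops leading zeros, lowercase
    if best_len < 2:
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return "%s::%s" % (left, right)


if __name__ == "__main__":
    for a in ("2001:0db8:85a3:08d3:1319:8a2e:0370:7334",
              "2001:0db8:0000:08d3:1319:8a2e:0000:7334",
              "2001:0db8:0000:0000:0000:0000:0000:7334",
              "0000:0000:0000:0000:0000:0000:0000:0001"):
        print(a, "->", compress_ipv6(a))
```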
Address assignment
In every network based on the TCP/IP protocol, whether it is small or large, there has to be some means of assigning IP addresses to the computers. At the minimum, the TCP/IP address configuration requires assignment of an IP address and a subnet mask. If it is a routed network(a network with multiple segments), the address of the default gateway must also be configured. IP address assignment can be done manually (static addressing) or automatically (dynamic addressing), as discussed in the following paragraphs:
Static
In the static IP address assignment method, an administrator manually configures the IP addresses on every computer. This method is prone to typing errors and cannot be used in large networks. In case the organization changes the IP addressing scheme, each computer must again be manually configured, which makes it a tedious task for the administrator. Moreover, an administrator may assign duplicate addresses, leaving a system unable to communicate on the network.
Dynamic
Dynamic IP addressing refers to automatic assignment of TCP/IP configuration by using a centralized server known as a Dynamic Host Configuration Protocol (DHCP) server. The DHCP server is configured with IP address scopes for each network segment. This not only saves the administrator from manually entering IP addresses, but it also prevents typing errors and duplicate addresses. If there is a change in the IP addressing scheme, the administrator has only to make changes on the DHCP server.

The DHCP server maintains a list of available IP addresses in a scope. When a client is assigned an IP address from a scope, the DHCP server can also provide the subnet mask and default gateway address. Optionally, the addresses of DNS and WINS servers can also be assigned to the client (WINS is discussed later in this section). IP addresses are assigned for a specific period of time known as a lease. Clients must renew their IP addresses with the DHCP server when 50 percent of the lease period expires.
Automatic Private IP Addressing (APIPA)
The default configuration on most operating systems is to dynamically obtain an IP address configuration from a DHCP server. When the DHCP server is not available for some reason, the computer can assign itself an IP address automatically. This feature is enabled by default on all Windows XP computers. The automatically assigned address is from the range 169.254.0.1 to 169.254.255.254 with a subnet mask of 255.255.0.0.

With an APIPA address, the computer can connect only to the other computers with APIPA addresses on the local network segment, but cannot access any other computers or a remote network. A computer assigned with APIPA keeps on trying to locate a DHCP server every five minutes in order to obtain a genuine IP address. If a computer is configured to obtain an IP address from a DHCP server but does not support APIPA, its IP address defaults to 0.0.0.0.

*Types

(i)NetBEUI
NetBEUI stands for NetBIOS Extended User Interface. It is an old Microsoft networking protocol used in small networks. This protocol provides services at the Transport and Network layer of the OSI model. It is not a routable protocol and cannot be used on large routed networks. It is easy to install and is the fastest of all protocols.

Computers using the NetBEUI protocol use NetBIOS naming conventions. NetBIOS computer names consist of a maximum of 15 characters, such as Server1 or Workstation1. NetBEUI uses the following three methods to resolve NetBIOS computer names to IP addresses:

IP Broadcasting
If a host does not have the IP address of a NetBIOS host in its cache, it broadcasts the NetBIOS name to the entire network.

LMHOSTS File
This is a text file that maps IP addresses to NetBIOS computer names.

NBNS
This is a NetBIOS Name Server that maps NetBIOS names to IP addresses.

Since NetBIOS name resolution mainly depends on broadcasts, the NetBEUI protocol creates significant network traffic if there are a large number of computers on the network. This protocol is used only on non-routed Microsoft networks. Due to its severe limitations, it is rarely used even in Microsoft networks these days.
(ii) Internet Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
IPX/SPX is a full protocol suite used in Novell NetWare networks. It is a fully routable protocol. Different protocols in this suite are as follows:

Service Advertising Protocol (SAP)
This protocol works at the application, presentation, and session layers, and it allows systems to advertise their services (such as file and print services).

NetWare Core Protocol (NCP)
This protocol works at the application, presentation, and session layers, and it allows client/server interactions (such as file and print sharing). NCP is a connection-oriented protocol.

Internet Packet Exchange (IPX)
This protocol works at the transport and network layers, and it provides network addressing and routing services. It is a connection-less protocol and provides fast and reliable communication between computers.

Sequenced Packet Exchange (SPX)
This protocol works at the Transport layer to provide connection-oriented services on top of the IPX protocol.

Routing Information Protocol (RIP)
This protocol works at the Network layer and is the default routing protocol for IPX/SPX networks. It uses the distance vector routing algorithm for calculating routes and building routing tables.

NetWare Link State Protocol (NLSP)
This protocol works at the Network layer to provide routing services based on a link state algorithm for calculating routes and building routing tables.

Open Data link Interface (ODI)
This protocol works at the Data Link layer to allow NetWare systems to work with any network interface card.

NetWare hostnames. In a NetWare network environment, only the servers are required to be assigned hostnames. These names consist of a maximum of 47 characters. The NetWare clients do not have hostnames. They use their IPX addresses instead.

IPX addresses. Logical NetWare networks are assigned 32-bit hexadecimal addresses. The servers and workstations use a 48-bit hexadecimal address that defaults to the MAC address of the network interface card. The node address is appended to the network address to create a unique node address in the internetwork. The following is an example of an IPX address:

0AC74E02:02254F89AE48

Note that the first part of the IPX address is the address of the logical network, and the second part is the unique MAC address of the network interface card. The colons from the MAC address are removed. Also, if there are any leading zeros, they are not written. Sometimes the IPX address is written as groups of four hexadecimal numbers separated by colons. The above address can thus be written as:

AC7:4E02:0225:4F89:AE48

NetWare frame types. When discussing the IPX/SPX protocol suite, it is important to include the frame types used in NetWare networks. If there is some connectivity problem between two systems using different versions, it is a good idea to check the frame types used on the network. NetWare uses the following types of frames for encapsulating data at the Data Link layer:
• NetWare 2.x and NetWare 3.x use IEEE 802.3 as the default frame type.
• NetWare 4.x uses IEEE 802.2 as the default frame type.

IPX/SPX interoperability and routing. The IPX/SPX protocol suite is fully routable and interoperates with many other protocols. Most notably, Microsoft operating systems include the NWLink IPX/SPX Compatible Protocol and the Microsoft Client for NetWare Networks for interoperability with Novell networks. Due to the increasing popularity and extended features of the TCP/IP protocol suite, the usage of IPX/SPX has declined significantly. Both Microsoft and Novell have made TCP/IP their default protocol.
(iii) AppleTalk
The AppleTalk protocol suite is used to interconnect Apple computers. Like IPX/SPX and TCP/IP, this protocol is also fully routable. The AppleTalk protocol suite consists of the following different protocols:

AppleShare
This protocol works at the Application layer and provides file- and printer-sharing services.

AppleTalk Filing Protocol (AFP)
This protocol works at the Presentation layer and is used to manage file sharing between AppleTalk hosts. It is also called Apple Filing Protocol.

AppleTalk Data Stream Protocol (ADSP)
This protocol works at the Application and Presentation layers, and provides services for establishing communication between AppleTalk hosts.

Zone Information Protocol (ZIP)
This protocol works at the Session layer to divide an AppleTalk network into zones.

AppleTalk Session Protocol (ASP)
This protocol works at the Session layer to establish and terminate connections between hosts.

Printer Access Protocol (PAP)
This protocol works at the Session layer to provide printing services on an AppleTalk network.

AppleTalk Address Resolution Protocol (ARP)
This protocol works at the Network layer to resolve AppleTalk addresses to Ethernet or Token Ring addresses.

Datagram Delivery Protocol (DDP)
This protocol works at the Network layer to handle routing functions and delivery of datagrams.

AppleTalk Transaction Protocol (ATP)
This protocol works at the Transport layer to provide a connectionless session between hosts.

Name Binding Protocol (NBP)
This protocol also works at the Transport layer to map AppleTalk hostnames to network layer addresses.

Routing Table Maintenance Protocol (RTMP)
This protocol works at the Transport layer to maintain routing tables.

EtherTalk Link Access Protocol (ELAP)
This protocol works at the Data Link layer and provides compatibility with Ethernet protocol.

TokenTalk Link Access Protocol (TLAP)
This protocol works at the Data Link layer and provides compatibility with Token Ring protocol.

AppleTalk addressing and naming. An AppleTalk host address consists of a 24-bit number with 16 bits assigned to the network and 8 bits assigned to the host. This address is expressed in a decimal format. An administrator assigns the network address while the host address is automatically generated by the system when it is first started. It is a randomly generated number and is broadcast to the entire AppleTalk network as soon as it is generated. An example of an AppleTalk address is 5.48, where 5 is the network address and 48 is the host address. AppleTalk hostnames are resolved using the Name Binding Protocol (NBP), which is similar to the Domain Name System (DNS) used on TCP/IP networks.

AppleTalk interoperability and routing. AppleTalk is a fully routable protocol but cannot be used on the Internet. The Routing Table Maintenance Protocol provides functionality that is similar to the RIP used on TCP/IP networks. Unix/Linux and Microsoft operating systems have limited support for AppleTalk networks. As with the IPX/SPX protocol suite, the AppleTalk protocol is also losing ground due to the increasing popularity of the TCP/IP protocol.
(iv) Transmission Control Protocol/Internet Protocol (TCP/IP)
The TCP/IP is a set of several protocols. It is the most widely used protocol suite in private networks as well as on the Internet. Unlike the AppleTalk and IPX/SPX protocols, TCP/IP is not proprietary to any organization, but is a public protocol suite. Some of the well-known protocols and their functions are discussed in this section. The TCP/IP protocol suite is a set of a number of protocols and services, each with a specific function working at one or more layers of the networking model. Some of the commonly used protocols and their functions are listed here:

Internet Protocol (IP)
IP is a connection-less protocol that works at the network layer to provide IP addressing and routing functions.

Transmission Control Protocol (TCP)
TCP is a connection-oriented protocol that works at the transport layer to provide guaranteed delivery, flow control, error detection, error correction, and packet sequencing.

User Datagram Protocol (UDP)
UDP is a connection-less protocol that works at the transport layer but does not provide guaranteed delivery of data. It does not perform any error checking or correction and hence is faster and consumes less network bandwidth than TCP.

File Transfer Protocol (FTP)
FTP works at the Application layer to provide file transfers between remote computers. FTP uses TCP as its transport protocol and is a client/server application that authenticates users before allowing access to servers that host the FTP service. Most FTP servers allow anonymous logon, which enables multiple users to connect to the server and download files. FTP is commonly used on the Internet for file downloads. One of the major limitations of this protocol is security: the authentication method uses clear-text usernames and passwords, which is a serious security concern.
Secure File Transfer Protocol (SFTP)
SFTP is the secure version of the FTP protocol. It is used to transfer data in an encrypted format between the client and the server. Secure Shell (SSH) is used to provide secure authentication between the two computers.

Trivial File Transfer Protocol (TFTP)
TFTP is an Application-layer protocol used to transfer files between two remote computers. It is limited in functionality compared to FTP. It uses UDP as its transport protocol and is hence less reliable than FTP, but faster.

Simple Mail Transfer Protocol (SMTP)
SMTP is a connection-oriented Application-layer protocol that is used to transport messages between remote email servers. It uses TCP at the transport layer and hence guarantees delivery of data.

HyperText Transfer Protocol (HTTP)
HTTP is an Application-layer protocol that allows text, images, and multimedia to be downloaded from web sites. It is also a connection-oriented protocol that uses TCP at the transport layer. HTTP works with a Uniform Resource Locator (URL) to connect to the desired web site. An example of a URL is http://www.oreilly.com.

HTTP Secure (HTTPS)
HTTPS is the secure version of the HTTP protocol that allows servers and clients to be authenticated before the communication session starts. This protocol is also an Application-layer protocol and uses TCP at the Transport layer. It is commonly used for online banking and other e-commerce functions. It uses the Secure Sockets Layer (SSL) to encrypt the network traffic between the web server and the web client. A web site using SSL has a URL starting with https://.

Post Office Protocol 3 (POP3)
POP3 is used to download or retrieve email messages from mail servers running the SMTP protocol. One of the limitations of the POP3 protocol is that it uses clear-text usernames and passwords, which is a serious security concern.

Internet Message Access Protocol 4 (IMAP4)
Like POP3, IMAP4 is also used to retrieve email from mail servers. The advantage of using IMAP4 over POP3 is that it provides a secure authentication mechanism.

Telnet
Telnet is an Application-layer protocol that allows connections to remote hosts. Administrators use this protocol to connect remotely to network devices and run commands in order to configure or maintain them. This is also a connection-oriented protocol and uses TCP at the Transport layer.

Secure Shell (SSH)
SSH is the secure alternative to connecting to remote systems or devices instead of using Telnet. It provides strong authentication mechanisms and encryption of information between two remote hosts.

Internet Control Message Protocol (ICMP)
ICMP works at the Network layer to provide error checking and reporting functions. It is a connection-less protocol and uses IP for providing best-effort delivery. It is used in network management and maintenance systems. For example, ping is a troubleshooting utility that uses the ICMP protocol.

Address Resolution Protocol (ARP)
ARP works at the Network layer and is used to resolve IP addresses to MAC addresses. Upper-layer protocols use ARP to correctly deliver data packets to the destination host. ARP maintains a mapping (called the ARP cache) of IP addresses and MAC addresses in the system memory. If the ARP cache does not have an entry for a requested IP address, it broadcasts the IP address on the local network to find out which host has the specified IP address.

Reverse Address Resolution Protocol (RARP)
The function of RARP is opposite to that of the ARP. It is used to obtain the IP address of a host whose MAC address is known.

Network Time Protocol (NTP)
NTP is used to exchange time information between TCP/IP hosts. One of the systems is usually configured as a time provider, which uses NTP to transmit time information to other hosts.

Network News Transfer Protocol (NNTP)
NNTP works at the application layer to provide newsgroup services such as posting and retrieving messages on discussion forums. It uses TCP at the Transport layer.

Secure Copy Protocol (SCP)
SCP works at the Application layer to enable secure copying of files from Unix/Linux systems. It uses SSH technology for a secure information exchange between two systems. It is a safe alternative to the Remote Copy Protocol (RCP).

Lightweight Directory Access Protocol (LDAP)
LDAP is an Application-layer protocol that enables users to access and query directory services such as Microsoft’s Active Directory, Novell’s eDirectory, and Novell Directory Services (NDS). LDAP functions can be performed from the command line or from graphical user interfaces (GUIs).

Internet Group Management Protocol (IGMP)
IGMP works at the network layer of the OSI model and is used to register and discover network devices in a multicasting group. IGMP enables devices to exchange messages within the members (network devices) of a multicasting group.

Line Printer Remote (LPR)
LPR works at the application layer to provide client connectivity to printers in all major network operating systems, such as Unix/Linux and Windows. Line Printer Daemon (LPD) is a server component that accepts client print requests sent using the LPR application.
Port assignments in TCP/IP
Every application, service, or protocol in the TCP/IP suite has a specific port number assigned to it. A port is like a socket that the application uses to send or receive data packets. When a computer receives a data packet, it checks the associated port number to determine which application will receive the data. For example, the FTP service uses port numbers 20 and 21. TCP/IP port numbers fall into the following three categories:
• Well-known port numbers range from 0 to 1,023.
• User ports (registered ports) range from 1,024 to 46,151.
• Dynamic/private ports range from 46,152 to 65,535.
TCP/IP addressing. Hosts in a TCP/IP network follow IP addressing schemes. IPv4 is the current and most commonly used version of IP addressing. The IP address consists of 32 bits and is expressed as decimal numbers separated by periods. This is called the dotted decimal notation. An IP address is composed of four sets of eight bits (octets) each. 192.168.2.10 is an example of an IP address.

Since a TCP/IP network can be composed of several segments, it becomes necessary to identify the network segment in which a particular host is located. For this purpose, a second 32-bit number is associated with an IP address. This number is used to identify the network address from the host address, and is called the subnet mask. When converted to a binary number, the network part is assigned a binary value of 1 and the host part is assigned a value of 0 in the subnet mask. For example, if the subnet mask is 255.255.0.0, the first 16 bits of the IP address would represent the network address, and the last 16 bits would represent the host address.

IP addresses are divided into classes A, B, C, D, and E. Out of these, classes A, B, and C are available for assignment to private organizations. IP addresses can further be divided into public (registered) or private (unregistered) addresses. Organizations using public addresses can be connected to the Internet, while the private IP addresses can only be used internally.
TCP/IP naming. TCP/IP hosts can be identified either by their IP addresses or by their hostnames. A DNS server performs the translation of IP addresses to computer names. In smaller networks, a text file named hosts can also be created on every computer to provide name resolution.

TCP/IP routing. Needless to say, TCP/IP is a fully routable protocol. The routing functionality is provided by a number of routing protocols, such as RIP and OSPF.

TCP/IP interoperability. The TCP/IP protocol suite is supported by all major network and desktop operating systems. Apart from Unix/Linux operating systems, Microsoft, Apple, and NetWare have also made TCP/IP their default protocols. As of now, TCP/IP is the most versatile and feature-rich protocol suite available in all operating system environments.

14.Network Protocols

Networking protocols provide the ability for computers to communicate to each other through the networking media. In this section, we will discuss the features of different networking protocols, their advantages, and their limitations.

*Types

(i) Physical layer (Layer 1)
The Physical layer of the OSI model defines the network medium, hardware, and topology used in the network; the maximum speed, bandwidth, and cable lengths are also defined in this layer. It also details the electrical characteristics of the media, such as voltage or current. In wireless networks, it defines the frequencies over which the signals travel. The following are two main components of this layer:
Topology
The physical network topology used may be bus, ring, star, or mesh.
Hardware
The network hardware includes the network media such as cables and connectors, and their connection details.

Network hubs and repeaters work at the physical layer of the OSI model.
(ii) Data Link layer (Layer 2)
The Data Link layer defines the interface between the physical media and the software running on the computer. It is responsible for sending and receiving the data frames to and from the Physical layer. This layer performs functions such as packet addressing, error detection, error correction, and hardware addressing. This layer is further divided into the following two sublayers:
Media Access Control (MAC)
The MAC sublayer is defined in the IEEE 802.1 standard. It is responsible for controlling access to network media and for moving the data packets from one network interface to another. The IEEE 802.1 standard defines the MAC address (also called the hardware address) of the network interfaces. A MAC address is hard-coded onto every network interface.

Logical Link Control (LLC)
The LLC sublayer is defined in the IEEE 802.2 standard. It is responsible for error detection, error correction, synchronization of data frames, and flow control.
(iii) Network layer (Layer 3)
The Network layer is responsible for end-to-end communications between two computers on different networks. One of the primary functions of this layer is routing, which enables computers to forward traffic to a remote network. This functionality is provided by network protocols. Network protocols perform route selection, which is a process that determines the best path to a destination network.

Unlike the Data Link layer that uses a MAC address to forward packets to a host in a single network, the Network layer uses software-configured, Layer 3 addresses (such as an IP address or an IPX address) to send the packet to its destination network. Other functions of the network layer include packet sequencing, end-to-end error detection, congestion control, and addressing.

The IP and the IPX work at the Network layer of the OSI model. Besides this, routing protocols such as RIP, OSPF, and NLSP also work at this layer.

Network interface cards, switches, bridges, and wireless access points work at the Data Link layer of the OSI model.
(iv) Transport layer (Layer 4)
The Transport layer works with the Network layer to provide guaranteed delivery of data packets in order to acknowledge that data is received at the destination. It performs segmentation of data by breaking it down into manageable packets. End-to-end error detection ensures that the data is received without damage. Flow control ensures that transmission speed is regulated in order to avoid dropped packets.

Both connectionless and connection-oriented protocols work at the Transport layer. UDP is a connectionless protocol, while TCP is a connection-oriented protocol.
(v) Session layer (Layer 5)
The Session layer provides several functions to regulate the communications session between two computers on the network. It is responsible for setting up and terminating a session as well as for controlling the dialog between applications on two computers.

(vi) Presentation layer (Layer 6)
The Presentation layer is responsible for translating the syntax or format of data so that the receiving computer can understand it. This layer also provides functions such as compression/decompression, encoding/decoding, and encryption/decryption. Some of the common data formats working at this layer include the following:
• Graphic file formats such as JPEG, TIFF, or GIF
• Text and data file formats such as American Standard Code for Information Interchange (ASCII) and Extended Binary Coded Decimal Interchange Code (EBCDIC)
• Sound and video formats such as MPEG, AVI, QuickTime Video, or MIDI files

(vii) Application layer (Layer 7)
The Application layer is responsible for accepting requests from users and applications and passing them on to the lower layers of the OSI model. In other words, it provides an interface between the applications running on the computer and network protocols. Applications (such as file transfers, email, FTP, or Telnet) use the services provided by Application layer protocols, which in turn use the lower layer protocols to communicate over the network.

13. The OSI Networking Model

The Open System Interconnect (OSI) model defines the seven layers of networking. These layers define the standards for implementing networking functions and protocols. The functions of each layer are described in the following sections.

12. Protocols and Standards

This section covers a study of different networking protocols and standards. First, I will explain the OSI networking model and then discuss commonly used networking protocols. I will explain how networking protocols are associated with network operating systems. This will be followed by a detailed study of the TCP/IP protocol suite, which is the most widely used set of networking protocols on private networks. The TCP/IP protocol suite is the only one used on the Internet.
Media Access Control (MAC) Address
The MAC address is a unique 48-bit (6 bytes) hardware address that is hard coded into almost every networking device. This address is used by network protocols to deliver data to the correct host in the network. In devices that have multiple network interfaces, each interface has a unique MAC address. The Data Link layer of the OSI model is responsible for managing MAC addresses of network devices in the network.

The 48-bit MAC address is written as hexadecimal numbers in six groups of two hexadecimal digits (one byte) each, separated by colons (:) or hyphens (-). These digits include 0 to 9 and A to F. The first group of 3 bytes (24 bits) uniquely identifies the manufacturer of the device and is assigned by the IEEE. The last group of three bytes is assigned to the interface by the manufacturer to uniquely identify the interface. This ensures that no two devices have an identical MAC address. The following is an example of a MAC address:

02-25-4F-89-AE-48

Network protocols, such as the Address Resolution Protocol (ARP) of the TCP/IP protocol stack, maintain a table that maps MAC addresses to their corresponding IP addresses. The method of identifying the MAC address of a network interface that is installed in a system varies from one operating system to another. The following list provides a look at the operating system utilities used to obtain the MAC address of an interface:
• Windows XP/NT/2000/2003: ipconfig /all
• Windows 95/98/ME: winipcfg
• Novell NetWare: config
• Unix/Linux: ifconfig -a
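Parsing a MAC address in either notation into the manufacturer and device parts described above, with a small ARP-style table that reports when an IP's mapping changes. This is an added example, not code from the original post; the I/G and U/L bit positions in the first octet are standard IEEE 802 facts assumed here.

```python
import re

# Added example: split a MAC address into its IEEE-assigned OUI and the
# manufacturer-assigned device part, accepting colon or hyphen separators.

# Six pairs of hex digits; the separator chosen by the first pair must be reused.
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([:-])([0-9A-Fa-f]{2})(\2[0-9A-Fa-f]{2}){4}$")


def normalize_mac(text: str) -> str:
    """Return the address as 12 upper-case hex digits, or raise ValueError."""
    text = text.strip()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return text.replace(":", "").replace("-", "").upper()


def parse_mac(text: str) -> dict:
    """Split the address into OUI and device part and decode the two flag bits."""
    digits = normalize_mac(text)
    first_octet = bytes.fromhex(digits)[0]
    return {
        "oui": digits[:6],                       # first 3 bytes: manufacturer (IEEE-assigned)
        "device": digits[6:],                    # last 3 bytes: interface, set by the manufacturer
        "multicast": bool(first_octet & 0x01),   # I/G bit: 1 = group (multicast) address
        "locally_administered": bool(first_octet & 0x02),  # U/L bit: 1 = not an IEEE-assigned OUI
        "canonical": "-".join(digits[i:i + 2] for i in range(0, 12, 2)),
    }


def learn_mapping(table: dict, ip: str, mac: str):
    """Record ip -> mac in an ARP-style table.

    Returns the previous MAC when an existing entry changes to a different
    address, which is the event a defender wants to notice; otherwise None.
    """
    new = parse_mac(mac)["canonical"]
    old = table.get(ip)
    table[ip] = new
    return old if old is not None and old != new else None


if __name__ == "__main__":
    # The post's own example address, and a constructed ARP table.
    print(parse_mac("02-25-4F-89-AE-48"))
    arp = {}
    learn_mapping(arp, "192.168.2.10", "02:25:4f:89:ae:48")
    print("changed from:", learn_mapping(arp, "192.168.2.10", "00-11-22-33-44-55"))
```

Run on the post's example, the U/L bit of the first octet (0x02) comes back set, which under IEEE 802 marks a locally administered address rather than one built from a manufacturer's OUI.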

Sunday, April 11, 2010

*Types

(i) Spread spectrum wireless technology
In order to reduce the effects of interfering frequencies, wireless devices use the spread spectrum technology. This technology helps share available frequency bandwidth common to wireless devices. It also helps prevent jamming of radio signals due to strong interference from another source of radio frequency. Instead of using a fixed frequency, such as that used with radio and television broadcasts, wireless networks use a spectrum of frequencies. The sender uses a number of narrow-band frequencies to communicate with the receiver. Each narrow band of frequencies contains only a part of the signal. The receiver correlates the signals received at different frequencies to retrieve the original information. Spread spectrum technology synchronizes wireless signals using one of the following methods:

Frequency Hopping Spread Spectrum (FHSS)
FHSS is the method of transmitting RF signals by rapidly switching frequencies according to a pseudorandom pattern, which is known to both the sender and the receiver. FHSS uses a large range of frequency (83.5 MHz) and is highly resistant to noise and interference. The amount of time the signal spends on any frequency is known as dwell time, and the amount of time it takes from switching one frequency to another is known as hop time. FHSS signals are difficult to intercept because the signals usually appear as noise. FHSS works in the unlicensed frequency range of 2.4 GHz and is used in Home RF and Bluetooth. It has a limited speed of transmission that ranges from 1.6 to 10 Mbps.

Direct Sequence Spread Spectrum (DSSS)
DSSS is a modulation technique used by wireless networks. It uses a wide band of frequency: the signal is divided into smaller parts, which are transmitted simultaneously on as many frequencies as possible within a particular frequency band. DSSS adds redundant bits of data known as chips. The ratio of chips to data is known as the spreading ratio. The higher the spreading ratio, the higher the immunity to interference. DSSS is faster than FHSS and ensures data protection, because chips are redundant and simultaneously transmitted. It utilizes a frequency range from 2.4 GHz to 2.4835 GHz and is used in 802.11b networks.
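A bit-level toy simulation of the spreading ratio idea, added here as an example (not part of the original post): each data bit is XORed onto a chip sequence, and the receiver despreads by majority vote, so a block survives as long as fewer than half of its chips are corrupted. The 11-chip Barker sequence used for 802.11b is assumed as the chip code; everything else (the bit patterns, the interference model) is constructed.

```python
import random

# Added example: direct-sequence spreading and despreading on plain 0/1 lists.

# 11-chip Barker code (+1 -> 1, -1 -> 0), the sequence used by 802.11b DSSS.
BARKER_11 = [1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0]


def spread(bits, chips=BARKER_11):
    """Spread data bits: every data bit is XORed onto each chip of the sequence."""
    out = []
    for b in bits:
        out.extend(c ^ b for c in chips)
    return out


def despread(chipstream, chips=BARKER_11):
    """Recover data bits by correlating each block against the chip sequence.

    Each chip votes for the data bit that would have produced it; the majority
    wins, so up to (n - 1) // 2 corrupted chips per block are tolerated.
    """
    n = len(chips)
    if len(chipstream) % n:
        raise ValueError("chip stream is not a whole number of symbols")
    bits = []
    for i in range(0, len(chipstream), n):
        block = chipstream[i:i + n]
        votes_for_one = sum(c ^ r for c, r in zip(chips, block))
        bits.append(1 if votes_for_one * 2 > n else 0)
    return bits


def corrupt(chipstream, flip_fraction, seed=1):
    """Flip a fraction of chips at random: a constructed model of interference."""
    rng = random.Random(seed)
    out = list(chipstream)
    flips = int(len(out) * flip_fraction)
    for idx in rng.sample(range(len(out)), flips):
        out[idx] ^= 1
    return out


def survives(bits, flip_fraction, chips=BARKER_11, seed=1):
    """True when the data bits come back intact after spreading, corruption and despreading."""
    noisy = corrupt(spread(bits, chips), flip_fraction, seed)
    return despread(noisy, chips) == bits


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]
    # Compare spreading ratios 1 (no spreading), 3 and 11 under the same interference.
    for chips in ([1], [1, 0, 1], BARKER_11):
        ok = survives(data, 0.15, chips)
        print(f"spreading ratio {len(chips):2d}: {'recovered' if ok else 'corrupted'}")
```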

(ii) Infrared
Infrared technology employs electromagnetic radiation with wavelengths that are longer than visible light but shorter than radio frequencies. This technology is used in night-vision equipment, thermography, digital cameras, and digital communication systems. Common examples of Infrared devices are the remote controls used by TVs and audio systems. The Infrared technology is standardized by the Infrared Data Association (IrDA). The following are some of the key characteristics of IrDA wireless communication technology:

• It supports point-to-point wireless communications between two devices.
• Infrared transmission uses a direct line of sight suitable for personal area networks.
• Infrared waves cannot penetrate walls.
• IrDA wireless communication technology supports data transfer speeds ranging from 10 to 16 Mbps.
• Infrared devices consume very low power.
• Infrared frequencies do not interfere with radio frequencies.
• IrDA wireless communication technology provides a secure wireless medium due to the short distance (usually 3 to 12 feet) between devices.
(iii) Bluetooth
Bluetooth wireless networking technology provides short-range communications between two or more devices. It is a low-cost networking solution widely used in telephones, entertainment systems, and computers. It is designed to overcome the limitations of IrDA technology. The following are some of the key characteristics of Bluetooth-based wireless communication:

• It supports transmission speeds from 1 Mbps (Bluetooth 1.0) to 3 Mbps (Bluetooth 2.0).
• It works over the unlicensed frequency range of 2.4 GHz.
• The devices must be within a short range of less than 10 meters.
• It uses FHSS technology.
• It offers high resistance to electromagnetic interferences.
• Unlike the Infrared signals, it does not require a direct line of sight.
• Bluetooth devices consume very low power.
• Two or more Bluetooth computers form an ad-hoc wireless network.

(iv) Factors that affect wireless services
Wireless services use radio frequencies that travel through the atmosphere. There are several factors that may affect the speed, signal quality, and range of wireless signals. These include interference from other electrical devices, the type of antenna used, and other environmental factors. This section covers a brief discussion of these factors.

Interferences. Atmospheric interferences to wireless signals cannot be prevented, but they can certainly be reduced to achieve optimum performance. Some of the major causes of interference include the following:
• Physical objects such as buildings, trees, concrete and steel walls. These objects can either significantly reduce signals or even completely block them.
• Electromagnetic interference (EMI) generated by high-power electric lines, power transformers, heavy electrical machinery, fans, light fixtures, etc.
• Radio frequency interference (RFI) generated by other wireless equipment working in the same frequency ranges used by computer wireless devices. Examples of these types of equipment are wireless phones, wireless game controllers, or microwave ovens.

Type of antenna. The range of wireless signals depends on the type of antenna used for transmitting radio frequency signals. Selection of an antenna is a critical part of implementing a wireless network. Different shapes and sizes of antennas offer different signal levels. The strength of a wireless antenna (called its gain) is measured in decibels isotropic (denoted as dBi). An isotropic antenna sends signals of equal strength in all directions. A simple rule for calculating the effective strength of an antenna is that every 3 dBi of gain almost doubles its output.

Omni-directional antennas send wireless signals in all directions. This type of antenna is useful when coverage is required equally around the point of transmission. On the other hand, directional antennas transmit signals in one direction only. This sends the entire output of the transmitting device in one direction, so signals are transmitted more effectively.

Environmental factors. Environmental conditions, including weather, significantly affect the speed, range, and coverage of wireless signals. These factors can have an adverse effect on wireless signals.

11.Wireless Technologies

Wireless networks rely on radio transmissions to communicate instead of the network cabling used for normal computer networks. Radio frequencies create Electromagnetic (EM) fields, which become the medium to transfer signals from one computer to another. As you go away from the hub, or from the main equipment generating the wireless network’s radio transmissions, the strength of the EM field reduces and the signal becomes weak. EM fields are also prone to interference, which can be introduced by walls, reflected radio waves, and the presence of other EM fields. The presence of wireless telephones, microwave ovens, television sets, and a number of other devices can potentially interfere and reduce the signal strength of wireless devices.

* Types

1. Packet-filtering firewalls.
Packet-filtering firewalls inspect the contents of each IP packet entering the firewall device and, based on predefined and configured rules, allow or block packets inside the network. These firewalls permit or block access to specific ports or IP addresses. These firewalls work on two basic policies: Allow by Default and Deny by Default. In the Allow by Default policy, all traffic is allowed to enter the network except specifically denied traffic. In the Deny by Default policy, all traffic entering the firewall is blocked except that which is specifically allowed. Deny by Default is considered the best firewall policy, as only authorized traffic is allowed to enter the network using specified port numbers or IP addresses.

Packet-filtering firewalls use IP addresses and TCP/IP port numbers to decide whether certain traffic is to be allowed or blocked. The firewall can be configured to allow or deny traffic based on the source IP address, the destination IP address, the source port, or the destination port. TCP/IP port numbers fall into the following three categories:
• Well-known port numbers that range from 0 to 1,023.
• User ports (registered ports) that range from 1,024 to 46,151.
• Dynamic/private ports that range from 46,152 to 65,535.
Packet-filtering firewalls work at the Network layer (Layer 3) of the OSI model. One of the benefits of these is the ease of configuration because a packet is either allowed or blocked. This technique also does not cause any delays in transmissions. There are certain limitations also. The firewall can just inspect the header of the packet but does not read the contents of the packet. Another drawback is that if a certain application opens a port dynamically and does not close it, the open port remains a security risk to the network.
2. Application-layer firewalls.
Application-layer firewalls work at the Application layer (Layer 7) of the OSI model. They are also known as Application firewalls or Application layer gateways. This technology is more advanced than packet filtering because it examines the entire packet to allow or deny traffic. Proxy servers use this technology to provide application-layer filtering to clients. Application-layer packet inspection allows firewalls to examine the entire IP packet and, based on configured rules, allow only intended traffic through them.

One of the major drawbacks of application-layer firewalls is that they are much slower than packet-filtering firewalls. Every IP packet is taken apart at the firewall, inspected against a complex set of rules, and re-assembled before it is allowed to pass. For example, if the firewall finds virus signatures in a packet, it can block it. Although this technique allows for more rigorous inspection of network traffic, it comes at the cost of administration and speed.
3. Stateful Inspection Firewalls.
Stateful Inspection Firewalls work by actively monitoring and inspecting the state of the network traffic and keeping track of all the traffic that passes through the network media. This technology overcomes the drawbacks of both packet-filtering and application-layer firewalls. It is programmed to distinguish between legitimate packets for different types of connections, and only those packets are allowed that match a known connection state. This technology does not break or reconstruct IP packets and hence is faster than application-layer technology.

Using this technology, a firewall can monitor the network traffic and dynamically open or close ports on the device on an as-needed basis, as the communication states of common applications are known to the firewall. For example, if legitimate HTTP traffic enters the firewall, it can dynamically open port 80 and then close it when traffic has been allowed. This is in contrast to packet filtering, where the administrator would have to permanently keep port 80 open on the firewall.
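The two policies of the packet-filtering section and the connection tracking of the stateful section, as one added example (not code from the original post). The rule format, the `10.` inside-network prefix and the sample packets are all constructed for the demonstration; a real stateful firewall also tracks TCP flags and timeouts, which this simplified table leaves out.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a minimal packet filter under Allow by Default / Deny by Default,
# plus a connection table layered on top so replies to inside-initiated traffic
# are admitted without leaving a port permanently open.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src_ip: Optional[str] = None    # None matches any value
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src_ip is None or self.src_ip == p.src_ip)
                and (self.dst_ip is None or self.dst_ip == p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port)
                and (self.proto is None or self.proto == p.proto))


def packet_filter(rules, p: Packet, default: str = "deny") -> str:
    """Stateless filtering: first matching rule wins, else the default policy decides."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


class StatefulFirewall:
    """Remembers connections that were allowed outbound and admits their replies.

    Inbound packets that do not belong to a known connection fall back to the
    static rules and the default policy, exactly like a packet filter.
    """

    def __init__(self, rules, inside_prefix: str, default: str = "deny"):
        self.rules = rules
        self.inside_prefix = inside_prefix   # e.g. "10." (constructed simplification)
        self.default = default
        self.connections = set()             # (in_ip, in_port, out_ip, out_port, proto)

    def _is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def process(self, p: Packet) -> str:
        if self._is_inside(p.src_ip) and not self._is_inside(p.dst_ip):
            # Outbound: apply static rules; remember the connection if allowed.
            verdict = packet_filter(self.rules, p, self.default)
            if verdict == "allow":
                self.connections.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
            return verdict
        # Inbound: is this the reverse direction of a tracked connection?
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        if key in self.connections:
            return "allow"
        return packet_filter(self.rules, p, self.default)

    def close(self, p: Packet) -> None:
        """Forget a finished connection, so its reply path is closed again."""
        self.connections.discard((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))


if __name__ == "__main__":
    rules = [Rule("allow", dst_port=80, proto="tcp")]          # only web traffic is permitted
    request = Packet("10.0.0.5", 40000, "203.0.113.5", 80)      # constructed inside -> outside
    reply = Packet("203.0.113.5", 80, "10.0.0.5", 40000)        # the server's answer
    stray = Packet("198.51.100.9", 80, "10.0.0.5", 40000)       # unsolicited inbound packet
    print("stateless, deny by default :", packet_filter(rules, reply))
    print("stateless, allow by default:", packet_filter(rules, stray, default="allow"))
    fw = StatefulFirewall(rules, "10.")
    fw.process(request)
    print("stateful reply / stray     :", fw.process(reply), "/", fw.process(stray))
```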
Benefits of Using a Firewall
The main benefits of using a firewall are:
(i) Protection from services which are inherently more prone to attacks.
(ii) Access to hosts in the network can be strictly controlled.
(iii) Security is concentrated on a single firewall system. This leads to better implementation of authentication procedures.
(iv) Logging and statistics of network use and misuse.
(v) Policy enforcement.

10. Firewalls

A firewall is a hardware device or a software application that sits between the internal network of the organization and external networks in order to protect the internal network from communicating with the outside networks. A properly configured firewall blocks all unauthorized access to the internal network and also prevents internal users from accessing potentially harmful external networks. The three common firewall technologies are packet-filtering firewalls, Application layer firewalls, and Stateful Inspection Firewalls.

9. Modems

The term modem is derived from Modulator/Demodulator. A modem is a hardware device that is used to convert digital signals from a computer to analog signals (modulation) in order to transmit them over analog lines. At the receiving end, it converts the analog signals back to digital signals (demodulation) so that a computer can understand them. In their typical usage, modems are connected to a computer in order to provide remote access (or Internet connectivity) using analog telephone lines. It can be built onto the motherboard of the computer, can be installed as an extension card, or can be an external device. External modems can either be connected to one of the serial ports or to the USB port of the computer.

When used as an internal device, modems must be configured to use system resources such as an I/O address or IRQ. Modems use the serial communication (COM) ports in a computer, and resources used by these ports must be available in order to correctly configure the modem. Table 8 provides a summary of the COM ports and resources used by them.
Modems are available in different sizes, speed capabilities, and costs. The data transmission speed of a modem depends mainly on the type of Universal Asynchronous Receiver/Transmitter (UART) chip used and varies from 9.6 Kbps to over 900 Kbps. Modems with speeds of up to 115 Kbps are commonly used for dialup networking. The figure shows how a modem works.
Classification of Modems
Modems can be of the following types:
(a) Landline Modems
(b) Wireless Modems
(c) LAN Modems
(a) Landline Modems
Landline modems are modems which connect to the public switched telephone network (PSTN). To connect to the PSTN, these modems have an RJ-11 jack, or regular phone jack. Landline modems can be further classified into the following types:
(i) Internal modems
(ii) External modems
(iii) PCMCIA modems
(iv) Voice/data/fax modems
Internal Modems
Internal modems are installed within the computer, as interface cards. They use the computer’s CPU power for encoding and decoding.
External Modems
External modems are installed as a separate hardware device, outside the computer. They are more expensive than internal modems. They connect to the serial port on the computer using a DB9 or DB25 connector. External modems are useful when several users need to share a single modem.

PCMCIA Modems
PCMCIA modems are credit-card modems used in laptop computers. PCMCIA stands for Personal Computer Memory Card International Association.

Voice/data/fax Modems
Voice/data/fax modems are modems which are used for transferring files, sending and receiving faxes and voice mail using associated software.
(b) Wireless Modems
Wireless modems are radio transmitters/receivers installed into mobile computing devices. Using wireless modems, one can connect to a network while being mobile. Unlike landline modems, wireless modems do not plug into an RJ-11 jack. Wireless modems are designed to communicate with private radio transmission networks. A wireless modem out of range of a wireless transmission network is of no use. As of now, there are very few manufacturers of wireless modems.

(c) LAN Modems
LAN modems allow shared remote access to LAN resources. A LAN modem comes fully preconfigured for a single particular network architecture such as Ethernet or token ring and/or a particular network software such as IPX, NetBIOS, NetBEUI etc. LAN modems are of various types depending upon the number of ports, network architecture(s) supported, network protocols supported, client platforms supported, memory requirements, security etc.
Modem Standards
There are two types of modem standards. These are
(a) Bell Modems
(b) ITU-T Modems

The first commercially available modems were developed by Bell Telephone company in the early 1970s. Being the first modem manufacturer, they defined the development of the technology and provided the standard which subsequent manufacturers followed. Some major Bell modems include the 103/113 series, 202 series, 212 series, 201 series, 208 series and 209 series.

Many of the popular modems are based on the standards published by ITU-T. V.21, V.22, V.23, V.22bis, V.32, V.32bis, V.33 and V.34 modems are ITU-T modems.
Modem Protocols
(a) X.25 Protocol
X.25 is an end-to-end protocol. It acts as an interface between data terminal equipment (DTE) and data circuit-terminating equipment (DCE). X.25 defines how the user's DTE communicates with the network and how packets are sent over the network using DCEs (see figure). It also provides a set of other services such as reverse charge, call direct and delay control.
X.25 is commonly used in wide area communications with multiple communicating devices. X.25 packet switching networks allow remote devices to communicate with each other without the expense of individual leased lines.
(b) Triple-X Protocols
X.3, X.28 and X.29 protocols are collectively known as Triple-X protocols. Triple-X protocols are used to connect a dumb terminal to an X.25 network. A dumb terminal is any terminal that does not understand the X.25 protocol. X.3 defines a packet assembler/disassembler (PAD). A PAD is required for connecting a dumb terminal to an X.25 network. The PAD buffers the characters and assembles them into X.25 packets. When a packet arrives, the PAD disassembles the packet into the original characters.

X.28 defines the rules for communication between a dumb terminal and a PAD. It describes the commands that can be used for communication.

X.29 defines the relationship between a PAD and a remote terminal. Using X.29, one can set some of the parameters in the PAD.
Transceivers and media converters
As the name indicates, a transceiver is a device that combines the functions of a transmitter and a receiver. It does not refer to any standalone or separate hardware device but is normally built into devices such as network cards, modems, hubs, switches, or routers. Depending on the type of network cabling in use, you may find fiber optic transceivers used in fiber optic networks, RF transceivers used in wireless networks, and Ethernet transceivers.

Media converters are used to enable interconnection of one type of media (usually cabling) to another type. For example, you may want to connect a network segment wired with a fiber optic cable to another segment wired with UTP/STP cables. In another example, you may wish to connect a coaxial cable segment to a UTP/STP network segment.