1

An
Assignement on:-
“computer networks”
Submitted by:- Submitted to:-
Deepanshu ranjan Mrs. Monika sharma
17ce011
cse
 2

Remote Monitoring
• Remote Monitoring (RMON) is a standard specification that facilitates the monitoring of
network operational activities through the use of remote devices known as monitors or probes.
RMON assists network administrators (NA) with efficient network infrastructure control and
management.

RMON was initially developed to address the issue of remote site and local area network
(LAN) segment management from a centralized location. The RMON standard specifies a
group of functions and statistics that may be exchanged between RMON compatible network
probes and console managers. RMON performs extensive network-fault detection and provides
performance-tuning data to NAs.

RMON collects nine information types, including bytes sent, packets sent, packets dropped and
statistics by host. NAs use RMON to determine network user traffic or bandwidth levels and
website access information. Additionally, issue alerts may be preconfigured.

RMON uses certain network devices, such as servers, and contains network management
applications that serve as clients. RMON controls the network by using its servers and
applications simultaneously. When a network packet is transmitted, RMON facilitates packet
status viewing and provides further information, in the event that a packet is blocked,
terminated or lost.

Two RMON versions are available:

 RMON1: Outlines 10 management information base (MIB) groups for standard network
monitoring. MIB groups are viewable in most advanced network hardware.
 RMON2: Focuses on higher traffic layers that exist above the medium access control (MAC)
layer, Internet Protocol (IP) and application-level traffic. Facilitates network management
applications to track all network layer packets.
DEEPANSHU RANJAN
17CE011
 3

How Does It work?

Like SNMP, RMON is implemented as a standard Management Information Base (MIB) on
RMON-enabled devices. These RMON-enabled devices include the following:

 Stand-alone devices called dedicated RMON probes that can be temporarily or permanently
installed where desired on the network
 Existing network devices such as repeaters, bridges, hubs, routers, or Ethernet switches that
have an RMON probe embedded into their circuitry
An RMON probe consists of an SNMP agent for collecting information and communicating it
to an SNMP management application, and one or more RMON MIBs defining the network
objects to be managed. Typically, an SNMP-manageable device such as a hub or router needs
additional software installed on it only to provide RMON functionality and turn it into a probe.
Other devices called hosted probes are implemented as add-on hardware modules with built-in
processing power and memory.

RMON is usually implemented on only one device or interface per TCP/IP subnet. RMON
agent software runs on the port of the router or switch, which monitors and collects Ethernet
networking statistics for the attached subnet. These statistics relate to the physical layer (layer
1) and the data-link layer (layer 2) of the Open Systems Interconnection (OSI) reference
model for networking. An SNMP management console contacts the RMON agent when it
wants to collect the statistics in order to analyze them and present them to the network
administrator, or network traffic conditions on the device can trigger the agent to notify the
management station of an alarm condition using SNMP traps. RMON agents can also collect
and store statistics for monitoring trends in network traffic.

The RMON MIB defined in RFC 1757 contains nine groups of manageable objects (RMON
monitoring elements) for various aspects of Ethernet traffic monitoring, totaling 204 objects
and 2 events. These groups of objects, usually referred to as the RMON1 groups, are as
follows:

 Statistics (1): Records statistics for Ethernet network interfaces (ports), including packets
sent and received, bytes sent and received, the number of each type of packet, packets dropped,
errors, and collisions 

DEEPANSHU RANJAN
17CE011
 4

 History (2): Specifies the types of data being sampled and the frequency at which data is
sampled, and records the sampled data for later analysis 
 Alarm (3): Lets you set thresholds and sampling periods to trigger alarms when specified
network conditions arise 
 Host (4): Records MAC addresses; the number of packets sent and received for broadcast,
unicast, and multicast packets; the number of bytes sent and received; and the number of error
packets for all hosts on the subnet 
 HostTopN (5): Lets you list hosts according to ranking parameters such as amount of traffic
generated or number of errors generated 
 Matrix (6): Records statistics for communication between pairs of hosts, such as their source
and destination addresses and the number of bytes and packets sent and received 
 Filter (7): Controls which kinds of packets the agent should capture, such as all packets
larger than a certain size, all packets that match a specific bit mask, or logical combinations of
individual expressions 
 Capture (8): Lets you capture packets for collecting network statistics and configure capture
buffer sizes 
 Events (9): Lets you generate SNMP traps and log entries
 Desktop/server monitoring

Benefits Of Remote MonitioringServices:-

1. Minimize Downtime
2. Security
3. Reduced TCO
4. Maintenance
5. Productivity
6. Save Time
7. Gain Insights

DEEPANSHU RANJAN
17CE011
 5

Polling
In this access control method,
 A polling is conducted in which all the stations willing to send data participates.
 The polling algorithm chooses one of the stations to send the data.
 The chosen station sends the data to the destination.
 After the chosen station has sent the data, the cycle repeats.
Polling works with topologies in which one device is designated as a primary station and the
other devices are secondary stations. All data exchanges must be made through the primary
device even when the ultimate destination is a secondary device. The primary device controls
the link; the secondary devices follow its instructions. It is up to the primary device to
determine which device is allowed to use the channel at a given time. The primary device,
therefore, is always the initiator of a session (see Figure 12.19).

If the primary wants to receive data, it asks the secondaries ifthey have anything to send; this is
called poll function. Ifthe primary wants to send data, it tells the secondary to get ready to
receive; this is called select function.

DEEPANSHU RANJAN
17CE011
 6

Select
The select function is used whenever the primary device has something to send. Remember
that the primary controls the link. If the primary is neither sending nor receiving data, it knows
the link is available. If it has something to send, the primary device sends it. What it does not
know, however, is whether the target device is prepared to receive. So the primary must alert
the secondary to the upcoming transmission and wait for an acknowledgment of the
secondary's ready status. Before sending data, the primary creates and transmits a select (SEL)
frame, one field ofwhich includes the address ofthe intended secondary.

Poll
The poll function is used by the primary device to solicit transmissions from the secondary
devices. When the primary is ready to receive data, it must ask (poll) each device in turn if it
has anything to send. When the first secondary is approached, it responds either with a NAK
frame ifit has nothing to send or with data (in the form of a data frame) if it does. If the
response is negative (a NAK frame), then the primary polls the next secondary in the same
manner until it finds one with data to send. When the response is positive (a data frame), the
primary reads the frame and returns an acknowledgment (ACK frame), verifying its receipt.

What are SNMP Traps?

The most frequently used SNMP messages are traps. These are sent to the manager by an agent
when an issue needs to be reported. SNMP traps are quite unique if compared to other message
types, since they are the only method that can be directly initiated by an SNMP agent. The other
types of messages are either initiated by the SNMP manager or sent as a result of the manager’s
request. This ability makes SNMP traps indispensable in most networks. It is the most convenient
way for an SNMP agent to inform the manager that something wrong is going on.

There are two main methods to send useful data via SNMP traps. The first one is by using the so-
called ”granular traps”. Granular traps have a unique identification number (OID – “object
identifier”) that allows the SNMP manager to distinguish them from each other. The meaning of

DEEPANSHU RANJAN
17CE011
 7

each OID is stored in a translation file called Management Information Base (MIB) which is
addressed by the SNMP manager in order for it to understand the trap sent by the agent.

Thanks to the above method, the actual trap sent by the agent does not have to carry any
information about the alert, since all of the details are available in the MIB. Only the OID is needed
for the manager to look up the information in the MIB. This minimizes the bandwidth used by the
trap.

The second way of transmitting useful information using SNMP traps is to incorporate the alert
data within the traps themselves. In this case usually all the traps have the same OID. In order for
the manager to understand these kind of traps, it needs to process the information contained in the
trap. Data is encoded within an SNMP trap in a typical key-value pair configuration. These pairs
are called “variable bindings” and they contain extra information relating to the trap. For instance,
an SNMP trap might contain variable bindings for “domain name”, “urgency level”, and “alert
description”.

To conclude, SNMP trap is a widely used mechanism to alert and monitor a devices’ activities
across a network. With that being said, Noction has also added this capability to it’s Intelligent
Routing Platform. IRP produces a vast number of various events and majority of them are critical
for administrators’ awareness. Operations can decide upon which events should trigger
notifications and then configure them on IRP. Such events include:

 Excessive loss detected towards a destination prefix

 Excessive latency detected towards a destination prefix
 Outage detected towards a destination prefix
 A BGP session with one of the providers goes down
 The PBR policies configured on the edge router are not properly working
 Plus many more, which can easily be configured.
Currently the platform supports only traps for version SNMPv2. These are generated by the IRP
components and are disabled by default. Besides notifying about events occurring in the network,
the traps also include the list of Variable Bindings (varbinds) with detailed information related to a
particular trap.

Performance Management
Performance management, which is closely related to fault management, tries to monitor and
control the network to ensure that it is running as efficiently as possible. Performance management
tries to quantify performance by using some measurable quantity such as capacity, traffic,
throughput, orresponse time.

Capacity

One factor that must be monitored by a performance management system is the capacity ofthe
network. Every network has a limited capacity, and the performance management system must

DEEPANSHU RANJAN
17CE011
 8

ensure that it is not used above this capacity. For example, if a LAN is designed for 100 stations at
an average datarate of2 Mbps, it will not operate properly if 200 stations are connected to the
network. The data rate will decrease and blocking may occur.

Traffic

Traffic can be measured in two ways: internally and externally. Internal traffic is measured by the
number ofpackets (or bytes) traveling inside the network. External traffic is measured by the
exchange of packets (or bytes) outside the network. During peak hours, when the system is heavily
used, blocking may occur if there is excessive traffic.

Throughput

We can measure the throughput of an individual device (such as a router) or a part of the network.
Performance management monitors the throughput to make sure that it is not reduced to
unacceptable levels.

Response Time

Response time is normally measured from the time a user requests a service to the time the service
is granted. Other factors such as capacity and traffic can affect the response time. Performance
management monitors the average response time and the peak-hour response time. Any increase in
response time is a very serious condition as it is an indication that the network is working above its
capacity.

Quality-of-Service (QoS) 
refers to traffic control mechanisms that seek to either differentiate performance based on
application or network-operator requirements or provide predictable or guaranteed
performance to applications, sessions or traffic aggregates. Basic phenomenon for QoS means
in terms of packet delay and losses of various kinds.
Need for QoS –
 Video and audio conferencing require bounded delay and loss rate.
 Video and audio streaming requires bounded packet loss rate, it may not be so sensitive to
delay.
 Time-critical applications (real-time control) in which bounded delay is considered to be an
important factor.
 Valuable applications should be provided better services than less valuable applications.
QoS Specification –
QoS requirements can be specified as:
1. Delay
2. Delay Variation(Jitter)
3. Throughput
4. Error Rate
There are two types of QoS Solutions:

DEEPANSHU RANJAN
17CE011
 9

1. Stateless Solutions –
Routers maintain no fine grained state about traffic, one positive factor of it is that it is scalable
and robust. But it has weak services as there is no guarantee about kind of delay or
performance in a particular application which we have to encounter.
2. Stateful Solutions –
Routers maintain per flow state as flow is very important in providing the Quality-of-Service
i.e. providing powerful services such as guaranteed services and high resource utilization,
provides protection and is much less scalable and robust.
Integrated Services(IntServ) –
1. An architecture for providing QoS guarantees in IP networks for individual application
sessions.
2. Relies on resource reservation, and routers need to maintain state information of allocated
resources and respond to new call setup requests.
3. Network decides whether to admit or deny a new call setup request.
IntServ QoS Components –
 Resource reservation: call setup signaling, traffic, QoS declaration, per-element admission
control.
 QoS-sensitive scheduling e.g WFQ queue discipline.
 QoS-sensitive routing algorithm(QSPF)
 QoS-sensitive packet discard strategy.
RSVP-Internet Signaling –
It creates and maintains distributed reservation state, initiated by the receiver and scales for
multicast, needs to be refreshed otherwise reservation times out as it is in soft state. Latest
paths discovered through “PATH” messages (forward direction) and used by RESV messages
(reserve direction).
Call Admission –
 Session must first declare it’s QoS requirement and characterize the traffic it will send
through the network.
 R-specification: defines the QoS being requested, i.e. what kind of bound we want on the
delay, what kind of packet loss is acceptable, etc.
 T-specification: defines the traffic characteristics like bustiness in the traffic.
 A signaling protocol is needed to carry the R-spec and T-spec to the routers where
reservation is required.
 Routers will admit calls based on their R-spec, T-spec and based on the current resource
allocated at the routers to other calls.
Diff-Serv –
Differentiated Service is a stateful solution in which each flow doesn’t means a different state.
It provides reduced state services i.e. maintain state only for larger granular flows rather than
end-to-end flows tries to achieve best of both worlds.
Intended to address the following difficulties with IntServ and RSVP:
1. Flexible Service Models:
IntServ has only two classes, want to provide more qualitative service classes: want to provide
‘relative’ service distinction.
2. Simpler signaling:
Many applications and users may only want to specify a more qualitative notion of service.
Streaming Live Multimedia –
DEEPANSHU RANJAN
17CE011
 10

 Examples: Internet radio talk show, Live sporting event.

 Streaming: playback buffer, playback buffer can lag tens of seconds after and still have
timing constraint.
 Interactivity: fast forward is impossible, but rewind and pause is possible.

What is Network Security?

Network security is a computer networking system policy to assure the security to its
organization assets, software and hardware resources. The term network security also emphasis
on monitoring and controlling of unauthorized access, misuse and any unwanted modification
in the networking system.

The most common authentication process practiced everywhere is to assign an exclusive user
ID and password to the user for authentication and to access the resources of the network.
The term security is inclusive of both private and public domain networks like RTGS or NEFT
through online banking.

What Is Network Security And Its Management?

Security management in any network, whether public or private, is a set of policies and routine
procedure implemented by the networking system to shield their network from unauthorized
access, denial of computer service, interruption in running, etc is known as Network Security
Management.

It also emphasizes on round the clock monitoring of the network to prevent the system from
virus attacks, and any misuse or modification in the database.

The best ways to manage security is to use advanced antivirus and anti-malware software and
keep updating the system at regular intervals of time.

Need for Network Security

The use of the Internet has been increased drastically, as we are moving even our day to day
activities towards complete digitalization. Due to the increase in the use of the Internet, hackers
and attackers also become more active and our networking system tends to a higher number of
virus attacks.

Basically, the need for network security is to perform two tasks mainly, first is to secure the
information from any unauthorized access and the second is to provide the security to the data
stored at PC or laptops not only for an individual network but also on the shared or public
domain networks.

The need for information security is based on the following points:

 To protect the information against any unwanted access.
 To safeguard the data from any inappropriate delay in the route followed to deliver it to the
destination at the desired period of time.

DEEPANSHU RANJAN
17CE011
 11

 To guard the data from any undesired amendment.

 To prohibit a particular user in the network from sending any mail, message in such a way in
which it appears to the receiving party that it has been sent by some third party. (Protection
from hiding the identity of the original sender of the resource message).
 To guard our hardware like hard disk, PC’s, laptop from the attack of malware, viruses etc.,
which can damage our system by corrupting or deleting all the content stored within it.
 To protect our PC’s from the software which if installed can harm our system as hackers do.
 To safeguard our system from Trojan horses, worms etc. which can completely destroy our
system.
Network Security Types
We can shield our networking system in various ways, based on the type of network attack.

Thus, there are many solutions, and out of which few are discussed below.

#1) Antivirus and Anti-malware Software:

The protection software that is used to shield our system from viruses, Trojan attacks, worms
etc is an antivirus and anti-malware software.

This software scans the system and network for malware and Trojan attack every time when a
new file is introduced in the system. It also detects and fixes the problem, if found with any
infected data or with a virus.

#2) Data Loss Prevention (DLP):

The MNC's or large-scale organizations, maintain the confidentiality of data and resources by
making sure that their internal information will not be leaked out by any of the employees to
the outside world.

This is done by deploying DLP technology in which the network administrator restricts the
employee's access to the information to prevent it from sharing to the outside world by
blocking ports and sites for forwarding, uploading or even printing information.

#3) Email Security:

The attackers can induce the virus or malware in the network by sending it through an e-mail in
the system.

Therefore a highly skilled email security application which can scan the incoming messages for
viruses and is capable of filtering suspicious data and controlling the outflow of messages to
prevent any kind of information loss to the system is required.

#4) Firewalls:
These are an integral part of the networking system. It acts as a wall between two networks or
between two devices. It is basically a set of pre-defined rules which are used to prevent the
network from any unauthorized access.

DEEPANSHU RANJAN
17CE011
 12

Firewalls are of two kinds, i.e. hardware, and software. The software firewall is installed in the
systems to provision shield from various types of attacks as they filter, block and fix the
unwanted creatures in the network.

The hardware firewall acts as a gateway between two networking systems so that only a
particular pre-defined user or traffic can access the network and its resources.

Intrusion prevention system (IPS): It is the network security system which contains some set
of rules and by following them you can easily figure out the threats and block them as well.
#5) Mobile Security:
The cyber-criminals can easily hack or attack the mobile handsets with the data facility on the
handsets, and they can enter into the device from any unsecured resource link from the website.

Hence it is necessary to install an antivirus on our device and people should download or
upload the data from reliable resources and that too from secured websites only.

Introduction of Firewall in Computer Network

A firewall is a network security device, either hardware or software-based, which monitors all
incoming and outgoing traffic and based on a defined set of security rules it accepts, rejects or
drops that specific traffic.
Accept : allow the traffic
Reject : block the traffic but reply with an “unreachable error”
Drop : block the traffic with no reply
A firewall establishes a barrier between secured internal networks and outside untrusted
network, such as the Internet.

History and Need for Firewall

Before Firewalls, network security was performed by Access Control Lists (ACLs) residing on
routers. ACLs are rules that determine whether network access should be granted or denied to
specific IP address.
But ACLs cannot determine the nature of the packet it is blocking. Also, ACL alone does not
have the capacity to keep threats out of the network. Hence, the Firewall was introduced.

DEEPANSHU RANJAN
17CE011
 13

Connectivity to the Internet is no longer optional for organizations. However, accessing the
Internet provides benefits to the organization; it also enables the outside world to interact with
the internal network of the organization. This creates a threat to the organization. In order to
secure the internal network from unauthorized traffic, we need a Firewall.

Firewall types can be divided into several different categories based on their general structure
and method of operation. Here are eight types of firewalls:

 Packet-filtering firewalls
 Circuit-level gateways
 Stateful inspection firewalls
 Application-level gateways (a.k.a. proxy firewalls)
 Next-gen firewalls
 Software firewalls
 Hardware firewalls

Packet-Filtering Firewalls

As the most “basic” and oldest type of firewall architecture, packet-filtering firewalls basically
create a checkpoint at a traffic router or switch. The firewall performs a simple check of the
data packets coming through the router—inspecting information such as the destination and
origination IP address, packet type, port number, and other surface-level information without
opening up the packet to inspect its contents.

If the information packet doesn’t pass the inspection, it is dropped.

The good thing about these firewalls is that they aren’t very resource-intensive. This means
they don’t have a huge impact on system performance and are relatively simple. However,
they’re also relatively easy to bypass compared to firewalls with more robust inspection
capabilities.

Circuit-Level Gateways

As another simplistic firewall type that is meant to quickly and easily approve or deny traffic
without consuming significant computing resources, circuit-level gateways work by verifying

DEEPANSHU RANJAN
17CE011
 14

the transmission control protocol (TCP) handshake. This TCP handshake check is designed to
make sure that the session the packet is from is legitimate.

While extremely resource-efficient, these firewalls do not check the packet itself. So, if a
packet held malware, but had the right TCP handshake, it would pass right through. This is
why circuit-level gateways are not enough to protect your business by themselves.

Stateful Inspection Firewalls

These firewalls combine both packet inspection technology and TCP handshake verification to
create a level of protection greater than either of the previous two architectures could provide
alone.

However, these firewalls do put more of a strain on computing resources as well. This may
slow down the transfer of legitimate packets compared to the other solutions.

Proxy Firewalls (Application-Level Gateways/Cloud Firewalls)

Proxy firewalls operate at the application layer to filter incoming traffic between your network
and the traffic source—hence, the name “application-level gateway.” These firewalls are
delivered via a cloud-based solution or another proxy device. Rather than letting traffic connect
directly, the proxy firewall first establishes a connection to the source of the traffic and
inspects the incoming data packet.

This check is similar to the stateful inspection firewall in that it looks at both the packet and at
the TCP handshake protocol. However, proxy firewalls may also perform deep-layer packet
inspections, checking the actual contents of the information packet to verify that it contains no
malware.

Once the check is complete, and the packet is approved to connect to the destination, the proxy
sends it off. This creates an extra layer of separation between the “client” (the system where
the packet originated) and the individual devices on your network—obscuring them to create
additional anonymity and protection for your network.

If there’s one drawback to proxy firewalls, it’s that they can create significant slowdown
because of the extra steps in the data packet transferal process.

Next-Generation Firewalls

Many of the most recently-released firewall products are being touted as “next-generation”
architectures. However, there is not as much consensus on what makes a firewall truly next-
gen.

DEEPANSHU RANJAN
17CE011
 15

Some common features of next-generation firewall architectures include deep-packet

inspection (checking the actual contents of the data packet), TCP handshake checks, and
surface-level packet inspection. Next-generation firewalls may include other technologies as
well, such as intrusion prevention systems (IPSs) that work to automatically stop attacks
against your network.

The issue is that there is no one definition of a next-generation firewall, so it’s important to
verify what specific capabilities such firewalls have before investing in one.

Software Firewalls

Software firewalls include any type of firewall that is installed on a local device rather than a
separate piece of hardware (or a cloud server). The big benefit of a software firewall is that it's
highly useful for creating defense in depth by isolating individual network endpoints from one
another.

However, maintaining individual software firewalls on different devices can be difficult and
time-consuming. Furthermore, not every device on a network may be compatible with a single
software firewall, which may mean having to use several different software firewalls to cover
every asset.

Hardware Firewalls

Hardware firewalls use a physical appliance that acts in a manner similar to a traffic router to
intercept data packets and traffic requests before they're connected to the network's servers.
Physical appliance-based firewalls like this excel at perimeter security by making sure
malicious traffic from outside the network is intercepted before the company's network
endpoints are exposed to risk.The major weakness of a hardware-based firewall, however, is
that it is often easy for insider attacks to bypass them. Also, the actual capabilities of a
hardware firewall may vary depending on the manufacturer—some may have a more limited
capacity to handle simultaneous connections than others, for example.

Cloud Firewalls

DEEPANSHU RANJAN
17CE011
 16

Whenever a cloud solution is used to deliver a firewall, it can be called a cloud firewall, or
firewall-as-a-service (FaaS). Cloud firewalls are considered synonymous with proxy firewalls
by many, since a cloud server is often used in a proxy firewall setup (though the proxy doesn't
necessarily have to be on the cloud, it frequently is).

What is a VLAN?
VLANs (Virtual LANs) are logical grouping of devices in the same broadcast domain.
VLANs are usually configured on switches by placing some interfaces into one broadcast
domain and some interfaces into another. VLANs can be spread across multiple switches, with
each VLAN being treated as its own subnet or broadcast domain. This means that frames
broadcasted onto the network will be switched only between the ports within the same VLAN.

A VLAN acts like a physical LAN, but it allows hosts to be grouped together in the same
broadcast domain even if they are not connected to the same switch. Here are the main reasons
why you should use VLANs in your network:

 VLANs increase the number of broadcast domains while decreasing their size.
 VLANs reduce security risks by reducing the number of hosts that receive copies of frames
that the switches flood.
 you can keep hosts that hold sensitive data on a separate VLAN to improve security.
 you can create more flexible network designs that group users by department instead of by
physical location.
 network changes are achieved with ease by just configuring a port into the appropriate
VLAN.

The following topology shows a network with all hosts inside the same VLAN:

Without VLANs, a broadcast sent from host A would reach all devices on the network. By
placing interfaces Fa0/0 and Fa0/1 on both switches into a separate VLAN,  a broadcast from
host A would reach only host  B, since each VLAN is a separate broadcast domain and only
host B is inside the same VLAN as host A. Hosts in VLAN 3 and VLAN 5 will not even be
aware that the communication took place. This is shown in the picture below:

DEEPANSHU RANJAN
17CE011
 17

The big benefit of having cloud-based firewalls is that they are very easy to scale with your
organization. As your needs grow, you can add additional capacity to the cloud server to filter
larger traffic loads. Cloud firewalls, like hardware firewalls, excel at perimeter security.

Windows NT
— The architecture of Windows NT, a line of operating systems produced and sold by
Microsoft, is a layered design that consists of two main components, user mode and kernel
mode. It is a preemptive, reentrant operating system, which has been designed to work with
uniprocessor and symmetrical multi-processor (SMP)-based computers. The Microsoft
Windows NT operating system was designed and built with fully integrated networking
capabilities. These networking capabilities differentiate Windows NT from other operating
systems, such as MS-DOS, OS/2, and UNIX, in which network capabilities are installed
separately from the core operating system. It was initially hyped as the replacement for all
other operating systems for Intel-based PCs, but it was somewhat slow to catch on and was
later redirected to the upper end of the market, where it found a niche. It is gradually becoming
more popular at the low end as well. This research paper includes the design goals and
rationale for the Windows NT operating system. Index Terms— User mode, kernel mode
,Hardware abstraction layer, Environment subsystems.

I. INTRODUCTION

The Microsoft Windows NT Server Resource Kit for version 4.0 consists of three new volumes
and a single compact disc(CD) containing programs for both Windows NT Workstation and
Windows NT Server. The architecture of Windows NT, a line of operating systems produced
and sold by Microsoft, is a layered design that consists of two main components, user mode
and kernel mode. It is a preemptive, reentrant operating system, which has been designed to
work with uniprocessor and symmetrical multi-processor (SMP)-based computers.

To process input/output (I/O) requests, they use packet-driven I/O, which utilizes I/O request
packets (IRPs) and asynchronous I/O. Starting with Windows 2000, Microsoft began making
64-bit versions of Windows available before this, these operating systems only existed in 32-
bit versions.

DEEPANSHU RANJAN
17CE011
 18

It was initially hyped as the replacement for all other operating systems for Intel-based PCs,
but it was somewhat slow to catch on and was later redirected to the upper end of the market,
where it found a niche. It is gradually becoming more popular at the low end as well.

NT is sold in two versions: server and workstation. These two versions are nearly identical and
are generated from the same source code. The server version is intended for machines that run
as LAN-based file and print servers and has more elaborate management features than the
workstation version, which is intended for desktop computing for a single user.

II. THE WHOLE ARCHITECTURE OF WINDOWS NT CAN BE

DIVIDED INTO TWO PARTS

User mode: User mode is the least privileged mode of Windows NT and it has no direct
access to hardware and only restricted access to memory. For example, when programs such as
Word and Lotus Notes execute in user mode, they are confined to sandboxes with well-defined
restrictions.

The user mode is made up of subsystems which can pass I/O request to the appropriate kernel
mode drivers via the I/O manager (which exists in kernel mode). The user mode layer of
Windows NT is made up of the Environment subsystems and the Integral subsystem.

The environment subsystems were designed to run applications written for many different
types of operating systems. None of the environment subsystems can directly access hardware,
and must request access to memory resources through the Virtual Memory Manager that runs
in kernel mode.

1. Components of User mode:

 End user Applications

 Environment Subsystems

Kernel mode: Windows NT kernel mode has full access to the hardware and system
resources of the computer and runs code in a protected memory area. It controls access to
scheduling, thread prioritization, memory management and the interaction with hardware. The
kernel mode stops user mode services and applications from accessing critical areas of the
operating system that they should not have access to; user mode processes must ask the kernel
mode to perform such operations on their behalf.

2. Components of Kernel mode:

 NT Executive

 NT Kernel (Microkernel)

DEEPANSHU RANJAN
17CE011
 19

 Hardware Abstraction Layer (HAL)

III. OPERATING SYSTEM ENVIRONMENTS

NT's operating system environments are implemented as client/server systems. As part of the
compile process, applications are bound by a link-time binding to an operating system API that
NT's operating system environments export. The link-time binding connects the application to
the environment's client-side DLLs, which accomplish the exporting of the API. For example,
a Win32 program is a client of the Win32 operating system environment server, so it is linked
to Win32's client-side DLLs, including Kernel32.dll, gdi32.dll, and user32.dll. A POSIX
program would be linked to the POSIX client-side DLL, psxdll.dll.
Client-side DLLs carry out tasks on behalf of their servers, but they execute as part of a client
process. As figure shows, in some cases a client-side DLL can fully implement an API without
having to call upon the help of the server; in other cases, the server must help out. The server's
aid is usually necessary only when global information related to the environment must be
updated. When the client-side DLL requires help from the server, the DLL sends a message
known as a local procedure call (LPC) to the server. When the server completes the specified
request and returns an answer, the DLL can complete the function and return control to the
client. Both the client-side DLL and the server may use NT's native API when necessary.
Operating system environment APIs augment the native API with additional functionality or
semantics that are specific to themselves.

IV. EXECUTIVE

The NT Executive takes care of the important tasks that are vital to the entire system. This
includes services such as object management, virtual memory management, I/O management,
and process management. NT's Executive subsystems make up the meatiest layer in kernel
mode, and they perform most of the functions traditionally associated with operating
systems.The executive is the kernel-mode portion of the Windows NT operating system and,
except for a user interface, is a complete operating system unto itself. The executive is never
modified or recompiled by the system administrator.

DEEPANSHU RANJAN
17CE011
 20

The executive components are listed below.

 I/O Manager

 Object Manager

 Security Reference

Monitor

 Process Manager

 Local Procedure Call

Facility

 Virtual Memory Manager

 Window Manager

 Graphics Device Interface

DEEPANSHU RANJAN
17CE011