Build Internet Infrastructure

Ethiopian TVET-System
INFORMATION TECHNOLOGY
Hardware and Networking Service
Level IV

LEARNING GUIDE # 1
Unit of Competence:Build Internet Infrastructure

Module Title : Build Internet Infrastructure

Module Code: ICT HNS4 03 0811
Learning outcomes:

LO1: Plan and design internet infrastructure

LO2: Install and configure internet infrastructure and services

LO3: Test security and internet access

LO4: Ensure user accounts are verified for security

LO5: Manage and support internet

 Build Internet Infrastructure

LO1 Plan and design internet infrastructure

1.1 Introduction to internet infrastructure

What is Internet?

It is net or the webthat contains billions of web pages created by people and companies from
around the world, making it a limitless location to locate information and entertainment. The
Internet also has thousands of services that help make life more convenient. For example, many
financial institutions offer online banking that enables a user to manage and view their account
online.

Internet infrastructure like:

• Software
• Computer hardware system with an Internet service provider

1.2 Prepare plan for internet infrastructure?

1.3 Evaluate and confirm internet infrastructure?
1.4 Ensuring internet requirements
1.4.1 Computer Hardware Required for Internet & Internet Access Components

1. PC

Any PC (Windows) should work and is recommending at this time. It could be that for your
application a Mac or Linux box will work fine, but our priority for now is the PC(window)
platform.Select a PC that will fit the user. Ideally the PC will have:

• a recent model CPU such as Pentium or Celeron, say 2Ghz or faster

• 2GB RAM (1GB is OK but why take a chance)
• Windows XP (Pro or Home)
 Build Internet Infrastructure

2. Telephone Modem

A telephone modem is a device that converts the signals from your computer into a series of
sounds and transmits them across the phone line. A telephone modem on the other side of the
connection converts these sounds back to a signal the computer can understand, allowing the
computers to communicate.

3. Network Interface Card

A NIC card is a card that plugs into the computer's motherboard. Broadband connections provide
much faster access to the Internet than narrowband connections. There are multiple types of
broadband connections, including DSL, satellite, and cable access. Each of these types of access
involves connecting to an access point using either a wired Ethernet connection or a wireless
connection.

A Network interface card (NIC) allows you to connect an Ethernet cable to your computer from
an access point. Communication to the access point travels through this cable. Connections using
a wired NIC require that an Ethernet cable be connected from the computer to the access point at
all times during Internet use. Network interface cards can be built in to the computer or
purchased as an external device that you plug in to the computer.

4. Wired Access Points

Computers using a NIC and Ethernet cable connect through an access point. Access points are
generally routers, cable modems, or DSL modems that provide a link between the Internet
service provider and your physical computer.

NIC-based connections are widely used in local area networks, such as groups of computers in
businesses. They can be used in homes, but many users prefer to use wireless connections for the
added mobility.

5. Wireless Access Points

A wireless access point allows you to connect to an access point without using a physical
connection. Wireless access can be configured in your home using a wireless router and a
computer with a wireless interface. Wireless interfaces can be installed within the computer or
purchased separately as a USB device that can be plugged in when needed. Many businesses,
such as hotels and coffee shops, provide free wireless access in their buildings for the use of their
customers.
 Build Internet Infrastructure

What equipment is needed for broadband Internet access?

A computer with a NIC card (i.e. network interface card, Ethernet card) and a broadband modem
is normally required for high-speed Internet access. The type of modem needed depends on the
type of broadband services that is used.

What is a broadband modem?

A broadband modem is a device that connects to the computer’s NIC card and is required to
handle the rapid rate of data transfer from the Internet. Many broadband service providers either
include a modem in their monthly packages or charge the subscriber a nominal monthly rental
fee.

Can a broadband modem be connected to multiple computers?

Yes. To provide concurrent high-speed Internet access to two or more computers, either an
Ethernet hub or a router should be connected between the broadband modem and each of the
computers.

What software is required for broadband Internet access?

No special software is required to use a broadband connection.

1.4.2Computer softwarerequired for Internet & Internet Access Components

Software Requirements

1. Operating System

 Windows XP.

 Vista probably works but it takes time provide support to customer.

 Mac or Linux may be OK but we cannot provide much support. Ex debian, ubuntu
 Build Internet Infrastructure

2. Browser

At this time we are evaluating whether we want to endorse Internet Explorer or Firefox as our
recommended browser. Most of our development and testing was done with Internet Explorer,
because until recently, it was the browser with the best full screen support.

These instructions assume you will use IE, but if you have the expertise and want to use Firefox
that's fine.

 Internet explorer
 Mozilla
 Opera
 Google chrome
 Safari
 ….

3. Server software

 Firewall
 Mail server
 Web server
 …..

1.4.3 Network and security

Network Security is an organization’s strategy and provisions for ensuring the security of its
assets and of all network traffic. Network security is manifested in an implementation of security
policy, hardware, and software. The following approach is adopted in an effort to view network
security in its entirety:

1. Policy
2. Enforcement
3. Auditing

Policy

The IT Security Policy is the principle document for network security. Its goal is to outline the
rules for ensuring the security of organizational assets. Employees today utilize several tools and
applications to conduct business productively. Policy that is driven from the organization’s
culture supports these routines and focuses on the safe enablement of these tools to its
employees. The enforcement and auditing procedures for any regulatory compliance an
organization is required to meet must be mapped out in the policy as well.
 Build Internet Infrastructure

Enforcement

Most definitions of network security are narrowed to the enforcement mechanism. Enforcement
concerns analyzing all network traffic flows and should aim to preserve the confidentiality,
integrity, and availability of all systems and information on the network. These three principles
compose the CIA triad:

• Confidentiality - involves the protection of assets from unauthorized entities

• Integrity - ensuring the modification of assets is handled in a specified and authorized
manner
• Availability - a state of the system in which authorized users have continuous access

Strong enforcement strives to provide CIA to network traffic flows. This begins with a
classification of traffic flows by application, user, and content. Proper application identification
allows for full visibility of the content it carries. Policy management can be simplified by
identifying applications and mapping their use to a user identity while inspecting the content at
all times for the preservation of CIA.

The concept of defense in depth is observed as a best practice in network security, prescribing
for the network to be secured in layers. These layers apply an assortment of security controls to
sift out threats trying to enter the network:

• Access control
• Identification
• Malware detection
• Encryption
• URL filtering

These layers are built through the deployment of firewalls, intrusion prevention systems (IPS),
and antivirus components. Among the components for enforcement, the firewall (an access
control mechanism) is the foundation of network security.

Auditing

The auditing process of network security requires checking back on enforcement measures to
determine how well they have aligned with the security policy. Auditing encourages continuous
improvement by requiring organizations to reflect on the implementation of their policy on a
consistent basis. This gives organizations the opportunity to adjust their policy and enforcement
strategy in areas of evolving need.
 Build Internet Infrastructure

Physical Network Security

The most basic but often overlooked element of network security involves keeping hardware protected
from theft or physical intrusion. Corporations spend large sums of money to lock their network servers ,
network switches and other core network components in well-guarded facilities.

Widespread use of mobile devices makes physical security that much more important. Small
gadgets are especially easy to leave behind at travel stops or to have fall out of pockets. News
stories in the press abound of local residents having their smartphones stolen in public places,
sometimes even while using them. Be alert to the physical surroundings whenever using mobile
devices.

Finally, stay in visual contact with a phone when loaning it to someone else: A malicious person
can steal personal data, install monitoring software, or otherwise “hack” phones in just a few
minutes when left unattended. An alarming number of ex-boyfriends/girlfriends, spouses, and
neighbors get accused of such acts.

Password Protection
Passwords are an extremely effective system for improving network security if applied properly.
Unfortunately, some don't take password management seriously and insist on using bad, weak
(meaning, easy to guess) passwords like “123456” on their systems and networks. Following just
a few common-sense best practices in password management greatly improves the security
protection on a computer network:

• set strong passwords, or passcodes, on all devices that join the network
• change the default administrator password of network routers
• do not share passwords with others more often than necessary
• change passwords when it may have become too widely known

Spyware
Even without physical access to the devices or knowing any network passwords, illicit programs
called spyware can infect computers and networks, typically by visiting Web sites. Much
spyware exists on the Internet. Some spyware monitors a person’s computer usage and Web
browsing habits and reports this information back to corporations, who use it to create more
targeted advertising. Other spyware attempts to steal personal data. One of the most dangerous
forms of spyware, keylogger software captures and sends the history of all keyboard key presses
a person makes, ideal for capturing passwords and credit card numbers. All spyware on a
computer attempts to function without the knowledge of people using it, thereby posing a
substantial security risk.Because spyware is notoriously difficult to detect and remove, security experts
recommend installing and running reputable anti-spyware software on computer networks.
 Build Internet Infrastructure

1.5 Allocating Internet protocol

What is an IP Address?

An Internet Protocol address (IP address) in layman’s terms is basically the address given to your
computer when it’s connected to a network. Technically speaking, an IP address is number that
signifies the address of both the sender and receiver of packets on a network.

Let’s take an example: suppose you want to send an email to your friend. Though your email
may be broken down into millions of data packets before its transmitted, right now for
simplicity’s sake consider it a single information packet. The IP addresses are embedded on each
packet that is transmitted over the network and are used to identify the machine.

A packet is the unit of data that is routed between an origin and a destination on the Internet or
any other packet-switched network.

It turns out that everything you do on the Internet involves packets. For example, every Web
page that you receive comes as a series of packets, and every e-mail you send leaves as a series
of packets. Networks that ship data around in small packets are called packet switched
networks.

On the Internet, the network breaks an e-mail message into parts of a certain size in bytes. These
are the packets. Each packet carries the information

 destination
 sender's IP address
 Content(message)

Each packet contains part of the body of your message.

Packet-switched networks move data in separate, small blocks or packets -- based on the
destination address in each packet. When received, packets are reassembled in the proper
sequence to make up the message.
 Build Internet Infrastructure

Assigning IP-Addresses
Things are a little more complicated with real networks like Ethernets. If you want to connect
your host to an existing network, you have to ask its administrators to give you an IP-address on
this network. When setting up the network all by yourself, you have to assign IP-addresses
yourself as described below. Hosts within a local network should usually share addresses from
the same logical IP-network.

If your network is not connected to the Internet, you are free to choose any (legal) network
address. You can assign as you want. However, if you intend to get on the Internet, you should
obtain an official IP-address now. The best way to proceed is to ask your network service
provider to help you.

Static IP Address

As the name speaks, the static IP addresses are those types of IP address that never change once
they are assigned to a device on a network unless we change it through manually. No doubt this
type of addressing is cost effective but could have a high security risk.

Dynamic IP Address

Dynamic IP address changes each time the device logs in to a network. This kind of IP address
is very difficult to trace and are thus used by companies and business firms.You must be thinking
as to who or what allocates this Dynamic IP address every time the device logs in. These IP
address are assigned using DHCP (Dynamic Host Configuration Protocol).

Which is better, Static or Dynamic?

 Build Internet Infrastructure

LO2 Install and configure internet infrastructure and services

2.1 Install and testing cables

Cable Testing
Whether installing new cable, or troubleshooting existing cable, cable testing plays an important
role in the process. As networks evolve, so do the requirements of the cabling infrastructure to
support them. New standards are continuously being developed to provide guidelines for cabling
professionals when installing, testing, troubleshooting, and certifying either copper or fiber.
Cable testing provides a level of assurance that the installed cabling links provide the desired
transmission capability to support the data communication desired by the users.

Types of Cable Testers

Cable test instruments are designed with a variety of focused features for particular field tasks.
They vary in price, performance, and application. Depending on the task the field test instrument
performs, it can be classified into one of the three hierarchical groups: certification,
qualification, or verification. Each group answers a unique testing need and provides a different
level of operational assurance.

Levels of Cable Testing

Certification – guarantees cabling system compliance to industry standards
Certification instruments are the only tools that provide “Pass” or “Fail” information in
accordance with industry standards. In the North America market, the prevalent industry
standards organization dealing with the transmission capabilities of structured cabling, is the
Telecommunications Industry Association (TIA). In the international markets, the Electro-
technical commission of the International Organization for Standards (ISO/IEC) creates and
maintains standards for telecommunication cabling.

Qualification – determines if an existing cabling link can support certain network speeds and
technologies
Qualification is a new category of testers in the industry that meets the emerging needs of
network technicians who do not install new cabling, but need to troubleshoot operating networks.
Qualification testers perform tests that decide whether an existing cabling link will support the
requirements for “Fast Ethernet” , Voice over Internet Protocol (VoIP).

Verification – verifies that cable is connected correctly

Verification test tools perform basic continuity functions; they assure that all wires in a cabling
 Build Internet Infrastructure

link are connected to the proper termination points. Verification tools sometimes include
additional features such as a Time Domain Reflectometer (TDR) to determine length of a cable
or distance to a break or short circuit. These test tools do not provide any information on
bandwidth or suitability for high-speed data communication.
 Build Internet Infrastructure

2.2 Build and test mail servers

A mail server is the computerized equivalent of your friendly neighborhood mailman. Every
email that is sent passes through a series of mail servers along its way to its intended recipient.
Although it may seem like a message is sent instantly -leaving from one PC to another in the
blink of an eye - the reality is that a complex series of transfers takes place.

Types of Mail Servers

Mail servers can be broken down into two main categories:

1. outgoing mail servers

Outgoing mail servers are known as SMTP, or Simple Mail Transfer Protocol, servers.

2. Incoming mail servers.

Incoming mail servers come in two main varieties.

 POP3, or Post Office Protocol, servers are best known for storing sent and received
messages on PCs' local hard drives.
 IMAP, or Internet Message Access Protocol, servers always store copies of messages on
servers. Most POP3 servers can store messages on servers, too, which is a lot more
convenient.

Test email server

 record verification (validation)

 client testing(user)
 create user
 different privilege
 Alert (pop up)
 Build Internet Infrastructure

2.3 Installing and configuring workstation software

A workstation is a computer intended for individual use that is faster and more capable than a
personal computer. It's intended for business or professional use (rather than home or recreational
use). Workstations and applications designed for them are used by small engineering companies,
architects, graphic designers, and any organization, department, or individual that requires a faster
microprocessor, a large amount of random access memory, and special features such as high-speed
graphics adapters. Historically, the workstation developed technologically about the same time and
for the same audience as theUNIX operating system, which is often used as the workstation
operating system. Among the most successful makers of this kind of workstation are Sun
Microsystems, Hewlett-Packard, DEC, and IBM.

Install workstation software

Installing VMware Tools

VMware Tools is a suite of utilities that enhances the performance of the virtual machine’s guest
operating system and improves management of the virtual machine.

Although the guest operating system can run without VMware Tools, many VMware features are
not available until you install VMware Tools. For example, if you do not have VMware Tools
installed in your virtual machine, you cannot use the shutdown or restart options from the
toolbar.

You can use the Windows Easy Install or Linux Easy Install feature to install VMware Tools as
soon as the operating system is finished installing.

Each type of guest operating system, including Windows, Linux. When you select the command
to install or upgrade VMware Tools, the virtual machine’s first virtual CD-ROM disk drive
temporarily connects to the VMware Tools ISO file for your guest operating system.

The most recent versions of the ISO files are stored on a VMware Web site. When you select the
command to install or upgrade VMware Tools, the VMware product determines whether it has
downloaded the most recent version of the ISO file for the specific operating system. If the latest
version has not been downloaded or if no VMware Tools ISO file for that operating system has
ever been downloaded, you are prompted to download the file.

The installation procedure varies, depending on the operating system.

 Build Internet Infrastructure

2.4 Connect internet to intranet or network

2.4.1 Install hardware requirements

• Install cable
• Install any card which plugged like external device ex NIC, TV card
• install any external hardware such as external wireless interface

2.4.2 Install and configure software requirements

• Install browsers
• Install any server software like mail server, file server…
• Install any application software which are essential for clients

2.4.3 Checking the service

• Check the network is accessible

• Check the mail server is working properly
• Check the shared documents is available for the authorized user
• Check any policy regarding to security

2.5 configuring domain names and internet protocol addresses

Definition:

Stands for "Domain Name System" Domain names serve as memorable names for websites and
other services on the Internet Names are easier to remember than number. . However, computers
access Internet devices by their IP addresses. DNS translates domain names into IP addresses,
allowing you to access an Internet location by its domain name.

Thanks to DNS, you can visit a website by typing in the domain name rather than the IP address.
For example, to visit the Tech Terms Computer Dictionary, you can simply type
"techterms.com" in the address bar of your web browser rather than the IP address (67.43.14.98).
It also simplifies email addresses, since DNS translates the domain name (following the "@"
symbol) to the appropriate IP address.

To understand how DNS works, you can think of it like the contacts application on your
smartphone. When you call a friend, you simply select his or her name from a list. The phone
does not actually call the person by name; it calls the person's phone number. DNS works the
same way by associating a unique IP address with each domain name.
 Build Internet Infrastructure

Unlike your address book, the DNS translation table is not stored in a single location. Instead,
the data is stored on millions of servers around the world. When a domain name is registered, it
must be assigned at least two name servers (which can be edited through the domain name
registrar at any time). The nameserver addresses point to a server that has a directory of domain
names and their associated IP addresses. When a computer accesses a website over the Internet,
it locates the corresponding name server and gets the correct IP address for the website.

Since DNS translation creates additional overhead when connecting to websites, ISPs cache
DNS records and host the data locally. Once the IP address of a domain name is cached, an ISP
can automatically direct subsequent requests to the appropriate IP address. This works great until
an IP address changes, in which case the request may be sent to the wrong server or the server
will not respond at all.

How domain name system works

If you've ever used the Internet, it's a good but that you've used the Domain Name System, or
DNS, even without realizing it. DNS is a protocol within the set of standards for how computers
exchange data on the Internet and on many private networks, known as the TCP/IP protocol
suite. Its basic job is to turn a user-friendly domain name like "howstuffworks.com" into an
Internet Protocol (IP) address like 70.42.251.42 that computers use to identify each other on the
network.

Computers and other network devices on the Internet use an IP address to route your request to
the site you're trying to reach. This is similar to dialing a phone number to connect to the person
you're trying to call.

Whether you're accessing a Web site or sending e-mail, your computer uses a DNS server to look
up the domain name you're trying to access. The proper term for this process is DNS name
resolution, and you would say that the DNS server resolves the domain name to the IP address.
For example, when you enter "http://www.howstuffworks.com" in your browser, part of the
network connection includes resolving the domain name "howstuffworks.com" into an IP
address, like 70.42.251.42, for HowStuffWorks' Web servers.

You can always bypass a DNS lookup by entering 70.42.251.42 directly in your browser (give it
a try). However, you're probably more likely to remember "howstuffworks.com" when you want
to return later.

Without DNS servers, the Internet would shut down very quickly. But how does your computer
know what DNS server to use? Typically, when you connect to your home network, Internet
service provider (ISP) or WiFi network, the modem or router that assigns your computer's
network address also sends some important network configuration information to your computer
or mobile device. That configuration includes one or more DNS servers that the device should
use when translating DNS names to IP address.
 Build Internet Infrastructure

What Is A Domain Name Extension?

A domain name extension is the last part of a domain name. It is the part that follows the "name"
part of your domain.For example, in the domain name quackit.com the domain extension is .com

 .edu
 .com
 .et
 .gov

2.6 setup software to provide services as required

• Block the software if there is no relevance to the business such as face book
• Block an necessary retrieved data by extracting word such as sex
• sending notify to the user
• showing which access point is fail
 Build Internet Infrastructure

Lo3 Test security and internet access

3.1 security access level is tested and verified based on security policy

Security testing is the activity of assessing a system for the presence of security weaknesses.
In most cases, specialized testers assess the system with a set of specialized tools.
Network security testing, also known as infrastructure security testing, involves assessing
network devices, servers, and other network infrastructure services such as Domain Name
Service (DNS) for security vulnerabilities. Many of the security issues found in network
securitytests are actually specific wellknown vulnerabilities in common software platforms.
Most of the specific vulnerabilities detailed in the Common Weakness Enumeration are actually
instances of the common weaknesses analysis technique:

Runtime testing: Also referred to as black box testing, this kind of test involves assessing the
system for security issues from the perspective of an end user. The main difference between this
and code review is that the tester does not have access to source code or other detailed
knowledge of system internals. This is an accurate reflection of the kind of knowledge an
external attacker has. Not having access to source code limits the tester’s visibility into potential
security issues. Because runtime tests are often time-limited in order to control costs, they may
not accurately capture the kinds of attacks a dedicated adversary can find with more time.
Code review: Also referred to as white box testing, this kind of test involves assessing an
application by reviewing its code. Many security testers prefer combined runtime testing and
code review to maximize visibility into potential security issues. Performing a code review with
a runtime test can allow security testers to be more efficient in their reviews. In general, external
code reviews tend to be less popular thanruntime testing because many software teams are
primarily interested in protecting theirsystems from external attackers with limited system
knowledge.

Automated Application Assessment Techniques

Application security testers can be expensive to employ as they are often in short supply. Due to
the cost of security testing, many organizations take a risk-based approach to performing
assessments. They tend to use specialized testers for their highest risk applications, such as
consumerfacing Internet applications as well as applications that they are mandated to test by
regulation or legislation. For example, the Payment Card Industry Data Security Standard
mandates that certain applications undergo security assessments.
There are two popular classes of tools that correlate to the two main types of assessment
techniques:
Dynamic analysis: Automated runtime testing. Generally focused specifically on web
applications, dynamic analysis tools through the application looking for specific issues by
automatically executing attacks and analyzing responses for evidence that the attacks work.
Static analysis: Automated code review. These tools often involve hooking into a compiler to
understand an application’s data flow. They are particularly effective at finding some of the
highest risk input validation vulnerabilities, such as SQL Injection and Cross Site Scripting.
 Build Internet Infrastructure

Automated tools are often more accurate than manual testing alone for finding certain kinds of
securityissues. Many security testers use automated tools to help improve the effectiveness of
their assessments.

3.2 capability and availability of security systems is monitored and evaluated

based on security policy

Availability of security

our goal at Authentic is to provide uninterrupted service 24 hours per day, 7 days a week, 365 days a year.
While system maintenance is inevitable, our service level agreements reflect up-time commitments of
99.9% or better. Authentify systems are located and operate out of multiple geographically-dispersed and
load-balanced data centers. The systems within each data center are fault tolerant to accommodate
component failures. The overall architecture is designed to handle full load without service degradation in
the event of a complete failure of a single data center. Authentify will notify customers if scheduled
maintenance will affect availability. Up-time is calculated based upon a monthly accumulation of the
number of minutes of downtime. We have developed and maintain a disaster recovery and business
continuity plan. In the event of a disaster or other prolonged service interruption, we have a recovery plan
that includes the use of alternative service sites to allow for business resumption within 24 hours.

3.3 changes are made to system to ensure protection against known and
potential threats

• Interruption
– the system is destroyed of becomes unavailable or unusable
– Attack on availability
– Destruction of hardware
– Cutting of a communication line
– Disabling the file management system
• Interception
– An unauthorized party gains access to an asset
– Attack on confidentiality
– Wiretapping to capture data in a network
– Illicit(illegal) copying of files or programs
• Modification
– An unauthorized party not only gains access but tampers(interferes) with an asset
– Attack on integrity
– Changing values in a data file
– Altering a program so that it performs differently
– Modifying the content of messages being transmitted in a network
 Build Internet Infrastructure

• Fabrication
– An unauthorized party inserts counterfeit objects into the system
– Attack on authenticity(reality)
– Insertion of spurious messages in a network
– Addition of records to a file
 Build Internet Infrastructure

LO4 Ensure user accounts are verified for security

4.1 user settings are verified to ensure that they conform to security
policies
Overview
This user privilege policy is an internal IT policy and defines the privileges various users on the
organizational network are allowed to have, specifically defining what groups of users have
privileges to install computer programs on their own or other systems. This policy defines the
users who have access to and control of sensitive or regulated data. This policy defines internet
access to specific sites for some users or other ways they may or may not use their computer
systems.

Purpose
This policy is designed to minimize risk to organizational resources and data by establishing the
privileges of users of data and equipment on the network to the minimum allowable while still
allowing users to perform job functions without related the job.

Local Computer Privileges

There are three main categories of users on a computer or network. These categories include:

1. Restricted user - Can operate the computer and save documents but can't save system
settings.
2. Standard user (power user) - Can change many system settings and install programs that
don't affect Windows system files.
3. Administrators - Have complete access to read and write any data on the system and add
or remove any programs or change system settings. The majority of users on most
common networks should be restricted users on their local computers. Only users with
special training or a need for additional access should be allowed to change system
settings and install programs that are not operating system programs. If the user does not
have the ability to install programs or change settings to a more vulnerable setting, most
of these potential security problems can be prevented.

Therefore only users that demonstrate a need and ability for power user or administrator access
on local machines shall permitted to have this level of access. Upon demonstration of a special
need for additional access, the IT manager must approve the access before it can be made
effective. Groups that may be allowed this type of access include:

1. Domain Administrators
2. Help Desk personnel
3. Application developers for testing purposes who have computer training or skills.
 Build Internet Infrastructure

Network Privileges
Most network users will have access to the following types of network resources.

1. Email - Most users will have full access to their own email.
2. A personal network drive on a networked file server - This is a folder on a drive that only
the primary user of this drive can read and write only of domain administrators.
3. A shared group or organizational division's drive - This is a folder that members of
specific groups or divisions in the organization may access. Access may be read or write
and may vary by organizational requirements.
4. Access to databases - There may be additional databases that may be stored on a shared
drive or on some other resource. Most databases will have a standard user level which
gives users appropriate permissions to enter data and see report information. However
only the database administrators will have full access to all resources on a database.

Groups that may be allowed additional access include:

1. Backup operator - Allowed to read data on the domain for the purpose of saving files to
backup media. This group cannot write all data on the domain.
2. Account operator - Can manage and view information about user accounts on the domain.
3. Server operator - Has full privileges on servers including reading and writing of data,
installing programs, and changing settings.

Enforcement
Since data security and integrity along with resource protection is critical to the operation of the
organization; employees that do not adhere to this policy may be subject to disciplinary action up
to and including dismissal.

Note:
This policy should be more specific and refined based on the needs of your organization. In some
cases server operators will have full access on some servers but not others. Help desk personnel
may have full access on some local computers but not in all groups in your organization.
 Build Internet Infrastructure

4.2 Legal notices are displayed at appropriate locations for system

users

Notifications

The notification system allows users to keep informed about relevant and timely events in your
applications, such as new chat messages from a friend or a calendar event. Think of notifications
as a news channel that alerts the user to important events as they happen or a log that chronicles
events while the user is not paying attention and one that is the way as appropriate across all their
devices.

At a minimum, all notifications consist of a base layout, including:

• The notification's icon. The icon symbolizes the originating app. It may also potentially indicate
notification type if the app generates more than one type.
• A notification title and additional text.
• A timestamp.
 Build Internet Infrastructure

4.3 passwords are checked in accordance with business policies and verified
with software utility tools.

Password Policy

When writing a password policy there is several issues to be considered. There are some experts
that argue that password policies in many organizations are too severe and actually increase the
organization's computer security. When employees are required to change passwords often, meet
minimum complexity requirements, and not repeat a password for a minimum amount of time,
they may begin to break the rules and start writing passwords down simply because they cannot
remember passwords that change so often. The reason for changing passwords is due to the fact
that if an attacker gets a hashed or encrypted copy of a password, they can eventually break the
password using a brute force attack. This takes a certain amount of computing power and as
computers are more powerful, takes less time every year.

However the password policy is setup, it may be worth taking other precautions to protect
accounts and passwords. One precaution is not to transmit them on the internet even in encrypted
form.

Password Protection rules

1. Never write passwords down.

2. Never send a password through email.
3. Never include a password in a non-encrypted stored document.
4. Never tell anyone your password.
5. Never reveal your password over the telephone.
6. Never hint at the format of your password.
7. Never use the "Remember Password" feature of application programs such as Internet Explorer,
your email program, or any other program.
8. Don't use common words or reverse spelling of words in part of your password.
9. Don't use names of people or places as part of your password.
10. Don't use part of your login name in your password.
11. Don't use parts of numbers easily remembered such as phone numbers, social security numbers.
12. Be careful about letting someone see you type your password.
 Build Internet Infrastructure

Password Requirements
Those setting password requirements must remember that making the password rules too
difficult may actually decrease security if users decide the rules are impossible or too difficult to
meet.

The following password requirements will be set by the IT security department:

1. Minimum Length - 8 characters recommended

2. Maximum Length - 14 characters
3. Minimum complexity - No dictionary words included. Passwords should use three of four
of the following four types of characters:
1. Lowercase
2. Uppercase
3. Numbers
4. Special characters such as !@#$%^&*(){}[]
4. Passwords are case sensitive and the user name or login ID is not case sensitive.
5. Maximum password age - 60 days
6. Minimum password age - 2 days
7. Store passwords using reversible encryption - This should not be done without special
authorization.
8. Account lockout threshold - 4 failed login attempts
9. Password protected screen savers should be enabled and should protect the computer
within 5 minutes of user inactivity. Computers should not be unattended with the user
logged on and no password protected screen saver active. Users should be in the habit of
not leaving their computers unlocked. They can press the CTRL-ALT-DEL keys and
select "Lock Computer".

Other Considerations
Administrator passwords should be protected very carefully. Administrator accounts should have
the minimum access to perform their function. Administrator accounts should not be shared.
 Build Internet Infrastructure

LO5 manage and support internet

5.1 Management is assisted in developing procedures and policies for

maintaining the internet infrastructure

This IT Equipment Purchase and Failure Prevention policy provides a guideline for the purchase
of IT equipment when the equipment supports organizational identified critical services. This
policy will contain critical services and provide a guideline for purchasing technologies that are
failure tolerant.

Critical Services
Critical services which are required for normal operation of the organization include:

1. File sharing service on a file sharing server.

2. Web services to the internet
3. Email services
4. Database services for internal users and critical external applications.
5. Critical external application servers.
6. Firewall to connect these services to the internet.

Any servers or equipment that supports these services should adhere to this policy including
connection equipment from the internet to these services.

Equipment Requirements
All critical services are required to utilize redundant technologies including:

1. Dual power supplies on all servers providing critical services.

2. RAID disk arrays to prevent one disk failure from interrupting services
3. Uninterruptable power supplies that can provide power for a minimum of 1 hour to
servers operating critical services in the event of a power outage.
4. A backup generator to ensure that long term power outages cannot interrupt service.
 Build Internet Infrastructure

5.2 management tools are obtained, installed and used to assist

in internet administration
This server monitoring policy is an internal IT policy and defines the monitoring of servers in the
organization for both security and performance issues.

Purpose
This policy is designed both to protect the organization against loss of service by providing
minimum requirements for monitoring servers. It provides for monitoring servers for file space
and performance issues to prevent system failure or loss of service.

The policy applies to all production servers and infrastructure support servers including but not
limited to the following types of servers:

1. File servers
2. Database servers
3. Mail servers
4. Web servers
5. Application servers
6. Domain controllers
7. FTP servers
8. DNS servers

Daily Checking
All servers shall be checked manually on a daily basis the following items shall be checked and
recorded:

1. The amount of free space on each drive shall be recorded in a server log.
2. The system log shall be checked and any major errors shall be checked and recorded in
the server log.
3. Services shall be checked to determine whether any services have failed.
4. The status of backup of files or system information for the server shall be checked daily.

External Checks
Essential servers shall be checked using either a separate computer from the ones being
monitored or a server monitoring service. The external monitoring service shall have the ability
to notify multiple IP personnel when a service is found to have failed. Servers to be monitored
externally include:

1. The mail server

2. The web server
3. External DNS servers
4. Externally used application servers.
5. Database or file servers supporting externally used application servers or web servers.
 Build Internet Infrastructure

wireless use policy

A wireless use policy is necessary to computer security since there is demand for wireless
equipment in every organization today. The wireless use policy may specify that no wireless
equipment should be used but this would not be very good since that may cause some to violate
the policy. It is best to set conditions and specify equipment that is approved for wireless use in
order to minimize security risk associated with wireless.

Authentication
The authentication mechanisms of all approved wireless devices to be used must be examined
closely. The authentication mechanism should be used to prevent unauthorized entry into the
network. One authentication method shall be chosen.

Encryption
The encryption mechanisms of all approved wireless devices to be used must be examined
closely. The encryption mechanism will be used to protect data from being disclosed as it travels
through the air. The following must be considered.

1. How secure is the encryption mechanism?

2. How sensitive is the data traveling through the wireless device?
3. How expensive is the encryption mechanism?

Configuration
The wireless device shall be configured in such manner so it does not contain or indicate any
information about the organization, its departments, or its personnel including organization
name, department name, employee name, employee phone number, email addresses, or product
identifiers.

Access Points
All wireless access points and wireless devices connected to the organizational network must be
registered and approved by the designated IT department representative. All wireless devices are
subject to IT department audits and penetration tests without notice.

Network Separation
This policy requires that parts of the network containing and supporting wireless devices directly
(the wireless network) be separated from the part of the network that does not support wireless
connections. The part of the network supporting wireless devices or connections shall be
considered less trusted than the part of the network that does not. All file servers and internal
domain controlling servers shall be separated from the wireless network using a firewall. One or
more intrusion detection devices shall monitor the wireless network for signs of intrusion and log
events. The type of logged events will be determined by the network administrator.
 Build Internet Infrastructure

Allowable Wireless Use

1. Only wireless devices approved by make and model shall be used.

2. All wireless devices must be checked for proper configuration by the IT department prior
to being placed into service.
3. All wireless devices in use must be checked monthly for configuration or setup problems.

5.3 Traffic, appropriateness of broadcasts and content access

are monitored over the internet (presented by students)
5.4 Internet performance is optimized in accordance with
business need(presented by students)