Ethiopian TVET- System

Hardware and Network Servicing Level IV

LEARNING GUIDE

Unit of Competence: Build Internet Infrastructure

Module Title: Building Internet Infrastructure

MODULE CODE :
LG Code:
Nominal Duration : 100hrs

What is Internet Infrastructure?

All the hardware and services required to make a web page appear in your browser.
Internet infrastructure is a collective term for all hardware and software systems that constitute
essential components in the operation of the Internet. Physical transmission lines of all types,
such as wired, fiber optic and microwave links, along with routing equipment, the accompanying
critical software services like the Domain Name System (DNS), Email, website hosting,
authentication and authorization, storage systems, and database servers are considered critical
Internet components

Internet Infrastructure consisting of:

1. Data Centre

A Data Centre is basically a specialist building that has the ability to power (and cool) massive
amounts of computer equipment. Typically a Data Centre would also have a very large amount
of network bandwidth to accommodate data transfer in and out of it.

A data center is a centralized repository computer facility used to house computer systems and
associated components, such as telecommunications and storage systems. It generally includes
redundant or backup power supplies, redundant data communications connections,
environmental controls (e.g., air conditioning, fire extinguisher) and security devices

1
 2. Network
 Most important foundation block of Internet Infrastructure is the Network. Without a
network connection no data can pass between Data Centers, over the Internet, and

3. Internet Service Provider (ISP)

 Choosing the proper bandwidth and network connection (cable) is critical to the site's
web presence.
 The router and the communications interface (cable, modem, bridge or other device) and
the cables that connect them form the bridge from the Web server to the outside world.
Most of this equipment will be provided by the Internet Service Provider, but as the site
grows more equipment such as switches, hubs, patch panels, wiring and firewalls will be
needed

4. Computer Equipment
Computer equipment refers to any or all of the many different parts of a computer, as well as
peripheral devices such as printers, external hard drives and servers. Basically, anything relating
to a computer is considered computer equipment.

5. Storage Services

Data Storage is a huge part of Internet Infrastructure. All those emails accessible online, all the
web pages on your favorite web site, all those photos on Face book … are all stored on a hard
drive in a DC somewhere. The basic level of storage is on-server storage, which means the hard
drives in the computer server.

6. Server Applications

The final piece of underlying Internet Infrastructure is the server applications themselves. In
order for a web application to be delivered from a server, that server requires
1. Operating System (typically Windows or Linux),
2. Web Server application (like Apache or Microsoft IIS), and
3. Database (such as MySQL, MS-SQL or Oracle).
There any many more variations here, but the basic web server has these 3 things. From here you
can install blog software, an ecommerce site, your new web 2.0 application, or any Internet
capable piece of software (more include – Instant Messaging Server, File Storage Server,
Message Board)

 Internet security

2
Management Controls:
Focus on security policies, planning, guidelines, and standards that influence the selection of
operational and technical controls to protect the organization
 Security policy

- A high level management document that describes the management’s expectation

of the employees’ security practice and responsibilities.

- It sets a clear direction and demonstrates the management’s support for and
commitment to information security.

 Background checking of employees

 Training/awareness
 Physical and environmental protection

Technical Controls:
Involve the correct use of hardware and software security capabilities in systems. This range
from simple to complex measures that work together to secure critical and sensitive assets of the
organization.
 Login
 Encryption
 Authentication protocol
 Access control
 Firewall/proxy server
 Intrusion detection system
 etc

Operational Controls:
Address the correct implementation and use of security policies and standards, ensuring
consistency in security operations and correcting identified operational deficiencies. These
controls relate to mechanisms and procedures that are primarily implemented by people rather
than systems
 Backup/Restore
 Monitor audit trials
 Account/privilege management
 Monitoring and adjusting firewall
 Media disposal
 Patching

Needs analysis

Various techniques can be used to define and refine the project needs, such as interviews with
the client, online JavaScript surveys/forms, user discussion groups and questionnaires with
3
samples of the target audience. A very important purpose of this analysis is to develop an
understanding of what is achievable within the project resources of skills, funds and time.

The process of needs analysis may result in a separate needs report, especially on large projects.
On smaller projects, the needs analysis and the information gathered can often be documented
with the proposed solution in the one document: the scope document. This provides information
on which design decisions will be based in the next stages of development.
For most IT applications including multimedia, the needs analysis will need to focus on three
perspectives:
1 Business perspective: An outline of the current business climate, structure of company and
the emerging industry issues that are driving the project.
2 Technical perspective: An outline of existing IT systems/infrastructure of the company
including computer hardware specifications, numbers and locations, details on browsers,
operating systems, servers, security policies, networks, bandwidth capacity and so on.
3 Human perspective: An outline of the motivation of staff to use new IT systems. It may also
cover such considerations as PC literacy, industrial relations issues for staff, legalities and
even language issues for users.
A common criticism over the last decade is that IT developers have focused too heavily on the
technology and not enough on the users’ needs or the long-term business goals. By giving
adequate attention to these different perspectives, you are likely to end up with a solution that
addresses the client’s real needs.

Scope documentation
The aim of the scope document is to identify, control and justify the proposed solution.
Typically, the project manager/developer will normally prepare the document after consultation
with the client and the project team. It should contain most, if not all, of the information that will
form the project contract. Data gathered in the needs analysis can also be included here.
The first draft of the scope document is rarely fully mutually agreed upon. There are usually
numerous negotiations to refine the specifications of the deliverables. These will, of course,
impact on the budget and schedule of the project.
The final scope document should clearly specify the milestones and sign-off points, including
possible points and conditions for revisions to the budget and schedules. A timeframe should be
included in the document, but a full timeline that has agreed delivery dates may not necessarily
be part of the document at this stage. (This depends on the size and complexity of the project).
As part of the scope, there must be clear agreement on issues such as reporting, documentation,
evaluation, testing and delivery requirements. This defines, in quantitative terms, how the client
and the developer/implementer will work together and how, through the process of sign-offs, a
mutual end agreement will be reached. This means that in the end the appropriate product has
been built in the agreed way and via the agreed strategies outlined in the scope document.
The approval of the contract generally involves representatives signing a specified agreement on
the last page of the scope document. Any variations to this agreement will also have to be
approved by authorised representatives of the client and development team.

4
As you can imagine, once hardware is approved, ordered and functioning it is very difficult for
the client to then request anything else. At this stage, many thousands of dollars in hardware and
software, not to mention IT specialist wages, may have been allocated. The basic plan must be
right at the start!
Throughout the project, the client and the development team must have a strategy in place to
inform each other of any event that may impact on successful progress and timely completion of
the project. The strategy again must be outlined in the scope document.
Functional requirements specification:

The functional specification describes what the system will do, as opposed to how it will be
done. This distinction is important, because:

 the client may not be interested in the details of how a function is implemented, and the
technical details may simply cause confusion for the client
 the implementation details may need to change during the design and development of the
project

 you don’t want to have to negotiate changes to the functional specification just to change
details of implementation

 the technical specification for large projects will be detailed in a separate document, and
you should not entangle one with the other.

The language of the functional specification should be clear, concise and (as far as possible) non-
technical. It is very important to attend to details in the functional specification. One misplaced
word may commit a vendor company to develop extra functionality that was never intended, and
damage the profitability of the project.

Fixed requirements

Some requirements are fixed, and not derived from the ideal functionality that the product or
system should possess. These are often in the form of constraints set by the client. For example:

 A client may require a particular look-and-feel to their website.

 The client may require your system to interface to their existing systems in a particular
way.

Use cases

A use case is a list of steps, typically defining interactions between a role and a system, to
achieve a goal. The actor can be a human or an external system.

A use case is a very useful tool to help you start to determine the required functionality of a
system. Use cases have quickly become a standard tool for capturing functional requirements.

5
A use case is a diagram showing how the proposed system will be used in one particular
scenario, by a particular user. Use cases allow the designer to focus on details, but keep the
design grounded in the basics of how the system will be used. A large system will have many use
cases.

Examples of functional requirements

Functional requirements describe the way in which the different components and functions in the
solution will interact. They will clarify how the solution is going to work and how users can use
it.
Next are some examples of the questions you might ask in order to determine the functional
requirements of an IT system.

User requirements
 How many users are expected to use the system?
 How many people will be utilising the solution at one time?
 Where the users will be located (eg overseas, interstate or at home)?
 What navigation model will it use?
 What is the range of the content?
 How much content will it include?

6
  How will the content be structured?

Technical requirements
 What types of computers/operating systems will the users operate?
 Are their desktops all the same?
 What bandwidth restrictions occur presently?
 What security (login) will they need?
 What backup policies need to be in place?
 Who will have administration rights?
 What will the business do if the system fails at any stage?
 Who is the project sponsor?
 What does management expect the system will do and won’t do?

Hardware requirements
 Compatibility: will the solution work with existing systems?
 Support for multimedia formats: will the existing systems and architecture support all
types of media?
 Will the new system be supported by existing resources within the company?
 Is there funding available for new hardware? (eg new servers)
 What is the backup strategy? Has this been costed?
 Does the system need to be copied?
 Will there be time delays to purchase and install hardware?
 Will you be relying on another group to set up the hardware? If they don’t consider your
project a priority, is that time delay factored into the delivery strategy?
 Are there other projects that you may be able to share hardware costs with?
 If the system needs to cater for multimedia, does there need to be extra attention paid to
being able to store and transmit large graphic, sound and video files?
 If you are a consultant or part time employee, will you be given permissions and rights to
install and support the system fully? (As some computer centres are secure).

Software requirements
 What is the true cost of the software?
 Are there licensing issues? (As the system is in development, should you pay for all the
licensing now, or when the system is in live mode?)

7
  Can the software be licensed for use by multiple users who use it on different machines?
(Concurrent licensing)
 How long has the software been on the market for?
 What happens if the software company becomes insolvent? Who supports it?
 Who owns the source code?
 What happens if the source code is modified; who supports the product then?
 Does the solution work with all other company software systems?
 If web-based, does the solution function on all common browsers?
 If security is a concern, can the software be delivered in a ‘locked down’ format?
 Does the software support all file formats? (This is especially important when working on
multimedia tasks.)
 Is the software easy to use or are there major training issues/costs?

Support materials

You will need to consider the content and design requirements of all support materials. Support
materials could include:

 system specifications
 user guides
 knowledge banks
 intranet/Internet help sites/CD-ROMs
 training manuals
 General user documentation and print-based help.

You will also need to consider workshops, seminars or briefings you may need to run in order to
support the software/hardware/system.

During the development of the scope document you will have determined the kinds of support
materials that you will need. You will probably also establish who will be responsible for the
production of those materials.

Handover training is another important and time-consuming task. If a developer (who is a

specialist in the area) works on a project for, say, six months, how long will it take to train a
support officer to support the system? One day? One week? One month?

In conclusion, the project manager will generally be responsible for coordinating the
development of the support materials in parallel with the development of the package.

8
Role definitions
One of the most important tasks a developer must do before moving into the design and
development phases is to clarify roles and responsibilities. If this has not been done it is virtually
impossible to cost a job, as you cannot allocate the funding for staff. As well, this can lead to
problems finishing a project on time.
For example, the main things to clarify (in terms of roles and responsibilities) may include:
 Who is responsible for the sign-off? (And if that person leaves the company, who will do
it then?)
 Should the roles be described as position titles rather than individuals’ names?
 Who approves purchases (eg software)?
 Who will support the project after the development team has gone?
 Who will collect and collate the content?
 Who will check the legality of the content?
 Who has responsibility for organising the workspace for the development team?
 Who will approve the security systems of the multimedia product?
 Who takes final responsibility for the project?

Budget issues
Funding is a tricky area. Sometimes the ‘real’ budget is not disclosed. Sometimes this is done for
valid reasons, sometimes not. It is common knowledge that some clients are reluctant to reveal
their budget as vendors will bid up to available funds. As well, some parts of the IT industry are
still somewhat immature, so it is often difficult to cost a job.
There are many variables. One job could take 2-3 weeks to install and set-up. Once all the bugs
are identified, the task might only take a matter of hours to repeat. Implementing complex IT
projects is not an exact science!
Due to this situation, it’s always worthwhile to seek additional funds. Many large and small
organisations do not appreciate being asked to fund extra amounts after a project has
commenced. It is often wiser to be honest and seek additional funds when completing the initial
project approval.
Another important point is that the client must understand what it is they are paying for. Be
mindful that it is easy to confuse clients with technology terms and acronyms. Ensure the
contract outlines what the deliverables are in plain English. It is also helpful for the client if you
include a breakdown list, as an attachment, that quantifies all the major deliverables.
Finally, remember that if you do not win the contract, you have devoted time to the bid and this
has cost your company money. So ensure this potential loss is a consideration in your overall
business plan!

9
Sign-off
In the planning phase, the sign-off typically covers an agreement with the client for the following
items:
 target platforms
 look and feel of the solution (proposed product/system)
 graphics standards
 navigation and user issues
 hardware and software limitations
 development tools (if not purchasing a solution off-the-shelf)
 client and developer responsibilities
 privacy issues
 initial timelines
 budget
Again, the major purpose of the sign-off is to prevent problems later in the project. No one wants
disagreement about aspects of the deliverables at the end of the project. The sign-off process
forces all issues to be laid out on the table and discussed.

10
LO2: INSTALL AND CONFIGURE INTERNET INFRASTRUCTURE
Network hardware: A great variety of networking devices exist—many more than can possibly
be covered here. Local requirements dictate the types of networks be formed using these devices.
This reading will focus on the most common range of network devices and the main standard
that supports them, Ethernet.
Ethernet: Most network devices commonly-used are based upon the Ethernet protocol. Ethernet
speeds have been slowly increasing over the last decade, from 10 megabits per second (10 Mbps,
10 million bps) up to discussions of 10 gigabits per second (10 Gbps, 10 x 1000 Mbps) and
beyond. Currently, most computer networks work very well with the 100 Mbps range of
products, but as data transfers within a local rea network increase, the higher bandwidth and
capacity of faster networks may be needed. Often the limiting factor is not the network speed but
other bottlenecks (limits) in the overall system, such as processing speed and hard drive access
times. Ethernet uses the concept of CSMA/CD (carrier sense multiple access with collision
detection). Carrier sense means that devices on the network listen first for no network activity on
the network. No activity indicates that no other device is sending information, since they all use a
common medium to transfer data (multiple access). But since just as in a momentarily quiet
room two or more people may start to speak at the same time, the collision detection mechanism
is a method of dealing with this. Wireless Ethernet: devices (based on the IEEE 802.11
standards) have recently become more available. These include connection devices such as
wireless access points (AP) and individual peripherals, such as printers. Wireless networking
devices connect the network by radio waves. Similar concepts to the wired Ethernet are used to
ensure that transmissions don’t conflict (collisions) and are regulated in some way.

11
Open systems interconnect–reference model (OSI-RM): The open systems interconnect—reference

model forms the basis of networking communications and is maintained by the International Standards

Organization (ISO). It is a model to aid in the development of communications standards, not a

standard itself. The different layers define functions that should be considered and implemented at each

level. When a device operates at a particular layer it means that the device components make informed

decisions based on information from that layer of the model. For example, a switch makes decisions at

layer 2, data link layer, based on the media access control (MAC) address of the destination network

card. The MAC is a sub-layer of the data link layer. (Of course, all devices need access to the layers

below so that they can physically connect together.)

Table 1: OSI reference model layers and basic functions

Layer Basic functions

7 – Application Interface to user Programs
6 – Presentation Data compression, encryption
5 – Session Authentication
4 – Transport Logical connection of data stream
3 – Network Moving of data packets through connected
networks
2 – Data Link Co-ordination of access to the medium
1 – Physical Physical signalling on the medium

12
Network devices
Some of the more general types of network devices available are listed in Table 1 on the next
page.

Table 2: Examples of network devices available

Device Description
Network Often referred to as network interface cards (NICs), they may be installed in a
cards computer or peripheral device and interact with the network medium, including both
wired and wireless networks.
Switches Often switches are used interchangeably with hubs, but they have slightly different
characteristics. The differences will not usually show up as a performance increase
until used in a larger network with multiple servers. A switch is a better performing
device and is only slightly more expensive than a hub.
Switches operate at layer 2 (data link layer) of the open systems interconnect—
reference model and can make a decision on the destination of a data packet that they
receive. In this way, a switch may send data out to a port based on the destination
media access control (MAC) address that is included in every frame. In fact,
simultaneous data transfer between computers is possible, which increases overall
network capacity.
Hubs A hub creates the basic framework for most local area networks used in business and
home environments. They connect the servers, workstations and other network
devices together.
Hubs are also called multi-port repeaters. Hubs work at the OSI open systems
interconnect—reference model Physical (layer 1).
Routers Routers are used to interconnect two or more LANs. The LANs may communicate
through the router or the router may act as a gateway to connect to the Internet.
Routers operate at Layer 3 (Network layer) of the open systems interconnect—
reference model and make decisions based on the network addresses which are
included in the data packet. In most networks, the network address will be based on
IP addresses but may also include IPX address information to work with Novell
Netware networks.
Access These devices act as a hub in a wireless network and as a connection between the
points wired and wireless network segments in a combined network. In some configurations,
the access point will act as a switch and/or router and prevent unnecessary data
packets from travelling between the wired and wireless sections of the network. In
other configurations, two or more access points may only act as a repeater (or relay)
and connect segments of a wired LAN, perhaps between buildings or across roads
where wired access would be difficult or expensive to connect.

13
Device Description
Broadban These devices connect between a LAN (or single computer) and a permanent
d modem/ broadband Internet connection such as ADSL or Cable. Modem versions tend to have
routers USB connections that must connect directly to a computer. Router versions have an
RJ-45 LAN connection and/or a wireless antenna that may connect to a computer or
hub to share Internet access between many computers.
Printers Many printers are available to connect directly to an Ethernet network. These include
printer with an inbuilt NIC. Examples are of network-ready printers are: Brother HL-
5170DN, Canon IP4000R and Hewlett Packard DJ6840.
Scanners Some scanners are network-ready and provide access from the network. Many of
these are included in Multi-Function Centres with printer, copying and fax
capabilities as well. Examples are: Brother MFC-620CN, Canon NSA-01 and Hewlett
Packard Photosmart 2710.
Storage These devices offer additional file storage capabilities to a network. They act as a file
server and the storage can be controlled over the network. Examples of Network
Attached Storage devices are: D-Link DSM-624H, Iomega NAS 100d/160G and
Linksys EFG250

14
Ways of minimising disruption

 Reputation—yours and your client’s; will they want you for future projects?
 System reliability—until fully tested doubts will linger as to the stability of the system.
In a technical field such as this client communications is important. Ultimately, the clients use
the computers and devices you are working on. These clients will determine if you continue
working with them. To minimise disruption, a close rapport of information exchange is required
that sets the scene to handle disputes and technical glitches that may arise.
You also need to plan to avoid disruption in the first place. When planning an installation or
modification to a network, you need to:
 schedule work outside normal business hours
 inform people when your work may disrupt their work
 have backup and ‘back out’ plans in place to repair problems sooner
 have an installation plan approved by your client in advance (and avoid the need for
problem and conflict resolution later).
For work in business hours, a temporary set up can allow business to continue while work is
done. This may include reconfiguring devices to use alternative resources, or to allow different
protocols to be used, such as by changing gateway settings and routes for Internet connection and
changing log in scripts. The configuration of any temporary set-up should be fully documented
as it can also be part of a disaster recovery plan.

15
 Installation procedures: Internal hardware: Many main system boards come with a network

adapter built-in; opening the system unit of a computer workstation in order to add networking hardware

is rarely necessary. You may otherwise need to add a network card to a system when:

 none is built-in to the main system board

 replacing or overriding a failed built-in network card
 an additional network card is needed for routing purposes
 upgrading the network card for one with faster processing.
Regardless of the reasons for installing an internal network card, typical precautions must be
taken. Remember that if the computer is a server of files, printer or other resources on the
network then many people are potentially affected by the outage.
Typical steps to follow when installing a network card, explained in detail to follow, are to:
 inform users who will be affected
 isolate the system unit by disconnecting the power supply and exterior cables
 open the case and take anti-static precautions
 identify the location to install card and possibly remove old card
 follow manufacturer’s directions
 replace case and cables
 reconnect the power
 install the software drivers, following manufacturer’s instructions.
Informing users
Depending on the system to be opened this may be a single user or a group or everyone.
The only time you do not have to worry about this step is when the system is not working at all
and by working on it, you will restore functionality. If it will take a long time then you still need
to keep people informed of the progress. You can judge the necessity of the progress reports by
the number of people asking you when it will be fixed or even just ‘How’s it going?’
Isolating and disconnecting the unit
You must first isolate the unit for your own safety and that of the equipment and data stored.
Most system units only deal with low voltages within the case (except for the power supply
itself) and safety switches on the mains supply (residual current devices, RCDs) reduce the

16
chances of electrocution.
The disadvantage of such systems is that the safety switches cover many power points. This
means that if a safety switch trips, many devices and even larger numbers of users will be
affected by the loss of mains power. Disconnection from the supply reduces the possibility of
causing such a power failure. Removing or adding components to a live system may cause
damage to the main board (and potentially larger problems, causing file system damage and data
loss, even application and operating system problems, over a network).
You need to disconnect exterior cables as a further safety practice. Access to the system unit will
be simpler if you can lift the case to a normal work height and into better lighting than found
under most tables. Disconnected cables must then be left out of the way to prevent accidents.
Opening the case and taking anti-static precautions
With the system unit in a well-lit, stable work area, you can remove the case. (Remember to put
the case parts out of the way to prevent accidents.)

At a minimum, you need to use an Notes on static

anti-static wrist strap in a correct Static discharge can damage
manner to avoid causing damage to sensitive components in the
the system while working on it. The computer system. They may not fail
anti-static device works by immediately but the life of
connecting you to the computer and components exposed to static
parts to reduce the voltage difference discharge is often reduced.
to zero.
It is not sufficient to merely touch
Wear the wrist-strap on your non- the case. This is a fallacy. As soon as
dominant wrist (the left wrist for you are no longer touching the case,
right-handed people). The lead static starts to build up a voltage
between the wrist-strap and the difference between you and the
alligator clip (or similar) should system unit. You would need to
connect to an unpainted surface of consciously keep continuous contact
the computer case containing the with the case. Less than 25 volts is
main-board. needed to damage sensitive
components in computer systems
while it takes over 1000 volts before
you feel any shock from static
electricity.
Keep all hardware in its anti-static packaging until ready for installation and keep the anti-static
packaging in contact with an unpainted section of the computer case while removing the
component from packaging. Hardware components removed from the system should be placed in
anti-static packaging while the packaging is in contact with the case, in preparation for storage
and transport.
The additional use of an anti-static (static dissipative) mat will enhance your anti-static working
environment. At client sites this displays your concern for the equipment under your care. Web
links to handling techniques are listed in the Resources section of this Learning Pack.

17
 Figure 1: PCI network interface card on anti-static bag with wrist-strap

Identify location to install card (possibly removing an old card)

PCI is the peripheral component interconnect standard (the abbreviation is always used), which
specifies a computer bus for attaching peripheral devices to a computer motherboard. These
devices can take the form of integrated circuits fitted onto the motherboard itself (called planar
devices in the PCI specification); or expansion cards that fit in sockets.
New network cards will insert into a spare PCI slot of the main system board. The PCI slots can
be identified as white connectors approximately 8 cm long by 1 cm wide towards the back of the
system board. You should also identify possible obstructions to the installation of the network
interface card (NIC) and a clear path for the easy connection of the network patch cable with all
the other cables connected. This may include removing a screwed-in cover plate or a fixed panel
that has been pre-perforated. The pre-perforated panel needs to be removed by repeated small
movements back and forth until eventually it snaps off. Beware of the sharp edges of the case
while doing this, particularly when the piece comes away.

18
 Figure 2: PCI slot on main system board

Follow manufacturer’s directions

Manufacturer’s directions usually include instructions for the correct insertion of the NIC. Some
manufacturers specify which PCI slot to use, which may require the rearrangement of other
cards.
The visibility within a system case is often low, particularly with other cards adjacent to the
small NICs available. It is important to be sure that the network card is properly seated into the
PCI slot. You should be able to see that most of the card’s gold edge connectors have gone into
the slot and what is left showing is even along the top edge.

Figure 3: Firmly seated PCI card

Reassembly and connection

Reassembly and connection reverses the removal procedure. Remember to disconnect your
antistatic wrist-strap from the system as well. Re-locate the system unit and reconnect the
exterior cables.

19
 When the power is turned on the unit should start up as normal. Be aware of any beeps or
warning messages that may be generated as the system performs its self-check.
Installing software drivers
The Microsoft Windows operating system should automatically detect the hardware during start-
up and a wizard will begin to install drivers necessary for the network card. This may require a
re-boot in order to activate the network card successfully. For UNIX or Linux systems, modules
may have to be enabled or even a re-compilation of the system kernel.

External hardware
Many devices already come with a network interface installed, such as hubs, printers and storage
devices. You may also choose to install a network interface adapter to an external port, such as
USB (Version 2.0) or FireWire (also known as i.Link or IEEE 1394). The choice of device will
have already been made by this time, so the physical installation is relatively straightforward.
Similarly, the location of the external device and provision of power and suitable network
connections should have been arranged.

Patch and crossover cables

Most networking hardware will interconnect using standard patch cables. Stranded unshielded
twisted pair (UTP) cable is used for flexibility, with an RJ-45 modular connector plug on each
end. The four pairs of conductors are arranged identically in each plug, as shown in Figure 4 on
the next page.
When you need to directly connect a pair of like (similar) devices, a crossover cable must be
used. These cables are also made from stranded UTP cable for flexibility with an RJ-45 modular
connector plug on each end, while the four pairs of conductors are arranged to swap (cross over)
the ‘transmit’ and ‘receive’ pairs in just one of the plugs, as shown in Figure 5 on the next page.
Table 3 on the next page shows the types of direct connections possible and the types of cables
used.

Figure 4: Patch cable showing both Figure 5: Crossover cable with

ends identical swapped pairs (green swaps with
orange)

20
Table 3: Direct connections table
* These direct connections should not
normally occur when connecting hardware
Network ** to a network.
storage
** These direct connections will probably
Network ** ** never happen.
printer
Wall Patch Patch ***
*** A patch cable may
plate cable cable
be for testing as a
* * Fixed *** loop back.
Patch
panel cabling
Hub or Patch Patch Crosso Patch Patch cable
switch cable cable ver cable between an
cable * uplink and
a normal
port
Compute Crossov Crosso Patch * Patch cable Crossove
r (NIC) er cable ver cable r cable
cable
Device Network Networ Wall Patch Hub or Compute
storage k plate panel switch r (NIC)
printer

How does it look?

Figures 6-10 to follow show
how the various connections will
appear when you connect the
devices to form a network. Note
the plastic lug of the RJ-45
connector needs to be squeezed
in order to remove the plug as it
locks the connector in place.
Cables with broken lugs need to
be repaired or replaced.
Figure 6: Computer using active network
card

21
 Figure 7: Double wall plate with Figure 8: Patch panel showing spare
shuttered sockets and patch cable positions
connected

Figure 9: Hub with patch cable Figure 10: Hub with uplink port in
use Note: The uplink port and the 1X
port cannot both be used at the same
time.

In Australia, for patch cables, the colour of the wire’s insulation (in Table 4) and their
interconnection follow the adopted standard is TIA/EIA T568A.

Table 4: Patch cable colours

Conductor Colour
pairs
1/2 White with orange stripe/solid orange
3/6 White with green stripe/solid green
4/5 White with blue stripe/solid blue
7/8 White with brown stripe/solid brown
The connections you produce would resemble those on pages following, shown for:
 normal connections with infrastructure (fixed wiring)
 normal connections without infrastructure (no fixed wiring)

22
  connecting two devices directly
 connecting multiple hubs directly.

Figure 11: Diagram of the network connections used when fixed wiring infrastructure and a
wiring cabinet is available

23
Figure 12: Diagram of the network connections used when there is no fixed wiring infrastructure
available

Figure 13: Diagram of the network connections used when connecting two like devices directly

24
 Figure 14: Diagram showing how two or more hubs may be interconnected either within or
outside a wiring cabinet

Note: Many hubs and switches now come with auto negotiation of the ports as either medium
dependent interface-crossover (MDI-X, normal) or MDI (uplink), this makes it much more fool-
proof to interconnect devices. MDI is an Ethernet port connection that allows network hubs or
switches to connect to other hubs or switches without a null-modem, or crossover cable.
However with the increased ease of interconnection, more care needs to be taken to ensure that
you keep a hierarchical structure to minimise the number of hubs between any two devices on a
LAN to four.

25
Configuration

Once new hardware is connected, the equipment is then integrated into the existing network or a
new network begins. Integration includes the naming and addressing schemes for the protocols
used on the network, which may be specified by the organisation.
Many new network devices such as routers or switches include a small web-server that allows
you to log in to the device and change settings using a web browser. In this way devices can be
configured using any operating system with a web browser.
When making changes you must keep track of the IP address of the device, if you change it to
suit the network you are working on, you will not be able to connect using the IP address in the
browser address bar. Factory defaults are usually in place for username and password, so at a
minimum the password needs to be changed to prevent unwanted access. There is often a button
to reset factory defaults if the password is lost or forgotten. Unfortunately, this also wipes any
configuration changes, so documenting the settings, including any changes made over time, is
essential. The reset switch also requires the device to be physically secured, to prevent
tampering.
Table 5 outlines the basic configurations added network hardware.

Table 5: Configurations for added hardware

Added network Basic configuration required

hardware
Workstation or Name; IP Address; Join domain or active directory; Add
NIC extra protocols such as Internetwork Packet Exchange
(IPX) if needed
Hub Usually no configuration needed
Switch Usually no configuration needed. Switches learn about
their part of the network as they are used.
Router Name; Configuration needs to be made to have correct
routes and interface addresses assigned. IP Addresses
(Note two or more for a router). Some routers will
discover the adjacent route from adjacent routers if these
protocols are active.
Printer Configuration program needs to be installed on a
workstation to allow configuration to be carried out.
Drivers installed on the server if present and possibly on
each workstation. Name; Share name; IP address; Add to
domain or active directory

26
Added network Basic configuration required
hardware
Network storage Configuration program needs to be installed on a
workstation to allow configuration to be carried out.
Share often controlled by the server transparently to the
users. Mapping drive letters by modifying login scripts.
Name; Share name; IP Address.
If any settings were modified at the start of the installation phase then these need to be
reconfigured to their original settings, or to new settings if they are affected by the changes you
have made.

Setting the IP address

Each workstation, server or other network peripheral device on a network needs its own unique
identification number in the form of an Internet protocol (IP) address. In IP version 4 (used here),
known as dotted decimal notation, has a 4-byte binary string that is normally written as four
decimal numbers each separated by a period or dot, for example:
203.14.151.67.
The two choices for setting IP addresses are called static and dynamic. Static IP addresses are
changed manually so the address remains the same for a computer until specifically changed.
A dynamic host control protocol (DHCP) server allocates dynamic IP addresses, and while they
tend to remain the same, they may change without notice.
Static IP addresses are manually configured and tend to be used in small networks where
changes will not happen very often and a DHCP server is not present on the network. Static IP
addresses are also used for routers, gateways, servers and other network resources on any
network.

Dynamic IP addresses must be used in Note on figures next page

conjunction with a DHCP server and
tend to be used on larger networks for
IP address allocation to workstations.
The DHCP server allocates an IP
address automatically to a client
device when the client requests one.
Dialog boxes in Figures 15–19 to
follow, used to illustrate setting
an IP address and computer name,
are from Windows XP Home
edition. Windows XP
Professional differs slightly in
detail.

Many ADSL routers now incorporate a DHCP server so smaller networks are using dynamic IP
addressing. The DHCP server also allocates the configuration details for accessing the Internet
through the router, making re-configuration and Internet access easy.

27
 To set the IP address as either static or dynamic as per
organisational policy and standards you must:
 Login with an administrator level account.
 Select Start then select the My Network Places option.
 In Network Tasks on the left select View network connections if
they are not currently shown.
 In the right panel under the LAN or High-Speed Internet section
right-click the Local Area Connection and select Properties from
the pop-up menu to display the following dialog.
 You may need to scroll down the Protocols and Clients list to
view the Internet Protocol (TCP/IP) item. Select this and click on
the Properties button.
 For dynamic IP addressing select both the Obtain an IP address
automatically and Obtain DNS server address automatically, as in
Figure 16.
Figure 15: Local Area
Connection Properties

28
 Figure 17: Setting for static IP addressing (substitute values for your
own network and Internet service provider)

To change the computer’s name to

conform to organisational policy and
standards you must:
 Login with an administrator level
account. Figure 16: Setting for dynamic
IP addressing.
 Select Start then right-click on the
My Computer option.  For Static IP addresses
 From the pop-up menu select you need to set all of the
Properties. information except an
Alternate DNS server in
 Click on the Computer Name tab order to access the
of the dialog. You should have a Internet, as in Figure 17.
dialog like that in Figure 18.
 Click on the Change button to
show the Computer Name Changes
dialog in Figure 19.

Figure 18: System Properties showing

Computer Name tab details (Note: Windows
XP Professional will also mention joining a
domain near the Change button)

When the name is displayed as required you

press the OK button.
If you are using Windows XP Professional
and you are joining a domain here then you
will be prompted for the username and
password of a domain administrator level
account to join the domain.
This will be followed by a short delay as
authentication and entry to the Active
Directory is made. When successful, a
welcome message is displayed.

Figure 19: Changing the computer’s name

(Note: Windows XP Professional will have
a section to join a Domain under the 29
Workgroup entry fields)
Setting the computer name
You need to set the computer name of all the computers in your network. This allows you to
organise how the network interacts with various devices and also allows shares to be re-shared
from a central source such as a server.
Testing the hardware and configuration
Now that everything is in place as planned, you must undertake a systematic (if not complete)
test of the network system.
You must confirm that the network functions as designed.
 Can users login? Note that the questions
 Can users reach the server to store and start with ‘Can users…’
retrieve files? You might be able to do
these things while
 Can users run applications that need
logged on as an
access to the server?
administrator, but the
 Can users print to all of the printers they test is ‘regular users’,
should have access to? probably with more
restrictive accounts.
 Can users reach the Internet?

You should have a checklist available with the functions you will test and the expected outcomes
of the test. Leave room for comments, which allows you to log the actual results, problems and
solutions.
It is impractical to test every login account and every function on every workstation. You need to
access all combinations of user groups and functionality with at least one network function from
each workstation. This ensures that all devices are physically connected to the network and that
group based policies and scripts are working. This only leaves doubt about a few possible non-
standard (often undocumented) modifications that exist in an existing network system. These
will be highlighted by help desk calls and allow them to be integrated into the standard system or
documented properly as exceptions if they are really necessary.
Table 6 on the next page has a sample checklist. Note the testing is planned to cover all the
workstations and both the sales and admin groups. Access to the H: drive, Internet and both
printers is confirmed from each group.

30
Table 6: Sample checklist

Computer Login as Access Access Print Print Tested Test Test

H: Internet colour laser by date OK
WS001 Testsales Test Test
WS002 Testsales Test
WS003 Testsales Test
WS004 Testadmi Test Test
n
WS005 Testadmi Test
n
WS006 Testadmi Test
n

The ping command

The ‘ping’ command helps confirm the basic connectivity of a network device. Ping stands for
packet Internet grouper (or groper or gopher). An echo request packet is sent out to the IP
address; the receiving system identifies it and sends back an acknowledgement. This round trip
ensures that there is an active network path between the two devices.

The ping command is

easily run from the Run
menu (Start->Run…)
type in the command
ping –t 192.168.0.101
which causes the system
to continue (-t) trying to
send an echo packet to
the IP address used until Figure 20: Running the ping command
you stop it using the
Ctrl-C key combination. Figure 21 shows the screen for a successful
(Note in UNIX/Linux response from a ping command. Note that many
systems the –t is firewalls can be set to reject ping and other
unnecessary as this is the packets.
default behaviour.)

31
Figure 21: Successful response from the ping command; an unsuccessful response will show the
words ‘Request timed out’

32
Summary

In this reading you have briefly considered the Ethernet protocol, the ISO reference model and
some of the broad range of network devices Ethernet supports, before some general notes on
ways of minimising disruption to clients when installing and configuring hardware devices.
A look at safe and professional installation procedures covered those involved for internal and
external hardware. Basic device configurations were outlined for setting IP address and computer
names, before testing was discussed, with the use of the ping command to test the connectivity of
network devices.
Remember that no installation should be done without first checking with the people who may be
affected; have plans for configuration and testing, and contingency plans in the event of failure.
Care also needs to be taken to keep things safe during the installation since business may be
continuing while you are working.

Check your progress

Have a look at the next section — Practice. If you have trouble, review these Readings or
perhaps take a look at some of the listed Resources.
When you feel ready, try the Self check section at the end of this topic. This will help you decide
if you are now able to complete the task and attempt assessment.

33
Install configure and test servers and software: Before you start an installation

Before you begin installing server hardware or software you need a plan. Some installations have
evolved into a simple task, based on user-friendly menus—they may not require any real
technical knowledge; but what about the existing IT and network environment? It may be very
tempting to get in and start installing without an approved plan because you think you’ll save
time. Yet an installation can interfere with or even stop other network hardware, services or
applications from working, and your working without a plan is tantamount to working blind.
Installation plans and the schedules ensure that disruptions to business operations are kept to a
minimum and that issues of installation requirements, interoperability and compatibility are all
addressed.
Before commencing installation of server hardware or software you should:
 Review the user requirements
 Review the installation plan
 Review and confirm the existing IT environment
 Confirm the availability of required resources and materials
 Review technical tasks (for installation and configuration)
 Review the testing tasks
 Review deployment task
 Confirm scheduling and communications
 Review all contingency plans.
All these items are considered in detail to follow.

Review user requirements

The user requirements (also known as user or client specifications) state what an organisation,
person or user requires from the installation; they define what the outcomes of an installation
will be, in functional terms. For example, a user requirement may be:
The organisation needs a method of sharing data and information between all staff using
organisation-owned infrastructure.
The solution may be to install a central file server and user workstations. The developed
installation plan would be based on this.
Reviewing user requirements allows you to see what is expected as an outcome, and this is the
measure by which the success of the installation will then be judged. There is no point in
following an installation plan, only to find that client requirements are not delivered. You must
34
have a clear understanding of user requirements to properly review the objectives of the
installation plan and the tasks defined within it.

Reviewing the installation plan

A well developed installation plan will include detailed tasks that cover installation,
configuration and testing.
As an IT professional you may be contracted to implement only certain tasks within an
installation plan developed by others. In this case, reviewing the plan will help you understand
your role and responsibilities and the roles and responsibilities of others involved, as well as the
task sequence in which your activity occurs.
For example, if you are contracted to undertake the ‘install server’ task in a network installation
plan for a large firm, you would need to know that beginning your task is dependent on activities
to install network switches and cabling having been completed.
In some cases your activity, as described in the plan, may need to be developed. There may be no
specific details given on how to ‘install server’—so you would need to develop an installation
plan for your task that fits into the overall installation plan.

Review and confirm the existing IT environment

The affect of the proposed installation on the existing IT environment must be considered and
documented. Issues to investigate include the system and installation requirements for the
proposed software and hardware, and interoperability and compatibility between existing and
proposed software and hardware.
Tasks in the plan should address changes to the existing IT environment, and include specific
installation and configuration details for all software and hardware, existing and proposed.
It is also important to confirm that details in the plan of the existing IT environment are in fact
correct. This is especially important if you did not develop the plan, or if some time has elapsed
since the plan was developed. If you simply assume all is as documented, and it isn’t, you may
run into installation problems or severely disrupt business operations.
This part of a review may involve visual inspections of the network and devices, alongside
checks of current configurations and settings. A wide range of tools come with operating systems
or are available from third-party vendors to help with this. Knowing how network devices and
software connect and interact will also help ensure installation and configuration tasks are
appropriately defined and implemented.

Confirm resources and material

Resources and materials needed should be set out in the installation plan, along with names and
details of those responsible for organising or providing resources.
You should confirm that all resources are available when required. For example, you may need
to install 50 XP workstations that will connect to a new server. The installation requires you and
four technical support staff to be on site to install the computers. You should therefore confirm
that the support people are in fact available to perform this task before you start, since fewer

35
hands will cause delays. Once again, you cannot simply assume availability, just because it is set
out in the installation plan.

Review tasks
Tasks define what you are required to do and how to do it. You will need to draw upon your IT
knowledge and skills to review individual tasks and confirm they are technically correct and
properly sequenced. Generally, the order of tasks for an installation will be as set out in Table 1.

Table 1: The general order of installation tasks

Tasks Hardware Software

Installation Physically installing the Loading the application
hardware and powering it up or program on the
appropriate device
Configuration Setting how the hardware will Setting how the
operate, such as what services software will operate
a server will provide (file and (user access, database
print, network services and so locations, connection,
on) etc)
Testing Activity carried out to ensure that the installed and
configured hardware or software operates as expected
Deployment Activity undertaken to make the installed hardware
and/or software available for use within the production
environment.
You need to review tasks to ensure that they are ordered correctly and that you are aware of any
dependencies between tasks. For example you may need to perform a data backup before starting
a configuration task.
You should also confirm that tasks are technically accurate. You may want to research and
practice tasks that are new to you. For example, if you have no experience of installing an
additional hard disk in a Linux server, you might obtain vendor instructions to install and
configure the disk and perform the task on a test computer, away from the client’s IT
environment.
By reviewing the tasks in an installation plan you make yourself familiar with what you need to
do, before you do it. You will be able to undertake the tasks with confidence and without
wondering what comes next.

Scheduling and communication

A part of knowing what to do and when to do it is the need to confirm the start and end date and
duration of tasks and activities (the schedule). You also need to confirm schedules to confirm
resource availability.

36
Scheduling is usually approved by organisational management, an appropriately authorised
person or end user groups, and broadly overseeing it can be the responsibility of a project
manager.
All parties involved in an installation need to be informed of the schedule and of any impact on
normal business operations must be clearly communicated. For example, the users of a corporate
database may require five working days notice before any work on the database can start.
Some of the most fundamental parts of communication can sometimes be overlooked—always
confirm your installation plan, and the schedule for it, are approved before you begin.

Reviewing contingency plans

Contingency plans help reduce the impact of a failed installation on business operations. You
need to be well aware of any contingency tasks or plans prior to starting an installation. If
something goes wrong you need to know what to do and how to recover. You may need to test
your contingency plan prior to commencing an installation.
Contingencies may include data backups before commencing installation, backup or duplicate
hardware or systems, pilot testing, and carrying out work after hours.

37
Installing server hardware and software

Installation means to place computer hardware or software in place, ready for use. Once you
have reviewed the installation plan, confirmed the scheduling and are familiar with the task, you
can start. To follow are some specific considerations for server hardware and software
installation.

Server hardware considerations

Server hardware is the computer equipment that will run specific software to provide services or
applications. The type of hardware, as determined in your installation plan, depends upon the
service to be provided.
For example, a server needs to have an operating system installed for it to operate and provide
services. Operating system software needs minimum hardware specifications, as recommended
by the hardware manufacturer, to run successfully. New or existing hardware needs to be able to
satisfy the minimum system requirements. Table 2 below is an example of the minimum
requirements for two operating systems.

Table 2: Minimum requirements for two operating systems—as an example

Windows 2003 standard edition Red Hat Linux V9

server
 PC with CPU of 133
megahertz or higher
processor clock speed
 128 megabytes (MB) of
RAM or higher (max
4GB)
 2 gigabytes (GB) of
available hard disk space
 Super VGA (800 x 600)
or higher-resolution video
adapter and monitor
 CD-ROM or DVD drive
 Keyboard and mouse or
compatible pointing
device
 Pentium Class CPU. For text mode:
200 MHz or better. For graphical
mode: 400 MHz Pentium II or
better
 Hard Disk Space: minimum of
475MB for basic install, a Server
requires a minimum of 850MB, a
personal desktop requires 1.7GB, a
workstation requires 2.1GB and if
you install everything then 5.0GB
 Memory for text mode is 64MB,
minimum for graphical mode is
128MB, Recommended for
graphical mode is 192MB
 Other hardware components may
be required to use other parts of the
operating system.

38
To install server hardware you will need to follow the installation plan along with any vendor or
manufacturer’s instructions. Generally you will need to:
 Unpack new hardware and/or assemble server hardware
 Site or mount the server hardware
 Power on server hardware
 Run hardware diagnostics.
Unpack new hardware and/or assemble server hardware
Server class hardware is generally manufactured to a higher standard than ordinary personal
computer hardware. The server hardware may be supplied by a vendor already assembled to your
specifications and requirements, or you may need to assemble a server from components
supplied by various vendors. Components can include those for storage (hard disks, optical disk,
tape drives and the like) memory, central processing units (CPUs), network adaptors, power
supplies and uninterruptible power supplies (UPS). You should check that the server hardware
supplied matches the requirements as stated in the installation plan.
Site or mount the server hardware
The assembled server hardware needs to be placed in an appropriate location. Usually this will
be in an environmentally controlled room or equipment cabinet. Some vendors manufacture their
server hardware to slide in and out of special racks like draws in a cupboard and share a single
keyboard, mouse and monitor between multiple servers via a switchbox.
Power on server hardware
This is where you connect the mains power and turn on the hardware. At this point, look for any
signs of hardware not operating as expected. Burning smells, smoke, severe vibrations and noises
are immediate indicators of hardware problems where the power should be immediately turned
off and the vendor contacted for advice.
Run hardware diagnostics (burn-in)
With server hardware successfully connected to mains power and turned on, any diagnostic
utilities or software recommended by the vendor or manufacturer should be run to check correct
operation. Third-party utilities or tools may be used for this. The process is known as ‘burn in’
where hardware is operated to its maximum specifications by diagnostic or ‘burn in’ utilities for
a period of time to find any faults or failings before the hardware is placed into normal operation.
The server is now ready for software installation.

Server software considerations

Server software refers to both the server operating system and any additional application
software running on the server. The server operating system must be installed prior to any
application software. Once again an installation plan should address these tasks.

39
Operating system installation
The server operating system is the software that will operate the server hardware to provide
network and services to users. The various methods of installing operating system software on to
server hardware depend on the software being used. Generally, methods used are:
 Local manual installation
 Local automated (or scripted) installation
 Remote installation
 Image installation.
Local manual installation
Local manual installation requires using installation media such as CDs, DVDs or a central
network repository that stores the installation files. The software is installed by physically
accessing the server hardware to run the operating system installation. Generally, you follow the
installation prompts and instructions using the local keyboard mouse and monitor.
Local automated (or scripted) installation
Local automated (or scripted) installation involves manipulating the installation process so that it
becomes a simple process of either running a single command, or clicking an install button. This
requires knowledge of the operating system and is usually done by using batch files or script
programs to set installation options that usually require user interaction or selection. If you have
multiple servers to install, this will ensure consistency and identical installations. The person
installing on-site does not require in-depth knowledge of operating systems to perform the
installation.
Remote installation
Remote installation is when the operating system software is installed by remote access from
another computer on the network. This also means that your server hardware does not require a
local keyboard, mouse and monitor and you do not need to physically attend to perform the
installation. The Mac OSX Server – Remote Installation option is an example of this. (For
applications software: using either the server operating system features or third-party remote
control software, the server is accessed from a remote location and the application or other
software installed, again without physically visiting the server. This method may also use
application packaging and delivery technology.)
Image installation
Image installation uses hard disk imaging to install the operating system on to the server
hardware. It may be performed locally or remotely and ensures consistent and identical
installations. Installation by disk imaging is much quicker than other methods. However, the
initial image creation may be time-consuming as a manual installation on server hardware is
usually required to create the initial disk image for installation on other servers.
Once the server operating system is installed it must be configured.

40
Application software installation
Application or other software is installed on the server only after the server operating system is
configured and tested. Other software and can be installed by manual, automated and remote
installation (as described above). :
Configuring server hardware and software
Configuring server hardware and software means setting up the way the hardware and software
operates to suit the IT environment and organisational or user requirements.
Generally, server hardware is configured before the server operating system is installed, or
afterwards if hardware components in an operating server are being changed or added. Software
may be configured when installed, as part of the installation process, or afterwards, if a default
installation has been performed.
Some specific considerations for configuring server hardware and software configuration follow.

Server hardware configuration

Server hardware configurations will depend on what components make up the server.
Configurations you may need to consider include those for:
 Storage
 Boot sequences
 Specific devices
 Redundant components.
Storage
Options like the hardware redundant array of independent disks (RAID), the system which uses
multiple hard drives to share or replicate data among the drives, are configured independently of
operating systems. You may need to configure RAID options and logical volumes. You may be
using remote storage with special adapter cards that may need configuration.
Boot sequences
A boot sequence is the set of operations the computer performs when it is switched on which
load an operating system. Usually you have the option to select boot orders such as network, CD,
which hard disk and so forth. The Intel WFM (Wired for Management) options may need to be
set.
Specific device configurations
Things like the addresses for small computer system interface (SCSI), which is a standard
interface and command set for transferring data between devices on both internal and external
computer buses, may need to be set on old SCSI devices. Generally bus, port, interrupt request
(IRQ) and other settings are usually automatically determined for you with current server
hardware. There may be external devices (for example tape drives) that require hardware
configuring to connect to the main server hardware.

41
Redundant components
Hardware such as that for standby power supplies or network adaptors may need configuration.
You may need to consult the hardware manufacturer or vendor for information and configuration
instructions.

Server software configuration

Configurations for server software depend on the purpose or function of the server. Generally, a
server may be configured for one or more of the following roles:
 An application server which runs specific software applications for end users, such as a
server that runs a central Oracle Database that is accessed by users across an
organisation.
 A storage server which provides a central storage place for data that can be accessed by
computer users around a network.
 A network services server which provides specific services, such as print, user
authentication and authorisations, dynamic host configuration protocol (DHCP), and
domain name system (DNS) are some examples of the services that can be provided.
Configuration for each of the above roles will be different and will depend on the client’s IT
environment.

Server items to be configured

Generally the following items will need to be configured on a server:
 Network setting, which includes network protocol to be used, network addressing, server
name and network adaptor settings.
 Services, which include enabling and configuring specific services to run on the server,
such as setting the server to run dynamic host configuration protocol (DHCP), and
domain name system (DNS) services for an organisation.
 Authentication, which involves setting how users of the server will be identified. This
may involve setting up local user accounts with passwords on the server or setting the
server to authenticate users via some other mechanism.
 Authorisation, which is setting up which authenticated users are permitted to access and
use the server, such as allocating user permission to access data storage or server
applications or programs.
 Environment setting and policies, which are settings for the server to operate as
required or settings dictated by organisational policy. Having data backup schedules for
the server is an example of environment setting. Policy settings are used to enforce
organisational policies and may include disabling certain functions or enforcing a
particular setting on end user computers, such as stopping a non-administrative user from
login on the server console, or forcing users to change their password after 30 days.

42
All server operating systems have the above configuration options, while the processes to set
them will vary. Generally, configurations will be carried out using a graphical user interface
(GUI) configuration program that is provided as part of the server operating system.
Testing server hardware and software
Once a server has been installed and configured you need to ensure it will operate as expected
and will meet client requirements. Basic hardware testing should have been done on installation.
You now need to test the combination of server hardware and server software before the server is
made available for use.

The test environment

To avoid disruption it is best to install and configure a server in an environment not connected to
the production network, and which is, ideally, a replica of the working environment. A replica
test environment allows testing of system integration and compatibility with existing systems.
Unfortunately, fully replicated test environments are not often available, in which case the new
server must be first tested in isolation and then completely tested in the production environment
in a manner that causes the least disruption. It is important that your installation plan addresses
the issue of testing, taking into account the existing client IT environment.

The testing process

With the server is in place, the following tests can be conducted in order.
1 System test—which checks the technical operation of the server and includes network
communications, operating services and schedules, system performance (disk I/O, memory,
CPU) application and program availability, authentication and authorisation, manual
procedures, backup and recovery procedures. The entire system needs to be tested. Test
strategies that work the system to its capacity are used. These strategies must ensure that all
problems that the server may have, are found before it is placed into production.
2 Integration test, to check that the server works with all applications, systems, servers and
network resources in the client’s IT environment.
3 User acceptance test, which is a functional test performed by the users to ensure that the
new system works and functions as expected and that it satisfies their needs. User
acceptance testing involves the clients using the operating system and performing normal
work activities for a period of time, to see if any problems occur. They also determine if
performance requirements, as defined in the user requirement statements, are met.
Performance requirements must be subjected to a specific set of tests that will decide if the
server and software are acceptable. If the server passes all of these tests, it is considered to
be acceptable by the users.

43
 The test plan
A plan for the above tests should be a part of the installation plan, with a time line, a list of
resources required and the roles and responsibilities of those involved set out. The test plan
should:
 list the function or service to be tested, and within each function or service, list items to
be tested in sequence
 list the procedure to test each item and the expected results of the test procedure
 provide for documenting actual test results with comments (as shown in the example in
Table 3).

Table 3: Simple test plan extract, as an example

Functio Item Procedure Expected Actual result Comment

n result
Printing Install On client computer Network
network login as user1. Printer installed
printer from Select Start on local
server on to select Printers and computer with
Windows Faxes test page
XP client select add printer successfully
computer browse to \\server\ptr-1 printed.
install printer
print test page
Printing Application On client computer Selected
printing login as user2. document
using server Access local MS Word printed
print application on client
services computer.
print a document to \\
server\prt-1
It is important that you know what the expected results of a test should be. If the actual results do
not match those expected, the test for the selected function and item has failed. This failure is
known as a defect or deficiency that will need to be rectified. Defects or deficiencies can be rated
in terms of severity or importance and this can help you create a priority list of defects to rectify.
Once you have rectified a deficiency or defect you need to redo the failed test to confirm the test
is passed.

After testing
A new server should be free of defects or deficiencies before it is put into production. Results of
the testing process should be documented, and documentation then reviewed and analysed to
confirm that all required testing is complete and that all defects and deficiencies are resolved.

44
In some cases that documentation (along with other information) may need to be presented to
confirm the results of the user acceptance tests, so to authorise the next step of deployment or
placing the server into production. Clients can also decide to deploy or implement the server with
minor defects or deficiencies, if that a plan exists to rectify them, especially if there is a need to
implement the server quickly.:
Deployment and implementation
Deploying of implementing the server means making it available for use in a working
environment. How you deploy the new server will depend on the existing IT environment and
whether the server is a completely new installation or a replacement or addition for an existing
server. You may need to test your deployment methods in conjunction with your server testing.
To follow are some considerations for deployment. The method you use may affect how you
undertake server testing prior to deployment.

New servers
Deploying new servers is generally a simple process because you are implementing all new
services. The server is usually connected to the production network and existing client computers
connect and use the new server, depending on its configured role.
There may be a need to install client software or reconfigure client computers to enable use of
the new server. This type of activity should have been included in the installation plan and
testing of client software and client connections would be done before deployment.
For example, if you deploy a new dynamic host configuration protocol (DHCP) server in a
network where client computers have static Internet protocol (IP) addresses, you need to
reconfigure client computers to dynamic IP addressing. You could use the following options:
 connect the new server to the production network, then
 visit each client computer to manually reconfigure or
 employ remote access technology (like Altiris, RDP) to reconfigure each computer, or
 create an executable configuration file that is sent to the computer and the user executes.
In the above example, connecting the server to the network was the easy part of the deployment.

Replacement or upgraded servers

Replacing servers requires some careful planning to ensure minimal disruption to existing
services. The following strategies can be used:
 parallel implementation
 abrupt implementation
 phased implementation
 pilot implementation.

45
Parallel implementation
Parallel implementation takes place where the old server and software run alongside the new
server and software. This is done for a period of time to ensure any problems not detected in the
prior testing phase are resolved. The old server and software are then terminated either abruptly
or phased out.
This method allows the organisation to keep functioning as normal, and it also allows much more
time for the users to become familiar with the new software. The disadvantage is that it is costly
and time consuming for the users to run both operating systems and applications simultaneously.
(To counter that disadvantage, a small group or section may pilot the proposed changes, as
below.)
Abrupt implementation
Abrupt implementation is when the old server and software are completely removed and the new
server and software put in place immediately. It requires no transition costs and is very fast, yet
there is the risk of costly data loss if the new system fails, or if existing data is not correctly
transferred to the new server. Operations can be seriously disrupted if this happens, or if the
users have not been adequately trained (with abrupt implementation users are under a lot of
pressure to learn the system before the change over).
Phased implementation
Phased implementation is used with larger applications that can be broken down and installed
separately at different times. An example of a phased implementation could be a server
providing an accounting application, with the accounts receivable, accounts payable, general
ledger and payroll modules all installed separately in phases with the new operating system. If
something does not work it may be only the (general ledger) that has problems or, since the
(general ledger) has just been installed, it can be quickly identified as the cause of other
problems.
Pilot implementation
Pilot implementation is where the new server and software are installed and used by one
department in the organisation, to be tested. Once this pilot site is working as expected, other
departments convert, using one of the above mentioned deployment methods.
It is wise to have a phased implementation process. This may include the following steps:
 Backing up important data in case there is a problem during installation
 Selecting a sample area to use the new server and software first. Document any problems
and considerations that arise from this ‘pilot site’.
 Break up the installation into smaller, more manageable units.
 Plan the installation timetable to cover different sections.
 Alert staff to the planned installation and training.
Regardless of implementation method, deployment should be addressed in the installation plan
and not run as an ad hoc process at the end of an installation.

46
Post installation review
Once the installation of the server is complete there remains one more task—reviewing the
installation process to ensure the client requirements are met. This requires a review of the
completed installation, by reflecting on the installation plan and its execution, discussing any
issues arising from the installation, and confirming that the installation delivered the user
requirements. It is at this point that the installation may be signed-off as completed.:
Summary
In this reading you’ve considered the importance of having a well developed installation plan,
which is also used after installation to judge effectiveness and to check that user requirements
have been met.
You looked at preparatory work including the need to review user requirements and the
installation plan before an installation begins (including review and survey of the existing IT
environment). Considerations and issues related to the installation of hardware and software and
its configuration were outlined. The process of testing was then discussed, followed by a
summary of methods of deployment and implementation.

Check your progress

Now you should try and do the Practice activities in this topic. If you’ve already tried them,
have another go and see if you can improve your responses.
When you feel ready, try the ‘Check your understanding’ activity in the Preview section of this
topic. This will help you decide if you’re ready for assessment.

LO 3 Evaluate network security status

Network Security
What is network security? Before we can evaluate the status of network security we need to
understand what network security is.
Security refers to the measures taken to protect certain things or elements of information. There
are three main elements.

Confidentiality
This means keeping information secret and safe. It means controlling access to information so
that only the people with authorisation will access the information. No one else should have
access to the information.
With Network Security this means keeping all information stored in a network environment
confidential and safe. This means keeping unauthorised people off the network and preventing
them from browsing around and accessing thing they have no authority to access.

47
Integrity
This refers to the correctness of information. It means making sure that the information is kept as
it should be and not altered or changed by unauthorised people. It also means protecting the
information from changes or corruption by other things like system or program failures or
external events.
With Network Security this means keeping all information stored in a network environment as it
should be. Information includes user generated data, programs, computer services and processes
(email, DNS, etc). This means protecting information from unauthorised changes and deletion by
people, network devices or external influences.

Availability
This refers to the ability to access and use information. It means making sure that the information
can be accessed whenever it’s required. If information is not available it is useless.
With Network Security this means keeping all information stored in a network environment
ready and accessible to those who need it when they need it. Information includes user-generated
data, programs, computer services and processes (email, word processing application, etc).

Evaluating Network Security Status

Knowing what network security refers to means we now know what to look for when assessing a
network. We need to look at what measures are in place to ensure that the confidentiality,
integrity and availability of network data, applications, services and processes are maintained to
the organisation’s requirements.

Threats
Threats are actions or events that could occur to compromise an organisations network security.
The threat will compromise confidentiality, integrity and/or availability of network information.
People or organisations that have possible access to the network may present threats. Threats
may be presented by people or organisations that have some reason for compromising network
security and have the knowledge and resources to pose a threat. Some examples of threats could
be hackers gaining access to confidential files, or a disgruntled employee deleting corporate data,
or virus infections corrupting data. Joy riders also pose a threat. They have no particular reason
for gaining access except for the challenge and a bit of fun or perhaps prestige within their peer
group.
Threats may also arise through circumstance. For example using second hand or old hardware
may pose a threat to network security.

Vulnerability
This refers to potential ways or avenues that could be used to compromise network security. For
a network to be vulnerable it must be accessed in some way. For example, Internet connection,
user workstations, wireless access via user laptops are all means of accessing the network. All

48
these access points use various systems such as firewall, computer operating systems,
transmission protocols to authenticate and authorise network access. Various methods can be
used to gain unauthorised access if vulnerabilities exist in the systems.
Operating system bugs, shortcomings in the authentication mechanism, and no security checks
for people entering the workplace are examples of vulnerabilities.

Countermeasures
Countermeasures are used to reduce the level of vulnerability in the organisation. They can be
physical devices, software, policies and procedures. Examples of countermeasures include
firewalls, antivirus software and security guards checking employee IDs as they enter the
building. In most cases, countermeasures are implemented at network access points or where the
vulnerability exists.

Impact
Impact means what will happen to the organisation if a threat actually happened. The
consequence of a threat occurring is usually measured in financial terms because the result may
be loss of business productivity, stolen equipment replacements and repairs, costs for
investigation and expert contractors. Other consequences may be damage to reputation, loss of
business or time and resource related.
Assessing impact can be an involved process and a topic in its self. However, in brief terms,
assessment is usually done by identifying systems or resources in the organisation. Then by
analysing usage patterns, business processes and work flow the importance of a system can be
determined. Finally, with user and management questionnaires, analysis of usage, business
processes and workflow, the consequence of the system or resource being unavailable or
compromised can be determined in financial and other terms.

Likelihood
Likelihood refers to the probability of an event occurring. Whether an event is likely to occur
depends upon a number of factors such as degree of technical difficulty and knowledge required
to cause the event, potential gain to the perpetrators and opportunity. Countermeasures reduce
the likelihood of occurrence. For example procedures ensuring that operating systems have the
latest security patches installed will reduce the likelihood of hackers compromising the system.

Risk
Risk refers to the potential or possibility for some form of loss. With network security this means
loss of confidentiality, integrity and/or availability of information or services. Risk is determined
directly by threats and vulnerabilities. For there to be a risk, a threat AND some vulnerability
must exist.
For example virus infection may compromise the integrity of information on a network. The
vulnerability or ways virus infection can occur may include the using of CDs or disks from
outside the organisation on local network computers. In this case a risk exists. If a

49
countermeasure or mitigation strategy such as using diskless workstations was employed, users
could not use external media. This means that there is no vulnerability and therefore no risk.
However, another vulnerability associated with virus threats may be the network’s Internet
connection. So the risk of virus infection via the Internet may exist depending upon firewall and
antivirus countermeasures employed.

Looking for Threats and Vulnerabilities

Evaluating the status of network security can be a daunting task if we don’t take a methodical
approach. We need to understand what makes up the network – the hardware and software.
Knowing this helps us break things down into smaller manageable parts. Once we identify the
individual systems and components (for example email service, web services, internet access,
applications, etc) we can then start to look at the security status of these one by one.
To work out threats and vulnerabilities, we need to examine:
 access to the system – including physical, electronic via authentication processes, via
local workstations, Internet, remote access server
 authorization mechanisms – including operating system or application permission or
access control methods, organisational processes and procedures to manage user access
 who has access and what can they do - this includes file access permissions for users
and access to services and this can be examined using auditing features built in to
operating systems and applications known vulnerabilities for example operating system
or application defects/bugs, hardware firmware
 Potential vulnerabilities and confirmed by testing any countermeasures in place.
For any breach of security, there must be some form of access so it is important to consider all
possible means of access (physical and electronic). While hackers are usually associated with
external 'criminals', network security is more often jeopardised from within an organisation.
Look for vulnerabilities in the following areas of the individual network components.
Network design and components
Vulnerabilities associated with hardware and network design include exploitation of topologies,
switches, routers, firewalls, servers, computers and operating systems to breach network security.
Threats associated with hardware and network design vulnerabilities include:
 interception of wireless transmissions by hackers
 networks that use public or external transmission systems; for example leased lines are
vulnerable to eavesdropping
 networks segments being exposed to sniffing
 physical access to hardware
 private network addresses accessed and read when routers and other devices are not
properly configured
 dial-in servers or remote access used by off-site staff not being secure or monitored
regularly.

50
  improper use of default security options – after operating systems or applications are
installed, default security options are offered automatically; these default prompts are
well known by crackers and, if they are not changed by the network administrator, will
allow easy access to the system
 network operating system software having holes in its security, allowing hackers to gain
unauthorised access
Network operation and usage
We need to examine how the network or system is used and also any policies and procedures that
relate to this. Threats from people exploiting vulnerabilities in the way networks or systems are
used may include:
 Intruders or hackers gaining user passwords through manipulation or monitoring.
Surprisingly, many people write their passwords down on sticky notes and leave them stuck
on the side of their monitor or under their keyboard. It is easy for an observant person to find
these notes, or even to unobtrusively watch passwords being typed in
 Social engineering—This practice involves manipulating social relationships in order to gain
information, specifically, passwords. For example, the intruder may pose as a network
administrator who asks for your password in order to investigate some problems with the
network
 incorrect configuration of user IDs and groups and their associated file or login access
 network administrators not noticing security gaps in the operating system or application
configuration
 lack of a security policy, leading to users not knowing or understanding security
requirements
 dishonest or disgruntled employees abusing their access rights
 an ’unused’ computer being left logged on to the network, thereby providing access to an
unauthorised user
 users or administrators choosing easy-to-guess passwords
 computer rooms being left unlocked, allowing unauthorised physical access
 back up tapes or floppy disks containing confidential information being discarded in public
waste bins
 administrators failing to delete system accounts of employees who have left the organisation.
Communications and connections
The security of network operating systems and application software is dependent on its
configuration. Some of the vulnerabilities in this area regarding communications and connections
include:
 IP addresses easily falsified and requiring little authentication
 flaws or gaps in network software allowing IP spoofing to occur.

51
 viruses – which can be contracted from the Internet or external email, or transferred from one
computer to another through internal network and emails.
 incorrectly configured firewalls not preventing unauthorised access
 authorised users transferring files using Telnet or FTP over the Internet, with user ID and
password transmitted in plain text, which can easily be accessed and used inappropriately
 hackers obtaining personal or user ID information entered into online forms or newsgroup
registrations
 access inadvertently allowed into chat session or email software while users remain logged in
to Internet chat sessions or Internet-based email.
 denial-of-service attacks. These are usually deluges of messages sent to a third party using
PCs on your network as ’drones’, resulting in the targeted system becoming disabled
 Clear text sniffing—Some protocols do not use encrypted passwords as they travel between
the client and the server. A cracker with a sniffer can detect these types of passwords, thus
gaining easy access to the information
 Encrypted sniffing—protocols may use encrypted passwords; hackers may carry out a
Dictionary attack. These are programs that will attempt to decrypt the password by trying
every word contained in English and foreign language dictionaries, as well as other famous
names, fictional characters and other common passwords.
Brute-force attacks are similar to Dictionary attacks. The difference is that Brute-force attack
intruders will use encrypted sniffing to try to crack passwords that use all possible
combinations of characters. These characters include not only letters, but other characters as
well.
 Replay attacks—By reprogramming their client software, a cracker may not need to decrypt
the password; the encrypted password can be used ’as is’ to log into systems

Third Party Tools

How long do you think it would take an administrator to manually check the configuration of
every network device for possible security vulnerabilities?
Administrators are human and humans are not well suited to looking at long detailed log files
and configuration listings. There is a good chance something will be missed. Fortunately, there
are a number of tools available that can accurately do this work for the administrator.
Network security tools evaluate the security of a network by
 Performing scans of security configuration for specific devices and operating systems –
for example account policies and security policy settings for windows operating systems.
These tools generally need administrative access to the devices and compare results to
expected best practice settings reporting the differences. These types of tools can also
audit file systems by listing security setting and permissions as applied to the files system
and services.
 Network traffic scans and probes that test for available network connections. This tests
for network addresses, protocols and gathers transmission and connection information
about the network. It may draw topology diagrams with device and host information.

52
  Penetration testing. These tools will attempt to gain access to the network by performing
a series of attacks on the network using methods that exploit known vulnerabilities. These
types of tests can be performed from outside the network (for example via the Internet) or
from inside the network to test internal security.

In all cases these tools use known vulnerabilities and methods to test network security and as
such need regular updating as new vulnerabilities are discovered. These tools should be used out
of normal business operation hours as they can impact on network performance. Links to these
types of tools and sources for are available at the end of this reading.

Evaluate Findings
Once we have completed the task of looking for risks and checking configurations, we need to
compile our findings and determine if any improvements or changes are needed.
We need to record the findings for each of the systems or network components we reviewed. In
summary, these were the things listed in the 'Looking for Threats and Vulnerabilities' section
above.
Using a table can help you evaluate your findings. Once you have listed your findings you need
to consider what issues or concerns result from your findings. These concerns may become
threats and risks. From the concerns and issues consider what you can do to remove the issue or
concern.
Take a look at the sample Risk Evaluation table on the next page. Note: You can also download
this table as a separate document from the Reading section of this online learning pack.

53
 Concerns or Issues Recommended Action
System or Results and findings
Network
Component
Identify the Physical environment (Example: Anyone can walk (Example: Lock the computer
network in and access the computer room and only authorised
system or (List here your findings
and console. They could copy people have keys)
component about the physical security
or delete information and
of the system)
damage the hardware)
(Example: (Example: insecure
Finance computer room)
database server,
windows 2000)

Access configurations (Example: Password (Example: Change system

complexity is low. Passwords requirements for longer and
(This includes
could be easily cracked) complex passwords)
authentication systems,
electronic access to the
system, operating system
configurations for access)
(Example: Password length
is set to 4 characters)

Authorised users and (Example: Default permission (Example: Do not use default
access levels is to read all files. Secure permissions. Develop required
information cannot be permissions for each group of
(List of authorised user and
changed or deleted by users and implement)
what they can do and access
unauthorised people but
on the system)
anyone logged in can see it)
(Example: Default
permission set on all files
for everyone accessing the
server)

54
 Concerns or Issues Recommended Action
System or Results and findings
Network
Component

Process or procedural (Example: Anyone can gain (Example: Set password

assessment access when authorised user is protected screensavers to
away from desk) activate after 5 minutes and
(List any failings in
educate user about the need for
procedures or work
security)
practices. This includes the
way the system or network
is used.)
(Example: Users are
leaving logged in
computers unattended)

Vulnerability test results (Example: results of code may (Example: Apply vendor
leave server open to remote supplied security patch to
(List test results from
control by unauthorised server)
specific tests or test utilities
people)
like penetration tests,
network scans, etc)
(for example operating
system ’buffer overflow
may cause arbitrary code to
execute)

Existing (Example: Antivirus software (Example: Update the antivirus

Countermeasures is 3 months out of date. The software and develop
server is vulnerable to the procedures to ensure regular
(List existing specific
latest virus) update)
countermeasures for the
system and any failings of
these)
(Example: Anti Virus
software)

Table: Sample Risk Evaluation table.

Using tables like the one above will give us a picture of the security status of the components and
the network as a whole. As network or system administrators we make technical

55
recommendation on these finding to improve or correct any network security deficiencies.
However it is up to organisation management to approve any recommendation.
Information on threats, vulnerabilities, impact or consequence along with recommendations
(including implementation costs) addressing the risks must be provided in a meaningful way for
organisational management to make sound decisions regarding network security.
Quantifying Risk
We know that risk is the result of threats and vulnerabilities, but how do we measure the risk?
One useful way is to scale risks based on impact and likelihood. Using this method
organisational management can identify the most likely and most damaging risks.
Consider table on the following page. Risk is calculated by multiplication of impact and
likelihood. Risk is now scaled between 0=no risk and 25= extreme risk. (Note: You can also
download this table as a separate document from the Reading section of this online learning
pack)

56
Threat Vulnerability Impact Likelihood Risk Comments Possible
0-5 0-5 Factor Countermeasures
0-25 and Mitigation
Strategy

Confidentiality Access to 5 0 0 Records kept None require as

of client information on database long as server
records from outside server on remains isolated
(Example: organisation separate
credit card via internet network
numbers may segment not
be gained by accessible via
unauthorised internet
people This risk does
not exist
because there
is no
vulnerability

Access via 5 2 10 Unauthorised Increase building

internal person may access security by
workstations gain access to introducing
the building security guards
and and key card
computers in access
the closed Employee
segment education on
Covert security issues
employee Implement
activity may auditing on
occur. sensitive resource
accesses

Access via 5 1 5 Procedure Audit procedures

failed process checks in and perform spot
and place checks
procedures Copies of Locked document
shredded destruction bins.
printouts may
be possible

In the above example both impact and likelihood are equally weighted. If an organisation is only
concerned with impact, then likelihood may use a smaller scale or not be used at all to calculate
the risk factor.

57
It is a management decision to accept the risk with consequences and potential cost to the
organisation. The alternative is to implement countermeasures or mitigation strategies to reduce
the impact or likelihood. These measures usually come at a cost and management need to decide
if they wish to spend potentially lots of money to prevent something that is unlikely to occur.

Prepare Report
As mentioned, your risk assessment findings must be presented using clear documentation. The
report presented to management regarding the status of network security should include:
 Your summary of concerns and recommendation in plain English
 Summary of findings should include your main concerns, possible consequences and
current network security compliance with existing organisation policy and standards
 Recommendations need to include implementation costs, resources required, time
required, potential impact on continuing business or systems access.
 A risk summary table including impact and likelihood (weighted if required)
 Your methods of evaluation and investigation of network security status.
 Any other relevant supporting documentation.
As an IT professional, management will be relying on your skills and judgement in presenting a
clear picture of the current network security status. Key points to remember here is that
management want to know if the organisation is exposed to potential risk, what is really at risk
and how much it will cost in financial terms, time and material to mitigate the risk.
As IT professionals, some times we may not look at the big picture and think in technical terms.
What you present must be understood by non technical people so that they can make valid and
justifiable business decisions using your information.
Summary

There is a lot of hype about network security and with it comes the potential to spend big dollars
in securing a network. We now know how to assess and evaluate the status of network security
by identifying real and valid threats. Without vulnerabilities to the threat there is no risk to
network security.
We have learnt that there must be some form of access to the network for security breeches to
occur. Evaluating network security means looking at the individual components that make up the
network, investigating how they are accessed specifically looking for vulnerabilities in
confidentiality, integrity and availability. Third party security evaluation tools are a most useful
resource when used in conjunction with our other findings to formulate recommendations.
Most importantly, our findings need to be interpreted and presented in a meaningful way with
recommendations that are easily understood. Management make decisions on acceptable risk not
administrators.

58
LO4 Manage user accounts

User Access

You’ve probably heard someone say that the most secure system is the one that has no users! It is
probably also one of the most useless systems. We do want our users to access the system; it’s
just that we want them to have the appropriate access.
The control of user access can take many forms and apply at several levels. Once a computer is
physically accessed, the user usually logs on to gain access to applications. These applications
will access data in files and folders.
We can simplify the process down to 3 things.
 Physical access
 Authentication
 Authorisation

Physical access
The first layer of management and security is the physical access to the computer. To prevent
unauthorised access, a company may make use of:
 locks on the front doors
 locks on each floor
 locks on offices, etc
 security guards
 cameras
 keys on computer systems.
Only those who have permission and keys will be able to access a computer in the company’s
premises. The Internet, however, presents issues concerning access to corporate information or
systems because physical restrictions cannot be imposed.

Authentication
Authentication is the process of verifying the identity of people who are attempting to access the
network or system. Typically, a user identifies themself to the system, then is required to provide
a second piece of information to prove their identity. This information is only known by the user
or can only be produced by the user.
The most common method used to authenticate users is the Username and Password method.
Using this method a user identifies itself with a username. They are then prompted for a
password. The combination of name and password are then compared by the system to its data
on configured users and if the combination matches the system’s data information the user is
granted access.

59
Other authentication methods include:
 Username with static passwords—the password stays the same untill changed by the user
at some time
 Usernames with dynamic passwords—the password is constantly changed by a password
generator synchronised with the user and system.
 Other challenge response systems—this may involve PINs, questions to the user
requiring various answers or actions
 Certificate Based—this requires the user to have an electronic certificate or token. This
may also need to be digitally signed by a trusted authority. Kerberos is an example.
 Physical devices—these include the use of smartcards and biometrics. Generally the
entire authentication process occurs on the local workstation, thus eliminating the need
for a special server.
Whatever method is used is determined by the organisational policy and security requirements.
Identity Management
In large organisations there may be thousands of users for a network. These users could be
employees, contractors, partners, vendors and customers. Being able to identify and manage each
of these users is most important because each user has different requirements and levels of
access.
This information is managed using either the Network Operating System, Directory Services or
specialised Identity Management Software. Essentially, all of these use a central repository or
database that contains all the user information and credentials. This presents a single location for
all applications and services to use when authenticating users as required.

Authorisation
Once a user has been authenticated (that is their identity validated) they are granted access to the
network or system. For the user to then access data or an application or execute some task or
command they need be authorised to do so. The authorisation process determines what the user
can do on the network. In other words it enforces the organisation policy as applicable to the
user.
The Network and System administrators are responsible for the technical configuration of
network operating systems, directory services and applications. Part of the configuration includes
security settings that authorise user access. The administrators use an organisational policy to
determine these settings.

User Account Configuration

Network and System Administrators are responsible for configuring user accounts. Network
operating systems and applications have many security options and setting relating to user
access. How does an administrator determine the configuration and setting for user accounts?
Organisation policies and procedures provide the guidelines for administrators.

60
User Account Settings
The organisation’s policies should make statements as to the degree of user control that is
required. Network procedures should contain details as to how these policies may be
implemented. For example, the policy may state that user passwords should not be less than six
characters. The procedures will then describe how the administrator should configure the
operating system to ensure that all passwords are at least six characters.
The administrator should review the policies to ensure that the procedures produce the desired
outcomes. The procedures should describe in detail how to make use of the operating system
facilities to configure user accounts in accordance with the security requirements.
The actual way you set these parameters will vary with each operating environment, however,
here are some basic parameters covered by most operating systems to consider when setting up
user account options:
 Password requirements—whether a password is required, minimum length, complexity,
needs to be changed at intervals, etc
 Account lock out settings—disabling accounts that have made a number of bad logon
attempts
 Access hours—the standard days and time that users will be permitted to access the
network
 Account expiry dates—date when account will be disabled
 Logon restrictions—accounts can only be used at specified locations or
workstations.
 Home directory information—a home directory is a folder that usually has the name of
the user and the user has full permissions over.
 Logon scripts—these perform specific tasks or run specific programs when the user logs
on

Configuring User Access

Once user account settings have been determined how do we know who should have accounts
and what access should be set?

Reflect: Configure user access

Before you read through the next section, think about who needs to be consulted in setting up
user access.
User Authorizations
Once again, organisational policy and procedures provide the necessary information for the
administrators. There should be procedures in place that inform the appropriate people that a
person requires a new user account or changes to an existing account or a deletion of accounts.
The notification procedure should cover circumstances such as new employees joining the
organisation, employees changing positions in the organisation and employees leaving the

61
organisation. These notifications must come from authorised people in the organisation
(managers, etc) as stated in the policy and procedures.
Notifications also need to specify what information, data, resources etc the account is permitted
to access. The request for access must be authorised by an appropriate person in the organisation
(usually department managers). The access permissions for users should be carefully planned
and determined in writing by appropriate people who have the authority to allocate the access.
Procedures should address:
 which managers can authorise a new user
 standards for user id and passwords
 groups that users can belong to and authority required for each group
 basic accesses that all users are allowed
 authorisation requirements to access sensitive data
 application accesses
 ability to install additional software
 email and Internet accesses
 special accesses that may be required.

User authorisation (access control)

Take a look on the net for examples or tutorials about Configuring user authorisation. You may
want to try Microsoft (www.microsoft.com) or Linux (www.linux.org). You could also search
for tutorials using Google (www.google.com) and searching for the phrase’ ’account creation
procedure’.
Use of Groups
The most common way of administering access permissions is to create groups and put user
accounts into appropriate groups. The group is then permitted or denied access as required.
Using groups is an efficient way of managing authorisation because you only need to set access
permission to a group and not individual accounts.
For example, a company may have thousands of users, but analysis of what those users want to
do may show that there are twenty or more different combinations of access permissions
required. By assigning users to groups and then allocating permissions to the group, the security
administration is greatly simplified.
Once we have users allocated to groups we can explore other levels of controlling access.
Allocating permissions to folders and files is a major security provision of network operating
systems and one that is important to set up correctly. Can we go lower and look at the content of
a specific file and restrict access there?
The restriction of file access is most applicable in controlling access to database files.
For example, imagine a Payroll system using a database in which the data is stored in tables.
These tables have columns and rows of data. Let us think about two groups of user, the payroll

62
department staff and the manager of a department. The payroll group are likely to be allowed full
access to all the data although in a very large organisation there may be segregation of access.
But what about a department manager? This person may be allowed to see salary details for the
staff that work in the department only.
In the table containing salary details there may be a row for every employee in the organisation.
This means that we only want to show this manager the rows that relate to the one department.
This would be secured with a filter that only displays staff in the department being examined.
Furthermore there may be information about an employee that even their manager may not be
able to see, such as medical or financial information. This information may be restricted by
controlling the columns returned in a report or query.
This type of security is really part of the application control rather than the network but it is still
an important part of the overall security of the system and needs to be addressed by the
organisational procedures.
Permissions and Rights
Permissions generally refer to file and directory access. The user account or group can be set
with the following type of permissions:
 No access at all to files and directories
 Read only.
 Modify where the contents of files and directories may be accesses but changed or added
to but not deleted
 Full Control or Supervisory where files and directories can be view modified and deleted.
Rights (or privileges) generally refer to the restriction on user accounts or group in performing
some task or activity. For example a user account or group may be assigned administrator or
supervisor rights meaning that the user can perform administration tasks like create, modify or
delete user accounts. Care must be taken with rights to ensure security is not compromised.

Managing User Accounts

Once user accounts are configured we still need to manage the accounts as required by
organisational policy. For example user accounts for contractors are active only for as long as the
contractor are physically on site. This means that accounts need to be enabled and disabled. This
activity should be addressed by procedures.
Note also that many networks on different OS’s allow’ ’guest’ and’ ’temporary’ accounts. These
are usually set up for either read-only or short-term access to people who would not normally
have access to the system. Great care must be taken in configuring or using these accounts firstly
because they can allow anonymous and uncontrolled use of a system and secondly guest
passwords can sometimes be guessed easily and provide a doorway for hackers/crackers.
Administrators need to review procedures to ensure that they remain current and address any
changes to the organisation and the network.

63
Administrators need to be aware of user activities and practices when accessing the network.
Organisational policy and procedures should address how users should access the network. In
time users may develop shortcuts and practices that knowingly or unknowingly are in breach of
policy and may compromise network security. For example a user may log on to the network on
one workstation. Then to allow access for a colleague who has forgotten their password the users
logs in on another workstation for the colleague. The result is two concurrently network
connections for one user account but for two different people who have different user access
requirements.
To manage user accounts appropriately administrators should
 Regularly review organisational policies and procedures to be aware of requirements and
address any organisational or network changes
 Conduct regular checks to ensure the change management procedures are working for
new, changed and deleted users
 Review and investigate current work practices regarding user network access
 Conduct information and training sessions for network users to reinforce appropriate
practices and organisational policy
 Conduct regular audits of network access—verifying current users and deleting expired
accounts
Managing user accounts can be a complex and tedious task but we can things easier by ensuring
appropriate policy and procedures are in place.

Policies and procedures

Many larger organisations post the policies that govern their user authorisation processes on their
intranets. Try searching intranet sites for larger companies—particularly IT based organisations.
You may need to look under’ ’Publications’ or’ ’Policies’. Also try a Google search for the term’
’user authorisation policy’ (use’ ’authorization’ for US companies).

Summary
How user accounts are managed is principally determined by organisational policy.
Administrators need to use policies and procedures to determine how to configure accounts and
how to set appropriate access permissions to application and data.
Once accounts are established, again policies and procedures will clearly define how the
accounts will be managed with regard to changes, disabling and

64