Hawassa poly college

Build Internet Infrastructure

LO1: Plan and design internet infrastructure

LO2: Install and configure Internet Infrastructure and
services
LO3: Test Security and Internet Access
LO4: Ensure user accounts are verified for security

Amassing by Fitsum 1
 Hawassa poly college
LO1: Plan and design internet infrastructure
What is a protocol?
For communication to occur there has to be some form of common language and some
guidelines that are used to manage the communication process. With respect to computers
and information technology, a protocol is a standard framework, which dictates how two or
more computers communicate with each other and share information over a particular data
link.

Why protocols are used in networking

Protocols define the rules or standards for communication between network devices. A
printer cannot interpret signals sent by other devices, such as a workstation or file server,
unless there is a common protocol. Protocols enable data to be sent between two devices in
sequence and without errors.

Examples of protocols used on networks include:

 Transmission Control Protocol/Internet Protocol (TCP/IP)
 Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
 NetBIOS (Network Basic Input Output System)
 NetBIOS Enhanced User Interface (NetBEUI)
 AppleTalk.

Protocols need to be installed and configured on both devices before communication can take
place between those devices, eg a workstation and a file server.

With respect to networking, the term ‘protocol’ actually refers to a group or suite of
individual protocols that work together. Different tasks are assigned to protocols within a
suite, such as data translation, data handling, addressing or error checking.

There are many factors that determine which protocol (protocol suite) you may use on a
network. Factors include:
 the error rate on the data link
 whether Internet access is required (this is important as some protocols are not
routable)
 the network operating system being used
 how much network security will be required
 the speed requirements of the network.

Examples of different protocols

Below you will find some examples of the different protocols with a brief explanation for
each.

Amassing by Fitsum 2
 Hawassa poly college
Internet Packet Exchange (IPX) and Sequenced Packet Exchange
(SPX)
This is a suite of protocols, made up of many protocols, not just IPX and SPX. It was
originally developed by Xerox and adopted by Novell in the 1980s.

Novell’s NetWare clients and servers use this suite of protocols. It is routable, meaning that it
can cross many LAN segments. IPX works at the network layer and is connectionless, that is
the protocol does not guarantee delivery of data.

The IPX protocol is responsible for addressing. SPX is responsible for ensuring that data is
received in sequence and error free.

NetBIOS and NetBEUI

The Network Basic Input Output System (NetBIOS) was originally developed by IBM and
later adopted by Microsoft to be used in small local area networks.

NetBEUI (NetBIOS Enhanced User Interface) is a fast and efficient protocol that is still used
on small networks.

However, this protocol is not routable, that is it cannot span the Internet. However, many
systems still require the presence of the NetBIOS protocol services to function correctly. The
NetBIOS protocol services can be implemented on routed networks by ‘riding’ on TCP/IP
through the routers, that is TCP/IP encapsulates NetBIOS.

AppleTalk
This protocol was developed to interconnect Apple Macintosh computers. This is a routable
protocol.

To find out more information on these and other protocols, you can follow the links in the
Research section of this Learning Pack.

Amassing by Fitsum 3
 Hawassa poly college

The ISO/OSI reference model

In the early 1980s the International Standards Organisation (ISO) developed a model or
theoretical representation of what happens between two computers on a network. The model
known as the Open Systems Interconnection (OSI) is the blueprint that has helped
networking specialists to understand and develop computer-to-computer communications.

The goal of establishing the reference model was to allow different computers from different
manufacturers, running different operating systems to communicate with each other, so long
as each system conformed to the OSI reference model.

The model has seven layers:

1 application
2 presentation
3 session
4 transport
4 network
6 data link
7 physical.

Each layer of the OSI model has its own function and interacts with the layers directly above
and below it.

Figure 1 below shows information going down the seven layers from one device across
intermediate devices, and then up through the seven layers on the destination device. These
devices can be any type of network equipment such as networked computers, printers and
internetworking devices such as routers and switches.

Amassing by Fitsum 4
 Hawassa poly college
Sending device Receiving device

Application Application

\
Presentation Presentation

Session Session

Transport Transport

Network Network Network Network

Data Link Data Link Data Link Data Link

Physical Physical Physical Physical

Figure 1: The ISO/OSI reference model showing communication between two devices

Here is a simple mnemonic to help you remember the order of the seven layers of the OSI
model:
All Application 7

People Presentation 6

Seem Session 5

To Transport 4

Need Network 3

Data Data Link 2

Processing Physical 1

Figure 2: Remembering the seven layers of the OSI model

Amassing by Fitsum 5
 Hawassa poly college
The seven layers explained

Physical layer
The physical layer is the bottom layer of the OSI model. Its function is to simply:
 Transmit bits over the network media. This layer contains the physical networking
media such as cabling, connectors and repeaters.
 Specify the mechanical, electrical and functional means of establishing and maintaining
the physical connections. That is, how the electrical signals are amplified and
transmitted over the wire. The layer sets the data transmission rate and monitors data
error rates, although it does not provide for error correction — which is done at another
level.

The physical layer thus activates and deactivates the physical connection. A severed wire or a
NIC (network interface card) not seated deeply enough are some of the network problems
that can be experienced at the physical layer.

Data link layer

The second layer of the OSI model is the data link layer. Its primary purpose is to provide a
reliable method of transmitting data across the physical media.

The data link layer divides data it receives from the network layer into frames that can then
be transmitted by the physical layer. A header and trailer are added to the frames. These
allow the destination device to see when a frame begins or ends on the physical media.

The frames are then transmitted sequentially, and the sender’s data link layer waits for an
acknowledgement from the receiver that data was received correctly. If the sender does not
get this acknowledgment, its data link layer gives instructions to retransmit the information.
The data link layer is divided into two sub-layers — the Media Access Control (MAC) sub-
layer and the Logical Link Control (LLC) sub-layer.

Media Access Control (MAC)

The MAC sub-layer is responsible for the physical addressing of devices on the network and
how these devices gain access to the network media. The physical addressing at the data link
layer is called a physical address, because this address is hard-coded into the network
interface card by the manufacturer. The address is also known as the MAC layer address.
Each device has a unique address that provides the necessary information to direct data to and
from devices on the local network.

Logical Link Control (LLC)

The LLC sub-layer is responsible for flow control and error correction at this layer and
provides two service types:

The unacknowledged connectionless service is unreliable as data is transferred with no error

checking. The Connection-oriented service — is slower than the connectionless service, as
Amassing by Fitsum 6
 Hawassa poly college
data is checked for errors using Cyclic Redundancy Checks (CRC). CRC is one method of
detecting errors in transmitted data. Before the data is sent, a CRC number is calculated by
running the data through an algorithm, which produces a unique number. The data is run
through the same algorithm again at the receiving end. If the numbers are the same, the data
was then sent error free. The number generated by the algorithm is called a checksum.

Flow control is important not only at the LLC sub-layer but also at all layers of the OSI
model. It’s important to make sure that the transmitter doesn’t flood the receiver with data
resulting in buffer overflow and lost data.

Network layer
The network layer is responsible for routing information from the sender to the receiver. It
accepts messages from the transport layer, converts them into packets and ensures that the
packets are directed towards their destination. The network layer determines the best path that
the packets should take from point A on one network to point B on another network. It does
this by checking to see if the destination device is on another network.

Transport layer
The prime responsibility of the transport layer is to ensure that the data transferred from point
A to point B is reliable, in the correct sequence and without errors. The transport layer
accepts the data from the session layer and splits it up, if required. It then forwards the data to
the network layer and checks that the data has arrived successfully on the destination device
— this is a connection-oriented service. If an acknowledgement is not received within a
specified period of time, the data is re-sent by the sending device. Acknowledgements are
used to control the flow of data.

Session layer
The session layer allows users to establish a connection — a session. Once the session has
been established the session layer maintains and co-ordinates the communication. For the
user to establish a session, they need to provide a remote address. The address can be a
domain name such as www.tafensw.edu.au or the NetBIOS name of the computer, for
example, Serv007.

Presentation layer
The presentation layer is responsible for translating data into a format that can be
understood by each computer. The important task at this layer is code translation. For
example an IBM mainframe may transmit a message in EBCDIC format to a PC that uses
ASCII format. Despite the coding differences, data can still be displayed on the receiving
device, the PC.

ASCII, EBCDIC, BMP, WAV and UNICODE are examples of presentation layer code
translations. (Refer to Terms for definitions of these.) The presentation layer is also
responsible for data encryption and foreign language translations.

Amassing by Fitsum 7
 Hawassa poly college
Application layer
The application layer is the seventh and last layer of the model. It is the only level at which
the user has direct contact with the model. This layer starts a network application, such as
transferring files, or provides access to the Internet. Do not confuse the application layer with
software such as word processing or spreadsheet applications. The application layer makes
network services such as file, print, message, application and database services available to a
computer’s local operating system.

The application layer determines the quality of service at the lower layers. If a problem
occurs at a lower layer, the application layer provides a means of notifying the user that there
is a problem. The notification is usually in the form of an error message, for example, host
not reachable, printing device not connected, etc.

Amassing by Fitsum 8
 Hawassa poly college

Introduction to TCP/IP
TCP/IP stands for Transmission Control Protocol/Internet Protocol. It is the basic
protocol of the Internet. It is a scalable protocol, which can be used on a small private
network, such as your home network or a company’s private Intranet, or it can be used on a
large company network like the one at Forth Management Associates.

TCP/IP has become the de-facto standard for Internet communications. There are many
reasons for this:
 TCP/IP has been accepted as the industry standard protocol.
 It is a routable protocol suite.
 Almost all computer operating systems support the TCP/IP protocol.
 It allows computers using different operating systems to connect to each other (such as
a UNIX computer to a Windows XP computer).
 It is an open standard — no company has control over the protocol. Anyone is allowed
to use it and develop applications based on it.
 It is a well-designed protocol.

How TCP/IP works

TCP/IP is not just two protocols, but a suite of which includes TCP, IP, UDP, ARP, ICMP
and other sub-protocols. The suite of protocols can be divided into four layers that roughly
correspond to the seven layers of the OSI model, as shown in Figure 3.

Application

Presentation Application

Session

Transport Transport

Network Internet

Data link

Physical Network interface

Figure 3: Approximate correspondence of four layers of TCP/IP to OSI model

TCP/IP is a multiple-layer protocol, which provides an application service as well as a

network service, as can be seen in Figure 4 below.

Amassing by Fitsum 9
 Hawassa poly college

HTTP FTP

Application
Sockets

Transportation TCP UDP

ICMP
Internet IP
ARP

Network
Interface Network Device

Figure 4: TCP/IP application and network services

TCP and IP are the core protocols in the suite, and along with UDP, ICMP, ARP and other
sub-protocols provide a network service.

Internet Protocol (IP)

The Internet Protocol belongs to the Internet Layer of the TCP/IP model. It provides
information on how and where data is to be delivered — a key feature of Internetworking.
For this reason the TCP/IP protocol is able to span more than one LAN segment, usually
through a router.

The IP portion of the data frame is called an IP datagram. The datagram contains information
for routers so that data can be transferred between individual networks.

IP is a connectionless protocol. This means that it does not guarantee delivery of data.
Higher-level protocols use IP information to ensure that data packets are delivered to the right
address.

Transmission Control Protocol (TCP)

TCP belongs to the transport layer of the TCP/IP suite. It provides a reliable data delivery
service known as a connection-oriented service — this means that a connection must be
established between two devices before TCP will transmit data. TCP provides checksum,
flow control and sequencing information, which ensures that the data is reassembled in the
correct order.

Amassing by Fitsum 10
 Hawassa poly college
User Datagram Protocol (UDP)
UDP belongs to the transport layer of the TCP/IP suite. It is a connectionless service — it
does not guarantee that the packets will be received in the correct order and provides no error
checking or sequencing. UDP is used when data needs to be transferred quickly, for example,
in live audio or video transmissions over the Internet.

Internet Control Message Protocol (ICMP)

ICMP belongs to the Internet layer of the TCP/IP suite. It is responsible for notifying the
sending device of a problem with transmission, for example, when packets are not delivered.
It provides a message to the sending device, such as ‘Host unreachable’ (how many times
have you seen this?). ICMP is used by diagnostic utilities, such as PING.

Address Resolution Protocol (ARP)

ARP also belongs to the Internet layer of the TCP/IP suite. ARP is used to determine an
unknown MAC address of a remote device to which a packet is to be sent. The header of an
IP packet contains the MAC and IP address of the source and the MAC and IP address of the
destination. The resulting IP/MAC address information is held on the sending machine in an
ARP table.

Application service
The TCP/IP suite also provides an application service with the protocols:
 Hypertext Transfer Protocol (HTTP)  Telnet
 Hypertext Transfer Protocol security  File Transfer Protocol
(HTTPs) (FTP)
 Simple Network Management Protocol  Simple Mail Transfer
(SNMP) Protocol (SMTP)

Amassing by Fitsum 11
 Hawassa poly college

What is an IP address?
Every device on a network (printer, workstation, server, etc) requires a unique identifier. If all
the devices are on the same local area network, then only a physical (MAC) address is
required. This is the same as saying that all we need to uniquely identify any house in the
same street is to have its house number. However, if the destination device is on a different
network then a logical address is also required. This is the same as saying that all we need to
uniquely identify any house in NSW is to have its house number, its street name and its town
name. The IP address is the logical address that allows data to be sent to devices on different
networks. Logical addresses must conform to the standards and rules of the protocol, thus IP
addresses are assigned according to specific rules and standards and are configured by the
network administrator.

Components of an IP address
An IP address is a 32-bit binary number, for example:

11001011 00111100 00000001 00000010

For ease of use, this is normally represented in a dotted decimal format, eg:

203.60.1.2.

Each 8-bit octet is represented by a whole number between 0 and 255. Each IP address
consists of two fields:
 a net ID field that is the logical network address of the device
 a host ID field, which is the logical device’s address that uniquely identifies each
device on the network.

Together, the net ID and the host ID provide each device on a network with a unique IP
address.

Amassing by Fitsum 12
 Hawassa poly college

Classes of IP addresses
There are five classes of IP addresses, however only three classes are commonly used. Table
1 below shows the commonly used TCP/IP classes.

Table 1: Commonly used TCP/IP classes if IP addresses

Class First Octet Number of Networks Number of addresses per

network

A 1 – 126 126 16, 777, 214

B 128 – 191 16, 384 65, 534
C 192 – 223 2, 097, 154 254

Note: Class D and E are not available for standard network addressing.

You can identify the class of an IP address by examining the first octet.

All nodes in a Class A network share the first octet of their IP address. Class A addresses
range between 1 and 126. An example of a Class A address is 125.10.15.1. The net ID
portion of the IP address is 125 and the host ID portion of the IP address is 10.15.1.

All nodes in a Class B network share the first two octets of their IP address. Class B
addresses range between 128 and 191. An example of a Class B address is 158.10.15.1. The
net ID portion of the IP address is 158.10 and the host ID portion of the IP address is 15.1.

All nodes in a Class C network share the first three octets of their IP address. Class C
addresses range between 192 and 223. An example of a Class C address is 200.10.15.1. The
net ID portion of the IP address is 200.10.15 and the host ID portion of the IP address is 1.
Class A networks have a Class B networks have a
binary address starting with binary address starting with
00 000000 as the first octet: 10 000000 as the first octet;

Binary Decimal Binary Decimal

00 000000 0 10 000000 128

00 000001 1 10 000001 129

00 000010 2 10 000010 130

~~ ~~ ~~ ~~
00 111110 126 10 111110 190
00 111111 127 10 111111 191

As there are only 126 Class A

Class C networks have a
binary address starting with
11 000000 as the first octet.
networks available on the Internet,
most Class A networks have been
reserved by large corporations or
governments. Some IP addresses
have been reserved for network

Amassing by Fitsum 13
 Hawassa poly college
Binary Decimal functions such as broadcasts and
cannot be assigned to devices.
11 000000 192

11 000001 193 As you know, all rules have

exceptions and this also applies to IP
11 000010 194 addressing. The following section
~~ ~~ discusses special IP addresses.
11111110 222
11 111111 223

Special IP addresses
Here are some of the restrictions you should keep in mind — you will need to remember
them!

First octet value of 127

Any address with a first octet value of 127 is a loopback address, which is used for
diagnostics and testing. A message sent to an IP address with the first octet of 127 is returned
to the sender. The IP address 127.0.0.1 is known as the loopback address and is used for this
purpose. Therefore, 127 cannot be used as a net ID, although it is technically a Class A
address.

255 in an octet
255 in an octet is designated as a broadcast. A message sent to 255.255.255.255 is broadcast
to every host on the local network. For example, a message sent to 158.8.255.255 is
broadcasted to every host on network 158.8.

Addresses for private Local Area Networks (LANs)

There are three groups of IP addresses to choose from if you wish to create a private LAN
(for example, an Intranet for a company, for use at home and not on the Internet):
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
The first octet cannot have a value above 223. Those addresses are reserved for multicast and
experimental purposes.

Amassing by Fitsum 14
 Hawassa poly college

Subnet masks
Besides an IP address, every computer on a network must be configured with a subnet mask.
The subnet mask allows routing devices to separate the IP address into its net ID and host ID
portions.

Network management is made easier if a network is broken into smaller segments. However,
a business is allocated a single IP address that covers its net ID address and a range of host ID
addresses. By using some of the host ID bits as segment addresses, segmentation can occur
and network management made easier.

The subnet mask identifies whether a computer is on the same local network or on another
network that needs to be contacted through a router. Subnet masks make it easier and faster to
identify the net ID portion of the IP address. It allows TCP/IP to determine if network traffic
destined for a given IP address should be transmitted on the local network, or whether it
should be routed to a remote network.

A subnet mask should be the same for all computers and other network devices on the same
network segment.

The subnet mask is a 32-bit binary number, broken into four 8-bit octets.

A common subnet mask is 255.255.255.0. This particular subnet mask specifies that TCP/IP
will use the first three octets of an IP address as the network id and the last octet as the host
ID.

The subnet mask is dependent on the class of IP addresses in use on the network. The
following subnet masks are used for the following Classes of IP addresses:
Class A: 255.0.0.0
Class B: 255.255.0.0
Class C 255.255.255.0
Note: If subnet masks are incorrectly configured, routing errors will occur.

How do you obtain an IP address?

IP addresses can be requested from the Internet Corporation for Assigned Names and
Numbers (ICANN) — a non-profit organisation set up to maintain and assign IP addresses.
Here in Australia, various agents such as Internet Service Providers (ISPs) can apply to the
ICANN for IP addresses on your behalf or lease some of their ‘reserved’ IP addresses to you.

An organisation does not normally obtain an IP address for each staff member. The range of
IP addresses a company will lease will depend on the number of servers in the organisation
that will require Internet access such as a web or remote access servers. Most organisations
usually lease a small number of IP addresses. Internally, organisations use addresses from the
private address range to allocate to staff members.

Real IP addresses are allocated to the web and proxy servers, as well as other devices such as
routers that communicate with other devices on the Internet. These devices have a legitimate

Amassing by Fitsum 15
 Hawassa poly college
IP address, however, the workstations and other devices on the company’s network use
addresses from the private ranges.

A NAT (Network Address Translation) server can be used to hide the IP addresses assigned
to devices on the network from any public network, such as the Internet. When a node’s
transmission reaches the IP gateway, the gateway assigns the client’s transmission with a
valid IP address. In this way, the company’s internal IP addresses are protected and network
administrators have more flexibility in assigning addresses.

Amassing by Fitsum 16
 Hawassa poly college

Binary and decimal conversion

Computers store information in binary form, that is, in 0s or 1s. Binary uses the Base2
counting system. To create subnets and work out the decimal equivalents of the binary bit
pattens, it’s useful to learn how to convert decimal numbers into binary and vice versa
(without a calculator!)

To convert a number into binary or decimal it is best to use this table.

0/1 0/1 0/1 0/1 0/1 0/1 0/1 0/1

First row: the 0/1 refers to the value of a bit, that is, zero or one
27 26 25 24 23 22 21 20

Second row: represents the binary system; increases in value to the power of 2 (as opposed to
the decimal system, which increases to the power of 10)
128 64 32 16 8 4 2 1

Third row: the decimal values of the second row.

Rules for converting

Using the table above, you will need to apply the following rules:
 multiply the bit by its positional decimal equivalent
 add the value of the decimal equivalents of all the bits to determine the total decimal
value of the binary number.

For example
1 1 0 0 1 0 1 1
X X X X X X X X
128 64 32 16 8 4 2 1
128 64 0 0 8 0 2 1
Decimal value = 203
0 0 1 1 1 1 0 0
Decimal value = 60
0 0 0 0 0 0 0 1
Decimal value = 1
0 0 0 0 0 0 1 0
Decimal value = 2

So, the IP address 203.60.1.2 203 60 1 2

has the corresponding binary 11001011 00111100 00000001 00000010
values:

In binary within a computer, this would be stored as: 11001011001111000000000100000010

Amassing by Fitsum 17
 Hawassa poly college

Sub netting
A large network can be divided into smaller or multiple networks by subdividing a single
class of IP addresses. Network Administrators can use one class of addresses for several
network segments. A subnetted address includes the network, subnet, and host information.

Say your organisation is assigned a Class B network ID of 152.77.0.0. The standard subnet
mask would be 255.255.0.0. The number of valid IP addresses would range from 152.77.0.1
to 152.77.255.254. To divide this range of IP addresses into 6 networks you would need to
apply the formula:

2n –2 where n = to the number of bits.

In the above example, the standard subnet mask is 255.255.0.0.which when converted to
binary is: 11111111.11111111.00000000.00000000.

By borrowing 3 bits, the new subnet mask becomes: 1111111.11111111.11100000.00000000

— which converts to the decimal format: 255.255.224.0. In this example, a 3-bit subnet mask
is used. There are 6 (23 –2) subnets available with this subnet mask. Remember that subnets
with all 0s and all 1s are not allowed — these are reserved for specifying the local network.
The valid range of IP addresses for the five subnets is shown in Table 2.

Table 2: Valid range of IP addresses for five subnets

Subnet bits Network number Node Addresses

001 152.77.32.0 152.77.32.1 to 152.77.63.254

010 152.77.64.0 152.77.64.1 to 152.77.95.254
011 152.77.96.0 152.77.96.1 to 152.77.127.254
100 152.77.128.0 152.77.128.1 to 152.77.159.254
101 152.77.160.0 152.77.160.1 to 152.77.192.254
110 152.77.192.0 152.77.192.1 to 152.77.223.254

The combination of an address’s network and subnet information becomes an extended

network prefix. The extended network prefix, enables a device to determine the subnet to
which the address belongs. Subnet masks allow you to sub-allocate network addresses.
Subnetting, is a complex procedure, which you can learn more about with further reading and
after completing this unit.

Websites providing further exercises and examples of subnetting can be found in the
Research section of this Learning Pack.

Amassing by Fitsum 18
 Hawassa poly college

Routing
A router is a device that determines the next network point to which a packet should be
forwarded toward its destination. The router is connected to at least two networks and decides
which way to send each information packet based on its current understanding of the state of
the networks it is connected to.

Routers create and maintain a table of the available routes and their conditions and use this
information along with the distance to determine the best route for a given packet. Typically,
a packet may travel through a number of network points with routers, before arriving at its
destination. Routing is a function associated with the network layer (layer 3) in the standard
model of network programming, the OSI model.

In most cases, a router is located at any gateway (where one network meets another). In
Figure 5 below two networks are connected by a router with IP address 192.168.1.1 and
203.60.1.4, subnet mask 255.255.255.0. The router acts as a gateway and will handle all the
incoming and outgoing network traffic, and as can be seen in Figure 5, the router will handle
the traffic between these two networks, which will also apply to the way the router connects
to the Internet.

203.60.1.1 203.60.1.2 203.60.1.3

203.60.1.4

192.168.1.1

192.168.1.2 192.168.1.3 192.168.1.4

Figure 5: Two networks connected by a router

Routing tables
TCP/IP hosts use a routing table to maintain knowledge about other IP networks and IP hosts.
As you now know, using an IP address and a subnet mask identifies networks and hosts.

In addition, routing tables are important because they give needed information to each local
host regarding how to communicate with remote networks and hosts.

Amassing by Fitsum 19
 Hawassa poly college
For each computer on an IP network, you can maintain a routing table with an entry for every
other computer or network that communicates with the local computer. In general, this is not
practical, and a default gateway (IP router) is used instead.

When a computer prepares to send an IP datagram, it inserts its own source IP address and
the destination IP address of the recipient into the IP header. The computer then examines the
destination IP address, compares it to a locally maintained IP routing table, and takes
appropriate action based on what it finds. The computer does one of three things, it:
 passes the datagram up to a protocol layer above IP on the local host.
 forwards the datagram through one of its attached network interfaces.
 discards the datagram.

IP searches the routing table for the route that is the closest match to the destination IP
address. The most specific to the least specific route is searched for in the following order:
 a route that matches the destination IP address (host route)
 a route that matches the network ID of the destination IP address (network route)
 the default route.

Figure 6 shows a default routing table that can be accessed through the command prompt
‘route print’. It shows the current IP address and subnet mask of the local interface card and
where it should forward its network traffic, in this case 0.0.0.0 of network destination will
have to forward to 192.168.0.1. This means that all traffic will be handled by the 192.168.0.1
(which is default gateway/router), and the router will decide where to forward the traffic.

Figure 6: A default routing table

Amassing by Fitsum 20
 Hawassa poly college

IP Version 6 (IPv6)
For over 20 years now, the IT industry has been using IPv4. As you have read, with IPv4, IP
addresses are unique — each computer or device on the network is allocated an IP address
and a subnet mask. By the late 1980s it was realised that the world would run out of IP
addresses and work began on the IP Next Generation (IPng) project: IPv6.

IPv4 uses a 32-bit address space, which permits an absolute maximum of 232 (4,294,967,296)
hosts to connect to the Internet at any given time. Today, not only do businesses, government
departments and schools have Internet access, but also most homes have at least one
computer that accesses the Internet.

IPv6 addresses are four times as long as IPv4 addresses and at 128 bits provide an absolute
maximum of 2128 individual hosts. This is roughly 340 billion billion billion different hosts!
(Would you like to check this calculation!)

IPv6 is now included as part of IP support in many products, from 3Com and Hitachi, and
including the major computer operating systems. There are no plans (at this stage anyway)
for a cutover date when IPv6 would be turned on and IPv4 turned off.

One of the strategies chosen for the upgrade is to deploy the IPv6 protocol stack in parallel
with IPv4. This means that hosts that upgrade to IPv6 will continue to exist as IPv4 hosts at
the same time.

An experimental IPv6 backbone or 6bone, has been set up to handle IPv6 Internet traffic in
parallel with the regular Internet. These devices will continue to have 32-bit IPv4 addresses
but will add 128 bit IPv6 addresses.

We suggest you do some follow up reading on IPv6 at: http://www.ipv6.org/

Amassing by Fitsum 21
 Hawassa poly college
LO2: Install and configure Internet Infrastructure and
services
TCP/IP services
TCP/IP is the basic protocol of the Internet and is comprised of other protocols including
UDP, ARP and ICMP. The TCP/IP protocol suite also provides a number of useful services,
which include:
 Dynamic Host Configuration Protocol (DHCP)
 Windows Internet Naming Service (WINS)
 Domain Name Service (DNS)
 Hypertext Transfer Protocol (HTTP).

With all the new Windows operating systems TCP/IP is automatically installed during the
installation of the operating system. You can choose to configure your computer with an IP
address during the installation or wait until after the installation has been completed.

Dynamic Host Configuration Protocol

(DHCP)
Dynamic Host Configuration Protocol (DHCP) enables the assignment of dynamic TCP/IP
network addresses on a first come, first served basis, based on a specified pool of available
addresses. An organisation may only have a limited number of IP addresses to be shared
among the client computers. By configuring the DHCP server with a pool of IP addresses,
these addresses can then be shared by the users within the organisation, thus simplifying IP
address administration.

The client computer is configured to obtain an IP address automatically from a DHCP server.
When the client machine starts up, the DHCP service assigns the next available TCP/IP
address for the period of the lease, as configured on the server. The DHCP server can also be
configured to assign the same IP address to a particular machine every time it starts up. The
DHCP server service is installed and configured on a server computer.

Figure 1 below shows the configuration of an IP address scope on a DHCP server. Any
computer starting up on this network will be allocated an IP address from the range
192.168.1.1 to 192.168.1.100.

Amassing by Fitsum 22
 Hawassa poly college

Figure 1: IP address scope on a DHCP server

For a client computer to be allocated an IP address, you will need to check the option ‘Obtain
an IP address automatically’ from the TCP/IP Properties window as can be seen in Figure
2.

Figure 2 below shows an example of how TCP/IP properties are configured for automatic
assignment of an IP address on a client computer. To get to this screen on a Windows 2000 or
XP computer, you will need to go to:
My Network Places / Local Area Connection, Properties / TCP/IP Properties.

Amassing by Fitsum 23
 Hawassa poly college

Figure 2: Configuration for automatic assignment of an IP address on a client computer

Once you have chosen to obtain an IP address automatically, the Advanced TCP/IP Setting
option will display that DHCP has been enabled on the client computer, as can be seen from
Figure 3 below.

Amassing by Fitsum 24
 Hawassa poly college

Figure 3: Advanced TCP/IP Settings show that DHCP has been enabled

Amassing by Fitsum 25
 Hawassa poly college

Windows Internet Naming Service (WINS)

Windows Internet Naming Service (WINS) enables the resolution of computer names to IP
addresses. When an operating system is first installed on a computer one of the tasks is to
configure the computer with a unique name known as the NetBIOS name. The NetBIOS
name can contain up to 15 characters, for example, ACCOUNTS1, or LEGAL or PHILLIP.
The computer name must be unique and no two computers on the network can have the same
name.

By having a unique name for each computer, an administrator or user on the network does
not need to remember the IP address of the client computer. To communicate with another
computer on the network you need only enter the name of the computer — the operating
system does the rest.

WINS maintains a database on the server that accepts requests from Windows or DOS clients
to register with a particular NetBIOS name. The server keeps track of which NetBIOS names
are linked to which IP addresses. Because WINS manages the mappings between IP
addresses and NetBIOS names, clients do not have to broadcast their NetBIOS names to the
rest of the network. The elimination of this broadcast traffic improves network performance.

The WINS Server service is installed on a server computer; however, both a Windows server
computer and a workstation can use the WINS server to resolve network names.

Figure 4 below shows how a user adds the IP address of the WINS server in the Advanced
TCP/IP Settings window from the WINS tab.

Figure 4: IP address of WINS server added in the TCP/IP properties on the client computer

Amassing by Fitsum 26
 Hawassa poly college

Domain Name Service (DNS)

The Domain Name Service (DNS) was introduced in 1984 when the Internet was a relatively
small network established by the US Defence Department for research. DNS lets us use
hierarchical, friendly names to easily locate computers and other resources on a TCP/IP
network that contains data similar to the Yellow Pages.

DNS is a database that contains mappings of DNS domain names, such as ‘legal.forth.com’
to an IP address. DNS is a:
 mechanism for querying and updating the database
 mechanism for replicating information in the database among servers
 schema for the database.

The DNS is implemented as a hierarchical system including host names and domain names.
The names in a DNS database form a hierarchical tree structure called the domain name
space. Domain names have individual labels separated by stops or dots (.) for example:
legal.forth.com.

A Fully Qualified Domain Name (FQDN) uniquely identifies where the host is located within
the DNS hierarchical tree by specifying a list of names separated by dots on the path from the
referenced host to the root server.

Figure 5 below shows an example of a DNS tree with a host called ‘legal’ within the
‘forth.com.’ domain. The FQDN for the host would be legal.forth.com.

.Root

.com .edu .net .gov .xx

(country)

.forth

.legal
FQDN: legal.forth.com

Figure 5: An example of a DNS tree

The DNS service resolves computer names to IP addresses, such as resolving the computer
name ‘legal.forth.com’ to the IP address 203.70.1.2.

Domain names must be registered with an Internet naming authority that works on behalf of
the ICANN (Internet Corporation for Assigned Names and Numbers). ICANN has
established conventions for the Top Level Domains (TLDs) that apply to every type of
organisation that uses the Internet, an example of which can be seen in Table 1 below.
Existing abbreviations are reserved for use by organisations, as well as two- and three-letter
abbreviations used for countries.

Amassing by Fitsum 27
 Hawassa poly college
Table 1: Criteria for domain name registration

DNS domain name Type of organisation

com Commercial organisations

edu Educational institutions
org Non-profit organisations
gov Non-military government organisations
net Networks (the backbone of the Internet)
mil Military government organisations
arpa Reverse DNS
xx Two-letter country code for example:

.au for Australia .jp for Japan .ca for Canada

Accredited registrars carry out registration, and each country has its own controlling body. In
Australia this is currently the Australian Domain Names Authority (AuDA), which accredits
local registrars such as NetRegistry. Figure 6 below shows the IP address of the Domain
Name Server configured on the client computer.

Figure 6: Domain Name Server configuration on a client computer

Amassing by Fitsum 28
 Hawassa poly college

Installing and configuring TCP/IP

With most recent Windows operating systems the TCP/IP protocol is automatically installed
during installation of the operating system. By default, the TCP/IP settings are set to ‘Obtain
an IP Address Automatically’, that is, through a DHCP server.

If a DHCP server cannot be located by the workstation when it starts, the workstation will
automatically be assigned an address from the range 169.254.0.1 to 169.254.255.254. This
range is set aside by the Internet Assigned Numbers Authority (IANA) for this purpose. The
workstation broadcasts its intended use of the randomly chosen address to ensure that no
other workstation on the same network has chosen the same address.

You will need to determine if you will be manually configuring TCP/IP on your computer, or
whether a DHCP server will assign IP addresses to all computers on the network.

Manual configuration
If you are required to manually configure your computer with an IP address, you will need to
have the following information to hand:
 Your workstation’s IP address. This is the unique address that identifies a particular
computer on a TCP/IP network. This consists of four numbers, separated by a dot, for
example: 203.60.1.2.
 Your network’s subnet mask for each network adapter on the network. The subnet
mask is a number mathematically applied to the IP address that determines the
network that the computer belongs to. For example, given the subnet mask of
255.255.255.0 to the above IP address 203.60.1.2, the net ID is 203.60.1.0 and the
host ID is 0.0.0.2.
 Your default gateway. The default gateway is a device that servers as a router. If a
default gateway is not specified, the computer is unable to communicate with other
devices outside its subnet, that is, outside its own network.
 The domain name server for the network. This is a computer that serves as an Internet
host and performs translation of Fully Qualified Domain Names (FQDNs) into IP
addresses.

Figure 7 shows manual configuration of an IP address, subnet mask, and default gateway
with preferred and alternate DNS servers.

Amassing by Fitsum 29
 Hawassa poly college

Figure 7: Manual configuration of an IP address, subnet mask, default gateway with preferred and
alternate DNS servers

Automatic configuration
For automatic configuration, a user just needs to check the ‘Obtain an IP address
automatically’ option in the Internet Protocol Properties window. The DHCP server will
then configure all the information without any input from a user. The server will assign:
 an IP address
 subnet mask.

If an organisation has been assigned a range of IP addresses for use by staff, this range can be
created as the scope for the DHCP server, accompanied by a subnet mask, default gateway,
DNS and WINS, if they have been configured.

Figure 8 below shows the TCP/IP configuration information of the computer with a host
name of G1C1. What information can you see from this screen?

Amassing by Fitsum 30
 Hawassa poly college

Figure 8: TCP/IP configuration of the computer named G1C1

TCP/IP tools
Once TCP/IP has been configured, there are a few tools that can be used to check to see if
TCP/IP has been configured correctly on your computer.

IPCONFIG/ALL command
As you can see from Figure 8 above, the command IPCONFIG/ALL displays all the current
local TCP/IP configuration information, including:
 the host name
 MAC address of the network adapter as well as its brand and type
 whether this interface has been configured to use DHCP
 IP address of the host
 subnet mask
 default gateway
 DHCP server
 when an IP address was leased (obtained) and is due to expire.

Amassing by Fitsum 31
 Hawassa poly college

PING
PING is a tool to determine the connectivity between two nodes. This command is used from
the command line, and as you can see from Figure 9, you can use PING with the loopback
address, 127.0.0.1 or the host’s own IP address. You can also PING any other valid address
of a host, on this or any connected network.

Figure 9: The PING command

NSLOOKUP
NSLOOKUP is a tool to determine whether DNS has been successfully configured.

TRACERT
TRACERT displays the route taken by the Internet Control Message Protocol (ICMP) to a
remote host.

NETSTAT
NETSTAT displays the current connectivity information such as port number and any
connected ‘foreign’ IP address.

Amassing by Fitsum 32
 Hawassa poly college

LO 3: Internet Connection Models

Many businesses require an Internet connection as part of the standard network facilities
required to operate effectively. Email, ordering supplies, electronic banking and Web
research facilities are all now common business activities.

However, connecting your local business network to the Internet is not without risk. The
Internet in the 21st Century is a place of hackers and viruses. Visible Internet hosts may
receive thousands of hacking attempts each day as part of the ‘normal’ network traffic
brought in by an Internet connection.

So what are the issues that should be considered in the design, installation and management
of an Internet connection?

There are a range of Internet connection types available, each with their own costs and
benefits. Every type of Internet connection will require an Internet Service Provider (ISP). An
ISP is a network that you connect to, which inturn has another connection to other parts of the
Internet. This is why the Internet is often referred to as ‘The Web’, a maze of interconnecting
networks, each network paying for access to the other networks.

Internet Connection Hardware/Software

To connect a LAN to the Internet, a number of additional pieces of hardware and software are
required. The type of network connection will determine the actual equipment used, but the
following is required as a minimum:
 IP LAN segment.
 Valid IP address range
 Gateway
 WAN link

More complicated LAN Internet connections may require further equipment, but the above
items will provide a ‘standard’ level of Internet connectivity.

IP LAN Segment.
For Internet connectivity, the local LAN segment must run as an IP network segment. Each
machine must have an IP address. DHCP may be implemented to assist in the management of
IP address allocation to computer hosts. DNS would also be present to allow client computers
to use domain names to access resources instead of the numerical IP address.

Valid IP address range

IP addresses must be unique on a network – in other words, no two devices can have the
same IP address. When connecting an entire LAN segment to the Internet, the organisation’s
IP addressing scheme must be revised. For all of the computers on the LAN segment to be

Amassing by Fitsum 33
 Hawassa poly college
visible on the Internet, all must have valid IP addresses. To achieve this, an entire IP network
(or subnet) range of addresses must be leased.

Most businesses do not go to the expense of leasing a new set of IP addresses to allow their
computers access the Internet. Normally, only one valid IP address is required for the local
network to have access to the Internet and the ISP would supply this address. This means that
only a single host system would be visible on the Internet.

The valid IP address would then be given to the router gateway that connects the LAN to the
Internet. It is this device that provides the Network Address Translation (NAT) service to
computers on the LAN. NAT allows the local network segment to use private IP addresses,
which are hidden from the internet. The local network’s IP addresses are then replaced by the
one valid IP address (public) when the network traffic goes through the gateway to the
Internet.

Gateway
A gateway is simply a device that links two different networks together. In the context of the
IP network behaviour, the gateway has a special role. It is the device where any network
traffic is sent that is addressed to a non-local host (one that is on a different IP network). The
gateway device provides a link between the local LAN segment and the ISP’s network.
Gateways, often implemented as routers, come in many forms. Common types of gateways
are ADSL routers, Ethernet routers, Dialup routers and PC-based routers just to name a few.

The gateway must have network interfaces that match the WAN connection media to the ISP
as well as the LAN connection media to the local network. So the purchase of an appropriate
gateway is specific to the inter-network situation.

WAN Link
Normally the ISP that the local LAN connects to is physically remote from it. As a result, a
Wide Area Network (WAN) link is required to join the networks. While standard dialup
telephone lines provide this link for many home computers, higher speed ISDN and ADSL
broadband connections are popular where available. While ADSL is quite common in
metropolitan areas, ISDN still has a role for small businesses in many areas of NSW where
ADSL is not available. Large businesses will use even higher speed links often implemented
as a T1 connection. As with most capacity related services, it all comes down to cost.

Internet Connection Topologies

The term topology is related to the layout of the network. In the examples below the
topologies are not meant to represent the physical layout in a particular office environment,
but rather the network connections that exist between network components, where the device
names given refer to their functions. In many cases, especially on the ISP side, a single piece
of hardware may provide multiple routing interfaces instead of having racks of individual
routers.

The most common types of Internet connection topologies are listed below.

Amassing by Fitsum 34
 Hawassa poly college
Basic Internet Gateway with Leased IP address range.

A basic IP based LAN with an Internet gateway connecting it to an ISP is a simple network.
Here the client’s gateway router is connected to the ISP’s router through an ADSL or ISDN
segment. This network segment will normally hold a small two-IP-address subnet of public
IP addresses, one address for each router ADSL/ISDN interface.

Figure 1: Diagram of basic internet gateway

In this example the local LAN administrator has arranged for both an ISP connection as well
as a leased IP address range. Normally this will take the form of a subnet of an existing
network range managed by the ISP. The domain of the local network would normally be
registered and the DNS server linked to the parent DNS. The HTTP Servers on the client
network could host a public company web site and a public email service. Because the client
network is fully integrated in the Internet, they could use video streaming, voice over IP and
all other Internet available facilities. The public IP addresses of the client network’s Gateway
Router, DNS and Web-related servers would be static (fixed).

Basic Internet Gateway with NAT Server.

An Internet connection using Network Address Translation (NAT) is a common type of
network used by business. This type of network is used where the client network requires
only limited Internet access such as browsing.

All of the client computers linked to the gateway router running NAT will have a private,
non-routable IP address. The NAT router substitutes its own public IP address in place of the
private IP address of the internal network, every time a packet goes out from the client’s
network to the Internet.

This will make these machines invisible to the Internet. As a result Internet based services
such as Email and the client’s HTTP site must be hosted on the ISP’s servers, instead of
being located within the client network. The client network will not normally have a domain
name for their network as it only consists of one public IP address – that held by the ADSL
interface of the gateway router.

Amassing by Fitsum 35
 Hawassa poly college

Figure 2: Diagram of internet gateway with NAT server

This type of network minimises exposure to hacking attempts, as the client’s internal network
is invisible to the Internet. However, it still allows for viruses to enter via email messages and
downloaded files. The public IP addresses of the client network’s Gateway Router may be
allocated as either dynamic or static.

Basic Internet Gateway with DMZ.

This type of network connection is a combination of the previous two. Here the client
network leases a small public IP subnet, will have its own domain name, web sites, and email
servers, while their local LAN segment is protected by the NAT router at a lower level. This
model is normally used by businesses that require full Internet capabilities as well as the
security of isolating their internal network segment.

Amassing by Fitsum 36
 Hawassa poly college

Figure 3: Diagram of internet gateway with DMZ

The De-Militarized Zone (DMZ) refers to a section of the network that has full Internet
access but is partially protected by a firewall. Firewalls are discussed in the next section.

It is also possible to link other networks to any existing router in the client network. This
would be achieved by providing the existing routers with an additional WAN interface
leading to the other network. The public IP addresses of the client network DMZ’s Gateway
Router, DNS and Web-related servers would be static (fixed).

Basic Firewall and Proxy Features

Firewalls
A firewall refers to a type of service that may be hosted on a variety of devices. Gateway
routers can have firewalls, computers can have firewalls and dedicated firewall devices are
also available. Importantly, a firewall protecting a network segment has two network
interfaces. One network interface is connected to the unrestricted Internet and the other
provides filtered network traffic for the internal client network.

A firewall examines all traffic wanting to enter the internal network. The network traffic is
compared to a set of selection rules and if the traffic does not meet the requirements, is
discarded. For example, a client Internet site may only want to allow incoming packets
addressed to the HTTP server 203.34.200.150 using port 80. If that rule is set up in the
firewall, all packets trying to pass the firewall that do not match that rule are discarded.

The reason that a network segment protected by a firewall is often referred to as a DMZ is
that the firewall provides a degree of protection, while still allowing some amount of Internet

Amassing by Fitsum 37
 Hawassa poly college
traffic. The local network is not, however totally protected. Remember, the only way to be
totally protected from the Internet is to disconnect your network from it!

When configuring a firewall, examine the types of services you want to provide to the
Internet from the computers that hold visible public IP addresses. They may include services
such as Email, HTTP, HTTPS, FTP, terminal services, etc. Each of these services will be
available on a specific IP address and will send its traffic through a specific port number. The
IP address will be the IP address of the computer hosting the service. The port number can be
found from the software supplier of that service. Some port numbers are standard. HTTP
traffic for example needs port 80 to be available. By matching your incoming traffic filter to
your services you can secure your network.

Figure 4: Diagram showing best locations for firewall

If you are trying to protect the network from denial of service (DOS) attacks, then the
firewall must be as close to the Internet source as possible. Some ISP’s can provide (at a cost)
basic firewall filtering of traffic before it enters your network. If incoming traffic has to
‘bounce’ around the client network before being filtered at the destination computer (as many
personal firewall products do), then it has already degraded your network service. This type
of DOS attack is most effective against slow devices, such as routers and their WAN links.

Proxy Servers
Proxy servers are used as a traffic minimisation device. A proxy server is used as an
intermediary. It takes requests for Internet data from a client computer, gets the data from the
Internet site and keeps a local copy of that data for itself. The next time that data is requested,
it will provide its local copy of the data instead of accessing the data from the original
Internet site. This reduces Internet traffic in an environment where many users require access
to the same data. By themselves, they do not provide any security, but can save large amounts
of network traffic. Remember most ISP connections (especially ADSL and other broadband
options) are charged by traffic volume.

Amassing by Fitsum 38
 Hawassa poly college
Types of ISP accounts
There are many types of ISP accounts or plans available today. Tomorrow, there will be
others. It is a constantly changing marketplace, with many similarities to the marketing of
mobile phones.

There are a number of features that need to be considered when selecting the best type of
account for a client. Most ISP plans are based on a recurring monthly fee. The amount
charged will be depend upon the:
 connection type and speed,
 traffic and time allowances,
 number of IP addresses,
 value added services such as Email hosting or Web hosting.

Connection Type and Speed

One of the main determining factors of the monthly cost of an ISP connection relates to the
network type and its speed. Different fee structures are used for Dialup plans, ADSL, ISDN
or satellite. ADSL and ISDN will have a range of plans depending upon the different network
speeds available.

When deciding on a type of network connection to use, check the following:

 Availability: Not all network types are available at all locations.
 Installation costs: ADSL, ISDN and Satellite plans will all have additional
installation costs.
 Reliability: Some of these connections are more reliable than others. ADSL for
example may have some level of unavailability each day.

Traffic/Time allowances
The other main determining factor is the ISP’s allowance of network traffic or network time
for your monthly fee. Many ISPs will differ in the amount of traffic or time the connection is
allowed to use each month. Some ISP connections, such as ADSL are only interested in
traffic volume, as ADSL is a permanently connected digital service. Dial-up ISP accounts
mainly record time usage. ISDN ISP packages may record both time usage and network
traffic.

Some ISPs charge additional monthly fees when the estimated traffic volume or time limits
are exceeded. This can be very expensive! Others simply reduce the network speed for the
balance of the month. This is a safer approach that is often referred to as an unlimited
account.

Dial-up and ISDN accounts may have a duration of connection restriction with a set time
limit before being forcibly disconnected with a minimum time before you can reconnect.
Such a restriction may be unsuitable for businesses and a premium business account may
need to be used.

Amassing by Fitsum 39
 Hawassa poly college
Number of IP addresses

ISPs will normally provide one public IP address per connection by default. This IP address
will be held by the computer’s dialup adapter, in the case of a modem connection and by the
router if a network shares the connection. As shown in the Internet Connection Models
shown previously, one address may or may not suit the client’s needs.

Additional IP addresses cost more. So examine the type of Internet connection that is
required by the client carefully.

Value Added Services

There will be additional costs for email, Web hosting, traffic filtering or domain hosting
services that the client network may require. Once again, evaluate the client’s requirements.

Amassing by Fitsum 40
 Hawassa poly college

LO4: Ensure user accounts are verified for security

Making Networks Secure
Planning for security is an important element in designing a network. It is far easier to
implement a secure network from a plan than it is to recover from data loss. This lesson
presents an overview of network security. We examine two primary models for ensuring data
security and take a look at how to secure the physical components of a network.
After this lesson, you will be able to:
 List the basic security requirements for a network.
 Describe ways to restrict access to the network by unauthorized users.
 Describe the features of password-protected shares and access permissions.
 Identify the common types of computer viruses and describe ways to protect
against them.

Estimated lesson time: 35 minutes

Planning for Network Security

In a networking environment there must be assurance that sensitive data will remain private.
Not only is it important to secure sensitive information, it is equally important to protect
network operations from deliberate or unintentional damage.
Maintaining network security requires a balance between facilitating easy access to data by
authorized users and restricting access to data by unauthorized users. It's the job of the
network administrator to create this balance.
Even in networks that handle sensitive and valuable business data, security is sometimes an
afterthought. Four major threats to the security of data on a network are:
 Unauthorized access.
 Electronic tampering.
 Theft.
 Intentional or unintentional damage.
Despite the seriousness of these threats, data security is not always implemented or supported
properly. The administrator's task is to ensure that the network remains reliable and secure,
free from those threats.

Level of Security
The extent and level of the network security system required depends on the type of
environment in which the network is running. A network that stores data for a major bank, for
example, requires more extensive security than a LAN that links the computers in a small
community volunteer organization.

Amassing by Fitsum 41
 Hawassa poly college
Setting Policies
Making a network secure requires establishing a set of rules, regulations, and policies so that
nothing is left to chance. The first step toward ensuring data security is to implement policies
that set the tone and help to guide the administrator and users through changes, both expected
and unplanned, in their network's development.

Prevention
The best way to design data security policies is to take a proactive, preventive approach.
When unauthorized access is prevented, the data remains secure. A prevention-based system
requires that the administrator understand the tools and methods available with which to keep
data safe.

Authentication
To access a network, a user must enter a valid user name and password. Because passwords
are linked to user accounts, a password authentication system is the first line of defense
against unauthorized users.
It is important not to let overreliance on this authentication process fool you into a false sense
of security. For example, in a peer-to-peer network, almost anyone can log on with a unique
name and password. This alone can provide a user with complete access to the network, so
that anything that is shared becomes available to that user. Authentication works only in a
server-based network in which the user name and password must be authenticated from the
security database.

Training
Unintentional errors can lead to security failures. A well-trained network user is less likely
than an inexperienced novice to accidentally cause an error and ruin a resource by
permanently corrupting or deleting data. Figure 10.1 illustrates such a problem.
The administrator should ensure that everyone who uses the network is familiar with its
operating and security procedures. To accomplish this, the administrator can develop a short,
clear guide to what users need to know, and require that new users attend appropriate training
classes.

Securing Equipment
The first step in keeping data safe is to provide for the physical security of the network
hardware. (Establishing and maintaining an optimal environment for the physical network is
discussed in detail in Lesson 2.) The extent of security required depends on:
 The size of the company.
 The sensitivity of the data.
 The available resources.
In a peer-to-peer network, there is sometimes no organized hardware-security policy, and
users are responsible for the security of their own computers and data. In a server-based
network, security is the responsibility of the network administrator.

Securing the Servers

Amassing by Fitsum 42
 Hawassa poly college
In a larger, centralized system, in which much individual user and organization data is
sensitive, it is important to secure the servers from accidental or deliberate tampering.
It is not uncommon for some individuals to want to demonstrate their technical abilities when
the servers have problems. They may or may not know what they are doing. It is best to
tactfully prevent these people from "fixing" the server. The simplest solution is to lock the
servers in a dedicated computer room with limited access; depending on the size of the
company, this might not be workable. Locking the servers in an office or even a large storage
closet is often practicable and goes some way toward securing the servers.

Securing the Cables

Copper media, such as coaxial cable, much like a radio emits electronic signals that mimic
the information it carries. Information carried in these signals can be monitored with
electronic listening equipment. Copper cable can also be tapped into so that information can
be stolen directly from the original cable.
Cable runs that handle sensitive data should be accessible only to authorized people. Proper
planning can make cable runs inaccessible to unauthorized people. For example, cable can be
run inside the building structure, through ceilings, walls, and floors.

Security Models
After implementing security for the network's physical components, the administrator needs
to ensure that the network resources will be safe from both unauthorized access and
accidental or deliberate damage. Policies for assigning permissions and rights to network
resources are at the heart of securing the network.
Two security models have evolved for keeping data and hardware resources safe:
 Password-protected shares
 Access permissions
These models are also called "share-level security" (for password-protected shares) and
"user-level security" (for access permissions).

Password-Protected Shares
Implementing password-protected shares requires assigning a password to each shared
resource. Access to the shared resource is granted when a user enters the correct password.
In many systems, resources can be shared with different types of permissions. To illustrate,
we use Windows 95 and 98 as examples
Read Only If a share is set up as Read Only, users who know the password have Read access
to the files in that directory. They can view the documents, copy them to their machines, and
print them, but they cannot change the original documents.
 Full With Full access, users who know the password have complete access to the files
in that directory. In other words, they can view, modify, add, and delete the shared
directory's files.
 Depends On Password Depends On Password involves setting up a share that uses
two levels of passwords: Read access and Full access. Users who know the Read
access password have Read access, and users who know the Full access password
have Full access.
Amassing by Fitsum 43
 Hawassa poly college
The password-protected share system is a simple security method that allows anyone who
knows the password to obtain access to that particular resource.

Access Permissions
Access-permission security involves assigning certain rights on a user-by-user basis. A user
types a password when logging on to the network. The server validates this user name and
password combination and uses it to grant or deny access to shared resources by checking
access to the resource against a user- access database on the server.
Access-permission security provides a higher level of control over access rights. It is much
easier for one person to give another person a printer password, as in share-level security. It is
less likely for that person to give away a personal password.
Because user-level security is more extensive and can determine various levels of security, it
is usually the preferred model in larger organizations.

Resource Security
After the user has been authenticated and allowed on the network, the security system gives
the user access to the appropriate resources.
Users have passwords, but resources have permissions. In a sense, a security fence guards
each resource. The fence has several gates through which users can pass to access the
resource. Certain gates allow users to do more to the resource than other gates. Certain gates,
in other words, allow the user more privileges with the resource.
The administrator determines which users should be allowed through which gates. One gate
grants the user full access to or full control of a resource. Another gate grants the user read-
only access.
As shown in Figure 10.2, each shared resource or file is stored with a list of users or groups
and their associated permissions (gates).
NOTE

Different network operating systems (NOSs) give different names to these permissions. The
following table shows some of the typical permissions that can be set on Windows NT Server
directories.

Permission Functionality
Read Reads and copies files in the shared directory.
Execute Runs (executes) the files in the directory.
Write Creates new files in the directory.
Delete Deletes files in the directory.
No Access Prevents the user from gaining access to directories, files, or resources.

Group Permissions
The administrator's job includes assigning each user the appropriate permissions to each
resource. The most efficient way to accomplish this is through groups, especially in a large

Amassing by Fitsum 44
 Hawassa poly college
organization with many users and resources. As shown in Figure 10.3, Windows NT Server
allows users to select the file or folder for which they want to set group permissions.
Permissions for groups work in the same way as they work for individuals. The administrator
reviews which permissions are required by each account and assigns the accounts to the
proper groups. This is the preferred method of assigning permissions, rather than assigning
each account's permissions individually.
Assigning users to appropriate groups is more convenient than having to assign separate
permissions to every user individually. For example, giving the group Everyone full control
of the public directory might not be the best choice. Full access would allow anyone to delete
or modify the contents of the files in the public directory.
In Figure 10.4, the group Everyone has been granted Read access to the directory public. This
allows members of the group Everyone to read, but not delete or modify, the files in the
public directory.
The administrator could create a group called Reviewers, grant complete access permissions
to the student files to that group, and assign staff to the Reviewers group. Another group,
called Faculty, would have only Read permissions in the student files. Faculty members
assigned to the

Security Enhancements
The network administrator can increase the level of security on a network in several ways.
This section explores some of the options.

Firewalls
A firewall is a security system, usually a combination of hardware and software, that is
intended to protect an organization's network against external threats coming from another
network, including the Internet.
Firewalls prevent an organization's networked computers from communicating directly with
computers that are external to the network, and vice versa. Instead, all incoming and outgoing
communication is routed through a proxy server outside the organization's network. Firewalls
also audit network activity, recording the volume of traffic and providing information about
unauthorized attempts to gain access.
A proxy server is a firewall component that manages Internet traffic to and from a local area
network (LAN). The proxy server decides whether it is safe to let a particular message or file
pass through to the organization's network. It provides access control to the network, filtering
and discarding requests that the owner does not consider appropriate, including requests for
unauthorized access to proprietary data.

Auditing
Reviewing records of events in the security log of a server is called auditing. This process
tracks network activities by user accounts. Auditing should be a routine element of network
security. Audit records list the users that have accessed—or attempted to access—specific
resources. Auditing helps administrators identify unauthorized activity. It can also provide
usage information for departments that charge a fee for making certain network resources
available and need some way to determine the cost of those resources.
Auditing can track functions such as:

Amassing by Fitsum 45
 Hawassa poly college
 Logon attempts.
 Connection and disconnection from designated resources.
 Connection termination.
 Disabling of accounts.
 Opening and closing of files.
 Changes made to files.
 Creation or deletion of directories.
 Directory modification.
 Server events and modifications.
 Password changes.
 Logon parameter changes.
Audit records can indicate how the network is being used. The administrator can use the audit
records to produce reports that show activities and their date and time ranges. For example,
repeated failed logon attempts or efforts to log on at odd hours can indicate that an
unauthorized user is attempting to gain access to the network.

Diskless Computers
Diskless computers, as the name implies, have no floppy-disk drives or hard disks. They can
do everything a computer with disk drives can do except store data on a local floppy disk or
hard disk. Diskless computers are an ideal choice for maintaining security because users
cannot download data and take it away.
Diskless computers do not require boot disks. They communicate with the server and log on
by means of a special ROM boot chip installed on the computer's network interface card
(NIC). When the diskless computer is turned on, the ROM boot chip signals the server that it
is ready to start. The server responds by downloading boot software into the diskless
computer's RAM and automatically presents the user with a logon screen as part of the boot
process. After the user logs on, the computer is connected to the network.
Although a diskless computer can provide a high level of security, it has shortcomings.
Without a local disk available on which to store applications and data, all computer activity
must be conducted over the network. Network traffic will increase accordingly, and the
network will have to be capable of handling increased demands.

Data Encryption
A data-encryption utility scrambles data before it goes onto the network. This makes the data
unreadable even by someone who taps the cable and attempts to read the data as it passes
over the network. When the data arrives at the proper computer, the code for deciphering
encrypted data decodes the bits, translating them into understandable information. Advanced
data-encryption schemes automate both encryption and decryption. The best encryption
systems are hardware-based and can be expensive.
The traditional standard for encryption is the Data Encryption Standard (DES). Developed by
IBM and adopted in 1975 as a specification for encryption by the government of the United

Amassing by Fitsum 46
 Hawassa poly college
States, this system describes how data should be encrypted and provides the specifications for
the key to decryption. The U.S. Government continues to use DES. Both the sender and the
receiver need to have access to the decryption key. However, the only way to get the key
from one location to another is to physically or electronically transmit it, which makes DES
vulnerable to unauthorized interception.
Today, the U. S. Government is also using a newer standard, called the Commercial
COMSEC Endorsement Program (CCEP), which may eventually replace DES. The National
Security Agency (NSA) introduced CCEP and allows vendors with the proper security
clearance to join CCEP. Approved vendors are authorized to incorporate classified algorithms
into communications systems.

Computer Viruses
Computer viruses are becoming an all-too-familiar fact of life. It is not uncommon to see a
report on a local news channel describing the latest virus and warning about its destructive
impact. Computer viruses are bits of computer programming, or code, that hide in computer
programs or on the boot sector of storage devices, such as hard-disk drives and floppy-disk
drives. The primary purpose of a virus is to reproduce itself as often as possible and thereby
disrupt the operation of the infected computer or the program. Once activated, a virus can be
a simple annoyance or completely catastrophic in its effect. Viruses are written by people
with an intent to do harm.
Viruses are classified into two categories, based on how they propagate themselves. The first
type, called a "boot-sector virus," resides in the first sector of a floppy-disk or hard-disk
drive. When the computer is booted, the virus executes. This is a common method of
transmitting viruses from one floppy disk to another. Each time a new disk is inserted and
accessed, the virus replicates itself onto the new drive. The second type of virus is known as a
"file infector." Such a virus attaches itself to a file or program and activates any time the file
is used. Many subcategories of file infectors exist.
The following list describes a few of the more common file infectors:
 Companion Virus A companion virus is so named because it uses the name of a real
program—its companion. A companion virus activates by using a different file
extension from its companion. For example, suppose we decide to start a program
called "wordprocessor.exe." When the command is given to execute the application, a
virus named "wordprocessor.com" will execute in its place. It is able to do so because
a .com file takes priority over an .exe file.
 Macro Virus A macro virus is difficult to detect and is becoming more common. It is
so named because it is written as a macro for a specific application. Popular
applications, such as Microsoft Word, are targets for these viruses. When the user
opens a file that contains the virus, the virus attaches itself to the application and then
infects any other files accessed by that application.
 Polymorphic Virus A polymorphic virus is so named because it changes its
appearance every time it is replicated. This renders it more difficult to detect because
no two are exactly the same.
 Stealth Virus A stealth virus is so named because it attempts to hide from detection.
When an antivirus program attempts to find it, the stealth virus tries to intercept the
probe and return false information indicating that it does not exist.
Amassing by Fitsum 47
 Hawassa poly college
Virus Propagation
Just as computer viruses do not create themselves, neither do they spread through the air
unaided. Some kind of exchange between the two computers must take place before
transmission can occur. In the early days of computing and viruses, the principal source of
infection was through the exchange of data on floppy disks. One infected computer in an
organization could easily infect all the computers in the organization, merely by a single user
passing around a copy of the latest screensaver program.
The proliferation of LANs and the growth of the Internet have opened many new pathways to
rapidly spreading viruses. Now, virtually any computer in the world can be connected to any
other computer in the world. As a consequence, the creation of viruses is also on the rise. In
fact, some virus creators provide easy-to-use software containing directions for how to create
a virus.
A recently emerging method of spreading a virus is through e-mail services. After an e-mail
message containing the virus is opened, it attaches itself to the computer and can even send
itself to names in the computer's e-mail address book. Usually, the virus is located in an
inviting attachment to an e-mail message.
Convincing unsuspecting victims to activate a virus is a goal for virus writers. This is often
accomplished by packaging the virus in an enticing cover. Such a virus is known as a "Trojan
horse." To attract users, it is presented in the guise of something familiar, safe, or intriguing.
Remember that any means by which computers exchange information provides a potential
path for a virus. Methods in common use include:
 CD-ROMs.
 Cabling directly connecting two computers.
 Floppy-disk drives.
 Hard-disk drives.
 Internet connections.
 LAN connections.
 Modem connections.
 Portable or removable drives.
 Tape.

Consequences of a Virus
A virus can cause many kinds of harm to a computer; the creativity of its creator is the only
limitation. The following list describes common symptoms of computer virus infection:
 The computer won't boot.
 The data is scrambled or corrupted.
 The computer operates erratically.
 A partition is lost.

Amassing by Fitsum 48
 Hawassa poly college
 The hard drive is reformatted.
The most common symptom of virus infection in a network is one or more misbehaving
workstations. A peer-to-peer network is the most vulnerable. Server-based networks have
some built-in protection because permission is required to obtain access to some portions of
the server and, therefore, the network. In these networks, it is more likely that workstations
will be infected than a server, although servers are not immune. The server, as the conduit
from one computer to another, participates in the transmission of the virus, even though it
might not be affected.

Virus Prevention
Disastrous viruses are becoming more commonplace and should be taken into account when
network security procedures are developed. An effective antivirus strategy is an essential part
of a network plan. Good antivirus software is essential. Although no virus protection software
can prevent all viruses, it can do some of the following:
 Warn of a potential virus
 Keep a virus from activating
 Remove a virus
 Repair some of the damage that a virus has caused
 Keep a virus in check after it activates
Preventing unauthorized access to the network is one of the best ways to avoid a virus. For
example, the best way to prevent a virus from infecting a floppy disk is to use write
protection. If you cannot write to the floppy disk, you cannot infect it. Because prevention is
the key, the network administrator needs to make sure that all standard preventive measures
are in place.
These include:
 Passwords to reduce the chance of unauthorized access.
 Well-planned access and privilege assignments for all users.
 User profiles to structure the user's network environment, including network
connections and program items that appear when the user logs on.
 A policy that sets out which software can be loaded.
 A policy that specifies rules for implementing virus protection on client workstations
and network servers.
 Ensuring that all users are well-trained and informed about computer viruses and how
to prevent their activation.

Amassing by Fitsum 49
 Hawassa poly college

Summary OF LO1
In this topic the term protocol and its definition were introduced with respect to information
technology.

A protocol is a standard or rule that dictates how two or more computers communicate with
each other and share information. There are many network protocols in use today, such as
IPX/SPX, AppleTalk, NetBEUI and TCP/IP. However, TCP/IP has become the de-facto
standard of the Internet. It is the protocol of choice for most networks, whether they are
connected to the Internet or not. It enables different computers running different operating
systems on different networks to communicate with each other and share information.

The TCP/IP protocol is a suite of protocols or protocol stack, made up of core protocols such
as TCP, IP and sub-protocols such as UDP, ARP, ICMP to name a few.

Every device on a network is logically configured with a unique IP address and subnet mask
which determines the network the device is located on. Each IP address and subnet mask is a
32-bit binary number normally represented in dotted decimal format.

IP addressing and subnet masks provide useful information to network devices such as
servers, other workstations and routers. This information enables data to be routed from one
network to another.

Transition strategies have been in place since 1999 to migrate from IPv4 to IPv6 in the near
future.

Check your progress

Now you should try and do the Practice activities in this topic. If you’ve already tried them,
have another go and see if you can improve your responses.

When you feel ready, try the ‘Check your understanding’ activity in the Preview section of
this topic. This will help you decide if you’re ready for assessment.

Amassing by Fitsum 50
 Hawassa poly college

Summary of LO2
TCP/IP is automatically installed during the installation of most operating systems, by
default. A Network Administrator can choose to manually configure a computer with a
TCP/IP address or have several computers on a network assigned an IP address through a
Dynamic Host Configuration Protocol (DHCP) server.

A range of IP addresses are configured within the scope of the DHCP server. The IP
addresses are leased for a specific period of time.

Once TCP/IP has been configured on a computer, there are various tools that can be used to
test the TCP/IP installation and configuration such as IPCONFIG and PING.

Check your progress

Now you should try and do the Practice activities in this topic. If you’ve already tried them,
have another go and see if you can improve your responses.

When you feel ready, try the ‘Check your understanding’ activity in the Preview section of
this topic. This will help you decide if you’re ready for assessment.

Summary of LO3
This learning pack has covered the basic methods of connecting a network to the Internet.
There are many different ways in which to approach the implementation of Internet access
from a local area network. However, the main goal of any system upgrade is that it meets the
needs of the client. It is clear that the area of Internet connectivity will continually change as
new technologies are released.

Lesson Check-up
1. Describe two common ways by which unauthorized users can gain access to a
network; for each, describe how unauthorized access can be prevented.
2. Describe the differences between password-protected shares and access permissions.
3. Define data encryption and DES.
4. Identify four common types of computer viruses and describe how they are
transmitted; describe three ways to help protect computers in a network against
viruses.
Answers
1. Describe two common ways by which unauthorized users can gain access to
a network; for each, describe how unauthorized access can be prevented.

Amassing by Fitsum 51
 Hawassa poly college
Unauthorized users can gain access to most peer-to-peer networks by typing in a
unique username and password at any of the networked computers. The best
preventative measures include making the networked computers physically
inaccessible by locking the area that contains them, or to enable BIOS security
which allows the user to set a computer access name and password.
Unauthorized users can also access a server-based network by using someone
else's name and password. The best way to prevent this is to have an enforced
password policy in which passwords are not written down and are changed
regularly.
2. Describe the differences between password-protected shares and access permissions.

Password-protected shares require that a password be assigned to each shared

resource. Access to the shared resource is granted when a user enters the correct
password. Access-permission security involves assigning certain rights on a user-
by-user basis. A user types a password when logging on to the network. The
server validates this user name and password combination and uses it to grant or
deny access to shared resources.
3. Define data encryption and DES.

Data encryption is the scrambling of data to make it inaccessible to unauthorized

persons. In a network environment, data can be encrypted before being sent onto
the network. This makes the data unreadable, even by someone who taps the
cable and attempts to read the data as it passes over the network. When the data
arrives at the proper computer, the code for deciphering encrypted data decodes
the bits, translating them into understandable information.
The Data Encryption Standard (DES) was developed by IBM and adopted as a
specification for encryption by the government of the United States. DES
describes how data should be encrypted and provides the specifications for the
key to decryption. Both the sender and the receiver need to have access to the
decryption key. Because the only way to get the key from one location to another
is to physically or electronically transmit it, DES is vulnerable to unauthorized
interception.
4. Identify four common types of computer viruses and describe how they are
transmitted; describe three ways to help protect computers in a network against
viruses.

Four types of computer virus are called companion, macro, polymorphic and stealth.
Each is a kind of file infector virus. They can be transmitted by any physical means
such as CDs, floppy disks or a direct cable connection between computers, and by
electronic means such as e-mail and internet downloads. Three means of protection
against a computer virus are the installation of current anti-virus software, write-
protection of disks, and disabling macro capabilities in vulnerable software.

Amassing by Fitsum 52