Internet Infrastructure Short Note

The document outlines the components and functions of internet infrastructure, including data centers, networks, servers, storage devices, and server applications, which work together to transmit information globally. It also discusses network protocols, particularly the OSI reference model and Internet Protocol (IP), detailing how data is communicated and routed across networks. Additionally, it covers the hierarchical IP addressing scheme and the design and implementation of network infrastructure, emphasizing the importance of both inherited and designed elements in creating a functional network.

Uploaded by remose06
21 pages

Build Internet Infrastructure

1. What is Internet Infrastructure?

The internet infrastructure is an array of remote hardware and software working together to send and
receive information between systems. Every page that loads in a computer's web browser and every
Voice over Internet Protocol (VoIP) call that is placed passes through this complex internet
infrastructure. Its basic components are data centers, networks, servers, storage devices, and
server applications. The hardware may be located in specific countries, but the network
infrastructure spans international boundaries, making the internet a worldwide phenomenon
available in any region that has a functioning local network.

The home of the internet infrastructure is the data center, a secure building housing computer
equipment and network connectivity devices. It is staffed by a full-time team of operators and
equipped with enough power to run and cool the equipment. It also has systems to regulate
climate, suppress fires, and prevent unauthorized access.

A network of processors and storage devices within a data center is the second component of the
internet infrastructure. Measured in megabits per second (Mbps), the network allows data to be
transferred between processors and storage devices in the data center and to other data centers. The
ultimate goal is for the information to reach the computer or device of the end user.

The third component, servers, are high-end computers resembling a desktop PC but with much
greater storage and processing capacity. Servers are measured in units of processing power and
RAM capacity; each must be connected to one or more power supplies and to the network, and must
have an operating system installed. A server can consist of a single computer,
a pool of computers, or even a cluster of pools.

Data that ultimately appears on the device of an end-user must be stored somewhere, so the fourth
component of the internet infrastructure is storage devices. Storage capacity is measured in
gigabytes (GB) or terabytes (TB). Storage devices may be local, meaning on the hard drives of the
servers themselves, or they may be remote, connected to one server or many by means of a
network.

The fifth component of the internet infrastructure is the operating software for the servers, or the
server applications. In order to function, a server must have an operating system like Linux or
Windows, a web server application such as Apache or Microsoft IIS, and a database, for example
MySQL or Oracle. Once a server is equipped with this software, the user can install any other
subsidiary web applications on it that are needed. All of the components work together to form the
internet infrastructure, which transmits information worldwide.

Network protocols

Protocols are sets of rules or standards for data communication. Computers must follow the same
rules in order to understand one another. A protocol covers what to communicate, when to
communicate and how to communicate. It also defines how computers identify one another in a
network. Network protocols are developed based on the OSI reference model.

The OSI Reference Model

One of the greatest functions of the OSI specifications is to assist in data transfer between
disparate hosts, meaning, for example, that they enable us to transfer data between a UNIX host
and a PC or a Mac. The OSI isn’t a physical model, though. Rather, it’s a set of guidelines that
application developers can use to create and implement applications that run on a network. It also
provides a framework for creating and implementing networking standards, devices, and
internetworking schemes.

The OSI has seven different layers, divided into two groups. The top three layers define how the
applications within the end stations will communicate with each other and with users. The bottom
four layers define how data is transmitted end to end.

No.  Layer          Function

1    Application    • Provides a user interface
2    Presentation   • Presents data
                    • Handles processing such as encryption
3    Session        • Keeps different applications’ data separate
4    Transport      • Provides reliable or unreliable delivery
                    • Performs error correction before retransmit
5    Network        • Provides logical addressing, which routers use for path determination
6    Data Link      • Combines packets into bytes and bytes into frames
                    • Provides access to media using MAC address
                    • Performs error detection not correction
7    Physical       • Moves bits between devices
                    • Specifies voltage, wire speed, and pin-out of cables

The following network devices operate at all seven layers of the OSI model:
 Network management stations (NMSs)
 Web and application servers
 Gateways (not default gateways)
 Network hosts


Internet Protocol (IP)

Internet Protocol (IP) essentially is the Internet layer. The other protocols found here merely
exist to support it. IP holds the big picture and could be said to “see all,” in that it’s aware of all the
interconnected networks. It can do this because all the machines on the network have software, or
logical, address called an IP address. IP looks at each packet’s address. Then, using a routing table,
it decides where a packet is to be sent next, choosing the best path.

Identifying devices on networks requires answering these two questions: Which network is it on?
And what is its ID on that network? The first answer is the software address, or logical address
(the correct street). The second answer is the hardware address (the correct mailbox). All hosts on a
network have a logical ID called an IP address. This is the software, or logical, address and
contains valuable encoded information, greatly simplifying the complex task of routing.

IP receives segments from the Host-to-Host layer and fragments them into datagrams (packets) if
necessary. IP then reassembles datagrams back into segments on the receiving side. Each
datagram is assigned the IP address of the sender and of the recipient. Each router (Layer 3 device)
that receives a datagram makes routing decisions based on the packet’s destination address.
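Worked example, added here and not part of the original note: a small Python decoder that peels a constructed Ethernet/IPv4/TCP frame one layer at a time, in the order the OSI table above describes (Data Link, then Network, then Transport). It shows where the MAC addresses, the sender and recipient IP addresses, the fragment fields and the TTL that a Layer 3 device acts on, and the Transport-layer ports actually sit in the bytes. The frame, its addresses and its ports are constructed for illustration, not captured traffic.

```python
import struct


# Constructed sample frame (not captured traffic): Ethernet II + IPv4 + TCP SYN.
# Every MAC address, IP address and port below is an assumption for illustration.
def build_sample_frame():
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    ethertype = struct.pack("!H", 0x0800)              # 0x0800 = IPv4 payload follows
    # Transport (Layer 4): 20-byte TCP header. Data offset 5 words, SYN flag set,
    # checksum left 0 because this example does not validate checksums.
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    # Network (Layer 3): 20-byte IPv4 header. Version 4 / IHL 5 = 0x45, total length,
    # identification 0x1234, DF flag (0x4000) + offset 0, TTL 64, protocol 6 = TCP.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, bytes([172, 16, 30, 56]), bytes([10, 0, 0, 1]))
    # Data Link (Layer 2): 14-byte Ethernet II header in front of everything.
    return dst_mac + src_mac + ethertype + ip + tcp


def decode_frame(frame):
    """Strip one header per layer and return what each layer exposes."""
    layers = {}
    # Data Link: destination MAC, source MAC, EtherType.
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    layers["data_link"] = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
                           "ethertype": etype}
    if etype != 0x0800:
        return layers                                   # not IPv4; nothing more to read
    # Network: the fields a router uses (addresses, TTL, fragmentation).
    ip = frame[14:]
    (vihl, _tos, _total_len, ident, flags_frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4                             # header length in bytes
    layers["network"] = {
        "version": vihl >> 4,
        "src_ip": ".".join(map(str, src_ip)),
        "dst_ip": ".".join(map(str, dst_ip)),
        "ttl": ttl,
        "protocol": proto,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
    }
    # Transport: only the first fragment of a datagram carries the TCP header.
    if proto != 6 or layers["network"]["fragment_offset"] != 0:
        return layers
    tcp = ip[ihl:ihl + 20]
    sport, dport, seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp)
    layers["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq,
                           "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}
    return layers


if __name__ == "__main__":
    for name, fields in decode_frame(build_sample_frame()).items():
        print(name, fields)
```

Each layer consults only its own header and hands the rest up: the Ethernet parser never looks at IP addresses, and the IP parser stops before the TCP ports, which is exactly why a router (a Layer 3 device) can forward on the destination address alone.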

IP Terminology

Bit: A bit is one digit, either a 1 or a 0.
Byte: A byte is 7 or 8 bits, depending on whether parity is used. For the rest of this chapter, always
assume a byte is 8 bits.
Octet: An octet, made up of 8 bits, is just an ordinary 8-bit binary number. In this chapter, the
terms byte and octet are completely interchangeable.
Network address: This is the designation used in routing to send packets to a remote network, for
example, 10.0.0.0, 172.16.0.0, and 192.168.10.0.
Broadcast address: The address used by applications and hosts to send information to all nodes
on a network is called the broadcast address. Examples include 255.255.255.255, which is all
networks, all nodes; 172.16.255.255, which is all subnets and hosts on network 172.16.0.0; and
10.255.255.255, which broadcasts to all subnets and hosts on network 10.0.0.0.


The Hierarchical IP Addressing Scheme

An IP address consists of 32 bits of information. These bits are divided into four sections, referred
to as octets or bytes, each containing 1 byte (8 bits). You can depict an IP address using one of
three methods:
 Dotted-decimal, as in 172.16.30.56
 Binary, as in 10101100.00010000.00011110.00111000
 Hexadecimal, as in AC.10.1E.38

All these examples truly represent the same IP address. Hexadecimal isn’t used as often as
dotted-decimal or binary when IP addressing is discussed, but you still might find an IP address stored in
hexadecimal in some programs. The Windows Registry is a good example of a program that stores
a machine’s IP address in hex. The 32-bit IP address is a structured or hierarchical address, as
opposed to a flat or non-hierarchical address. Although either type of addressing scheme could
have been used, hierarchical addressing was chosen for a good reason. The advantage of this
scheme is that it can handle a large number of addresses, namely 4.3 billion (a 32-bit address space
with two possible values for each position—either 0 or 1—gives you 4,294,967,296). The
disadvantage of the flat addressing scheme, and the reason it’s not used for IP addressing, relates
to routing. If every address were unique, all routers on the Internet would need to store the address
of each and every machine on the Internet. This would make efficient routing impossible, even if
only a fraction of the possible addresses were used. The solution to this problem is to use a two- or
three-level hierarchical addressing scheme that is structured by network and host or by network,
subnet, and host.

This two- or three-level scheme is comparable to a telephone number. The first section, the area
code, designates a very large area. The second section, the prefix, narrows the scope to a local
calling area. The final segment, the customer number, zooms in on the specific connection. IP
addresses use the same type of layered structure. Rather than all 32 bits being treated as a unique
identifier, as in flat addressing, a part of the address is designated as the network address and the
other part is designated as either the subnet and host or just the node address. In the following
sections, IP network addressing and the different classes of address we can use to address our
networks are discussed.


The network address (which can also be called the network number) uniquely identifies each
network. Every machine on the same network shares that network address as part of its IP address.
In the IP address 172.16.30.56, for example, 172.16 is the network address. The node address is
assigned to, and uniquely identifies, each machine on a network. This part of the address must be
unique because it identifies a particular machine, an individual, as opposed to a network, which is
a group. This number can also be referred to as a host address. In the sample IP address
172.16.30.56, the 30.56 is the node address. The designers of the Internet decided to create classes
of networks based on network size. For the small number of networks possessing a very large
number of nodes, they created the Class A network. At the other extreme is the Class C
network, which is reserved for the numerous networks with a small number of nodes. The class
distinction for networks between very large and very small is predictably called the Class B
network. Subdividing an IP address into a network and node address is determined by the class
designation of one’s network. The following figure summarizes the three classes of networks.

Summary of the three classes of networks

          8 bits     8 bits     8 bits     8 bits
Class A:  Network    Host       Host       Host
Class B:  Network    Network    Host       Host
Class C:  Network    Network    Network    Host
Class D:  Multicast
Class E:  Research

To ensure efficient routing, Internet designers defined a mandate for the leading-bits section of the
address for each different network class. For example, since a router knows that a Class A network
address always starts with a 0, the router might be able to speed a packet on its way after reading
only the first bit of its address. This is where the address schemes define the difference between a
Class A, a Class B, and a Class C address.

Network Address Range: Class A


The designers of the IP address scheme said that the first bit of the first byte in a Class A network
address must always be off, or 0. This means a Class A address must be between 1 and 126 in the
first byte, inclusive. Consider the following network address scheme:

0xxxxxxx

If we turn the other 7 bits all off and then turn them all on, we’ll find the Class A range of network
addresses:

00000000 = 0
01111111 = 127

So, a Class A network is defined in the first octet between 0 and 127, and it can’t be less or more.
(Yes, I know 0 and 127 are not valid in a Class A network. I’ll talk about reserved addresses in a
minute.)

Network Address Range: Class B

In a Class B network, the RFCs state that the first bit of the first byte must always be turned on but
the second bit must always be turned off. If you turn the other 6 bits all off and then all on, you
will find the range for a Class B network:

10000000 = 128
10111111 = 191

As you can see, a Class B network is defined when the first byte is configured from 128 to 191.

Network Address Range: Class C

For Class C networks, the RFCs define the first 2 bits of the first octet as always turned on, but the
third bit can never be on. Following the same process as the previous classes, convert from binary
to decimal to find the range. Here’s the range for a Class C network:

11000000 = 192
11011111 = 223


So, if you see an IP address that starts at 192 and goes to 223, you’ll know it is a Class C IP
address.

Network Address Ranges: Classes D and E

The addresses between 224 and 255 are reserved for Class D and E networks. Class D (224–239) is
used for multicast addresses and Class E (240–255) for scientific purposes.

Reserved IP Addresses

Address                                   Function
Network address of all 0s                 Interpreted to mean “this network or segment.”
Network address of all 1s                 Interpreted to mean “all networks.”
Network 127.0.0.1                         Reserved for loopback tests. Designates the local node
                                          and allows that node to send a test packet to itself
                                          without generating network traffic.
Node address of all 0s                    Interpreted to mean “network address” or any host on
                                          the specified network.
Node address of all 1s                    Interpreted to mean “all nodes” on the specified
                                          network; for example, 128.2.255.255 means “all nodes”
                                          on network 128.2 (Class B address).
Entire IP address set to all 0s           Used by Cisco routers to designate the default route.
                                          Could also mean “any network.”
Entire IP address set to all 1s           Broadcast to all nodes on the current network; sometimes
(same as 255.255.255.255)                 called an “all 1s broadcast” or limited broadcast.

Reserved or private IP Address Space

Address Class    Reserved Address Space
Class A          10.0.0.0 through 10.255.255.255
Class B          172.16.0.0 through 172.31.255.255
Class C          192.168.0.0 through 192.168.255.255
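Worked example, added here and not part of the original note, that ties the addressing material above together in Python: it prints the same address in dotted-decimal, binary and hexadecimal, classifies it by the leading bits of the first octet exactly as the Class A/B/C/D/E ranges describe, splits it into the classful network and node parts, derives the directed broadcast, and flags the reserved cases (node bits all 0s or all 1s, loopback, the all-1s limited broadcast) and the private space table. The class-to-prefix split (/8, /16, /24) is the classful rule from the text; the private ranges are the ones in the table above; the addresses fed to it are constructed test values.

```python
import ipaddress

# Private address space from the table above, keyed by class.
PRIVATE_SPACE = {
    "A": ipaddress.ip_network("10.0.0.0/8"),
    "B": ipaddress.ip_network("172.16.0.0/12"),
    "C": ipaddress.ip_network("192.168.0.0/16"),
}
# Classful split: how many leading bits form the network address.
NETWORK_BITS = {"A": 8, "B": 16, "C": 24}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def to_binary(addr):
    return ".".join(f"{octet:08b}" for octet in addr.packed)


def to_hex(addr):
    return ".".join(f"{octet:02X}" for octet in addr.packed)


def address_class(addr):
    """Decide the class from the leading bits of the first octet, as a router would."""
    first = addr.packed[0]
    if first & 0b10000000 == 0:
        return "A"          # 0xxxxxxx -> 0..127
    if first & 0b11000000 == 0b10000000:
        return "B"          # 10xxxxxx -> 128..191
    if first & 0b11100000 == 0b11000000:
        return "C"          # 110xxxxx -> 192..223
    if first & 0b11110000 == 0b11100000:
        return "D"          # 1110xxxx -> 224..239, multicast
    return "E"              # 1111xxxx -> 240..255, reserved


def describe(text):
    """Return every representation and classification the note discusses."""
    addr = ipaddress.IPv4Address(text)
    cls = address_class(addr)
    info = {"address": text, "binary": to_binary(addr), "hex": to_hex(addr),
            "class": cls, "loopback": addr.is_loopback}
    if addr == LIMITED_BROADCAST:
        info["kind"] = "limited broadcast"     # entire address all 1s
        return info
    if cls not in NETWORK_BITS:
        info["kind"] = "multicast" if cls == "D" else "reserved"
        return info
    bits = NETWORK_BITS[cls]
    net = ipaddress.ip_network(f"{text}/{bits}", strict=False)
    octets = text.split(".")
    info["network"] = str(net.network_address)
    info["broadcast"] = str(net.broadcast_address)
    info["network_part"] = ".".join(octets[: bits // 8])
    info["host_part"] = ".".join(octets[bits // 8:])
    info["private"] = addr in PRIVATE_SPACE[cls]
    if addr == net.network_address:
        info["kind"] = "network address"       # node bits all 0s
    elif addr == net.broadcast_address:
        info["kind"] = "directed broadcast"    # node bits all 1s
    else:
        info["kind"] = "host"
    return info


if __name__ == "__main__":
    # Constructed inputs: the note's own example plus a few reserved cases.
    for sample in ("172.16.30.56", "10.255.255.255", "192.168.10.0",
                   "127.0.0.1", "224.0.0.1", "255.255.255.255"):
        print(describe(sample))
```

Running it on 172.16.30.56 reproduces the three notations given earlier (10101100.00010000.00011110.00111000 and AC.10.1E.38), places it in Class B with network part 172.16 and node part 30.56, and reports 172.16.255.255 as its directed broadcast.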


Overview of Network Infrastructure Design

 Network Infrastructure: is a set of physical and logical components that provide
connectivity, security, routing, management, access, and other integral features on a network.
 During a network’s planning phase, engineers select the hardware and software components
that will compose the network infrastructure and specify the particular location, installation,
and configuration of those components.
 In most cases, the elements of a network infrastructure are both inherited and designed.
 If you are building a network that will be connected to the Internet, for example, certain
aspects of the network, such as the use of the TCP/IP protocol suite, are inherited from the
Internet.
 Other network elements, such as the physical layout of basic network components, are chosen
by design when the network is first conceived and are then inherited by later versions of the
network as it evolves.
 It is rare for an engineer to have the opportunity to design a network from scratch, with no pre-
existing influences.
 Nearly always, the engineer must incorporate some existing elements into the network design,
such as specific applications, operating systems, protocols, or hardware components.
 Implementing a network infrastructure is the process of evaluating, purchasing, and assembling
the specified components, and installing them in the manner prescribed by the design plan.
 The implementation process begins with engineers installing the network’s hardware
infrastructure, including computers, cables, and connectivity devices such as hubs, switches,
and routers, as well as printers and other peripherals.
 Once the hardware is in place, the engineers install and configure the operating systems,
applications, and other software.
 The operating systems running on the computers are the primary software components in the
network infrastructure, because they incorporate the protocols and other routines that make
network communications possible.
 In addition to the standard communication protocols common to all network operating systems,
the Microsoft Windows Server 2008 family also includes a collection of applications and
services that implement important security and special communications capabilities on the
network.
 The significance of the network infrastructure does not end when the construction of the
network is complete, however.
 The personnel responsible for maintaining the network must have an intimate knowledge of the
network’s infrastructure to expand the network, perform upgrades, and troubleshoot problems.


Physical Vs. Logical Network Infrastructure


1. Physical Network Infrastructure: is its topology, the physical design of the network, along
with hardware components such as cabling, routers, switches, hubs, servers, and
workstations.
 The hardware you select when planning the network’s physical infrastructure is frequently
dependent on elements of the network’s logical infrastructure.
 For example, if you decide to use Ethernet for your network’s data-link layer protocol, you are
limited to certain specific cable types supported by Ethernet, and the network’s connectivity
components—hubs, routers, and switches—must be designed for use with Ethernet as well.
 For a small network, the physical infrastructure can be very simple—computers, a hub, and a
few cables are generally all you need.
 For medium-to-large networks, however, the physical infrastructure can be extraordinarily
complex.
2. Logical Network Infrastructure:-comprises the many software elements that connect,
manage, and secure hosts on the network.
 The logical infrastructure allows communication between computers over the pathways
described in the physical topology.
 The logical infrastructure of a network consists of both abstract software elements, such as
networking protocols, and concrete elements, such as specific software products.
 In addition to basic communication protocols such as TCP/IP, the abstract elements of the
logical infrastructure can include security technologies such as digital certificates and the IP
Security (IPsec) protocols.

Planning a Network Infrastructure


 Planning the infrastructure is by far the most complicated part of building a network because
during this phase you create the blueprint you will use to implement the network and maintain
it later.
 A complete network infrastructure plan consists of a great deal more than a physical
infrastructure layout and a list of hardware and software products.
 To plan the infrastructure properly, a network designer must consider the requirements of the
network’s users, its owners, and its hardware and software components.
 What tasks do the network users have to accomplish?
 In addition to selecting applications, a network designer must also be conscious of the services
the network’s users need for their computers to function properly.
 Security is also an omnipresent consideration in planning a network infrastructure.
 The designer must attempt to anticipate all possible dangers to the network and plan a suitable
security infrastructure to protect it from those dangers.


 The security infrastructure might include advanced configuration of the operating systems,
services, and applications, as well as the use of additional components, such as IPSec and
digital certificates.

Implementing a Network Infrastructure


 The network infrastructure plan is implemented at this stage.
 The process of implementing the technologies outlined in a network infrastructure plan
typically involves a number of disciplines.
 The elements of the implementation process focus largely on the selection of protocols,
operating systems, applications, and security mechanisms that satisfy the requirements of a
network’s owners, administrators, and users, as determined in the planning process.
 This course focuses on the deployment of TCP/IP protocols (selecting IP addresses & subnet
mask), the DNS (DNS name space) and WINS name-resolution mechanisms, and the IPsec
(Creating IPsec policies) protocol extensions technologies on a medium-to-large network, and
it concentrates more on the organizational elements of the deployment than on the process of
configuring an individual computer.

Maintaining a Network Infrastructure

 To maintain the network properly, administrators must have an intimate knowledge of the
infrastructure and the technologies used to implement it.
 Network infrastructure maintenance includes tasks such as updating operating systems and
applications, monitoring ongoing processes, and troubleshooting problems.
 Keeping the network’s operating systems and applications updated is more complicated than
simply downloading the latest patch releases and installing them on all the computers.
 For a large and complex network infrastructure, you must be careful to test each release before
deploying it on the production network.
 Administrators must monitor many services that are essential to a large network at regular
intervals to ensure they are operating properly.
 This monitoring can include regular examination of logs, function testing, and network traffic
analysis.
 The network administrator must be capable of configuring these services to log the appropriate
information and of using Windows Server 2008 tools such as Network Monitor and the
Performance console.
 Troubleshooting is one of the primary maintenance functions of a network administrator.
 Although much of the infrastructure design and implementation process revolves around the
creation of a robust network, problems do occur, and in a large organization, network failures
can mean reduced productivity and loss of revenue.

What is a Security Threat?

A security threat is defined as a risk that can potentially harm computer systems and the
organization. The cause could be physical, such as someone stealing a computer that contains vital
data, or non-physical, such as a virus attack. In this tutorial series, we
define a threat as a potential attack from a hacker that can allow them to gain unauthorized access
to a computer system.

What are Physical Threats?

A physical threat is a potential cause of an incident that may result in loss of or physical damage to
the computer systems. The following list classifies the physical threats into three main
categories:

Internal: The threats include fire, unstable power supply, humidity in the rooms housing the
hardware, etc.

External: These threats include Lightning, floods, earthquakes, etc.

Human: These threats include theft, vandalism of the infrastructure and/or hardware, disruption,
accidental or intentional errors.

To protect computer systems from the above mentioned physical threats, an organization must
have physical security control measures.

The following list shows some of the possible measures that can be taken:

Internal: Fire threats could be prevented by the use of automatic fire detectors and extinguishers
that do not use water to put out a fire. The unstable power supply can be prevented by the use of
voltage controllers. An air conditioner can be used to control the humidity in the computer room.

External: Lightning protection systems can be used to protect computer systems against lightning.
Lightning protection systems are not 100% perfect, but to a certain extent they reduce the
chance of lightning causing damage. Housing computer systems on high ground is one of the
possible ways of protecting systems against floods.

H: Threats such as theft can be prevented by the use of locked doors and restricted access to
computer rooms.

What are Non-physical threats?

A non-physical threat is a potential cause of an incident that may result in:

 Loss or corruption of system data
 Disruption of business operations that rely on computer systems
 Loss of sensitive information
 Illegal monitoring of activities on computer systems
 Cyber security breaches and others

The non-physical threats are also known as logical threats. The following list is the common types
of non-physical threats:

 Virus
 Trojans
 Worms
 Spyware
 Denial of Service Attacks
 Distributed Denial of Service Attacks
 Unauthorized access to computer systems resources such as data

Other Computer Security Risks

To protect computer systems from the above-mentioned threats, an organization must have logical
security measures in place. The following list shows some of the possible measures that can be
taken to protect against cyber security threats.

To protect against viruses, Trojans, worms, etc., an organization can use anti-virus software. In
addition to the anti-virus software, an organization can also have control measures on the use
of external storage devices and on visiting websites that are likely to download unauthorized
programs onto the user’s computer.

Unauthorized access to computer system resources can be prevented by the use of authentication
methods. The authentication methods can be in the form of user IDs and strong passwords, smart
cards or biometrics, etc.

Intrusion-detection/prevention systems can be used to protect against denial of service attacks.
There are other measures too that can be put in place to avoid denial of service attacks.

Testing and verifying security access level

An access list is essentially a list of conditions that categorize packets. They can be really helpful
when you need to exercise control over network traffic. An access list would be your tool of choice
for decision making in these situations. One of the most common and easiest to understand uses of
access lists is filtering unwanted packets when implementing security policies. For example, you
can set them up to make very specific decisions about regulating traffic patterns so that they’ll
allow only certain hosts to access web resources on the Internet while restricting others. With the
right combination of access lists, network managers arm themselves with the power to enforce
nearly any security policy they can invent.

Access lists can even be used in situations that don’t necessarily involve blocking packets. For
example, you can use them to control which networks will or won’t be advertised by dynamic
routing protocols. How you configure the access list is the same. The difference here is simply
how you apply it—to a routing protocol instead of an interface. When you apply an access list in
this way, it’s called a distribute list, and it doesn’t stop routing advertisements, it just controls their
content. You can also use access lists to categorize packets for queuing and for controlling which
types of traffic can activate a pricey ISDN link. There are a few important rules that a packet
follows when it’s being compared with an access list:

 It’s always compared with each line of the access list in sequential order—that is, it’ll always
start with the first line of the access list, then go to line 2, then line 3, and so on.
 It’s compared with lines of the access list only until a match is made. Once the packet matches
the condition on a line of the access list, the packet is acted upon and no further comparisons
take place.
 There is an implicit “deny” at the end of each access list—this means that if a packet doesn’t
match the condition on any of the lines in the access list, the packet will be discarded.
 Each of these rules has some powerful implications when filtering IP packets with access lists.

There are two main types of access lists:

1. Standard access lists

These use only the source IP address in an IP packet as the condition test. All decisions are made
based on the source IP address. This means that standard access lists basically permit or deny an
entire suite of protocols. They don’t distinguish between any of the many types of IP traffic such
as web, Telnet, UDP, and so on.

2. Extended access lists

Extended access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an
IP packet. They can evaluate source and destination IP addresses, the protocol field in the Network
layer header, and the port number at the Transport layer header. This gives extended access lists
the ability to make much more granular decisions when controlling traffic.

Security Mechanisms

Cryptographic algorithms are just one piece of the picture when it comes to providing security in a
network. The next thing we need is a set of mechanisms and protocols for solving various
problems. In this section we examine mechanisms that are used to authenticate participants,
techniques for assuring the integrity of messages, and some approaches to solving the problem of
distributing public keys.

Authentication and Authorization

 Authentication verifies user identification
    Client/server environment
       Ticket-granting system
       Authentication server system
       Cryptographic authentication
    Messaging environment
       E-mail
       E-commerce
 Authorization grants access to information
    Read, read-write, no-access
    Indefinite period, finite period, one-time use
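Worked example, added here and not part of the original note: a minimal authorization check in Python built from the two lists above. Each grant records one of the three access levels (no-access, read, read-write) together with its validity (indefinite, finite period, or one-time use), and the check takes an already-authenticated subject name, so authentication is assumed to have happened first. The subjects, resources and the clock value are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Access levels from the note, ordered so that a higher level implies the lower ones.
LEVELS = {"no-access": 0, "read": 1, "read-write": 2}
# Minimum level each action requires.
REQUIRED = {"read": "read", "write": "read-write"}

# Constructed clock value used by the demo grants below (an assumption).
DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def later(now, hours):
    return now + timedelta(hours=hours)


class Grant:
    """One authorization record for a subject that authentication has already identified."""
    def __init__(self, subject, resource, level, expires_at=None, one_time=False):
        assert level in LEVELS
        self.subject = subject
        self.resource = resource
        self.level = level
        self.expires_at = expires_at      # None means an indefinite period
        self.one_time = one_time          # True means the grant is consumed on first use
        self.used = False


class Authorizer:
    def __init__(self, grants):
        self.grants = list(grants)

    def authorize(self, subject, resource, action, now):
        """True only if a live grant covers the action; anything else is denied."""
        needed = LEVELS[REQUIRED[action]]
        candidates = [g for g in self.grants
                      if g.subject == subject and g.resource == resource]
        # An explicit no-access grant overrides any other grant for the same pair.
        if any(g.level == "no-access" for g in candidates):
            return False
        for g in candidates:
            if g.expires_at is not None and now >= g.expires_at:
                continue                  # finite period has elapsed
            if g.one_time and g.used:
                continue                  # one-time use already consumed
            if LEVELS[g.level] >= needed:
                if g.one_time:
                    g.used = True         # consume it only when it actually authorizes
                return True
        return False                      # default deny: no matching live grant


def build_demo(now=DEMO_NOW):
    """Constructed grants for illustration; subjects and resources are made up."""
    return Authorizer([
        Grant("alice", "payroll", "read-write"),                         # indefinite
        Grant("bob", "payroll", "read", expires_at=later(now, 1)),       # finite period
        Grant("carol", "report", "read", one_time=True),                 # one-time use
        Grant("dave", "payroll", "read"),
        Grant("dave", "payroll", "no-access"),                           # explicit denial
    ])


if __name__ == "__main__":
    az = build_demo()
    print("alice write payroll:", az.authorize("alice", "payroll", "write", DEMO_NOW))
    print("bob read payroll in 2h:", az.authorize("bob", "payroll", "read", later(DEMO_NOW, 2)))
    print("carol first read:", az.authorize("carol", "report", "read", DEMO_NOW))
    print("carol second read:", az.authorize("carol", "report", "read", DEMO_NOW))
```

The design choice worth noting is that absence of a grant, an expired grant and a consumed one-time grant all fall through to the same default deny, and an explicit no-access record wins even when a broader grant exists alongside it.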


Firewalls

 The main purpose of a firewall is to protect a network from external attacks.
 It monitors and controls traffic into and out of a secure network.
 It can be implemented in a router, gateway, or special host.
 A firewall is normally located at the gateway to a network, but it may also be located at host
access points.
 Implementing a firewall on a network yields numerous benefits.
 It reduces the risk of access to hosts from an external network by filtering insecure services.
 Firewalls use packet filtering or application-level gateways as the two primary techniques for
controlling undesired traffic.

A. Packet Filters

 Packet filtering is based on protocol-specific criteria.
 It is done at the OSI data link, network, and transport layers.
 Packet filters are implemented in some commercial routers, called screening routers or packet
filtering routers.
 We will use the generic term packet filtering routers here.
 Although routers do not normally look at the transport layer, some vendors have implemented this
additional feature to sell them as firewall routers.
 The filtering is done on the following parameters:
   o Source IP address, destination IP address, source TCP/UDP port, and destination TCP/UDP port.
 The filtering is implemented on each port of the router and can be programmed independently.

 Packet filtering routers can either drop packets or redirect them to specific hosts for further
screening, as shown in the above Figure.
 Some packets never reach the local network because they are trashed.
 A packet filtering firewall works well when the rules to be implemented are simple.
 However, the more rules introduced, the more difficult it is to implement.
 The rules have to be implemented in the right order or they may produce adverse effects.
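As an added example (not code from this note), the following Python models the two access list types described earlier and the packet filter rule ordering hazard mentioned in the last bullet: a standard list tests only the source address, an extended list tests source, destination, protocol and port, and the first matching rule wins with an implicit deny at the end. All addresses and rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port; None for protocols without one

@dataclass(frozen=True)
class Rule:
    """A standard list sets only src; an extended list may set every field."""
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("ip", pkt.proto)
                and self.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that no rule matches hits the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed sample traffic from one lab subnet to a web server (hypothetical addresses).
WEB = Packet("10.1.1.5", "10.2.2.10", "tcp", 80)
TELNET = Packet("10.1.1.5", "10.2.2.10", "tcp", 23)

# Standard list: tests only the source address, so it blocks web and Telnet alike.
STANDARD = [Rule("deny", src="10.1.1.0/24"), Rule("permit")]

# Extended list: the same subnet may reach the server on TCP/80 and nothing else.
EXTENDED = [Rule("permit", src="10.1.1.0/24", dst="10.2.2.10/32", proto="tcp", dport=80),
            Rule("deny", src="10.1.1.0/24"),
            Rule("permit")]

# The same three rules in the wrong order: the broad deny now shadows the web permit.
MISORDERED = [EXTENDED[1], EXTENDED[0], EXTENDED[2]]
```

Running `evaluate(MISORDERED, WEB)` returns "deny" even though a permit for that traffic exists, which is the adverse effect of a misordered rule set.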

B. Application-Level Gateway
 An application-level gateway is used to overcome some of the problems identified for packet
filtering.
 From the figure, Firewalls 1 and 2 will forward data only if it is going to or coming from the
application gateway.
 Thus a secured LAN is a gateway LAN.
 An application gateway behaves differently for each application, and filtering is handled by the
proxy services in the gateway.
 Firewalls protect a secure site by checking addresses (e.g., IP address), transport parameters
(e.g., FTP and SMTP), and applications.
 However, how do we protect access from an external source based on a user who is using false
identification?
 Moreover, how do we protect against an intruder manipulating the data while it is traversing
the network between source and destination?

 These concerns are addressed by ensuring secure communication.

Cryptography
 For secure communication we need to ensure integrity protection and authentication validation.
 Integrity protection makes sure that information has not been tampered with as it moves
between source and destination.
 Authentication validation verifies originator identification.
 In other words, when someone receives a message that identifies the sender, can the receiver
really be sure who sent the message?

Cryptographic Communication
 Cryptography means secret (crypto) writing (graphy).
 It deals with techniques of transmitting information from a sender to a receiver without any
intermediary being able to decipher it.

 The basic model of cryptographic communication is shown in the Figure below.


 The input message, called plaintext, is encrypted with a secret (encryption) key.
 The encrypted message is called ciphertext, which moves through an insecure communication
channel, the Internet for example.

Secret Key Cryptography

 The Caesar cipher was later enhanced by the makers of Ovaltine and distributed as Captain
Midnight Secret Decoder rings. Each letter is replaced by the letter n positions later in the
alphabet (i.e., a key of n). Of course, the sender and the receiver have to agree ahead of time on
the secret key for successful communication.
 The same key is used for encryption and decryption, which is why this is called secret key
cryptography.
 The encryption and decryption modules can be implemented in either hardware or software.

Public Key Cryptography

 In private key cryptography each pair of users must have a secret key.
 Public key cryptography overcomes the difficulty of having too many cryptographic keys.
 Secret key cryptography is symmetric in that the same key is used for both encryption and
decryption, but public key cryptography is asymmetric with a public key and a private key,
which are different.
 Let us return to our Ian, Rita, and Ted scenario to illustrate. In Figure below,
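An added example, not code from this note, contrasting the two models just described: a Caesar shift where the same key n both encrypts and decrypts, and textbook RSA on the small primes 61 and 53 (a toy key size chosen only for illustration), where the public and private keys differ and one cannot undo the other.

```python
import string
from math import gcd

ALPHABET = string.ascii_uppercase

def caesar(text: str, key: int) -> str:
    """Shift each letter key places (secret key n); decrypt by shifting back with -key."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)          # spaces and punctuation pass through unchanged
    return "".join(out)

def rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA on two small primes (far too small for real use): returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)             # modular inverse of e; needs Python 3.8+
    return (n, e), (n, d)

def rsa_apply(key, m: int) -> int:
    """Encrypt with the public key or decrypt with the private key: m ** exp mod n."""
    n, exp = key
    return pow(m, exp, n)

if __name__ == "__main__":
    # Secret key cryptography: sender and receiver share the single key 3.
    c = caesar("ATTACK AT DAWN", 3)
    print(c, "->", caesar(c, -3))
    # Public key cryptography: encrypt with one key, decrypt only with the other.
    public, private = rsa_keypair(61, 53)
    ct = rsa_apply(public, 65)
    print(ct, "->", rsa_apply(private, ct))
```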

Checking passwords
A password is a string of characters used to verify the identity of a user during the authentication
process. Passwords are typically used in conjunction with a username; they are designed to be
known only to the user and allow that user to gain access to a device, application or website.
Passwords can vary in length and can contain letters, numbers and special characters. Other terms
that can be used interchangeably are passphrase, for when the password uses more than one word,
and passcode and passkey, for when the password uses only numbers instead of a mix of characters,
such as a personal identification number.

Creating a secure password

Many organizations set password policies so employees create strong passwords and use best
practices for their login credentials. Some of the best practices for password requirements include:

 A minimum length of eight characters with a limit of anywhere from 16 to 64 characters or
possibly even higher;
 The inclusion of both uppercase and lowercase letters with case sensitivity;
 The use of at least one number; and
 The use of at least one special character.
Policies should prohibit certain characteristics in weak passwords. For instance, any recognizable
personal information -- such as birthdates, names of children, or favorite sports teams -- should not
be part of a password, as well as any words or phrases that are on a password blacklist.

Password blacklists are lists of passwords that are too easily cracked and thus are not secure
enough to use. Common offenders that wind up on blacklists include "123456," "password,"
"football," "qwerty" and so on.

Strong password policies also include a time limit for user passwords. This means that passwords
will expire after a set period of time -- such as 90 or 180 days -- and users will be forced to change
their password to prevent the reuse of the same couple of passwords. The policy may also require
the user to create a password that is different from any other they have used in the last six to 12
months.
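An added example (not the note's own code) that checks a candidate password against the policy described above and flags an expired one. The blacklist entries and the 90-day limit come from the text; the personal-information and history inputs are constructed, and history is compared in clear only for illustration.

```python
import string
from datetime import date, timedelta
from typing import Iterable, List

MIN_LEN, MAX_LEN = 8, 64        # at least 8; the upper limit may be anywhere from 16 to 64
MAX_AGE_DAYS = 90               # expiry period; 90 is one of the two values the text names
# Constructed blacklist holding the common offenders the text lists.
BLACKLIST = {"123456", "password", "football", "qwerty"}

def password_violations(pw: str, personal_info: Iterable[str] = (),
                        history: Iterable[str] = ()) -> List[str]:
    """Return every policy rule the candidate password breaks (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a special character")
    lowered = pw.lower()
    if lowered in BLACKLIST:
        problems.append("on the password blacklist")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    # History is compared in clear here for illustration; a real system keeps only hashes.
    if pw in history:
        problems.append("reused from password history")
    return problems

def password_expired(last_changed: date, today: date,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the policy's time limit."""
    return today - last_changed > timedelta(days=max_age_days)
```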

While strong passwords are ideal, users often forget them. As a result, password recovery methods
might vary depending upon access to an application, website or device. Methods might include
answering security questions, confirming emails asking if users want to reset their passwords, or
entering numerical security codes sent via text to a mobile phone to authenticate users who need to
reset passwords or recover the original one.

Alternative methods to passwords

There are many authentication options available today so that users do not have to rely on
passwords that can be easily cracked or compromised.

These options include:

Two-factor authentication (2FA):- 2FA requires users to provide two authentication factors drawn
from a combination of something the user knows -- like a password or PIN; something the user
has -- like an ID card, security token or smartphone; or something the user is -- biometrics.

Biometrics -- Biometric technology is mainly used for identification and access control.
Biometrics includes physiological characteristics such as fingerprints or retinal scans, and
behavioral characteristics such as typing patterns and voice recognition.

Multifactor authentication (MFA) -- MFA is similar to 2FA except that it is not limited to only two
authentication factors. It also uses something the user knows, something the user has and
something the user is.

Tokens -- A security token is a physical hardware device like a smart card or key fob that a user
carries to authorize access to a network.

One-time passwords (OTP):- An OTP is an automatically generated password that only
authenticates a user for a single transaction or session. These passwords change for every use and
are typically stored on security tokens.

Social logins:- A social login is when users can authenticate themselves on applications or
websites by connecting to their social media account such as Facebook or Google instead of using
a separate login for each and every site.

Internet Infrastructure Practical Exercise Assignment

Harar Polytechnic College Department of ICT wants to install an internetwork infrastructure in its
training Labs and staff office. It has 7 Labs and one office, and the following network
infrastructures are needed in the project:

1. Each of the 7 Labs will have 14 computers with potential increase in number up to 20
2. The office will have 8 computers with the potential increase up to 12
3. There will be 3 different subnets in the internetwork as follows:
a. Lab 1 – Lab 3 will be for juniors and separate network
b. Lab 4 – Lab 7 will be for seniors and another network
c. The staff office will be still one separate network by its own
4. One high duty server computer will be installed in the staff office and will serve the whole
ICT internetwork
5. There will be three high duty printers: for Juniors, for seniors and for the staff one printer
each
6. The printers are IP configurable

Using the above requirements

Design a physical and logical network topology using MS-Visio or another compatible design
software of your interest

Design IP address and a network subnet mask for the internetwork

Write down bill of materials with detailed specifications

In addition: - do the following activities in your class room

Install MS-Windows 2008 Server on one computer and MS-Windows 10 client Operating
System on another server, join the client to the server and do the following exercises:

Install Active Directory, DNS, DHCP, File server and Mail Server

Create OUs, Users, Computers and three groups (teachers, students and admin staff)

Give permission to the groups as:

Group         Access time
Teachers      The whole day, Monday – Saturday
Students      8:00 am – 5:00 pm, Monday – Friday
Admin staff   8:00 am – 5:00 pm, Monday – Saturday

Create and share printers and folders for each group
