building internet infrastructure 2nd unit of competency.doc
Sep 02, 2025
LO1: Plan and design internet infrastructure
Contents:
What is a protocol?
Why protocols are used in networking
Examples of different protocols
The ISO/OSI reference model
The seven layers explained
Introduction to TCP/IP
How TCP/IP works
What is an IP address?
Components of an IP address
Classes of IP addresses
Subnet masks
Binary and decimal conversion
Subnetting
Routing
Routing tables
IP Version 6 (IPv6)
Summary
Check your progress
Oza.T, 2012
What is a protocol?
For communication to occur there has to be some form of common language and
some guidelines that are used to manage the communication process. With respect
to computers and information technology, a protocol is a standard framework, which
dictates how two or more computers communicate with each other and share
information over a particular data link.
Why protocols are used in networking
Protocols define the rules or standards for communication between network devices.
A printer cannot interpret signals sent by other devices, such as a workstation or file
server, unless there is a common protocol. Protocols enable data to be sent
between two devices in sequence and without errors.
Examples of protocols used on networks include:
Transmission Control Protocol/Internet Protocol (TCP/IP)
Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)
NetBIOS (Network Basic Input Output System)
NetBIOS Enhanced User Interface (NetBEUI)
AppleTalk.
Protocols need to be installed and configured on both devices before communication
can take place between those devices, eg a workstation and a file server.
With respect to networking, the term ‘protocol’ actually refers to a group or suite of
individual protocols that work together. Different tasks are assigned to protocols
within a suite, such as data translation, data handling, addressing or error checking.
There are many factors that determine which protocol (protocol suite) you may use
on a network. Factors include:
the error rate on the data link
whether Internet access is required (this is important as some protocols are
not routable)
the network operating system being used
how much network security will be required
the speed requirements of the network.
Readings: Design an IP address scheme according to organisational requirements (2005)
Examples of different protocols
Below you will find some examples of the different protocols with a brief explanation
for each.
Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX)
This is a suite of protocols, made up of many protocols, not just IPX and SPX. It was
originally developed by Xerox and adopted by Novell in the 1980s.
Novell's NetWare clients and servers use this suite of protocols. It is routable,
meaning that it can cross many LAN segments. IPX works at the network layer and
is connectionless, that is, the protocol does not guarantee delivery of data.
The IPX protocol is responsible for addressing. SPX is responsible for ensuring that
data is received in sequence and error free.
NetBIOS and NetBEUI
The Network Basic Input Output System (NetBIOS) was originally developed by IBM
and later adopted by Microsoft to be used in small local area networks.
NetBEUI (NetBIOS Enhanced User Interface) is a fast and efficient protocol that is
still used on some small networks. However, it is not routable, that is, it cannot
span the Internet. Many systems nevertheless still require the presence of the
NetBIOS protocol services to function correctly, so NetBIOS is carried across routed
networks by 'riding' on TCP/IP through the routers (NetBIOS over TCP/IP), that is,
TCP/IP encapsulates NetBIOS.
AppleTalk
This protocol was developed to interconnect Apple Macintosh computers. This is a
routable protocol.
To find out more information on these and other protocols, you can follow the links in
the Research section of this Learning Pack.
The ISO/OSI reference model
In the early 1980s the International Organization for Standardization (ISO) developed
a model, or theoretical representation, of what happens between two computers on a
network. The model, known as the Open Systems Interconnection (OSI) reference
model, is the blueprint that has helped networking specialists to understand and
develop computer-to-computer communications.
The goal of establishing the reference model was to allow different computers from
different manufacturers, running different operating systems to communicate with
each other, so long as each system conformed to the OSI reference model.
The model has seven layers, numbered 7 to 1 from the top:
7 application
6 presentation
5 session
4 transport
3 network
2 data link
1 physical.
Each layer of the OSI model has its own function and interacts with the layers
directly above and below it.
Figure 1 below shows information going down the seven layers from one device
across intermediate devices, and then up through the seven layers on the
destination device. These devices can be any type of network equipment such as
networked computers, printers and internetworking devices such as routers and
switches.
Figure 1: The ISO/OSI reference model showing communication between two devices (sending device on the left, receiving device on the right)
Here is a simple mnemonic to help you remember the order of the seven layers of
the OSI model:
All Application 7
People Presentation 6
Seem Session 5
To Transport 4
Need Network 3
Data Data Link 2
Processing Physical 1
Figure 2: Remembering the seven layers of the OSI model
[Figure 1 body: the sending and receiving devices each carry all seven layers, Application, Presentation, Session, Transport, Network, Data Link and Physical; the intermediate devices between them carry only the Network, Data Link and Physical layers.]
The seven layers explained
Physical layer
The physical layer is the bottom layer of the OSI model. Its function is to simply:
Transmit bits over the network media. This layer contains the physical
networking media such as cabling, connectors and repeaters.
Specify the mechanical, electrical and functional means of establishing and
maintaining the physical connections. That is, how the electrical signals are
amplified and transmitted over the wire. The layer sets the data transmission
rate and monitors data error rates, although it does not provide for error
correction — which is done at another level.
The physical layer thus activates and deactivates the physical connection. A
severed wire or a NIC (network interface card) not seated deeply enough are some
of the network problems that can be experienced at the physical layer.
Data link layer
The second layer of the OSI model is the data link layer. Its primary purpose is to
provide a reliable method of transmitting data across the physical media.
The data link layer divides data it receives from the network layer into frames that
can then be transmitted by the physical layer. A header and trailer are added to the
frames. These allow the destination device to see when a frame begins or ends on
the physical media.
Where the data link layer offers an acknowledged (connection-oriented) service, the
frames are transmitted sequentially and the sender's data link layer waits for an
acknowledgement from the receiver that the data was received correctly; if no
acknowledgement arrives, the frame is retransmitted. Common LAN technologies such
as Ethernet use the unacknowledged service instead and leave retransmission to the
transport layer. The data link layer is divided into two sub-layers, the Media
Access Control (MAC) sub-layer and the Logical Link Control (LLC) sub-layer.
Media Access Control (MAC)
The MAC sub-layer is responsible for the physical addressing of devices on the
network and for how these devices gain access to the network media. The address
used at the data link layer is called a physical address because it is burned into
the network interface card by the manufacturer; it is also known as the MAC address.
Each device has a unique address that provides the information needed to direct
data to and from devices on the local network. Note that most operating systems and
drivers allow the burned-in address to be overridden in software, so a MAC address
identifies a device on the local segment but should never be relied upon as proof
of identity.
Logical Link Control (LLC)
The LLC sub-layer is responsible for flow control and error detection at this layer
and provides two service types:
The unacknowledged connectionless service is unreliable, as data is transferred
without acknowledgement or error recovery.
The connection-oriented service is slower than the connectionless service, as data
is checked for errors using a Cyclic Redundancy Check (CRC). CRC is one method of
detecting errors in transmitted data. Before the data is sent, a CRC value is
calculated by running the data through an algorithm. The data is run through the
same algorithm again at the receiving end; if the two values match, the data is
assumed to have arrived intact. The value generated by the algorithm is often
loosely called a checksum. A CRC is designed to catch accidental corruption such as
line noise. It uses no secret, so anyone who can alter a frame in transit can simply
recompute the CRC; it is not a defence against deliberate tampering, which needs a
keyed integrity check at a higher layer.
Flow control is important not only at the LLC sub-layer but also at all layers of the
OSI model. It’s important to make sure that the transmitter doesn’t flood the receiver
with data resulting in buffer overflow and lost data.
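As an added example (not code from the original learning pack), the following Python shows the CRC check described above in action, together with its limit: a single flipped bit is caught, but an attacker who rewrites the data and recomputes the CRC is not, whereas a keyed HMAC (assumed here to be applied at a higher layer with a constructed shared key) does catch the substitution. The payloads and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample frame payloads and a constructed shared key (none are from the page).
PAYLOAD = b"TRANSFER 100.00 TO ACCOUNT 12345"
FORGED_PAYLOAD = b"TRANSFER 999.00 TO ACCOUNT 99999"
SHARED_KEY = b"example-link-key-not-for-production"  # assumption: both ends hold this key


def attach_crc(data: bytes) -> bytes:
    """Sender side: append the CRC-32 of the data as a 4-byte big-endian trailer (the FCS)."""
    return data + zlib.crc32(data).to_bytes(4, "big")


def check_crc(frame: bytes) -> bool:
    """Receiver side: recompute the CRC over the data and compare it with the trailer."""
    data, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(data) == int.from_bytes(trailer, "big")


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Simulate line noise by inverting a single bit of the frame."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def forge_with_crc(new_data: bytes) -> bytes:
    """Simulate an active attacker: substitute new data and recompute a matching CRC.
    CRC uses no secret, so anyone who can rewrite the frame can do this."""
    return attach_crc(new_data)


def attach_hmac(data: bytes, key: bytes) -> bytes:
    """Keyed alternative: append an HMAC-SHA256 tag (32 bytes) that needs the key to recompute."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def check_hmac(frame: bytes, key: bytes) -> bool:
    data, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> dict:
    frame = attach_crc(PAYLOAD)
    noisy = flip_bit(frame, 13)                    # accidental corruption
    forged = forge_with_crc(FORGED_PAYLOAD)        # deliberate substitution, CRC fixed up
    mac_frame = attach_hmac(PAYLOAD, SHARED_KEY)
    # The attacker swaps the payload but cannot compute a fresh tag without the key.
    forged_mac = FORGED_PAYLOAD + mac_frame[-32:]
    return {
        "clean_frame_passes_crc": check_crc(frame),
        "bit_flip_caught_by_crc": not check_crc(noisy),
        "forgery_caught_by_crc": not check_crc(forged),
        "forgery_caught_by_hmac": not check_hmac(forged_mac, SHARED_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the third line reads False: the forged frame passes the CRC check, which is the whole point of the caveat.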
Network layer
The network layer is responsible for routing information from the sender to the
receiver. It accepts messages from the transport layer, converts them into packets
and ensures that the packets are directed towards their destination. The network
layer determines the best path that the packets should take from point A on one
network to point B on another network. It does this by checking to see if the
destination device is on another network.
Transport layer
The prime responsibility of the transport layer is to ensure that the data transferred
from point A to point B is reliable, in the correct sequence and without errors.
The transport layer accepts the data from the session layer and splits it up, if
required. It then forwards the data to the network layer and checks that the data has
arrived successfully on the destination device — this is a connection-oriented
service. If an acknowledgement is not received within a specified period of time, the
data is re-sent by the sending device. Acknowledgements are used to control the
flow of data.
Session layer
The session layer allows users to establish a connection — a session. Once the
session has been established the session layer maintains and co-ordinates the
communication. For the user to establish a session, they need to provide a remote
address. The address can be a domain name such as www.tafensw.edu.au or the
NetBIOS name of the computer, for example, Serv007.
Presentation layer
The presentation layer is responsible for translating data into a format that can be
understood by each computer. The important task at this layer is code translation.
For example an IBM mainframe may transmit a message in EBCDIC format to a PC
that uses ASCII format. Despite the coding differences, data can still be displayed
on the receiving device, the PC.
ASCII, EBCDIC, BMP, WAV and UNICODE are examples of presentation layer code
translations. (Refer to Terms for definitions of these.) The presentation layer is also
responsible for data encryption and foreign language translations.
Application layer
The application layer is the seventh and last layer of the model. It is the only level at
which the user has direct contact with the model. This layer starts a network
application, such as transferring files, or provides access to the Internet. Do not
confuse the application layer with software such as word processing or spreadsheet
applications. The application layer makes network services such as file, print,
message, application and database services available to a computer’s local
operating system.
The application layer determines the quality of service at the lower layers. If a
problem occurs at a lower layer, the application layer provides a means of notifying
the user that there is a problem. The notification is usually in the form of an error
message, for example, host not reachable, printing device not connected, etc.
Introduction to TCP/IP
TCP/IP stands for Transmission Control Protocol/Internet Protocol. It is the
basic protocol of the Internet. It is a scalable protocol, which can be used on a small
private network, such as your home network or a company’s private Intranet, or it
can be used on a large company network like the one at Forth Management
Associates.
TCP/IP has become the de-facto standard for Internet communications. There are
many reasons for this:
TCP/IP has been accepted as the industry standard protocol.
It is a routable protocol suite.
Almost all computer operating systems support the TCP/IP protocol.
It allows computers using different operating systems to connect to each
other (such as a UNIX computer to a Windows XP computer).
It is an open standard — no company has control over the protocol. Anyone
is allowed to use it and develop applications based on it.
It is a well-designed protocol.
How TCP/IP works
TCP/IP is not just two protocols, but a suite of which includes TCP, IP, UDP, ARP,
ICMP and other sub-protocols. The suite of protocols can be divided into four layers
that roughly correspond to the seven layers of the OSI model, as shown in Figure 3.
TCP/IP layer        OSI layer(s)
Application         Application, Presentation, Session
Transport           Transport
Internet            Network
Network interface   Data link, Physical
Figure 3: Approximate correspondence of four layers of TCP/IP to OSI model
TCP/IP is a multiple-layer protocol, which provides an application service as well as
a network service, as can be seen in Figure 4 below.
Figure 4: TCP/IP application and network services
TCP and IP are the core protocols in the suite, and along with UDP, ICMP, ARP and
other sub-protocols provide a network service.
Internet Protocol (IP)
The Internet Protocol belongs to the Internet Layer of the TCP/IP model. It provides
information on how and where data is to be delivered — a key feature of
Internetworking. For this reason the TCP/IP protocol is able to span more than one
LAN segment, usually through a router.
The IP portion of the data frame is called an IP datagram. The datagram contains
information for routers so that data can be transferred between individual networks.
IP is a connectionless protocol. This means that it does not guarantee delivery of
data. Higher-level protocols use IP information to ensure that data packets are
delivered to the right address.
Transmission Control Protocol (TCP)
TCP belongs to the transport layer of the TCP/IP suite. It provides a reliable data
delivery service known as a connection-oriented service — this means that a
connection must be established between two devices before TCP will transmit data.
TCP provides checksum, flow control and sequencing information, which ensures
that the data is reassembled in the correct order.
User Datagram Protocol (UDP)
UDP belongs to the transport layer of the TCP/IP suite. It is a connectionless
service: it does not establish a connection, does not guarantee delivery or that
datagrams arrive in the correct order, and does not acknowledge or retransmit. Its
only integrity check is a simple optional checksum. UDP is used when data needs to
be transferred quickly, for example, in live audio or video transmissions over the
Internet.
Internet Control Message Protocol (ICMP)
ICMP belongs to the Internet layer of the TCP/IP suite. It is responsible for notifying
the sending device of a problem with transmission, for example, when packets are
not delivered. It provides a message to the sending device, such as ‘Host
unreachable’ (how many times have you seen this?). ICMP is used by diagnostic
utilities, such as PING.
Address Resolution Protocol (ARP)
ARP also belongs to the Internet layer of the TCP/IP suite. ARP is used to find the
unknown MAC address of a device on the local network whose IP address is known (or,
when the destination is on a remote network, the MAC address of the next-hop
router). The IP header carries only the source and destination IP addresses; the
source and destination MAC addresses are carried in the data link frame header,
which is why a sender must resolve the MAC address before it can build the frame.
The resulting IP/MAC pairs are held on the sending machine in an ARP table (cache).
ARP requests and replies carry no authentication, so any host on the segment can
answer for any IP address; this is the basis of ARP spoofing, and unexpected
changes in an ARP table are worth investigating.
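The following Python is an added example, not part of the original learning pack. It parses a constructed ARP table in the layout of the Windows `arp -a` command and applies two simple checks an administrator would want: one for a single MAC address answering for several IP addresses, and one for the gateway's MAC differing from a recorded known-good value. The sample entries and the baseline are both constructed for the example, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Windows `arp -a` output; not taken from the page.
# Here 192.168.1.20 is answering with the same MAC that now appears for the gateway.
ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Assumed baseline: the gateway's MAC as recorded when the network was known-good.
KNOWN_GOOD = {"192.168.1.1": "00-11-22-33-44-55"}

ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text: str) -> dict:
    """Return {ip: mac} for every unicast entry; broadcast and multicast MACs are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and the 'Interface:' line do not match
        ip, mac = m.group(1), m.group(2).lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        table[ip] = mac
    return table


def find_shared_macs(table: dict) -> dict:
    """MACs that answer for more than one IP: a classic indicator of ARP spoofing.
    (A legitimate exception is a router holding several addresses on one interface.)"""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_changed_macs(table: dict, baseline: dict) -> dict:
    """Entries whose MAC differs from the recorded baseline: {ip: (expected, seen)}."""
    return {
        ip: (baseline[ip], table[ip])
        for ip in baseline
        if ip in table and table[ip] != baseline[ip]
    }


def audit(text: str, baseline: dict) -> dict:
    table = parse_arp_table(text)
    return {
        "shared_macs": find_shared_macs(table),
        "changed_macs": find_changed_macs(table, baseline),
    }


if __name__ == "__main__":
    for finding, detail in audit(ARP_OUTPUT, KNOWN_GOOD).items():
        print(f"{finding}: {detail}")
```

On a real host you would feed the output of `arp -a` (or `ip neigh` on Linux, with the regular expression adjusted for its layout) into `audit` and keep the baseline on a trusted machine.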
Application service
The TCP/IP suite also provides an application service with protocols such as:
Hypertext Transfer Protocol (HTTP)
Hypertext Transfer Protocol Secure (HTTPS)
File Transfer Protocol (FTP)
Telnet
Simple Network Management Protocol (SNMP)
Simple Mail Transfer Protocol (SMTP)
In their basic form Telnet, FTP and SMTP send credentials and content in clear text,
as does SNMP in versions 1 and 2c; HTTPS is HTTP carried over an encrypted TLS
connection.
What is an IP address?
Every device on a network (printer, workstation, server, etc) requires a unique
identifier. If all the devices are on the same local area network, then only a physical
(MAC) address is required. This is the same as saying that all we need to uniquely
identify any house in the same street is to have its house number. However, if the
destination device is on a different network then a logical address is also required.
This is the same as saying that all we need to uniquely identify any house in NSW is
to have its house number, its street name and its town name. The IP address is the
logical address that allows data to be sent to devices on different networks. Logical
addresses must conform to the standards and rules of the protocol, thus IP
addresses are assigned according to specific rules and standards and are
configured by the network administrator.
Components of an IP address
An IP address is a 32-bit binary number, for example:
11001011 00111100 00000001 00000010
For ease of use, this is normally represented in a dotted decimal format, eg:
203.60.1.2.
Each 8-bit octet is represented by a whole number between 0 and 255. Each IP
address consists of two fields:
a net ID field that is the logical network address of the device
a host ID field, which is the logical device’s address that uniquely identifies
each device on the network.
Together, the net ID and the host ID provide each device on a network with a unique
IP address.
Classes of IP addresses
There are five classes of IP addresses; however, only three classes are commonly
used. Table 1 below shows the commonly used classes.
Table 1: Commonly used classes of IP addresses
Class   First octet   Number of networks   Number of addresses per network
A       1 – 126       126                  16,777,214
B       128 – 191     16,384               65,534
C       192 – 223     2,097,152            254
Note: Class D and E are not available for standard network addressing.
You can identify the class of an IP address by examining the first octet.
All nodes in a Class A network share the first octet of their IP address. Class A
addresses range between 1 and 126. An example of a Class A address is
125.10.15.1. The net ID portion of the IP address is 125 and the host ID portion of
the IP address is 10.15.1.
All nodes in a Class B network share the first two octets of their IP address. Class B
addresses range between 128 and 191. An example of a Class B address is
158.10.15.1. The net ID portion of the IP address is 158.10 and the host ID portion
of the IP address is 15.1.
All nodes in a Class C network share the first three octets of their IP address.
Class C addresses range between 192 and 223. An example of a Class C
address is 200.10.15.1. The net ID portion of the IP address is 200.10.15 and
the host ID portion of the IP address is 1.
Class A networks have a first octet whose binary value starts with 0:
Binary      Decimal
0 0000000   0
0 0000001   1
0 0000010   2
~           ~
0 1111110   126
0 1111111   127
Class B networks have a first octet whose binary value starts with 10:
Binary      Decimal
10 000000   128
10 000001   129
10 000010   130
~           ~
10 111110   190
10 111111   191
Class C networks have a first octet whose binary value starts with 110:
Binary      Decimal
110 00000   192
110 00001   193
110 00010   194
~           ~
110 11110   222
110 11111   223
As there are only 126 Class A networks available on the Internet, most Class A
networks have been reserved by large corporations or governments. Some IP
addresses have been reserved for network functions such as broadcasts and cannot
be assigned to devices.
As you know, all rules have exceptions and this also applies to IP addressing. The
following section discusses special IP addresses.
Special IP addresses
Here are some of the restrictions you should keep in mind — you will need to
remember them!
First octet value of 127
Any address with a first octet value of 127 is a loopback address, which is used for
diagnostics and testing. A message sent to an IP address with the first octet of 127
is returned to the sender. The IP address 127.0.0.1 is known as the loopback
address and is used for this purpose. Therefore, 127 cannot be used as a net ID,
although it is technically a Class A address.
All 1s in the host portion
An address whose host ID bits are all 1s is a broadcast address. A message sent to
255.255.255.255 (the limited broadcast) reaches every host on the local network
segment and is never forwarded by routers. A message sent to 158.8.255.255 is a
directed broadcast to every host on the Class B network 158.8.0.0; routers normally
drop directed broadcasts arriving from outside, because forwarding them would let a
single packet from an outsider flood a whole network.
Addresses for private Local Area Networks (LANs)
There are three groups of IP addresses (set aside by RFC 1918) to choose from if you
wish to create a private LAN (for example, an Intranet for a company, or for use at
home) that is not directly reachable from the Internet:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Internet routers do not carry routes for these ranges, so a host with a private
address needs NAT (see below) to reach the Internet.
The first octet of a host address cannot have a value above 223. Addresses from 224
to 239 (Class D) are reserved for multicast and addresses from 240 to 255 (Class E)
are reserved for experimental use, with 255.255.255.255 used as the limited
broadcast address.
Subnet masks
Besides an IP address, every computer on a network must be configured with a
subnet mask. The subnet mask allows routing devices to separate the IP address
into its net ID and host ID portions.
Network management is made easier if a network is broken into smaller segments.
However, a business is allocated a single IP address that covers its net ID address
and a range of host ID addresses. By using some of the host ID bits as segment
addresses, segmentation can occur and network management made easier.
The subnet mask identifies whether a computer is on the same local network or on
another network that needs to be contacted through a router. Subnet masks make it
easier and faster to identify the net ID portion of the IP address. It allows TCP/IP to
determine if network traffic destined for a given IP address should be transmitted on
the local network, or whether it should be routed to a remote network.
A subnet mask should be the same for all computers and other network devices on
the same network segment.
The subnet mask is a 32-bit binary number, broken into four 8-bit octets.
A common subnet mask is 255.255.255.0. This particular subnet mask specifies that
TCP/IP will use the first three octets of an IP address as the network id and the last
octet as the host ID.
The default subnet mask follows from the class of IP address in use on the network.
The following default masks apply to the classes of IP addresses:
Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0
When a network is subnetted (see Subnetting below), the mask is longer than the
class default. Note: if subnet masks are incorrectly configured, hosts on the same
segment may disagree about which addresses are local, and routing errors will occur.
How do you obtain an IP address?
Public IP address space is coordinated globally by the Internet Assigned Numbers
Authority (IANA), a function operated by the Internet Corporation for Assigned Names
and Numbers (ICANN), and is handed out in blocks to the five Regional Internet
Registries. Here in Australia the registry is APNIC; Internet Service Providers
(ISPs) and other agents obtain address blocks from APNIC and lease some of their
allocated IP addresses to you, or apply to the registry on your behalf.
An organisation does not normally obtain an IP address for each staff member. The
range of IP addresses a company will lease will depend on the number of servers in
the organisation that will require Internet access such as a web or remote access
servers. Most organisations usually lease a small number of IP addresses.
Internally, organisations use addresses from the private address range to allocate to
staff members.
Real IP addresses are allocated to the web and proxy servers, as well as other
devices such as routers that communicate with other devices on the Internet. These
devices have a legitimate IP address, however, the workstations and other devices
on the company’s network use addresses from the private ranges.
A NAT (Network Address Translation) router or gateway can be used to hide the IP
addresses assigned to devices on the network from any public network, such as the
Internet. When a node's transmission reaches the IP gateway, the gateway rewrites
the private source address to one of its own public IP addresses (and a port number)
and keeps a translation table so that replies can be mapped back to the internal
node. In this way the company's internal addressing is not exposed and network
administrators have more flexibility in assigning addresses. Note that NAT is an
addressing mechanism, not an access control: inbound connections fail only because
no translation exists for them, so a firewall policy is still required.
Binary and decimal conversion
Computers store information in binary form, that is, in 0s and 1s. Binary uses the
base 2 counting system. To create subnets and work out the decimal equivalents of
the binary bit patterns, it is useful to learn how to convert decimal numbers into
binary and vice versa (without a calculator!).
To convert a number into binary or decimal it is best to use this table:
Bit value       0/1   0/1   0/1   0/1   0/1   0/1   0/1   0/1
Power of two    2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
Decimal value   128   64    32    16    8     4     2     1
First row: the 0/1 refers to the value of a bit, that is, zero or one.
Second row: represents the binary system; each position is the next power of 2 (as
opposed to the decimal system, where each position is the next power of 10).
Third row: the decimal values of the second row.
Rules for converting
Using the table above, you will need to apply the following rules:
multiply the bit by its positional decimal equivalent
add the value of the decimal equivalents of all the bits to determine the total
decimal value of the binary number.
For example, 11001011:
Bits            1     1     0     0     1     0     1     1
Weights         128   64    32    16    8     4     2     1
Products        128   64    0     0     8     0     2     1
Decimal value = 128 + 64 + 8 + 2 + 1 = 203
00111100: 32 + 16 + 8 + 4 = 60
00000001: decimal value = 1
00000010: decimal value = 2
Together: 203 60 1 2
So, the IP address 203.60.1.2 has the corresponding binary values:
11001011 00111100 00000001 00000010
In binary within a computer, this would be stored as the single 32-bit pattern:
11001011001111000000000100000010
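The following Python is an added worked example, not code from the original learning pack. It ties together the last three sections (components of an IP address, classes and special addresses, binary and decimal conversion): it converts dotted decimal to a 32-bit value and back to the binary form shown above, determines the class from the leading bits of the first octet, splits the net ID from the host ID using the default mask, and flags the loopback, RFC 1918 private, multicast and limited-broadcast cases. The function names are my own; the addresses used are the ones the page itself discusses.

```python
# Private ranges as listed on the page (RFC 1918).
RFC1918_RANGES = (
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
)


def dotted_to_int(address: str) -> int:
    """Dotted decimal -> 32-bit integer. Within each octet the bits weigh 128, 64, ..., 1;
    the four octets weigh 2^24, 2^16, 2^8 and 2^0."""
    octets = address.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {address!r}")
    value = 0
    for octet in octets:
        if not octet.isdigit():
            raise ValueError(f"octet is not a decimal number: {octet!r}")
        n = int(octet)
        if n > 255:
            raise ValueError(f"octet out of range 0-255: {octet}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def int_to_binary(value: int) -> str:
    """32-bit integer -> four 8-bit groups, e.g. '11001011.00111100.00000001.00000010'."""
    bits = format(value & 0xFFFFFFFF, "032b")
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def classify(address: str) -> dict:
    """Classful analysis: class from the leading bits of the first octet, default mask,
    net ID / host ID split, and the special ranges the page lists."""
    value = dotted_to_int(address)
    first = value >> 24
    if first >> 7 == 0b0:          # 0xxxxxxx -> 0..127
        cls, prefix = "A", 8
    elif first >> 6 == 0b10:       # 10xxxxxx -> 128..191
        cls, prefix = "B", 16
    elif first >> 5 == 0b110:      # 110xxxxx -> 192..223
        cls, prefix = "C", 24
    elif first >> 4 == 0b1110:     # 1110xxxx -> 224..239 (multicast)
        cls, prefix = "D", None
    else:                          # 1111xxxx -> 240..255 (reserved)
        cls, prefix = "E", None

    info = {"address": address, "binary": int_to_binary(value), "class": cls}
    if prefix is not None:
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        octets = address.strip().split(".")
        info["default_mask"] = int_to_dotted(mask)
        info["net_id"] = ".".join(octets[: prefix // 8])      # as the page writes it, e.g. '158.10'
        info["host_id"] = ".".join(octets[prefix // 8:])      # e.g. '15.1'
        info["network_address"] = int_to_dotted(value & mask)  # e.g. '158.10.0.0'

    special = []
    if first == 127:
        special.append("loopback")
    if any(dotted_to_int(lo) <= value <= dotted_to_int(hi) for lo, hi in RFC1918_RANGES):
        special.append("private (RFC 1918)")
    if cls == "D":
        special.append("multicast")
    if value == 0xFFFFFFFF:
        special.append("limited broadcast")
    info["special"] = special
    return info


if __name__ == "__main__":
    for a in ("203.60.1.2", "125.10.15.1", "158.10.15.1", "200.10.15.1",
              "127.0.0.1", "172.31.5.9", "224.0.0.1", "255.255.255.255"):
        print(classify(a))
```

Note that the class test looks at the leading bits rather than comparing decimal ranges, which is exactly the rule the binary tables in the Classes section encode.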
Subnetting
A large network can be divided into smaller or multiple networks by subdividing a
single class of IP addresses. Network Administrators can use one class of
addresses for several network segments. A subnetted address includes the network,
subnet, and host information.
Say your organisation is assigned a Class B network ID of 152.77.0.0. The standard
subnet mask would be 255.255.0.0, and the valid host addresses would range from
152.77.0.1 to 152.77.255.254. To divide this range into 6 subnets you would apply
the formula 2^n – 2, where n is the number of host bits borrowed for the subnet
field.
In the above example, the standard subnet mask 255.255.0.0 converts to binary as
11111111.11111111.00000000.00000000.
By borrowing 3 bits, the new subnet mask becomes
11111111.11111111.11100000.00000000, which converts to the decimal format
255.255.224.0. In this example a 3-bit subnet field is used, so 2^3 = 8 bit patterns
are available. Under the original subnetting rules (RFC 950) the all-0s pattern
(000) and the all-1s pattern (111) are not used, because an all-0s subnet address
could not be told apart from the network itself and an all-1s subnet address from
the all-subnets broadcast; that leaves 6 (2^3 – 2) usable subnets. Modern routers
and hosts using classless (CIDR) addressing accept all 8, so check which convention
applies in your environment. The valid range of IP addresses for the six subnets is
shown in Table 2.
Table 2: Valid range of IP addresses for six subnets (subnet mask 255.255.224.0)
Subnet bits   Network number   Node addresses
001           152.77.32.0      152.77.32.1 to 152.77.63.254
010           152.77.64.0      152.77.64.1 to 152.77.95.254
011           152.77.96.0      152.77.96.1 to 152.77.127.254
100           152.77.128.0     152.77.128.1 to 152.77.159.254
101           152.77.160.0     152.77.160.1 to 152.77.191.254
110           152.77.192.0     152.77.192.1 to 152.77.223.254
The combination of an address's network and subnet information becomes an
extended network prefix. The extended network prefix enables a device to determine
the subnet to which the address belongs (the device ANDs the address with the
subnet mask). Subnet masks allow you to sub-allocate network addresses. Subnetting
is a complex procedure, which you can learn more about with further reading and
after completing this unit.
Websites providing further exercises and examples of subnetting can be found in the
Research section of this Learning Pack.
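As an added example (not part of the original learning pack), the following Python reproduces Table 2 for the page's 152.77.0.0 network with 3 borrowed bits using the standard library `ipaddress` module. It marks the all-0s and all-1s subnets as unusable under the RFC 950 rule while allowing that rule to be switched off for classless networks, and it tests which subnet a given address falls in by ANDing it with the new mask. The function names are my own.

```python
from ipaddress import IPv4Network


def subnets_by_borrowing(network: str, borrowed_bits: int, legacy_rfc950: bool = True) -> list:
    """Borrow `borrowed_bits` host bits to form a subnet field and list every resulting subnet.

    legacy_rfc950=True applies the 2**n - 2 rule (all-0s and all-1s subnet fields unusable);
    False applies the classless rule under which all 2**n subnets are usable.
    """
    base = IPv4Network(network)
    last_index = 2 ** borrowed_bits - 1
    rows = []
    for index, sub in enumerate(base.subnets(prefixlen_diff=borrowed_bits)):
        reserved = legacy_rfc950 and index in (0, last_index)
        rows.append({
            "subnet_bits": format(index, f"0{borrowed_bits}b"),   # e.g. '001'
            "network": str(sub.network_address),
            "mask": str(sub.netmask),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "usable": not reserved,
        })
    return rows


def usable_subnet_count(borrowed_bits: int, legacy_rfc950: bool = True) -> int:
    """2**n - 2 under RFC 950, 2**n under classless rules."""
    return 2 ** borrowed_bits - (2 if legacy_rfc950 else 0)


def hosts_per_subnet(network: str, borrowed_bits: int) -> int:
    """Host bits left after borrowing, minus the network and broadcast addresses."""
    host_bits = 32 - IPv4Network(network).prefixlen - borrowed_bits
    return 2 ** host_bits - 2


def subnet_of(address: str, network: str, borrowed_bits: int) -> str:
    """Which subnet an address belongs to (the extended-network-prefix test):
    AND the address with the new, longer mask."""
    prefix = IPv4Network(network).prefixlen + borrowed_bits
    return str(IPv4Network(f"{address}/{prefix}", strict=False))


if __name__ == "__main__":
    print(f"{'Bits':<6}{'Network':<16}{'Node addresses':<36}Usable (RFC 950)")
    for r in subnets_by_borrowing("152.77.0.0/16", 3):
        span = f"{r['first_host']} to {r['last_host']}"
        print(f"{r['subnet_bits']:<6}{r['network']:<16}{span:<36}{r['usable']}")
    print("usable subnets:", usable_subnet_count(3), "hosts each:", hosts_per_subnet("152.77.0.0/16", 3))
    print("152.77.100.7 lies in", subnet_of("152.77.100.7", "152.77.0.0/16", 3))
```

The printed table has eight rows; the first (000) and last (111) are the ones the page's 2^n – 2 rule excludes, and the remaining six match Table 2.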
Routing
A router is a device that determines the next network point to which a packet should
be forwarded toward its destination. The router is connected to at least two networks
and decides which way to send each information packet based on its current
understanding of the state of the networks it is connected to.
Routers create and maintain a table of the available routes and their conditions and
use this information along with the distance to determine the best route for a given
packet. Typically, a packet may travel through a number of network points with
routers, before arriving at its destination. Routing is a function associated with the
network layer (layer 3) in the standard model of network programming, the OSI
model.
In most cases, a router is located at any gateway (where one network meets
another). In Figure 5 below two networks are connected by a router with IP address
192.168.1.1 and 203.60.1.4, subnet mask 255.255.255.0. The router acts as a
gateway and will handle all the incoming and outgoing network traffic, and as can be
seen in Figure 5, the router will handle the traffic between these two networks,
which will also apply to the way the router connects to the Internet.
Figure 5: Two networks connected by a router
Routing tables
TCP/IP hosts use a routing table to maintain knowledge about other IP networks and
IP hosts. As you now know, using an IP address and a subnet mask identifies
networks and hosts.
In addition, routing tables are important because they give needed information to
each local host regarding how to communicate with remote networks and hosts.
For each computer on an IP network, you can maintain a routing table with an entry
for every other computer or network that communicates with the local computer. In
general, this is not practical, and a default gateway (IP router) is used instead.
When a computer prepares to send an IP datagram, it inserts its own source IP
address and the destination IP address of the recipient into the IP header. The
computer then examines the destination IP address, compares it to a locally
maintained IP routing table, and takes appropriate action based on what it finds. The
computer does one of three things, it:
passes the datagram up to a protocol layer above IP on the local host.
forwards the datagram through one of its attached network interfaces.
discards the datagram.
IP searches the routing table for the route that is the closest match to the destination
IP address. The most specific to the least specific route is searched for in the
following order:
a route that matches the destination IP address (host route)
a route that matches the network ID of the destination IP address (network
route)
the default route.
Figure 6 shows a default routing table that can be accessed through the command
prompt ‘route print’. It shows the current IP address and subnet mask of the local
interface card and where it should forward its network traffic, in this case 0.0.0.0 of
network destination will have to forward to 192.168.0.1. This means that all traffic
will be handled by the 192.168.0.1 (which is default gateway/router), and the router
will decide where to forward the traffic.
Figure 6: A default routing table
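The following Python is an added example, not code from the original learning pack. It implements the three-way decision and the lookup order described above over a constructed routing table laid out like the columns of `route print` (the addresses are examples, not the contents of Figure 6): a host route beats a network route, which beats the default route; the result is local delivery, forwarding on-link or via a gateway, or a discard when nothing matches. The table entries, local addresses and function names are constructed for the example.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed routing table in the column order of `route print`:
# (network destination, netmask, gateway, interface, metric). Example values only.
ROUTES = [
    ("0.0.0.0",       "0.0.0.0",         "192.168.0.1",   "192.168.0.10", 25),   # default route
    ("127.0.0.0",     "255.0.0.0",       "on-link",       "127.0.0.1",    331),
    ("192.168.0.0",   "255.255.255.0",   "on-link",       "192.168.0.10", 281),  # attached network
    ("192.168.0.10",  "255.255.255.255", "on-link",       "192.168.0.10", 281),  # own address
    ("192.168.0.255", "255.255.255.255", "on-link",       "192.168.0.10", 281),  # subnet broadcast
    ("10.20.30.40",   "255.255.255.255", "192.168.0.254", "192.168.0.10", 10),   # host route
]

# Addresses this host owns; datagrams for these go up the local stack.
LOCAL_ADDRESSES = {"192.168.0.10", "127.0.0.1"}


def lookup(destination: str, routes=ROUTES):
    """Longest-prefix match: a /32 host route beats a network route, which beats the /0
    default route; equal prefix lengths are decided by the lower metric."""
    dst = IPv4Address(destination)
    best_key, best_route = None, None
    for route in routes:
        dest_net, mask, _gateway, _iface, metric = route
        net = IPv4Network(f"{dest_net}/{mask}")
        if dst in net:
            key = (net.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_route = key, route
    return best_route


def decide(destination: str, routes=ROUTES, local=LOCAL_ADDRESSES):
    """The three outcomes the text lists: deliver up the local stack, forward out an
    interface (directly or via a gateway), or discard because no route matches."""
    if destination in local:
        return ("deliver_locally", None)
    route = lookup(destination, routes)
    if route is None:
        return ("discard", None)  # a real stack would also raise an ICMP error
    dest_net, mask, gateway, iface, _metric = route
    # 'on-link' means the destination is on the attached network, so the host ARPs for
    # it directly; otherwise it hands the datagram to the gateway and ARPs for that.
    next_hop = destination if gateway == "on-link" else gateway
    return ("forward", {"interface": iface, "next_hop": next_hop, "matched": f"{dest_net}/{mask}"})


if __name__ == "__main__":
    for dst in ("192.168.0.10", "192.168.0.77", "10.20.30.40", "10.20.30.41", "8.8.8.8"):
        print(dst, "->", decide(dst))
```

The same mask test that the Subnet masks section describes (is the destination on my network or not?) is what the 192.168.0.0/255.255.255.0 on-link entry performs; everything that misses it falls through to the default route and the gateway decides from there.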
IP Version 6 (IPv6)
For over 20 years now, the IT industry has been using IPv4. As you have read, with
IPv4, IP addresses are unique: each computer or device on the network is
allocated an IP address and a subnet mask. By the early 1990s it was realised that
the world would run out of IPv4 addresses, and work began on the IP Next Generation
(IPng) project, which became IPv6.
IPv4 uses a 32-bit address space, which permits an absolute maximum of 2^32
(4,294,967,296) addresses, and so at most that many hosts on the Internet at any
given time. Today, not only do businesses, government departments and schools
have Internet access, but most homes have at least one computer that accesses the
Internet.
IPv6 addresses are four times as long as IPv4 addresses and at 128 bits provide an
absolute maximum of 2^128 individual addresses. This is roughly 3.4 x 10^38, or
340 billion billion billion billion. (Check the calculation: 2^128 is
340,282,366,920,938,463,463,374,607,431,768,211,456.)
IPv6 is now included as part of IP support in many products, from 3Com and Hitachi,
and including the major computer operating systems. There are no plans (at this
stage anyway) for a cutover date when IPv6 would be turned on and IPv4 turned off.
One of the strategies chosen for the upgrade is to deploy the IPv6 protocol stack in
parallel with IPv4 (‘dual stack’). This means that hosts that upgrade to IPv6 will
continue to exist as IPv4 hosts at the same time: they keep their 32-bit IPv4
addresses and add 128-bit IPv6 addresses.
An experimental IPv6 backbone, the 6bone, was set up to carry IPv6 Internet
traffic in parallel with the regular Internet; it was phased out in 2006 once
production IPv6 connectivity was available.
We suggest you do some follow up reading on IPv6 at: http://www.ipv6.org/
Summary
In this topic the term protocol and its definition were introduced with respect to
information technology.
A protocol is a standard or rule that dictates how two or more computers
communicate with each other and share information. There are many network
protocols in use today, such as IPX/SPX, AppleTalk, NetBEUI and TCP/IP.
However, TCP/IP has become the de-facto standard of the Internet. It is the protocol
of choice for most networks, whether they are connected to the Internet or not. It
enables different computers running different operating systems on different
networks to communicate with each other and share information.
The TCP/IP protocol is a suite of protocols, or protocol stack, made up of core
protocols such as TCP and IP and supporting protocols such as UDP, ARP and ICMP,
to name a few.
Every device on a network is logically configured with a unique IP address and
subnet mask which determines the network the device is located on. Each IP
address and subnet mask is a 32-bit binary number normally represented in dotted
decimal format.
IP addressing and subnet masks provide useful information to network devices such
as servers, other workstations and routers. This information enables data to be
routed from one network to another.
Transition strategies have been in place since 1999 to migrate from IPv4 to IPv6 in
the near future.
Check your progress
Now you should try and do the Practice activities in this topic. If you’ve already tried
them, have another go and see if you can improve your responses.
When you feel ready, try the ‘Check your understanding’ activity in the Preview
section of this topic. This will help you decide if you’re ready for assessment.
LO2: Install and configure Internet
Infrastructure and services
TCP/IP services 2
Dynamic Host Configuration Protocol (DHCP) 3
Windows Internet Naming Service (WINS) 6
Domain Name Service (DNS) 8
Installing and configuring TCP/IP 11
Manual configuration 11
Automatic configuration 12
TCP/IP tools 13
Summary 15
Check your progress 15
TCP/IP services
TCP/IP is the basic protocol of the Internet and comprises other protocols
including UDP, ARP and ICMP. The TCP/IP protocol suite also provides a number
of useful services, which include:
Dynamic Host Configuration Protocol (DHCP)
Windows Internet Naming Service (WINS)
Domain Name Service (DNS)
Hypertext Transfer Protocol (HTTP).
With all the new Windows operating systems TCP/IP is automatically installed during
the installation of the operating system. You can choose to configure your computer
with an IP address during the installation or wait until after the installation has been
completed.
Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) enables the assignment of dynamic
TCP/IP network addresses on a first come, first served basis, based on a specified
pool of available addresses. An organisation may only have a limited number of IP
addresses to be shared among the client computers. By configuring the DHCP
server with a pool of IP addresses, these addresses can then be shared by the
users within the organisation, thus simplifying IP address administration.
The client computer is configured to obtain an IP address automatically from a
DHCP server. When the client machine starts up, the DHCP service assigns the
next available IP address for the period of the lease, as configured on the
server; the client must renew the lease before it expires, otherwise the address
returns to the pool. The DHCP server can also be configured with a reservation,
keyed on the client’s MAC address, so that a particular machine receives the same
IP address every time it starts up. The DHCP server service is installed and
configured on a server computer.
Figure 1 below shows the configuration of an IP address scope on a DHCP server.
Any computer starting up on this network will be allocated an IP address from the
range 192.168.1.1 to 192.168.1.100.
Figure 1: IP address scope on a DHCP server
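The lease behaviour described above, as an added example in Python (not code from the reading or from any DHCP server product): a scope with the address range from Figure 1, a lease time, an address excluded for the router, and a reservation keyed on a MAC address. Addresses go out first come, first served, a renewing client keeps its address, expired leases return to the pool, and an exhausted pool hands out nothing. The client MAC addresses and the simulated clock are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    client_id: str     # the client's MAC address
    expires: int       # simulated clock, in seconds


class DhcpScope:
    """Minimal model of a DHCP scope: an address pool, leases with expiry, exclusions and reservations."""

    def __init__(self, start, end, lease_seconds, reservations=None, exclusions=()):
        first, last = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.lease_seconds = lease_seconds
        self.reservations = dict(reservations or {})   # client_id -> fixed address
        self.exclusions = set(exclusions)               # addresses never handed out (router, servers)
        self.leases = {}                                # ip -> Lease

    def _expire(self, now):
        """Return expired leases to the pool."""
        for ip in [ip for ip, lease in self.leases.items() if lease.expires <= now]:
            del self.leases[ip]

    def request(self, client_id, now):
        """Answer a client's request: reservation first, then a renewal of its existing lease,
        then the next free address in the pool. Returns None when the pool is exhausted."""
        self._expire(now)
        expiry = now + self.lease_seconds
        if client_id in self.reservations:
            ip = self.reservations[client_id]
            self.leases[ip] = Lease(ip, client_id, expiry)
            return ip
        for lease in self.leases.values():
            if lease.client_id == client_id:            # renewal keeps the same address
                lease.expires = expiry
                return lease.ip
        reserved = set(self.reservations.values())
        for ip in self.pool:                            # first come, first served
            if ip not in self.leases and ip not in self.exclusions and ip not in reserved:
                self.leases[ip] = Lease(ip, client_id, expiry)
                return ip
        return None   # no address available; a Windows client would fall back to an APIPA address


if __name__ == "__main__":
    # Constructed clients: the scope from Figure 1 with .1 kept for the router and one reservation.
    scope = DhcpScope("192.168.1.1", "192.168.1.100", lease_seconds=3600,
                      reservations={"00:11:22:33:44:55": "192.168.1.50"},
                      exclusions={"192.168.1.1"})
    print(scope.request("aa:bb:cc:00:00:01", now=0))
    print(scope.request("00:11:22:33:44:55", now=0))
```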
For a client computer to be allocated an IP address, you will need to check the
option ‘Obtain an IP address automatically’ from the TCP/IP Properties window as
can be seen in Figure 2.
Figure 2 below shows an example of how TCP/IP properties are configured for
automatic assignment of an IP address on a client computer. To get to this screen
on a Windows 2000 or XP computer, you will need to go to:
My Network Places / Local Area Connection, Properties / TCP/IP Properties.
Figure 2: Configuration for automatic assignment of an IP address on a client computer
Once you have chosen to obtain an IP address automatically, the Advanced TCP/IP
Setting option will display that DHCP has been enabled on the client computer, as
can be seen from Figure 3 below.
Figure 3: Advanced TCP/IP Settings show that DHCP has been enabled
Windows Internet Naming Service (WINS)
Windows Internet Naming Service (WINS) enables the resolution of computer
names to IP addresses. When an operating system is first installed on a computer
one of the tasks is to configure the computer with a unique name known as the
NetBIOS name. The NetBIOS name can contain up to 15 characters, for example,
ACCOUNTS1, or LEGAL or PHILLIP. The computer name must be unique and no
two computers on the network can have the same name.
By having a unique name for each computer, an administrator or user on the
network does not need to remember the IP address of the client computer. To
communicate with another computer on the network you need only enter the name
of the computer — the operating system does the rest.
WINS maintains a database on the server that accepts requests from Windows or
DOS clients to register with a particular NetBIOS name. The server keeps track of
which NetBIOS names are linked to which IP addresses. Because WINS manages
the mappings between IP addresses and NetBIOS names, clients do not have to
broadcast their NetBIOS names to the rest of the network. The elimination of this
broadcast traffic improves network performance.
The WINS Server service is installed on a server computer; however, both a
Windows server computer and a workstation can use the WINS server to resolve
network names.
Figure 4 below shows how a user adds the IP address of the WINS server in the
Advanced TCP/IP Settings window from the WINS tab.
Figure 4: IP address of WINS server added in the TCP/IP properties on the client computer
Domain Name Service (DNS)
The Domain Name Service (DNS) was introduced in 1984 when the Internet was a
relatively small network established by the US Defence Department for research.
DNS lets us use hierarchical, friendly names to locate computers and other
resources on a TCP/IP network, in the same way that a telephone directory lets us
look up a number by name.
DNS is a database that contains mappings of DNS domain names, such as
‘legal.forth.com’, to IP addresses. DNS also defines:
a mechanism for querying and updating the database
a mechanism for replicating information in the database among servers
a schema for the database.
The DNS is implemented as a hierarchical system including host names and domain
names. The names in a DNS database form a hierarchical tree structure called the
domain name space. Domain names have individual labels separated by stops or
dots (.) for example: legal.forth.com.
A Fully Qualified Domain Name (FQDN) uniquely identifies where the host is located
within the DNS hierarchical tree by listing, separated by dots, the labels on the
path from the referenced host up to the root of the tree. Strictly, an FQDN ends
with a dot representing the root, as in legal.forth.com., although the trailing dot is
usually omitted.
Figure 5 below shows an example of a DNS tree with a host called ‘legal’ within the
‘forth.com.’ domain. The FQDN for the host would be legal.forth.com.
Figure 5: An example of a DNS tree
The DNS service resolves computer names to IP addresses, such as resolving the
computer name ‘legal.forth.com’ to the IP address 203.70.1.2.
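The hierarchy described above, as an added example in Python (not code from the reading or from any DNS server): names are split into labels, validated, and resolved by walking a small constructed name space from the root down, one delegation at a time, recording which name server would be consulted at each step. The root and .com server addresses (192.0.2.x) and the .au entry are constructed; 203.70.1.x follows the addresses used in the text.

```python
import re

# RFC 1035 label: 1 to 63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def labels(fqdn):
    """Split a name into its labels, root first: 'legal.forth.com.' -> ['com', 'forth', 'legal']."""
    name = fqdn.strip().rstrip(".").lower()
    if not name:
        return []
    parts = name.split(".")
    for part in parts:
        if not LABEL.match(part):
            raise ValueError("invalid DNS label: %r" % part)
    return list(reversed(parts))


def canonical(fqdn):
    """The strict FQDN form: lower case, with the trailing dot that denotes the root."""
    return ".".join(reversed(labels(fqdn))) + "."


# Constructed name space (example data). A node with a "server" is a delegated zone; a node
# with an "address" is a host record. Server addresses are documentation addresses, not real ones.
NAMESPACE = {
    "server": "192.0.2.1",                                    # a root server
    "children": {
        "com": {"server": "192.0.2.2", "children": {          # the .com registry
            "forth": {"server": "203.70.1.1", "children": {   # forth.com's own name server
                "legal": {"address": "203.70.1.2", "children": {}},
                "www":   {"address": "203.70.1.3", "children": {}},
            }},
        }},
        "au": {"server": "192.0.2.3", "children": {}},
    },
}


def resolve(namespace, fqdn):
    """Walk the tree from the root one label at a time, as an iterative resolver would.
    Returns (address or None, list of name servers consulted in order)."""
    node = namespace
    consulted = [node["server"]]
    for label in labels(fqdn):
        node = node["children"].get(label)
        if node is None:
            return None, consulted            # the name does not exist (NXDOMAIN)
        if "server" in node:                  # a delegation: the next query goes to that zone's server
            consulted.append(node["server"])
    return node.get("address"), consulted


# Generic TLDs from Table 1 in the text, plus the country codes it lists.
TLD_TYPES = {
    "com": "Commercial organisations", "edu": "Educational institutions",
    "org": "Non-profit organisations", "gov": "Government organisations",
    "net": "Networks", "mil": "Military organisations", "arpa": "Reverse DNS",
}
COUNTRY_CODES = {"au": "Australia", "jp": "Japan", "ca": "Canada"}


def classify_tld(fqdn):
    """Describe a name's top-level domain using the table in the text."""
    tld = labels(fqdn)[0]
    if tld in TLD_TYPES:
        return TLD_TYPES[tld]
    if tld in COUNTRY_CODES:
        return "Country code: " + COUNTRY_CODES[tld]
    return "Unknown TLD"


if __name__ == "__main__":
    print(canonical("Legal.Forth.COM"), resolve(NAMESPACE, "legal.forth.com"))
```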
Domain names must be registered with an Internet naming authority that works on
behalf of ICANN (the Internet Corporation for Assigned Names and Numbers).
ICANN has established conventions for the Top Level Domains (TLDs) that apply to
every type of organisation that uses the Internet, examples of which can be seen
in Table 1 below. The generic three-letter TLDs are reserved for particular types of
organisation, and two-letter codes are used for countries.
Table 1: Criteria for domain name registration
DNS domain name   Type of organisation
com               Commercial organisations
edu               Educational institutions
org               Non-profit organisations
gov               Government organisations (in practice, US government)
net               Networks (originally network infrastructure providers)
mil               US military organisations
arpa              Reverse DNS (in-addr.arpa)
xx                Two-letter country code, for example: .au for Australia,
                  .jp for Japan, .ca for Canada
Accredited registrars carry out registration, and each country has its own controlling
body. In Australia this is .au Domain Administration (auDA), which accredits local
registrars such as NetRegistry. Figure 6 below shows the IP address of the Domain
Name Server configured on the client computer.
Figure 6: Domain Name Server configuration on a client computer
Installing and configuring TCP/IP
With most recent Windows operating systems the TCP/IP protocol is automatically
installed during installation of the operating system. By default, the TCP/IP settings
are set to ‘Obtain an IP Address Automatically’, that is, through a DHCP server.
If a DHCP server cannot be located by the workstation when it starts, the
workstation will automatically assign itself an address from the range 169.254.0.1 to
169.254.255.254 (Automatic Private IP Addressing, APIPA). This range is set aside by
the Internet Assigned Numbers Authority (IANA) for this purpose. The workstation
broadcasts an ARP request for the randomly chosen address to ensure that no other
workstation on the same network has chosen the same address. An address of this
form is therefore a sign that DHCP has failed: the workstation can talk only to other
hosts on the same segment, has no default gateway and no DNS server, and keeps
retrying DHCP in the background.
You will need to determine if you will be manually configuring TCP/IP on your
computer, or whether a DHCP server will assign IP addresses to all computers on
the network.
Manual configuration
If you are required to manually configure your computer with an IP address, you will
need to have the following information to hand:
Your workstation’s IP address. This is the unique address that identifies a
particular computer on a TCP/IP network. This consists of four numbers,
separated by a dot, for example: 203.60.1.2.
Your network’s subnet mask for each network adapter on the network. The
subnet mask is combined with the IP address by a bitwise AND to determine the
network that the computer belongs to. For example, applying the subnet mask
255.255.255.0 to the above IP address 203.60.1.2 gives a net ID of 203.60.1.0 and
a host ID of 0.0.0.2.
Your default gateway. The default gateway is a device that serves as a
router, and it must be on the same subnet as the workstation. If a default gateway
is not specified, the computer is unable to communicate with other devices outside
its subnet, that is, outside its own network.
The domain name server for the network. This is a computer that serves as
an Internet host and performs translation of Fully Qualified Domain Names
(FQDNs) into IP addresses.
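An added example in Python (not code from the reading) that checks a manual configuration against the points above and the APIPA behaviour described earlier: it applies the mask with a bitwise AND to split the net ID from the host ID, and flags a missing gateway, a gateway on a different subnet, an address that is the network or broadcast address, a non-contiguous mask, and an address in 169.254.0.0/16 (which means DHCP failed rather than a deliberate manual setting). The addresses used are constructed for the example.

```python
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")


def split_address(ip, mask):
    """Apply the subnet mask: net ID = ip AND mask, host ID = ip AND NOT mask."""
    ip_int = int(ipaddress.ip_address(ip))
    mask_int = int(ipaddress.ip_address(mask))
    net_id = ipaddress.ip_address(ip_int & mask_int)
    host_id = ipaddress.ip_address(ip_int & ~mask_int & 0xFFFFFFFF)
    return str(net_id), str(host_id)


def check_manual_config(ip, mask, gateway=None, dns_servers=()):
    """Return a list of problems with a manual TCP/IP configuration; an empty list means it is usable."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")     # rejects a non-contiguous mask such as 255.255.0.255
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]
    net = iface.network
    if iface.ip in APIPA:
        problems.append("address is in the APIPA range 169.254.0.0/16: DHCP failed, this is not a usable manual address")
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("address is the network ID or the broadcast address of its subnet")
    if gateway is None:
        problems.append("no default gateway: the host can only reach its own subnet")
    else:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            problems.append(f"default gateway {gw} is not on the local subnet {net}")
        elif gw == iface.ip:
            problems.append("default gateway is the host's own address")
    if not dns_servers:
        problems.append("no DNS server: names cannot be resolved, only IP addresses will work")
    return problems


if __name__ == "__main__":
    print(split_address("203.60.1.2", "255.255.255.0"))
    print(check_manual_config("203.60.1.2", "255.255.255.0", "203.60.2.1", ["203.60.1.10"]))
```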
Figure 7 shows manual configuration of an IP address, subnet mask, and default
gateway with preferred and alternate DNS servers.
Figure 7: Manual configuration of an IP address, subnet mask, default gateway with preferred and
alternate DNS servers
Automatic configuration
For automatic configuration, a user just needs to check the ‘Obtain an IP address
automatically’ option in the Internet Protocol Properties window. The DHCP server
will then configure all the information without any input from a user. The server will
assign:
an IP address
subnet mask.
If an organisation has been assigned a range of IP addresses for use by staff, this
range can be created as the scope for the DHCP server, accompanied by a subnet
mask, default gateway, DNS and WINS, if they have been configured.
Figure 8 below shows the TCP/IP configuration information of the computer with a
host name of G1C1. What information can you see from this screen?
Figure 8: TCP/IP configuration of the computer named G1C1
TCP/IP tools
Once TCP/IP has been configured, there are a few tools that can be used to check
to see if TCP/IP has been configured correctly on your computer.
IPCONFIG /ALL command
As you can see from Figure 8 above, the command IPCONFIG /ALL displays all the
current local TCP/IP configuration information, including:
the host name
MAC address of the network adapter as well as its brand and type
whether this interface has been configured to use DHCP
IP address of the host
subnet mask
default gateway
DHCP server
when an IP address was leased (obtained) and is due to expire.
PING
PING is a tool to determine the connectivity between two nodes. It is run from the
command line, and as you can see from Figure 9, you can use PING with the loopback
address, 127.0.0.1, or the host’s own IP address to test the local TCP/IP stack. You
can also PING any other valid address of a host, on this or any connected network.
Note that many firewalls drop the ICMP echo requests that PING sends, so a failed
PING does not always mean the remote host is down.
Figure 9: The PING command
NSLOOKUP
NSLOOKUP is a tool to determine whether DNS has been configured correctly: it
sends a query for a name to the configured DNS server and displays which server
answered and the addresses it returned.
TRACERT
TRACERT displays the route taken to a remote host, that is, the sequence of routers
the packets pass through. It works by sending ICMP echo requests with increasing
time-to-live (TTL) values, so that each router along the path in turn reports back.
NETSTAT
NETSTAT displays the current connection information, such as the local port
number and the ‘foreign’ IP address and port of each connected peer; with the -a
switch it also lists the ports on which the host is listening.
Summary
TCP/IP is automatically installed during the installation of most operating systems,
by default. A Network Administrator can choose to manually configure a computer
with a TCP/IP address or have several computers on a network assigned an IP
address through a Dynamic Host Configuration Protocol (DHCP) server.
A range of IP addresses are configured within the scope of the DHCP server. The IP
addresses are leased for a specific period of time.
Once TCP/IP has been configured on a computer, there are various tools that can
be used to test the TCP/IP installation and configuration such as IPCONFIG and
PING.
Check your progress
Now you should try and do the Practice activities in this topic. If you’ve already tried
them, have another go and see if you can improve your responses.
When you feel ready, try the ‘Check your understanding’ activity in the Preview
section of this topic. This will help you decide if you’re ready for assessment.
LO3: Test Security and Internet Access
Inside this reading:
Internet Connection Models 2
Basic Firewall and Proxy Features 7
Types of ISP accounts 8
Summary 10
Internet Connection Models
Many businesses require an Internet connection as part of the standard network
facilities required to operate effectively. Email, ordering supplies, electronic banking
and Web research facilities are all now common business activities.
However, connecting your local business network to the Internet is not without risk.
The Internet in the 21st century is a place of hackers and viruses. Visible Internet
hosts may receive thousands of hacking attempts each day as part of the ‘normal’
network traffic brought in by an Internet connection.
So what are the issues that should be considered in the design, installation and
management of an Internet connection?
There are a range of Internet connection types available, each with their own costs
and benefits. Every type of Internet connection will require an Internet Service
Provider (ISP). An ISP is a network that you connect to, which in turn has another
connection to other parts of the Internet. This is why the Internet is often described
as a web: a maze of interconnecting networks, each network paying for access
to the other networks.
Internet Connection Hardware/Software
To connect a LAN to the Internet, a number of additional pieces of hardware and
software are required. The type of network connection will determine the actual
equipment used, but the following is required as a minimum:
IP LAN segment
Valid IP address range
Gateway
WAN link
More complicated LAN Internet connections may require further equipment, but the
above items will provide a ‘standard’ level of Internet connectivity.
IP LAN Segment.
For Internet connectivity, the local LAN segment must run as an IP network
segment. Each machine must have an IP address. DHCP may be implemented to
assist in the management of IP address allocation to computer hosts. DNS would
also be present to allow client computers to use domain names to access resources
instead of the numerical IP address.
Valid IP address range
IP addresses must be unique on a network – in other words, no two devices can
have the same IP address. When connecting an entire LAN segment to the Internet,
the organisation’s IP addressing scheme must be revised. For all of the computers
on the LAN segment to be visible on the Internet, all must have valid IP addresses.
To achieve this, an entire IP network (or subnet) range of addresses must be
leased.
Most businesses do not go to the expense of leasing a new set of IP addresses to
allow their computers access the Internet. Normally, only one valid IP address is
required for the local network to have access to the Internet and the ISP would
supply this address. This means that only a single host system would be visible on
the Internet.
The valid IP address would then be given to the router gateway that connects the
LAN to the Internet. It is this device that provides the Network Address Translation
(NAT) service to computers on the LAN. NAT allows the local network segment to
use private IP addresses, which are hidden from the internet. The local network’s IP
addresses are then replaced by the one valid IP address (public) when the network
traffic goes through the gateway to the Internet.
Gateway
A gateway is simply a device that links two different networks together. In the
context of the IP network behaviour, the gateway has a special role. It is the device
where any network traffic is sent that is addressed to a non-local host (one that is on
a different IP network). The gateway device provides a link between the local LAN
segment and the ISP’s network. Gateways, often implemented as routers, come in
many forms. Common types of gateways are ADSL routers, Ethernet routers, Dialup
routers and PC-based routers just to name a few.
The gateway must have network interfaces that match the WAN connection media
to the ISP as well as the LAN connection media to the local network. So the
purchase of an appropriate gateway is specific to the inter-network situation.
WAN Link
Normally the ISP that the local LAN connects to is physically remote from it. As a
result, a Wide Area Network (WAN) link is required to join the networks. While
standard dialup telephone lines provide this link for many home computers, higher
speed ISDN and ADSL broadband connections are popular where available. While
ADSL is quite common in metropolitan areas, ISDN still has a role for small
businesses in many areas of NSW where ADSL is not available. Large businesses
will use even higher speed links often implemented as a T1 connection. As with
most capacity related services, it all comes down to cost.
Internet Connection Topologies
The term topology is related to the layout of the network. In the examples below the
topologies are not meant to represent the physical layout in a particular office
environment, but rather the network connections that exist between network
components, where the device names given refer to their functions. In many cases,
especially on the ISP side, a single piece of hardware may provide multiple routing
interfaces instead of having racks of individual routers.
The most common types of Internet connection topologies are listed below.
Basic Internet Gateway with Leased IP address range.
A basic IP based LAN with an Internet gateway connecting it to an ISP is a simple
network. Here the client’s gateway router is connected to the ISP’s router through an
ADSL or ISDN segment. This network segment will normally hold a small two-IP-
address subnet of public IP addresses, one address for each router ADSL/ISDN
interface.
Figure 1: Diagram of basic internet gateway
In this example the local LAN administrator has arranged for both an ISP connection
as well as a leased IP address range. Normally this will take the form of a subnet of
an existing network range managed by the ISP. The domain of the local network
would normally be registered and the DNS server linked to the parent DNS. The
HTTP Servers on the client network could host a public company web site and a
public email service. Because the client network is fully integrated in the Internet,
they could use video streaming, voice over IP and all other Internet available
facilities. The public IP addresses of the client network’s Gateway Router, DNS and
Web-related servers would be static (fixed).
Basic Internet Gateway with NAT Server.
An Internet connection using Network Address Translation (NAT) is a common type
of network used by business. This type of network is used where the client network
requires only limited Internet access such as browsing.
All of the client computers linked to the gateway router running NAT will have a
private IP address, one that is not routable on the public Internet. Every time a
packet goes out from the client’s network to the Internet, the NAT router substitutes
its own public IP address for the private source address, and records the translation
so that the reply can be sent back to the right internal host.
This makes these machines invisible to the Internet: no connection can be initiated
to them from outside unless the router is explicitly configured to forward a port to
an internal host. As a result, in this model Internet-based services such as email
and the client’s HTTP site are hosted on the ISP’s servers instead of being located
within the client network. The client network will not normally have a domain name
of its own, as it holds only one public IP address, that of the ADSL interface of the
gateway router.
Figure 2: Diagram of internet gateway with NAT server
This type of network reduces exposure to hacking attempts, as the client’s internal
network cannot be addressed directly from the Internet. It does not, however,
replace a firewall: the gateway router itself is still reachable from the Internet, and
viruses can still enter via email messages and files that internal users download.
The public IP address of the client network’s gateway router may be allocated as
either dynamic or static.
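The address substitution described above, as an added example in Python (not code from the reading or from any router): a source NAT table that maps each internal (address, port, protocol) to a distinct port on the single public address, rewrites outgoing packets, rewrites replies back to the internal host, drops unsolicited inbound traffic, and honours an explicitly configured port forward. Packets are plain dictionaries; the private, public and remote addresses are constructed documentation addresses.

```python
import itertools


class NatRouter:
    """Source NAT: many private hosts share one public address. Translations are keyed on
    (private address, private port, protocol) and mapped to a distinct public port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)
        self.outbound = {}       # (private ip, private port, proto) -> public port
        self.inbound = {}        # (public port, proto) -> (private ip, private port)
        self.port_forwards = {}  # (public port, proto) -> (private ip, private port), set by the administrator

    def translate_out(self, pkt):
        """Rewrite the source of a packet leaving the LAN; an existing flow keeps its mapping."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        port = self.outbound.get(key)
        if port is None:
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[(port, pkt["proto"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": port}

    def translate_in(self, pkt):
        """Rewrite the destination of a packet arriving from the Internet, or return None (drop)
        when it matches neither an outbound flow nor a configured port forward."""
        key = (pkt["dport"], pkt["proto"])
        target = self.inbound.get(key) or self.port_forwards.get(key)
        if target is None:
            return None
        private_ip, private_port = target
        return {**pkt, "dst": private_ip, "dport": private_port}


if __name__ == "__main__":
    # Constructed exchange: an internal host fetches a web page through the NAT router.
    nat = NatRouter("203.0.113.5")
    request = {"src": "192.168.1.20", "sport": 51000, "dst": "198.51.100.9", "dport": 80, "proto": "tcp"}
    out = nat.translate_out(request)
    reply = nat.translate_in({"src": "198.51.100.9", "sport": 80, "dst": "203.0.113.5",
                              "dport": out["sport"], "proto": "tcp"})
    print(out, reply)
```

A real router also ages entries out of the table, so the mapping for a finished connection does not stay open indefinitely.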
Basic Internet Gateway with DMZ.
This type of network connection is a combination of the previous two. Here the client
network leases a small public IP subnet, will have its own domain name, web sites,
and email servers, while their local LAN segment is protected by the NAT router at a
lower level. This model is normally used by businesses that require full Internet
capabilities as well as the security of isolating their internal network segment.
Figure 3: Diagram of internet gateway with DMZ
The De-Militarized Zone (DMZ) refers to a section of the network that has full
Internet access but is partially protected by a firewall. Firewalls are discussed in the
next section.
It is also possible to link other networks to any existing router in the client network.
This would be achieved by providing the existing routers with an additional WAN
interface leading to the other network. The public IP addresses of the client network
DMZ’s Gateway Router, DNS and Web-related servers would be static (fixed).
Basic Firewall and Proxy Features
Firewalls
A firewall refers to a type of service that may be hosted on a variety of devices.
Gateway routers can have firewalls, computers can have firewalls and dedicated
firewall devices are also available. Importantly, a firewall protecting a network
segment has at least two network interfaces. One network interface is connected to
the unrestricted Internet and the other provides filtered network traffic for the
internal client network.
A firewall examines all traffic wanting to enter the internal network. Each packet is
compared against an ordered set of rules, and a packet that matches no ‘allow’ rule
is discarded. For example, a client Internet site may only want to allow incoming
packets addressed to the HTTP server 203.34.200.150 on TCP port 80. If that is the
only rule set up in the firewall, all packets trying to pass the firewall that do not
match it are discarded (a ‘default deny’ policy). Most firewalls are also stateful:
they remember connections opened from the inside, so that the replies are allowed
back in without a separate inbound rule.
The reason that a network segment protected by a firewall is often referred to as a
DMZ is that the firewall provides a degree of protection, while still allowing some
amount of Internet traffic. The local network is not, however totally protected.
Remember, the only way to be totally protected from the Internet is to disconnect
your network from it!
When configuring a firewall, examine the types of services you want to provide to
the Internet from the computers that hold visible public IP addresses. They may
include services such as email, HTTP, HTTPS, FTP, terminal services and so on. Each
of these services listens on a specific IP address, that of the computer hosting the
service, and on a specific port number, which can be found from the software
supplier of that service. Some port numbers are standard: HTTP, for example, needs
TCP port 80 to be reachable. By matching your incoming traffic filter to exactly the
services you intend to offer, you limit the network’s exposure to those services alone.
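To make the rule matching above concrete, an added example in Python (not code from the reading or from any firewall product): a rule set that allows only the intended services to the public hosts, ends with an explicit default deny, and keeps a connection table so that replies to connections opened from the inside get back in. 203.34.200.150 is the web server address used in the text; the mail server address 203.34.200.151 and the outside addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None matches any destination port


def rule(action, proto, src, dst, dport=None):
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


# Constructed inbound rule set (example data): publish only the services the site intends
# to offer, then deny everything else explicitly.
INBOUND_RULES = [
    rule("allow", "tcp", "0.0.0.0/0", "203.34.200.150/32", 80),    # HTTP to the web server
    rule("allow", "tcp", "0.0.0.0/0", "203.34.200.150/32", 443),   # HTTPS to the web server
    rule("allow", "tcp", "0.0.0.0/0", "203.34.200.151/32", 25),    # SMTP to the mail server (assumed address)
    rule("deny",  "any", "0.0.0.0/0", "0.0.0.0/0"),                # default deny
]


def matches(r, pkt):
    return ((r.proto == "any" or r.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in r.src
            and ipaddress.ip_address(pkt["dst"]) in r.dst
            and (r.dport is None or r.dport == pkt.get("dport")))


class Firewall:
    """Rule matching plus a connection table, so replies to outbound connections are let back in."""

    def __init__(self, rules):
        self.rules = rules
        self.connections = set()   # (inside ip, inside port, outside ip, outside port, proto)

    def outbound(self, pkt):
        """Traffic leaving the internal network is allowed and remembered."""
        self.connections.add((pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"), pkt["proto"]))
        return "allow"

    def inbound(self, pkt):
        """Replies to known connections bypass the rules; otherwise the first matching rule wins,
        and a packet that matches nothing is dropped."""
        if (pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"), pkt["proto"]) in self.connections:
            return "allow"
        for r in self.rules:
            if matches(r, pkt):
                return r.action
        return "deny"


if __name__ == "__main__":
    fw = Firewall(INBOUND_RULES)
    print(fw.inbound({"src": "198.51.100.7", "sport": 40123, "dst": "203.34.200.150", "dport": 80, "proto": "tcp"}))
    print(fw.inbound({"src": "198.51.100.7", "sport": 40123, "dst": "203.34.200.150", "dport": 22, "proto": "tcp"}))
```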
Figure 4: Diagram showing best locations for firewall
If you are trying to protect the network from denial of service (DoS) attacks, then the
filtering must be as close to the Internet as possible. Some ISPs can provide
(at a cost) basic firewall filtering of traffic before it enters your network. If incoming
traffic has to travel across the client network before being filtered at the
destination computer (as many personal firewall products do), then it has already
consumed the bandwidth it was meant to deny. This type of DoS attack is most
effective against slow devices, such as routers and their WAN links.
Proxy Servers
Proxy servers are used as a traffic minimisation device. A proxy server is used as an
intermediary. It takes requests for Internet data from a client computer, gets the data
from the Internet site and keeps a local copy of that data for itself. The next time that
data is requested, it will provide its local copy of the data instead of accessing the
data from the original Internet site. This reduces Internet traffic in an environment
where many users require access to the same data. By themselves, they do not
provide any security, but can save large amounts of network traffic. Remember most
ISP connections (especially ADSL and other broadband options) are charged by
traffic volume.
Types of ISP accounts
There are many types of ISP accounts or plans available today. Tomorrow, there will
be others. It is a constantly changing marketplace, with many similarities to the
marketing of mobile phones.
There are a number of features that need to be considered when selecting the best
type of account for a client. Most ISP plans are based on a recurring monthly fee.
The amount charged will depend upon the:
connection type and speed,
traffic and time allowances,
number of IP addresses,
value added services such as Email hosting or Web hosting.
Connection Type and Speed
One of the main determining factors of the monthly cost of an ISP connection relates
to the network type and its speed. Different fee structures are used for Dialup plans,
ADSL, ISDN or satellite. ADSL and ISDN will have a range of plans depending upon
the different network speeds available.
When deciding on a type of network connection to use, check the following:
Availability: Not all network types are available at all locations.
Installation costs: ADSL, ISDN and Satellite plans will all have additional
installation costs.
Reliability: Some of these connections are more reliable than others. ADSL
for example may have some level of unavailability each day.
Traffic/Time allowances
The other main determining factor is the ISP’s allowance of network traffic or
network time for your monthly fee. Many ISPs will differ in the amount of traffic or
time the connection is allowed to use each month. Some ISP connections, such as
ADSL are only interested in traffic volume, as ADSL is a permanently connected
digital service. Dial-up ISP accounts mainly record time usage. ISDN ISP packages
may record both time usage and network traffic.
Some ISPs charge additional monthly fees when the estimated traffic volume or time
limits are exceeded. This can be very expensive! Others simply reduce the network
speed for the balance of the month. This is a safer approach that is often referred to
as an unlimited account.
Dial-up and ISDN accounts may have a duration of connection restriction with a set
time limit before being forcibly disconnected with a minimum time before you can
reconnect. Such a restriction may be unsuitable for businesses and a premium
business account may need to be used.
Number of IP addresses
ISPs will normally provide one public IP address per connection by default. This IP
address will be held by the computer’s dialup adapter, in the case of a modem
connection and by the router if a network shares the connection. As shown in the
Internet Connection Models shown previously, one address may or may not suit the
client’s needs.
Additional IP addresses cost more. So examine the type of Internet connection that
is required by the client carefully.
Value Added Services
There will be additional costs for email, Web hosting, traffic filtering or domain
hosting services that the client network may require. Once again, evaluate the
client’s requirements.
Summary
This learning pack has covered the basic methods of connecting a network to the
Internet. There are many different ways in which to approach the implementation of
Internet access from a local area network. However, the main goal of any system
upgrade is that it meets the needs of the client. It is clear that the area of Internet
connectivity will continually change as new technologies are released.
48 Readings: Design an IP address scheme according to organisational requirements
2005
LO4: Ensure user accounts are verified for security
Making Networks Secure
Planning for security is an important element in designing a network. It is far easier
to implement a secure network from a plan than it is to recover from data loss. This
lesson presents an overview of network security. We examine two primary models
for ensuring data security and take a look at how to secure the physical components
of a network.
After this lesson, you will be able to:
List the basic security requirements for a network.
Describe ways to restrict access to the network by unauthorized users.
Describe the features of password-protected shares and access permissions.
Identify the common types of computer viruses and describe ways to protect against
them.
Estimated lesson time: 35 minutes
Planning for Network Security
In a networking environment there must be assurance that sensitive data will remain
private. Not only is it important to secure sensitive information, it is equally important
to protect network operations from deliberate or unintentional damage.
Maintaining network security requires a balance between facilitating easy access to
data by authorized users and restricting access to data by unauthorized users. It's
the job of the network administrator to create this balance.
Even in networks that handle sensitive and valuable business data, security
is sometimes an afterthought. Four major threats to the security of data on a network
are:
Unauthorized access.
Electronic tampering.
Theft.
Intentional or unintentional damage.
Despite the seriousness of these threats, data security is not always implemented or
supported properly. The administrator's task is to ensure that the network remains
reliable and secure, free from those threats.
Level of Security
The extent and level of the network security system required depends on the type of
environment in which the network is running. A network that stores data for a major
bank, for example, requires more extensive security than a LAN that links the
computers in a small community volunteer organization.
Setting Policies
Making a network secure requires establishing a set of rules, regulations, and
policies so that nothing is left to chance. The first step toward ensuring data security
is to implement policies that set the tone and help to guide the administrator and
users through changes, both expected and unplanned, in their network's
development.
Prevention
The best way to design data security policies is to take a proactive, preventive
approach. When unauthorized access is prevented, the data remains secure. A
prevention-based system requires that the administrator understand the tools and
methods available with which to keep data safe.
Authentication
To access a network, a user must enter a valid user name and password. Because
passwords are linked to user accounts, a password authentication system is the first
line of defense against unauthorized users.
It is important not to let overreliance on this authentication process fool you into a
false sense of security. For example, in a peer-to-peer network, almost anyone can
log on with a unique name and password. This alone can provide a user with
complete access to the network, so that anything that is shared becomes available
to that user. Authentication works only in a server-based network in which the user
name and password must be authenticated from the security database.
Training
Unintentional errors can lead to security failures. A well-trained network user is less
likely than an inexperienced novice to accidentally cause an error and ruin a
resource by permanently corrupting or deleting data. Figure 10.1 illustrates such
a problem.
The administrator should ensure that everyone who uses the network is familiar with
its operating and security procedures. To accomplish this, the administrator can
develop a short, clear guide to what users need to know, and require that new users
attend appropriate training classes.
Securing Equipment
The first step in keeping data safe is to provide for the physical security of the
network hardware. (Establishing and maintaining an optimal environment for
the physical network is discussed in detail in Lesson 2.) The extent of security
required depends on:
The size of the company.
The sensitivity of the data.
The available resources.
In a peer-to-peer network, there is sometimes no organized hardware-security
policy, and users are responsible for the security of their own computers and data. In
a server-based network, security is the responsibility of the network administrator.
Securing the Servers
In a larger, centralized system, in which much individual user and organization data
is sensitive, it is important to secure the servers from accidental or deliberate
tampering.
It is not uncommon for some individuals to want to demonstrate their technical
abilities when the servers have problems. They may or may not know what they are
doing. It is best to tactfully prevent these people from "fixing" the server. The
simplest solution is to lock the servers in a dedicated computer room with limited
access; depending on the size of the company, this might not be workable. Locking
the servers in an office or even a large storage closet is often practicable and goes
some way toward securing the servers.
Securing the Cables
Copper media, such as coaxial cable, emit electronic signals, much as a radio does,
that mirror the information they carry. Information carried in these signals can be
monitored with electronic listening equipment. Copper cable can also be tapped into
so that information can be stolen directly from the original cable.
Cable runs that handle sensitive data should be accessible only to authorized
people. Proper planning can make cable runs inaccessible to unauthorized people.
For example, cable can be run inside the building structure, through ceilings, walls,
and floors.
Security Models
After implementing security for the network's physical components, the administrator
needs to ensure that the network resources will be safe from both unauthorized
access and accidental or deliberate damage. Policies for assigning permissions and
rights to network resources are at the heart of securing the network.
Two security models have evolved for keeping data and hardware resources safe:
Password-protected shares
Access permissions
These models are also called "share-level security" (for password-protected shares)
and "user-level security" (for access permissions).
Password-Protected Shares
Implementing password-protected shares requires assigning a password to each
shared resource. Access to the shared resource is granted when a user enters the
correct password.
In many systems, resources can be shared with different types of permissions. To
illustrate, we use Windows 95 and 98 as examples:
Read Only: If a share is set up as Read Only, users who know the password have
Read access to the files in that directory. They can view the documents, copy them
to their machines, and print them, but they cannot change the original documents.
Full: With Full access, users who know the password have complete access to the
files in that directory. In other words, they can view, modify, add, and delete the
shared directory's files.
Depends On Password: This option sets up a share that uses two levels of
passwords: Read access and Full access. Users who know the Read access
password have Read access, and users who know the Full access password have
Full access.
The password-protected share system is a simple security method that allows
anyone who knows the password to obtain access to that particular resource.
Access Permissions
Access-permission security involves assigning certain rights on a user-by-user
basis. A user types a password when logging on to the network. The server
validates this user name and password combination and uses it to grant or deny
access to shared resources by checking access to the resource against a user-
access database on the server.
Access-permission security provides a higher level of control over access rights. It is
much easier for one person to give another person a printer password, as in share-
level security. It is less likely for that person to give away a personal password.
Because user-level security is more extensive and can determine various levels
of security, it is usually the preferred model in larger organizations.
Resource Security
After the user has been authenticated and allowed on the network, the security
system gives the user access to the appropriate resources.
Users have passwords, but resources have permissions. In a sense, a security
fence guards each resource. The fence has several gates through which users can
pass to access the resource. Certain gates allow users to do more to the resource
than other gates. Certain gates, in other words, allow the user more privileges with
the resource.
The administrator determines which users should be allowed through which gates.
One gate grants the user full access to or full control of a resource. Another gate
grants the user read-only access.
As shown in Figure 10.2, each shared resource or file is stored with a list of users or
groups and their associated permissions (gates).
NOTE
Different network operating systems (NOSs) give different names to these
permissions. The following table shows some of the typical permissions that
can be set on Windows NT Server directories.
Permission    Functionality
Read          Reads and copies files in the shared directory.
Execute       Runs (executes) the files in the directory.
Write         Creates new files in the directory.
Delete        Deletes files in the directory.
No Access     Prevents the user from gaining access to directories, files, or
              resources.
Group Permissions
The administrator's job includes assigning each user the appropriate permissions to
each resource. The most efficient way to accomplish this is through groups,
especially in a large organization with many users and resources. As shown in
Figure 10.3, Windows NT Server allows users to select the file or folder for which
they want to set group permissions.
Permissions for groups work in the same way as they work for individuals. The
administrator reviews which permissions are required by each account and assigns
the accounts to the proper groups. This is the preferred method of assigning
permissions, rather than assigning each account's permissions individually.
Assigning users to appropriate groups is more convenient than having to assign
separate permissions to every user individually. For example, giving the group
Everyone full control of the public directory might not be the best choice. Full access
would allow anyone to delete or modify the contents of the files in the public
directory.
In Figure 10.4, the group Everyone has been granted Read access to the directory
public. This allows members of the group Everyone to read, but not delete or modify,
the files in the public directory.
The administrator could create a group called Reviewers, grant complete access
permissions to the student files to that group, and assign staff to the Reviewers
group. Another group, called Faculty, would have only Read permissions in the
student files. Faculty members assigned to the
Security Enhancements
The network administrator can increase the level of security on a network in several
ways. This section explores some of the options.
Firewalls
A firewall is a security system, usually a combination of hardware and software, that
is intended to protect an organization's network against external threats coming from
another network, including the Internet.
Firewalls prevent an organization's networked computers from communicating
directly with computers that are external to the network, and vice versa. Instead, all
incoming and outgoing communication is routed through a proxy server outside the
organization's network. Firewalls also audit network activity, recording the volume of
traffic and providing information about unauthorized attempts to gain access.
A proxy server is a firewall component that manages Internet traffic to and from a
local area network (LAN). The proxy server decides whether it is safe to let a
particular message or file pass through to the organization's network. It provides
access control to the network, filtering and discarding requests that the owner does
not consider appropriate, including requests for unauthorized access to proprietary
data.
Auditing
Reviewing records of events in the security log of a server is called auditing. This
process tracks network activities by user accounts. Auditing should be a routine
element of network security. Audit records list the users that have accessed—or
attempted to access—specific resources. Auditing helps administrators identify
unauthorized activity. It can also provide usage information for departments that
charge a fee for making certain network resources available and need some way to
determine the cost of those resources.
Auditing can track functions such as:
Logon attempts.
Connection and disconnection from designated resources.
Connection termination.
Disabling of accounts.
Opening and closing of files.
Changes made to files.
Creation or deletion of directories.
Directory modification.
Server events and modifications.
Password changes.
Logon parameter changes.
Audit records can indicate how the network is being used. The administrator can use
the audit records to produce reports that show activities and their date and time
ranges. For example, repeated failed logon attempts or efforts to log on at odd hours
can indicate that an unauthorized user is attempting to gain access to the network.
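One way to review audit records for the two indicators just named, repeated failed logon attempts and logons at odd hours, as an added example that is not part of the reading; the record format, the business hours and the sample records are all constructed.

```python
"""Auditing the security log for repeated failed logons and off-hours logons.
Added example; the record format and the sample records are constructed."""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed audit records: "<date> <time> <event> <user> <workstation>"
SAMPLE_AUDIT_LOG = """\
2012-03-05 09:12:04 LOGON_FAILURE jsmith WS-12
2012-03-05 09:12:09 LOGON_FAILURE jsmith WS-12
2012-03-05 09:12:15 LOGON_FAILURE jsmith WS-12
2012-03-05 09:12:22 LOGON_FAILURE jsmith WS-12
2012-03-05 09:12:30 LOGON_FAILURE jsmith WS-12
2012-03-05 09:13:01 LOGON_SUCCESS jsmith WS-12
2012-03-05 10:45:00 LOGON_FAILURE mjones WS-03
2012-03-05 10:47:10 LOGON_FAILURE mjones WS-03
2012-03-05 10:50:42 LOGON_FAILURE mjones WS-03
2012-03-05 10:51:05 LOGON_SUCCESS mjones WS-03
2012-03-06 02:41:55 LOGON_SUCCESS admin WS-07
2012-03-06 08:30:00 LOGON_SUCCESS admin SRV-01
2012-03-06 09:00:00 LOGON_FAILURE jsmith WS-12
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed working day


def parse_audit_log(text: str) -> list:
    """Turn the raw audit text into dict records with real timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, event, user, host = line.split()
        records.append({"ts": datetime.fromisoformat(f"{date} {clock}"),
                        "event": event, "user": user, "host": host})
    return records


def repeated_failures(records, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Accounts with at least `threshold` LOGON_FAILURE events inside any
    sliding window of length `window`; the value is the largest such burst."""
    failures = defaultdict(list)
    for r in records:
        if r["event"] == "LOGON_FAILURE":
            failures[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, biggest = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop failures that fell out of the window
            biggest = max(biggest, end - start + 1)
        if biggest >= threshold:
            flagged[user] = biggest
    return flagged


def off_hours_logons(records) -> list:
    """Successful logons outside business hours, as (user, host, time)."""
    start, end = BUSINESS_HOURS
    return [(r["user"], r["host"], r["ts"]) for r in records
            if r["event"] == "LOGON_SUCCESS" and not (start <= r["ts"].time() < end)]


def audit_report(text: str = SAMPLE_AUDIT_LOG) -> dict:
    """Both indicators over one log, the report an administrator would review."""
    records = parse_audit_log(text)
    return {"repeated_failures": repeated_failures(records),
            "off_hours_logons": off_hours_logons(records)}
```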
Diskless Computers
Diskless computers, as the name implies, have no floppy-disk drives or hard disks.
They can do everything a computer with disk drives can do except store data on a
local floppy disk or hard disk. Diskless computers are an ideal choice for maintaining
security because users cannot download data and take it away.
Diskless computers do not require boot disks. They communicate with the server
and log on by means of a special ROM boot chip installed on the computer's
network interface card (NIC). When the diskless computer is turned on, the
ROM boot chip signals the server that it is ready to start. The server responds by
downloading boot software into the diskless computer's RAM and automatically
presents the user with a logon screen as part of the boot process. After the user logs
on, the computer is connected to the network.
Although a diskless computer can provide a high level of security, it has
shortcomings. Without a local disk available on which to store applications and data,
all computer activity must be conducted over the network. Network traffic
will increase accordingly, and the network will have to be capable of handling
increased demands.
Data Encryption
A data-encryption utility scrambles data before it goes onto the network. This makes
the data unreadable even by someone who taps the cable and attempts to read the
data as it passes over the network. When the data arrives at the proper computer,
the code for deciphering encrypted data decodes the bits, translating them into
understandable information. Advanced data-encryption schemes automate both
encryption and decryption. The best encryption systems are hardware-based and
can be expensive.
The traditional standard for encryption is the Data Encryption Standard (DES).
Developed by IBM and adopted in 1975 as a specification for encryption by
the government of the United States, this system describes how data should be
encrypted and provides the specifications for the key to decryption. The U.S.
Government continues to use DES. Both the sender and the receiver need to
have access to the decryption key. However, the only way to get the key from
one location to another is to physically or electronically transmit it, which makes DES
vulnerable to unauthorized interception.
Today, the U. S. Government is also using a newer standard, called the Commercial
COMSEC Endorsement Program (CCEP), which may eventually replace DES. The
National Security Agency (NSA) introduced CCEP and allows vendors with the
proper security clearance to join CCEP. Approved vendors are authorized to
incorporate classified algorithms into communications systems.
Computer Viruses
Computer viruses are becoming an all-too-familiar fact of life. It is not uncommon to
see a report on a local news channel describing the latest virus and warning about
its destructive impact. Computer viruses are bits of computer programming, or code,
that hide in computer programs or on the boot sector of storage devices, such as
hard-disk drives and floppy-disk drives. The primary purpose of a virus is to
reproduce itself as often as possible and thereby disrupt the operation of the
infected computer or the program. Once activated, a virus can be a simple
annoyance or completely catastrophic in its effect. Viruses are written by people with
an intent to do harm.
Viruses are classified into two categories, based on how they propagate themselves.
The first type, called a "boot-sector virus," resides in the first sector of a floppy-disk
or hard-disk drive. When the computer is booted, the virus executes. This is a
common method of transmitting viruses from one floppy disk to another. Each time a
new disk is inserted and accessed, the virus replicates itself onto the new drive. The
second type of virus is known as a "file infector." Such a virus attaches itself to a file
or program and activates any time the file is used. Many subcategories of file
infectors exist.
The following list describes a few of the more common file infectors:
Companion Virus A companion virus is so named because it uses the
name of a real program—its companion. A companion virus activates by
using a different file extension from its companion. For example, suppose
we decide to start a program called "wordprocessor.exe." When the
command is given to execute the application, a virus named
"wordprocessor.com" will execute in its place. It is able to do so because
a .com file takes priority over an .exe file.
Macro Virus A macro virus is difficult to detect and is becoming more
common. It is so named because it is written as a macro for a specific
application. Popular applications, such as Microsoft Word, are targets for
these viruses. When the user opens a file that contains the virus, the virus
attaches itself to the application and then infects any other files accessed by
that application.
Polymorphic Virus A polymorphic virus is so named because it changes its
appearance every time it is replicated. This renders it more difficult to detect
because no two are exactly the same.
Stealth Virus A stealth virus is so named because it attempts to hide from
detection. When an antivirus program attempts to find it, the stealth virus
tries to intercept the probe and return false information indicating that it does
not exist.
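The companion-virus precedence rule above (a .com file is executed before an .exe of the same name), as an added example that resolves a bare command name the way the rule describes and flags companion pairs in a directory listing; this is not the reading's code, and the listing is constructed. Only the .com-before-.exe order stated in the text is modelled.

```python
"""Resolve a bare command name under the .com-before-.exe rule and flag
companion pairs. Added example; the directory listing is constructed."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Precedence as the text describes it: a .com beside an .exe runs first.
SEARCH_ORDER = (".com", ".exe")

# Constructed listing of one directory, mixed case as on a real volume.
CONSTRUCTED_LISTING = ["WORDPROCESSOR.EXE", "wordprocessor.com",
                       "readme.txt", "backup.exe", "edit.com"]


def resolve_command(name: str, listing: list):
    """Return the file a bare command `name` would execute, or None."""
    lookup = {f.lower(): f for f in listing}   # file names are case-insensitive
    for ext in SEARCH_ORDER:
        candidate = (name + ext).lower()
        if candidate in lookup:
            return lookup[candidate]
    return None


def companion_pairs(listing: list) -> list:
    """Stems that have both a .com and an .exe in the same directory.
    Each is worth a look: the .com shadows the .exe a user expects to run."""
    by_stem = defaultdict(set)
    for f in listing:
        p = PureWindowsPath(f)
        by_stem[p.stem.lower()].add(p.suffix.lower())
    return sorted(stem for stem, exts in by_stem.items() if {".com", ".exe"} <= exts)
```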
Virus Propagation
Just as computer viruses do not create themselves, neither do they spread through
the air unaided. Some kind of exchange between the two computers must take place
before transmission can occur. In the early days of computing and viruses, the
principal source of infection was through the exchange of data on floppy disks. One
infected computer in an organization could easily infect all the computers in the
organization, merely by a single user passing around a copy of the latest
screensaver program.
The proliferation of LANs and the growth of the Internet have opened many new
pathways to rapidly spreading viruses. Now, virtually any computer in the world can
be connected to any other computer in the world. As a consequence, the creation of
viruses is also on the rise. In fact, some virus creators provide easy-to-use software
containing directions for how to create a virus.
A recently emerging method of spreading a virus is through e-mail services. After an
e-mail message containing the virus is opened, it attaches itself to the computer and
can even send itself to names in the computer's e-mail address book. Usually, the
virus is located in an inviting attachment to an e-mail message.
Convincing unsuspecting victims to activate a virus is a goal for virus writers. This is
often accomplished by packaging the virus in an enticing cover. Such a virus is
known as a "Trojan horse." To attract users, it is presented in the guise of something
familiar, safe, or intriguing.
Remember that any means by which computers exchange information provides a
potential path for a virus. Methods in common use include:
CD-ROMs.
Cabling directly connecting two computers.
Floppy-disk drives.
Hard-disk drives.
Internet connections.
LAN connections.
Modem connections.
Portable or removable drives.
Tape.
Consequences of a Virus
A virus can cause many kinds of harm to a computer; the creativity of its creator is
the only limitation. The following list describes common symptoms of computer virus
infection:
The computer won't boot.
The data is scrambled or corrupted.
The computer operates erratically.
A partition is lost.
The hard drive is reformatted.
The most common symptom of virus infection in a network is one or more
misbehaving workstations. A peer-to-peer network is the most vulnerable. Server-
based networks have some built-in protection because permission is required to
obtain access to some portions of the server and, therefore, the network. In these
networks, it is more likely that workstations will be infected than a server, although
servers are not immune. The server, as the conduit from one computer to another,
participates in the transmission of the virus, even though it might not be affected.
Virus Prevention
Disastrous viruses are becoming more commonplace and should be taken into
account when network security procedures are developed. An effective antivirus
strategy is an essential part of a network plan. Good antivirus software is essential.
Although no virus protection software can prevent all viruses, it can do some of the
following:
Warn of a potential virus
Keep a virus from activating
Remove a virus
Repair some of the damage that a virus has caused
Keep a virus in check after it activates
Preventing unauthorized access to the network is one of the best ways to avoid a
virus. For example, the best way to prevent a virus from infecting a floppy disk is to
use write protection. If you cannot write to the floppy disk, you cannot infect it.
Because prevention is the key, the network administrator needs to make sure that all
standard preventive measures are in place.
These include:
Passwords to reduce the chance of unauthorized access.
Well-planned access and privilege assignments for all users.
User profiles to structure the user's network environment, including network
connections and program items that appear when the user logs on.
A policy that sets out which software can be loaded.
A policy that specifies rules for implementing virus protection on client
workstations and network servers.
Ensuring that all users are well-trained and informed about computer
viruses and how to prevent their activation.
Lesson Checkup
1. Describe two common ways by which unauthorized users can gain access
to a network; for each, describe how unauthorized access can be
prevented.
2. Describe the differences between password-protected shares and access
permissions.
3. Define data encryption and DES.
4. Identify four common types of computer viruses and describe how they are
transmitted; describe three ways to help protect computers in a network
against viruses.
Answers
1. Describe two common ways by which unauthorized users can gain access
to a network; for each, describe how unauthorized access can be
prevented.
Unauthorized users can gain access to most peer-to-peer networks by
typing in a unique username and password at any of the networked
computers. The best preventative measures include making the
networked computers physically inaccessible by locking the area that
contains them, or to enable BIOS security which allows the user to set
a computer access name and password.
Unauthorized users can also access a server-based network by using
someone else's name and password. The best way to prevent this is to
have an enforced password policy in which passwords are not written
down and are changed regularly.
2. Describe the differences between password-protected shares and access
permissions.
Password-protected shares require that a password be assigned to
each shared resource. Access to the shared resource is granted when
a user enters the correct password. Access-permission security
involves assigning certain rights on a user-by-user basis. A user types
a password when logging on to the network. The server validates this
user name and password combination and uses it to grant or deny
access to shared resources.
3. Define data encryption and DES.
Data encryption is the scrambling of data to make it inaccessible to
unauthorized persons. In a network environment, data can be
encrypted before being sent onto the network. This makes the data
unreadable, even by someone who taps the cable and attempts to read
the data as it passes over the network. When the data arrives at the
proper computer, the code for deciphering encrypted data decodes the
bits, translating them into understandable information.
The Data Encryption Standard (DES) was developed by IBM and
adopted as a specification for encryption by the government of the
United States. DES describes how data should be encrypted and
provides the specifications for the key to decryption. Both the sender
and the receiver need to have access to the decryption key. Because
the only way to get the key from one location to another is to
physically or electronically transmit it, DES is vulnerable to
unauthorized interception.
4. Identify four common types of computer viruses and describe how they are
transmitted; describe three ways to help protect computers in a network
against viruses.
Four types of computer virus are called companion, macro,
polymorphic and stealth. Each is a kind of file infector virus. They can
be transmitted by any physical means such as CDs, floppy disks or a
direct cable connection between computers, and by electronic means
such as e-mail and internet downloads. Three means of protection
against a computer virus are the installation of current anti-virus
software, write-protection of disks, and disabling macro capabilities in
vulnerable software.