Middle East College of Information Technology
Module Name: Internet Administration
Module Code: COMP 0326
Module Guide
Department of computing
Internet Administration
Installing Windows 2000 Professional / Windows XP
Start the computer from the CD.
Select to install a new copy of Windows 2000 or XP.
Read and accept the licensing agreement.
Select the file system: FAT or NTFS.
Enter the name and organization.
Enter the computer name and the password for the local Administrator.
Select the date and time settings.
Installing network components
After completing the Setup wizard, install network components by performing the following steps:
Choose a networking setting.
Typical - Installs Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, and Transmission Control Protocol/Internet Protocol (TCP/IP) as a Dynamic Host Configuration Protocol (DHCP) client.
Custom - Creates custom network connections: for example, configuring a static IP address, configuring the computer as a WINS client, or adding NetBIOS Enhanced User Interface (NetBEUI).
Provide a workgroup or domain name.
Click Finish to restart the computer.
Configure the network ID for the computer. After the computer restarts, Windows 2000 Professional displays the Network ID wizard. In this wizard, you do either of the following:
Configure a specific user account and password for the computer. When a user starts the computer, Windows 2000 automatically logs on using the configured user name and password.
Choose not to configure a specific user account for the computer. When a user starts the computer, the Log On to Windows dialog box appears.
Apply all necessary software or security updates to the operating system.
Installing Windows 2003 Server
To install Windows 2003 Server from a CD you must restart the computer from the CD and then complete the Setup wizard. With the exception of the optional components, the information you provide during the installation of Windows 2003 Server is the same as the information you provide during the installation of Windows 2000 Professional.
Start the computer from the CD.
Select to install a new copy of Windows 2003 Server.
Read and accept the licensing agreement.
Select the partition on which to install Windows 2003 Server.
Select the file system for the new partition. You can also choose to format the new partition.
After running the text-based portion of the Setup program, complete the Setup wizard by providing the following information:
Change regional settings, if necessary.
Enter your name and organization.
Select the licensing mode.
Enter the computer name and password for the local Administrator account.
Select the Windows 2003 optional components. Optional components provide additional functionality to Windows 2003, such as Web services, Remote Installation Services (RIS), and management tools.
The following table describes these optional components.
Certificate Services - Allows you to create and request digital certificates for authentication. Certificates provide a verifiable means of identifying users on nonsecure networks, such as the Internet.
Windows Clustering - Enables two or more services to work together to keep server-based applications available, regardless of individual component failures. This service is available only in Windows 2000 Advanced Server and Windows 2000 Datacenter Server.
IIS - Internet Information Server. Includes FTP and Web servers, the administrative interface for IIS, common IIS components, and documentation.
Terminal Services - Enables Windows-based clients to gain access to a virtual Windows 2000 Advanced Server desktop session and Windows-based applications.
DNS
The Domain Name System (DNS) is an integral part of client/server communications in Internet Protocol networks. DNS is a distributed database that is used in IP networks to translate, or resolve, computer names into IP addresses. Microsoft Windows 2000 uses DNS as its primary method for name resolution.
DNS is a distributed database system that can serve as the foundation for name resolution in an IP network.
DNS Levels
DNS is a hierarchical naming structure with the following levels:
Root - designated by a dot (.).
First level - Indicates the country or the type of organization, such as "org", "com", and "net".
Second level - Indicates the organization name; it can be purchased for a yearly fee and can have many subdomains.
Notice that the highest level of the domain is listed last. An example of a domain name is: mecit.edu.om
The common top-level domain names used are:
.com: commercial organizations
.edu: educational institutes
.gov: government
.int: international organizations
.mil: military organizations
.net: Internet providers and networking organizations
.org: non-commercial organizations
.uk: United Kingdom
.us: United States
.ca: Canada
.jp: Japan
The additional top-level domains defined by ICANN in late 2000 are:
.aero: the air transportation industry
.biz: businesses
.coop: cooperatives
.info: information
.museum: museums
.name: individual names
.pro: credentialed professions such as attorneys
FQDN
A FQDN (fully qualified domain name) is a complete DNS name. For example, if a server named mail existed at MECIT, the FQDN of that server might be mail.mecit.edu.om.
Technically, a FQDN must end in a period. This rule is almost always ignored.
A FQDN is limited to a maximum length of 255 characters.
DNS uses the FQDN to resolve a host name to an IP address.
DNS Server
This is a computer running the DNS Server service, or BIND, that provides domain name services. The DNS server program, whether it is the DNS Server service or BIND, manages and maintains the DNS database located on the DNS server. The information in the DNS database of a DNS server pertains to a portion of the DNS domain tree structure or namespace. This information is used to provide responses to client requests for name resolution. When a DNS server is queried it can do one of the following:
o Respond to the request directly by providing the requested information.
o Provide a pointer (referral) to another DNS server that can assist in resolving the query.
o Respond that the information is unavailable.
o Respond that the information does not exist.
A DNS server is authoritative for the contiguous portion of the DNS namespace over which it resides.
Types of DNS servers:
Primary DNS server: This DNS server owns the zones defined in its DNS database, and can make changes to these zones.
Secondary DNS server: This DNS server obtains a read-only copy of zones via DNS zone transfers. A secondary DNS server cannot make any changes to the information contained in its read-only copy. A secondary DNS server can, however, resolve queries for name resolution. Secondary DNS servers are usually implemented for the following reasons:
o Provide redundancy: It is recommended to install one primary DNS server and one secondary DNS server for each DNS zone (minimum requirement). Install the DNS servers on different subnets so that if one DNS server fails, the other DNS server can continue to resolve queries.
o Distribute the DNS processing load: Implementing secondary DNS servers assists in reducing the load on the primary DNS server.
o Provide fast access for clients in remote locations: Secondary DNS servers can also prevent clients from traversing slow links for name resolution requests.
DNS zones
A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. A zone is a portion of a namespace; it is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple DNS zones. Zone files store resource records for the zones over which a DNS server has authority.
Zone Types
Primary zone: This is the only zone type that can be directly updated or edited, because the data in the zone is the original source of the data for all domains in the zone. Updates made to the primary zone are made by the DNS server that is authoritative for the specific primary zone.
Secondary zone: This is a read-only copy of the zone that was copied from the master server during zone transfer. In fact, a secondary zone can only be updated through zone transfer.
Active Directory-integrated zone: This is an authoritative primary zone that stores its data in Active Directory. Active Directory-integrated zones can be regarded as enhanced standard primary zones.
Stub zone: Stub zones only contain those resource records necessary to identify the authoritative DNS servers for the master zone.
DNS client: This is a machine that queries the DNS server for name resolution. To issue DNS requests to the DNS server, DNS resolvers are used.
DNS Record types:
A - Address record allowing a computer name to be translated into an IP address. Each computer must have this record for its IP address to be located. These names are not assigned for clients that have dynamically assigned IP addresses, but are a must for locating servers with static IP addresses.
AAAA - Host resource record for the IPv6 protocol.
AFSDB - Andrew File System Database resource record.
ATMA - Asynchronous Transfer Mode resource record.
CNAME - Canonical name allowing additional names or aliases to be used to locate a computer.
HINFO - Host information record with CPU type and operating system.
ISDN - Integrated Services Digital Network resource record.
MB - Mailbox resource record.
MG - Mail group resource record.
MINFO - Mailbox mail list information resource record.
MR - Mailbox renamed resource record.
MX - Mail Exchange server record. There may be several.
NS - Name server record. There may be several.
PTR - Pointer resource record.
RP - Responsible person.
RT - Route through resource record for specifying routes for certain DNS names.
SOA - Start of Authority record defines the authoritative server and parameters for the DNS zone. These include timeout values and the name of the responsible person.
SRV - Service locator resource record to map a service to servers providing the service. Windows 2000 clients will use this record to find a domain controller.
TXT - Text resource record for informative text.
WKS - Well known service resource record.
X25 - To map a host name to an X.25 address.
DNS Query Process
There are 2 types of queries that can be performed in DNS:
Iterative. A query made from a client to a DNS server in which the server returns the best answer that it can provide based on its cache or zone data. If a queried server does not have an exact match for the request, it provides a pointer to an authoritative server in a lower level of the domain namespace.
Recursive. A query made from a client to a DNS server in which the server assumes the full workload and responsibility for providing a complete answer to the query. The DNS server has to reply with the requested information, or with an error. The DNS server cannot provide a referral to a different DNS server.
The events that occur to resolve a name requested in a query are explained below:
1. The resolver sends a recursive DNS query to its local DNS server, to request the IP address of a particular name.
2. Because the local DNS server cannot refer the resolver to a different DNS server, the local DNS server attempts to resolve the requested domain name.
3. The local DNS server checks its zones.
4. If it finds no zones for the requested domain name, the local DNS server sends an iterative query for the requested name to the root DNS server.
5. The root DNS server is authoritative for the root domain. It responds with the IP address of a name server for the specific top-level domain.
6. The local DNS server next sends an iterative query for the requested name to this name server, which in turn replies with the IP address of the particular name server servicing the requested domain name.
7. The local DNS server then sends an iterative query for the requested name to the particular name server servicing the particular domain.
8. The name server responds with the requested IP address.
9. The IP address is returned to the resolver.
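The recursive/iterative walk in steps 1 to 9 above, as an added Python model that is not part of the guide: three constructed name servers (root, the om TLD server, and the mecit.edu.om authoritative server) answer iterative queries with an answer, a referral or a negative reply, and the local server resolves a recursive query by following the referrals. All server names and addresses are constructed sample data, and the 255-character FQDN limit from the FQDN section is enforced on input.

```python
"""Model of the DNS query process described above (added example, not
from the guide). Names, servers and addresses are constructed sample data."""
from dataclasses import dataclass, field

MAX_FQDN_LEN = 255  # the limit stated in the FQDN section


@dataclass
class Referral:
    """A pointer to a lower-level name server (what an iterative query returns
    when the queried server has no exact match)."""
    ns_name: str
    ns_addr: str


@dataclass
class NameServer:
    """One DNS server holding a portion of the namespace."""
    name: str
    a_records: dict = field(default_factory=dict)   # fqdn -> IPv4 address
    ns_records: dict = field(default_factory=dict)  # delegated zone -> Referral

    def iterative_query(self, fqdn):
        """Best answer from local data: ('answer', ip), ('referral', Referral)
        or ('nxdomain', None). Never chases the referral itself."""
        if fqdn in self.a_records:
            return "answer", self.a_records[fqdn]
        best = None  # longest delegated zone that is a suffix of the name
        for zone, ref in self.ns_records.items():
            if fqdn == zone or fqdn.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, ref)
        if best is not None:
            return "referral", best[1]
        return "nxdomain", None


def normalize_fqdn(name):
    """Apply the FQDN rules from the guide: the trailing dot is optional and
    the whole name may not exceed 255 characters."""
    if len(name) > MAX_FQDN_LEN:
        raise ValueError("FQDN longer than 255 characters")
    return name.lower().rstrip(".")


class LocalDnsServer:
    """The resolver's local DNS server: accepts recursive queries and must
    return an answer or an error, never a referral."""

    def __init__(self, root, servers):
        self.root = root
        self.servers = servers  # name server name -> NameServer
        self.cache = {}

    def recursive_query(self, name, max_hops=10):
        """Return (ip_or_None, path) where path lists the servers asked."""
        fqdn = normalize_fqdn(name)
        if fqdn in self.cache:
            return self.cache[fqdn], ["cache"]
        path = []
        server = self.root  # step 4: no local zone matches, so start at the root
        for _ in range(max_hops):
            path.append(server.name)
            kind, data = server.iterative_query(fqdn)
            if kind == "answer":          # step 8: authoritative answer
                self.cache[fqdn] = data
                return data, path
            if kind == "nxdomain":        # name does not exist: error, not referral
                return None, path
            server = self.servers[data.ns_name]  # steps 5-7: follow the referral
        raise RuntimeError("too many referrals for " + fqdn)


def build_sample_tree():
    """Constructed namespace: root -> om TLD server -> mecit.edu.om server."""
    root = NameServer("root", ns_records={
        "om": Referral("ns.om", "203.0.113.1")})
    tld_om = NameServer("ns.om", ns_records={
        "mecit.edu.om": Referral("ns1.mecit.edu.om", "203.0.113.10")})
    mecit = NameServer("ns1.mecit.edu.om", a_records={
        "mail.mecit.edu.om": "192.0.2.25",
        "www.mecit.edu.om": "192.0.2.80"})
    servers = {s.name: s for s in (root, tld_om, mecit)}
    return LocalDnsServer(root, servers)


if __name__ == "__main__":
    local = build_sample_tree()
    print(local.recursive_query("mail.mecit.edu.om."))   # answer via 3 servers
    print(local.recursive_query("nosuch.mecit.edu.om"))  # (None, path)
```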
Zone Lookup Types
The zone lookup type determines the tasks that a DNS server will perform. When you create a zone, you specify whether the zone will be used for resolving forward or reverse lookup queries by specifying the zone type.
Forward Lookup: A request to map a name to IP address. This is the most common type of lookup and is used to locate a server’s IP address so that a connection can be made to it. This type of request requires name to address resolution.
Reverse lookup: A request to map an IP address to a name. This is most commonly used when you know an IP address, but you want to know the domain name that is associated with the IP address. It is used when monitoring IP connections that are made to the server.
DHCP
Dynamic Host Configuration Protocol (DHCP)
This protocol is used to assign IP addresses to hosts or workstations on the network. Usually a DHCP server on the network performs this function. Basically it "leases" out addresses for specific times to the various hosts. If a host does not use a given address for some period of time, that IP address can then be assigned to another machine by the DHCP server. When assignments are made or changed, the DHCP server must update the information in the DNS server.
As with BOOTP, DHCP uses the machine's NIC Ethernet (MAC) or hardware address to determine IP address assignments. The DHCP protocol is built on BOOTP and replaces BOOTP. DHCP extends the vendor-specific area in BOOTP to 312 bytes from 64. RFC 1541 defines DHCP.
DHCP RFCs
The DHCP RFCs are 1533, 1534, 1541, and 1542.
The information sent from the DHCP server to the client machine is:
IP address
Subnet mask
Default Gateway address
DNS server address(es)
NetBIOS Name server (NBNS) address(es).
Lease period in hours
IP address of DHCP server.
Manual vs. Automatic TCP/IP Configuration
Manual TCP/IP Configuration:
IP addresses entered manually on each client computer.
Possibility of entering an incorrect or invalid IP address.
Incorrect configuration can lead to communication and network problems.
Administrative overload on networks where computers are frequently moved.
Automatic TCP/IP Configuration:
IP addresses are supplied automatically to client computers.
Ensures that clients always use correct configuration information.
Elimination of a common source of network problems.
Client configuration updated automatically to reflect changes in network structure.
DHCP Lease Stages (DHCP Lease Generation Process)
1. Lease Request - The client sends a broadcast requesting an IP address.
2. Lease Offer - The server sends the above information and marks the offered address as unavailable. The message sent is a DHCPOFFER broadcast message.
3. Lease Acceptance - The first offer received by the client is accepted. The acceptance is sent from the client as a broadcast (DHCPREQUEST message) including the IP address of the DHCP server that sent the accepted offer. Other DHCP servers retract their offers and mark the offered address as available and the accepted address as unavailable.
4. Server Lease Acknowledgement - The server sends a DHCPACK, or a DHCPNACK if an unavailable address was requested.
Figure: DHCP lease exchange between the DHCP client and the DHCP server: IP Lease Request, IP Lease Offer, IP Lease Selection, IP Lease Acknowledgement.
DHCP discover message - The initial broadcast sent by the client to obtain a DHCP lease. It contains the client MAC address and computer name. This is a broadcast using 255.255.255.255 as the destination address and 0.0.0.0 as the source address. The request is sent, then the client waits one second for an offer. The request is repeated at 9, 13, and 16 second intervals with an additional 0 to 1000 milliseconds of randomness. The attempt is repeated every 5 minutes thereafter. The client uses its own port 68 as the source port with port 67 as the destination port on the server to send the request to the server. The server uses its own port 67 as the source port with port 68 as the destination port on the client to reply to the client. Therefore the server is listening and sending on its own port 67 and the client is listening and sending on its own port 68. This can be confusing when you consider which way the message is going. To be clear on this, I quote RFC 1531, which states "DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68)".
DHCP Lease Renewal
After 50% of the lease time has passed, the client will attempt to renew the lease with the original DHCP server that it obtained the lease from, using a DHCPREQUEST message. Any time the client boots and the lease is 50% or more passed, the client will attempt to renew the lease. At 87.5% of the lease completion, the client will attempt to contact any DHCP server for a new lease. If the lease expires, the client will send a request as in the initial boot when the client had no IP address. If this fails, the client TCP/IP stack will cease functioning.
DHCP Scope and Subnets
One DHCP scope is required for each subnet.
DHCP Relay Agents
May be placed in two places:
Routers
Subnets that don't have a DHCP server to forward DHCP requests.
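The four lease stages and the 50% / 87.5% renewal thresholds described above, as an added Python simulation that is not from the guide: two constructed servers (dhcp-a and dhcp-b) hear the broadcast DHCPDISCOVER, the client takes the first offer and broadcasts its DHCPREQUEST, the selected server answers DHCPACK and the other retracts its offer. lease_state() maps elapsed lease time to the client's renew/rebind behaviour. All addresses, MACs and server names are constructed.

```python
"""Simulation of the DHCP lease generation process and lease renewal
timeline (added example, not from the guide; all values constructed)."""


class DhcpServer:
    def __init__(self, name, addresses):
        self.name = name
        self.free = list(addresses)   # scope addresses still available
        self.offered = {}             # mac -> ip marked unavailable by an offer
        self.leased = {}              # mac -> ip with an acknowledged lease

    def on_discover(self, mac):
        """Stage 2, Lease Offer: pick a free address and mark it unavailable."""
        if mac in self.leased:        # a returning client gets its old address
            return ("DHCPOFFER", self.name, self.leased[mac])
        if not self.free:
            return None               # scope exhausted: this server stays silent
        ip = self.free.pop(0)
        self.offered[mac] = ip
        return ("DHCPOFFER", self.name, ip)

    def on_request(self, mac, chosen_server, ip):
        """Stage 4, Server Lease Acknowledgement. The DHCPREQUEST is a
        broadcast, so every server on the subnet processes it."""
        if chosen_server != self.name:
            # Not selected: retract the offer, the address is available again.
            retracted = self.offered.pop(mac, None)
            if retracted is not None:
                self.free.append(retracted)
            return None
        if self.offered.get(mac) == ip or self.leased.get(mac) == ip:
            self.offered.pop(mac, None)
            self.leased[mac] = ip
            return ("DHCPACK", self.name, ip)
        return ("DHCPNACK", self.name, ip)   # an unavailable address was requested


def obtain_lease(client_mac, servers):
    """Run the four lease stages across the broadcast domain `servers`.
    Returns (ip, server_name), or None if no server made an offer."""
    # Stage 1, Lease Request: the DHCPDISCOVER broadcast reaches every server.
    offers = [o for o in (s.on_discover(client_mac) for s in servers) if o]
    if not offers:
        return None
    # Stage 3, Lease Acceptance: the first offer received is the one accepted.
    _, chosen, ip = offers[0]
    acks = [s.on_request(client_mac, chosen, ip) for s in servers]
    for reply in acks:
        if reply and reply[0] == "DHCPACK":
            return reply[2], reply[1]
    return None


def lease_state(elapsed, lease_seconds):
    """Client behaviour as a function of time since the lease was granted."""
    fraction = elapsed / lease_seconds
    if fraction < 0.5:
        return "BOUND"        # nothing to do yet
    if fraction < 0.875:
        return "RENEWING"     # DHCPREQUEST to the original server only
    if fraction < 1.0:
        return "REBINDING"    # any DHCP server may now grant a new lease
    return "EXPIRED"          # back to DHCPDISCOVER; the stack stops if that fails


if __name__ == "__main__":
    srv_a = DhcpServer("dhcp-a", ["10.0.0.10", "10.0.0.11"])
    srv_b = DhcpServer("dhcp-b", ["10.0.0.50"])
    print(obtain_lease("00:80:00:20:20:ef", [srv_a, srv_b]))  # from dhcp-a
    print(srv_b.free)   # dhcp-b retracted its offer, so 10.0.0.50 is free again
    print(lease_state(elapsed=4 * 3600, lease_seconds=8 * 3600))  # RENEWING
```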
Client Reservation
Client Reservation is used to be sure a computer gets the same IP address all the time. Since DHCP IP address assignments use MAC addresses to control assignments, the following are required for a client reservation:
MAC (hardware) address
IP address
Exclusion Range
An exclusion range is used to reserve a bank of IP addresses so that computers with static IP addresses, such as servers, may use the addresses in this range. These addresses are not assigned by the DHCP server.
IP address
An IP address (also called an IP number) is a number (typically written as four numbers separated by periods, e.g. 107.4.1.3 or 84.2.1.111) which uniquely identifies a computer that is making use of the Internet. It is analogous to your telephone number in that the telephone number is used by the telephone network to direct calls to you. The IP address is used by the Internet to direct data to your computer, e.g. the data your web browser retrieves and displays when you surf the net. One task of DHCP is to assist in the problem of getting a functional and unique IP number into the hands of the computers that make use of the Internet.
MAC address
A MAC address (also called an Ethernet address or an IEEE MAC address) is a number (typically written as twelve hexadecimal digits, 0 through 9 and A through F, or as six hexadecimal numbers separated by periods or colons, e.g. 0080002012ef or 0:80:0:2:20:ef) which uniquely identifies a computer that has an Ethernet interface. Unlike the IP number, it includes no indication of where your computer is located. In DHCP's typical use, the server uses a requesting computer's MAC address to uniquely identify it.
DHCP lease
A DHCP lease is the amount of time that the DHCP server grants the DHCP client permission to use a particular IP address. A typical server allows its administrator to set the lease time.
DHCP Relay Agent
Definition: A DHCP relay agent is a computer or router that is configured to listen for DHCP/BOOTP broadcasts from DHCP clients and then relay those messages to DHCP servers on different subnets. DHCP/BOOTP relay agents are part of the DHCP and BOOTP standards, and they function according to the Request for Comments (RFC) standard documents that describe protocol design and related behavior. An RFC 1542-compliant router is a router that supports the forwarding of DHCP broadcast traffic.
Why use a DHCP relay agent?
DHCP clients use broadcasts to secure a lease from a DHCP server. Routers normally do not pass broadcasts unless specifically configured to do so. Consequently, without additional configuration, DHCP servers can provide IP addresses only to clients located on the local subnet. Many organizations find it more efficient to centralize the servers that provide the DHCP Server service. To do so, they must configure the network so that DHCP broadcasts will be passed from the client to the DHCP server. This can be done in one of two ways: by configuring the routers that connect the subnets to forward DHCP broadcasts, or by configuring them to implement DHCP relay agents. Windows Server 2003 supports the Routing and Remote Access service, which can be configured to function as a DHCP relay agent.
DHCP strategies in a routed network
To understand why you would use a Microsoft DHCP relay agent, it is important to identify strategies that can be implemented in a routed network. For example:
Include at least one DHCP server on each subnet. This method requires at least one DHCP server on each subnet to directly respond to DHCP client requests. However, this configuration potentially requires more administrative and equipment overhead because of the need to locate a DHCP server on each individual subnet rather than providing DHCP server services from a centralized location to multiple subnets. In addition, to provide fault tolerance, this solution would require two servers configured on each subnet as DHCP servers. Placing two DHCP servers on each subnet is often impractical.
Configure an RFC 1542-compliant router to forward DHCP messages between subnets. An RFC 1542-compliant router can be configured to selectively forward DHCP broadcasts to another subnet. Although this option is preferable to using DHCP servers on each subnet, it can complicate router configuration and cause unnecessary broadcast traffic to be forwarded to other subnets.
Configure a Microsoft DHCP relay agent on each subnet to forward DHCP messages to one or more particular DHCP servers on another subnet. Configuring a Microsoft DHCP relay agent on each subnet has several advantages over the other options: it limits broadcasts to the subnet in which they originate, and adding DHCP relay agents to multiple subnets allows a single DHCP server to provide IP addresses to multiple subnets more efficiently than when using RFC 1542-compliant routers. You can also configure a Microsoft DHCP relay agent to delay its response to a client request by a few seconds, in effect creating primary and secondary DHCP responders.
Configure a DHCP server that has multiple network cards. When you configure a DHCP server that has multiple network cards, you can connect each network card to a different subnet. You can then configure DHCP scopes for each network that is attached to the server. This is the recommended configuration if all subnets are in a single location.
Network Troubleshooting Commands
Troubleshooting a computer network is among the most important job descriptions of network administrators, system administrators, network technicians and IT consultants. A computer network can have different kinds of problems: it can be infected with viruses and spyware, attacked by hackers, accessed by unauthorized users, and may face connectivity failures due to faulty network devices or configurations. Following is a list of the basic network troubleshooting commands that are built into Windows-based operating systems and UNIX. The right use of these troubleshooting commands helps a lot in diagnosing and resolving issues with your computer network.
PING
Ping is the most important troubleshooting command; it checks the connectivity with other computers. For example, if your system's IP address is 10.10.10.10 and your network server's IP address is 10.10.10.1, you can check the connectivity with the server by using the Ping command in the following format. At the DOS prompt type ping 10.10.10.1 and press Enter. If you get a reply from the server then the connectivity is OK; if you get an error message like "Request timed out", there is some problem in the connectivity with the server.
IPCONFIG
Ipconfig is another important command in Windows. It shows the IP address of the computer and also the DNS, DHCP and gateway addresses of the network and the subnet mask.
At the DOS prompt type ipconfig and press Enter to see the IP address of your computer.
At the DOS prompt type ipconfig /all and press Enter to see detailed information.
At the DOS prompt type ipconfig /displaydns and press Enter to display the DNS cache.
At the DOS prompt type ipconfig /flushdns and press Enter to clear the DNS cache.
At the DOS prompt type ipconfig /release and press Enter to release all IP address connections.
At the DOS prompt type ipconfig /renew and press Enter to renew all IP address connections.
NSLOOKUP
NSLOOKUP is a TCP/IP-based command; it checks domain name aliases, DNS records and operating system information by sending queries to the Internet Domain Name Servers. You can resolve errors with the DNS of your network server.
HOSTNAME
The Hostname command shows you the computer name. At the DOS prompt type hostname and press Enter.
NETSTAT
The NETSTAT utility shows protocol statistics and the current established TCP/IP connections on the computer.
NBTSTAT
NBTSTAT helps to troubleshoot NetBIOS name resolution problems.
ARP
ARP displays and modifies the IP-to-physical address translation table that is used by the ARP protocol.
FINGER
The Finger command is used to retrieve information about a user on a network.
TRACERT
The Tracert command is used to determine the path to a remote system. This tool also provides the number of hops and the IP address of each hop. For example, if you want to see how many hops (routers) are involved in reaching a URL and what the IP address of each hop is, use the following command. At the command prompt type tracert www.yahoo.com and you will see a list of all the hops and their IP addresses.
TRACEROUTE
Traceroute is a very useful network debugging command; it is used in locating the server that is slowing down the transmission on the Internet and it also shows the route between two systems.
ROUTE
The Route command allows you to make manual entries in the routing table.
Pathping combines the functions of Ping and Tracert.
net session - Shows all Windows networking sessions.
net use - Retrieves a list of network connections.
net share - Lists all Windows shares that are available on this machine.
net user - Shows user accounts for the computer.
net user /domain - Displays user accounts for the domain.
net view - Displays domains in the network.
net user /domain <UserName> - Shows account details for a specific user.
whether the port is open
WEB SERVER
A Web server is a program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests). Every computer on the Internet that contains a Web site must have a Web server program. Two leading Web servers are Apache, the most widely installed Web server, and Microsoft's Internet Information Server (IIS).
Other Web servers include Novell's Web Server for users of its NetWare operating system and IBM's family of Lotus Domino servers, primarily for IBM's OS/390 and AS/400 customers.
Configuring a WEB SERVER
By default IIS is installed automatically when you install Windows 2000. IIS is designed to support simple websites in addition to multiple web sites on a single server. In addition to the World Wide Web (WWW) server, the other Internet services that IIS includes are:
FTP - File Transfer Protocol Service: Enables you to set up FTP sites for uploading and downloading files.
NNTP - Network News Transfer Protocol Service: Enables you to host electronic discussion groups or newsgroups.
SMTP - Simple Mail Transfer Protocol Service: Enables you to receive mail messages from client applications and send these mail messages to another server over the Internet.
Methods of Authentication
Anonymous access provides users access to the public areas of your website without prompting them for a user name and password. This authentication method is configured by default during IIS installation.
Basic Authentication prompts the users for a user name and password before allowing access to a web page. You can set basic authentication at the Web Site, Folder or File level.
Digest Authentication is a new feature in IIS 5.0. This method is similar to Basic authentication, but it involves a different way of transmitting the authentication credentials. The authentication credentials pass through a process called hashing.
Integrated Windows Authentication is used when you are configuring an intranet site, where both the users and the web server are in the same domain, or in domains with a trust relationship.
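What "a different way of transmitting the credentials" means on the wire, as an added Python example that is not from the guide: Basic puts the user name and password in the header Base64-encoded (reversible by anyone who sees the request), while Digest sends an MD5 hash over the credentials, the server's nonce, the method and the URI, following the RFC 2617 algorithm. The sample user, realm, nonce and password are the RFC 2617 examples; the server-side check assumes the server stores HA1 rather than the clear-text password.

```python
"""Basic vs Digest authentication (added example, not from the guide).
Sample values are the RFC 2617 examples; the realm and nonce come from the
server's challenge in practice."""
import base64
import hashlib
import hmac


def basic_authorization_header(user, password):
    """Authorization header a client sends for Basic auth: the credentials
    are only Base64-encoded, not hashed."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def decode_basic(header):
    """What any host on the path can do with a Basic header: recover both
    the user name and the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); the only password-derived value the
    server needs to keep (still a password-equivalent, so protect it)."""
    return _md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth:
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2) where HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, qop, response):
    """Server side: recompute from the stored HA1 and compare in constant
    time. The password never crosses the wire, and a fresh nonce per
    challenge stops a captured response from being replayed later."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print(basic_authorization_header("Aladdin", "open sesame"))
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    print(digest_response(ha1, "GET", "/dir/index.html",
                          "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))
```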
FTP
What is FTP?
FTP (File Transfer Protocol) is the simplest and most secure way to exchange files over the Internet. Most often, a computer with an FTP address is dedicated to receiving FTP connections. Just as a computer that is set up to host Web pages is referred to as a Web server or Website, a computer dedicated to receiving FTP connections is referred to as an FTP server or FTP site.
What is an FTP Site?
An FTP site is like a large filing cabinet. With a traditional filing cabinet, the person who does the filing has the option to label and organize the files how ever they see fit. They also decide which files to keep locked and which remain public. It is the same with an FTP site.
The virtual 'key' to get into an FTP site is the UserID and Password. If the creator of the FTP site is willing to give everyone access to the files, the UserID is 'anonymous' and the Password is your e-mail address (e.g. [email protected]).
If the FTP site is not public, there will be a unique UserID and Password for each person who is granted access.
When connecting to an FTP site that allows anonymous logins, you're frequently not prompted for a name and password. Hence, when downloading from the Internet, you most likely are using an anonymous FTP login and you don't even know it.
To make an FTP connection you can use a standard Web browser (Internet Explorer, Netscape, etc.) or a dedicated FTP software program, referred to as an FTP 'Client'.
When using a Web browser for an FTP connection, FTP uploads are difficult, or sometimes impossible, and downloads are not protected (not recommended for uploading or downloading large files).
When connecting with an FTP Client, uploads and downloads couldn't be easier, and you have added security and additional features. For one, you're able to resume a download that did not successfully finish, which is a very nice feature for people using dial-up connections who frequently lose their Internet connection.
What is an FTP Client?
An FTP Client is software that is designed to transfer files back-and-forth between two computers over the Internet. It needs to be installed on your computer and can only be used with a live connection to the Internet.
The classic FTP Client look is a two-pane design. The pane on the left displays the files on your computer and the pane on the right displays the files on the remote computer.
File transfers are as easy as dragging-and-dropping files from one pane to the other or by highlighting a file and clicking one of the direction arrows located between the panes. Additional features of the FTP Client include: multiple file transfer; the auto reget or resuming feature; a queuing utility; the scheduling feature; an FTP find utility; a synchronize utility; and for the advanced user, a scripting utility.
FTP commands using the DOS prompt
FTP can also be done from the DOS (command) prompt. The port number for FTP is 21. A user types ftp and then open followed by the server name to connect to port 21 on the server (a different port number can be given after the server name).
A user must log in to the server with a valid user name and password.
Decide whether you have to send images or text/HTML files:
If you need to send images (or any other binary file, such as an archive or an executable), change from the default ASCII mode to binary with the binary command. ASCII mode rewrites line endings during the transfer and so corrupts binary files.
If you need to send HTML, ASP or other text files, use the default ASCII mode (ascii).
To send a file the command is "send" filename (or "put" filename). To receive a file from the remote server it is "get" filename. "mput" and "mget" can be used to send and receive multiple files. "help" displays the available commands. "lcd" is used to change the directory on the local machine and "cd" is used to change the directory on the remote machine. "dir" lists the files in the remote directory and "status" shows, among other things, whether the session is in ASCII mode or binary mode. "bye" is used to disconnect from the FTP server.
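The following is an added example, not part of the module text, showing why the ASCII/binary choice above matters. It models what ASCII mode (TYPE A) does to the bytes of a file (line endings are rewritten to CRLF on the wire and then to the receiver's convention) and picks the transfer type by file extension the way the text describes. The extension table, the sample PNG signature and the sample HTML file are constructed for the example; the upload helper uses Python's standard ftplib, whose storbinary/storlines calls issue the same TYPE I / TYPE A commands as the DOS client, and is not run here because it needs a live server.

```python
"""FTP transfer modes: what ASCII (TYPE A) does to bytes, and why images need TYPE I."""
import os

# Extensions the module treats as text files (sent in the default ASCII mode).
# Everything else (images, archives, executables) must be sent in binary mode.
TEXT_EXTENSIONS = {".txt", ".htm", ".html", ".asp", ".css", ".js", ".csv"}


def transfer_mode(filename: str) -> str:
    """Return the FTP TYPE to select: 'A' (ASCII) for text, 'I' (image/binary) otherwise."""
    ext = os.path.splitext(filename)[1].lower()
    return "A" if ext in TEXT_EXTENSIONS else "I"


def ascii_send(local_bytes: bytes, sender_eol: bytes = b"\r\n") -> bytes:
    """Sending side in ASCII mode: every local line ending becomes CRLF on the wire."""
    unified = local_bytes.replace(sender_eol, b"\n")
    return unified.replace(b"\n", b"\r\n")


def ascii_receive(wire_bytes: bytes, receiver_eol: bytes = b"\n") -> bytes:
    """Receiving side in ASCII mode: CRLF on the wire becomes the local line ending."""
    return wire_bytes.replace(b"\r\n", receiver_eol)


def ascii_transfer(data: bytes, sender_eol: bytes = b"\r\n", receiver_eol: bytes = b"\n") -> bytes:
    """End-to-end ASCII-mode transfer, by default from a Windows client to a Unix server."""
    return ascii_receive(ascii_send(data, sender_eol), receiver_eol)


def transfer(filename: str, data: bytes, sender_eol: bytes = b"\r\n", receiver_eol: bytes = b"\n"):
    """Transfer `data` in the mode chosen for `filename`; binary mode copies bytes unchanged."""
    mode = transfer_mode(filename)
    if mode == "I":
        return mode, data
    return mode, ascii_transfer(data, sender_eol, receiver_eol)


# Constructed samples: the 8-byte PNG file signature (it deliberately contains 0x0D 0x0A,
# so that a file damaged by an ASCII-mode transfer is detectable) and a small HTML file
# with Windows line endings.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
HTML_SAMPLE = b"<html>\r\n<body>hello</body>\r\n</html>\r\n"


def upload(ftp, local_path: str, remote_name: str) -> None:
    """Upload with ftplib, choosing the mode the same way (needs a connected ftplib.FTP object)."""
    with open(local_path, "rb") as fh:
        if transfer_mode(local_path) == "I":
            ftp.storbinary(f"STOR {remote_name}", fh)   # sends TYPE I, then STOR
        else:
            ftp.storlines(f"STOR {remote_name}", fh)    # sends TYPE A, then STOR


if __name__ == "__main__":
    print("png in ASCII mode :", ascii_transfer(PNG_SIGNATURE))   # 7 bytes, signature broken
    print("png in binary mode:", transfer("logo.png", PNG_SIGNATURE)[1])
    print("html to Unix      :", transfer("index.html", HTML_SAMPLE)[1])
```

Running the block shows the PNG signature shrinking from 8 to 7 bytes when it goes through ASCII mode, which is exactly the corruption the text warns about, while the HTML file only has its line endings normalised.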
NETWORK SECURITY
What is PKI?
PKI is the acronym for Public Key Infrastructure. The technology is called Public Key because, unlike earlier forms of cryptography, it works with a pair of keys. One of the two keys can be used to encrypt information that can only be decrypted with the other key. One key is made public and the other is kept secret; the secret key is usually called the private key. Since anyone can obtain the public key, users can initiate secure communications without having to previously share a secret through some other medium with their correspondent. The Infrastructure is the underlying system needed to issue keys and certificates and to publish the public information. PKI is a set of comprehensive system policies, procedures, and technologies working together to allow secure and confidential communication between Internet users. PKI is based on the idea of encryption using public and private keys. PKI uses key pairs (public and private keys) where the public key is digitally signed by a trusted third party known as a certification authority.
Public Key Certificates
A public key needs to be associated with the name of its owner. This is done by using a public key certificate, which is a data structure containing the owner's name, their public key and e-mail address, validity dates for the certificate, the location of revocation information, the location of the issuer's policies, and possibly other information such as their affiliation with the certificate issuer (often an employer or institution). The certificate data structure is signed with the private key of the issuer so that a recipient can verify the identity of the signer and prove that the data in the certificate has not been altered. Public key certificates are then published, often in an LDAP directory, so users of PKI can locate the certificate for an individual with whom they wish to communicate securely.
Encryption and Signing
A secret (symmetric) key allows two transformations of data to occur: plain text is transformed to cipher text, which is unreadable until it is transformed back to plain text using the same secret key. A public key system uses the Encrypt and Decrypt functions to implement two primitive operations, data encryption and signatures. To encrypt data, the public key of the recipient is used to transform a plain text message to cipher text. The cipher text of the message can be converted back to plain text only by using the corresponding private key. Since this private key is known only by the intended recipient, only that individual can decrypt the message. A signature is created by transforming the plain text (in practice, a hash of it) to cipher text using the private key of the signer. A signature is verified by looking up the public key of the signer and transforming the cipher text of the signature back to plain text. If the result matches the data (or its hash), the transformation must have been done with the corresponding private key, which implies that the signature was produced by the owner of that private key.
What is the relationship between PKI and security?
The relationship between PKI and security lies in the fact that the public and private keys can be used for encryption and for authentication. To secure online transactions one must hide the content of the data being transmitted over the wire and be sure of the identity of the other party; PKI is used for both tasks through SSL and TLS.
What are the major elements of PKI?
The major components of PKI are listed below.
Certification Authority
Digital certificates
Public and private key pairs
Certificate Policy (CP)
Certification Practices Statement (CPS)
What is a Certification Authority (CA)?
A Certification Authority is a trusted third party that verifies the identity of an entity registering for a digital certificate. Once a Certification Authority authenticates the requesting entity's identity, it issues a digital certificate to the requesting entity binding his or her identity to a public key. (Digital certificates can be issued to organizations and devices in addition to people.)
What is a digital certificate?
Digital certificates are the electronic counterparts to driver licences, passports and membership cards. You can present a digital certificate electronically to prove your identity or your right to access information or services online.
Digital certificates bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information.
Used in conjunction with encryption, digital certificates provide a more complete security solution, assuring the identity of all parties involved in a transaction.
A digital certificate is issued by a Certification Authority (CA) and signed with the CA's private key.
A digital certificate typically contains the:
o Owner's public key
o Owner's name
o Expiration date of the certificate (and therefore of the public key's validity)
o Name of the issuer (the CA that issued the digital certificate)
o Serial number of the digital certificate
o Digital signature of the issuer
The most widely accepted format for Digital Certificates is defined by the ITU-T X.509 international standard; thus certificates can be read or written by any application complying with X.509.
X.509
X.509 is an ITU-T (ITU Telecommunication Standardization Sector) standard for PKI (Public Key Infrastructure) in cryptography which, amongst many other things, defines specific formats for PKC (public key certificates) and the algorithm that verifies that a given certificate path is valid.
Certificate Structure
An X.509 version 3 digital certificate has three main parts: the certificate (the part that is signed), the certificate signature algorithm and the certificate signature. The certificate is described by attributes such as version, serial number, algorithm ID, issuer, subject, validity, subject public key info, extensions and several optional ones like subject and issuer unique identifier. The subject public key info attribute is further detailed by the public key algorithm and subject public key, while the validity attribute has a lower and an upper date limit (Not Before and Not After), which decide the lifetime of the certificate.
Structure of a certificate
The structure of an X.509 v3 digital certificate is as follows:
Certificate
    Version
    Serial Number
    Algorithm ID
    Issuer
    Validity
        Not Before
        Not After
    Subject
    Subject Public Key Info
        Public Key Algorithm
        Subject Public Key
    Issuer Unique Identifier (Optional)
    Subject Unique Identifier (Optional)
    Extensions (Optional)
    ...
Certificate Signature Algorithm
Certificate Signature
IPSec
Internet Protocol Security (IPsec) is a collection of standards that was designed specifically to create secure end-to-end connections. The standards were developed by the Internet Engineering Task Force (IETF) to secure communications over both public and private networks, though it is particularly beneficial on public networks. Using IPsec, you can provide data privacy, integrity, authenticity, and anti-replay protection for network traffic.
The bundle of protocols, hashing and encryption algorithms used with IPsec includes:
o IKE [Internet Key Exchange protocol]
o ISAKMP [Internet Security Association and Key Management Protocol]
o AH [Authentication Header protocol]
o ESP [Encapsulating Security Payload protocol]
o STS [Station-to-Station protocol]
o HMAC [Hash-based Message Authentication Code]
o MD5 [Message Digest 5]
o SHA-1 [Secure Hash Algorithm 1]
o 3DES [Triple Data Encryption Standard]
o XAUTH [Extended Authentication]
o AES [Advanced Encryption Standard]
AH versus ESP
"Authentication Header" (AH) and "Encapsulating Security Payload" (ESP) are the two main wire-level protocols used by IPsec; AH authenticates, and ESP encrypts (and optionally authenticates), the data flowing over the connection.
Authentication Header (AH) is used to authenticate, but not encrypt, IP traffic. It provides an authenticity guarantee for packets by attaching a strong cryptographic checksum (a keyed MAC such as HMAC) to each packet. If you receive a packet with AH and the checksum verifies, you can be sure about two things, provided you and the peer share a secret key and no other party knows the key:
o The packet was originated by the expected peer, not by an impersonator.
o The packet was not modified in transit.
Encapsulating Security Payload (ESP) provides a confidentiality guarantee for packets by encrypting them. If you receive a packet with ESP and successfully decrypt it, you can be sure that nobody who wiretapped the connection could read its contents, again provided you and the peer share a secret key and no other party knows the key. Encryption alone does not detect tampering; for that, ESP's optional authentication or AH is needed.
Modes of Operation for IPsec
IPsec can run in either of two modes, transport mode and tunnel mode, described next.
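The AH guarantees described above, as an added example that is not part of the module text: a sender attaches an HMAC-SHA-1-96 integrity check value (ICV) to a transport-mode packet and the receiver verifies it and enforces an anti-replay window. The IPv4 header builder, the 32-byte shared key, the addresses, the payloads and the simplified sliding window are all constructed for the example (real AH follows RFC 4302 and is negotiated by IKE); it assumes HMAC-SHA-1 truncated to 96 bits as the ICV algorithm.

```python
"""IPsec AH in transport mode: HMAC-SHA-1-96 integrity check plus anti-replay (simplified)."""
import hashlib
import hmac
import struct

ICV_LEN = 12      # HMAC-SHA-1-96: the 20-byte HMAC is truncated to 96 bits
AH_PROTO = 51     # IP protocol number of the Authentication Header
AH_HDR_LEN = 12   # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src: bytes, dst: bytes, ttl: int, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; it is mutable and not authenticated)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH authenticates the IP header except the fields routers may change in transit
    (DSCP/ECN, flags and fragment offset, TTL, header checksum); those are zeroed for the MAC."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fields: bytes, payload: bytes) -> bytes:
    """ICV over immutable IP header + AH header (with the ICV field itself zeroed) + payload."""
    authenticated = zero_mutable(ip_hdr) + ah_fields + bytes(ICV_LEN) + payload
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: bytes, dst: bytes, payload: bytes, spi: int, seq: int,
               next_header: int = 17) -> bytes:
    """Sender: wrap a transport-mode packet (next_header 17 = the UDP payload that follows AH)."""
    total_len = 20 + AH_HDR_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, 64, AH_PROTO, total_len)
    payload_len = (AH_HDR_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    ah_fields = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return ip_hdr + ah_fields + compute_icv(key, ip_hdr, ah_fields, payload) + payload


class AhReceiver:
    """Receiver state for one inbound security association: the key and an anti-replay window."""

    def __init__(self, key: bytes, window: int = 64):
        self.key, self.window = key, window
        self.highest, self.seen = 0, set()

    def verify(self, packet: bytes) -> str:
        ip_hdr, ah_fields = packet[:20], packet[20:20 + AH_HDR_LEN]
        icv = packet[20 + AH_HDR_LEN:20 + AH_HDR_LEN + ICV_LEN]
        payload = packet[20 + AH_HDR_LEN + ICV_LEN:]
        seq = struct.unpack("!BBHII", ah_fields)[4]
        # Anti-replay: reject sequence numbers already accepted or older than the window.
        if seq in self.seen or seq <= self.highest - self.window:
            return "replay"
        expected = compute_icv(self.key, ip_hdr, ah_fields, payload)
        if not hmac.compare_digest(icv, expected):
            return "icv mismatch"
        self.seen.add(seq)                       # only verified packets advance the window
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return "ok"


def in_transit_ttl_decrement(packet: bytes) -> bytes:
    """What every router does on the way: TTL drops by one (mutable, so AH still verifies)."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


# Constructed sample: shared key and two hosts, 10.0.0.1 -> 10.0.0.2.
KEY = b"constructed-shared-secret-key-20"
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])


def demo():
    """Genuine packets pass (even after TTL changes), a replay and a tampered packet do not."""
    rx = AhReceiver(KEY)
    pkt1 = ah_protect(KEY, SRC, DST, b"hello", spi=0x100, seq=1)
    pkt2 = ah_protect(KEY, SRC, DST, b"world", spi=0x100, seq=2)
    pkt3 = ah_protect(KEY, SRC, DST, b"money", spi=0x100, seq=3)
    tampered = pkt3[:-5] + b"MONEY"              # attacker edits the payload in transit
    return [rx.verify(in_transit_ttl_decrement(pkt1)), rx.verify(pkt2), rx.verify(pkt2),
            rx.verify(tampered), rx.verify(pkt3)]


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'replay', 'icv mismatch', 'ok']
```

The order of checks in verify mirrors the standard: the cheap sequence-number test runs first, the ICV is compared in constant time, and the window only moves for packets whose ICV verified, so a forged packet cannot be used to push genuine ones out of the window.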
In transport mode, only the payload of the IP packet is protected (encrypted with ESP, or authenticated with AH); the original IP header stays in place and is used for routing. Transport mode is used to protect an end-to-end conversation between two hosts. This protection is either authentication or encryption (or both), but it is not a tunnelling protocol. It has nothing to do with a traditional VPN: it is simply a secured IP connection.
Tunnel Mode
In tunnel mode, the entire original IP packet (header and payload, and with it the original routing information) is encapsulated inside a new IP packet and protected; with ESP it is encrypted, so only the new outer header is visible on the untrusted network. Tunnel mode is intended for secure site-to-site communications over an untrusted network. Each site has an IPsec gateway configured to route traffic to the other site. When a computer in one site needs to communicate with a computer in the other site, the traffic passes through the IPsec gateways.
Secure Socket Layer
The Secure Socket Layer (SSL) protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certification Authority (CA), to identify one end or both ends of the transaction. This, in short, is how it works.
1. A browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server, with the encrypted URL required as well as other encrypted HTTP data.
5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
6. The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.
7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.
The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP.
SSL server authentication allows a user to confirm a server's identity. SSL-enabled client software can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certification authority (CA) listed in the client's list of trusted CAs. This confirmation might be important if the user, for example, is sending a credit card number over the network and wants to check the receiving server's identity.
SSL client authentication allows a server to confirm a user's identity. Using the same techniques as those used for server authentication, SSL-enabled server software can check that a client's certificate and public ID are valid and have been issued by a certification authority (CA) listed in the server's list of trusted CAs. This confirmation might be important if the server, for example, is a bank sending confidential financial information to a customer and wants to check the recipient's identity.
An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software, thus providing a high degree of confidentiality. Confidentiality is important for both parties to any private transaction. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering--that is, for automatically determining whether the data has been altered in transit.
The algorithms used in SSL include:
DES. Data Encryption Standard, a symmetric encryption algorithm adopted by the U.S. Government.
RSA. A public-key algorithm for both encryption and authentication, developed by Rivest, Shamir, and Adleman.
MD5. A message digest (hash) algorithm developed by Rivest.
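The following added example (written for this page, not taken from the module) ties together the Encryption and Signing section, the digital certificate and X.509 structure sections, and steps 2 to 5 of the SSL handshake above. It uses textbook RSA with fixed Mersenne primes and no padding, which is insecure and used only so the example is deterministic and runs with the standard library; JSON stands in for DER as the certificate encoding; the CA name, site name, serial number, validity timestamps and the "toy-RSA" algorithm labels are all constructed. The certificate fields follow the X.509 names (tbsCertificate, validity/notBefore/notAfter, subjectPublicKeyInfo, signatureValue).

```python
"""Toy PKI: encrypt/decrypt, sign/verify, a CA-issued certificate, and the RSA key exchange
of the SSL handshake. Textbook RSA without padding: illustration only, never for real use."""
import hashlib
import json
import os

E = 65537  # public exponent shared by every key pair


def make_keypair(p: int, q: int):
    """Build (public, private) from two primes. Real keys use random primes of 1024+ bits;
    the fixed Mersenne primes used below keep the example deterministic."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}


CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**127 - 1)
SERVER_PUB, SERVER_PRIV = make_keypair(2**607 - 1, 2**89 - 1)
TRUSTED_ROOTS = {"CN=Example Root CA": CA_PUB}   # the browser's list of trusted CAs


def encrypt(plaintext: bytes, pub) -> int:
    """Public key transforms plain text to cipher text; only the private key can reverse it."""
    m = int.from_bytes(plaintext, "big")
    if m >= pub["n"]:
        raise ValueError("message too long for this key")
    return pow(m, pub["e"], pub["n"])


def decrypt(ciphertext: int, priv, length: int) -> bytes:
    return pow(ciphertext, priv["d"], priv["n"]).to_bytes(length, "big")


def sign(data: bytes, priv) -> int:
    """The signer transforms the SHA-256 digest of the data with the private key."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, priv["d"], priv["n"])


def verify(data: bytes, signature: int, pub) -> bool:
    """Transform the signature back with the public key and compare with the digest."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, pub["e"], pub["n"]) == h


def tbs_bytes(tbs: dict) -> bytes:
    """Canonical encoding of the to-be-signed part (JSON stands in for DER here)."""
    return json.dumps(tbs, sort_keys=True).encode()


def issue_certificate(subject, subject_pub, issuer, issuer_priv, serial, not_before, not_after):
    """The CA binds a subject name to a public key and signs the result with its private key."""
    tbs = {
        "version": 3,
        "serialNumber": serial,
        "issuer": issuer,
        "validity": {"notBefore": not_before, "notAfter": not_after},   # Unix timestamps
        "subject": subject,
        "subjectPublicKeyInfo": {"algorithm": "toy-RSA", "n": subject_pub["n"], "e": subject_pub["e"]},
    }
    return {"tbsCertificate": tbs, "signatureAlgorithm": "sha256-toy-RSA",
            "signatureValue": sign(tbs_bytes(tbs), issuer_priv)}


def validate_certificate(cert, expected_subject, now, trusted=TRUSTED_ROOTS) -> str:
    """Handshake step 3: trusted issuer, intact signature, inside validity, right site."""
    tbs = cert["tbsCertificate"]
    issuer_pub = trusted.get(tbs["issuer"])
    if issuer_pub is None:
        return "untrusted issuer"
    if not verify(tbs_bytes(tbs), cert["signatureValue"], issuer_pub):
        return "bad signature"
    if not tbs["validity"]["notBefore"] <= now <= tbs["validity"]["notAfter"]:
        return "outside validity period"
    if tbs["subject"] != expected_subject:
        return "certificate does not match site"
    return "ok"


def client_key_exchange(cert, site, now):
    """Steps 3 to 5: the client validates the certificate, picks a random symmetric key and
    wraps it with the public key from the certificate; the server unwraps it with its private key.
    Returns (key the client chose, key the server recovered), or None if validation fails."""
    if validate_certificate(cert, site, now) != "ok":
        return None
    spki = cert["tbsCertificate"]["subjectPublicKeyInfo"]
    session_key = os.urandom(16)
    wrapped = encrypt(session_key, {"n": spki["n"], "e": spki["e"]})
    return session_key, decrypt(wrapped, SERVER_PRIV, 16)   # server side: needs SERVER_PRIV


# Constructed server certificate, valid from 2023-11-14 to 2027-01-15 (Unix timestamps).
SERVER_CERT = issue_certificate("CN=www.example.com", SERVER_PUB, "CN=Example Root CA",
                                CA_PRIV, 1001, 1_700_000_000, 1_800_000_000)

if __name__ == "__main__":
    print(validate_certificate(SERVER_CERT, "CN=www.example.com", 1_750_000_000))   # ok
    print(client_key_exchange(SERVER_CERT, "CN=www.example.com", 1_750_000_000))
```

Changing a single field of tbsCertificate makes the issuer's signature fail to verify, which is what lets the browser trust a certificate it fetched from an untrusted server: the CA's signature, not the channel, vouches for the name-to-key binding. Real TLS then uses the exchanged symmetric key with a cipher such as DES or AES for the HTTP data, which this stdlib-only example stops short of.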
Overview of Routers
Introduction
A router is a device that has more than one network interface (in other words, it is multi-homed) and that can forward packets, based on network addressing (such as IP addresses), to multiple network segments. Routers are intermediate systems that function at the network layer to connect networks based on a common network layer protocol.
Purpose of routers
Routers allow you to scale your network and to maintain bandwidth by segmenting network traffic. Routers are configured to make intelligent decisions to determine how packets should be forwarded between network segments. This helps ensure that a network segment is not inundated with traffic not destined for hosts on its segment. Routers also prevent certain types of traffic, such as broadcast traffic, from saturating the network.
Types of routers The two types of routers that are used in a network environment are: Hardware Routers. These dedicated hardware devices run specialized software for the exclusive purpose of routing. Hardware routers provide very good performance; however, they can be expensive and may provide little functionality beyond their intended purpose. Many hardware routers today provide greater flexibility by offering security services such as packet filtering and VPN access. Hardware routers should be used in environments that require high throughput between network segments.
Software Routers. These routers are not dedicated to routing alone; they perform routing as one of multiple processes running on the router computer. Windows Server 2003 Routing and Remote Access is a service that performs routing as one of its multiple processes. When enabled as a network router, Windows Server 2003 can also offer services such as Microsoft Windows Internet Name Service (WINS), Domain Name system (DNS), and Dynamic Host Configuration Protocol (DHCP).
Main components of a routing solution
The three main components of a routing solution are:
Routing interface. This is a physical or logical interface over which packets are forwarded.
Routing protocol. This is a set of messages that routers use to share routing tables so that routers can determine the path by which data should be forwarded.
Routing table. This table of information is maintained on a system and determines the path to various network segments. Routing tables contain information about various network segments, based on their network ID, and the routers that should be used to communicate with those network segments.
How information is routed
Network communication between hosts is performed either directly or indirectly. Direct communication occurs between two hosts on the same network segment. Indirect communication occurs when a host needs to communicate with a remote system. Because the host cannot establish direct communication with the remote system, it must forward the packet to a router. When sending a packet to a remote system, the host forwards it to a router (its gateway) on the local segment using direct communication, and the router forwards it onward, hop by hop, until a router that is directly connected to the destination segment delivers it.
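The direct/indirect decision and the routing table lookup described above, as an added example (not from the module text): each lookup picks the most specific matching entry (longest prefix wins, the default route 0.0.0.0/0 last), a gateway of None means the destination is on the local segment and is delivered directly, and trace_path follows the chain of next hops across routers. The host table, the router tables and all addresses are constructed for the example.

```python
"""Direct vs indirect delivery: longest-prefix routing table lookup and hop-by-hop forwarding."""
import ipaddress

# Constructed table for a host 192.168.1.10/24. gateway None = deliver directly (on-link).
HOST_TABLE = [
    {"network": "192.168.1.0/24", "gateway": None,          "interface": "eth0"},
    {"network": "10.0.0.0/8",     "gateway": "192.168.1.1", "interface": "eth0"},
    {"network": "10.1.2.0/24",    "gateway": "192.168.1.2", "interface": "eth0"},
    {"network": "0.0.0.0/0",      "gateway": "192.168.1.1", "interface": "eth0"},  # default
]

# Constructed tables of the routers the host can reach, keyed by the address it forwards to.
ROUTER_TABLES = {
    "192.168.1.1": [
        {"network": "192.168.1.0/24", "gateway": None,         "interface": "lan0"},
        {"network": "172.16.0.0/30",  "gateway": None,         "interface": "wan0"},
        {"network": "10.0.0.0/8",     "gateway": "172.16.0.2", "interface": "wan0"},
    ],
    "192.168.1.2": [
        {"network": "192.168.1.0/24", "gateway": None, "interface": "lan0"},
        {"network": "10.1.2.0/24",    "gateway": None, "interface": "lan1"},
    ],
    "172.16.0.2": [
        {"network": "172.16.0.0/30",  "gateway": None, "interface": "wan0"},
        {"network": "10.0.0.0/8",     "gateway": None, "interface": "lan0"},
    ],
}


def lookup(destination: str, table=HOST_TABLE):
    """Return the most specific route whose network contains the destination, or None."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in ipaddress.ip_network(r["network"])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r["network"]).prefixlen)


def next_hop(destination: str, table=HOST_TABLE):
    """('direct', destination) when on the local segment, ('via', gateway) when a router must
    forward it, ('unreachable', None) when no route (not even a default) matches."""
    route = lookup(destination, table)
    if route is None:
        return ("unreachable", None)
    if route["gateway"] is None:
        return ("direct", destination)
    return ("via", route["gateway"])


def trace_path(destination: str, host_table=HOST_TABLE, router_tables=ROUTER_TABLES, max_hops=8):
    """Follow next hops from the host through the routers until one delivers directly."""
    path, table = [], host_table
    for _ in range(max_hops):
        action, hop = next_hop(destination, table)
        if action == "direct":
            return path + [destination]
        if action == "unreachable":
            return path + ["unreachable"]
        path.append(hop)                 # indirect delivery: hand the packet to this router
        table = router_tables.get(hop)
        if table is None:
            return path + ["no table for router"]
    return path + ["hop limit exceeded"]   # a routing loop would end up here


if __name__ == "__main__":
    for dst in ("192.168.1.77", "10.1.2.9", "10.9.9.9", "8.8.8.8"):
        print(dst, next_hop(dst), trace_path(dst))
```

Note that 10.1.2.9 goes via 192.168.1.2 even though 10.0.0.0/8 and the default route also match: the /24 entry is the longest prefix. The Windows `route print` output that Routing and Remote Access maintains is the same kind of table, with the metric as a tie-breaker between equal-length prefixes, which this example omits.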
Remote Access Types of Remote Access Connectivity
Dial-Up Connections.
To connect to the network with dial-up remote access, a remote access client uses a communications network, such as the Public Switched Telephone Network (PSTN), to create a physical connection to a port on a remote access server on the private network. This is done by using a modem or an ISDN adapter to dial in to the remote access server.
Dial-up remote access allows an organization to keep users connected to its network when they are working remotely. However, if your organization has a large number of users traveling to many locations, the expense of long-distance telephone charges will become significant. An alternative to increasing the size of a dial-up remote access network is to consider a VPN solution for remote connectivity.
Virtual Private Network Connections.
A VPN provides secure remote access through the Internet, rather than through a direct dial-up connection. A VPN client uses an IP internetwork to create an encrypted virtual point-to-point connection with a VPN gateway on the private network. Typically the user connects to the Internet through an Internet Service Provider (ISP) and then creates a VPN connection to the VPN gateway. By using the Internet in this way, companies can reduce long-distance telephone expenses. Traveling employees can dial a local ISP and then make a VPN connection back to the corporate network.
How a VPN Connection Works
Introduction
The Routing and Remote Access service provides VPN services so that users can access corporate networks in a secure manner by encrypting the data transmitted over an insecure transport network such as the Internet.
What a VPN does
A VPN extends the capabilities of a private network to encompass links across shared or public networks such as the Internet. With a VPN, you can send encrypted data between two computers across a shared or public network in a manner that emulates a point-to-point link on a private network. To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information, which allows the data to traverse the shared or public network to reach its endpoint. To emulate a private link, the data is encrypted for confidentiality. Packets that are intercepted on the shared or public network cannot be read without the encryption keys. The link in which the private data is encapsulated and encrypted is a VPN connection. The VPN connection is also referred to as a VPN tunnel.
VPN connection process
The process of a VPN connection is described in the following steps:
1. A VPN client makes a VPN connection to a remote access/VPN server that is connected to the Internet. (The VPN server acts as a gateway and is normally configured to provide access to the entire network to which the VPN server is attached.)
2. The VPN server answers the virtual call.
3. The VPN server authenticates the caller by contacting a domain controller and verifies the caller's authorization to connect.
4. The VPN server transfers data between the VPN client and the corporate network.
Advantages of a VPN
VPNs allow users or corporations to connect to remote servers, branch offices, or other organizations over a public network, while maintaining secure communications.
In all of these cases, the secure connection appears to the user as a private network communication-despite the fact that this communication occurs over a public network. Other benefits include:
Cost advantages. VPNs do not use a phone line and require less hardware (your Internet service provider, or ISP, maintains the communication hardware).
Enhanced security. Sensitive data is hidden from unauthorized users, but it is accessible to users authorized through the connection. The VPN server enforces authentication and encryption.
Network protocol support. You can remotely run an application that depends on the most common network protocols, such as Transmission Control Protocol/Internet Protocol (TCP/IP).
IP address security. Because information sent over a VPN is encrypted, the private IP addresses that you specify are protected, and the traffic transmitted over the Internet will have only the external IP address visible.
Components of a VPN Connection
Introduction
A VPN connection is made up of several components, including VPN servers, VPN clients, tunneling protocols, and authentication methods.
Components of a VPN connection
A VPN connection includes the following components:
VPN server. A computer that accepts VPN connections from VPN clients. The Routing and Remote Access service on Windows Server 2003 can be configured as a VPN server.
VPN client. A computer that initiates a VPN connection to a VPN server.
Transit network. The shared or public network that the encapsulated data crosses. Common VPN implementations use the Internet as the transit network.
VPN connection or tunnel. The portion of the connection in which your data is encrypted and encapsulated.
Tunneling protocols. Protocols that are used to manage tunnels and encapsulate private data (for example, Point-to-Point Tunneling Protocol, or PPTP).
Tunneled data. Data that is sent across a private point-to-point link.
Authentication. The identities of the client and the server in a VPN connection are authenticated. To ensure that received data originated from the other end of the connection and was not intercepted and modified, a VPN also authenticates the data that was sent. The VPN server uses Active Directory as its account database.
Address and name server allocation. The VPN server is responsible for assigning IP addresses, which it does either by using the default protocol, Dynamic Host Configuration Protocol (DHCP), or from a static pool of addresses that the administrator defines. The VPN server can also allocate Domain Name System (DNS) and Windows Internet Name Service (WINS) server addresses to clients.
Virtual Private Network Protocols
PPTP versus L2TP

PPTP                                   L2TP
Internetwork must be IP based          Internetwork can be IP, Frame Relay, X.25 or ATM based
No header compression                  Header compression
No tunnel authentication               Tunnel authentication
Built-in PPP encryption                Uses IPSec encryption

[Figure: a client connecting across the Internet to a server through a PPTP or L2TP tunnel]
SLIP and PPP

#  SLIP                                                         PPP
1  Serial Line Internet Protocol is widely used to connect      Point-to-Point Protocol has several advantages
   systems to the Internet over a dial-up line using a modem.   over SLIP.
2  It does not do any error detection or correction.            It does provide error detection.
3  SLIP supports only IP.                                       Supports multiple protocols.
4  Each side must know the other's IP address in advance;       Allows IP addresses to be negotiated
   IP addresses cannot be assigned dynamically during setup.    dynamically at connection time.
5  No authentication.                                           Provides authentication.
Components of a Network Access Infrastructure
Introduction
To provide a secure network access infrastructure, an administrator needs to understand the following basic components that make up a network access infrastructure:
Network access server
Network access clients
Authentication service
Active Directory directory service
Network access server
A network access server is a server that acts as a gateway to a network for a remote client. The Microsoft Routing and Remote Access service supports remote access to a network. By configuring the Routing and Remote Access service to act as a remote access server, you can connect remote workers to an organization's networks. The network access server for these remote clients authenticates sessions for users and services until the user or network administrator terminates them. Remote users can work as if their computers were physically connected to the network.
Network access clients
A network access server provides network access connectivity for VPN and dial-up clients. These network access clients can use standard tools to access resources. For example, on a server that is configured with the Routing and Remote Access service, remote clients can use Windows Explorer to make drive connections and to connect to printers. Connections are persistent, so the clients do not need to reconnect to network resources during remote sessions.
Authentication service
When you provide greater network access, you need to increase the level of security in your network to safeguard against unauthorized access to and usage of internal resources. You can help safeguard your network by providing strong authentication to validate identity, in addition to strong encryption to protect data. Authentication methods typically use an authentication protocol that is negotiated during the process of establishing a connection. The remote access server (a server configured with the Routing and Remote Access service) handles authentication between the remote access client and the domain controller. If you have multiple network access servers, you can centralize authentication by using Remote Authentication Dial-In User Service (RADIUS) to authenticate and authorize network access clients. Using RADIUS eliminates the need for each network access server in your network to perform authentication and authorization itself.
Active Directory
Active Directory domains contain the user accounts, passwords, and dial-up properties that are required to authenticate user credentials and evaluate both authorization and connection constraints. After a client is connected to your network, you can control access to resources by various administrative controls on both the client computer and the network access servers. These administrative controls include File and Printer Sharing, Local Group Policy, and Group Policy through the Active Directory service.
Wireless Networks Wireless networks utilize radio waves and/or microwaves to maintain communication channels between computers. Wireless networking is a more modern alternative to wired networking that relies on copper and/or fiber optic cabling between network devices. A wireless network offers advantages and disadvantages compared to a wired network. Advantages of wireless include mobility and elimination of cables. Disadvantages of wireless include the potential for radio interference due to weather, other wireless devices, or obstructions like walls.
Wireless is rapidly gaining in popularity for both home and business networking. Wireless technology continues to improve, and the cost of wireless products continues to decrease. Popular wireless local area networking (WLAN) products conform to the 802.11 "Wi-Fi" standards. The gear a person needs to build wireless networks includes network adapters (NICs), access points (APs), and routers.
Benefits of Wireless Networks
Companies can realize the following benefits by implementing wireless networks: • Mobility • Ease of installation in difficult-to-wire areas • Reduced installation time • Increased reliability • Long-term cost savings
Mobility
User mobility indicates constant physical movement of the person and their network appliance. Many jobs require workers to be mobile, such as inventory clerks, healthcare workers, policemen, emergency care specialists, and so on. Wireless networking offers mobility to its users much like the wireless phone, providing a constant connection to information on the network.
Installation in Difficult-to-Wire Areas
The implementation of wireless networks offers many tangible cost savings when performing installations in difficult-to-wire areas. If rivers, freeways, or other obstacles separate buildings you want to connect, a wireless MAN solution may be much more economical than installing physical cable or leasing communications circuits such as T1 service or 56 Kbps lines.
Reduced Installation Time
The installation of cabling is often a time-consuming activity. For LANs, installers must pull twisted-pair wires above the ceiling and drop cables through walls to network outlets that they must affix to the wall. These tasks can take days or weeks, depending on the size of the installation.
Increased Reliability
A problem inherent to wired networks is downtime due to cable faults. The accidental cutting of cables can bring a network down quickly, and water intrusion can damage communications lines during storms. The advantage of wireless networking, then, is fewer such problems because less cable is used.
Long-Term Cost Savings
Companies reorganize, resulting in the movement of people, new floor plans, office partitions, and other renovations. These changes often require recabling the network, incurring both labor and material costs. In some cases, the re-cabling costs of organizational changes are substantial, especially with large enterprise networks.
Wireless Devices
Antenna
The antenna radiates the modulated signal through the air so that the destination can receive it. Antennas come in many shapes and sizes and have the following specific electrical characteristics:
• Propagation pattern
• Radiation power
• Gain
• Bandwidth
The propagation pattern of an antenna defines its coverage. A truly omnidirectional antenna transmits its power in all directions, whereas a directional antenna concentrates most of its power in one direction.
Radiation power is the output of the radio transmitter. Most wireless network devices operate at less than 5 watts of power.
A directional antenna has more gain (degree of amplification) than the omnidirectional type and is capable of propagating the modulated signal farther because it focuses the power in a single direction.
Most wireless LANs and WANs utilize omnidirectional antennas, while wireless MANs use antennas that are more directive.
Bandwidth is the effective part of the frequency spectrum that the signal propagates. For example, the telephone system operates over a bandwidth roughly from 0–4 KHz. This is enough bandwidth to accommodate most of the frequency components within our voices. Radio wave systems have greater amounts of bandwidth located at much higher frequencies. Data rates and bandwidth are directly proportional—the higher the data rates, the more bandwidth you will need.
Access Points
A wireless network uses an access point, or base station. The main thing to remember is that access points give wireless clients access to a single network. The access point acts like a hub, providing connectivity for the wireless computers. It can connect (or "bridge") the wireless LAN to a wired LAN, allowing wireless computers access to LAN resources, such as file servers or existing Internet connectivity.
There are two types of access points:
Dedicated hardware access points (HAP) such as Lucent's WaveLAN. Hardware access points offer comprehensive support of most wireless features.
Software access points run on a computer equipped with a wireless network interface card, as used in an ad-hoc or peer-to-peer wireless network.
Multiple access points can be connected to a wired LAN, or sometimes even to a second wireless LAN if the access point supports this.
In most cases, separate access points are interconnected via a wired LAN, providing wireless connectivity in specific areas such as offices or classrooms while remaining connected to a main wired LAN for access to network resources, such as file servers. If a single area is too large to be covered by a single access point, then multiple access points or extension points can be used. Note that an "extension point" is not defined in the wireless standard, but has been developed by some manufacturers. When using multiple access points, each access point's wireless area should overlap those of its neighbours. This provides a seamless area for users to move around in, using a feature called "roaming".
WLAN Configurations
Independent WLANs
The simplest WLAN configuration is an independent (or peer-to-peer) WLAN that connects a set of PCs with wireless adapters. Any time two or more wireless adapters are within range of each other, they can set up an independent network. These on-demand networks typically require no administration or preconfiguration.
Access points can extend the range of independent WLANs by acting as a repeater, effectively doubling the distance between wireless PCs.
Infrastructure WLANs
In infrastructure WLANs, multiple access points link the WLAN to the wired network and allow users to efficiently share network resources. The access points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. Multiple access points can provide wireless coverage for an entire building or campus.
Microcells and Roaming
Wireless communication is limited by how far signals carry for a given power output. WLANs use cells, called microcells, similar to the cellular telephone system, to extend the range of wireless connectivity. At any point in time, a mobile PC equipped with a WLAN adapter is associated with a single access point and its microcell, or area of coverage. Individual microcells overlap to allow continuous communication with the wired network. They handle low-power signals and "hand off" users as they roam through a given geographic area.
Wireless Network Standards
802.11a, 802.11b, 802.11g, and 802.11n are the wireless standards collectively known as Wi-Fi technologies. Additionally, Bluetooth and various other non-Wi-Fi technologies also exist, each designed for specific networking applications.
802.11b
Very common and inexpensive
Communicates on the 2.4 GHz frequency
Maximum data transmission rate up to 11 Mbps
Indoor range of about 150 feet
Weak Security
Pros of 802.11b - lowest cost; signal range is good and not easily obstructed
Cons of 802.11b - slowest maximum speed; home appliances may interfere on the unregulated frequency band
802.11a
Not as common as 802.11b.
More expensive than 802.11b equipment
Communicates on the 5 GHz frequency
Maximum data transmission rate up to 54 Mbps
Indoor range of about 75 feet
Not backward compatible with 802.11b
Weak Security – Uses WEP
Pros of 802.11a - fast maximum speed; regulated frequencies prevent signal interference from other devices
Cons of 802.11a - highest cost; shorter range signal that is more easily obstructed
802.11g
Most common wireless network standard.
More expensive than 802.11b equipment
Communicates on the 2.4 GHz frequency
Maximum data transmission rate up to 54 Mbps
Good indoor range of about 150 feet
Backward compatible with 802.11b
Improved Security – Uses WPA
Pros of 802.11g - fast maximum speed; signal range is good and not easily obstructed
Cons of 802.11g - costs more than 802.11b; appliances may interfere on the unregulated signal frequency
802.11n
The newest IEEE standard in the Wi-Fi category is 802.11n. It was designed to improve on 802.11g in the amount of bandwidth supported by utilizing multiple wireless signals and antennas (called MIMO technology) instead of one. When this standard is finalized, 802.11n connections should support data rates of over 100 Mbps. 802.11n also offers somewhat better range over earlier Wi-Fi standards due to its increased signal intensity. 802.11n equipment will be backward compatible with 802.11g gear.
Pros of 802.11n - fastest maximum speed and best signal range; more resistant to signal interference from outside sources
Cons of 802.11n - standard is not yet finalized; costs more than 802.11g; the use of multiple signals may greatly interfere with nearby 802.11b/g based networks.
Bluetooth
Bluetooth is an alternative wireless network technology that followed a different development path than the 802.11 family. Bluetooth supports a very short range (approximately 10 meters) and relatively low bandwidth (1-3 Mbps in practice) designed for low-power network devices like handhelds. The low manufacturing cost of Bluetooth hardware also appeals to industry vendors. You can readily find Bluetooth in the networking of PDAs or cell phones with PCs, but it is rarely used for general-purpose WLAN networking due to the range and speed considerations.
WiMax
WiMax also was developed separately from Wi-Fi. WiMax is designed for long-range networking (spanning miles or kilometers) as opposed to local area wireless networking.
SSID
An SSID is the name of a wireless local area network (WLAN). All wireless devices on a WLAN must employ the same SSID in order to communicate with each other. The SSID on wireless clients can be set either manually, by entering the SSID into the client network settings, or automatically, by leaving the SSID unspecified or blank. A network administrator often uses a public SSID that is set on the access point and broadcast to all wireless devices in range. Some newer wireless access points disable the automatic SSID broadcast feature in an attempt to improve network security. SSIDs are case-sensitive text strings. The SSID is a sequence of alphanumeric characters (letters or numbers). SSIDs have a maximum length of 32 characters.
Also Known As: Service Set Identifier, Network Name
Wireless Security
WEP (Wired Equivalent Privacy)
WEP is a protocol that adds security to wireless local area networks (WLANs) based on the 802.11 Wi-Fi standard. WEP is an OSI Data Link layer (Layer 2) security technology that can be turned "on" or "off." WEP was designed to give wireless networks the equivalent level of privacy protection as a comparable wired network. WEP is based on a stream cipher called RC4 and uses a combination of secret user keys and system-generated values. The original implementations of WEP supported so-called 40-bit encryption, having a key of length 40 bits and 24 additional bits of system-generated data (64 bits total). Research has shown that 40-bit WEP encryption is too easy to decode, and consequently product vendors today employ 128-bit encryption (having a key length of 104 bits, not 128 bits) or better (including 152-bit and 256-bit WEP systems). When communicating over the air, wireless network equipment uses WEP keys to encrypt the data stream. The keys themselves are not sent over the network but rather are generally stored on the wireless adapter or in the Windows Registry. Regardless of how it is implemented on a wireless LAN, WEP represents just one element of an overall WLAN security strategy.
WPA (Wi-Fi Protected Access)
WPA is a security technology for wireless networks. WPA improves on the authentication and encryption features of WEP (Wired Equivalent Privacy). In fact, WPA was developed by the networking industry in response to the shortcomings of WEP. One of the key technologies behind WPA is the Temporal Key Integrity Protocol (TKIP). TKIP addresses the encryption weaknesses of WEP. Another key component of WPA is built-in authentication, which WEP does not offer. With this feature, WPA provides roughly comparable security to VPN tunneling with WEP, with the benefit of easier administration and use. One variation of WPA is called WPA Pre-Shared Key, or WPA-PSK for short. WPA-PSK is a simplified but still powerful form of WPA most suitable for home Wi-Fi networking. To use WPA-PSK, a person sets a static key or "pass phrase" as with WEP. But, using TKIP, WPA-PSK automatically changes the keys at a preset time interval, making it much more difficult for hackers to find and exploit them.
WEP Keys
A WEP key is a security code used on some WiFi networks. WEP keys allow a group of devices on a local network (such as a home network) to exchange encoded messages with each other while hiding the contents of the messages from easy viewing by outsiders.
A WEP key is a sequence of hexadecimal digits. These digits include the numbers 0-9 and the letters A-F. Some examples of WEP keys are:
1A648C9FE2
99D767BAC38EA23B0C0176D15
WEP keys are chosen by a network administrator. WEP keys are set on WiFi routers, adapters and other wireless network devices. Matching WEP keys must be set on each device for them to communicate with each other. The length of a WEP key depends on the type of WEP security (called "encryption") utilized:
40- / 64-bit WEP: 10 digit key
104- / 128-bit WEP: 26 digit key
256-bit WEP: 58 digit key
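As an added example (not part of the module guide), a small Python checker for the SSID and WEP key rules described above; it also shows how the marketed 64/128/256-bit sizes decompose into the secret key plus the 24-bit system-generated value. All function names are assumptions made for this example.

```python
import re
import secrets

# Figures taken from the module guide: WEP key length in hex digits -> secret
# key bits. The marketed size (64/128/256-bit) adds the 24-bit system-generated
# value (the IV), so a 10-digit key is 40 + 24 = 64 bits. The 152-bit variant
# mentioned in the guide is not tabulated here.
WEP_IV_BITS = 24
WEP_KEY_SIZES = {10: 40, 26: 104, 58: 232}   # hex digits -> secret key bits
SSID_MAX_LEN = 32                            # characters, per the guide
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def classify_wep_key(key: str) -> dict:
    """Validate a WEP key as described above (hex digits only, 10/26/58 of
    them) and report its real key size and the size vendors advertise."""
    key = key.strip()
    if not HEX_RE.fullmatch(key):
        raise ValueError("WEP key must contain only the hex digits 0-9 and A-F")
    if len(key) not in WEP_KEY_SIZES:
        raise ValueError(f"WEP key must be 10, 26 or 58 hex digits, not {len(key)}")
    key_bits = WEP_KEY_SIZES[len(key)]
    return {"hex_digits": len(key),
            "key_bits": key_bits,
            "marketed_bits": key_bits + WEP_IV_BITS}


def generate_wep_key(marketed_bits: int) -> str:
    """Produce a random WEP key for a marketed size (64, 128 or 256) from the
    OS random source instead of a vendor's pass-phrase derivation."""
    key_bits = marketed_bits - WEP_IV_BITS
    if key_bits not in WEP_KEY_SIZES.values():
        raise ValueError("marketed size must be 64, 128 or 256 bits")
    return secrets.token_hex(key_bits // 8).upper()   # 2 hex digits per byte


def ssid_is_valid(ssid: str) -> bool:
    """An SSID must be non-empty and at most 32 characters long; note that
    SSIDs are compared case-sensitively, so 'Office' and 'office' differ."""
    return 0 < len(ssid) <= SSID_MAX_LEN


if __name__ == "__main__":
    # The first key from the guide: 10 digits, so a 40-bit key marketed as 64-bit.
    print(classify_wep_key("1A648C9FE2"))
    print(generate_wep_key(128))
```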
To assist with the process of creating correct WEP keys, some brands of wireless network equipment automatically generate WEP keys from ordinary text called a "pass phrase."
10 Tips for Wireless Home Network Security
1. Change Default Administrator Passwords (and Usernames)
At the core of most Wi-Fi home networks is an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this. However, for any given piece of equipment, the logins provided are simple and very well-known to hackers on the Internet. Change these settings immediately.
2. Turn on (Compatible) WPA / WEP Encryption
All Wi-Fi equipment supports some form of encryption. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies exist for Wi-Fi today. Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, the way these technologies work, all Wi-Fi devices on your network must share the identical encryption settings.
3. Change the Default SSID
Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.
4. Enable MAC Address Filtering
Each piece of Wi-Fi gear possesses a unique identifier called the physical address or MAC address. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, which restricts the network to only allow connections from those devices. Do this, but also know that the feature is not so powerful as it may seem. Hackers and their software programs can fake MAC addresses easily.
5. Disable SSID Broadcast
In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. In the home, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.
6. Do Not Auto-Connect to Open Wi-Fi Networks
Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor's router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.
7. Assign Static IP Addresses to Devices
Most home networkers gravitate toward using dynamic IP addresses. DHCP technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.
8. Enable Firewalls On Each Computer and the Router
Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running personal firewall software on each computer connected to the router.
9. Position the Router or Access Point Safely
Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.
10. Turn Off the Network During Extended Periods of Non-Use
The ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in! While it is impractical to turn the devices off and on frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.
If you own a wireless router but are only using its wired (Ethernet) connections, you can also sometimes turn off Wi-Fi on a broadband router without powering down the entire network.
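The router-side tips above (1, 2, 3, 4, 5, 7 and 8) turned into an added configuration audit; this is example code written for this guide, not any vendor's tool. The field names, the default-login list and the two sample configurations are constructed assumptions, with WEAK_CONFIG standing for factory defaults and HARDENED_CONFIG for the same router after the tips are applied.

```python
# Constructed example of a home router configuration audited against the ten
# tips above. The field names, the default-login list and the two sample
# configurations are assumptions for this example, not any product's settings.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
DEFAULT_SSIDS = {"linksys", "default", "wireless"}  # "linksys" is the guide's example


def audit_wireless_config(cfg: dict) -> list:
    """Return (tip number, finding) pairs for each tip the router settings
    violate. Tips 6, 9 and 10 concern client behaviour, placement and
    power-down, not router settings, so they are not assessed here."""
    findings = []
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_LOGINS:
        findings.append((1, "administrator login is a well-known default"))
    if cfg["encryption"] == "none":
        findings.append((2, "encryption is off; enable WPA, or WEP if WPA is unsupported"))
    elif cfg["encryption"] == "WEP":
        findings.append((2, "WEP in use; prefer WPA where every client supports it"))
    if cfg["ssid"].lower() in DEFAULT_SSIDS:
        findings.append((3, "SSID is a manufacturer default"))
    if not cfg["mac_filter_enabled"]:
        findings.append((4, "MAC address filtering is off (easily faked, but still advised)"))
    if cfg["ssid_broadcast"]:
        findings.append((5, "SSID broadcast is on"))
    if cfg["dhcp_enabled"]:
        findings.append((7, "DHCP is on; the guide recommends static addressing"))
    if not cfg["firewall_enabled"]:
        findings.append((8, "router firewall is off"))
    return findings


# Factory-fresh settings (constructed): violates most of the tips.
WEAK_CONFIG = {
    "admin_user": "admin", "admin_password": "admin",
    "encryption": "none", "ssid": "linksys", "ssid_broadcast": True,
    "mac_filter_enabled": False, "dhcp_enabled": True, "firewall_enabled": False,
}

# The same router after applying the tips (constructed; password is a placeholder).
HARDENED_CONFIG = {
    "admin_user": "homeowner", "admin_password": "Lq7!vR2#pW9z",
    "encryption": "WPA", "ssid": "attic-net-42", "ssid_broadcast": False,
    "mac_filter_enabled": True, "dhcp_enabled": False, "firewall_enabled": True,
}

if __name__ == "__main__":
    for tip, finding in audit_wireless_config(WEAK_CONFIG):
        print(f"tip {tip}: {finding}")
```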
Compiled By: Arun
Revised By: R. Meganathan