New Microsoft Word Document

  • Uploaded by: USMAN
  • July 2020
What is PPP?

PPP (Point-to-Point Protocol) is the most widely used method for transporting IP packets over a serial link between the user and the Internet Service Provider (ISP). Although PPP is primarily used over dialup lines, variants such as PPPoE (PPP over Ethernet) and PPPoA (PPP over ATM) extend PPP to new data-link layer protocols. PPP was designed to enable the transmission of different protocols over one point-to-point link by utilizing encapsulation. Encapsulation is the process of storing packets from the foreign protocol inside PPP frames. In addition to this encapsulation function, PPP also provides:

  • A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
  • A suite of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.

PPP LCP

The PPP Link Control Protocol is responsible for establishing, configuring, managing, and terminating the point-to-point link. LCP accomplishes these tasks through the use of simple control messages.

Link Configuration messages used to establish and configure a link:

  • Configure-Request
  • Configure-Ack
  • Configure-Nak
  • Configure-Reject

Link Termination messages used to terminate a link:

  • Terminate-Request
  • Terminate-Ack

Link Maintenance messages used to manage and debug a link:

  • Code-Reject
  • Protocol-Reject
  • Echo-Request
  • Echo-Reply
  • Discard-Request
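As an added illustration that is not part of the original document, the following Python decoder maps the LCP Code values of RFC 1661 onto the three message groups listed above and walks the option list of a Configure-Request, refusing packets whose Length fields do not fit the bytes received. The sample frames are constructed, and the framing header assumes HDLC-like framing with the flag bytes and FCS already removed.

```python
"""Decode PPP LCP packets (RFC 1661) into the message groups listed above."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

PPP_ADDRESS, PPP_CONTROL = 0xFF, 0x03  # HDLC-like framing header (RFC 1662)
PPP_PROTO_LCP = 0xC021                 # PPP Protocol field value that carries LCP

# LCP Code field values, grouped the way the text above groups the messages.
LCP_CODES = {
    1: ("Configure-Request", "Link Configuration"),
    2: ("Configure-Ack", "Link Configuration"),
    3: ("Configure-Nak", "Link Configuration"),
    4: ("Configure-Reject", "Link Configuration"),
    5: ("Terminate-Request", "Link Termination"),
    6: ("Terminate-Ack", "Link Termination"),
    7: ("Code-Reject", "Link Maintenance"),
    8: ("Protocol-Reject", "Link Maintenance"),
    9: ("Echo-Request", "Link Maintenance"),
    10: ("Echo-Reply", "Link Maintenance"),
    11: ("Discard-Request", "Link Maintenance"),
}
CONFIGURE_CODES = {1, 2, 3, 4}  # only these carry a Configuration Option list
LCP_OPTIONS = {
    1: "Maximum-Receive-Unit", 2: "Async-Control-Character-Map",
    3: "Authentication-Protocol", 4: "Quality-Protocol", 5: "Magic-Number",
    7: "Protocol-Field-Compression", 8: "Address-and-Control-Field-Compression",
}


@dataclass
class LcpPacket:
    code: int
    name: str
    group: str
    identifier: int
    options: List[Tuple[str, bytes]] = field(default_factory=list)
    data: bytes = b""


def parse_options(raw: bytes) -> List[Tuple[str, bytes]]:
    """Walk the Type/Length/Data option list without ever reading past the buffer."""
    options, pos = [], 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = raw[pos], raw[pos + 1]
        # A Length under 2 would never advance; one past the buffer would over-read.
        if opt_len < 2 or pos + opt_len > len(raw):
            raise ValueError(f"bad option length {opt_len} at offset {pos}")
        name = LCP_OPTIONS.get(opt_type, f"Unknown-Option-{opt_type}")
        options.append((name, raw[pos + 2:pos + opt_len]))
        pos += opt_len
    return options


def parse_lcp(payload: bytes) -> LcpPacket:
    """Parse the Code/Identifier/Length header and whatever the Code says follows it."""
    if len(payload) < 4:
        raise ValueError("LCP header needs 4 bytes")
    code, identifier, length = struct.unpack("!BBH", payload[:4])
    # Length covers header plus data and must fit inside what was actually received.
    if length < 4 or length > len(payload):
        raise ValueError(f"LCP length {length} inconsistent with {len(payload)} received bytes")
    if code not in LCP_CODES:
        raise ValueError(f"unknown LCP code {code} (a peer would answer with Code-Reject)")
    name, group = LCP_CODES[code]
    body = payload[4:length]  # bytes beyond Length are padding and are ignored
    pkt = LcpPacket(code, name, group, identifier)
    if code in CONFIGURE_CODES:
        pkt.options = parse_options(body)
    else:
        pkt.data = body
    return pkt


def parse_lcp_frame(frame: bytes) -> LcpPacket:
    """Strip the PPP Address/Control/Protocol header (flags and FCS assumed already removed)."""
    if len(frame) < 4 or frame[0] != PPP_ADDRESS or frame[1] != PPP_CONTROL:
        raise ValueError("not a PPP frame with the standard Address and Control fields")
    protocol = struct.unpack("!H", frame[2:4])[0]
    if protocol != PPP_PROTO_LCP:
        raise ValueError(f"PPP protocol 0x{protocol:04X} is not LCP")
    return parse_lcp(frame[4:])


def is_malformed(frame: bytes) -> bool:
    """True when the decoder refuses the frame instead of guessing at its contents."""
    try:
        parse_lcp_frame(frame)
    except ValueError:
        return True
    return False


# Constructed sample frames (not captures): a Configure-Request proposing MRU 1500,
# PAP authentication (0xC023) and a magic number; an Echo-Request carrying a magic number;
# and the same Configure-Request with the MRU option's Length byte corrupted to zero.
CONFIGURE_REQUEST = bytes.fromhex("ff03c021" "012a0012" "010405dc" "0304c023" "050612345678")
ECHO_REQUEST = bytes.fromhex("ff03c021" "09070008" "abcdef01")
BAD_OPTION_LENGTH = bytes.fromhex("ff03c021" "012a0012" "010005dc" "0304c023" "050612345678")
```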

PPP NCPs

A PPP Network Control Protocol must be defined for each type of network packet which is to be encapsulated and transmitted across the PPP link. Some of the defined PPP NCPs are:

  • Internet Protocol Control Protocol
  • OSI Network Layer Control Protocol
  • Xerox NS IDP Control Protocol
  • DECnet Phase IV Control Protocol
  • Appletalk Control Protocol
  • Novell IPX Control Protocol
  • Bridging NCP
  • Stream Protocol Control Protocol
  • Banyan Vines Control Protocol
  • Multi-Link Control Protocol
  • NETBIOS Framing Control Protocol
  • Cisco Systems Control Protocol
  • Ascom Timeplex
  • Fujitsu LBLB Control Protocol
  • DCA Remote Lan Network Control Protocol (RLNCP)
  • Serial Data Control Protocol (PPP-SDCP)
  • SNA over 802.2 Control Protocol
  • SNA Control Protocol
  • IP6 Header Compression Control Protocol
  • Stampede Bridging Control Protocol
  • Compression on single link in multilink group control
  • Compression Control Protocol

What is Token Ring?

Token Ring is a local area networking system originally conceived in the late 1960s by IBM and patented in 1981, with IBM promoting its use throughout most of the 1980s. Although initially very successful, it was eventually displaced by Ethernet as the favored technology and architecture for local area networks (LAN). Although IBM undertook a valiant effort to compete, this was not successful, and IBM itself eventually stopped using Token Ring as its LAN standard.

How Token Ring Works

The token ring network is simple in design and conceptual operation. The key to the system is a 'token' - which is actually a data frame or container for storing data that is to be transmitted down a 'ring' of computers connected to the network. A simple analogy is to imagine a clock with each number on the clock face representing one computer on a network; 12 numbers, 12 computers. A 'free' (or empty) token is released into the network, moving around the network, 'stopping off' at each computer to check if it is needed. Assume that computer 3 wants to send a data package to computer 9. When the free token 'stops off' at computer 3, it is grabbed and the data is 'injected' into the empty vessel and then sent on its way. The token passes each computer in the sequence (e.g. computer 4, 5, 6 and so on); each computer notes that the packet is not addressed to it and 'rejects' it, in effect "passing" it on to the next computer in the series. Once the packet or token reaches computer 9 (to which the data is addressed), it is 'grabbed' again and an exchange of data occurs - the data is released to computer 9, and the computer 'injects' an acknowledgement receipt into the token. The token (with the acknowledgement receipt) is released back into the network, proceeding down the chain (e.g. moving to computers 9, 10 and so on) with each one again 'rejecting' the token since it is not addressed to them.

What is a VLAN? The Basic Definition

The acronym VLAN expands to Virtual Local Area Network. A VLAN is a logical local area network (or LAN) that extends beyond a single traditional LAN to a group of LAN segments, given specific configurations. Because a VLAN is a logical entity, its creation and configuration is done completely in software.

How Is a VLAN Identified?

Since a VLAN is a software concept, identifiers and configurations for a VLAN must be properly prepared for it to function as expected. Frame coloring is the process used to ensure that VLAN members or groups are properly identified and handled. With frame coloring, packets are given the proper VLAN ID at their origin so that they may be properly processed as they pass through the network. The VLAN ID is then used to enable switching and routing engines to make the appropriate decisions as defined in the VLAN configuration.

Why Use VLANs?

Traditional network designs use routers to create broadcast domains and limit broadcasts between multiple subnets. This prevents broadcast floods in larger networks from consuming resources or causing unintentional denials of service. Unfortunately, the traditional network design methodology has some flaws:

  • Geographic Focus - Traditional network designs focus on the physical locations of equipment and personnel for addressing and LAN segment placement. Because of this there are a few significant drawbacks:
      • Network segments for physically disjointed organizations cannot be part of the same address space. Each physical location must be addressed independently and be part of its own broadcast domain. This can force personnel to be located in a central location, or to accept additional latency or connectivity shortfalls.
      • Relocations of personnel and departments can become difficult, especially if the original location retains its network segments. Relocated equipment will have to be reconfigured based on the new network configuration.
    A VLAN solution can alleviate both of these drawbacks by permitting the same broadcast domain to extend beyond a single segment.

  • Additional Bandwidth Usage - Traditional network designs require additional bandwidth because, with the network segmented, packets have to pass through multiple levels of network connectivity.
    A proper VLAN design can ensure that only devices on which that VLAN is defined receive and forward the packets of a network flow whose source or destination is in that VLAN.

Types of VLAN

There are only two types of VLAN possible today, cell-based VLANs and frame-based VLANs.

  • Cell-based VLANs are used in ATM switched networks with LAN Emulation (or LANE). LANE is used to allow hosts on legacy LAN segments to communicate using ATM networks without having to use special hardware or software modifications.
  • Frame-based VLANs are used in Ethernet networks with frame tagging. The two primary types of frame tagging are IEEE 802.10 and ISL (Inter Switch Link, a Cisco proprietary frame-tagging method). Keep in mind that the 802.10 standard makes it possible to deploy VLANs with 802.3 (Ethernet), 802.5 (Token Ring), and FDDI, but Ethernet is most common.

VLAN modes

There are three different modes in which a VLAN can be configured. These modes are covered below:

  • VLAN Switching Mode - The VLAN forms a switching bridge in which frames are forwarded unmodified.
  • VLAN Translation Mode - VLAN translation mode is used when the frame tagging method is changed in the network path, or if the frame traverses from a VLAN group to a legacy or native interface which is not configured in a VLAN. When the packet is to pass into a native interface, the VLAN tag is removed so that the packet can properly enter the native interface.
  • VLAN Routing Mode - When a packet is routed from one VLAN to a different VLAN, you use VLAN routing mode. The packet is modified, usually by a router, which places its own MAC address as the source and then changes the VLAN ID of the packet.

VLAN configurations

Different terminology is used between different hardware manufacturers when it comes to VLANs. Because of this there is often confusion at implementation time. Following are a few details, and some examples, to assist you in defining your VLANs so confusion is not an issue.

Cisco VLAN terminology

You need a few details to define a VLAN on most Cisco equipment. Unfortunately, because Cisco sometimes acquires the technologies they use to fill their switching, routing and security product lines, naming conventions are not always consistent. For this article, we are focusing only on Cisco switching and routing product lines running Cisco IOS.

  • VLAN ID - The VLAN ID is a unique value you assign to each VLAN on a single device. With a Cisco routing or switching device running IOS, your range is from 1-4096. When you define a VLAN you usually use the syntax "vlan x" where x is the number you would like to assign to the VLAN ID. VLAN 1 is reserved as an administrative VLAN. If VLAN technologies are enabled, all ports are a member of VLAN 1 by default.
  • VLAN Name - The VLAN name is a text-based name you use to identify your VLAN, perhaps to help technical staff in understanding its function. The string you use can be between 1 and 32 characters in length.
  • Private VLAN - You also define in the VLAN definition whether the VLAN is to be a private VLAN, and what other VLAN might be associated with it. When you configure a Cisco VLAN as a private-vlan, ports that are members of the VLAN cannot communicate directly with each other by default. Normally all ports which are members of a VLAN can communicate directly with each other, just as they would be able to had they been members of a standard network segment. Private VLANs are created to enhance the security on a network where hosts coexisting on the network cannot or should not trust each other. This is a common practice on web farms or in other high-risk environments where communication between hosts on the same subnet is not necessary. Check your Cisco documentation if you have questions about how to configure and deploy private VLANs.
  • VLAN modes - In Cisco IOS, there are only two modes an interface can operate in, "mode access" and "mode trunk". Access mode is for end devices or devices that will not require multiple VLANs. Trunk mode is used for passing multiple VLANs to other network devices, or for end devices that need to have membership of multiple VLANs at once. If you are wondering what mode to use, the mode is probably "mode access".

Cisco VLAN implementations

VLAN Definition

To define a VLAN on a Cisco device, you need a VLAN ID, a VLAN name, the ports you would like to participate in the VLAN, and the type of membership the port will have with the VLAN.

  • Step 1 - Log into the router or switch in question and get into enable mode.
  • Step 2 - Get into configuration mode using "conf t".
  • Step 3 - Create your VLAN by entering "vlan X" where X is the ID you would like to assign the VLAN.
  • Step 4 - Name your VLAN by entering "name <vlan-name>". Replace <vlan-name> with the string you would like to identify your VLAN by.
  • Step 5 - If you want your new VLAN to be a private-vlan, you now enter "private-vlan primary" and "private-vlan association Y" where Y is the secondary VLAN you want to associate with the primary VLAN. If you would like the private VLAN to be community based, you enter "private-vlan community" instead.
  • Step 6 - Exit configuration mode by entering "end".
  • Step 7 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

You have now created a VLAN by assigning it an ID and giving it a name. At this point, the VLAN has no special configuration to handle IP traffic, nor are there any ports that are members of the VLAN. The next section describes how you complete your VLAN configuration.

VLAN Configuration

A VLAN isn't much use if you haven't assigned it an IP address, the subnet netmask, and port membership. In normal network segment configurations on routers, individual interfaces or groups of interfaces (called channels) are assigned IP addresses. When you use VLANs, individual interfaces are members of VLANs and do not have individual IP addresses, and generally don't have access lists applied to them. Those features are usually reserved for the VLAN interfaces. The following steps detail one method of creating and configuring your VLAN interface.

NOTE: These steps assume that you have already logged into the router, gotten into enable mode, and entered configuration mode. These specific examples are based on the Cisco 6500 series devices.

  • Step 1 - Enter "Interface VlanX" where X is the VLAN ID you used in the VLAN definition above.
  • Step 2 - This step is optional. Enter "description <vlan-description>" where <vlan-description> details what the VLAN is going to be used for. You can simply re-use the VLAN name you used above if you like.
  • Step 3 - Enter "ip address <ip-address> <netmask>" where <ip-address> is the address you want to assign this device in the VLAN, and <netmask> is the network mask for the subnet you have assigned the VLAN.
  • Step 4 - This step is optional. Create and apply an access list to the VLAN for inbound and outbound access controls. For a standard access list enter "access-group XXX in" and "access-group YYY out" where XXX and YYY correspond to access-lists you have previously configured. Remember that the terms are taken with respect to the specific subnet or interface, so "in" means from the VLAN INTO the router, and "out" means from the router OUT to the VLAN.
  • Step 5 - This step is optional. Enter the private VLAN mapping you would like to use if the port is part of a private VLAN. This should be the same secondary VLAN you associated with the primary VLAN in the VLAN definition above. Enter "private-vlan mapping XX" where XX is the VLAN ID of the secondary VLAN you would like to associate with this VLAN.
  • Step 6 - This step is optional. Configure HSRP and any other basic interface configurations you would normally use for your Cisco device.
  • Step 7 - Exit configuration mode by entering "end".
  • Step 8 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

Now you have your VLAN defined and configured, but no physical ports are members of the VLAN, so the VLAN still isn't of much use. Next, port membership in the VLAN is described. IOS devices describe interfaces based on a technology and a port number, as with "FastEthernet3/1" or "GigabitEthernet8/16". Once you have determined which physical ports you want to be members of the VLAN you can use the following steps to configure it.

NOTE: These steps assume that you have already logged into the router, gotten into enable mode, and entered configuration mode.

For access ports

  • Step 1 - Enter "Interface <interface-name>" where <interface-name> is the name Cisco has assigned the interface you would like to associate with the VLAN.
  • Step 2 - This step is optional. Enter "description <text>" where <text> is text describing the system connected to the interface in question. It is usually helpful to provide the DNS hostname, IP address, which port on the remote system is connected, and its function.
  • Step 3 - This step depends on your equipment, IOS version, and requirements. Enter "switchport" if you need the interface to act as a switch port. Some hardware does not support switchport mode and can only be used as a router port. Check your documentation if you don't know the difference between a router port and a switch port.
  • Step 4 - Only use this step if you used step 3 above. Enter "switchport access vlan X" where X is the VLAN ID of the VLAN you want the port to be a member of.
  • Step 5 - Only use this step if you used step 3 above. Enter "switchport mode access" to tell the port that you want it to be used as an access port.
  • Step 6 - Exit configuration mode by entering "end".
  • Step 7 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

For trunk ports

  • Step 1 - Enter "Interface <interface-name>" where <interface-name> is the name Cisco has assigned the interface you would like to associate with the VLAN.
  • Step 2 - This step is optional. Enter "description <text>" where <text> is text describing the system connected to the interface in question. It is usually helpful to provide the DNS hostname, IP address, which port on the remote system is connected, and its function.
  • Step 3 - This step depends on your equipment, IOS version, and requirements. Enter "switchport" if you need the interface to act as a switch port. Some hardware does not support switchport mode and can only be used as a router port. Check your documentation if you don't know the difference between a router port and a switch port.
  • Step 4 - Only use this step if you used step 3 above. Enter "switchport trunk encapsulation dot1q". This tells the port to use dot1q encapsulation for the trunk, which is the industry standard encapsulation for trunking. There are other encapsulation options, but your equipment may not operate with non-Cisco equipment if you use them.
  • Step 5 - Only use this step if you used step 3 above. Enter "switchport trunk allowed vlan XX, YY, ZZ" where XX, YY, and ZZ are VLANs you want the trunk to include. You can define one or more VLANs to be allowed in the trunk.
  • Step 6 - Only use this step if you used step 3 above. Enter "switchport mode trunk" to tell the port to operate as a VLAN trunk, and not as an access port.
  • Step 7 - Exit configuration mode by entering "end".
  • Step 8 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

For private VLAN ports

  • Step 1 - Enter "Interface <interface-name>" where <interface-name> is the name Cisco has assigned the interface you would like to associate with the VLAN.
  • Step 2 - This step is optional. Enter "description <text>" where <text> is text describing the system connected to the interface in question. It is usually helpful to provide the DNS hostname, IP address, which port on the remote system is connected, and its function.
  • Step 3 - This step depends on your equipment, IOS version, and requirements. Enter "switchport" if you need the interface to act as a switch port. Some hardware does not support switchport mode and can only be used as a router port. Check your documentation if you don't know the difference between a router port and a switch port.
  • Step 4 - Enter "switchport private-vlan host association XX YY" where XX is the primary VLAN you want to assign and YY is the secondary VLAN you want to associate with it.
  • Step 5 - Enter "switchport mode private-vlan host" to force the port to operate as a private-vlan port in host mode.
  • Step 6 - Exit configuration mode by entering "end".
  • Step 7 - Save your configuration to memory by entering "wr mem" and to the network if you have need using "wr net". You may have to supply additional information to write configurations to the network depending on your device configuration.

You should now have your VLAN properly implemented on a Cisco IOS device.
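An added example, not part of the original document: a small Python audit of an IOS-style running-config for the points the steps above make, namely access ports left in the administrative VLAN 1, trunks with no "switchport trunk allowed vlan" list, trunk encapsulations other than dot1q, and switch ports with no explicit mode. The configuration text is constructed for the example and follows the definition, interface and port steps described above.

```python
"""Audit a Cisco IOS running-config for the VLAN port settings the steps above call for."""
from typing import List, Tuple

# Constructed sample running-config (not from a real device), built by following the steps above.
SAMPLE_CONFIG = """\
vlan 10
 name WEB-FARM
 private-vlan primary
 private-vlan association 110
vlan 110
 name WEB-FARM-HOSTS
 private-vlan community
!
interface Vlan10
 description WEB-FARM gateway
 ip address 10.1.10.1 255.255.255.0
 ip access-group 110 in
 private-vlan mapping 110
!
interface FastEthernet3/1
 description web01 eth0
 switchport
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet3/2
 description printer, VLAN never assigned
 switchport
 switchport mode access
!
interface FastEthernet3/3
 description web02 eth0, private VLAN host port
 switchport
 switchport private-vlan host-association 10 110
 switchport mode private-vlan host
!
interface GigabitEthernet8/16
 description uplink to core
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,110
 switchport mode trunk
!
interface GigabitEthernet8/17
 description uplink to distribution
 switchport
 switchport trunk encapsulation isl
 switchport mode trunk
"""

Block = Tuple[str, List[str]]


def parse_blocks(config: str) -> List[Block]:
    """Group config lines into (header, subcommands); IOS indents subcommands by one space."""
    blocks: List[Block] = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def first_arg(cmds: List[str], prefix: str) -> str:
    """Return what follows `prefix` in the first matching subcommand, or "" if absent."""
    return next((c[len(prefix):].strip() for c in cmds if c.startswith(prefix)), "")


def audit_switchports(config: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for Layer 2 switch ports; SVIs and router ports are skipped."""
    findings: List[Tuple[str, str]] = []
    for header, cmds in parse_blocks(config):
        if not header.startswith("interface ") or "switchport" not in cmds:
            continue
        name = header.split(None, 1)[1]
        mode = first_arg(cmds, "switchport mode ")
        if mode == "access" and not first_arg(cmds, "switchport access vlan "):
            findings.append((name, "access port has no 'switchport access vlan'; it stays in VLAN 1, the administrative VLAN"))
        elif mode == "trunk":
            if not first_arg(cmds, "switchport trunk allowed vlan "):
                findings.append((name, "trunk has no 'switchport trunk allowed vlan' list; every VLAN, including VLAN 1, is carried"))
            encap = first_arg(cmds, "switchport trunk encapsulation ")
            if encap != "dot1q":
                findings.append((name, f"trunk encapsulation is '{encap or 'unset'}', not the interoperable dot1q"))
        elif not mode:
            findings.append((name, "no explicit 'switchport mode'; the port's role is left to the device default instead of access or trunk"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit_switchports(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```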

HP VLAN terminology

HP's Procurve line of switchgear is becoming more and more prevalent in enterprise and other business environments. Because of this, it isn't uncommon to have to get Cisco and Procurve hardware to integrate, and because of terminology this can be a challenge. Below, some of the VLAN terminology is defined so there is less opportunity for confusion.

  • VLAN ID - Fortunately, VLAN IDs are pretty much the same everywhere; the only significant differences are the range of IDs that can be used. With Procurve devices, the number of VLANs is defined in the configuration. The default maximum number of VLANs supported on a Procurve device differs between models and firmware revisions, but is commonly set to 8. Newer Procurve hardware supports 4,096 VLAN IDs, but only 256 concurrently defined VLANs on a single device. VLAN ID 1 is reserved for the "DEFAULT_VLAN", the default administrative VLAN.
  • VLAN names - VLAN names are text fields that assist technicians in identifying VLANs. Procurve allows names up to 32 characters, but if you want the name to display properly in menu configuration mode, you should probably limit it to 12 characters.
  • VLAN modes - Procurve has three modes of operation for VLANs on the chassis: Untagged, Tagged, and No. Untagged mode is Cisco's access mode. This mode is used for ports that connect to end nodes, or devices that will not be passing VLAN traffic forward. Tagged mode is the same as Cisco's trunk mode. This mode is used for ports that connect to devices that will be passing VLAN traffic forward, or for trunking multiple VLANs. No mode means that the port in question has no association whatsoever with that VLAN.
  • Special note on "trunk" - Lots of confusion surrounds the word "trunk" when you go between vendors' equipment. In Cisco's case, trunking is only used with VLANs. If you want to group multiple Ethernet ports into a single logical Ethernet group, they call it a channel-group. This is regardless of whether FEC or LACP is used for the channel properties. Procurve uses "trunk" to define a group of Ethernet ports when using the HP trunking protocol, and the term "Tagged" for what Cisco calls a VLAN trunk. Of course, these two technologies have nothing to do with each other, but because of naming conventions, confusion arises.

HP Procurve VLAN implementations

VLAN Definition

Most modern Procurve switches enable VLAN use by default, but if, for some reason, you have an older model, log into the switch, get into manager mode, go to the switch configuration menu (usually item 2), then the VLAN menu (usually item 8), then the VLAN support item (usually item 1), and make sure VLANs are enabled. If you change this setting, you will need to reboot the switch to get it to activate properly. The configuration menu is useful for these kinds of activities, troubleshooting, and other things, but is a little more difficult for configuring multiple switches or for using configuration templates, so the rest of the HP Procurve configuration details will be provided for the console configuration mode. Aside from enabling VLAN support as a whole, VLAN definitions and configuration are created in the same place, so the rest of the configuration examples will be provided under the VLAN configuration topic.

VLAN Configuration

Configuring VLANs on a modern Procurve is pretty simple: you must first define the VLAN, set its properties, and then set up membership for ports and the VLAN mode they will support. The following list should help you accomplish these tasks.

NOTE: HP has defined its interface ports by using a module/port convention. If you have a non-modular chassis (such as the 3448cl) then ports are numbered only using numbers, such as 1 or 36. If the chassis is modular (such as the 5308) then the port number is prepended with the module slot, such as A1 or H6. No reference to the type of switch port (Ethernet, Fast Ethernet, Gigabit Ethernet) is used for port reference.

  • Step 1 - Log into the switch and get into manager mode. If, after logging in, you are in the configuration menu, exit the configuration menu by selecting item 5 (in most cases) or by using the arrow keys on your keyboard to highlight the "Command Line (CLI)" item.
  • Step 2 - Enter "conf t" to get into terminal configuration mode.
  • Step 3 - Enter "vlan X" where X is the VLAN ID of the VLAN you would like to create.
  • Step 4 - Name your VLAN by entering name "<vlan-name>", where <vlan-name> is a text string from 1 to 32 characters (12 characters if you care about the configuration menu display). You should use quotes when naming the VLAN.
  • Step 5 - Give the VLAN an IP address by entering "ip address <ip-address> <netmask>" where <ip-address> is the IP address you want to assign this switch in that subnet, and <netmask> is the network mask for the subnet assigned.
  • Step 6 - This step is optional. If you want to assign some end node ports to the VLAN, enter "untagged <port-list>" where <port-list> is a list of ports, either comma delimited if they are non-sequential, or using a dash between the beginning and end of the list if they are sequential. An example of this is "untagged 1,3,5,7-16". This would configure ports 1, 3, 5, and 7 through 16 to be untagged on that VLAN.
  • Step 7 - This step is optional. If you want to assign some VLAN trunk ports to the VLAN, enter "tagged <port-list>" where <port-list> is a list of ports in the same format. An example of this is "tagged 1,3,5,7-16". This would configure ports 1, 3, 5, and 7 through 16 to be tagged on that VLAN.
  • Step 8 - Enter "exit" to leave VLAN configuration mode.
  • Step 9 - Exit configuration mode by entering "exit" again.
  • Step 10 - Save your configuration by entering "wr memory".

You have now successfully configured your HP Procurve VLAN.
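The port-list syntax used by the "untagged" and "tagged" commands above, as an added Python example that is not from the original document: it expands lists such as "1,3,5,7-16" (and module-prefixed ranges such as A1-A4 on a modular chassis, which the note above describes) and flags any port that a single VLAN block lists in both modes, since a port holds only one of the three modes per VLAN. The VLAN block it checks is constructed for the example.

```python
"""Expand Procurve port lists such as "untagged 1,3,5,7-16" and check a VLAN block for mode conflicts."""
import re
from typing import Dict, List, Set

PORT_RE = re.compile(r"([A-Za-z]*)(\d+)")  # optional module letter (A1, H6) followed by a port number


def expand_port_list(spec: str) -> List[str]:
    """Turn "1,3,5,7-16" (or "A1-A4,B2" on a modular chassis) into explicit port names."""
    ports: List[str] = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "-" not in item:
            ports.append(item)
            continue
        start, end = (PORT_RE.fullmatch(p) for p in item.split("-", 1))
        # A range must name two ports on the same module and run from low to high.
        if not start or not end or start.group(1) != end.group(1):
            raise ValueError(f"bad port range {item!r}")
        lo, hi = int(start.group(2)), int(end.group(2))
        if lo > hi:
            raise ValueError(f"range {item!r} runs backwards")
        ports.extend(f"{start.group(1)}{n}" for n in range(lo, hi + 1))
    return ports


def vlan_port_modes(vlan_block: str) -> Dict[str, Set[str]]:
    """Map each port named in one 'vlan N' block to the modes it was given there."""
    modes: Dict[str, Set[str]] = {}
    for line in vlan_block.splitlines():
        m = re.match(r"\s*(untagged|tagged)\s+(\S+)", line)
        if m:
            for port in expand_port_list(m.group(2)):
                modes.setdefault(port, set()).add(m.group(1))
    return modes


def conflicting_ports(vlan_block: str) -> List[str]:
    """Ports listed as both untagged and tagged in the same VLAN block."""
    return sorted(p for p, ms in vlan_port_modes(vlan_block).items() if len(ms) > 1)


# Constructed VLAN block (not from a real switch); port 16 appears in both lists by mistake.
SAMPLE_VLAN = """\
vlan 10
   name "WEB-FARM"
   ip address 10.1.10.2 255.255.255.0
   untagged 1,3,5,7-16
   tagged 16,24
   exit
"""

if __name__ == "__main__":
    print("untagged 1,3,5,7-16 expands to:", expand_port_list("1,3,5,7-16"))
    print("ports in both modes:", conflicting_ports(SAMPLE_VLAN))
```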

What is a Firewall?

A firewall is a system that is set up to control traffic flow between two networks. Firewalls are most commonly specially configured Unix systems, but firewalls have also been built out of many other systems, including systems designed specifically for use as firewalls. The most common commercial firewall today is CheckPoint FireWall-1, but competitors such as Cisco's PIX are quickly catching up on CheckPoint. Many people disagree on the definition of a firewall, and in this discussion I will use the term loosely.

The Packet Filtering Firewall

One type of firewall is the packet filtering firewall. In a packet filtering firewall, the firewall examines five characteristics of a packet:

  • Source IP address
  • Source port
  • Destination IP address
  • Destination port
  • IP protocol (TCP or UDP)

Based upon rules configured into the firewall, the packet will either be allowed through, rejected, or dropped. If the firewall rejects the packet, it sends a message back to the sender letting him know that the packet was rejected. If the packet was dropped, the firewall simply does not respond to the packet; the sender must wait for the communications to time out. Dropping packets instead of rejecting them greatly increases the time required to scan your network. Packet filtering firewalls operate on Layer 3 of the OSI model, the Network Layer. Routers are a very common form of packet filtering firewall. An improved form of the packet filtering firewall is a packet filtering firewall with a stateful inspection engine. With this enhancement, the firewall "remembers" conversations between systems. It is then necessary to fully examine only the first packet of a conversation.
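The decision logic described above (a five-tuple rule match, the allow / reject / drop distinction with reject answering the sender while drop stays silent, and a stateful table that remembers accepted conversations so only their first packet is examined), as an added Python example that is not part of the original document. The rule set and the addresses are constructed for illustration.

```python
"""Packet-filter decisions on the five characteristics above, with allow/reject/drop and a state table."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

ALLOW, REJECT, DROP = "allow", "reject", "drop"


@dataclass(frozen=True)
class Packet:
    """The five characteristics a packet filtering firewall examines."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str
    protocol: str = "any"  # "tcp", "udp" or "any"
    src_ip: str = "any"    # single address, CIDR block or "any"
    src_port: str = "any"  # "80", "1024-65535" or "any"
    dst_ip: str = "any"
    dst_port: str = "any"
    comment: str = ""


@dataclass(frozen=True)
class Decision:
    action: str
    responds: bool  # reject answers the sender; drop stays silent, so the sender waits for a timeout
    reason: str


def ip_matches(pattern: str, ip: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern: str, port: int) -> bool:
    if pattern == "any":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.protocol in ("any", pkt.protocol)
            and ip_matches(rule.src_ip, pkt.src_ip) and port_matches(rule.src_port, pkt.src_port)
            and ip_matches(rule.dst_ip, pkt.dst_ip) and port_matches(rule.dst_port, pkt.dst_port))


ConversationKey = Tuple[str, FrozenSet[Tuple[str, int]]]


def conversation_key(pkt: Packet) -> ConversationKey:
    """Direction-independent identity of a conversation, so a reply matches the request's entry."""
    return (pkt.protocol, frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)}))


class StatefulPacketFilter:
    """First-match rule evaluation; accepted conversations are remembered so only their first packet is examined."""

    def __init__(self, rules: List[Rule], default: str = DROP):
        self.rules = rules
        self.default = default
        self.conversations: Set[ConversationKey] = set()

    def decide(self, pkt: Packet) -> Decision:
        key = conversation_key(pkt)
        if key in self.conversations:
            return Decision(ALLOW, False, "stateful: packet belongs to an already-accepted conversation")
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == ALLOW:
                    self.conversations.add(key)
                return Decision(rule.action, rule.action == REJECT, f"rule: {rule.comment or rule.action}")
        return Decision(self.default, self.default == REJECT, "no rule matched; policy default applied")


# Constructed rule set (not a real policy) using documentation address ranges:
# permit web traffic to one server, reject telnet with a response, silently drop everything else.
RULES = [
    Rule(ALLOW, "tcp", dst_ip="203.0.113.10", dst_port="80", comment="web to public server"),
    Rule(REJECT, "tcp", dst_ip="203.0.113.0/24", dst_port="23", comment="telnet refused with a response"),
]
```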

The Application-Proxy Firewall

Another type of firewall is the application-proxy firewall. In a proxying firewall, every packet is stopped at the firewall. The packet is then examined and compared to the rules configured into the firewall. If the packet passes the examinations, it is re-created and sent out. Because each packet is destroyed and re-created, there is a potential that an application-proxy firewall can prevent unknown attacks based upon weaknesses in the TCP/IP protocol suite that would not be prevented by a packet filtering firewall. The drawback is that a separate application-proxy must be written for each application type being proxied. You need an HTTP proxy for web traffic, an FTP proxy for file transfers, a Gopher proxy for Gopher traffic, etc. Application-proxy firewalls operate on Layer 7 of the OSI model, the Application Layer.

The Application-Gateway Firewall

Application-gateway firewalls also operate on Layer 7 of the OSI model. Application-gateway firewalls exist for only a few network applications. A typical application-gateway firewall is a system where you must telnet to one system in order to telnet again to a system outside of the network.

The SOCKS Firewall

Another type of application-proxy firewall is the SOCKS firewall. Where normal application-proxy firewalls do not require modifications to network clients, SOCKS firewalls require specially modified network clients. This means you have to modify every system on your internal network which needs to communicate with the external network. On a Windows or OS/2 system, this can be as easy as swapping a few DLLs.

How do I configure Wireless Security?

Wireless security is used to limit the scope of users that have access to services you install when implementing a wireless access point or wireless router device. These devices are used to provide convenient intranet and/or Internet access without having to run cable through buildings or other areas of coverage where the return on investment is low. There are two methods used with wireless systems today to limit access:

  • Coverage Area
  • Authentication and Authorization Mechanisms

Coverage Area

You can limit the coverage area of an access point by using the proper antenna for the coverage needs. This prevents your wireless signals from emitting beyond your coverage area. Unfortunately, with the proper antenna in place on the receiver side, this method is easily defeated. An individual or group who has enough interest and funding to buy better equipment is the limiting factor here.

Authentication and Authorization

You can also limit access to services by having proper authentication and authorization services in place that are required before wireless system access is permitted. This requires configuration of authentication services on your wireless devices, which should include encryption in the transport.

Disabling SSID Broadcast

Some devices allow you to disable "SSID Broadcast". Although this helps to limit who might see which networks are available to attack, knowledgeable attackers do not rely on SSID values to attack systems. SSID values can also be determined if an attacker is using a network sniffer with wireless capabilities. Disabling SSID broadcast also makes it more difficult for the intended users of the wireless network to configure and connect to it. This is considered to be a "security through obscurity" technique.

Picking an Encryption Technology There are a few common encryption technologies used in wireless infrastructures today.

WEP or Wired Equivalent Privacy WEP is usually found in 64bit, 128bit, and 256bit implementations. WEP has been found to be weak cryptographically, and should not be used for any wireless infrastructure you

would like to have secured. Choosing a good passphrase or password does not increase the level of security offered by WEP.

WPA - Wifi Protected Access WPA is based on WEP, but the WPA algorithm changes the effective key more often. WPA is still weak cryptographically, so choosing a passphrase or password of 20 characters or more is important to keep your wireless network secure. If you use a good passphrase with WPA is it believed that attacks are impractical.

WPA2 - the Second Generation of Wifi Protected Access
WPA2 uses new encryption technologies called AES or TKIP which are not based on WEP. WPA2 is the preferred encryption technology if it is available. As of March 13, 2006, all equipment using the WiFi trademark must be certified for WPA2.

Mixing WPA and WPA2 clients
Devices that support WPA2 mixed mode allow clients using both AES and WEP configurations to interoperate. This does not include broadcast and multicast traffic.

Encryption Keys
Encryption requires a key exchange for the algorithms to have a common starting point. Wireless devices usually provide two methods for key exchange: pre-shared keys (PSK or password), and enterprise (RADIUS). For individuals and small businesses it is better to use a pre-shared key mechanism. For environments that will have many different wireless access devices, enterprise is generally a better choice.

• Pre-shared keys - A pre-shared key is just a password or passphrase you configure on all of your wireless devices and clients so they can initiate communication. Selecting a good password is imperative in providing the proper level of security for your wireless network.

• Enterprise - Enterprise key exchange is usually provided by a RADIUS service. Both systems connect to the RADIUS system for the initial key exchange. This method makes it easier to manage more wireless devices and clients with less effort.

Authentication and Authorization can be provided by many means including:

• MAC address filters
• Login and password credentials validation
• Identity validation through public key encryption, soft-token, or certificates
• Identity validation through hard-token or key FOB

MAC Address Filters
MAC address filtering prevents or allows clients to attach to your wireless network using a look-up table. If the wireless network card's MAC address is on the list, it is permitted or denied accordingly. Unfortunately, a knowledgeable attacker can use a wireless network sniffer to capture the MAC address values of currently connected systems and change his MAC address value accordingly. It is a trivial matter to change your system's MAC address. Because of this, this security technique is considered "security through obscurity".

Login and Passwords
Some systems will not pass traffic from connected systems until the user authenticates with the wireless device. The authentication details may be stored in a table locally on the wireless device, or they may be checked remotely from the device using the RADIUS protocol, TACACS, or some other remote authentication technology.

Soft-tokens and Certificates
A soft-token is a software package installed on client systems that interacts with the authentication and authorization software on the wireless device to validate users. Certificates are special files installed on the client machine that must properly match up with certificate information on the wireless device to validate a wireless network client.

Hard-tokens and Fobs
Hard-tokens are small computing devices that use a challenge-response mechanism with the wireless device to validate a user or wireless network client. A Fob is a piece of hardware you can attach to and detach from a client system that provides credentials to the wireless device for client validation.

Conclusion
In conclusion, you should use WPA2, then WPA, and then WEP, in that order, for your wireless encryption if you have a choice. Setting up WEP is better than having a completely open wireless network. For key exchange use pre-shared keys if you don't have many wireless devices to manage, or set up a RADIUS server for that function if you have lots of devices to manage. You can disable SSID Broadcast and use MAC filtering, but don't rely on them solely to secure your wireless network.
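The preferences laid out in this conclusion and in the encryption-technology discussion above can be turned into an automated check of an access point's configuration. The following is an added example, not code from the original page or from any vendor: it parses hostapd-style key=value settings and flags the choices the text warns against. The two sample configurations are constructed for the example; the key names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase, ignore_broadcast_ssid, macaddr_acl, wep_key0) follow hostapd's conventions, but the thresholds and finding texts are this example's own.

```python
# Constructed hostapd-style configurations (sample inputs for this example).
WEAK_CONFIG = """
interface=wlan0
ssid=home-net
ignore_broadcast_ssid=1
macaddr_acl=1
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=cheese123
"""

STRONG_CONFIG = """
interface=wlan0
ssid=home-net
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 2024
"""


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_config(cfg):
    """Return a list of findings; an empty list means the config follows the guidance."""
    findings = []
    wpa = int(cfg.get("wpa", "0"))      # hostapd: 0 = none, 1 = WPA, 2 = WPA2, 3 = both
    if wpa == 0:
        if cfg.get("wep_key0"):
            findings.append("WEP in use: cryptographically weak; a better passphrase does not help")
        else:
            findings.append("open network: no encryption at all")
    elif wpa == 1:
        findings.append("WPA only: WEP-derived cipher; WPA2 is preferred when available")
    elif wpa == 3:
        findings.append("mixed WPA/WPA2 mode: legacy WPA (TKIP) clients still accepted")
    if wpa in (2, 3) and "TKIP" in cfg.get("rsn_pairwise", ""):
        findings.append("TKIP allowed for WPA2 clients; use CCMP (AES) only")
    # The 20-character minimum for pre-shared keys comes from the text above.
    if wpa and "WPA-PSK" in cfg.get("wpa_key_mgmt", "WPA-PSK"):
        if len(cfg.get("wpa_passphrase", "")) < 20:
            findings.append("pre-shared key shorter than 20 characters")
    # Obscurity measures are reported so nobody mistakes them for protection.
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("SSID hiding enabled: obscurity only, do not rely on it")
    if cfg.get("macaddr_acl", "0") != "0":
        findings.append("MAC address filtering enabled: obscurity only, do not rely on it")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(name, audit_config(parse_config(text)) or ["no findings"])
```

The audit deliberately treats SSID hiding and MAC filtering as informational rather than as errors, matching the text: they are not harmful, but a configuration whose only findings are those two is still relying on obscurity.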

What is a RADIUS Server?

RADIUS stands for "Remote Authentication Dial In User Service". It is a networking protocol that provides centralized authentication, authorization, and accounting management for people or computers that connect to and use a network service. "Authentication" is needed whenever someone tries to connect to a network. Connecting a computer to a telecommunications network raises several questions: for example, the telco wants to know who is operating the computer. Once that identity is given, it may ask which services the user wants. At the same time the telco collects billing data about the time consumed or capacity used. To answer these questions and let people connect their computers to a telecommunications network easily, RADIUS is used by most widespread systems, open source and otherwise. RADIUS-based systems are frequently deployed by telcos and other companies to identify their customers or employees with ease. RADIUS is useful because it can easily determine the rights an authorized user has, and it records the access in the "Accounting" function of the server. RADIUS is an open-standard, UDP-based protocol originally developed by the IETF. It combines the authentication and authorization procedures, which makes it hard to run one without the other. RADIUS does not support the Novell Async Services Interface protocol, the NetBIOS Frame Protocol Control Protocol, the X.25 Packet Assembler/Disassembler, or the AppleTalk Remote Access Protocol. However, RADIUS servers can verify that credentials are correct through authentication schemes including PAP, CHAP and EAP. RADIUS is also frequently used to facilitate roaming between ISPs, and many companies use it because it provides a single universal store of credentials that can be used across public networks.
The primary use of RADIUS is by Internet Service Providers, since it can be used on any network that requires centralized authentication and accounting services for its workstations. RADIUS thus enables centralized management of credential data such as usernames and passwords. The RADIUS server can store this data locally, but it may also store authentication data in an external SQL database or an external UNIX file. RADIUS is an excellent option for performing accounting without hassle. It can also significantly improve security by enabling the centralization of password management. The other side of that argument is that anyone who takes over the RADIUS server has everything.
SUMMARY: overall, RADIUS is good for Internet service providers as well as companies that need to identify their customers or workers with ease. It helps users connect their computers to telecommunications networks without hassle.

What is Access Control?

Access control is a term from the vocabulary of security. In general, it means enforcing limits and restrictions on whoever tries to enter a protected property. Guarding an entrance against a person is also a practice of access control. There are many types of access control, and some of them are mentioned in this article. You, the reader of this article, have several types of access control around you.

Access Control for Computers (Anti-Virus etc.)
Nowadays, almost every computer user has a firewall or antivirus running on his computer, a popup blocker and many other programs. All of these have access control functions, and all of them guard us from intruders of one sort or another. They inspect everything trying to enter the computer and let it in or keep it out. Computers have complicated access control abilities: they ask for authentication and check digital signatures.

Access Control for Buildings/Landscapes
If you leave your computer chair for a moment and go out of the room, you will pass through a door. This door is similar to the window close to it. It is the most familiar method of access control in any basic home security. Take a look at the door's handle. You twist it in order to open or close the door. This is access control at its very core. Without this handle the door would swing freely and wouldn't stop anyone from entering the room. Below this handle there is a lock and a keyhole, and this lock will stop anyone trying to get through the door. Nowadays there are different types of keypads and access control systems, and keys and locks are beginning to look different. With the passage of time, locks have also got smarter: they can identify your physical features or your voice, and fingerprint locks can read your fingerprints.

Huge Market for Access Control
Access control is a rapidly growing market and may soon manifest itself in ways we cannot even imagine. Nowadays, security access control is a necessary component for businesses. There are many ways to create this security. Some companies hire a security guard to stand at the gateway. There are many security devices that prevent or permit access, such as a turnstile. The best and most effective access control systems are operated by computers.

What is IP Address Spoofing?
IP address spoofing denotes the action of generating IP packets with fake source IP addresses in order to impersonate other systems or to protect the identity of the sender. Spoofing can also refer to forging or using fake headers on emails or netnews to, again, protect the identity of the sender and to mislead the receiver or the network as to the origin and validity of sent data.

Basics of IP Address Spoofing
The Internet Protocol or IP is the fundamental protocol for sending/receiving data over computer networks and the Internet. With the Internet Protocol, each packet sent or received contains information relevant to the operation, such as the source and the destination of the packet. With IP address spoofing, the information placed in the source field is not the actual source of the packet. By using a different address in the source field of the packet, the actual sender can make it look like the packet was sent by another computer, and thus the response of the target computer will be sent to the fake address specified in the packet, unless the attacker wants to redirect the response to his own computer.

Effects of IP Address Spoofing
IP address spoofing is very useful especially in the case of denial of service (DoS) attacks, where large amounts of information are sent to a target computer or system without the perpetrators caring about the response of the target systems. This type of attack is especially effective since the attack packets seem to be coming from different sources and thus the perpetrators are hard to trace. Hackers using IP address spoofing frequently make use of randomly chosen IP addresses from the entire spectrum of IP address space, while some more advanced hackers only use the unregistered portions of the IP address range. IP address spoofing, however, is less effective than using botnets for DoS attacks because it can be monitored by Internet authorities using the backscatter technique, which can determine a DoS attack based on the number of invalid IP addresses used in the attack. Nevertheless, it remains a viable alternative for hackers. IP address spoofing is also a very useful tool in infiltrating networks and overcoming network security measures. This happens when IP address spoofers use a trusted IP address within the network and thus circumvent the need to provide a username or password to log in to the system. This sort of attack generally is based on a specific set of host controls (such as rhosts) that are configured insecurely.

IP Address Spoofing Defense
Ingress filtering, that is, packet filtering of traffic arriving from outside the network, is an effective way of defending against IP address spoofing, since the filter can determine whether a packet claiming an inside address really came from inside or outside the network. Similarly, egress filtering can block packets with spoofed source addresses from leaving the network and launching an attack on other networks. Upper-layer protocols such as TCP (Transmission Control Protocol), in which sequence numbers are used to establish a secure connection with other systems, are also an effective defense against IP address spoofing. Turning off source routing (loose and strict) on your network routers can also help prevent hackers from taking advantage of many spoofing features. Source routing was widely used in the past to prevent a single network fault from causing a major network outage, but the routing protocols on the Internet today make it all but unnecessary.
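The ingress and egress rules described above can be stated as a small decision function. This is an added example, not code from the original page: it models a border router that owns two prefixes and decides, per packet, whether the source address is plausible for the direction the packet is travelling. The prefixes and the sample packets are constructed (RFC 5737 documentation ranges stand in for real addresses), and the bogon list is an assumption for the example rather than a complete one.

```python
import ipaddress

# Constructed topology: the address blocks this site owns and announces.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Sources that should never arrive from the Internet (private, loopback,
# link-local, multicast). Assumption for the example; not an exhaustive list.
BOGON_PREFIXES = [
    ipaddress.ip_network(p) for p in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    )
]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_PREFIXES)


def is_bogon(addr):
    return any(addr in net for net in BOGON_PREFIXES)


def filter_packet(direction, src):
    """Return (verdict, reason) for a packet's source address.

    direction is 'ingress' (arriving on the outside interface) or 'egress'
    (leaving towards the outside interface).
    """
    addr = ipaddress.ip_address(src)
    if direction == "ingress":
        # Ingress filtering: a packet from outside cannot legitimately carry
        # one of our own addresses as its source.
        if is_internal(addr):
            return "drop", "ingress: spoofed internal source"
        if is_bogon(addr):
            return "drop", "ingress: bogon source"
        return "accept", "ingress: ok"
    if direction == "egress":
        # Egress filtering: nothing leaves with a source we do not own, so a
        # host here cannot take part in a spoofed-source attack on someone else.
        if not is_internal(addr):
            return "drop", "egress: source not in our prefixes"
        return "accept", "egress: ok"
    raise ValueError("unknown direction %r" % direction)


# Constructed sample traffic: (direction, source address).
SAMPLE_PACKETS = [
    ("ingress", "203.0.113.5"),    # ordinary inbound traffic
    ("ingress", "192.0.2.10"),     # claims to be one of our hosts: spoofed
    ("ingress", "10.1.2.3"),       # private source from the Internet: bogon
    ("egress", "192.0.2.7"),       # ordinary outbound traffic
    ("egress", "203.0.113.99"),    # internal host forging a foreign source
]


def summarize(packets=SAMPLE_PACKETS):
    """Count verdicts over the sample traffic."""
    counts = {"accept": 0, "drop": 0}
    for direction, src in packets:
        verdict, _reason = filter_packet(direction, src)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for direction, src in SAMPLE_PACKETS:
        print(direction, src, *filter_packet(direction, src))
```

Note that the ingress rule only catches packets that claim one of our own addresses; a spoofed packet from outside that claims some third party's address passes, which is why the text calls egress filtering at every network the complementary half of the defense.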

What are Passwords?
Passwords are strings of characters used to authenticate computer system users. Computer users are normally asked to enter their username (or login name) and their password (or passphrase) before they are given access to a system. If the person knows the username and the password, the computer system trusts that they are the account owner and grants them access to their data.

Selecting a good password
Choosing a good password is critical for personal security, requiring password crackers to take additional time and resources to get access to your personal information and computer credentials. A poor password creates a false sense of security, and may endanger your personal information, access to computer resources, or even allow another individual to spawn attacks and viruses using your personal credentials.

Password Construction
Password crackers have many tools at their disposal to cut down the amount of time it takes to crack your password. Selecting a secure password will help to ensure that the password cracker must take as much time as possible to guess or otherwise identify your password. No password is ultimately secure, but if it takes the password cracker longer to crack the password than it takes for the password to become useless, you will have succeeded in thwarting the cracker's attack.

Insecure methods

• Passwords should not be created using personal information about yourself or your family. A password cracker with an incentive to break your personal password will use this information first, making these passwords the least secure passwords. Examples of bad passwords of this type are: your name, birthplace, nickname, family name, names of pets, street address, parents' names, names of siblings and the like.

• Passwords should not be formed of words out of any dictionary or book. Longer words do not generally add much protection. Using known words in any language allows the password cracker to take shortcuts in his password cracking schemes, allowing him to guess your password in a very small fraction of the time it would take otherwise. Examples of bad passwords of this type are: dragon, secret, cheese, god, love, sex, life and similar words.

• Passwords should not be composed of proper nouns of places, ideas, or people. These words are commonly found in password cracker databases. Examples are: Jehovah, Tylenol, edutainment, Coolio, beesknees, transformers.

• Passwords should not be simple variations of words. Although these passwords don't appear in a book or dictionary, it is a simple matter to generate a replacement word list automatically. These passwords are more secure than the above two examples, but not significantly more secure. Examples of passwords of this type are drowssap, l0ve, s3cr3t, dr@gon, and similar word-like terms.

• Passwords should not be a concatenation of two words commonly following each other in a sentence. These passwords are more secure than the above password concepts, but still fall far short for password security. Examples of these kinds of passwords are: whatfor, divineright, bigpig, ilove, farfetched, catspajamas.

• Do not reuse recently employed passwords. If you find it difficult to pick a new password, you should wait until you have changed your password at least 5 times before reusing an old password, or 12 months if password changes are common.

Secure methods

• Always change your password immediately if you feel that your password has been compromised. Always do this directly. Never follow links sent to you in email, through an instant messenger client, or from a phone call you received. Ask for administrative assistance if you have trouble changing your password.

• Do not write your password down where others may find it. If you must write it down, ensure it is in a locked location that is only accessible to you. Hiding your password in places you feel it is unlikely to be found is not helpful. Password crackers have a criminal mind, and generally know where to look.

• It is important that you change your password on a regular schedule, at least every six months. This helps by throwing off any cracking efforts that might be in progress but have not yet been completed. It also helps if you have somehow compromised your password in some other way without knowing it.

• Select passwords that use a mixture of capital letters, numbers, and special characters. Take heed, however: some systems do not allow you to use some or any special characters. Make sure you check the password criteria for the system you are using ahead of time, if possible.

• Use substitution of numbers for letters and letters for numbers in your passwords. Although this is not a primary method of securing your password, it adds another layer of security on top of a good password, and helps prevent your password being guessed by chance.

• Where it is not possible to use many characters in your password (fewer than 14), it is advisable to create a password from a passphrase by selecting the letter in a specific position of each word. An example of this is "jJjshnImn2". As you can see, it's unlikely that any cracker would guess this password; however, it is easy to remember when you note the passphrase "John Jacob Jingleheimer Schmidt, his name is my name too". Notice the use of number substitution and capitalization in the password.

• The best passwords are complete phrases, if the system will allow them. They are sometimes called "passphrases" in reflection of this. For example, a good passphrase might be "I clean my Glock in the dishwasher." You can also use number and letter substitution on passphrases. Longer passphrases generally mean better password security.
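The insecure and secure construction rules above can be enforced by a password-acceptance check, which is how a system administrator would apply them rather than relying on users to remember them. The following is an added example, not code from the original page: it normalizes the common letter/number substitutions (so s3cr3t is judged as secret), checks for dictionary words and their reversals, for two-word concatenations, for personal information and reuse, and applies the 14-character / three-character-class rule from the list above. The word lists are constructed and deliberately tiny; a real deployment would load full cracking dictionaries.

```python
import re

# Constructed, tiny word lists standing in for the dictionaries a password
# cracker carries. The examples are the ones the text itself lists.
COMMON_WORDS = {
    "password", "dragon", "secret", "cheese", "god", "love", "sex", "life",
    "what", "for", "divine", "right", "big", "pig", "i", "far", "fetched",
    "cats", "pajamas",
}
PROPER_NOUNS = {"jehovah", "tylenol", "edutainment", "coolio", "beesknees", "transformers"}

# Undo the usual substitutions so "dr@gon" and "l0ve" are checked as the words they hide.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Finding texts returned by check_password.
PERSONAL = "contains personal information"
DICTIONARY = "dictionary word, proper noun, or a simple variation of one"
CONCAT = "concatenation of two common words"
REUSED = "password was used recently"
CLASSES = "shorter than 14 characters and uses fewer than three character classes"


def normalize(password):
    return password.lower().translate(LEET)


def is_known_word(word):
    return word in COMMON_WORDS or word in PROPER_NOUNS


def is_two_word_concat(word):
    return any(word[:i] in COMMON_WORDS and word[i:] in COMMON_WORDS
               for i in range(1, len(word)))


def character_classes(password):
    """Count how many of lower, upper, digit, special appear in the password."""
    return sum(bool(re.search(p, password))
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def check_password(password, personal_info=(), history=()):
    """Return the list of rules the password violates; an empty list means it passed."""
    problems = []
    norm = normalize(password)
    letters = re.sub(r"[^a-z]", "", norm)   # the word-like core of the password
    if password in history:
        problems.append(REUSED)
    if any(item.lower() in norm for item in personal_info if item):
        problems.append(PERSONAL)
    if letters and (is_known_word(letters) or is_known_word(letters[::-1])):
        problems.append(DICTIONARY)
    elif is_two_word_concat(letters):
        problems.append(CONCAT)
    # Long passphrases are exempt from the class mix; short passwords are not.
    if len(password) < 14 and character_classes(password) < 3:
        problems.append(CLASSES)
    return problems


if __name__ == "__main__":
    for candidate in ("s3cr3t", "drowssap", "catspajamas", "jJjshnImn2",
                      "I clean my Glock in the dishwasher."):
        print(repr(candidate), check_password(candidate) or ["ok"])
```

The two examples the text recommends, "jJjshnImn2" and "I clean my Glock in the dishwasher.", pass every rule, while each example it warns against is caught by at least one; note that the reversal check is what catches "drowssap", which no forward dictionary lookup would.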

Password Secrecy
Passwords are useless if they are distributed to anyone other than their intended users. Below is a list of methods to keep your passwords private.

• If you have a large number of passwords to remember, or you don't feel you can remember important ones, you can use your computer to assist you in storing passwords. You can encrypt your password list with an acceptable master password using reliable encryption software. Many password managers are available for this purpose. For experienced users, GNU Privacy Guard and Pretty Good Privacy are free for individual use. Ensure you know how to use encryption properly; improper use of encryption technologies may defeat the whole purpose of using encryption in the first place. Seek help from an encryption expert, or purchase commercial encryption software, if understanding is not forthcoming. Do not store your encrypted passwords, or your encryption keys, somewhere that another person may gain access to them.

• Refrain from using the same password on multiple systems, especially systems that do not serve the same function. Never use passwords you use on Internet forums, games, websites, or the like for any important password. It is trivial for the owners of these systems to extract your passwords if they are willing.

• Never tell anyone a password through e-mail, instant messenger clients, chat rooms, forums or other shared environments. These conversations are almost never entirely private.

• Do not tell someone your passwords over a cell phone or cordless telephone, as these are insecure mediums for conversation and may easily be monitored. If you must tell someone a password over a telephone land line, make sure the party you are speaking with is the only listener. You may want to validate that additional parties are not listening in by calling the original party on a number you know is owned by them.

• Do not use shared passwords unless it is entirely unavoidable. Passwords shared between multiple users prevent the determination of which user performed which actions.

• Of course, never tell your passwords to anyone. Once you tell someone else your password, you no longer have control over the scope of password knowledge. If you absolutely must share your account access to a computer system, change the password to a new password first before sharing it, and then change the password back to its original form once the other users are done performing the necessary work.

Two-Factor Authentication
The original password concept has been proven to be insecure. There have been cases where passwords have been compromised without the user's knowledge, through coercion, or because the user was conned into revealing it. The core problem with legacy passwords is that it is very difficult or impossible for an administrator or a computer system to differentiate between a legitimate user and an illegitimate user gaining access through the same password. Because of this inherent flaw in the original password system, Two-Factor Authentication was invented. A password is "something you know." This information is understood to be known by a single individual. Two-factor authentication systems add another factor, "something you have": an electronic card key, electronic token, dongle, fob or some other physical item you keep in a secure place when not in use. A common stand-in for this second factor when higher levels of security are needed is "something you are". A fingerprint, retina pattern, person's weight, specific vital signs or a combination of these items is used in place of the electronic device. The biological factor for authentication and authorization has been found to be unreliable, not in that it permits those who should not be permitted when used properly, but because it tends to deny legitimate users access due to sickness, physical body changes, or other physical impairments.
There are two common methods of authentication when users use electronic components for two-factor authentication: response-only and challenge-response systems. Response-only systems require a user to present their electronic device to an electronic reading system, or to enter data displayed on the electronic device without user input. The user must provide a username or PIN that is not known to outsiders, and then enter specific credential data generated by the electronic device when prompted. In many cases, this mechanism returns the user to single-factor authentication, where the user does not need to know something, but just possesses the item in question. An example of this is the standard electronic card key used to enter a facility or building perimeter. The user need not provide any other factor to prove their identity. Challenge-response systems require the user to enter a specific passphrase or PIN into the electronic device first, before the device responds with the proper access credential data. This variant is always considered two-factor authentication, since the user must provide both "something they know" (the PIN) and use "something they have" (the electronic device). Both the response-only and challenge-response systems can be defeated if the user reveals the private information they keep secret, such as their username or PIN code, and the attacker also takes possession of the electronic device. Due to this weakness, the biological factor was invented.
Biological factors have been in use for several decades, and have proven to be reliable and secure ways to prevent unauthorized users from gaining access to secure systems or environments, regardless of the privacy of the passwords used. Systems monitor fingerprints, eye retina patterns, weight, ambient temperature, and other biological signs to determine the authenticity of the user requesting access. Movies have touted methods of defeating these systems by cutting off body parts, using retinal masks, or forcing legitimate users into bypassing the authentication mechanisms for the attacker. These are largely Hollywood schemes and rarely work in the real world. In most cases where this level of security is required, local or remote monitoring of entry points through cameras and security personnel is common. Deadlock portals, remotely activated magnetically controlled entranceways, and visual identification are the norm. Many simple methods have been devised to defeat weakly designed biological factor systems, so be sure you thoroughly test the security measures you plan to put in place before implementation.
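The challenge-response variant described above, with both sides of the exchange, as an added example that is not from the original page or any vendor's product: the device holds a secret it never discloses, the server issues a fresh random challenge for each login, and a valid response requires both the device secret and the PIN typed into the device. The scheme (SHA-256 to derive a per-user key from device secret plus PIN, HMAC-SHA256 over the challenge) is this example's own construction, not a named standard; the user names, PIN and secrets are constructed.

```python
import hashlib
import hmac
import secrets


class TokenDevice:
    """'Something you have': holds a per-device secret it never reveals.

    It only produces a valid response when the correct PIN ('something you
    know') is typed into it together with the server's challenge.
    """

    def __init__(self, device_secret):
        self._device_secret = device_secret

    def respond(self, pin, challenge):
        key = hashlib.sha256(self._device_secret + pin.encode()).digest()
        return hmac.new(key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Issues single-use random challenges and verifies the responses."""

    def __init__(self):
        self._keys = {}        # username -> derived key (device secret + PIN)
        self._pending = {}     # username -> outstanding challenge
        self.failures = {}     # username -> failed attempts, for lockout policy

    def enroll(self, username, device_secret, pin):
        # Only the derived key is stored, so the server holds neither the raw
        # device secret nor the PIN; both must still be protected as secrets.
        self._keys[username] = hashlib.sha256(device_secret + pin.encode()).digest()
        self.failures[username] = 0

    def challenge(self, username):
        c = secrets.token_bytes(16)
        self._pending[username] = c
        return c

    def verify(self, username, response):
        challenge = self._pending.pop(username, None)   # single use: replays fail
        key = self._keys.get(username)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        if not ok:
            self.failures[username] += 1
        return ok


def demo():
    """Run the cases the text describes; returns which login attempts succeeded."""
    server = AuthServer()
    device_secret = secrets.token_bytes(32)         # constructed at enrollment
    alice_device = TokenDevice(device_secret)
    server.enroll("alice", device_secret, pin="4821")  # constructed PIN

    results = {}
    c = server.challenge("alice")
    results["correct pin and device"] = server.verify("alice", alice_device.respond("4821", c))

    c = server.challenge("alice")   # attacker holds the device but not the PIN
    results["device without pin"] = server.verify("alice", alice_device.respond("0000", c))

    other_device = TokenDevice(secrets.token_bytes(32))   # attacker knows the PIN only
    c = server.challenge("alice")
    results["pin without device"] = server.verify("alice", other_device.respond("4821", c))

    c = server.challenge("alice")   # captured valid response, presented twice
    good = alice_device.respond("4821", c)
    server.verify("alice", good)
    results["replayed response"] = server.verify("alice", good)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "->", "accepted" if ok else "rejected")
```

Two design points matter for the weakness the text names: because each challenge is random and consumed on first use, a captured response is useless later; and because the PIN space is small, an attacker who has stolen the device can only guess PINs against the server, where the failure counter gives the administrator something to lock out on. An attacker who obtains both the device and the PIN defeats the scheme, exactly as stated above.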

How do I Disable the Netgear Router Firewall?
In most cases, disabling the firewall on your Netgear router is a really bad idea. In fact, it is such a bad idea that Netgear doesn't even make a button in their GUI that does this. Nevertheless, we can effectively disable a Netgear router firewall just by adding a rule or two to the firewall configuration.

Netgear Router Firewall Default Rules
Netgear devices with firewalls have two default rules:

• Outbound Services: Allow all access from the inside to the outside.
• Inbound Services: Block all access from the outside to the inside, except responses to requests from the inside.

How to Disable the Netgear Router Firewall
To disable the Netgear Router Firewall, all we need to do is add a new rule that allows all access from the outside to the inside. To do this:

1) Type the router's address (the default is either 192.168.0.1 or 192.168.1.1) in your Web browser.

2) Enter your username and password in the prompt that appears. The default username is admin and the default password is password.

3) From the main menu, choose Security -> Rules.

4) Add a new rule for Inbound Services with a service name of "ANY" and an action of "ALLOW always."

5) Move your new rule up until it is the first rule in the Inbound Services section.

6) Finally, make certain that this rule is enabled by checking the Enable column.

Your Netgear Router firewall is now disabled and your internal network is now completely unprotected and open to attack from the Internet.

What is RADIUS (Remote Authentication Dial In User Service)?
RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865, is a protocol for remote user authentication and accounting. RADIUS enables centralized management of authentication data, such as usernames and passwords. When a user attempts to log in to a RADIUS client, such as a router, the router sends the authentication request to the RADIUS server. The communication between the RADIUS client and the RADIUS server is authenticated and encrypted through the use of a shared secret, which is not transmitted over the network. The RADIUS server may store the authentication data locally, but it can also store authentication data in an external SQL database or an external Unix /etc/passwd file. The RADIUS server can also plug into a PAM (Pluggable Authentication Service) architecture to retrieve authentication data. The role of the RADIUS server as the centralized authentication server makes it an excellent choice for also performing accounting. RADIUS can significantly increase security by enabling the centralization of password management. Of course, the other side of that argument is that once you take over the RADIUS server, you have everything. RADIUS servers are available from many vendors. In addition, GNU RADIUS is an excellent non-commercial option. RADIUS utilizes the MD5 algorithm for secure password hashing. RADIUS is the de facto authentication provider in 802.11i wireless networks.
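Both RADIUS passages on this page (the "What is a RADIUS Server?" article and this one) describe a shared secret that is never sent on the wire, MD5, and the observation that whoever controls the server has everything. The following added example, not code from the original page or from any RADIUS implementation, shows what those statements mean concretely by building an Access-Request the way RFC 2865 lays it out: the User-Password attribute is hidden by XOR with MD5(secret + Request Authenticator), and the server's reply carries a Response Authenticator computed over the reply and the secret, which the client checks. The secret, user name, password and the one-entry user database are constructed; the server stores plaintext passwords only to keep the example short.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c            # chaining: the next block keys off the ciphertext
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; anyone holding the secret can run this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_access_request(secret, identifier, username, password, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # must be unpredictable
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Decode code, identifier, authenticator and the (type, value) attribute list."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((kind, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": identifier,
            "authenticator": packet[4:20], "attributes": attrs}


def response_authenticator(secret, code, identifier, request_authenticator, attrs):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def server_handle(secret, packet, user_db):
    """Server side: recover the password with the shared secret, answer Accept or Reject."""
    req = parse_packet(packet)
    attributes = dict(req["attributes"])
    username = attributes.get(ATTR_USER_NAME, b"")
    password = reveal_password(secret, req["authenticator"], attributes.get(ATTR_USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if user_db.get(username) == password else ACCESS_REJECT
    attrs = b""
    header = struct.pack("!BBH", code, req["identifier"], 20 + len(attrs))
    return header + response_authenticator(secret, code, req["identifier"], req["authenticator"], attrs) + attrs


def client_verify(secret, request_authenticator, response):
    """Client side: trust a reply only if its authenticator was computed with our secret."""
    resp = parse_packet(response)
    expected = response_authenticator(secret, resp["code"], resp["identifier"],
                                      request_authenticator, response[20:])
    return hmac.compare_digest(expected, resp["authenticator"])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = os.urandom(16)
    request = build_access_request(secret, 7, b"alice", b"correct horse battery staple", ra)
    reply = server_handle(secret, request, {b"alice": b"correct horse battery staple"})
    print("code", parse_packet(reply)["code"], "verified", client_verify(secret, ra, reply))
```

Two things the code makes visible. The secret itself never appears in any packet; only MD5 outputs that depend on it do, which is the sense in which it "is not transmitted". And the password hiding is an XOR with an MD5 keystream, not encryption in the modern sense: reveal_password needs nothing but the secret, so compromise of the server (or of the secret on any client) yields every password that passes through, which is the "you have everything" point both articles make.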

Q: How easy is it to change MAC address?
A: Very easy! You can change MAC address in six easy steps.

1) Install your SpeedDemon.

2) Place the configuration disk in the floppy drive and turn your computer on.

3) Type "M" to change MAC address, press enter.

4) Type your desired Ethernet address, press enter.

5) Press "Y" to change MAC address.

6) Press "E" and enter to reboot.

Q: I want to change MAC address, should I buy a SpeedDemon network card?

A: Software manufacturers can limit software so that it can be used only with an authorized network card. This form of copy protection relies on the network card's hardware address. This effective method of copy protection disadvantages legitimate users because network cards often fail. Having SpeedDemon network cards available ensures that your network will endure a hardware failure. Furthermore, you can connect to the Internet through your broadband Internet Service Provider (ISP) only if your computer has a network card or cable modem with an authorized network address. If you change MAC address, your SpeedDemon network card clones the network card that is authorized to access the Internet. Your SpeedDemon with a changed MAC address will allow you to connect two different computers to the Internet with only one subscription. This method of broadband connection sharing requires only a single Internet account and does not require the two computers to be connected. Every other method to change MAC address is inferior. Software-based methods to change MAC address merely modify your registry or other system files. They don't really change the MAC address; they only fool your computer into thinking that you have a new Ethernet address for a short time. With software-based solutions, your hardware address will eventually reset and there is no money-back guarantee. Furthermore, computer programmers and network professionals detect this inferior method and prevent it. Now that SpeedDemon adapters are available, a new, easy, and practical method to change MAC address is available.

Q: What is significant about the SpeedDemon network card's ability to change MAC address?

A: SpeedDemon network cards allow you to change MAC address thousands of times. When you change the MAC address so that the SpeedDemon duplicates another computer's network address, the computer with the SpeedDemon appears to be the same computer as the one with the original network address. ISPs rely on a computer's Ethernet address in order to authorize (or deny) access to the Internet. If you change MAC address, using a SpeedDemon will allow you to have two computers authorized to access the Internet: one computer at home that is authorized by your ISP and the other computer at your office with a SpeedDemon.

Q: If I'm connecting two computers to my ISP's network, why don't I just get two accounts from my ISP instead of changing MAC address?

A: Because you will pay double in subscription fees. ISPs offer major discounts if two computers are connected to the Internet using only one subscription, one computer with a SpeedDemon with a changed MAC address and an additional IP address.

Q: Why don't I just buy a hub or switch?

A: A hub or switch may suit you better than a SpeedDemon if the computers you are trying to connect to the Internet are physically located next to one another. However, if the computers you are trying to connect to the Internet are located across a house or in different buildings, the SpeedDemon would be a better choice because the SpeedDemon doesn't require the two computers to be connected in any way. If you don't want network cables cluttering your hallways, you want a SpeedDemon.

Q: Is there another way to change MAC address?

A: YES, BUT WE DO NOT SUGGEST THAT ANYONE ATTEMPT THIS:

1. Carefully desolder the EEPROM from your network card.

2. Place the EEPROM into an EEPROM programmer and hex dump the EEPROM's data to your computer.

3. Find the data that corresponds to your hardware address (instructions on how to find your network address follow).

4. Change the MAC address EEPROM data to reflect your desired network address and checksum. Information on modifying the checksum varies among network card manufacturers; in order to find the information, you must contact your NIC manufacturer.

5. After you change the MAC address data, dump the modified data back to your EEPROM and resolder the EEPROM onto your NIC board.

Q: How can I find my MAC address?

A: For Windows 2000 and Windows XP computers:

1) Click "start", then "run".

2) Type "command".

3) Type "ipconfig /all" and locate your Ethernet address in the "Physical Address" field.

A: For Windows 95, Windows 98, and Windows ME computers:

1) Click "start", then "run".

2) Type "winipcfg".

3) Locate and click your network card.

4) Locate your MAC address in the "Adapter Address" field.

What is the OSI Model?

The OSI model is a reference model which most IT professionals use to describe networks and network applications. The OSI model was originally intended to describe a complete set of production network protocols, but the cost and complexity of the government processes involved in defining the OSI network made the project unviable. In the time that the OSI designers spent arguing over who would be responsible for what, TCP/IP conquered the world.

The Seven Layers of the OSI Model

The seven layers of the OSI model are:

Layer  Name
7      Application
6      Presentation
5      Session
4      Transport
3      Network
2      Data Link
1      Physical

The easiest way to remember the layers of the OSI model is to use the handy mnemonic "All People Seem To Need Data Processing":

Layer  Name          Mnemonic
7      Application   All
6      Presentation  People
5      Session       Seem
4      Transport     To
3      Network       Need
2      Data Link     Data
1      Physical      Processing

The functions of the seven layers of the OSI model are:

Layer Seven of the OSI Model

The Application Layer of the OSI model is responsible for providing end-user services, such as file transfers, electronic messaging, e-mail, virtual terminal access, and network management. This is the layer with which the user interacts.

Layer Six of the OSI Model

The Presentation Layer of the OSI model is responsible for defining the syntax which two network hosts use to communicate. Encryption and compression should be Presentation Layer functions.

Layer Five of the OSI Model

The Session Layer of the OSI model is responsible for establishing process-to-process communications between networked hosts.

Layer Four of the OSI Model

The Transport Layer of the OSI model is responsible for delivering messages between networked hosts. The Transport Layer should be responsible for fragmentation and reassembly.

Layer Three of the OSI Model

The Network Layer of the OSI model is responsible for establishing paths for data transfer through the network. Routers operate at the Network Layer.

Layer Two of the OSI Model

The Data Link Layer of the OSI model is responsible for communications between adjacent network nodes. Hubs and switches operate at the Data Link Layer.

Layer One of the OSI Model

The Physical Layer of the OSI model is responsible for bit-level transmission between network nodes. The Physical Layer defines items such as connector types, cable types, voltages, and pin-outs.

The OSI Model vs. The Real World

The most major difficulty with the OSI model is that it does not map well to the real world! The OSI model was created after many of today's protocols were already in production use. These existing protocols, such as TCP/IP, were designed and built around the needs of real users with real problems to solve. The OSI model was created by academicians for academic purposes.

The OSI model is a very poor standard, but it's the only well-recognized standard we have which describes networked applications. The easiest way to deal with the OSI model is to map the real-world protocols to the model, as well as they can be mapped.

Layer  Name          Common Protocols
7      Application   SSH, telnet, FTP
6      Presentation  HTTP, SMTP, SNMP
5      Session       RPC, Named Pipes, NETBIOS
4      Transport     TCP, UDP
3      Network       IP
2      Data Link     Ethernet
1      Physical      Cat-5

The difficulty with this approach is that there is no general agreement as to which layer of the OSI model any specific protocol maps to. You could argue forever about which OSI model layer SSH maps to. A much more accurate model of real-world networking is the TCP/IP model:

TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Network Interface Layer

The most significant downside of the TCP/IP model is that if you reference it, fewer people will know what you are talking about! For a better description of why the OSI model should go the way of the dodo, disco, and DivX, read Kill the Beast: Why the Seven-Layer Model Must Die.
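As an added illustration of the protocol-to-layer mapping above (example code, not part of the original document), the following Python builds a constructed Ethernet/IPv4/TCP frame carrying an HTTP request and then peels it apart header by header, keying each header's fields by the OSI layer the table assigns its protocol. The MAC and IP addresses are documentation values, and treating destination port 80 as HTTP is an assumption.

```python
import struct

# Layer numbers follow the page's mapping: Ethernet is layer 2, IP layer 3, TCP layer 4.
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP = 6

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload: bytes) -> bytes:
    """Constructed sample frame: documentation MACs (00:00:5e:00:53:xx) and 192.0.2.0/24 hosts."""
    # Layer 4: TCP header, data offset 5 words, flags PSH|ACK; TCP checksum left zero for brevity.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    # Layer 3: IPv4 header, checksum computed over the header with the field zeroed.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IP_PROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Layer 2: Ethernet header (destination, source, EtherType).
    eth = bytes.fromhex("00005e005301") + bytes.fromhex("00005e005302") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp

def decode_frame(frame: bytes) -> dict:
    """Peel the headers outermost first, returning each one's fields keyed by OSI layer."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:  # a valid header, checksum field included, sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    if ip_hdr[9] != IP_PROTO_TCP:
        raise ValueError("not TCP")
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    dotted = lambda b: ".".join(str(x) for x in b)
    return {
        2: {"protocol": "Ethernet", "src": src.hex(":"), "dst": dst.hex(":")},
        3: {"protocol": "IP", "src": dotted(ip_hdr[12:16]), "dst": dotted(ip_hdr[16:20])},
        4: {"protocol": "TCP", "sport": sport, "dport": dport, "flags": tcp[13]},
        # Assumption: destination port 80 means HTTP, which the page places at the application layer.
        7: {"protocol": "HTTP" if dport == 80 else "unknown", "payload": tcp[data_off:]},
    }
```

Corrupting any byte of the IPv4 header makes decode_frame reject the frame at layer 3, which is where the page's model says that check belongs.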
