Thursday, July 26, 2007

VPN Security

http://nando.hyperphp.com

Virtual private network (VPN) connections are made across public networks such as the Internet. This is a simple statement, but it packs a lot of issues behind it. When going across a public network, there are several items that have to be dealt with to make sure that the security of your network is not compromised. For instance: How do I ensure that the person establishing a connection with my gateway is authorized to do so? How do I make sure that there is no way for a hacker to capture the conversation and use it to gain information such as user credentials and confidential data? How do I maintain control over what a VPN user accesses in the network once they have established communications? How do I know that their VPN client machine is not going to infect the network with a virus? Obviously, there are a lot of concerns if we are going to make a remote system “part of the network.” Therefore, attention must be paid to ensure that the VPN servers and the private data that is sent across a VPN connection are protected from malicious users. Security for Windows VPN connections is a combination of basic elements that are required (authentication, authorization, encryption, and packet filtering) and advanced features that provide additional protection (such as certificate-based authentication, network access quarantine control, and remote access account lockout).

Basic Elements of Windows VPN Security

In order for a VPN connection to be secure, it must provide the following:

· Authentication security. Security credentials take the form of either a user name and password or a certificate. If you use the proper authentication security protocol (the different options are listed below), you can ensure that the confidential portions of the credentials (such as the password or the private key for a certificate) are never sent. Rather, the connecting VPN client provides proof of knowledge of the confidential credentials.

· Authorization security. Authorization security ensures that the VPN client is allowed to make a VPN connection, and can provide a set of connection constraints such as maximum connection time, idle timeout, required authentication method, and so on. You can also apply IP filters based on a user’s Active Directory group membership so that the individual in question can only access the information that he is supposed to see. This lets administrators apply extra security to remote users.

· Encryption security. Before the data between a VPN client and VPN server is sent over the VPN connection, it is encrypted using an encryption algorithm and a secret key known only to the VPN client and VPN server. Encryption provides data confidentiality: even if a copy of the packet is captured, it is not readable (except for the IP header) without knowledge of the secret key. With PPTP, the encryption keys are derived from a hash of the user's password. With L2TP/IPSec, certificates are used to set up an IPSec encrypted tunnel inside which all authentication and authorization processes take place. This is one of the advantages of L2TP/IPSec: the entire exchange, including the authentication itself, occurs in an encrypted state.

· Packet filtering. When you connect a VPN server to the Internet, the server and your private intranet are exposed to attack. An Internet-based attacker can try to attack the VPN server by flooding it with various types of packets, or try to reach your intranet by using your VPN server as a router. To combat both types of attack, the Internet interface of the VPN server is configured with a series of IP packet filters that allow only VPN traffic. This is different from the per-user IP filters applied at authentication; these interface filters make sure that only VPN protocol traffic addressed to the VPN server is accepted at all. This limits what Denial-of-Service attacks and other Internet-based attacks can reach.

Each of these basic elements of VPN security is discussed in further detail in the following sections.
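As an added example (not from the original page), the following Python model shows the kind of allow-list filter described above for the VPN server's Internet interface and checks it against constructed sample packets; the server address, intranet range and sample packets are made up, and the port and protocol numbers are the standard PPTP and L2TP/IPSec ones.

```python
"""Model of the inbound IP packet filters for a VPN server's Internet
interface: only VPN protocol traffic addressed to the server itself is
accepted; everything else, including packets that try to use the server
as a router into the intranet, is dropped (default deny).

Added example, not code from the original page. VPN_SERVER_IP,
INTRANET_PREFIX and SAMPLE_PACKETS are constructed values. Protocol numbers
are the standard ones: PPTP = TCP 1723 + GRE (IP protocol 47);
L2TP/IPSec = IKE UDP 500, NAT-T UDP 4500, ESP (IP protocol 50). L2TP on
UDP 1701 is only accepted inside ESP, so it gets no plaintext rule here.
"""
from dataclasses import dataclass
from typing import Optional

VPN_SERVER_IP = "203.0.113.10"   # constructed public address (TEST-NET-3)
INTRANET_PREFIX = "10.0.0."      # constructed private address range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "gre", "esp", "icmp", ...
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: Optional[int]         # None = protocol has no port to match
    name: str


# Allow-list for the Internet interface; anything unmatched is dropped.
INTERNET_INBOUND_RULES = (
    Rule("tcp", 1723, "PPTP control channel"),
    Rule("gre", None, "PPTP data (GRE)"),
    Rule("udp", 500, "IKE for L2TP/IPSec"),
    Rule("udp", 4500, "IKE/ESP NAT traversal"),
    Rule("esp", None, "IPsec ESP carrying L2TP"),
)


def evaluate(pkt: Packet) -> tuple:
    """Return ("allow" | "drop", reason) for an inbound packet."""
    # Only traffic for the VPN server itself is eligible; a packet for an
    # intranet address is an attempt to route through the server.
    if pkt.dst != VPN_SERVER_IP:
        if pkt.dst.startswith(INTRANET_PREFIX):
            return "drop", "destination is intranet (server used as router)"
        return "drop", "destination is not the VPN server"
    for rule in INTERNET_INBOUND_RULES:
        if pkt.proto == rule.proto and (rule.dport is None or pkt.dport == rule.dport):
            return "allow", rule.name
    return "drop", "not a VPN protocol (default deny)"


# Constructed sample traffic: two legitimate VPN flows (PPTP and
# L2TP/IPSec), a plaintext L2TP probe, an SMB attempt against the server,
# and an SMB packet addressed to an intranet host.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", VPN_SERVER_IP, "tcp", 1723),
    Packet("198.51.100.7", VPN_SERVER_IP, "gre"),
    Packet("198.51.100.8", VPN_SERVER_IP, "udp", 500),
    Packet("198.51.100.8", VPN_SERVER_IP, "esp"),
    Packet("198.51.100.9", VPN_SERVER_IP, "udp", 1701),
    Packet("198.51.100.9", VPN_SERVER_IP, "tcp", 445),
    Packet("198.51.100.9", "10.0.0.25", "tcp", 445),
]


def audit(packets=SAMPLE_PACKETS) -> dict:
    """Print each verdict and return the allow/drop counts."""
    counts = {"allow": 0, "drop": 0}
    for pkt in packets:
        verdict, reason = evaluate(pkt)
        counts[verdict] += 1
        print(f"{verdict:5} {pkt.proto:4} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({reason})")
    return counts


if __name__ == "__main__":
    audit()
```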

VPN Administration

In selecting a VPN technology, it is important to consider administrative issues. Large networks need to store per-user directory information in a centralized data store, or directory service, so that administrators and applications can add to, modify, or query this information. Each access or tunnel server could maintain its own internal database of per-user properties, such as names, passwords, and dial-in permission attributes. However, because it is administratively prohibitive to maintain multiple user accounts on multiple servers and keep them simultaneously current, most administrators set up an account database at the directory server or primary domain controller, or on a RADIUS server. By using Microsoft Active Directory as your account database, Windows Server 2003 VPNs become part of a single sign-on solution: the same set of credentials is used both for VPN connections and to log on to the organization’s domain. Although Active Directory is the preferred method for authentication and authorization because of all the advanced policy and quarantine features that become available with it, Microsoft VPN solutions are not required to use Active Directory. Windows VPN servers can also use standards-based RADIUS to perform authentication. The methods in this book focus on the use of Active Directory as the directory service because we’ll be showing and enabling all the advanced VPN features that come with it.

Authorizing VPN Connections

To provide authorization for VPN connections and to provide a method of enforcing connection restrictions, Windows Server 2003 VPN connections use a combination of the dial-in properties of user accounts in a local or domain account database and remote access policies.

Remote access policies are an ordered set of rules that define how connections are either accepted or rejected. For connections that are accepted, remote access policies can also define connection restrictions. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting. Connection attempts are evaluated against the remote access policies in order, trying to determine whether the connection attempt matches all the conditions of each policy. If the connection attempt does not match all the conditions of any policy, the connection attempt is rejected.

If a connection matches all the conditions of a remote access policy and is granted remote access permission, the remote access policy profile specifies a set of connection restrictions. The dial-in properties of the user account also provide a set of restrictions. Where applicable, user account connection restrictions override the remote access policy profile connection restrictions. Remote access policy profile restrictions include connection settings (such as maximum connection time or an idle timeout), IP packet filtering, required authentication protocols, and required encryption strengths.
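As an added example that is not part of the original text or of Windows itself, this Python model walks through the evaluation order described above (ordered policies, all conditions must match, reject when nothing matches, account dial-in properties overriding the profile); the policy names, groups, users and limits are constructed.

```python
"""Model of remote access policy evaluation as described above: policies
are tried in order, the first whose conditions ALL match decides, an
attempt matching no policy is rejected, and the matched policy's profile
supplies restrictions that the user account's dial-in properties override.

Added example, not code from the page and not Windows Server 2003 code;
policy names, groups, users and limits are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Profile:
    max_session_minutes: Optional[int] = None
    idle_timeout_minutes: Optional[int] = None
    auth_methods: frozenset = frozenset()   # permitted auth protocols (empty = any)
    min_encryption: str = "none"            # required encryption strength


@dataclass
class Policy:
    name: str
    conditions: dict                        # every condition must match the attempt
    grant: bool                             # this policy's remote access permission
    profile: Profile = field(default_factory=Profile)


@dataclass
class UserAccount:
    name: str
    groups: frozenset
    dialin: str = "policy"                  # "allow", "deny" or "policy" (control via policy)
    max_session_minutes: Optional[int] = None   # account restrictions; None = use profile
    idle_timeout_minutes: Optional[int] = None


@dataclass
class Attempt:
    user: UserAccount
    port_type: str                          # "VPN" or "dialup"
    auth_method: str                        # protocol the client negotiated, e.g. "MS-CHAPv2"
    tunnel_type: str = "PPTP"


def _matches(policy: Policy, a: Attempt) -> bool:
    """True only when every condition of the policy holds for the attempt."""
    checks = {
        "group": lambda v: v in a.user.groups,
        "port_type": lambda v: a.port_type == v,
        "tunnel_type": lambda v: a.tunnel_type == v,
    }
    return all(key in checks and checks[key](value)
               for key, value in policy.conditions.items())


def evaluate(policies: list, a: Attempt) -> tuple:
    """Return (accepted, reason, effective restrictions or None)."""
    for p in policies:
        if not _matches(p, a):
            continue                        # not this policy; try the next one in order
        # The account's dial-in property wins over the policy's permission.
        if a.user.dialin == "deny":
            return False, f"{p.name}: dial-in denied on account", None
        if a.user.dialin == "policy" and not p.grant:
            return False, f"{p.name}: policy denies access", None
        if p.profile.auth_methods and a.auth_method not in p.profile.auth_methods:
            return False, f"{p.name}: {a.auth_method} is not a permitted auth method", None
        eff = Profile(**vars(p.profile))
        # Account dial-in restrictions override the profile restrictions where set.
        if a.user.max_session_minutes is not None:
            eff.max_session_minutes = a.user.max_session_minutes
        if a.user.idle_timeout_minutes is not None:
            eff.idle_timeout_minutes = a.user.idle_timeout_minutes
        return True, f"{p.name}: access granted", eff
    return False, "no policy matched all conditions; rejected", None


# Constructed sample policy set, in the order an administrator would place
# them: a deny rule for contractors first, then the general employee rule.
POLICIES = [
    Policy("Contractors - no VPN", {"group": "Contractors", "port_type": "VPN"}, grant=False),
    Policy("Employees - VPN", {"group": "Employees", "port_type": "VPN"}, grant=True,
           profile=Profile(max_session_minutes=480, idle_timeout_minutes=30,
                           auth_methods=frozenset({"MS-CHAPv2", "EAP-TLS"}),
                           min_encryption="strong")),
]

ALICE = UserAccount("alice", frozenset({"Employees"}), idle_timeout_minutes=10)
BOB = UserAccount("bob", frozenset({"Employees", "Contractors"}))
CAROL = UserAccount("carol", frozenset({"Guests"}))

if __name__ == "__main__":
    for att in (Attempt(ALICE, "VPN", "MS-CHAPv2"), Attempt(BOB, "VPN", "MS-CHAPv2"),
                Attempt(CAROL, "VPN", "MS-CHAPv2"), Attempt(ALICE, "VPN", "PAP")):
        print(att.user.name, evaluate(POLICIES, att)[:2])
```

Note that bob is rejected even though he is an employee: the contractor deny policy comes first in the order and matches all of its conditions, so evaluation stops there.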

Scalability

Redundancy and load balancing are accomplished using either Domain Name System (DNS) or Network Load Balancing (NLB):

· Round-robin DNS is used to split requests among a number of VPN servers that share a common security perimeter. A security perimeter has one external DNS name—for example, microsoft.com—but several IP addresses, and loads are randomly distributed across all the IP addresses.

· With NLB, a cluster of VPN server computers can provide high availability and load balancing for both PPTP and L2TP/IPSec connections. NLB is available only with the Enterprise Edition or the Datacenter Edition of Windows Server 2003. NLB is not available on Windows Server 2003 Standard Edition or Web Edition.

RADIUS

The RADIUS protocol is a popular method for managing remote user authentication and authorization. RADIUS is a lightweight, UDP-based protocol. RADIUS servers can be located anywhere on the Internet and provide authentication (including PPP PAP, CHAP, MS-CHAP, MS-CHAPv2, and EAP) and authorization for access servers such as NASes and VPN servers.

In addition, RADIUS servers can provide a proxy service to forward authentication requests to distant RADIUS servers. For example, many ISPs have agreements to allow roaming subscribers to use local services from the nearest ISP for dial-up access to the Internet. These roaming alliances take advantage of the RADIUS proxy service. If an ISP recognizes a user name as being a subscriber to a remote network, the ISP uses a RADIUS proxy to forward the access request to the appropriate network.

Windows Server 2003 includes a RADIUS server and proxy, IAS, which is an optional Windows networking component. It is installed from Control Panel > Add Or Remove Programs > Add/Remove Windows Components: select Networking Services, click Details, and then select Internet Authentication Service.

Connection Manager and Managed VPN Connections

To deploy the configuration of a large number of VPN remote access clients for enterprise or outsourced dial scenarios, use Connection Manager (CM). CM is a set of components included with Windows Server 2003 that consists of the following:

· Connection Manager (CM) client dialer

· Connection Manager Administration Kit (CMAK)

· Connection Point Services (CPS)

Connection Manager Client Dialer

The CM client dialer is software that can be installed on each VPN client. It includes advanced features that make it a superset of basic remote access networking. At the same time, CM presents a simplified dialing experience to the user. It limits the number of configuration options that a user can change, ensuring that the user can always connect successfully. For example, with the CM client dialer, a user can:

· Select from a list of phone numbers to use, based on physical location (for an outsourced VPN solution)

· Use customized graphics, icons, messages, and help

· Automatically create a dial-up connection before the VPN connection is made

· Run custom actions during various parts of the connection process, such as pre-connect and post-connect actions (executed before or after the dial-up or VPN connection is completed)

A customized CM client dialer package, also known as a profile, is a self-extracting executable file that is created by a network administrator with the CMAK. The CM profile is distributed to VPN users via CD-ROM, e-mail, Web site, or file share. When the user runs the CM profile, it automatically configures the appropriate dial-up and VPN connections. The CM profile does not require a specific version of Windows. It will configure connections for computers running Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, Windows Me, and Windows 98.

Connection Manager Administration Kit

The CMAK is an optional management tool installed from:

· Add Or Remove Programs (in Control Panel) on a computer running Windows Server 2003. You must specify Connection Manager Administration Kit in the Management And Monitoring Tools category of Windows components.

· Windows Server 2003 Administration Tools on a computer running Windows XP. You must run the Adminpak.msi file from the \I386 folder on a Windows Server 2003 CD-ROM. After it is installed, you can run CMAK from Administrative Tools.

CMAK is a wizard that guides you through a variety of options when configuring a CM profile and creates the profile to distribute to your VPN users.

Connection Point Services

CPS allows you to create, distribute, and update custom phone books. Phone books contain one or more Point of Presence (POP) entries. Each POP has a telephone number used to access a dial-up network or the Internet. Phone books give users complete POP information, so when they travel they can connect to different organization or Internet access points based on location, rather than having to use a toll-free or long-distance number.

Without the ability to update phone books, users would not only have to contact their organization’s technical support staff to obtain changes in POP information, they would also have to reconfigure their client dialer software.

CPS is a combination of:

· Phone Book Administrator. A tool used to both create and maintain phone book files and publish new or updated phone book files on the phone book server.

· Phone Book Server. A computer running Windows Server 2003 and Internet Information Services (IIS) (including the FTP Publishing Service) and an Internet Server Application Programming Interface (ISAPI) extension that processes phone book update requests from CM clients.

The Phone Book Administrator is a tool that is installed by running Pbainst.exe from the Valueadd\Msft\Mgmt\Pba folder on the Windows Server 2003 product CD-ROM. Once it is installed, you can run Phone Book Administrator from Start > All Programs > Administrative Tools. You are not required to run the Phone Book Administrator on the phone book server.

You can use the Phone Book Administrator to create phone book entries and regions and publish them in the SystemRoot\Program Files\PBA\PhoneBookFileName folder of the phone book server.

After the phone book is configured and published, the CM profile is created with CMAK and configured with:

· Automatically downloaded phone book updates

· The phone book file

· The name of the phone book server

OSI LAYER MODEL

Introduction
During the early years of our modern computer era, very few standards and protocols existed between various manufacturers. However, as time went on and computer technology continued to improve and become more widespread, it became apparent that standards would be necessary to ensure compatibility. This was especially true with regard to networks, and networking technology. Since the main purpose of a network is to share information, a standard that governs how this information is formatted, transmitted, received and verified would make it possible for information to be shared openly, even when dealing with dissimilar networks.

This need for a standard means of implementing open communications led the ISO and ANSI to develop the seven-layer network communications model known as Open Systems Interconnection (OSI). By providing guidelines regarding the way network equipment should be manufactured and how network operating systems communicate on a network, the OSI model became the common link that allows data to be transmitted and exchanged reliably. Although it does not actually perform any functions or do any of the actual work, the OSI model defines the way things should be done by the software and hardware on a network so that communications can take place between two computers or nodes.

In this way, the OSI model provides a universal set of rules that make it possible for various manufacturers and developers to create software and hardware that is compatible with each other. This makes for organized communications. As I thought about this, I related it to the freeways that connect the various states of the mainland U.S. Because all of these freeways were constructed with the same set of standards regarding the width of each lane, the proper side that a person should drive on, the speed at which they should travel, and so on, people can comfortably drive across the country in an organized and efficient manner and car manufacturers are able to design cars within these guidelines as well. On the other hand, if each state had devised its own set of rules, each differing from the other, not only would there be a lot more chaos on the roads, but also car manufacturers would have a hard time designing vehicles that would be compatible with each state's roads. To me, this illustrates the importance of the OSI model with respect to network communications. Not only is it the foundation for all network communications today, but also because it is such a fundamental part of these communications, it becomes very apparent to me that it is very important for a network technician to understand the OSI model in full detail.
The OSI model is made up of the following layers: the physical, data link, network, transport, session, presentation and application. Together, these seven layers are collectively referred to as a stack. As a node receives data, each layer starting with the physical layer extracts the various portions of the packet and this process works its way up to the application layer. When data is sent, it begins at the application layer and travels down to the physical layer. The information is pushed to the next layer of the stack by means of commands called primitives. Each layer uses a peer protocol to encode the information, which ensures that the same layer on the receiving node will be able to understand the information.

Physical Layer
Beginning at the bottom, the first layer is the physical layer. It governs the actual voltages, type of electrical signals, mechanical connections and other items relating to the actual data transmission medium. This includes cabling types, distances and connectors, as well as protocols like CSMA/CD.
Data Link Layer
The next layer is the data link layer. This is the layer that actually constructs the frames, and it also performs error checking using a CRC. It ensures that the frames are sent up to the next layer in the same order that they were received, providing an error-free virtual path to the network layer. The data link layer consists of two sublayers, the logical link control (LLC) and the media access control (MAC), which provide reliable communications by ensuring the data link is not broken and by examining frame address information. A bridge is an example of a device that works at this layer. A bridge learns, forwards and filters traffic by examining the layer 2 MAC address, which helps segment network traffic. More recently, bridges have been replaced by switches, which perform the same functions as a bridge but can do so on each port.
Network Layer
Moving up to the next layer in the stack we come to the network layer. This layer actually routes packets of data, finding a path (both physical and logical) to the receiving or destination computer. It provides a unique address for each node through address resolution. One of the most common protocols for routing information at this layer is the Internet Protocol (IP). An example of hardware that operates at this layer is a router. Although routers are often used to allow a LAN to access a WAN, layer 3 switches can also provide routing capabilities, and often do so at full wire speed.
Transport Layer
The transport layer makes sure that the data arrives without errors, in the proper sequence and in a reliable condition. It uses flow control to make sure that information is sent at a speed the receiving device can handle, and it breaks large data into smaller messages and reassembles them at the receiving node. An example protocol at this layer is the Transmission Control Protocol (TCP). Layer 4 switches can use the port information found in the TCP header to provide QoS (Quality of Service) and load balancing.
Session Layer
The session layer establishes the link between two nodes and ensures that the link is maintained and then disconnected. This is referred to as the session. It also makes sure the session is orderly, establishing which node transmits first, how long it can transmit, and what to do in case of an error. It also handles the security of the session.
Presentation Layer
The presentation layer deals with the actual formatting of the data. It handles compression, encryption, as well as translation to make sure differences in formatting can be read by the receiving node. For example, data might be converted from EBCDIC to ASCII formatting so that the receiving node can understand it.
Application Layer
This brings us to the seventh and final layer, the application layer. It allows applications access to network services, such as file and printer sharing, as well as file transfer and management services. This would be the layer that a programmer uses to allow his application to access a network service, such as linking into a database.
Although this explains the flow of data and what processes are performed by each layer starting with the physical layer and working to the top, or application, layer, the process would be the same, only reversed, for data flowing from the application layer and down to the bottom, or the physical layer.
Conclusion

By adhering to this standard model of communications, modern networks, including the Internet, have come into existence. For anyone interested in implementing and supporting today's modern networks, an understanding of the OSI model and its various layers is crucial. Indeed, this standard of communications lays the foundation for all of today's modern network hardware and software.

NETWORK GLOSSARY

AppleTalk
A communications protocol developed by Apple Computer to allow networking between Macintoshes. All Macintosh computers have a LocalTalk port, running AppleTalk over a 230 Kbps serial line. AppleTalk also runs over Ethernet (EtherTalk) and Token Ring (TokenTalk).
Auto-Negotiate
Clause 28 of the IEEE 802.3u standard specifies a MAC sublayer for the identification of the speed and duplex mode of connection being supported by a device. Support of this feature is optional for individual vendors.
Auto-sense
Ability of a 10/100 Ethernet device to interpret the speed or duplex mode of the attached device and to adjust to that rate. Official term is Auto-Negotiation in Clause 28 of the IEEE 802.3u standard.
AUI
Attachment Unit Interface. A 15-pin shielded, twisted pair Ethernet cable used (optionally) to connect between network devices and a MAU.
Autobaud
Automatic determination and matching of transmission speed.
AWG
American Wire Gauge. A system that specifies wire size. The gauge number varies inversely with the wire diameter.
Backbone
The main cable in a network.
Bandwidth on Demand
Feature that allows a remote access device to initiate a second connection to a particular site when the amount of data transferred to that site exceeds a configured threshold. The network manager configuring the remote access server specifies a number of bits or a percentage of connection bandwidth as the threshold that triggers the secondary connection. Multilink PPP is an emerging standard to make this feature interoperable, but right now the only way to ensure correct operation is to use devices from the same vendor at both ends.
Baseband LAN
A LAN that uses a single carrier frequency over a single channel. Ethernet, Token Ring and Arcnet LANs use baseband transmission.
Baud
Unit of signal frequency in signals per second. Not synonymous with bits per second since signals can represent more than one bit. Baud equals bits per second only when the signal represents a single bit.
Binaries
Binary, machine-readable forms of programs that have been compiled or assembled, as opposed to source-language forms of programs.
Binary
Characteristic of having only two states, such as current on and current off. The binary number system uses only ones and zeros.
Bitronics
Specification for parallel printing which allows bidirectional communication on a Centronics-type interface. Pioneered by Hewlett-Packard, mainly used for postscript printers.
Bit
The smallest unit of data processing information. A bit (or binary digit) assumes the value of either 1 or 0.
BNC
A standardized connector used with Thinnet and coaxial cable.
BOOTP
A TCP/IP network protocol that lets network nodes request configuration information from a BOOTP "server" node.
bps
Bits per second, units of transmission speed.
Bridge
A networking device that connects two LANs and forwards or filters data packets between them, based on their destination addresses. Bridges operate at the data link level (or MAC-layer) of the OSI reference model, and are transparent to protocols and to higher level devices like routers.
Broadband
A data transmission technique allowing multiple high-speed signals to share the bandwidth of a single cable via frequency division multiplexing.
Broadband Network
A network that uses multiple carrier frequencies to transmit multiplexed signals on a single cable. Several networks may coexist on a single cable without interfering with one another.
Brouter
A device that routes specific protocols, such as TCP/IP and IPX, and bridges other protocols, thereby combining the functions of both routers and bridges.
Bus
A LAN topology in which all the nodes are connected to a single cable. All nodes are considered equal and receive all transmissions on the medium.
Byte
A data unit of eight bits.
Channel
The data path between two nodes.
CHAP
(Challenge Handshake Authentication Protocol) Authentication scheme for PPP in which the password is required not only to begin the connection but also during it; failure to answer a challenge correctly, either at login or later in the connection, results in disconnection.
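The challenge/response mechanism this entry describes, together with the earlier point that a VPN client proves knowledge of the password without ever sending it, shown in Python as an added example (not from the original page); the secret, the session flow and the re-challenge count are constructed, and the response formula is the MD5 one from RFC 1994.

```python
"""CHAP (RFC 1994) with the MD5 algorithm: the authenticator sends a fresh
random challenge, the peer answers with MD5(Identifier || secret ||
Challenge), and the authenticator recomputes the same value from its own
copy of the secret. The secret itself never crosses the link, and the
check can be repeated at any time during the connection.

Added example, not code from the page; the secret and session flow are
constructed. Note that MD5 here is the algorithm the RFC specifies, not a
recommendation; this is a model of the protocol, not a production library.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response = MD5(Identifier || secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: holds the secret, issues challenges, verifies responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._ident = 0
        self._outstanding = {}        # identifier -> challenge issued, not yet answered

    def challenge(self, rand=os.urandom) -> tuple:
        """Issue a new (Identifier, Challenge) pair; the challenge is fresh each time."""
        self._ident = (self._ident + 1) & 0xFF
        chal = rand(16)
        self._outstanding[self._ident] = chal
        return self._ident, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        """Accept only a response to a challenge we issued and have not yet consumed."""
        chal = self._outstanding.pop(identifier, None)
        if chal is None:
            return False              # unknown identifier, or a replay of a used one
        expected = chap_response(identifier, self._secret, chal)
        return hmac.compare_digest(expected, response)


def run_session(secret_on_server: bytes, secret_on_peer: bytes, rechallenges: int = 2) -> list:
    """Login challenge followed by periodic re-challenges; returns the verdicts.

    A peer whose secret no longer matches fails the next re-challenge, which
    is the point at which the glossary entry says the link is dropped.
    """
    auth = Authenticator(secret_on_server)
    verdicts = []
    for _ in range(1 + rechallenges):
        ident, chal = auth.challenge()
        verdicts.append(auth.verify(ident, chap_response(ident, secret_on_peer, chal)))
    return verdicts


if __name__ == "__main__":
    print("matching secrets:", run_session(b"s3cret", b"s3cret"))
    print("wrong secret:    ", run_session(b"s3cret", b"wrong"))
```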
Coaxial Cable
An electrical cable with a solid wire conductor at its center surrounded by insulating materials and an outer metal screen conductor with an axis of curvature coinciding with the inner conductor - hence "coaxial." Examples are standard Ethernet cable and Thinwire Ethernet cable.
Collision
The result of two network nodes transmitting on the same channel at the same time. The transmitted data is not usable.
Collision Detect
A signal indicating that one or more stations are contending with the local station's transmission. The signal is sent by the Physical layer to the Data Link layer on an Ethernet/IEEE 802.3 node.
Communication Server
A dedicated, standalone system that manages communications activities for other computers.
Console
The terminal used to configure network devices at boot (start-up) time.
Crosstalk
Noise passed between communications cables or device elements.
Cut-through
Technique for examining incoming packets whereby an Ethernet switch looks only at the first few bytes of a packet before forwarding or filtering it. This process is faster than looking at the whole packet, but it also allows some bad packets to be forwarded.
CSMA/CD
Carrier Sense Multiple Access with Collision Detection is the Ethernet media access method. All network devices contend equally for access to transmit. If a device detects another device's signal while it is transmitting, it aborts transmission and retries after a brief pause.
Data Link
A logical connection between two nodes on the same circuit.
Data Link Layer
Layer 2 of the seven-layer OSI reference model for communication between computers on networks. This layer defines protocols for data packets and how they are transmitted to and from each network device. It is a medium-independent, link-level communications facility on top of the Physical layer, and is divided into two sublayers: medium-access control (MAC) and logical-link control (LLC).
DECnet™
Digital Equipment Corporation (DEC) proprietary network architecture, a system for networking computers. It runs on point-to-point, X.25 and Ethernet networks.
Dial on Demand
When a router detects the need to initiate a dial-up connection to a remote network, it does so automatically according to pre-defined parameters set by the network manager.
Dialback
A security feature that ensures people do not log into modems that they shouldn't have access to. When a connection is requested, the system checks the user name for validity, then "dials back" the number associated with that user name.
Distributed Processing
A system in which each computer or node in the network performs its own processing and manages some of its data while the network facilitates communications between the nodes.
Domain Name
A domain name is a text name appended to a host name to form a unique host name across internets.
Download
The transfer of a file or information from one network node to another. Generally refers to transferring a file from a "big" node, such as a computer, to a "small" node, such as a terminal server or printer.
End Node
A node such as a PC that can only send and receive information for its own use. It cannot route and forward information to another node.
Ethernet
The most popular LAN technology in use today. The IEEE standard 802.3 defines the rules for configuring an Ethernet network. It is a 10 Mbps, CSMA/CD baseband network that runs over thin coax, thick coax, twisted pair or fiber optic cable.
EtherTalk
Apple Computer's protocol for Ethernet transmissions.
FDDI
Fiberoptic Data Distribution Interface. A cable interface capable of transmitting data at 100 Mbps. Originally specified for fiber lines, FDDI can also operate over twisted-pair cable for short distances.
Fiber-Optic Cable
A transmission medium composed of a central glass optical fiber cable surrounded by cladding and an outer protective sheath. It transmits digital signals in the form of modulated light from a laser or LED (light-emitting diode).
File Server
A computer that stores data for network users and provides network access to that data.
Filtering
Process whereby an Ethernet switch or bridge reads the contents of a packet and then finds that the packet does not need to be forwarded, and drops it. A filtering rate is the rate at which a device can receive packets and drop them without any loss of incoming packets or delay in processing.
Firmware
Alterable programs in semipermanent storage, e.g., some type of read-only or flash reprogrammable memory.
Forwarding
Process whereby an Ethernet switch or bridge reads the contents of a packet and then passes that packet on to the appropriate attached segment. A forwarding rate is the time that it takes the device to execute all of the steps.
Flash ROM
See ROM.
Framing
Dividing data for transmission into groups of bits, and adding a header and a check sequence to form a frame.
FTP
File Transfer Protocol, a TCP/IP protocol for file transfer.
Full-Duplex
Independent, simultaneous two-way transmission in both directions, as opposed to half-duplex transmission.
Gateway
A device for interconnecting two or more dissimilar networks. It can translate all protocol levels from the Physical layer up through the Applications layer of the OSI model, and can therefore interconnect entities that differ in all details.
Hardware Address
See Network Address.
Header
The initial part of a data packet or frame containing identifying information such as the source of the data, its destination, and length.
Heartbeat
Ethernet defined SQE signal quality test function.
Hertz (Hz)
A frequency unit equal to one cycle per second.
Host
Generally a node on a network that can be used interactively, i.e., logged into, like a computer.
Host Table
A list of TCP/IP hosts on the network along with their IP addresses.
IEEE 802.3
The IEEE (Institute of Electrical and Electronic Engineers) standard that defines the CSMA/CD media-access method and the physical and data link layer specifications of a local area network. Among others, it includes 10BASE2, 10BASE5, 10BASE-FL and 10BASE-T Ethernet implementations.
Internet
A series of interconnected local, regional, national and international networks, linked using TCP/IP. Internet links many government, university and research sites. It provides E-mail, remote login and file transfer services.
Internetworking
General term used to describe the industry composed of products and technologies used to link networks together.
IP Address
See Network Address.
IPX
Internetwork Packet eXchange, a NetWare protocol similar to IP (Internet Protocol).
ISDN
Integrated Services Digital Network, an all-digital service provided by telephone companies. Provides 144K bps over a single phone line (divided into two 64K bps "B" channels and one 16K bps "D" channel).
ISO Layered Model
The International Standards Organization (ISO) sets standards for computers and communications. Its Open Systems Interconnection (OSI) reference model specifies how dissimilar computing devices such as Network Interface Cards (NICs), bridges and routers exchange data over a network. The model consists of seven layers. From lowest to highest, they are: Physical, Data Link, Network, Transport, Session, Presentation and Application. Each layer performs services for the layer above it.
Jabber
Network error caused by an interface card placing corrupted data on the network. Or, an error condition due to an Ethernet node transmitting longer packets than allowed.
Kbps
Kilobits per second.
Kermit
A popular file transfer and terminal emulation program.
LAN
Local Area Network, a data communications system consisting of a group of interconnected computers, sharing applications, data and peripherals. The geographical area is usually a building or group of buildings.
LAT
Local Area Transport, a Digital Equipment Corporation proprietary network communication protocol. The protocol is based on the idea of a relatively small, known number of hosts on a local network sending small network packets at regular intervals. LAT will not work on a wide area network scale, as TCP/IP does.
Latency
The delay incurred by a switching or bridging device between receiving the frame and forwarding the frame.
Layer
In networks, layers refer to software protocol levels comprising the architecture, with each layer performing functions for the layers above it.
Line Speed
Expressed in bps, the maximum rate at which data can reliably be transmitted over a line using given hardware.
Load Balancing
Shifting a user job from a more heavily loaded resource to a less loaded resource.
Local Network Interconnect (LNI)
A Port Multiplier, or concentrator supporting multiple active devices or communications controllers, either used standalone or attached to standard Ethernet cable.
LocalTalk
Apple Computer's proprietary 230 Kbps baseband network protocol. It uses the CSMA/CD access method over unshielded twisted pair wire.
Logical Link
A temporary connection between source and destination nodes, or between two processes on the same node.
LPD
Line Printer Daemon, a process on Berkeley spooler implementations that provides LPR support.
LPR
The LPR command is used to queue print jobs on Berkeley queuing systems.
MAU
Medium Attachment Unit, a device used to convert signals from one Ethernet medium to another.
Mbps
Megabits per second.
MIB
Management Information Base, a database of network parameters used by SNMP and CMIP (Common Management Information Protocol) to monitor and change network device settings. It provides a logical naming of all information resources on the network that are pertinent to the network's management.
MII
Media Independent Interface, a new standard developed for Fast Ethernet in the IEEE 802.3u specification. It is the Fast Ethernet equivalent of the AUI in 10 Mbps Ethernet, allowing different types of Fast Ethernet media to be connected to a Fast Ethernet device via a common interface.
MJ
Modular Jack. A jack used for connecting voice cables to a faceplate, as for a telephone.
MMJ
Modified Modular Jack. These are the 6-pin connectors used to connect serial terminal lines to terminal devices. MMJs can be distinguished from the similar RJ12 jacks by having a side-locking tab, rather than a center-mounted one.
Modem
A modulator-demodulator device for changing transmission signals from digital to analog for transmission over phone lines. Used in pairs, one is required at each end of the line.
MOP
Maintenance Operations Protocol, a DEC protocol used for remote communications between hosts and servers.
Multicast
A multicast is a message that is sent out to multiple devices on the network by a host.
Multilink PPP
The ability of a dialup device to allocate more than one channel of bandwidth to a particular connection. Generally, this is termed to be the ability of an ISDN device to bond two B-channels together into a single data pipe, but some vendors can perform the same function with asynchronous dial-up connections over modems by having a second connection initiated to support the additional bandwidth requirements.
Multiplexer
A device that allows several users to share a single circuit. It funnels different data streams into a single stream. At the other end of the communications link, another multiplexer reverses the process by splitting the data stream back into the original streams.
Multiplexing
Transmitting multiple signals simultaneously on a single channel.
Multiport Repeater
A repeater, either standalone or connected to standard Ethernet cable, for interconnecting up to eight Thinwire Ethernet segments.
Name Server
Software that runs on network hosts charged with translating (or resolving) text-style names into numeric IP addresses.
NCP
Network Control Program, a program run on VMS machines to configure local network hardware and remote network devices.
NetWare
A Novell developed Network Operating System (NOS). Provides file and printer sharing among networks of Personal Computers (PCs). Each NetWare network must have at least one file server, and access to other resources is dependent on connecting to and logging into the file server. The file server controls user logins and access to other network clients, such as user PCs, print servers, modem/fax servers, disk/file servers, etc.
NetBIOS/NetBEUI
Microsoft's networking protocols for its LAN Manager and Windows NT products.
Network
An interconnected system of computers that can communicate with each other and share files, data and resources.
Network Address
Every node on a network has one or more addresses associated with it, including at least one fixed hardware address such as "ae-34-2c-1d-69-f1" assigned by the device's manufacturer. Most nodes also have protocol specific addresses assigned by a network manager.
Network Management
Administrative services for managing a network, including configuring and tuning, maintaining network operation, monitoring network performance, and diagnosing network problems.
NIC
Network Interface Card, an adapter card that is inserted into a computer, and contains the necessary software and electronics to enable the station to communicate over the network.
Node
Any intelligent device connected to the network. This includes terminal servers, host computers, and any other devices (such as printers and terminals) that are directly connected to the network. A node can be thought of as any device that has a "hardware address."
NOS
Network Operating System, the software for a network that runs in a file server and controls access to files and other resources from multiple users. It provides security and administrative tools. Novell's NetWare, Banyan's VINES and IBM's LAN Server are NOS examples.
Open System Interconnect (OSI)
See "ISO."
Packet
A series of bits containing data and control information, including source and destination node addresses, formatted for transmission from one node to another.
PAP
(Password Authentication Protocol) Authentication scheme for PPP links. A password can be specified for both devices on a remote link. Failure to authenticate will result in a dropped connection prior to start of data transmission.
Physical Address
An address identifying a single node.
Physical Layer
Layer 1, the bottom layer of the OSI model, is implemented by the physical channel. The Physical layer insulates Layer 2, the Data Link layer, from medium-dependent physical characteristics such as baseband, broadband or fiber-optic transmission. Layer 1 defines the protocols that govern transmission media and signals.
Point-to-Point
A circuit connecting two nodes only, or a configuration requiring a separate physical connection between each pair of nodes.
Port
The physical connector on a device enabling the connection to be made.
Port Multiplier
A concentrator providing connection to a network for multiple devices.
PostScript
A printer/display protocol developed by Adobe Corp. PostScript is an actual printing and programming language to display text and graphics. Unlike line/ASCII printers, which print character input verbatim, PostScript printers accept and interpret an entire PostScript page before printing it.
PPP
Point-to-Point Protocol. The successor to SLIP, PPP provides router-to-router and host-to-network connections over both synchronous and asynchronous circuits.
Print Server
A dedicated computer that manages printers and print requests from other nodes on the network.
PROM
Programmable ROM, a read-only memory whose data content can be altered.
Protocol
Any standard method of communicating over a network.
Remote Access
Access to network resources not located on the same physical Ethernet. (Physical Ethernet here refers to an entire site network topology.)
Remote Control
Form of remote access where a device dialing in assumes control of another network node - all keystrokes on the remote are translated into keystrokes on the network node. Used primarily with IPX protocol.
Remote Node
Form of remote access where the device dialing in acts as a peer on the target network. Used with both IP and IPX protocols.
Repeater
A repeater is a network device that repeats signals from one cable onto one or more other cables, while restoring signal timing and waveforms.
Ring
A network topology in which the nodes are connected in a closed loop. Data is transmitted from node to node around the loop, always in the same direction.
RMON
SNMP-based standard for reporting various network conditions. RMON has 10 different management groups which provide detailed information about a network.
Rlogin
Rlogin is an application that provides a terminal interface between UNIX hosts using the TCP/IP network protocol. Unlike Telnet, Rlogin assumes the remote host is (or behaves like) a UNIX machine.
ROM
Read-Only Memory, a memory device that retains its information even when power to it is removed. A ROM version of a network device does not need to download, since the ROM contains the entire executable code and thus never needs to reload it. Frequently the ROM is provided as "flash ROM", which can be reprogrammed by downloading if the user chooses.
Router
Device capable of filtering/forwarding packets based upon data link layer information. Whereas a bridge or switch may only read MAC layer addresses to filter, routers are able to read data such as IP addresses and route accordingly.
RTEL
Lantronix's "reverse Telnet" software allows hosts using TCP/IP to establish a session with a device attached to a terminal server port.
Server
A computer that provides resources to be shared on the network, such as files (file server) or terminals (terminal server).
Session
A connection to a network service.
Shared Ethernet
Ethernet configuration in which a number of segments are bound together in a single collision domain. Hubs produce this type of configuration where only one node can transmit at a time.
SLIP
Serial Line Internet Protocol, a protocol for running TCP/IP over serial lines.
SNA
Systems Network Architecture. IBM's layered protocols for mainframe communications.
SNMP
Simple Network Management Protocol, allows a TCP/IP host running an SNMP application to query other nodes for network-related statistics and error conditions. The other hosts, which provide SNMP agents, respond to these queries and allow a single host to gather network statistics from many other network nodes.
Source Code
Programs in an uncompiled or unassembled form.
Spanning Tree
An algorithm used by bridges to create a logical topology that connects all network segments, and ensures that only one path exists between any two stations.
Store and Forward
Technique for examining incoming packets on an Ethernet switch or bridge whereby the whole packet is read before forwarding or filtering takes place. Store and forward is a slightly slower process than cut-through, but it does ensure that all bad or misaligned packets are eliminated from the network by the switching device.
SPX
Sequential Packet exchange. Novell's implementation of SPP (Sequential Packet Protocol).
SQE
Ethernet-defined signal quality test function, frequently called "heartbeat."
Switch
Multiport Ethernet device designed to increase network performance by allowing only essential traffic on the attached individual Ethernet segments. Packets are filtered or forwarded based upon their source and destination addresses.
T-Connector
A T-shaped device with two female and one male BNC connectors.
TCP/IP
Transmission Control Protocol (TCP) and Internet Protocol (IP) are the standard network protocols in UNIX environments. They are almost always implemented and used together and called TCP/IP.
Telnet
Telnet is an application that provides a terminal interface between hosts using the TCP/IP network protocol. It has been standardized so that "telnetting" to any host should give one an interactive terminal session, regardless of the remote host type or operating system. Note that this is very different from the LAT software, which allows only local network access to LAT hosts only.
10BASE2
Ethernet running on thin coax network cable.
10BASE5
Ethernet running on Thickwire network cable.
10BASE-T
Ethernet running on unshielded twisted pair (UTP) cable. Note that 10BASE-T is a point-to-point network media, with one end of the cable typically going to a repeater/hub and the other to the network device.
Terminal Server
A concentrator that facilitates communication between hosts and terminals.
Terminator
Used on both ends of a standard Ethernet or Thinwire Ethernet segment, this special connector provides the 50 ohm termination resistance needed for the cable.
TFTP
Trivial File Transfer Protocol. On computers that run the TCP/IP networking software, TFTP is used to quickly send files across the network with fewer security features than FTP.
Thickwire
Half-inch diameter coax cable.
Thinwire
Thin coaxial cable similar to that used for television/video hookups.
Throughput
The amount of data transmitted between two points in a given amount of time, e.g., 10 Mbps.
Token
The character sequence or frame, passed in sequence from node to node, to indicate that the node controlling it has the right to transmit for a given amount of time.
Token Ring
Developed by IBM, this 4 or 16 Mbps network uses a ring topology and a token-passing access method.
Topology
The arrangement of the nodes and connecting hardware that comprises the network. Types include ring, bus, star and tree.
Transceiver
The actual device that interfaces between the network and the local node. The term generally refers to any connector, such as a MAU, that actively converts signals between the network and the local node.
Transceiver Cable
Cable that attaches a device either to a standard or thin coax Ethernet segment.
Twisted-Pair Cable
Inexpensive, multiple-conductor cable comprised of one or more pairs of 18 to 24 gauge copper strands. The strands are twisted to improve protection against electromagnetic and radio frequency interference. The cable, which may be either shielded or unshielded, is used in low-speed communications, as telephone cable. It is used only in baseband networks because of its narrow bandwidth.
Unix
A multitasking, multiuser computer operating system developed by AT&T. Several versions exist, e.g., the Berkeley version.
UTP
Unshielded twisted pair, one or more cable pairs surrounded by insulation. UTP is commonly used as telephone wire.
Wide Area Network (WAN)
A network using common carrier transmission services for transmission of data over a large geographical area.
Workgroup Switching
Configuration in which a number of users are connected to an Ethernet network via a switch. Switching allows each user to get greater throughput than would be available through a hub.
X.25 Gateway Access Protocol
Allows a node not directly connected to a public data network to access the facilities of that network through an intermediary gateway node. X.25 is the protocol standard governing packet-switched networks.

LOCAL AREA NETWORK


LAN GLOSSARY

ATM
Asynchronous Transfer Mode is a high-speed, scalable cell switching protocol that breaks packets down into fixed 53-byte cells, well suited for quality of service transmissions of data, voice, and video.
BackPressure
The technique used for notifying end-nodes of a busy condition by sending an Ethernet jam signal requesting that end-nodes refrain from transmitting until buffers are emptied.
Bad Packet
A corrupted or damaged data packet that is often re-transmitted by other Ethernet switches (particularly cut-through switches), chewing up valuable bandwidth.
Bandwidth
The transmission capacity of a data channel, often referred to as the network's speed (for Ethernet this is 10Mbps); it can be thought of as the number of open lanes on a highway. See the Glossary item on Ethernet standards and speeds for more information.
Bottleneck
Any point or intersection in a network, often internetworking devices such as switches, that could cause a data traffic jam when several points of transmission compete for full bandwidth.
Bridge
An unintelligent MAC-layer device that connects two similar network types together to form an internetwork.
Bursty Traffic
LAN traffic that requires very high bandwidth for short periods of time and relatively low bandwidth between transmissions.
Client/Server
A model of distributed processing in which the client workstation is the requesting machine and the server is the supplying machine; processing is distributed between client and server requiring reliable communication between them for application integrity.
Cross-bar Switch
A first generation switch architecture designed for optimal point-to-point communication that inherently creates bottlenecks and introduces non-deterministic delay, not suitable for multimedia, client/server, or mission-critical environments.
Cut-through Switch
A type of switch that examines only the destination address of the Ethernet header before it begins to send the packet on its way; may introduce network errors by forwarding bad packets without checking for errors.
Data Packet
A variable-length slice of data formatted with a destination and source address, among other things, that is understandable to all devices supporting a particular protocol, such as Ethernet.
Ethernet
The IEEE 802.3 LAN standard that runs at 10Mbps bandwidth, supporting coaxial cable (10BASE5 or 10BASE2), twisted-pair (10BASET), fiber and wireless media; relying on CSMA/CD (Carrier Sense Multiple Access with Collision Detection) algorithm for channel contention arbitration.
FDDI/CDDI
Fiber Distributed Data Interface or Copper Distributed Data Interface that uses a dual counter-rotating ring, token passing protocol running at 100Mbps over fiber or copper media for CDDI.
Full-duplex Ethernet
Ethernet with only two nodes per segment running at double speed, or 20Mbps, since the nodes have no contention issues and can transmit and receive simultaneously; provides a mechanism for higher-bandwidth connections to servers and end-nodes without requiring reconfiguration or new technology deployment.
IEEE 802.1d
The industry standard for eliminating broadcast storms at the MAC layer in meshed networks that have redundant or cyclical paths.
Jitter
A flickering transmission signal or display caused by non-deterministic delay common to packet transmission devices and unacceptable for multimedia or client/server applications.
Latency
Delay introduced at any point in a network, due to processing, usually by an internetworking device such as a switch or router; non-deterministic delay causes network jitter, whereas fixed-latency devices introduce small and predictable delays at all levels of traffic load.
MAC Layer
The second layer of the Open System Interconnect (OSI) Model which bridges and switches use to determine the destination device; by contrast, routers use higher-level information of the OSI Layer 3, or Network Layer, to route data.
NAS
Network Access Storage is defined as a product that sits between the application server and the file system. The product could be hardware, software, or both.
Next-generation Technology
A quantum leap over first-generation technology because it has the benefit of learning from real-world situations and provides enhancements to previously deployed technology.
Non-blocking Switch
The ability of a switch to continue to accept transmissions from all ports at all times, effectively removing bottlenecks (blocking) at the switch port level.
Non-deterministic Delay
A variable time period during which data packets are delayed when encountering a network bottleneck or variable-length packets; introduces jitter, which is unacceptable in client/server and multimedia environments.
Redundancy
Increasing network reliability by providing multiple data paths or components so that a secondary route or device could take over in the event of the primary's failure.
SAN
Storage Access Network is defined as an architecture that sits between the application server and the file system. As such, a SAN is a separate network that connects storage and servers consisting of NAS devices.
Segmentation
Breaking up large Ethernet networks into smaller networks that are then connected by an internetworking device such as a switch, router or bridge; increases overall network bandwidth by isolating traffic and keeping unnecessary packets off segments.
SNMP
Simple Network Management Protocol, the industry standard way for devices to communicate with network management platforms.
Store-and-forward
A mechanism in which data packets are received in their entirety by a switch and examined for consistency before they are sent to their destination; reduces network errors by discarding bad packets but increases latency; also required to translate between networks of different speeds or types.
Switch
An internetworking device that intelligently segments networks to increase overall bandwidth, isolate traffic, and provide an interface to high-speed networks. A typical switch will be either a store-and-forward device or a cut-through device, one or the other, but not both at the same time.
Virtual Collision
A fake collision generated by the LANbooster to implement the BackPressure-based flow control mechanism.

DOMAIN NAME SYSTEM


DNS name structure
In the early days of the Internet, all host names and their associated IP addresses were recorded in a single file called hosts.txt, maintained by the Network Information Centre in the USA. Not surprisingly, as the Internet grew so did this file, and by the mid-80's it had become impractically large to distribute to all systems over the network, and impossible to keep up to date. The Internet Domain Name System (DNS) was developed as a distributed database to solve this problem. Its primary goal is to allow the allocation of host names to be distributed amongst multiple naming authorities, rather than centralised at a single point.

DNS names are constructed hierarchically, with the highest level of the hierarchy being the last component or label of the DNS address. Labels can be up to 63 characters long and are case insensitive. A maximum total length of 255 characters is allowed. Labels must start with a letter and can only consist of letters, digits and hyphens. [Unfortunately some administrators construct names that start with digits. This is wrong and can easily cause problems with software that simply inspects the first character of a host address to determine whether a DNS name or an IP address has been quoted.]
Note: In the early days of the Internet, users in at least one country (the United Kingdom) adopted a similar scheme with the highest hierarchical level appearing first rather than last, i.e. uk.ac.wlv.scit.sun rather than sunc.scit.wlv.ac.uk. This practice is, fortunately, obsolete.
DNS addresses can be relative or fully qualified. A fully qualified address includes all the labels and is globally unique. A relative address can be converted by appending the local domain information. For example, sunc.scit.wlv.ac.uk is a fully qualified name for the host sunc in the domain scit.wlv.ac.uk. Strictly there should be a stop at the end of a fully qualified name, but this is often overlooked.
The final, most significant label of a fully qualified name falls into one of three classes.

1. arpa

This is a special facility used for reverse translation, i.e. going from IP address to fully qualified domain address. If everything is properly configured, a suitably framed query for 1.4.220.134.in-addr.arpa will return sunc.scit.wlv.ac.uk. Details of this will be described later.

2. Three-letter codes

The DNS was originally introduced in the United States of America and the final component of an address was intended to indicate the type of organisation hosting the computer. Some of the three-letter final labels (edu, gov, mil) are still only used by organisations based in the USA; others can be used anywhere in the world.

The three-letter codes are:

code   meaning
com    Commercial. Now international.
edu    Educational.
gov    Government.
int    International Organisation.
mil    Military.
net    Network related.
org    Miscellaneous Organisation.

3. Two-letter codes

The final two-letter codes indicate the country of origin and are defined in ISO 3166, with the minor exception that uk is used for the United Kingdom rather than gb, although there are some .gb sites. [This apparently happened because the ISO committee was unaware that Northern Ireland was part of the United Kingdom but not part of Great Britain.]
The two-letter code us is used by some sites in the United States of America.
In some countries there are sub-domains indicating the type of organisation, such as ac.uk, co.uk and sch.uk in the United Kingdom and edu.au and com.au in Australia. Most European countries have not adopted this useful practice. A fuller discussion of the United Kingdom DNS domains is provided by
To obtain a domain address it is necessary to identify the administrator of the required domain; then all that is basically necessary is to send the administrator the required code and the associated IP address, and they will, if they accept the request, include the details in their databases. Conditions for acceptance vary widely between administrators, the administrators for com and org being, apparently, quite happy to accept anything from anywhere.
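The naming rules above (63-character labels, 255-character names, letter-first labels, relative versus fully qualified names, the in-addr.arpa reverse form and the three classes of top-level label) are put to work in the following Python, an added example that is not part of the original text. The sample names and the local domain scit.wlv.ac.uk are taken from the text; the function names are my own.

```python
"""DNS name handling following the rules given in the text above (constructed
example; not part of the original page). Label rules: at most 63 characters,
names at most 255 characters, labels start with a letter and contain only
letters, digits and hyphens. Names are case-insensitive."""
from __future__ import annotations

import re

LABEL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# Three-letter top-level codes and their meanings as listed in the text.
THREE_LETTER = {
    "com": "Commercial. Now international.",
    "edu": "Educational.",
    "gov": "Government.",
    "int": "International Organisation.",
    "mil": "Military.",
    "net": "Network related.",
    "org": "Miscellaneous Organisation.",
}


class DNSNameError(ValueError):
    """Raised when a name violates the label or length rules."""


def split_labels(fqdn: str) -> list[str]:
    """Split a fully qualified name (trailing stop required) into labels."""
    if not fqdn.endswith("."):
        raise DNSNameError(f"not fully qualified (no trailing stop): {fqdn!r}")
    return fqdn[:-1].split(".")


def validate(fqdn: str, allow_digit_start: bool = False) -> None:
    """Check the length and character rules. Reverse-translation names under
    in-addr.arpa necessarily begin with digits, so callers handling them pass
    allow_digit_start=True; for ordinary host names a digit-first label is the
    error the text warns about and is rejected."""
    if len(fqdn) > 255:
        raise DNSNameError("name longer than 255 characters")
    for label in split_labels(fqdn):
        if not label or len(label) > 63:
            raise DNSNameError(f"bad label length: {label!r}")
        if allow_digit_start and label.isdigit():
            continue
        if not LABEL_RE.match(label):
            raise DNSNameError(f"bad label: {label!r}")


def is_valid(fqdn: str, allow_digit_start: bool = False) -> bool:
    """Boolean wrapper around validate() for callers that do not want exceptions."""
    try:
        validate(fqdn, allow_digit_start)
    except DNSNameError:
        return False
    return True


def qualify(name: str, local_domain: str) -> str:
    """Turn a relative name into a fully qualified one by appending the local
    domain; a name with a trailing stop is taken as already fully qualified."""
    domain = local_domain.rstrip(".")
    if name.endswith("."):
        fqdn = name
    elif name.lower().endswith("." + domain.lower()):
        fqdn = name + "."           # already carries the local domain
    else:
        fqdn = f"{name}.{domain}."  # relative: append local domain
    validate(fqdn)
    return fqdn.lower()             # names are case-insensitive


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa query name for an IPv4 address: octets reversed,
    so 134.220.4.1 becomes 1.4.220.134.in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise DNSNameError(f"not an IPv4 address: {ip!r}")
    fqdn = ".".join(reversed(octets)) + ".in-addr.arpa."
    validate(fqdn, allow_digit_start=True)
    return fqdn


def classify(fqdn: str) -> tuple[str, str]:
    """Place the most significant label into one of the three classes the
    text describes: arpa, a three-letter organisation code, or an ISO 3166
    two-letter country code (uk standing in for gb)."""
    top = split_labels(fqdn)[-1].lower()
    if top == "arpa":
        return ("reverse", "arpa")
    if top in THREE_LETTER:
        return ("organisation", THREE_LETTER[top])
    if len(top) == 2 and top.isalpha():
        return ("country", top)
    raise DNSNameError(f"unknown top-level label: {top!r}")


if __name__ == "__main__":
    print(qualify("sunc", "scit.wlv.ac.uk"))      # sunc.scit.wlv.ac.uk.
    print(reverse_name("134.220.4.1"))            # 1.4.220.134.in-addr.arpa.
    print(classify("sunc.scit.wlv.ac.uk."))       # ('country', 'uk')
```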

A DNS server is just a computer that's running DNS software. Since most servers are Unix machines, the most popular program is BIND (Berkeley Internet Name Domain), but you can find software for the Mac and the PC as well.
DNS software is generally made up of two elements: the actual name server, and something called a resolver. The name server responds to browser requests by supplying name-to-address conversions. When it doesn't know the answer, the resolver will ask another name server for the information.

To see how it works, let's go back to the domain-name-space inverted tree.
When you type in a URL, your browser sends a request to the closest name server. If that server has ever fielded a request for the same host name (within a time period set by the administrator to prevent passing old information), it will locate the information in its cache and reply.
If the name server is unfamiliar with the domain name, the resolver will attempt to "solve" the problem by asking a server farther up the tree. If that doesn't work, the second server will ask yet another - until it finds one that knows. (When a server can supply an answer without asking another, it's known as an authoritative server.)

Once the information is located, it's passed back to your browser, and you're sent on your merry way. Usually this process occurs quickly, but occasionally it can take an excruciatingly long time (like 15 seconds). In the worst cases, you'll get a dialog box that says the domain name doesn't exist, even though you know damn well it does.
This happens because the authoritative server is slow to reply to the first name server, and your computer gets tired of waiting, so it times out (drops the connection). But if you try again, there's a good chance it will work, because the authoritative server has had enough time to reply, and your name server has stored the information in its cache.
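The lookup just described, as an added example that is not part of the original post: a toy iterative resolver over a constructed DNS tree, with a TTL-bounded cache and the slow-authoritative-server case. The zone data, server names, latencies and addresses are all constructed for illustration.

```python
# Added example, not from the original post: a toy iterative resolver over a
# constructed DNS tree, with a TTL-bounded cache and the slow-server case above.

# Constructed zone data: each server knows its immediate sub-domains (NS referrals)
# or, if authoritative, the final address (A) plus the TTL a cache may keep it for.
ZONES = {
    ".":          {"au.": ("NS", "ns.au.", 0)},
    "ns.au.":     {"edu.au.": ("NS", "ns.edu.au.", 0)},
    "ns.edu.au.": {"fred.xxxx.edu.au.": ("A", "192.0.2.10", 300)},   # authoritative
}
LATENCY = {"ns.edu.au.": 20}   # constructed: seconds a server takes to reply (default 0)

class Resolver:
    def __init__(self, zones=ZONES, latency=LATENCY, timeout=15):
        self.zones, self.latency, self.timeout = zones, latency, timeout
        self.cache = {}   # name -> (address, expiry time)

    def resolve(self, name, now):
        """Answer from cache if its TTL has not run out, else walk down from the root."""
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]
        server = "."
        while True:
            zone = self.zones[server]
            # longest suffix this server either delegates or answers for
            key = next((k for k in sorted(zone, key=len, reverse=True)
                        if name == k or name.endswith("." + k)), None)
            if key is None:
                return None                  # no such name anywhere in the tree
            rtype, value, ttl = zone[key]
            if rtype == "NS":
                server = value               # referral: ask the next server down
                continue
            self.cache[name] = (value, now + ttl)   # name server keeps the late answer
            if self.latency.get(server, 0) > self.timeout:
                return None                  # client gave up waiting; a retry hits the cache
            return value
```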

DNS Structure
The DNS is arranged as a hierarchy, both from the perspective of the structure of the names maintained within the DNS, and in terms of the delegation of naming authorities. At the top of the hierarchy is the root domain "." which is administered by the Internet Assigned Numbers Authority (IANA). Administration of the root domain gives the IANA the authority to allocate domains beneath the root. The process of assigning a domain to an organisational entity is called delegating, and involves the administrator of a domain creating a sub-domain and assigning the authority for allocating sub-domains of the new domain to the sub-domain's administrative entity.

This is a hierarchical delegation, which commences at the "root" of the Domain Name Space ("."). A fully qualified domain name is obtained by writing the simple names obtained by tracing the DNS hierarchy from the leaf node to the root, from left to right, separating each name with a stop ".", e.g. fred.xxxx.edu.au. is the name of a host system (fred) within the XXXX University (xxxx), an educational (edu) institution within Australia (au).

The sub-domains of the root are known as the top-level domains, and include the edu (educational), gov (government), and com (commercial) domains. Although an organisation anywhere in the world can register beneath these three-character top level domains, the vast majority that have are located within, or have parent companies based in, the United States. The top-level domains represented by the ISO two-character country codes are used in most other countries, thus organisations in Australia are registered beneath au.

The majority of country domains are sub-divided into organisational-type sub-domains. In some countries two character sub-domains are created (e.g. ac.nz for New Zealand academic organisations), and in others three character sub-domains are used (e.g. com.au for Australian commercial organisations). Regardless of the standard adopted, each domain may be delegated to a separate authority.

Organisations that wish to register a domain name, even if they do not plan to establish an Internet connection in the immediate short term, should contact the administrator of the domain which most closely describes their activities.
Even though the DNS supports many levels of sub-domains, delegations should only be made where there is a requirement for an organisation or organisational sub-division to manage their own name space. Any sub-domain administrator must also demonstrate they have the technical competence to operate a domain name server (described below), or arrange for another organisation to do so on their behalf.

Domain Name Servers
The DNS is implemented as a collection of inter-communicating nameservers. At any given level of the DNS hierarchy, a nameserver for a domain has knowledge of all the immediate sub-domains of that domain.

For each domain there is a primary nameserver, which contains authoritative information regarding Internet entities within that domain. In addition, secondary nameservers can be configured, which periodically download authoritative data from the primary server. Secondary nameservers provide backup to the primary nameserver when it is not operational, and further improve the overall performance of the DNS, since the nameservers of a domain that respond to queries most quickly are used in preference to any others.

Thus, in addition to having a primary nameserver on site, each organisation should have at least one secondary on site, and another elsewhere on the Internet, preferably well connected. This is particularly important for entities with slow speed or dial-up Internet connections to reduce use of their link to support the DNS.

Dynamic Host Configuration Protocol

http://nando.hyperphp.com

DHCP stands for Dynamic Host Configuration Protocol, and is used to centrally allocate and manage TCP/IP configurations of client nodes. If you’ve got more than a handful of computers to manage, then DHCP can help to save a great deal of time and trouble in setting up and administering a TCP/IP network. The following describes what DHCP provides and how it works.
The Dynamic Host Configuration Protocol (DHCP) provides configuration parameters to Internet hosts. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP server to a host and a mechanism for allocation of network addresses to hosts.

DHCP is built on a client-server model, where designated DHCP server hosts allocate network addresses and deliver configuration parameters to dynamically configured hosts. Throughout the remainder of this document, the term "server" refers to a host providing initialization parameters through DHCP, and the term "client" refers to a host requesting initialization parameters from a DHCP server.

A host should not act as a DHCP server unless explicitly configured to do so by a system administrator. The diversity of hardware and protocol implementations in the Internet would preclude reliable operation if random hosts were allowed to respond to DHCP requests. For example, IP requires the setting of many parameters within the protocol implementation software. Because IP can be used on many dissimilar kinds of network hardware, values for those parameters cannot be guessed or assumed to have correct defaults. Also, distributed address allocation schemes depend on a polling/defense mechanism for discovery of addresses that are already in use. IP hosts may not always be able to defend their network addresses, so that such a distributed address allocation scheme cannot be guaranteed to avoid allocation of duplicate network addresses.

DHCP supports three mechanisms for IP address allocation. In "automatic allocation", DHCP assigns a permanent IP address to a host. In "dynamic allocation", DHCP assigns an IP address to a host for a limited period of time (or until the host explicitly relinquishes the address). In "manual allocation", a host's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the host. A particular network will use one or more of these mechanisms, depending on the policies of the network administrator.

Dynamic allocation is the only one of the three mechanisms that allows automatic reuse of an address that is no longer needed by the host to which it was assigned. Thus, dynamic allocation is particularly useful for assigning an address to a host that will be connected to the network only temporarily or for sharing a limited pool of IP addresses among a group of hosts that do not need permanent IP addresses. Dynamic allocation may also be a good choice for assigning an IP address to a new host being permanently connected to a network where IP addresses are sufficiently scarce that it is important to reclaim them when old hosts are retired. Manual allocation allows DHCP to be used to eliminate the error-prone process of manually configuring hosts with IP addresses in environments where (for whatever reasons) it is desirable to manage IP address assignment outside of the DHCP mechanisms.

The format of DHCP messages is based on the format of BOOTP messages, to capture the BOOTP relay agent behavior described as part of the BOOTP specification [7, 23] and to allow interoperability of existing BOOTP clients with DHCP servers. Using BOOTP relaying agents eliminates the necessity of having a DHCP server on each physical network segment.
DHCP can quickly become an essential piece of an organization's data network. Once set up, DHCP (Dynamic Host Configuration Protocol) is usually hardly noticed, silently and faithfully performing its duties day in and day out. Unfortunately, the hardest thing about DHCP is getting it to that point.
This article discusses some of the reasons why an organization would want to use DHCP, along with the many different issues that need to be considered when designing a DHCP infrastructure. Some of these considerations include planning for IP address use. An organization needs to determine how its existing environment is used and what types of users and workstations are being utilized (such as mobile users and network devices).

In large-scale DHCP implementations, the topology of the network becomes a very important factor. The network topology dictates where DHCP servers and/or relay agents must be placed. The needs of the DHCP client must be considered, including which DHCP options are supported by the client's operating system and which options and their corresponding values need to be assigned. Finally, all of these elements are brought together to implement the DHCP scopes.

How DHCP Works

For a detailed description of DHCP, we suggest that you download RFC 1541 from any of the Internet draft repository sites. A good place to start is ds.internic.net, available via FTP, Gopher and HTTP. For a less detailed description, read on.

DHCP is an extension of BOOTP, the previous IP allocation specification. So, existing BOOTP devices can communicate with DHCP servers and allow DHCP requests to cross routers running BOOTP forwarders. This level of backward compatibility makes it easy for administrators to upgrade their network devices from BOOTP to DHCP as needed, without having to replace all of the clients at once or having to upgrade all of the routers.

Several major advancements beyond the BOOTP specifications provide significant advantages. For example, DHCP supports the concept of a "lease" whereby a server can allocate an address to a client for a specific amount of time. If you have more devices than IP addresses, using shorter leases can help to keep you from running out of addresses. If you have more addresses than devices, you can utilize permanent leases or you can assign fixed addresses to specific devices similar to BOOTP's mechanism.

Also, DHCP incorporates a much more robust dialogue during lease negotiation. Since the addresses can be assigned to the devices on an ad-hoc basis, mechanisms need to be incorporated into the assignment procedure that allow for a broader range of options, as well as for a broader range of error handling conditions. The BOOTP protocol only allowed for two types of messages (request and reply), while DHCP has seven possible message types that can be used during the address assignment sequence.

When a DHCP device attaches itself to the network for the first time, it broadcasts a DHCPDISCOVER packet. Any DHCP servers on the local segment will see the broadcast and return a DHCPOFFER packet that contains an IP address and other information. The servers may or may not conduct some sort of preliminary testing prior to offering the address, such as generating an ARP or an ICMP echo to see if the address is already in use by another node somewhere. If your network does not have a DHCP server on every segment, you will need to configure your routers to provide BOOTP relay agents that forward the broadcasts to a predefined server on a remote segment.

The client may receive multiple DHCPOFFER packets from any number of servers, so it must choose between them, and broadcast a DHCPREQUEST packet that identifies the explicit server and lease offer that it likes the best. This decision may be based on which offer has the longest lease or which offer provides the most information that the specific client needs for optimal operation (more on this later). The non-chosen servers would notice the explicit DHCPREQUEST packet and go on about their business.

Assuming that the offer is still valid, the chosen server would return a DHCPACK that tells the client the lease is finalized. If the offer is no longer valid for some reason (perhaps due to a time-out, or another client allocating the lease), then the selected server must respond with a DHCPNAK message. This would cause the client to send another DHCPDISCOVER packet, starting the process over again.

Once the client receives a DHCPACK, then all ownership and maintenance of the lease is the responsibility of the client. For example, a client may refuse an offer that is detailed in the DHCPACK message, and it is the client's responsibility to do so. Clients are supposed to test the addresses that have been offered to them by conducting ARP broadcasts. So if another node responds to the ARP, the client would assume that the offered address is in use. At this point, the client would reject the offer by sending a DHCPDECLINE message to the offering server, and would also send another DHCPDISCOVER packet, thereby starting the process yet again.

Once the client has the lease, it must be renewed prior to the lease expiration through another DHCPREQUEST message. If a client finishes using a lease prior to its expiration date, the client is supposed to send a DHCPRELEASE message to the server so that the lease can be made available to other nodes. If the server doesn't hear from the client by the end of the lease, it marks the lease as non-renewed, and makes it available for other clients to use.
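The DISCOVER/OFFER/REQUEST/ACK exchange above, including the NAK, DECLINE and lease-expiry cases, as an added example that is not part of the original post: a toy in-memory model of two DHCP servers and a client that picks the longest lease and ARP-checks the result. Server names, address pools, client ids and the `arp_in_use` probe are all constructed stand-ins for the real packets and wire checks.

```python
# Added example, not from the original post: toy model of the DHCP lease exchange
# described above (constructed addresses, messages reduced to dicts, stub ARP probe).

class DhcpServer:
    def __init__(self, name, pool, lease_secs):
        self.name, self.lease_secs = name, lease_secs
        self.free = list(pool)   # addresses neither offered nor leased
        self.offers = {}         # client_id -> address tentatively offered
        self.leases = {}         # address -> (client_id, expiry time)

    def discover(self, client_id, now):   # DHCPDISCOVER -> DHCPOFFER, or silence
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:             # lease ran out unrenewed: reclaim it
                del self.leases[ip]
                self.free.append(ip)
        if not self.free:
            return None
        ip = self.offers[client_id] = self.free.pop(0)
        return {"type": "DHCPOFFER", "server": self.name, "ip": ip, "lease": self.lease_secs}

    def request(self, client_id, ip, now):   # DHCPREQUEST -> DHCPACK or DHCPNAK
        if self.offers.pop(client_id, None) != ip:   # offer lapsed or never made
            return {"type": "DHCPNAK", "server": self.name}
        self.leases[ip] = (client_id, now + self.lease_secs)
        return {"type": "DHCPACK", "server": self.name, "ip": ip, "lease": self.lease_secs}

    def withdraw(self, client_id):   # client picked another server: recycle the offer
        ip = self.offers.pop(client_id, None)
        if ip is not None:
            self.free.append(ip)

    def decline(self, client_id, ip):   # DHCPDECLINE: ARP found it in use; park it
        self.leases.pop(ip, None)       # neither leased nor returned to the free pool

def acquire(servers, client_id, now, arp_in_use):
    """Client side: broadcast DISCOVER, take the longest lease, REQUEST, ARP-check it."""
    offers = [o for s in servers if (o := s.discover(client_id, now))]
    if not offers:
        return None
    best = max(offers, key=lambda o: o["lease"])
    for s in servers:
        if s.name != best["server"]:
            s.withdraw(client_id)
    chosen = next(s for s in servers if s.name == best["server"])
    ack = chosen.request(client_id, best["ip"], now)
    if ack["type"] == "DHCPNAK":                     # offer gone: start over
        return acquire(servers, client_id, now, arp_in_use)
    if arp_in_use(ack["ip"]):                        # duplicate detected on the wire
        chosen.decline(client_id, ack["ip"])
        return acquire(servers, client_id, now, arp_in_use)
    return ack
```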

This sequence of events is pretty straightforward and leaves a lot of room to correct any miscommunication between the clients and the servers. This is a good thing, because most of the implementations that we studied in our labs didn't follow the letter of the law very well. Only because of the negotiation