3-1 Network Implementation
3.1 Identify the basic capabilities (For example: client support, interoperability, authentication, file and print services, application support and security) of the following server operating systems to access network resources:
> UNIX / Linux
The UNIX operating systems are built around the TCP/IP protocols, and while all have certain similarities, they vary greatly in their capabilities. This is due to the variations in the additional software included with the operating system and the commercial (or non-commercial) nature of the various products. Some UNIX variants are commercial products marketed by large software companies, such as Hewlett Packard, Sun Microsystems, and IBM. Others are developed and maintained as part of the open source movement, in which volunteer programmers work on the software in their spare time, usually communicating with their colleagues over the Internet, and freely releasing their work to the public domain. There are many different UNIX operating systems that you can download from the Internet free of charge, such as FreeBSD, NetBSD, and various forms of Linux.
UNIX is primarily an application server platform, and is typically associated with Internet services, such as Web, FTP, and e-mail servers. As with Windows, UNIX systems can function as both servers and clients at the same time.
Interoperability
Open source software such as SAMBA is used to provide Windows users with Server Message Block (SMB) file sharing.
Authentication
Centralized login authentication
File and Print Services
Network File System (NFS) is a distributed file system that allows users to access files and directories located on remote computers and treat those files and directories as if they were local.
LPR/LPD is the primary UNIX printing protocol used to submit jobs to the printer. The LPR component initiates commands such as "print waiting jobs," "receive job," and "send queue state," and the LPD component in the print server responds to them.
Security
With most Unix operating systems, the network services can be individually controlled to increase security.
> Mac OS X Server
Client Support
TCP/IP file sharing with Macintosh clients using Network File System (NFS), and File Transfer Apple File Protocol 3.0
Interoperability
Mac OS X Server uses the Open Source SAMBA to provide Windows users with Server Message Block (SMB) file sharing. Network File System (NFS) lets you make folders available to UNIX and Linux users.
File and Print Services
Mac OS X Server provides support for native Macintosh, Windows, UNIX, and Linux file sharing. Protocols supported include:
- Apple file services (AFP 3.0) from any AppleShare client over TCP/IP
- Windows (SMB/CIFS) file sharing using Samba
- Network File System (NFS) for UNIX and Linux file access
- Internet (FTP)
Built-in print services can spool files to any PostScript-capable printer over TCP/IP, AppleTalk, or USB. Macintosh customers can use the LPR support in Print Center or the Desktop Printer utility to connect to a shared printer. Windows users can use their native SMB/CIFS protocol to connect to a shared printer.
Print services for OS X Server
Macintosh and UNIX (LPR/LPD)
Windows (SMB/CIFS)
Security
- Multiple-user architecture and user-level access privileges.
- Secure Sockets Layer (SSL) support provides encrypted and authenticated client/server communications.
- Secure Shell (SSH) provides encryption and authentication for secure remote administration.
- Kerberos support for centralized login authentication.
> Netware
NetWare 5
Client Support
NetWare 5 comes with Novell Client software for three client platforms: DOS and Windows 3.1x, Windows 95/98, and Windows NT.
Interoperability
You can set the Novell Clients for Windows 95/98 and Windows NT to work with one of three network protocol options: IP only, IP and IPX, or IPX only.
Authentication
Centralized login authentication
File and Print Services
File Services: NetWare offers two choices of mutually compatible file services: Novell Storage Services (NSS) and the traditional NetWare File System. Both kinds of file services let you store, organize, manage, access, and retrieve data on the network.
NSS gathers all unpartitioned free space that exists on all the hard drives connected to your server, together with any unused space in NetWare volumes, and places it into a storage pool. You create NSS volumes from this storage pool during server installation or later through NWCONFIG.
Novell Distributed Print Services (NDPS) is the default and preferred print system in NetWare. NDPS supports IP-based as well as IPX-based printing.
Security
Novell has support for a public key infrastructure built into NetWare 5 using a public certificate, developed by RSA Security.
> Windows
Windows 2000 Server:
Client Support
Windows 3.x, Windows 95, Windows 98, and Windows NT Workstation 4.0.
Interoperability
Windows 2000 Server supports UNIX, Novell NetWare, Windows NT Server 4.0, and Macintosh.
Authentication
Successful user authentication in a Windows 2000 computing environment consists of two separate processes: interactive logon, which confirms the user's identification to either a domain account or a local computer, and network authentication, which confirms the user's identification to any network service that the user attempts to access.
Types of authentication that Windows 2000 supports are:
- Kerberos V5 is used with either a password or a smart card for interactive logon. It is also the default method of network authentication for services. The Kerberos V5 protocol verifies both the identity of the user and network services.
- Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication is used when a user attempts to access a secure Web server.
File and Print Services
You can add and maintain printers in Windows 2000 using the print administration wizard, and you can add file shares using Active Directory management tools. Windows 2000 also offers Distributed File Services, which let you combine files on more than one server into a single share.
Security
User-level security protects shared network resources by requiring that a security provider authenticate a user's request to access resources. The domain controller grants access to the shared resource by verifying that the user name and password are the same as those on the user account list stored on the network security provider. Because the security provider maintains a network-wide list of user accounts and passwords, each client computer does not have to store a list of accounts.
Share-level security protects shared network resources on the computer with individually assigned passwords. For example, you can assign a password to a folder or a locally attached printer. If other users want to access it, they need to type in the appropriate password. If you do not assign a password to a shared resource, every user with access to the network can access that resource.
> Appleshare IP (Internet Protocol)
Client Support
TCP/IP file sharing with Macintosh clients using Network File System (NFS), and File Transfer Apple File Protocol 3.0.
Interoperability
Windows Server Message Block (SMB) file sharing.
File and Print Services
File Services:
- Apple Filing Protocol (AFP) over TCP/IP and AppleTalk
- Server Message Block (SMB) over TCP/IP
- File Transfer Protocol (FTP) over TCP/IP
Print Services:
- PAP (AppleTalk)
- LPR/LPD
Application Support
- HTTP
- Mail (SMTP, POP, IMAP and Authenticated Post Office Protocol APOP)
- Mac CGI
3.2 Identify the basic capabilities needed for client workstations to connect to and use network resources (For example: media, network protocols and peer and server services)
see > Network Support Part 2
3.3 Identify the appropriate tool for a given wiring task (For example: wire crimper, media tester / certifier, punch down tool or tone generator).
> Wire Crimper
A wire crimper is a tool that you use to attach media connectors to the ends of cables. For instance, you use one type of wire crimper to attach RJ-45 connectors to Unshielded Twisted Pair (UTP) cable, and you use a different type of wire crimper to attach Bayonet Neill-Concelman (BNC) connectors to coaxial cabling.
> Wire Map Testers
A wire map tester is a device that is similar in principle to the tone generator and locator, except that it tests all the wire connections in a UTP cable at once. This device also consists of two parts, which you connect to the opposite ends of a cable. The unit at one end transmits signals over all the wires, which are detected by the unit at the other end. A wire map tester can detect transposed wires, opens, and shorts, just as a tone generator and locator can, but it does all the tests simultaneously and provides you with a simple readout telling you what's wrong.
> Multifunction Cable Testers
Multifunction cable testers are handheld devices that perform a variety of tests on a cable connection and compare the results to standard values that have been programmed into the unit. The result is that these are devices that anyone can use. You simply connect the unit to the cable, press a button, and the device comes up with a list of pass or fail ratings for the individual tests.
Multifunction cable testers can test any of the following:
- Length: The most common method for determining the length of a cable is called time domain reflectometry (TDR), in which the tester transmits a signal over the cable and measures how long it takes for the signal's reflection to return. Using the nominal velocity of propagation (NVP) for the cable, which is the speed at which signals travel through the cable (supplied by the manufacturer), you can compute the length of the cable. This function also enables you to determine the location of a break in a cable.
- Attenuation: By comparing the strength of a signal at the far end of a cable to its strength when transmitted, the tester determines the cable's attenuation (measured in decibels).
- Near end crosstalk (NEXT): Testing for near end crosstalk is a matter of transmitting a signal over one of a cable's wires and then detecting the strength of the signal that bleeds over into the other wires near the end of the cable where the transmitter is located.
- Power sum NEXT (PSNEXT): This is a measurement of the crosstalk generated when three of the four wire pairs are carrying signals at one time. This test is intended for networks using technologies like Gigabit Ethernet, which transmit signals over several wire pairs simultaneously.
- Equal level far end crosstalk (ELFEXT): This is a measurement of the crosstalk at the opposite end of the cable from the transmitter, corrected to account for the amount of attenuation in the connection.
- Power sum ELFEXT (PSELFEXT): This is a measurement of the crosstalk generated at the far end of the cable by three signal-carrying wire pairs, corrected for attenuation.
- Propagation delay: This indicates the amount of time required for a signal to travel from one end of a cable to the other.
- Delay skew: This is the difference between the lowest and the highest propagation delay measurements for the wires in a cable. Because the wire pairs inside a UTP cable are twisted at different rates, their relative lengths can differ, and the delay skew measurement quantifies that difference.
- Return loss: This is a measurement of the accumulated signal reflection caused by variations in the cable's impedance along its length. These impedance variations are typically caused by untwisting too much of the wire pairs when making connections.
> Tone Generator
One of the most basic ways to identify and test a cable connection is to use a tone generator and locator cable tester. The tone generator is a device that you connect to a cable at one end, and which transmits a signal over the cable. The tone locator is a separate device that has a probe capable of detecting the generator's signal, either by touching it to the conductor in the cable, or simply by touching it to the insulation on the outside of the cable. When the locator detects the generator's signal, it emits an audible tone. You can use this type of device to test an entire cable, or to test the individual wire connections inside a UTP cable.
Tone generators are most commonly used to identify the cable belonging to a particular connection.
Example:
If you're performing an internal cable installation, and you forget to label one of your cables, you can connect the tone generator at the wall plate end and touch the probe to each of the cables at the patch panel end until you find the one that produces a tone.
You can also use a tone generator and locator to test the individual wire connections inside a UTP cable.
- Connect the generator to a single wire or connector contact using alligator clips.
- Then touch the locator to each wire or contact at the other end of the cable.
Using this method, you can test for any major wiring faults that affect internal UTP cable installations.
Example:
- If you fail to detect a signal on the contact to which you have the generator connected at the other end, you have an open circuit.
- If you detect a signal on the wrong contact, you have punched down the wires to the wrong contacts.
- If you detect a signal on two or more wires, you have a short.
Tone generator and locator Pros:
- Simple to use
- Most inexpensive type of cable tester
- Useful for troubleshooting a single cable connection.
Tone generator and locator Cons:
- Testing each of the wires in a UTP cable individually is time consuming
- You also need two people to use the equipment, one at the generator end and one at the locator end (unless you don't mind running back and forth from one end of your cable connections to the other)
3.4 Given a remote connectivity scenario comprised of a protocol, an authentication scheme, and physical connectivity, configure the connection. Includes connection to the following servers:
see > Network Support Part 2
3.5 Identify the purpose, benefits and characteristics of using a firewall.
A firewall is used to prevent unauthorized access to or from a network. Firewalls are frequently used to prevent unauthorized users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Firewall techniques:
- Packet filter: looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules.
- Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers.
- Circuit-level gateway: applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Network layer firewalls
Network layer firewalls operate at a low level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply.
Modern firewalls can filter traffic based on many packet attributes like:
- source IP address
- source port
- destination IP address or port
- destination service like WWW or FTP
They can also filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.
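The rule matching described above can be sketched as follows. This is an added example, not part of the original study guide: the `Packet` and `Rule` types, the first-match-wins ordering, the default-reject policy and the documentation-range addresses are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                       # "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "reject"
    src_net: str = "0.0.0.0/0"       # netblock of the originator
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any destination port
    src_port: Optional[int] = None   # None matches any source port

    def matches(self, p: Packet) -> bool:
        return (
            ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst_net)
            and self.proto in (None, p.proto)
            and self.dst_port in (None, p.dst_port)
            and self.src_port in (None, p.src_port)
        )

def filter_packet(rules, p, default="reject"):
    """Rules are checked in order; the first match decides.
    A packet that matches no rule gets the default action."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

# Constructed rule set: 192.0.2.0/24 stands for the protected network,
# 198.51.100.0/24 for a netblock the administrator has chosen to block.
RULES = [
    Rule("reject", src_net="198.51.100.0/24"),
    Rule("accept", dst_net="192.0.2.10/32", proto="tcp", dst_port=80),  # WWW
    Rule("accept", dst_net="192.0.2.20/32", proto="tcp", dst_port=21),  # FTP
]
```

Because the first match wins, the blocked netblock is rejected even when it targets the Web server that a later rule opens to everyone else.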
Application-layer firewalls
Application-layer firewalls work on the application level of the TCP/IP stack (for example, all browser traffic, or all Telnet or FTP traffic), and may intercept all packets traveling to or from an application. They block other packets without acknowledgement to the sender. Application firewalls can prevent all unwanted outside traffic from reaching protected machines.
3.6 Identify the purpose, benefits and characteristics of using a proxy service.
A proxy device that is running either on dedicated hardware or as software may act as a firewall by responding to input packets in the manner of an application, whilst blocking other packets.
The Proxy service sits between a client application, such as a web browser, and a real server. When a client program makes a request, the proxy server responds by translating the request and passing it to the Internet. When a computer on the Internet responds, the proxy server passes that response back to the client program on the computer that made the request. The proxy server computer has two network interfaces: one connected to the LAN and one connected to the Internet.
The primary security features of Proxy Server are:
- It blocks inbound connections.
- LAN clients can initiate connections to Internet servers, but Internet clients cannot initiate connections to LAN servers.
- It can restrict outbound connections.
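The three proxy properties above, and the circuit-level behaviour from section 3.5 (policy checked when the connection is set up, packets then flowing without further checks), can be modelled with a small connection table. This is an added, simplified example, not from the original study guide: the `Gateway` class, the LAN range and the blocked-port policy are assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal address range
BLOCKED_OUTBOUND_PORTS = {23}                 # assumed policy: no outbound Telnet

class Gateway:
    def __init__(self):
        # Established connections: (lan_ip, lan_port, remote_ip, remote_port)
        self.connections = set()

    def open_connection(self, src_ip, src_port, dst_ip, dst_port):
        """Policy is evaluated once, when a connection is requested."""
        if ipaddress.ip_address(src_ip) not in LAN:
            return False  # Internet hosts cannot initiate connections to the LAN
        if dst_port in BLOCKED_OUTBOUND_PORTS:
            return False  # outbound connections can be restricted
        self.connections.add((src_ip, src_port, dst_ip, dst_port))
        return True

    def relay(self, src_ip, src_port, dst_ip, dst_port):
        """Later packets pass only if they belong to an established connection,
        in either direction; no rule set is consulted again."""
        outbound = (src_ip, src_port, dst_ip, dst_port)
        reply = (dst_ip, dst_port, src_ip, src_port)
        return outbound in self.connections or reply in self.connections

    def close_connection(self, src_ip, src_port, dst_ip, dst_port):
        """Remove the table entry so stale replies are no longer relayed."""
        self.connections.discard((src_ip, src_port, dst_ip, dst_port))
```

A real gateway also decides by the interface a packet arrived on, since a source address alone can be forged.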
