Net + Domains

Network Implementation

3.1 Describe the basic capabilities (i.e., client support, interoperability, authentication, file and print services, application support, and security) of the following server operating systems:

UNIX/Linux

Interoperability

Open source software such as SAMBA is used to provide Windows users with Server Message Block (SMB) file sharing.

Authentication

Centralized login authentication

File and Print Services

Network File System (NFS) is a distributed file system that allows users to access files and directories located on remote computers and treat those files and directories as if they were local.

LPR/LPD is the primary UNIX printing protocol used to submit jobs to the printer. The LPR component initiates commands such as "print waiting jobs," "receive job," and "send queue state," and the LPD component in the print server responds to them.

Security

With most Unix operating systems, the network services can be individually controlled to increase security.

Netware

Client Support

NetWare 5 comes with Novell Client software for three client platforms: DOS and Windows 3.1x, Windows 95/98, and Windows NT.

Interoperability

You can set the Novell Clients for Windows 95/98 and Windows NT to work with one of three network protocol options: IP only, IP and IPX, or IPX only.

Authentication

Centralized login authentication

File and Print Services

NetWare offers two choices of mutually compatible file services: Novell Storage Services (NSS) and the traditional NetWare File System. Both kinds of file services let you store, organize, manage, access, and retrieve data on the network.

NSS gathers all unpartitioned free space that exists on all the hard drives connected to your server, together with any unused space in NetWare volumes, and places it into a storage pool. You create NSS volumes from this storage pool during server installation or later through NWCONFIG.

Novell Distributed Print Services (NDPS) is the default and preferred print system in NetWare. NDPS supports IP-based as well as IPX-based printing.

Security

Novell has support for a public key infrastructure built into NetWare 5 using a public certificate, developed by RSA Security.

Windows 2000

Client Support

Windows 3.x, Windows 95, Windows 98, and Windows NT Workstation 4.0.

Interoperability

Windows 2000 Server supports UNIX, Novell NetWare, Windows NT Server 4.0, and Macintosh.

Authentication

Successful user authentication in a Windows 2000 computing environment consists of two separate processes: interactive logon, which confirms the user's identification to either a domain account or a local computer, and network authentication, which confirms the user's identification to any network service that the user attempts to access.

Types of authentication that Windows 2000 supports are:

  • Kerberos V5 is used with either a password or a smart card for interactive logon. It is also the default method of network authentication for services. The Kerberos V5 protocol verifies both the identity of the user and of network services.
  • Secure Socket Layer/Transport Layer Security (SSL/TLS) authentication is used when a user attempts to access a secure Web server.

File and Print Services

You can add and maintain printers in Windows 2000 using the print administration wizard, and you can add file shares using Active Directory management tools. Windows 2000 also offers Distributed File Services, which let you combine files on more than one server into a single share.

Security

User-level security protects shared network resources by requiring that a security provider authenticate a user’s request to access resources. The domain controller grants access to the shared resource by verifying that the user name and password match those on the user account list stored on the network security provider. Because the security provider maintains a network-wide list of user accounts and passwords, each client computer does not have to store its own list of accounts.

Share-level security protects shared network resources on the computer with individually assigned passwords. For example, you can assign a password to a folder or a locally attached printer. If other users want to access it, they need to type in the appropriate password. If you do not assign a password to a shared resource, every user with access to the network can access that resource.

See also Encrypting File System

AppleShare

Client Support

TCP/IP file sharing with Macintosh clients using Network File System (NFS), File Transfer Protocol (FTP), and Apple Filing Protocol (AFP) 3.0.

Interoperability

Windows Server Message Block (SMB) file sharing.

File and Print Services

File Services:

  • Apple Filing Protocol (AFP) over TCP/IP and AppleTalk
  • Server Message Block (SMB) over TCP/IP
  • File Transfer Protocol (FTP) over TCP/IP

Print Services:

  • PAP (AppleTalk)
  • LPR/LPD

Application Support

  • HTTP
  • Mail (SMTP, POP, IMAP, and Authenticated Post Office Protocol (APOP))
  • Mac CGI

Mac OS X Server

Client Support

TCP/IP file sharing with Macintosh clients using Network File System (NFS), File Transfer Protocol (FTP), and Apple Filing Protocol (AFP) 3.0.

Interoperability

Mac OS X Server uses the Open Source SAMBA to provide Windows users with Server Message Block (SMB) file sharing. Network File System (NFS) lets you make folders available to UNIX and Linux users.

Authentication

Kerberos support for centralized login authentication.

File and Print Services

Mac OS X Server provides support for native Macintosh, Windows, UNIX, and Linux file sharing. Protocols supported include:

  • Apple file services (AFP 3.0) from any AppleShare client over TCP/IP
  • Windows (SMB/CIFS) file sharing using Samba
  • Network File System (NFS) for UNIX and Linux file access
  • Internet (FTP)

Built-in print services can spool files to any PostScript-capable printer over TCP/IP, AppleTalk, or USB. Macintosh customers can use the LPR support in Print Center or the Desktop Printer utility to connect to a shared printer. Windows users can use their native SMB/CIFS protocol to connect to a shared printer. Print services for OS X Server:

  • Macintosh and UNIX (LPR/LPD)
  • Windows (SMB/CIFS)

Application Support

  • Apache web server
  • WebObjects 5 Deployment
  • WebDAV
  • MySQL
  • JavaServer Pages
  • Mac CGI
  • Caching web proxy
  • QuickTime Streaming Server
  • Mail (SMTP, POP, IMAP)
  • SSL
  • PHP
  • Java Servlets
  • Perl

Security

  • Multiple-user architecture and user-level access privileges.
  • Secure Sockets Layer (SSL) support provides encrypted and authenticated client/server communications.
  • Secure Shell (SSH) provides encryption and authentication for secure remote administration.
  • Kerberos support for centralized login authentication.

3.2 Describe the basic capabilities, (i.e., client connectivity, local security mechanisms, and authentication) of the following client operating systems:

See 3.1 above

3.3 Describe the main characteristics of VLANs.

A Virtual LAN is a group of devices on one or more LANs that are configured using management software so that they can communicate as if they were attached to the same LAN segment, when in fact they are located on a number of different segments. Because VLANs are based on logical instead of physical connections, they are more flexible.

For a computer to communicate with devices on a LAN segment other than its own, a router is required. As networks expand, more routers are needed to separate users into broadcast and collision domains and to provide connectivity to other LANs. Since routers add latency, this can delay data transfer over the network.

Switches are used in VLANs to create the same division of the network into separate broadcast domains, but without the latency problems of a router.

Advantages to using VLANs:

Switched networks increase performance by reducing the size of collision domains. Users can be grouped into logical networks, which increases performance by limiting broadcast traffic to users performing similar functions or within individual workgroups. Less traffic needs to be routed, so the latency added by routers is reduced.

VLANs provide an easier way to modify logical groups in changing environments. VLANs make large networks more manageable by allowing centralized configuration of devices located in physically different locations.

Software configuration is simplified across machines when a department’s resources are consolidated into a single subnet: IP addresses, subnet masks, and local network protocols become more consistent across the entire VLAN.

VLANs provide independence from the physical topology of the network by allowing physically diverse workgroups to be logically connected within a single broadcast domain.

A switched network delivers frames only to the intended recipients, and broadcast frames only to other members of the VLAN. This allows the network administrator to segment users requiring access to sensitive information into separate VLANs from the rest of the general user community regardless of physical location, thus enhancing security.
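The isolation described above (broadcasts and unknown-destination frames reach only ports in the same VLAN, so hosts in different VLANs cannot talk without a router) can be seen in a toy switch model. This is an added example, not part of the study notes; the port-to-VLAN assignments, MAC addresses and frames are all constructed.

```python
"""Added example (not from the study notes): a toy switch whose MAC table and
flooding are scoped per VLAN, so broadcasts and unknown-unicast floods stay
inside the VLAN of the port they arrived on. Ports, VLAN ids, MAC addresses
and frames are constructed."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: str = ""


@dataclass
class VlanSwitch:
    # port number -> VLAN id (access ports: each port belongs to exactly one VLAN)
    port_vlan: dict
    # (vlan, mac) -> port, learned from source addresses as frames arrive
    mac_table: dict = field(default_factory=dict)

    def forward(self, in_port, frame):
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.port_vlan[in_port]
        # Learn where the sender is, scoped to its VLAN.
        self.mac_table[(vlan, frame.src)] = in_port
        same_vlan = [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]
        if frame.dst == BROADCAST:
            return sorted(same_vlan)          # the broadcast domain is the VLAN
        out_port = self.mac_table.get((vlan, frame.dst))
        if out_port is None:
            return sorted(same_vlan)          # unknown unicast: flood, but only within the VLAN
        return [out_port] if out_port != in_port else []


def demo():
    # Ports 1-2 are VLAN 10, ports 3-4 are VLAN 20 (constructed).
    sw = VlanSwitch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20})
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    results = {}
    # Host A (port 1, VLAN 10) broadcasts: only port 2 (same VLAN) receives it.
    results["broadcast_vlan10"] = sw.forward(1, Frame(a, BROADCAST, "ARP who-has"))
    # Host B (port 2) answers A: A's port was learned, so the unicast goes to port 1 only.
    results["unicast_to_learned"] = sw.forward(2, Frame(b, a, "ARP reply"))
    # Host C (port 3, VLAN 20) addresses A's MAC directly: A is unknown in VLAN 20,
    # so the frame floods within VLAN 20 (port 4) and never reaches VLAN 10.
    results["cross_vlan_unicast"] = sw.forward(3, Frame(c, a, "data"))
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: delivered to ports {ports}")
```

The last case is the security point of the paragraph: a frame aimed at a host in another VLAN, even with the correct MAC address, is flooded only to its own VLAN's ports, so the separation holds regardless of where the hosts are physically plugged in.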

3.4 Describe the main characteristics of network-attached storage.

RAID

Redundant Array of Inexpensive (or Independent) Disks. A RAID array is a collection of drives that collectively act as a single storage system, can tolerate the failure of a drive without losing data, and can operate independently of one another.

Level 0, referred to as striping, is not redundant. Data is split across drives, resulting in higher data throughput. Since no redundant information is stored, performance is very good, but the failure of any disk in the array results in the loss of all data.

Level 1, referred to as mirroring, uses 2 hard drives. It provides redundancy by duplicating all data from one drive on the other drive. Performance is better than a single drive, and if either drive fails, no data is lost. This is a good entry-level redundant system, since only two drives are required.

Level 2, which uses Hamming error correction codes, is intended for use with drives which do not have built-in error detection. All SCSI drives support built-in error detection, so this level is not needed if using SCSI drives.

Level 3 stripes data at a byte level across several drives, with parity stored on one drive. It is otherwise similar to level 4. Byte-level striping requires hardware support for efficient use.

Level 4 stripes data at a block level across several drives, with parity stored on one drive. The parity information allows recovery from the failure of any single drive. Performance is very good for reads. Writes, however, require that parity data be updated each time. This slows small random writes, in particular, though large writes or sequential writes are fairly fast.

Level 5 is striping with distributed parity. It is similar to level 4, but distributes parity among the drives; no single disk is devoted to parity. This can speed small writes in multiprocessing systems. Because parity data must be distributed on each drive during reads, read performance tends to be considerably lower than that of a level 4 array.
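Levels 4 and 5 above both rely on a single parity block per stripe; the difference is only where that block lives. The following added example (not from the study notes) lays a constructed payload out both ways, with block-level striping and XOR parity, and rebuilds a failed drive from the survivors. The drive count, block size and payload are constructed and kept tiny so the layout is readable.

```python
"""Added example (not from the study notes): block-level striping with XOR
parity in a RAID 4 layout (parity always on the last drive) and a RAID 5
layout (parity rotates across drives), followed by rebuilding one failed
drive from the survivors. Payload, drive count and block size are constructed."""
from functools import reduce


def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks: this is the parity block."""
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def parity_drive(stripe, n_drives, distributed):
    """Which drive holds the parity block for a given stripe."""
    if not distributed:
        return n_drives - 1                      # RAID 4: dedicated parity drive
    return n_drives - 1 - (stripe % n_drives)    # RAID 5: parity moves every stripe


def layout(data, n_drives, block_size, distributed):
    """Return drives[d] = list of blocks on drive d, one block per stripe.
    Each stripe holds n_drives - 1 data blocks plus one parity block."""
    n_data = n_drives - 1
    padded = data + b"\x00" * (-len(data) % (block_size * n_data))
    blocks = [padded[i:i + block_size] for i in range(0, len(padded), block_size)]
    drives = [[] for _ in range(n_drives)]
    for s in range(len(blocks) // n_data):
        chunk = blocks[s * n_data:(s + 1) * n_data]
        parity = xor_blocks(chunk)
        p = parity_drive(s, n_drives, distributed)
        data_iter = iter(chunk)
        for d in range(n_drives):
            drives[d].append(parity if d == p else next(data_iter))
    return drives


def rebuild(drives, failed):
    """XOR of the surviving blocks in each stripe yields the missing block,
    whether the lost block held data or parity."""
    survivors = [blocks for i, blocks in enumerate(drives) if i != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]


def read_back(drives, block_size, distributed, length):
    """Reassemble the payload by skipping each stripe's parity block."""
    n_drives = len(drives)
    out = b""
    for s in range(len(drives[0])):
        p = parity_drive(s, n_drives, distributed)
        out += b"".join(drives[d][s] for d in range(n_drives) if d != p)
    return out[:length]


def demo(distributed):
    data = b"constructed sample payload for a five-drive array"   # constructed
    n_drives, block_size, failed = 5, 4, 2
    drives = layout(data, n_drives, block_size, distributed)
    lost = drives[failed]
    drives[failed] = None                          # simulate the drive failing
    drives[failed] = rebuild(drives, failed)       # recover it from the other four
    n_stripes = len(drives[0])
    return {
        "rebuilt_ok": drives[failed] == lost,
        "read_ok": read_back(drives, block_size, distributed, len(data)) == data,
        "parity_drives": sorted({parity_drive(s, n_drives, distributed) for s in range(n_stripes)}),
        "stripes": n_stripes,
    }


if __name__ == "__main__":
    print("RAID 4:", demo(distributed=False))
    print("RAID 5:", demo(distributed=True))
```

With five drives the RAID 4 run reports parity on drive 4 for every stripe, while the RAID 5 run spreads it over drives 1 through 4; both rebuild the lost drive exactly, which is the "recovery from the failure of any single drive" the level 4 paragraph describes. A second simultaneous failure would leave two unknowns per stripe, and the XOR alone could not recover either.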

3.5 Explain when to implement fault tolerance and disaster recovery.

Fault tolerance is the ability of a system to continue functioning when part of the system fails. Normally, fault tolerance is used in describing disk subsystems, but it can also apply to other parts of the system or the entire system. Fully fault-tolerant systems use redundant disk controllers and power supplies as well as fault-tolerant disk subsystems. You can also use an uninterruptible power supply (UPS) to safeguard against local power failure.

Although the data is always available in a fault-tolerant system, you still need to make backups that are stored offsite to protect the data against disasters such as a fire.

3.6 Given a remote connectivity scenario, select the appropriate communication approach, protocol, and settings to apply.

IP

Determine whether the remote access server will use DHCP or a static IP address pool to obtain addresses for dial-up clients. If you use a static IP address pool, determine whether the pool will be ranges of addresses that are a subset of addresses from the IP network to which the server is attached or a separate subnet. If the static IP address pool address ranges represent a different subnet, ensure that routes to the address ranges exist in the routers of your intranet so that traffic to connected remote access clients is forwarded to the remote access server.

IPX

Internetwork Packet Exchange (IPX) is the traditional Novell communications protocol that sends data packets to requested destinations (such as workstations or servers).

An IPX network address is a hexadecimal number, one to eight digits (1 to FFFFFFFE), that identifies a specific network cable segment. IPX network segments can process more than one frame type. Each frame type that is used on the network is treated as a logical network segment and requires its own IPX address—even though each frame type is using the same network board and physical cable segment.

PPP

Point-to-Point Protocol (PPP) is a set of industry-standard framing and authentication protocols that enable remote access solutions to function in a multivendor network. PPP is recommended because of its flexibility and its role as an industry standard, which also gives future flexibility with client and server hardware and software.

PPP support enables computers to dial in to remote networks through any server that complies with the PPP standard. PPP also enables remote access clients to use any combination of IPX, TCP/IP, NetBEUI, and AppleTalk. Remote access clients running Windows NT and Windows 2000, Windows 98, and Windows 95 can use any combination of TCP/IP, IPX, and NetBEUI and programs written to the Windows Sockets, NetBIOS, or IPX interface. Microsoft remote access clients do not support the use of the AppleTalk protocol over a remote access connection.

PPP standards are defined in Requests for Comments (RFCs), which are published by the Internet Engineering Task Force and other working groups.

PPP connection sequence

When you connect to a remote computer, PPP negotiation accomplishes the following:

  • Framing rules are established between the remote computer and server. This allows continued communication (frame transfer) to occur.
  • The remote access server then authenticates the remote user by using the PPP authentication protocols (MS-CHAP, EAP, CHAP, SPAP, PAP). The protocols that are invoked depend on the security configurations of the remote client and server.
  • Once authenticated, if callback is enabled, the remote access server hangs up and calls the remote access client.
  • The Network Control Protocols (NCPs) enable and configure the remote client for the desired LAN protocols.

PPTP (Point-to-Point Tunneling Protocol) is a networking technology that supports multiprotocol virtual private networks (VPNs), enabling remote users to access corporate networks securely across the Internet. Unlike the Point-to-Point Protocol (PPP), which is designed to support a dial-up network connection to the Internet, PPTP does not rely upon a dial-up connection. It can be used to provide secure, tunneled end-to-end Internet connections through other remote access technologies, such as Internet access provided through DSL.

Authentication

Microsoft dial-up networking clients typically use MS-CHAP authentication. Non-Microsoft dial-up networking clients use CHAP, SPAP, and PAP authentication.

CHAP (Challenge Handshake Authentication Protocol) is a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to hash the response. CHAP is used by various vendors of network access servers and clients.

MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) is a nonreversible, encrypted password authentication protocol. The challenge handshake process works as follows:

  • The remote access server or the IAS server sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.
  • The remote access client sends a response that contains the user name and a nonreversible encryption of the challenge string, the session identifier, and the password.
  • The authenticator checks the response and, if valid, the user's credentials are authenticated.
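The three steps above are the same for CHAP and MS-CHAP: a challenge goes out, a response derived from the secret comes back, and the authenticator recomputes and compares. The following added example (not from the study notes) plays the exchange out using the CHAP computation from RFC 1994, Response = MD5(Identifier || secret || Challenge); MS-CHAP derives its response differently and that derivation is not reproduced here. The user name and shared secret are constructed.

```python
"""Added example (not from the study notes): the CHAP exchange of RFC 1994,
Response = MD5(Identifier || secret || Challenge), between a constructed
authenticator and client. MS-CHAP keeps the same challenge/response shape but
computes the response differently (not shown). Names and secrets are constructed."""
import hashlib
import os
import secrets


def chap_response(identifier, secret, challenge):
    """RFC 1994: MD5 over the one-octet Identifier, the secret and the Challenge.
    Only this digest travels over the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The remote access server side of the handshake."""

    def __init__(self, user_db):
        self.user_db = user_db     # name -> shared secret
        self.pending = {}          # identifier -> outstanding challenge

    def challenge(self):
        identifier = secrets.randbelow(256)       # one-octet session identifier
        challenge = os.urandom(16)                # fresh, unpredictable challenge string
        self.pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier, name, response):
        challenge = self.pending.pop(identifier, None)   # each challenge is usable once
        secret = self.user_db.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return secrets.compare_digest(expected, response)  # constant-time comparison


class Client:
    """The remote access client side of the handshake."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(client, authenticator):
    identifier, challenge = authenticator.challenge()        # 1. challenge
    name, response = client.respond(identifier, challenge)    # 2. response
    return authenticator.verify(identifier, name, response)   # 3. success or failure


def demo():
    auth = Authenticator({"alice": b"constructed-shared-secret"})   # constructed
    good = Client("alice", b"constructed-shared-secret")
    wrong = Client("alice", b"not-the-secret")
    results = {
        "correct_secret": run_exchange(good, auth),
        "wrong_secret": run_exchange(wrong, auth),
    }
    # Replay: a valid response captured from one exchange is useless against a
    # later challenge, because the challenge (and so the MD5 input) has changed.
    identifier, challenge = auth.challenge()
    name, response = good.respond(identifier, challenge)
    results["first_use"] = auth.verify(identifier, name, response)
    later_identifier, _ = auth.challenge()
    results["replayed_response"] = auth.verify(later_identifier, name, response)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authenticated' if ok else 'rejected'}")
```

Two details in the authenticator are worth noticing: the challenge is removed from the pending table as soon as it is checked, so a captured response cannot be replayed, and the digest comparison is constant-time so that verification time does not leak how many bytes matched.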

PAP (Password Authentication Protocol) uses plaintext passwords and is the least sophisticated authentication protocol. It is typically negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation.

SPAP (Shiva Password Authentication Protocol) is a reversible encryption mechanism employed by Shiva. This form of authentication is more secure than plaintext but less secure than CHAP or MS-CHAP.

3.7 Identify the purpose and benefits of using a firewall/proxy.

Firewall

A firewall is used to prevent unauthorized access to or from a network. Firewalls are frequently used to prevent unauthorized users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Firewall techniques:

  • Packet filter looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules.
  • Application gateway applies security mechanisms to specific applications, such as FTP and Telnet servers.
  • Circuit-level gateway applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy

A proxy is a server that sits between a client application, such as a web browser, and a real server. When a client program makes a request, the proxy server responds by translating the request and passing it to the Internet. When a computer on the Internet responds, the proxy server passes that response back to the client program on the computer that made the request. The proxy server computer has two network interfaces: one connected to the LAN and one connected to the Internet.

The primary security features of Proxy Server are:

  • It blocks inbound connections.
  • LAN clients can initiate connections to Internet servers, but Internet clients cannot initiate connections to LAN servers.
  • It can restrict outbound connections.
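The packet filter and circuit-level gateway from the firewall techniques list, and the proxy behaviour just described (LAN clients may initiate connections, Internet clients may not), can be contrasted in a few lines of code. This added example, not part of the study notes, judges constructed packets with a stateless first-match rule list and default deny, and then with a connection-tracking gateway; the addresses, rules and packets are constructed, and only the standard-library ipaddress module is used.

```python
"""Added example (not from the study notes): a stateless packet filter (first
matching rule wins, default deny) beside a minimal circuit-level gateway that
tracks LAN-initiated connections, admitting their replies while dropping
Internet-initiated connections. Addresses, rules and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")      # constructed internal network


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                  # "accept" or "drop"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def packet_filter(rules, pkt):
    """Stateless filter: each packet is judged on its own header fields."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"               # nothing matched: default deny


class CircuitGateway:
    """Stateful: remembers connections opened from the LAN and admits, on the
    way back in, only packets that belong to one of them."""

    def __init__(self):
        self.connections = set()    # (proto, lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, pkt):
        if ip_address(pkt.src) in LAN and ip_address(pkt.dst) not in LAN:
            self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"     # outbound: allowed and tracked
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if reverse in self.connections else "drop"


# Constructed rule set: LAN hosts may reach web servers; an explicit drop for
# inbound telnet is listed even though the default would drop it as well.
RULES = [
    Rule("accept", "tcp", src="192.168.1.0/24", dport=80),
    Rule("accept", "tcp", src="192.168.1.0/24", dport=443),
    Rule("drop", "tcp", dst="192.168.1.0/24", dport=23),
]


def demo():
    gw = CircuitGateway()
    web_out = Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 80)
    web_back = Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 51000)
    telnet_in = Packet("tcp", "203.0.113.9", 40000, "192.168.1.10", 23)
    smtp_out = Packet("tcp", "192.168.1.10", 51001, "203.0.113.5", 25)
    return {
        "filter_web_out": packet_filter(RULES, web_out),
        "filter_web_back": packet_filter(RULES, web_back),    # no rule admits the reply
        "filter_telnet_in": packet_filter(RULES, telnet_in),
        "filter_smtp_out": packet_filter(RULES, smtp_out),    # default deny
        "gateway_web_out": gw.decide(web_out),                # tracked
        "gateway_web_back": gw.decide(web_back),              # reverse of a tracked connection
        "gateway_telnet_in": gw.decide(telnet_in),            # Internet-initiated
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The contrast to notice is the web reply: the stateless filter drops it, because no rule describes return traffic, so a pure packet filter needs extra rules for replies (and those rules are hard to write tightly). The gateway admits it because it remembers that the LAN host opened the connection, and it still drops the Internet-initiated telnet attempt without any rule at all, which is exactly the inbound-blocking property listed for the proxy.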

3.8 Given a scenario, predict the effects of a particular security implementation on network performance.

Encryption

Windows 2000

The Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS file system volumes. Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other files and folders. Encryption is transparent to the user that encrypted the file. This means that you do not have to decrypt the encrypted file before you can use it. You can open and change the file as you normally do. However, an intruder who tries to access your encrypted files or folders will be prevented from doing so. An intruder receives an access denied message if the intruder tries to open, copy, move, or rename your encrypted file or folder.

You encrypt or decrypt a folder or file by setting the encryption property for folders and files just as you set any other attribute such as read-only, compressed, or hidden. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. It is recommended that you encrypt at the folder level.

You can also encrypt or decrypt a file or folder using the command-line tool cipher. For more information about the cipher command, type cipher /? at a command prompt.

Main points about EFS

Only files and folders on NTFS volumes can be encrypted.

You cannot encrypt files or folders that are compressed. First you must uncompress the file or folder, then you can encrypt it. On a compressed volume, uncompress folders you want to encrypt.

You cannot share encrypted files.

Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.

Use cutting and pasting to move files into an encrypted folder. If you use a drag-and-drop operation to move the files, they will not automatically be encrypted in the new folder.

System files cannot be encrypted.

Encrypting a folder or file does not protect against deletion. Anyone with delete permission can delete encrypted folders or files.

3.9 Given a network installation scenario, select the appropriate NIC and configuration settings.

Full/Half Duplex

Half duplex refers to the transmission of data in just one direction at a time. Full duplex refers to the transmission of data in two directions simultaneously. Most NICs contain a setting that lets you select between half-duplex and full-duplex modes.

Speeds

Make sure the NIC is the right speed for the network: if the network is 100Base-TX, use a NIC capable of 100 Mbps.
