This course will cover the most important aspects of networking, including protocols, architectures,

device integration, connectivity, and security.

Course Objectives:

ƒ Introduce basic functions and characteristics of a network

ƒ Introduce basic transport and printing protocols
ƒ Discuss TCP/IP, subnetting, DHCP, DNS, and WINS
ƒ Describe remote connectivity functionality and characteristics
ƒ Describe security principles and functions
ƒ D
Describe
ib interoperability
i bili for
f heterogeneous
h networksk

Please schedule sufficient time to complete this course and prepare for the ATSP Networking Certification
Core Exam.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
The creation of a network requires wired or wireless mediums for communication. Coax‐based networks
are almost extinct now, due to wireless networks becoming more popular and easier to implement. Many
networks today are a combination of wireless and wired mediums.

A common wire media used is twisted pair. Twisted pair is cheaper than coaxial cabling, and UTP
(unshielded twisted pair) is much cheaper than STP (shielded twisted pair). Both UTP and STP cables are
used in 10BaseT (10 million bits per second, 100BaseT (100 million bits per second), and 1000BaseT (1
Gigabit per second) speeds.

42
43
The star configuration is one topology (network wiring layout), and a popular one when using twisted pair
cabling.

44
Speeds of 1Gbps are now common across twisted pair networks, but require category 6 and 7 cable types
to be fully supported without incurring transmission errors. The category level of a cable refers to its
ability to handle higher MHz or bandwidths. For instance, a category 3 cable is rated to handle bandwidth
up to 16 MHz, while a category 6 cable is rated to handle up 250 MHz.

Twisted pair’s susceptibility to electromagnetic interference greatly depends on the pair twisting
schemes (usually patented by the manufacturers) staying intact during the installation. As a
result, twisted pair cables usually have stringent requirements for maximum pulling tension as
well as minimum bend radius. This relative fragility of twisted pair cables makes the installation
practices an important
p p p
part of ensuringg the cable’s performance.
p

Keep in mind that actual network upload and download speeds can fluctuate based on various
factors, including slower devices connecting to it and communication load (number of devices
using it at any given time).

45
Now let’s examine wireless networking with Infrared and Radio.

Infrared technology allows computing devices to communicate via short‐range wireless signals.
With infrared,
infrared computers can transfer files and other digital data bi‐directionally.
bi‐directionally The infrared
transmission technology used in computers is similar to that used in consumer product remote
control units.

Range ‐ Infrared communications span very short distances. Place two infrared devices within a
few feet (no more than 5 meters) of each other when networking them. Unlike Wi‐
Fi and Bluetooth technologies,
technologies infrared network signals cannot penetrate walls or other
obstructions and work only in the direct "line of sight.“

Performance ‐ Infrared technology used in local networks exists in three different forms:
IrDA‐SIR (slow speed) infrared supporting data rates up to 115 Kbps
IrDA‐MIR (medium speed) infrared supporting data rates up to 1.15 Mbps
IrDA‐FIR
IrDA FIR (fast speed) infrared supporting data rates up to 4 Mbps

46
More prevalent (and contrary to the “gradually being introduced” statement in the dated slide above),
radio wave use for wireless networking is now a common form of transmission with cellular networks and
mobile networks comprising the majority of radio communications. Radio waves can penetrate through
walls and are able to cover large areas with higher bandwidth rates.

Fixed wireless technology implements point‐to‐point links between computers or networks at

two distant locations, often using dedicated microwave or modulated laser light beams over line
of sight paths. It is often used in cities to connect networks in two or more buildings without
installing a wired link.

A cellular network or mobile network is a radio network distributed over land areas called cells,
each served by at least one fixed‐location transceiver, known as a cell site or base station. In a
cellular network, each cell characteristically uses a different set of radio frequencies from all their
immediate neighbouring cells to avoid any interference. When joined together these cells
provide radio coverage over a wide geographic area. This enables a large number of portable
transceivers ((e.g.,
g mobile phones,
p pagers,
p g etc.)) to communicate with each other and with fixed
transceivers and telephones anywhere in the network, via base stations, even if some of the
transceivers are moving through more than one cell during transmission.
Although originally intended for cell phones, with the development of smartphones, cellular
telephone networks routinely carry data in addition to telephone conversations:

47
IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for
implementing wireless local area network (WLAN) computer communication in the 2.4, 3.6, 5
and 60 GHz frequency bands. Based on which revision used, bandwidth speeds range from 20 to
160 MHz and data rates from 1Mbps to 6.75Gbs.
6 75Gbs

The 802.11 family consist of a series of half‐duplex over‐the‐air modulation techniques that use
the same basic protocol. The most popular are those defined by the 802.11b and 802.11g
protocols, which are amendments to the original standard. 802.11‐1997 was the first wireless
networking standard in the family, but 802.11b was the first widely accepted one, followed by
802 11a and 802.11g.
802.11a 802 11g 802 802.11n
11n is a new multi
multi‐streaming
streaming modulation technique
technique. Other standards
in the family (c–f, h, j) are service amendments and extensions or corrections to the previous
specifications.

48
With so many devices and computers connecting to a network, how do you keep track of who’s talking to
who? And how can each device and computer find the device and computer they want to specifically
communicate with?

Different types of addresses can be used but it starts by giving each device and computer (or node, if you
will) a unique address on the network, then making that address available to every device and computer
for their use when sending information back and forth.

The MAC (media access control) address (outlined in red on the slide) is a physical one, usually
permanently installed to the NIC (networking interface card) or similar interface device like a router,
b id etc., that
bridge, h connects a node d to a network.
k The
Th MAC Add
Address containsi 12 h hexadecimal
d i l digits,
di i and d this
hi
address is unique: no two devices or NICs will have the same MAC address. If they did that would cause
problems on the network.

49
More flexible (and human‐friendly) addressing is accomplished by using host names. While host names
must also be unique, they are changeable, and can be written in more easily remembered ways since a
full set of characters is allowed to be used.

50
TCP/IP (Transmission Control Protocol/Internet Protocol) addressing is required for Internet access.
TCP/IP provides end‐to‐end connectivity specifying how data should be formatted, addressed,
transmitted, routed, and received at the destination.

The Internet protocol suite is the networking model and a set of communications protocols used
for the Internet and similar networks. It is commonly known as TCP/IP, because its most
important protocols, the Transmission Control Protocol (TCP) and the Internet Protocol (IP) were
the first networking protocols defined in this standard. It is occasionally known as the DoD
model, because the development of the networking model was funded by DARPA, an agency of
the United States Department of Defense.
Defense

51
52
53
54
Now let’s see how the networking elements we covered so far work together.

The network board, or NIC (network interface card) is very important as it provides the connectivity from
the node to the network. Today, NICs come is wireless and wired flavors and sizes. Your cell phone uses it
as does your laptop or desktop computer.

A NIC can have different connector types for the media it needs to connect to. For instance, RJ‐45 (which
looks like a larger phone cable plug), coaxial, and fiber‐optic cabling can be used.

Once the NIC is ready to provide connection to the network, you will need the right protocol to
communicate
i with
i h other
h nodes
d on theh network.k The
Th protocoll is
i the
h common language
l allll the
h nodes
d
speak, and today the most common protocol used is TCP/IP.

55
After the NIC is set up to communicate with TCP/IP, a TCP/IP address must be assigned. Each NIC will need
a unique address so other nodes on the network aren’t confused (like having two houses with the same
street address, who would get their mail?).

56
Once the TCP/IP address is added to the node, the host name is associated with it. The MAC address is
also associated with it.

To send a message to you, the sending node must know your TCP/IP. The IP address is 32 bits, divided into
4 bytes. We’ll have more to show on IP addressing later.

57
The sending computer (or node) creates a “packet” containing the information and the address it needs
to go to. This packet also contains the sending computer’s address, too, so the receiving computer can
reply.

58
Once the message is received, a notification is sent back acknowledging receipt. Of course, all this
communication back and forth takes place in micro‐seconds.

59
60
When two nodes want to communicate with each other, their respective ability to send and receive data
at the same rate is important. This is where flow control takes over. Before the packets are sent, both
nodes negotiate the rate of transmission, so packets aren’t lost (or “dropped”) when one node is slower
than the other. The negotiation involves the protocol to be used and the transmission speed.

Buffering, the ability to store incoming data before it is processed, is another functional possibility that is
often used today, especially in web‐based transmissions.

If you’ve ever watched a video or listened to music streaming from the web, you’ve already seen buffering
in action to help provide a smooth, uninterrupted transmission. Of course, buffers vary in size, which
translates
l into
i those
h pauses you may also
l have
h experienced:
i d once the
h buffer
b ff iis full,
f ll a message isi sent
saying to stop sending until the buffer clears room for more temporary storage.

61
We’ve explained the NIC’s function. Now let’s examine the other networking components that help
provide connectivity.

A network hub is an unsophisticated device in comparison with with, for example

example, a switch.
switch A hub
does not examine or manage any of the traffic that comes through it: any packet entering any
port is rebroadcast on all other ports. Effectively, it is barely aware of frames or packets and
mostly operates on raw bits. Consequently, due to the larger collision domains, packet collisions
are more frequent in networks connected using hubs than in networks connected using more
sophisticated devices.
An Ethernet hub, active hub, network hub, repeater hub, multiport repeater or hub is a device
for connecting multipleEthernet devices together and making them act as a single network
segment. It has multiple input/output (I/O) ports, in which a signal introduced at the input of
any port appears at the output of every port except the original incoming. A hub works at
the physical layer (layer 1) of the OSI model. The device is a form of multiport repeater. Repeater
hubs also participate in collision detection, forwarding a jam signal to all ports if it detects
a collision.

62
63
A bridge device filters data traffic at a network boundary. Bridges reduce the amount of traffic on
a LAN by dividing it into two segments.Bridges operate at the data link layer (Layer 2) of the OSI
model.

Bridges inspect incoming traffic and decide whether to forward or discard it. An Ethernet bridge,
for example, inspects each incoming Ethernet frame ‐ including the source and destination MAC
addresses, and sometimes the frame size ‐ in making individual forwarding decisions.

Bridges serve a similar function as switches, that also operate at Layer 2. Traditional bridges,
though support one network boundary
though, boundary, whereas switches usually offer four or more hardware
ports. Switches are sometimes called "multi‐port bridges" for this reason.

Bridges compile and maintain MAC address tables of the nodes on the network. The addresses
are used to speed up the flow of data.

64
Routers are small physical devices that join multiple networks together, and routers are generally
more intelligent than a bridge.

Technically a router is a Layer 3 gateway device,

Technically, device meaning that it connects two or more networks
and that the router operates at the network layer of the OSI model.Home networks typically use
a wireless or wired Internet Protocol (IP) router, IP being the most common OSI network layer
protocol. An IP router such as a DSL or cable modembroadband router joins the home's local area
network (LAN) to the wide‐area network (WAN)of the Internet.

By maintaining configuration information in a piece of storage called the routing table

table, wired or
wireless routers also have the ability to filter traffic, either incoming or outgoing, based on the IP
addresses of senders and receivers. Some routers allow a network administrator to update the
routing table from a Web browser interface.

Broadband routers combine the functions of a router with those of a network switch and a
firewall in a single unit
unit.

If a server has more than one NIC, the server can be used as a router, too.

65
A network gateway is an internetworking system capable of joining together two networks that
use different base protocols. A network gateway can be implemented completely in software,
completely in hardware, or as a combination of both.

Depending on the types of protocols they support, network gateways can operate at any level of
the OSI model. Because a network gateway, by definition, appears at the edge of a network,
related capabilities like firewalls tend to be integrated with it.

On home networks, a broadband router typically serves as the network gateway although
ordinary computers can also be configured to perform equivalent functions.
functions

66
Wireless access points (APs or WAPs) are specially configured nodes on wireless local area
networks (WLANs).

Access points act as a central transmitter and receiver of WLAN radio signals.
signals Access points used
in home or small business networks are generally small, dedicated hardware devices featuring a
built‐in network adapter, antenna, and radio transmitter. Access points support Wi‐Fi wireless
communication standards.

Although very small WLANs can function without access points in so‐called "ad hoc" or peer‐to‐
peer mode,
mode access points support "infrastructure"
infrastructure mode.
mode This mode bridges WLANs with a wired
Ethernet LAN and also scales the network to support more clients. Older and base model access
points allowed a maximum of only 10 or 20 clients; many newer access points support up to 255
clients.

67
68
The Ethernet standard employs the CSMA/CD control (carrier sense multiple access with collision
detection). CSMA/CD ensures all active computers on the network have an equal opportunity to transmit
data.

With CSMA/CD a node listens to the data traffic on the network. When no traffic is detected, the node
starts transmitting its packet data. If two nodes transmit at the same time by mistake, CSMA/CD stops
both transmissions, then assigns a randomly chosen wait period to each node before they check the
network again to see if they can transmit.

69
70
Unlike all other standard forms of LAN interconnects, Token Ring maintains one or more common
data frames that continuously circulates through the network. These frames are shared by all
connected devices on the network as follows:

1. a frame (packet) arrives at the next device in the ring sequence

2. that device checks whether the frame contains a message addressed to it. If so, the device
removes the message from the frame. If not, the frame is empty (called a token frame).
3. the device holding the frame decides whether to send a message. If so, it inserts message data
into the token frame and issues it back onto the LAN. If not, the device releases the token frame
for the next device in sequence to pick up
4. the above steps are repeated continuosly for all devices in the token ring

Token Ring is a data link technology for local area networks (LANs). It operates at layer 2 of
the OSI model.

Token Ring was developed by IBM during the 1980s as an alternative to Ethernet.
Ethernet Starting in the
1990s, it significantly decreased in popularity and gradually was phased out of business networks
as Ethernet technology began to dominate LAN designs.

Standard Token Ring supports only up to 16 Mbps. In the 1990s, an industry initiative called High
Speed Token Ring developed technology for extending Token Ring to 100 Mbps equal to Ethernet, 71
but insufficient interest in the marketplace existed for HSTR products and the technology was
72
73
74
75
Note that if a domain controller is not present, a domain master browser is not available and you are
unable to obtain browse lists from workgroups other than the one you are located in.

76
77
78
79
80
81
82
It is important to realize the differences between peer to peer and client‐server networks. We will discuss
those differences now, starting with peer‐to‐peer.

83
A peer‐to‐peer network is very easy to set up. It is usually also inexpensive, as not dedicated servers are
required.

Peer to peer
Peer‐to peer‐networks
networks are often referred to as Workgroup networks. In a Microsoft Windows
environment you automatically work in a peer‐to‐peer network (which means you are not logging into a
Domain). You are identified by the hostname of your computer, and by a Workgroup name.

Peer‐to‐peer networks are suitable for small networks, with less than 10 computers or so. When the
network expands to more computers, the decentralized administration inherent in peer‐to‐peer will
become more complicated.

Another disadvantage of a peer‐to‐peer network is its decentralized security. Password protection, virus
control, and document security must be handled individually on each computer.

84
Now let’s examine the characteristics of the Client‐Server network.

The server can be a stand‐alone one providing services that users share. Two examples of this are 1: a
print server shares printing across users and 2: an application server hosts shared applications, which
users can access and use. Shared application environments in use today include

85
Additional servers can provide access control through authenticating users, providing specific access to
the network’s shared resources after users log into their Domain.

86
87
Security can also be controlled at a central location. Through the server, permissions can be granted,
either to individual users or to groups of users.

Central storage of data and its backup also simplifies data management.

88
The servers in a Domain have dedicated hardware: increased memory, storage, and processing power. For
a small company, client‐server networks are a more expensive investment than peer‐to‐peer networks.

89
90
91
92
93
94
95
1
In this lesson we will concentrate on the explanation and usage of commonly used network and transport
protocols.

2
Network communications occur in accordance with an agreed on set of rules, called protocols. In the
previous lesson we discussed the OSI Model and how networking made practical use of it. Here, we will
discuss the OSI layers Transport and Network in relation to the protocols used to implement practical use
of these layers.

For example, one of the protocol functions is to ensure reliability. This is accomplished with Checksums,
which are added to headers and trailers to guarantee the packet that is sent is the same packet that is
received.

Routing is another protocol function. Routing protocols can determine the shortest route to send a
packet,
k or decide
d id on which
hi h way is
i less
l congested
d when
h the h networkk becomes
b b
busy with
i h traffic.
ffi

3
There are also connectionless protocols. They merely send data without checking to see if it was received
properly, like a broadcast.

4
The network/transport protocols need to be linked or bound to the NIC or networking interface that
connects a device to a network. The NIC must handle the physical (electrical) bits of data going back and
forth, but the protocol tells it how to do that properly for the network it’s communicating with.

In Microsoft Windows 7 operating systems, after installing the NIC, you bind the protocol (usually TCP/IP)
to it using the Control Panel, to access the Network and Internet properties for the wired or wireless NIC.

5
The first protocol to look at is NetBEUI. Pronounced net‐booey, NetBEUI is short for NetBios Extended
User Interface. NetBEUI is the NetBios protocol that is used by Microsoft Windows networking. It
is a non‐routable protocol, which means that computers that are not located on the same
network segment or subnet cancan'tt communicate
communicate.

Is it still in use? To some extent, yes. The NetBIOS over TCP/IP (also known as NetBT) is prevalent
today, and allows legacy computers that rely on NetBIOS to be used on TCP/IP networks. These
legacy computers still using Windows XP, NT, and earlier versions of Windows need NetBIOS to be
able to share print and file resources.

Security Note:

NetBIOS over TCP/IP and SMB (server message block, mainly used for providing shared access to files,
printers, serial ports, and miscellaneous communications between nodes on a network) provide recurring
vectors for malicious attacks upon a network. Specifically, NetBIOS provides attackers with a means to
mapp the network and also freelyy navigate
g a compromised
p intranet. In regards
g to p
public Web Servers,
neither service is necessary for the successful operation of a public Web server and disabling both
services in such scenarios can greatly enhance the security status of a network.

6
Nodes communicate using MAC addresses, so with NetBEUI, a conversation is necessary from hostname
to MAC address. This name resolution is done by “name resolution broadcast.” Before a message is sent,
the sending node sends out a broadcast to all nodes on the network requesting the node’s address
associated with the NetBIOS name it wants to send the message to.

7
In small networks, the broadcasts do not influence network traffic to a large degree. However, in larger
networks, the name resolution broadcasts can cause a lot of network traffic, creating congestion that
degrades the network’s performance.

NetBEUI is simply not suitable for use on medium to large sized networks.

Another disadvantage is that NetBEUI does not support logical addresses like TCP/IP by itself. This means
that a NetBEUI network can’t be divided into subnets because NetBEUI broadcasts don’t pass through
routers since the router is looking for a logical address.

8
9
This Internet protocol suite resulted from research and development conducted by the Defense Advanced
Research Projects Agency (DARPA) in the late 1960s.[3] After initiating the pioneering ARPANET in 1969,
DARPA started work on a number of other data transmission technologies. In 1972, Robert E. Kahn joined
the DARPA Information Processing Technology Office, where he worked on both satellite packet networks
and ground‐based radio packet networks, and recognized the value of being able to communicate across
both. In the spring of 1973, Vinton Cerf, the developer of the existing ARPANET Network Control Program
(NCP) protocol, joined Kahn to work on open‐architecture interconnection models with the goal of
designing the next protocol generation for the ARPANET.

Most computer operating systems in use today, including all consumer‐targeted systems, include a TCP/IP
i l
implementation.
i

10
An IP address is a 32‐bit number that uniquely identifies a host (computer or other device, such as a
printer or router) on a TCP/IP network. IP addresses are normally expressed in dotted‐decimal format,
with four numbers separated by periods, such as 192.168.123.132. To understand how subnet masks are
used to distinguish between hosts, networks, and subnetworks, examine an IP address in binary notation.

For example, the dotted‐decimal IP address 192.168.123.132 is (in binary notation) the 32 bit number
110000000101000111101110000100. This number may be hard to make sense of, so divide it into four
parts of eight binary digits. These eight bit sections are known as octets. The example IP address, then,
becomes 11000000.10101000.01111011.10000100. Converting the binary address into dotted‐decimal
format (192.168.123.132) is easier to work with (for humans, that is). The decimal numbers separated by
periods
i d are the
h octets converted d ffrom binary
bi to decimal
d i l notation.
i

Internet addresses are made up of a network address and a host (or local) address. This two‐part address
allows a sender to specify the network as well as a specific host on the network. A unique, official
network address is assigned to each network when it connects to other Internet networks. However, if a
local network is not going to connect to other Internet networks, it can be assigned any network address
that is convenient for local use.
The Internet addressing scheme consists of Internet Protocol (IP) addresses and two special cases of IP
addresses: broadcast addresses and loopback addresses. The Internet Protocol defines the special
network address, 127.0.0.1, as a local loopback address.

11
12
13
14
15
16
The use of subnets in an organization makes a large network more manageable. Network administrators
are able to split the network into different subnets by using the subnet mask.

Each node on a given subnet should be configured with the same default gateway. The gateway is where
transmissions are sent when the node address of the receiver is on another subnet. If the gateway is not
configured, the transmission will not be delivered.

17
The IP address, subnet mask, and default gateway are configured through the Control Panel’s properties
window for the Internet Protocol (shown here is the properties window in Windows 7).

When setting the properties to obtain an IP address automatically, you can

can’tt change the subnet mask or
gateway manually.

18
Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP), the communications
protocol that provides an identification and location system for computers on networks and routes traffic
across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the
long‐anticipated
long anticipated problem of IPv4 address exhaustion.

IPv6 is intended to replace IPv4, which still carries the vast majority of Internet traffic. As of September
2013, the percentage of users reaching Google services over IPv6 surpassed 2% for the first time.[2]
Every device on the Internet must be assigned an IP address in order to communicate with other devices.
With the ever‐increasing number of new devices being connected to the Internet, the need arose for
more addresses than IPv4 is able to accommodate. IPv6 uses a 128‐bit address, allowing 2128, or
approximately
i 3 4 1038 addresses,
l 3.4×10 dd or more than 7 9 1028 times
h 7.9×10 i as many as IPv4,
IP 4 which
hi h uses 32‐bit
32 bi
addresses. IPv4 allows only approximately 4.3 billion addresses.

The two protocols are not designed to be interoperable, complicating the transition to IPv6.

IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons, for
examplep 2001:0db8:85a3:0042:1000:8a2e:0370:7334,, but methods of abbreviation of this full notation
exist.

19
With a normal IP network transmissions are broken into packets that can travel different routes and arrive
at different times. With QoS, packet priority can be given to data streams that contain video and music.
This QoS feature can be implemented using the Flow Label field of the IPv6 header.

An IPv4‐based system has no way to differentiate between data payloads that are time sensitive, such as
streaming video or audio, and those that aren't time‐sensitive, such as status reports and file transfer.
Streaming audio and video applications are very sensitive to delays of a few packets ‐ lips move without
sound or picture break up ‐ but IPv4 has no way to prevent those problems. If a packet is lost in transit,
TCP recognizes the loss and requests a retransmission, but only after an inevitable delay. The single
delayed TCP packet is probably part of a much larger packet of audio or video data, so the entire big
packet is delayed and probably thrown out because the smallest part didn't arrive on time.

IPv6 provides a way for applications to request handling without delay throughout the WAN. The term
often used to describe this is low latency. Streaming audio and video requires low latency through high
priority. To prevent a break down in the scheme, the various application can share connection via priority
level.

20
In IPv6, IP security (IPsec) is part of the protocol suite. It is mandatory. IPsec is a set of security
specifications originally written as part of the IPv6 specification. Due to the strong need for
security in the current IPv4 Internet, IPsec was also adapted for IPv4. However, support for IPsec
in IPv4 is optional and “proprietary solutions are prevalent” (Davies,
(Davies p.1).
p 1) IPsec in IPv6
IPv6, on the
other hand, provides end‐to‐end security, i.e. data is secured from the originating
workstation/host (through the various routers, etc. of the Internet) to the destination
workstation/host. In IPv4, IPsec typically provides security between border routers of separate
networks.

IPsec is used in IPV4 to implement Virtual Private Networks (VPNs)

“IPsec (VPNs). IPsec provides network
network‐level
level
security, which means that an application running over an IPv6 network, e.g. a web‐server,
browsing the Internet, any application sending/receiving data over the Internet, etc., will also
have this security, since the application data is encapsulated within the IPv6 packet.” (excerpt
taken from SANS Institute InfoSec Reading Room paper)

21
22
1
In this lesson you will learn about network security and identifying key aspects of it. This will be a general
overview. Of course there is more to learn, but for now, the information contained here will help you to
appreciate and realize the scope of this important area of study.

Security is an ever evolving process with network intrusion strategems and data theft becoming more
sophisticated every day. Network administrators are faced with balancing between providing the
essential services to their users while protecting their network’s assets against unauthorized theft and
intentional harm.

2
A computer virus is a type of malware that, when executed, replicates by inserting copies of itself
(possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when
this replication succeeds, the affected areas are then said to be "infected". Viruses often perform some
type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private
information, corrupting data, displaying political or humorous messages on the user's screen, spamming
their contacts, or logging their keystrokes.

However, not all viruses carry a destructive payload or attempt to hide themselves—the defining
characteristic of viruses is that they are self‐replicating computer programs which install themselves
without the user's consent.
Vi writers
Virus i use social
i l engineering
i i and d exploit
l i detailed
d il d knowledge
k l d off security
i vulnerabilities
l bili i to gain
i
access to their hosts' computing resources.

The vast majority of viruses (over 99%) target systems running Microsoft Windows, employing a variety of
mechanisms to infect new hosts, and often using complex anti‐detection/stealth strategies to evade
antivirus software.
Motives for creating viruses can include seeking profit, desire to send a political message, personal
amusement, to demonstrate that a vulnerability exists in software, for sabotage and denial of service, or
simply because they wish to explore artificial life and evolutionary algorithms.

3
Macro Virus: Many common applications, such as Microsoft Outlook and Microsoft Word, allow macro
programs to be embedded in documents or emails, so that the programs may be run automatically when
the document is opened. A macro virus (or "document virus") is a virus that is written in a macro
language, and embedded into these documents so that when users open the file, the virus code is
executed, and can infect the user's computer. This is one of the reasons that it is dangerous to open
unexpected attachments in e‐mails.

Boot Sector Virus: Boot sector viruses specifically target the boot sector/Master Boot Record (MBR) of the
host's hard drive or removable storage media (flash drives, floppy disks, etc.).

R id
Resident vs. Non‐resident
N id Vi
Virus: A memory‐resident
id virus
i (or( simply
i l ""resident
id virus")
i ") iinstalls
ll iitself
lf as part
of the operating system when executed, after which it remains in RAM from the time the computer is
booted up to when it is shut down. Resident viruses overwrite interrupt handling code or other functions,
and when the operating system attempts to access the target file or disk sector, the virus code intercepts
the request and redirects the control flow to the replication module, infecting the target. In contrast, a
non‐memory‐resident virus (or "non‐resident virus"), when executed, scans the disk for targets, infects
them,, and then exits ((i.e. it does not remain in memoryy after it is done executing).
g)

Browser Hijacker Virus: This type of virus, which can spread itself in numerous ways including voluntary
download, effectively hijacks certain browser functions, usually in the form of re‐directing the user
automatically to particular sites. It’s usually assumed that this tactic is designed to increase revenue from
web advertisements.
4
A Trojan horse, or Trojan, is a hacking program that is a non‐self‐replicating type of malware which gains
privileged access to the operating system while appearing to perform a desirable function but instead
drops a malicious payload, often including a backdoor allowing unauthorized access to the target's
computer.

These backdoors tend to be invisible to average users, but may cause the computer to run slowly. Trojans
do not attempt to inject themselves into other files like a computer virus. Trojan horses may steal
information, or harm their host computer systems.

Trojans may use drive‐by downloads or install via online games or internet‐driven applications in order to
reach target computers. The term is derived from the Trojan Horse story in Greek mythology because
Trojan horses employ a form of “social engineering,” presenting themselves as harmless, useful gifts, in
order to persuade victims to install them on their computers.

5
A computer worm is a standalone malware computer program that replicates itself in order to spread to
other computers.[1] Often, it uses a computer network to spread itself, relying on security failures on the
target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing
program.[2] Worms almost always cause at least some harm to the network, even if only by consuming
bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
Many worms that have been created are designed only to spread, and do not attempt to change the
systems they pass through. However, as the Morris worm and Mydoom showed, even these "payload
free" worms can cause major disruption by increasing network traffic and other unintended effects.

A "payload" is code in the worm designed to do more than spread the worm—it might delete files on a
h system (e.g.,
host ( the
h ExploreZip
E l Zi worm), ) encrypt files
fil ini a cryptoviral
i l extortion
i attack,
k or send
dddocuments
via e‐mail. A very common payload for worms is to install a backdoor in the infected computer to allow
the creation of a "zombie" computer under control of the worm author. Networks of such machines are
often referred to as botnets and are very commonly used by spam senders for sending junk email or to
cloak their website's address.

Spammers are therefore thought to be a source of funding for the creation of such worms,[4][5] and the
worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail
companies with threatened DoS (denial of service) attacks.

6
A computer virus hoax is a message warning the recipient of a non‐existent computer virus threat. The
message is usually a chain e‐mail that tells the recipient to forward it to everyone they know.

Most hoaxes are sensational in nature and easily identified by the fact that they indicate that the virus will
do nearly impossible things, like blow up the recipient's computer and set it on fire, or less sensationally,
delete everything on the user's computer. They often include fake announcements claimed to originate
from reputable computer organizations together with mainstream news media. These bogus sources are
quoted in order to give the hoax more credibility. Typically, the warnings use emotive language, stress the
urgent nature of the threat and encourage readers to forward the message to other people as soon as
possible.

Virus hoaxes are usually harmless and accomplish nothing more than annoying people who identify it as a
hoax and waste the time of people who forward the message. Nevertheless, a number of hoaxes have
warned users that vital system files are viruses and encourage the user to delete the file, possibly
damaging the system. Examples of this type include the jdbgmgr.exe virus hoax and the SULFNBK.EXE
hoax.

7
Virus authors adapted to the changing computing environment by creating the e‐mail virus. For example,
the Melissa virus in March 1999 was spectacular in its attack. Melissa spread in Microsoft Word
documents sent via e‐mail, and it worked like this:

Someone created the virus as a Word document and uploaded it to an Internet newsgroup. Anyone who
downloaded the document and opened it would trigger the virus. The virus would then send the
document (and therefore itself) in an e‐mail message to the first 50 people in the person's address book.
The e‐mail message contained a friendly note that included the person's name, so the recipient would
open the document, thinking it was harmless. The virus would then create 50 new messages from the
recipient's machine.

At that rate, the Melissa virus quickly became the fastest‐spreading virus anyone had seen at the time. As
mentioned earlier, it forced a number of large companies to shut down their e‐mail systems to control the
spread.

8
Malware is a term used to describe a broad category of damaging software that includes viruses, worms,
trojan horses, rootkits, spyware, and adware. The effects of malware range from brief annoyance to
computer crashes and identity theft. Malware is easier to avoid than it is to remove. Avoiding malware
involves a two
two‐part
part strategy. Follow these guidelines for staying safe.

Stay vigilant to avoid downloading and installing anything you do not understand or trust, no matter how
tempting, from websites, emails, pop‐up windows, media like USB thumbdrives, and file sharing services
(especially the ones you know you shouldn’t be using!)

Keeping security patches and updates for Windows, plug‐ins, and software applications up to date is
critical.
ii l

Running an anti‐virus application is critical, especially keeping it up to date.

Use either Windows Firewall of one that comes with an anti‐virus application.

9
A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms
that try to reach your computer over the Internet. Many personal computer operating systems include
software‐based firewalls to protect against threats from the public Internet. Many routers that pass data
between networks contain firewall components and, conversely, many firewalls can perform basic routing
functions.

Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a
firewall commonly have addresses in the "private address range." Firewalls often have such functionality
to hide the true address of protected hosts. Originally, the NAT function was developed to address the
limited number of IPv4 routable addresses that could be used or assigned to companies or individuals as
wellll as reduce
d b h the
both h amount and d therefore
h f cost off obtaining
b i i enough h public
bli addresses
dd f every
for
computer in an organization.

Hiding the addresses of protected devices has become an increasingly important defense against network
reconnaissance (usually remote probing of a network to gain information about it).

10
A company will position a firewall in front of every connection to the Internet. The firewall can enforce
appropriate security rules within this company regarding FTP servers, web servers, Telnet servers, and
more. Using a firewall, the company can also control how employees connect to web sites and which file
types can be downloaded or uploaded.

11
A software firewall can be installed on home computers that connect to the Internet. A hardware firewall
can also be run on the router or gateway device connecting home computers to a cable modem or similar
Internet provider device. Firewalls use one or more of three methods to control traffic flowing in and out
of the network:

Packet filtering ‐ Packets (small chunks of data) are analyzed against a set of filters. Packets that make it
through the filters are sent to the requesting system and all others are discarded.
Proxy service ‐ Information from the Internet is retrieved by the firewall and then sent to the requesting
system and vice versa.
Stateful inspection ‐ A newer method that doesn't examine the contents of each packet but instead
compares certaini key
k parts off the
h packet
k to a d database
b off trusted
d iinformation.
f i Information
I f i traveling
li ffrom
inside the firewall to the outside is monitored for specific defining characteristics, then incoming
information is compared to these characteristics. If the comparison yields a reasonable match, the
information is allowed through. Otherwise it is discarded.

Whether business or home based, a firewall can be configured to do the following:

Block or filter all or specific IP addresses.

Block access to a specific Domain Name.
Block or Filter protocol traffic such as TCP/IP, HTTP, FTP, UDP, ICMP, SMTP, SNMP, and Telnet.
Block or monitor traffic across all or specific port addresses.
Block, monitor, and filter specific words and phrases.
Block software applications running on the client computer that are trying to access the Internet. 12
The level of security imposed will be determined by the range of threats expected. The absolute level of
security would be to block all access. An older rule of thumb was to block everything first, then remove
each block, one by one, as the need arose. Today, that process may be difficult if not impossible to
implement.

For home users, the default settings that come with the firewall are usually adequate. For businesses,
extensive testing and monitoring is needed to develop rules for configuring the firewall.

13
The majority of firewalls will be positioned between the network and the Internet. It is also possible to
place them between networks. This will provide the ability to control subnet traffic between subnets.

In recent years, a growing best practice has been to deploy firewalls not only at the traditional network
perimeter‐where the private corporate network meets the public Internet‐but also throughout the
enterprise network in key internal locations, as well as at the WAN edge of branch office networks. This
distributed‐firewall strategy helps protect against internal threats, which have historically accounted for a
large percentage of cyber losses.

Placing firewalls in multiple network segments also helps organizations comply with the latest corporate
andd industry
i d governance mandates.
d SSarbanes‐Oxley,
b O l Gramm‐Leach‐Bliley
G L h Blil (GLB),
(GLB) Health
H l h IInsurance
Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard, for
example, contain requirements about information security auditing and tracking.

14
The majority of firewalls also act as proxy servers. A proxy server receives a request from a user asking for
an Internet service (like showing a web page). The proxy server looks in its local cache of previously
downloaded pages. If it finds the page it returns it to the user, thereby avoiding the need to re‐download
it again and again, which helps lessen network traffic.

If the web page is not found in the cache, the proxy server makes a request for it on behalf of the user.
Today, most proxies are web proxies, facilitating access to content on the World Wide Web.

A proxy server may run right on the user's local computer, or at various points between the user's
computer and destination servers on the Internet.

• A proxy server that passes requests and responses unmodified is usually called a gateway or
sometimes a tunneling proxy.
• A forward proxy is an Internet‐facing proxy used to retrieve from a wide range of sources (in most
cases anywhere on the Internet).
• A reverse proxy is usually an Internet‐facing proxy used as a front‐end to control and protect access to
a server on a p
private network,, commonlyy also pperformingg tasks such as load‐balancing,
g, authentication,,
decryption or caching.

15
The proxy server is invisible to the user. All the Internet requests and the resulting responses appear to be
direct communications with the Internet server. However, you need to configure the web browser to
point to the proxy server’s URL.

Although the caching of web pages can help lessen traffic on the network for all users, if a certain web
page has changed since it was cached, the user will not see the newer version of the web page.
Configuration settings can be modified to help keep this from happening.

Caching also takes place with the user’s local web browser. While the user can’t clear or update the cache
on the proxy server, he or she can do so for the local computer’s web browser.

16
The majority of firewalls also have Network Address Translation (NAT). NAT is the process of modifying IP
address information in IPv4 headers while in transit across a traffic routing device. In the mid‐1990s NAT
became a popular tool for alleviating the consequences of IPv4 address exhaustion. It has become a
common, indispensable feature in routers for home and small
small‐office
office Internet connections. Most systems
using NAT do so in order to enable multiple hosts on a private network to access the Internet using a
single public IP address. The majority of NATs map multiple private hosts to one publicly exposed IP
address.

A single cable modem could be used to simultaneously connect all home computers to the Internet using
one IP Address.

17
In a typical configuration, a local network uses one of the designated "private" IP address subnets. A
router on that network has a private address in that address space. The router is also connected to the
Internet with a "public" address assigned by an Internet service provider.

As traffic passes from the local network to the Internet, the source address in each packet is translated on
the fly from a private address to the public address. The router tracks basic data about each active
connection (particularly the destination address and port). When a reply returns to the router, it uses the
connection tracking data it stored during the outbound phase to determine the private address on the
internal network to which to forward the reply.

All Internet
I packets
k have
h a source IP address
dd andd a destination
d i i IP address.
dd T i ll packets
Typically k passing
i from
f
the private network to the public network will have their source address modified while packets passing
from the public network back to the private network will have their destination address modified. More
complex configurations are also possible.

18
It will keep out people looking for file shares, rogue email servers and web server, and most port‐based
exploits. With a NAT device and a good anti‐virus program, you should be safe from common kinds of
Internet attacks.

19
20
21
22
In cryptography, encryption is the process of encoding messages (or information) in such a way that
eavesdroppers or hackers cannot read it, but only authorized parties can. Encryption doesn't prevent
hacking but it prevents the hacker from reading the data that is encrypted.

In an encryption scheme, the message or information (referred to as plaintext) is encrypted using an

encryption algorithm, turning it into an unreadable ciphertext.This is usually done with the use of an
encryption key, which specifies how the message is to be encoded. Any adversary that can see the
ciphertext should not be able to determine anything about the original message. An authorized party,
however, is able to decode the ciphertext using a decryption algorithm, that usually requires a secret
decryption key.

There are two basic types of encryption schemes: Symmetric‐key and public‐key encryption. In
symmetric‐key schemes, the encryption and decryption keys are the same. Thus communicating parties
must agree on a secret key before they wish to communicate. In public‐key schemes, the encryption key is
published for anyone to use and encrypt messages. However, only the receiving party has access to the
decryption key and is capable of reading the encrypted messages.

Public‐key encryption is a relatively recent invention: historically, all encryption schemes have been
symmetric‐key (also called private‐key) schemes.

23
A packet analyzer (also known as a network analyzer, protocol analyzer or packet sniffer, or for
particular types of networks, an Ethernet sniffer or wireless sniffer) is a computer program or a piece of
computer hardware that can intercept and log traffic passing over a digital network or part of a network.
As data streams flow across the network, the sniffer captures each packet and, if needed, decodes the
packet's raw data, showing the values of various fields in the packet, and analyzes its content.

This packet capture becomes less useful for the hacker when encryption is used, rendering the packer
unreadable until it is decrypted.

24
Symmetric‐key algorithms are a class of algorithms (such as DES, DES3, Blowfish, etc.) for cryptography
that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The
keys may be identical or there may be a simple transformation to go between the two keys. The keys, in
practice, represent a shared secret between two or more parties that can be used to maintain a private
information link.

This requirement that both parties have access to the secret key is one of the main drawbacks of
symmetric key encryption, in comparison to public‐key encryption. This is also known as private key
encryption.

Triple DES or DES3,

DES3 which uses 3 keys,
keys is an enhancement of DESDES. The original DES cipher
cipher'ss key size of 56
bits was generally sufficient when that algorithm was designed, but the availability of increasing
computational power made brute‐force attacks feasible. Triple DES provides a relatively simple method of
increasing the key size of DES to protect against such attacks, without the need to design a completely
new block cipher algorithm.

25
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by
authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for
establishing mutual authentication between agents at the beginning of the session and negotiation of
cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a
pair of hosts (host‐to‐host), between a pair of security gateways (network‐to‐network), or between a
security gateway and a host (network‐to‐host).

IPsec is an end‐to‐end security scheme operating in the Internet Layer of the Internet Protocol Suite,
while some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL),
Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model.
H
Hence, IP
IPsec protects any application
li i traffic
ffi across an IP network.
k Applications
A li i d not need
do d to be
b
specifically designed to use IPsec.

IPsec operates in one of two modes: transport or tunnel mode.

Transport mode. In transport mode, the network traffic is IPsec‐protected by the originating computer
and it stays
y pprotected all of the wayy through
g the network to the destination computer.
p

Tunnel mode. In tunnel mode, the network traffic is IPsec‐protected only for a part of the trip between
the origin and destination computers, typically as it traverses an untrusted network.

26
Secure Sockets Layer is a commonly used protocol for the communications security. SSL has been
succeeded by TLS (Transport Layer Security). Transport Layer Security (TLS) and its predecessor, SSL are
cryptographic protocols which are designed to provide communication security over the Internet.

They use X.509 certificates and hence asymmetric cryptography to assure the counterparty whom they
are talking with, and to exchange a symmetric key. This session key is then used to encrypt data flowing
between the parties. This allows for data/message confidentiality, and message authentication codes for
message integrity and as a by‐product message authentication.

Several versions of the protocols are in widespread use in applications such as web browsing, electronic
mail,
il Internet
I faxing,
f i instant
i messaging
i and d voice‐over‐IP
i IP (VoIP).
(V IP)

27
The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS
that provides filesystem‐level encryption. The technology enables files to be transparently encrypted on
the hard drive to protect confidential data from attackers with physical access to the computer. By default,
no files are encrypted, but encryption can be enabled by users on a per
per‐file,
file, per
per‐directory,
directory, or per
per‐drive
drive
basis. Some EFS settings can also be mandated via Group Policy in Windows domain environments.

BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise
editions of Microsoft's Windows Vista and Windows 7, and with the Pro and Enterprise editions of
Windows 8[1] desktop operating systems, as well as the server platforms, Windows Server 2008, Windows
Server 2008 R2 and Windows Server 2012. It is designed to protect data by providing encryption for entire
volumes.
l

28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
Other groups include the Everyone Group and the Anonymous Logon Group.

52
53
54
55
56
57
58
59
In this lesson we outlined and explored network security areas to think about and be aware of. We looked
at common types of malware, the functions of firewalls and proxy servers, the use of data encryption, and
permissions and rights for users and groups.

60
1
In this lesson we will concentrate services and command line utilities available for the TCP/IP protocol
stack.

2
3
4
5
When TCP/IP is used it is possible to set up multiple connections to the same computer through the use
of ports. Simultaneous sessions can be managed by the computer by assigning separate ports to each
session. For example, FTP uses port 21 by default, and HTTP uses port 80 by default.

6
7
8
9
10
File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another
host over a TCP‐based network, such as the Internet.

FTP is built on a client

client‐server
server architecture and uses separate control and data connections between the
client and the server. The first FTP client applications were command‐line applications developed before
operating systems had graphical user interfaces, and are still shipped with most Windows, Unix, and Linux
operating systems. Dozens of FTP clients and automation utilities have since been developed for
desktops, servers, mobile devices, and hardware, and FTP has been incorporated into hundreds of
productivity applications, such as Web page editors.

FTP login
l i utilizes
ili a normall username and d password
d scheme
h f granting
for i access. The
Th username is i sent to
the server using the USER command, and the password is sent using the PASS command. If the
information provided by the client is accepted by the server, the server will send a greeting to the client
and the session will commence. If the server supports it, users may log in without providing login
credentials, but the same server may authorize only limited access for such sessions.

11
12
13
A firewall is a software or hardware‐based network security system that controls the incoming and
outgoing network traffic by analyzing the data packets and determining whether they should be allowed
through or not, based on a rule set. A firewall establishes a barrier between a trusted, secure internal
network and another network (e.g., the Internet) that is not assumed to be secure and trusted. Many
personal computer operating systems include software‐based firewalls to protect against threats from the
public Internet. Many routers that pass data between networks contain firewall components and,
conversely, many firewalls can perform basic routing functions.

Common ports a firewall can filter or block access through include:

FTP 21
Telnet 23
SMTP 25
DNS 53
HTTP 80
POP3 110
SNMP 161
HTTPS 443
LPR 515

14
The Dynamic Host Configuration Protocol (DHCP) is a standardized network protocol that is used by
network devices to configure the IP settings of another device, such as a computer, laptop or tablet.
Network administrators or users do not need to configure the IP settings manually, since these settings
are received from a server running DHCP.

DHCP servers maintain a database of available IP addresses and configuration information, which is used
to assign IP addresses to client devices. DHCP servers typically grant IP addresses to clients only for a
limited interval. DHCP clients are responsible for renewing their IP address before that interval has
expired, and must stop using the address once the interval has expired, if they have not been able to
renew it.

The dynamic host configuration protocol (DHCP) may assign an IP address, a default route, and one or
more DNS server addresses to the client device. DHCP may be used to configure some of these settings
and the remaining settings may be manually configured. DHCP does not configure the IP settings of a
device unless the same device requests to use DHCP to "obtain an IP address automatically".

DHCP is used for Internet Protocol version 4 ((IPv4),

), as well as IPv6. While both versions serve the same
purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they may be
considered separate protocols.

15
16
17
The Bootstrap Protocol, or BOOTP, is a network protocol used by a network client to obtain an IP address
from a configuration server. BOOTP is usually used during the bootstrap process when a computer is
starting up.

A BOOTP configuration server assigns an IP address to each client from a pool of addresses. BOOTP uses
the User Datagram Protocol (UDP) as a transport on IPv4 networks only. Historically, BOOTP has also been
used for Unix‐like diskless workstations to obtain the network location of their boot image in addition to
an IP address, and also by enterprises to roll out a pre‐configured client (e.g., Windows) installation to
newly installed PCs.

O i i ll requiring
Originally i i the
h use off a boot
b fl
floppy di k to establish
disk bli h the
h initial
i i i l networkk connection,
i
manufacturers of network cards later embedded the protocol in the BIOS of the interface cards as well as
system boards with on‐board network adapters, thus allowing direct network booting.

IMPORTANT NOTE: The Dynamic Host Configuration Protocol (DHCP) is a more advanced protocol for the
same purpose and has superseded the use of BOOTP. Most DHCP servers also function as BOOTP servers.

18
19
20
If you don’t have a DHCP relay agent installed on the router (C), the DHCP server must reside on the local
subnet.

21
22
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or
any resource connected to the Internet or a private network. It associates various information with
domain names assigned to each of the participating entities. Most prominently, it translates easily
memorized domain names to the numerical IP addresses needed for the purpose of locating computer
services and devices worldwide. By providing a worldwide, distributed keyword‐based redirection service,
the Domain Name System is an essential component of the functionality of the Internet.

23
24
25
26
27
28
29
The hosts file is a computer file used by an operating system to map hostnames to IP addresses. The
hosts file is a plain text file, and is conventionally named hosts.

If there is no DNS server available, the clients are still able to resolve DNS names to IP addresses using the
hosts.txt file, which contains the mappings.

30
You may recall that the original method for name resolution was based on broadcasting. When a host
needs to contact another host it broadcasts that host’s NetBIOS name or host name, then waits until the
that host responds. The resolved address is then stored in the local cache to prevent a repeat broadcast.

Similar to the hosts.txt file you can also have an LMHosts.txt file on your computer. The LMHosts file
contains static entries for name resolution (NetBIOS names versus TCP/IP addresses). Microsoft devised
an alternative method to using the LMHosts file, and one that’s easier to manage, called WINS (Windows
Internet Naming Service).

Effectively, WINS is to NetBIOS names what DNS is to domain names — a central mapping of host names
to networkk addresses.
dd Lik
Like DNS,
DNS it
i is
i implemented
i l d in
i two parts, a Server
S Service
S i (that( h manages the h
encoded Jet Database, server to server replication, service requests, and conflicts) and a TCP/IP Client
component which manages the client's registration and renewal of names, and takes care of queries.

Although WINS performs a similar function to DNS, WINS and DNS are separate protocols and are not
related.

31
Here’s the name resolution order that’s normally followed:

1. The client checks to see if the name queried is its own.

2. The client queries the local Hosts.txt file.
3. The DNS servers are queried.
4. If the name is still not resolved, NetBIOS name resolution is used. First the WINS server will be
queried before the LMHosts.txt file is used.

IMPORTANT NOTE: This sequence order can be changed by configuring the NetBIOS node type of the
client.

32
Ping is a computer network administration utility used to test the reachability of a host on an Internet
Protocol (IP) network and to measure the round‐trip time for messages sent from the originating host to a
destination computer. The name comes from active sonar terminology which sends a pulse of sound and
listens for the echo to detect objects underwater.

Ping operates by sending Internet Control Message Protocol (ICMP) echo request packets to the target
host and waiting for an ICMP response. In the process it measures the time from transmission to
reception (round‐trip time)[1] and records any packet loss. The results of the test are printed in the form of
a statistical summary of the response packets received, including the minimum, maximum, and the mean
round‐trip times, and sometimes the standard deviation of the mean. Ping does not evaluate or compute
the
h time
i to establish
bli h the
h connection;
i iit only
l gives
i the
h mean round‐trip
d i times
i off an established
bli h d connection
i
with an open session.

Depending on the implementation, the ping command can be run with various command line switches to
enable special operational modes. Example options include: specifying the packet size used as the probe,
automatic repeated operation for sending a specified count of probes, and time stamping.

Ping may be abused as a simple form of denial‐of‐service attack in the form of a ping flood, in which the
attacker overwhelms the victim with ICMP echo request packets.

33
In Microsoft Windows, you enter the ping command at the command prompt in the format “ping
<ip_address>.”

You can ping your own computer with “ping

ping 127.0.0.1.
127.0.0.1.” A reply indicates TCP/IP is working on your
computer.

34
By default, ping waits 4,000 milliseconds (4 seconds) for each response to be returned before displaying
the "Request Timed Out" message. If the remote system being pinged is across a high‐delay link, such as a
satellite link,
link responses may take longer to be returned
returned. You can use the ‐w
w (wait) option to specify a
longer time‐out.

If you enter “ping /” or ping /?” you will get back a list of options, including the ones shown here.

35
Using “ping –a” you can see the host name associated with the ip address. For example, entering “ping –a
134.188.111.111” as shown here, will bring back the host name associated with that ip address, which, in
this example is ws023896.oce.nl.

Conversely, if you know the host name but not it’s ip address, enter “ping <hostname>.”

36
37
ipconfig (internet protocol configuration) in Microsoft Windows is a console application that displays all
current TCP/IP network configuration values and can modify Dynamic Host Configuration Protocol DHCP
and Domain Name System DNS settings.

In most cases, the ipconfig command is used with the command‐line switch /all. This results in more
detailed information than ipconfig alone.

38
39
40
41
traceroute is a computer network diagnostic tool for displaying the route (path) and measuring transit
delays of packets across an Internet Protocol (IP) network. The history of the route is recorded as the
round‐trip times of the packets received from each successive host (remote node) in the route (path); the
sum of the mean times in each hop indicates the total time spent to establish the connection.

Traceroute proceeds unless all (three) sent packets are lost more than twice, then the connection is lost
and the route cannot be evaluated. Ping, on the other hand, only computes the final round‐trip times
from the destination point.

On Microsoft Windows, it is named tracert. Windows NT‐based operating systems also provide PathPing,
with
i h similar
i il functionality.
f i li For
F Internet
I P
Protocol
l Version
V i 6 (IPv6)
(IP 6) the
h tooll sometimes
i h the
has h name
traceroute6 or tracert6.

42
43
44
45
Nbtstat is a diagnostic tool for NetBIOS over TCP/IP. It is included in several versions of Microsoft
Windows. Its primary design is to help troubleshoot NetBIOS name resolution problems. There are several
commands involved with Nbtstat that allows several options such as: local cache lookup, WINS server
query, broadcast, LMHOSTS lookup, Hosts lookup, and it is not for DNS server query.

Common switches are:

nbtstat ‐c: displays the contents of the NetBIOS name cache, the table of NetBIOS names and their
resolved IP addresses.
nbtstat ‐n: displays the names that have been registered locally on the system.
nbtstat ‐r: displays the count of all NetBIOS names resolved by broadcast and querying a WINS server.
nbtstat
b ‐R:
R purges and d reloads
l d the
h remote cache h name table.
bl
nbtstat ‐RR: sends name release packets to WINs and then starts Refresh.
nbtstat ‐s: lists the current NetBIOS sessions and their status, including statistics.
nbtstat ‐S: lists sessions table with the destination IP addresses.

46
47
48
49
We briefly covered network devices in the Network Introduction. Let’s discuss them again in relation to
the OSI Model to give you a better idea as to how the theory applies to the practical.

50
51
52
netstat (network statistics) is a command‐line tool that displays network connections (both incoming and
outgoing), routing tables, and a number of network interface (network interface controller or software‐
defined network interface) and network protocol statistics. It is available on Unix‐like operating systems
including OS X, Linux, Solaris, and BSD, and is available on Windows NTNT‐based
based operating systems including
Windows XP, Windows Vista, Windows 7 and Windows 8.

It is used for finding problems in the network and to determine the amount of traffic on the network as a
performance measurement.

Entering “netstat /?” will bring up a list of its command line switches.

53
54
55
56
57
This also works in Microsoft Windows 7 using the Windows Task Manager.

58
In Microsoft Windows 7 Task Manager, under the services tab, you will see the PID column.

59
60
Address Resolution Protocol (ARP) is a telecommunications protocol used for resolution of network layer
addresses into link layer addresses, a critical function in multiple‐access networks. It is also the name of
the program for manipulating these addresses in most operating systems.

ARP is used to convert an IP address to a physical address such as an Ethernet address.

ARP has been implemented with many combinations of network and data link layer technologies, such as
IPv4, Chaosnet, DECnet and Xerox PARC Universal Packet (PUP) using IEEE 802 standards, FDDI, X.25,
Frame Relay and Asynchronous Transfer Mode (ATM). IPv4 over IEEE 802.3 and IEEE 802.11 is the most
common case.

In Internet Protocol Version 6 (IPv6) networks, the functionality of ARP is provided by the Neighbor
Discovery Protocol (NDP).

61
62
63
64
65
66
67
68
69
1
In this lesson we will learn about the web‐based printing protocols available through the TCP/IP stack. The
previous lesson covered those protocols involved with network and transport; now we will look at the
printing protocols for FTP, HTTP, and IPP.

Objectives:

Describe the printing process using Windows.

Describe the upper layer web‐based printing protocols.

2
When a user makes a print the computer proceeds through a series of steps. These involve executable
files, drivers, device interfaces, and dynamic‐link libraries (.dll files). All these work together to create the
print output. Understanding how this process works will help you resolve issues with it not working.

The steps include the printer driver, spooler, and print monitor.

3
Print jobs are sent in a variety of formats, each suited to the different computing environments. The terms
EMF (enhanced metafile) and RAW describe the spool file formats that are used by the Windows
operating system during the print cycle.

When a print job is sent to the printer, the computer reads the file and holds it on the disk or in memory
for subsequent printing. Spooling allows multiple print jobs to be given to the printer at one time.

In the following pages we’ll go down the list shown above to explain each one.

4
5
6
7
8
FTP is one of the most frequently used protocols to transfer files to and from FTP servers. Additionally, it
can also be used in the printing environment to upload or download files to and from a print controller. In
most cases the files are uploaded to an INBOX or PRINT queue or HOT folder. The printing process polls
these queues regularly.

In some cases it is necessary to enter a user name and password before accessing the FTP server.

FTP is suitable to use with Windows, Apple, and Unix.

9
10
11
12
13
14
15
NTFS (New Technology File System) is a proprietary file system developed by Microsoft.

Starting with Windows NT 3.1, it is the default file system of the Windows servers and Windows 7
operating systems.

NTFS supersedes FAT file system. NTFS has several technical improvements over FAT and HPFS (High
Performance File System), such as improved support for metadata, and the use of advanced data
structures to improve performance, reliability, and disk space utilization, plus additional extensions, such
as security access control lists (ACL) and file system journaling.

16
17
18
You could also decide to configure for non‐anonymous logon (by not enabling Allow Anonymous
Connections). In this case the FTP server will always prompt for a username and password to log on.

19
Finally, let’s discuss active and passive FTP, and important consideration in relation to security.

FTP may run in active or passive mode, which determines how the data connection is established.

In active mode, the client creates a TCP control connection. The FTP server then opens a communications
channel to the client via a random port on the client. This channel of communication is secure for the FTP
server as it requires only 1 fixed port. However, this is not secure for the client because it requires
opening a random port on the client. The client never knows ahead of time which port will be assigned,
which can be exploited by hackers.

S FTP in
So i active
i mode
d is
i secure for
f the
h FTP server, but
b not secure ffor the
h FTP client.
li

20
In situations where the client is behind a firewall and unable to accept incoming TCP connections, passive
mode may be used.

A command channel is opened from the FTP client to the FTP server. This is more secure for the client as
it does not require a randomly opened port on the client. However, it is also less secure for the FTP server
since it is now the FTP server that has a randomly opened port for the communication channel.

So FTP in passive mode is secure for the FTP client, but less secure for the FTP server.

Both modes were updated in September 1998 to support IPv6. Further changes were introduced to the
passive
i mode
d at that
h time,
i updating
d i iit to extended
d d passive
i mode.
d

21
The HTTP protocol controls the connection of servers on the World Wide Web. The primary purpose is to
establish a connection with a web server and to transmit HTML pages to the client web browser.

The address of web sites have a http:// prefix. Usually the web browser will default to including it should
you only type in “www.canon.com” without the prefix.

The HTTP protocol can be used to upload files to a web server in combination with printing. However, it is
usually more efficient to use FTP for larger files.

22
HTTP connects to the web server via port 80. HTTP transmits readable, unencrypted data over the
network, making it less secure. Hackers using network sniffers can trap, open, and read the packets of
data. A more secure protocol is HTTPS (hypertext transport protocol secure).

HTTPS directs data across port 443 instead of port 80.

HTTPS provides authentication of the web site and associated web server that one is communicating
with, which protects against man‐in‐the‐middle attacks. Additionally, it provides bidirectional encryption
of communications between a client and server, which protects against eavesdropping and tampering
with and/or forging the contents of the communication.

In practice, this provides a reasonable guarantee that one is communicating with precisely the web site
that one intended to communicate with (as opposed to an imposter), as well as ensuring that the
contents of communications between the user and site cannot be read or forged by any third party.

Historically, HTTPS connections were primarily used for payment transactions on the World Wide Web, e‐
mail and for sensitive transactions in corporate information systems. In the late 2000s and early 2010s,
HTTPS began to see widespread use for protecting page authenticity on all types of websites, securing
accounts and keeping user communications, identity, and web browsing private.

23
HTML (hypertext markup language) is used when building web pages, but to increase dynamic content,
Javascript and Flash are often used. Although Apple does not support Flash on their iPads, and HTML5
contains more dynamic functionality built in, Flash is still heavily used across the Internet.

A Flash plug‐in suited to the particular web browser used is necessary to view Flash content, and a Java
plug‐in for the web browser is also needed. The Flash plug‐in allows you to see Flash animations playing
on web pages, and the Java plug‐in is important for everything from form data entry on web pages to
execution of button commands and searches.

Due to the heavy attraction of users to both Flash and Javascript coding, hackers often look for and find
weaknesses
k i their
in h i codes
d to exploit.
l i IIt is
i iimportant to always
l kkeep both
b h updated
d d to theh llatest version.
i

24
In computing, the Internet Printing Protocol (IPP) provides a standard network protocol for remote
printing as well as for managing print jobs, media size, resolution, and so forth. Like all IP‐based protocols,
IPP can run locally or over the Internet to printers hundreds or thousands of miles away. Unlike other
printing protocols, IPP also supports access control, authentication, and encryption, making it a much
more capable and secure printing solution than older ones.

Among other things, IPP allows a client to:

• query a printer's capabilities
• submit print jobs to a printer
• query the status of a printer
• query the
h status off one or more print
i jobs
j b
• cancel previously submitted jobs

IPP uses TCP with port 631 as its well‐known port. IPP implementations such as CUPS also use UDP with
port 631 for IPP printer discovery.

Products usingg the Internet Printingg Protocol include,, amongg others,, CUPS which is p
part of Apple
pp Mac OS
X and many BSD and Linux distributions and is the reference implementation for IPP/2.0 and IPP/2.1,
Novell iPrint, and Microsoft Windows, starting with MS Windows 2000. MS Windows XP and Windows
Server 2003 offer IPP printing via HTTPS. MS Windows Vista, Windows 7, Windows Server 2008 and 2008
R2 also support IPP printing over RPC in the "Medium‐Low" security zone. For reasons unknown Microsoft
dropped support of secure IPP via SSL with MS Windows Server 2008.
25
Using IPP, a user can access information about available printers and send jobs to any print server that
supports IPP.

The process outlined here and in the following pages is also true for Windows 7. In Windows 7, if IPP
doesn’t seem to be working, make sure it is enabled: go to the Turn Windows Features On or Off and
under Print and Document Services, see that a checkmark is next to Internet Printing Client.

26
27
28
29
Communication for Internet Printing uses IPP and HTTP (or HTTPS). Typically port 80 or 443 is used.
Because IPP is able to support HTTPS traffic, the printing job communication can be encrypted, depending
on the settings in the web browser.

30
31
32
1
In this topic we will look at non web‐based printing protocols which also use TCP/IP. You will learn about
LPR, SMB, SNMP, and LPD. We will also explain Telnet, although it is past its prime some print controllers
may still be found using it.

2
In a previous lesson we examined OSI upper layer protocols such as FTP, HTTP, and IPP. These protocols
are considered to be web‐based since they require set up on a web or FTP server. The printing protocols
we discuss in this lesson do not need to be set up on a web server.

3
LPR/LPD are acronyms for Line Printer Remote/Line Printer Daemon. These are printer protocols that use
TCP/IP to establish connections between printers and computers on a network. LPR runs on the client
computer. LPD listens for LPR requests and runs on the print controller.

A server for the LPD protocol listens for requests on TCP port 515. A request begins with a byte containing
the request code, followed by the arguments to the request, and is terminated by an ASCII line‐feed
character. An LPD printer is identified by the IP address of the server machine and the queue name on
that machine. Many different queue names may exist in one LPD server, with each queue having unique
settings.

N
Note that
h the
h LPD queue name is i case sensitive.
i i Some
S modern
d i l
implementations
i off LPD on networkk
printers might ignore the case or queue name altogether and send all jobs to the same printer. Others
have the option to automatically create a new queue when a print job with a new queue name is
received. This helps to simplify the setup of the LPD server. Some companies (e.g. D‐Link in model DP‐
301P+) have a tradition of calling the queue name “lpt1” or “LPT1”.

Apprinter that supports

pp LPD/LPR
/ is sometimes referred to as a "TCP/IP
/ p printer" ((TCP/IP
/ is used to establish
connections between printers and clients on a network), although that term would be equally applicable
to a printer that supports the Internet Printing Protocol (IPP).

4
5
6
7
The Standard Port Monitor (SPM) is available in Microsoft Windows as al alternative to using the LPR Port
when you want to print to network printers over TCP/IP. SPM is installed by default when TCP/IP is
installed in Windows.

For network‐connected print devices, the standard TCP/IP port monitor is the best choice. Standard port
monitor is the successor to line printer remote (LPR), that has been widely adopted as the de facto
standard in network printing for the past several years. Standard port monitor is faster, more scalable, and
bidirectional. In contrast, LPR is limited in all of these areas. Although Windows NT 4 and later provided
registry modifications to help extend the capabilities of LPR printing, these changes do not compare with
the benefits of using standard port monitor.

Unlike LPR, SPM uses port 9100 by default for the destination port, and randomly selects any open source
port greater than 1023 as the source port.

8
The print drivers should be installed first. Also make sure you are able to ping the print server. In the
following steps, we’ll set up an SPM Port in Windows 7.

To begin, click Start>Control Panel and select Go to Programs and Features.

9
Select Turn Windows Features on and off from the menu.

10
In the Windows Features window, under Print and Document Services, enable LPD Print Service and LPR
Port Monitor, then click OK to save your changes.

11
Now go to Devices and Printers in Control Panel.

12
Click Add a printer.

13
Click Add a local printer.

14
Select Create a new port and in the drop down list select Standard TCP/IP Port.

Click Next and you will be prompted to input the IP address of the print server and choose a print driver
to finish up.

15
Suppose you have a problem with the printer connection along the LPR port? One of the things to check is
whether you can submit a print job via LPR without using the print driver. To accomplish this, you would
run LPR using the Windows command prompt. Keep in mind that printing with the command line LPR
does not require drivers; however, because of this, you can only submit a print job that will be recognized
by the print controller without the need of a driver.

Using lpr /? will bring up the list of switches available. Remember that the lpr command is case‐sensitive
since it originates from the UNIX environment.

16
Standard port monitor sends documents to a printer using either the RAW or LPR printing protocols.
Together, these protocols support most current TCP/IP printers.

The RAW protocol is the default for most print devices. To send a RAW
RAW‐formatted
formatted job, the print server
opens a TCP stream to the printer’s network interface. For many devices this will be port 9100. When the
TCP/IP port is created, Windows uses SNMP to query the device for its object identifier (Printer MIB). If
the device returns a value the system file, tcpmon.ini, is parsed for a match. If the printer manufacturer
has provided special configuration information for the particular device, it is created with the
configuration settings in place. For example, some external print server interfaces support multiple
printers (for example, the Hewlett Packard JetDirect EX with three parallel port connections).

The manufacture can use different ports to designate which printer a job should be submitted to (for
example, 9102 for port 1, 9103 for port 2; and so on). This ability is helpful for print server interfaces that
require the use of specific port names, such as PASS on some IBM network printers.

Standard port monitor can be configured to comply more closely with the LPR. Specifically, you can use
g
the Configure Port button in the Server Properties,
p , Ports tab to enable byte
y counting.
g This settingg can be
helpful if a line printer daemon (LPD) requires an accurate byte count to be sent.

17
18
19
20
21
22
23
24
25
Server Message Block (SMB), the modern dialect of which is known as Common Internet File System
(CIFS) and operates as an application‐layer network protocol mainly used for providing shared access to
files, printers, serial ports, and miscellaneous communications between nodes on a network. It also
provides an authenticated interinter‐process
process communication mechanism. SMB works through a client
client‐server
server
approach, where a client makes specific requests and the server responds accordingly.

Most usage of SMB involves computers running Microsoft Windows, where it was known as "Microsoft
Windows Network" before the subsequent introduction of Active Directory. Corresponding Windows
services are LanmanServer (for the server component) and LanmanWorkstation (for the client
component).

The Server Message Block protocol can run on top of the Session (and lower) network layers in several
ways:
directly over TCP, port 445; via the NetBIOS API, which in turn can run on several transports: on UDP ports
137, 138 & TCP ports 137, 139 , and on several legacy protocols such as NBF.

26
27
28
In general, Windows 7 has a connection limit of 20, due to licensing.

29
Point and Print is the feature that enables a Microsoft Windows user to connect and print to a
remote printer without the need for the user to access any disks or other installation media.
Point and Print automatically downloads and installs all printer driver and data files and the
configuration information required to use the remote printer from the client computer.
computer

Client Computer Connection Methods

Point and Print supports four ways for a client computer to establish a connection to a shared
printer that is hosted on a Windows 2000, Windows XP, Windows Server 2003, or Windows Vista
print server:
Universal Naming Convention (UNC) path.
From the Start menu, choose Run (in Windows Vista use the Start Search box), type the
Universal Naming Convention (UNC) pathname of the remote printer, for example,
\\PrintServer\Printer, and then click OK.
Add Printer Wizard.
From the Start menu,
menu open the Printers and Faxes folder.
folder Click Add a Printer
Printer, click Next,
Next select
Network printer in the Add Printer Wizard and then specify the UNC path to the shared printer.
Drag and Drop.
From the Start menu, choose Run (in Windows Vista use the Start Search box), , type the name
of the print server, for example, \\PrintServer, and then click OK to view the shared printers on
the print server. Drag the desired printer icon into the Printers & Faxes folder of the local, client 30
computer to install the printer
You can find the SMB printer resource through the use of UNC (universal naming convention). The format
is two backslashes followed by the resource name.

To find a printer on the network you would enter “\\computer

\\computer name of the printserver\shared printer
name” at the Run command line in Windows.

31
Telnet is a network protocol used on the Internet or local area networks to provide a bidirectional
interactive text‐oriented communication facility using a virtual terminal connection. User data is
interspersed in‐band with Telnet control information in an 8‐bit byte oriented data connection over the
Transmission Control Protocol (TCP). Telnet was developed in 1969, and standardized as Internet
Engineering Task Force (IETF) Internet Standard STD 8, one of the first Internet standards.

Telnet is a client‐server protocol, based on a reliable connection‐oriented transport. Typically, this

protocol is used to establish a connection to Transmission Control Protocol (TCP) port number 23, where a
Telnet server application (telnetd) is listening. Telnet, however, predates TCP/IP and was originally run
over Network Control Program (NCP) protocols.

32
33
34
35
36
37
38
Simple Network Management Protocol (SNMP) is an "Internet‐standard protocol for managing devices
on IP networks". Devices that typically support SNMP include routers, switches, servers, workstations,
printers, modem racks and more. It is used mostly in network management systems to monitor network‐
attached devices for conditions that warrant administrative attention. SNMP is a component of the
Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). It consists of a set of
standards for network management, including an application layer protocol, a database schema, and a set
of data objects.

SNMP exposes management data in the form of variables on the managed systems, which describe the
system configuration. These variables can then be queried (and sometimes set) by managing applications.

SNMP itself does not define which information (which variables) a managed system should offer. Rather,
SNMP uses an extensible design, where the available information is defined by management information
bases (MIBs). MIBs describe the structure of the management data of a device subsystem; they use a
hierarchical namespace containing object identifiers (OID). Each OID identifies a variable that can be read
or set via SNMP.

39
In typical SNMP uses, one or more administrative computers, called managers, have the task of
monitoring or managing a group of hosts or devices on a computer network. Each managed system
executes, at all times, a software component called an agent which reports information via SNMP to the
manager.

Essentially, SNMP agents expose management data on the managed systems as variables. The protocol
also permits active management tasks, such as modifying and applying a new configuration through
remote modification of these variables. The variables accessible via SNMP are organized in hierarchies.
These hierarchies, and other metadata (such as type and description of the variable), are described by
Management Information Bases (MIBs).

An SNMP‐managed network consists of three key components:

• Managed device
• Agent — software which runs on managed devices
• Network management system (NMS) — software which runs on the manager

g device is a network node that implements

A managed p an SNMP interface that allows unidirectional ((read‐
only) or bidirectional (read and write) access to node‐specific information. Managed devices exchange
node‐specific information with the NMSs. Sometimes called network elements, the managed devices can
be any type of device, including, but not limited to, routers, access servers, switches, bridges, hubs, IP
telephones, IP video cameras, computer hosts, and printers.

An agent is a network‐management software module that resides on a managed device. An agent has 40
local knowledge of management information and translates that information to or from an SNMP specific
SNMP traps enable an agent to notify the management station of significant events by way of an
unsolicited SNMP message.

Agents send information to the manager. The manager then acts on this information. It can send an email
alert to and administrator, run a corrective program, or log the information for later use.

41
The Management Information Base (MIB) is a custom‐written database of system information. It can
contain information related to CPU, memory, storage space, etc. MIBs contain agents counters monitored
by SNMP. Device‐specific MIB information is usually supplied by their manufacturers.

42
A community is a name used to group SNMP hosts. This name is placed in SNMP messages sent between
SNMP‐managed devices and SNMP management stations. Typically, all hosts belong to the “Public”
community. Communities are identified by community names that you assign. A host can belong to
multiple communities at the same time, but an agent does not accept a request from a management
system outside its list of acceptable community names.

There is no relationship between community names and domain or workgroup names. Community names
represent a shared password for groups of network hosts, and should be selected and changed as you
would change any password.

D idi which
Deciding hi h hosts
h b
belong
l to the
h same community
i isi generally
ll determined
d i d by
b physical
h i l proximity.
i i

43
Enabling the SNMP service to run in Windows 7 is done through the Control Panel>Turn Windows
Features On and Off.

44
SNMP is considered to be an OSI application layer protocol. It assumes the communication path is a
connectionless communication subnetwork. Consequently SNMP does not guarantee reliable delivery of
data. The primary protocols used by SNMP are UDP (user datagram protocol) and IP (Internet protocol).
SNMP supports use of DNS, WINS, HOSTS files, and LMHOSTS files for name resolution.

The User Datagram Protocol (UDP) is one of the core members of the Internet protocol suite (the set of
network protocols used for the Internet). With UDP, computer applications can send messages, in this
case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without prior
communications to set up special transmission channels or data paths.

45
46
47
48
49
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
 In network addressing, the host address, or the host ID portion of an IP address, is the portion of
the address used to identify hosts (any device requiring a Network Interface Card, such as a PC or
networked printer) on the network. The network ID, by contrast, is the portion of the address
that refers to the network itself
itself.

49
The node ID is also called the node address or the physical address (the MAC address) of a network
device. For example, a computer in a LAN has a node ID. Routers, gateways, printers, servers, and other
network devices also have node IDs.

50
We briefly covered network devices in the Network Introduction. Let’s discuss them again in relation to
the OSI Model to give you a better idea as to how the theory applies to the practical.

51
52
53
Repeaters are used to connect LANs of the same type.

54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
Gateways work at the layer four, Transport and above. They convert complete protocols and connect
different systems architectures.

88
89
90
91
92
93
94
95
96
97
98
99
1
Network problems can be the result of a wide range of issues, from minimal disruptions in service to
simple configuration problems. In this lesson we will look at diagnostic tools you can use in the Windows
XP and Windows 7 environment to assist in isolating the cause of a problem.

2
The Netdiag command‐line diagnostic tool helps to isolate networking and connectivity problems by
performing a series of tests to determine the state of your network client. These tests and the key
network status information that they expose give network administrators and support personnel a more
direct means of identifying and isolating network problems. Moreover, because this tool does not require
parameters or switches to be specified, support personnel and network administrators can focus on
analyzing the output rather than on training users how to use the tool.

For Windows 2000 and Windows 2003 it is provided on the Installation CD as part of the Windows
Support Tools.

Th NetDiag
The N Di tool:l

• Gathers static network information and tests the network driver, protocol driver, send/receive
capability, and well‐known target accessibility.
• Can be used by network administrators in conjunction with the Scheduler Service, to generate reports
at regularly scheduled intervals.

Netdiag can be used in Windows 8, Windows 2003, Windows 2012, Windows XP, and Windows 2000. In
Windows 7, Netdiag is merged into the Troubleshooting wizard.

3
To install netdiag from the installation CD, go to the Tools directory and execute setup.exe. The setup
wizard will begin.

4
Enter your administrator name and organization.

5
For Windows 2000 and 2003 you can choose typical installation.

6
When installing on Windows XP from the XP Installation disc, choose Complete.

7
Once installed, open the Windows command line and enter netdiag /v.

Using /v will run netdiag in verbose mode, meaning it will provide much more detailed debugging
information.

Netdiag will perform tests on each NIC installed along with a range of other tests. This information can be
stored in the file NetDiag.log.

Other switches:

• //q specifies
ifi quite
i output (errors
( only)
l )
• /l sends output to netdiag.log. This log file is created in the same directory where
netdiag.exe was run.
• /debug specifies even more verbose output. Netdiag will take longer to complete when using
this switch.
• /d: domain name finds a domain controller in the specified domain.
• //fix fixes minor problems
p
• /DcAccountEnum enumerates domain controller computer accounts
• /test: testname runs a specific test. TCP/IP must be bound to one or more NICs before running.
• Refer to Microsoft’s TechNet to learn more about which tests can be
run using this command switch.

8
With Windows 7, you don’t have to wait for an error to occur to use the built‐in diagnostics. You can
launch a troubleshooting session anytime from the new Troubleshooting item in Control Panel. When you
do, the screen shown appears. In this case, the tool has found that the computer has no Internet
connection. The page displays a boxed message that informs you of the problem and offers a Try to
connect again option.

You can also open network troubleshooting by right‐clicking the Network Icon on the desktop, then
selecting properties. You will see Troubleshoot Problems at the bottom of the list under Change your
network settings.

9
If you click on the Network and Internet selection, you’ll get the dialog box shown in here. There you can
choose from seven options that start sessions for troubleshooting several types of issues: Internet‐
connection difficulties, problems accessing files and folders on other computers, and network‐printing
troubles.

10
Choosing any of the seven options launches a wizard that steps you through diagnosis of the problem,
and if possible, automated or manual correction. The troubleshooter also records an Event Tracing Log
(ETL). If the problem can’t be resolved, you can examine and even forward the log. Just click on View
History from the Troubleshooting dialog to open the list shown here.

On the next page we will see a sample report for Connection to a Workplace Using DirectAccess.

11
Each item in the history list represents a separate troubleshooting session. Double‐clicking on a session
displays the results for it as shown here (for the Connection to a Workplace Using DirectAccess).

12
In the Connection to a Workplace Using Direct Access report, there was a link called Detection Details.
Clicking it will open this window, showing the ETL file generated from this troubleshooting session. You
can save the file by clicking it.

You can view and analyze ETL files with Network Monitor 3.4

13
Here we see an example of an ETL file being viewed in Network Monitor 3.4

Important Note Regarding Network Monitor 3.3: Before Network Monitor 3.3 can fully display the ETL
files generated by Windows 7, you must configure full Windows parsers. By default, Network Monitor 3.3
uses stub Windows parsers. To configure full Windows parsers, click Tools | Options | Parsers. In the list of
parsers, click Windows | Stubs to disable stub parsers and enable full parsers, then click OK.

14
To install Network Monitor

1. Open the Windows Components wizard in Windows 2000, Windows Server 2003.
2. In the Windows Components wizard, click Management and Monitoring Tools, and then click Details.
3. In Subcomponents of Management and Monitoring Tools, select the Network Monitor Tools check
box, and then click OK.
4. If you are prompted for additional files, insert the installation CD for your operating system, or type a
path to the location of the files on the network.

15
To use Network Monitor, your computer must have a NIC card that supports promiscuous mode. This
mode allows a network device to intercept and read each packet that arrives completely. This mode of
operation is given to a network sniffer tool which captures and saves all packets for analysis.

16
The Performance Monitor can be used to:

• Understand the workload on the computer.

• Observe changes and trends in those workloads and their resource usage.
• Test configuration changes or other tuning effects by monitoring before and after results.
• Diagnose problems and target components or processes for optimizaton.

The Performance Monitor is composed of two parts:

System Monitor—you can collect and view real‐time data about memory, disk, processor, network, and
other
h activities
i i i in
i graph,
h hi
histogram, or report form.
f

Performance Logs and Alerts—you can configure logs to record performance data and set system alerts to
notify you when a specified counter’s value is above or below a defined threshold.

17
To start Performance Monitor in Windows 7 and Windows 8, click Start, then enter perfmon in the search
box, then press enter. You can also start it through Administrative Tools for these versions of Windows
and the other Servers, such as Windows 2000/2003.

To start Performance Monitor in Windows XP, click Start, then select Help and Support.

Once started, you will need to add the “counters” you want to monitor, such as memory use, or processor
use, or disk use. You can also monitor network traffic coming into your computer.

18
In Windows operating systems and servers, an event is any significant occurrence in the system or in a
program that requires users to be notified, or an entry added to a log. The Event Log Service records
application, security, and system events in Event Viewer. With the event logs in Event Viewer, you can
obtain information about your hardware, software, and system components, and monitor security events
on a local or remote computer. Event logs can help you identify and diagnose the source of current system
problems, or help you predict potential system problems.

To open the Event Viewer in Windows XP, you can go through Administrative Tools. You may also need to
open Computer Management to access the Event Viewer (listed under System Tools).

Y can also
You l use Ad
Administrative
i i i TTools
l to open the
h EEvent Vi
Viewer iin Wi
Windows
d 7
7.

19
The Event Viewer in Windows 7 is redesigned, but the information and operation is primarily the same as
in earlier versions.

Event Viewer tracks information in several different logs. Windows Logs include:

Application (program) events‐‐Events are classified as error, warning, or information, depending on the
severity of the event. An error is a significant problem, such as loss of data. A warning is an event that
isn't necessarily significant, but might indicate a possible future problem. An information event describes
the successful operation of a program, driver, or service.
Security‐related events‐‐These events are called audits and are described as successful or failed
d
depending
di on theh event, such h as whether
h h a user tryingi to llog on to Windows
Wi d was successful.
f l
Setup events‐‐Computers that are configured as domain controllers will have additional logs displayed
here.
System events‐‐System events are logged by Windows and Windows system services, and are classified as
error, warning, or information.
Forwarded events‐‐These events are forwarded to this log by other computers.

Applications and Services Logs vary. They include separate logs about the programs that run on your
computer as well as more detailed logs that pertain to specific Windows services.

20
In this lesson we briefly looked at Microsoft Windows‐based utilities to help you troubleshoot a computer
or network connectivity issue. While this lesson did not go into using each one in‐depth, you can explore
their use at your own pace. For the ATSP certification exam, only the information covered in this lesson
will be examined.

21