This assignment has five questions. Answer all questions. The remaining 20 marks are for viva voce. You may use illustrations and diagrams to enhance the explanations. Please go through the guidelines regarding assignments given in the Programme Guide for the format of presentation. The answer to each part of a question should be confined to about 300 words.
Question 1: a) Describe the structure of the 5 classes of IP address. Also draw the network configuration of your study centre/organisation showing the IP addresses assigned to your organization by the ISP. How do these classes differ? How do you identify a particular class? (5 Marks)
b) How does DNS improve name resolution? (5 Marks)
c) What is a real-time OS? How is it different from a traditional OS? (5 Marks)
Answer 1: In the original Internet routing scheme developed in the 1970s, sites were assigned addresses from one of three classes: Class A, Class B and Class C. The address classes differ in size and number. Class A addresses are the largest, but there are few of them. Class Cs are the smallest, but they are numerous. Classes D and E are also defined, but not used in normal operation.
To say that class-based IP addressing is still used would be true only in the loosest sense. Many addressing designs are still class-based, but an increasing number can only be explained using the more general concept of CIDR, which is backwards compatible with address classes.
Suffice it to say that at one point in time, you could request the Internet NIC to assign you a class A, B or C address. To get the larger class B addresses, you might have to supply some justification, but only the class A was really tough to get. In any case, the NIC would set the network bits, or n-bits, to some unique value and inform the local network engineer. It would then be up to the engineer to assign each of his hosts an IP address starting with the assigned n-bits, followed by host bits, or h-bits, to make the address unique.
Internet routing used to work like this: a router receiving an IP packet extracted its Destination Address, which was classified (literally) by examining its first one to four bits. Once the address's class had been determined, it was broken down into network and host bits. Routers ignored the host bits, and only needed to match the network bits to find a route to the network. Once a packet reached its target network, its host field was examined for final delivery.
Summary of IP Address Classes
Class A - 0nnnnnnn hhhhhhhh hhhhhhhh hhhhhhhh
· First bit 0; 7 network bits; 24 host bits
· Initial byte: 0 - 127
· 126 Class As exist (0 and 127 are reserved)
· 16,777,214 hosts on each Class A
Class B - 10nnnnnn nnnnnnnn hhhhhhhh hhhhhhhh
· First two bits 10; 14 network bits; 16 host bits
· Initial byte: 128 - 191
· 16,384 Class Bs exist
· 65,532 hosts on each Class B
Class C - 110nnnnn nnnnnnnn nnnnnnnn hhhhhhhh
· First three bits 110; 21 network bits; 8 host bits
· Initial byte: 192 - 223
· 2,097,152 Class Cs exist
· 254 hosts on each Class C
Class D - 1110mmmm mmmmmmmm mmmmmmmm mmmmmmmm
· First four bits 1110; 28 multicast address bits
· Initial byte: 224 - 247
· Class Ds are multicast addresses
Class E - 1111rrrr rrrrrrrr rrrrrrrr rrrrrrrr
· First four bits 1111; 28 reserved address bits
· Initial byte: 248 - 255
· Reserved for experimental use
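As an added example (not from the original assignment), this Python function performs the classification a classful router did: it inspects the first one to four bits, assigns the class from the table above, and splits the remaining bits into network and host fields. The class table is taken from the summary above; the usable-host count is computed as 2^h - 2.

```python
import ipaddress

# Class table from the summary above: (name, leading bits, number of leading
# bits to compare, network bits, host bits).  Classes D and E have no
# network/host split.
CLASSES = (
    ("A", 0b0,    1, 7,  24),
    ("B", 0b10,   2, 14, 16),
    ("C", 0b110,  3, 21, 8),
    ("D", 0b1110, 4, 0,  0),   # multicast
    ("E", 0b1111, 4, 0,  0),   # reserved / experimental
)


def classify(addr: str) -> dict:
    """Classify a dotted-quad IPv4 address the way a classful router did:
    look at the first one to four bits, then split the 32-bit value into
    network and host portions.  Returns the class, the network address
    (host bits zeroed), the host number and the usable host count."""
    value = int(ipaddress.IPv4Address(addr))   # raises ValueError on bad input
    for name, prefix, plen, net_bits, host_bits in CLASSES:
        if value >> (32 - plen) == prefix:
            break
    else:  # unreachable: every 32-bit pattern matches one of the rows above
        raise ValueError(f"unclassifiable address {addr}")

    result = {"class": name, "initial_byte": value >> 24, "network_bits": net_bits}
    if host_bits == 0:
        # Classes D and E carry no host field; they are not unicast destinations.
        result.update(network=None, host=None, usable_hosts=0)
        return result

    host_mask = (1 << host_bits) - 1
    result.update(
        network=str(ipaddress.IPv4Address(value & ~host_mask)),
        host=value & host_mask,
        # all-zeros (network) and all-ones (broadcast) host fields are not
        # assignable, hence 2^h - 2
        usable_hosts=(1 << host_bits) - 2,
    )
    return result


if __name__ == "__main__":
    # constructed sample addresses
    for a in ("10.0.0.1", "172.16.5.4", "192.168.1.10", "224.0.0.5", "240.0.0.1"):
        print(a, classify(a))
```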
b) Answer: A DNS server is any computer registered to join the Domain Name System. A DNS server runs special-purpose networking software, features a public IP address, and contains a database of network names and addresses for other Internet hosts.
DNS Root Servers
DNS servers communicate with each other using private network protocols. All DNS servers are organized in a hierarchy. At the top level of the hierarchy, so-called root servers store the complete database of Internet domain names and their corresponding IP addresses. The Internet employs 13 root servers that have become somewhat famous for their special role. Maintained by various independent agencies, the servers are aptly named A, B, C and so on up to M. Ten of these servers reside in the United States, one in Japan, one in London, UK and one in Stockholm, Sweden.
DNS resolution
Resolution occurs when a client queries a name server to obtain the IP address with which it wants to connect. If a name server in the local domain cannot resolve a client's request, it queries other servers to locate a server that can.
There are two types of resolution:
· by iteration
· by recursion
Iterative queries
By default, a name server queries "iteratively" (or non-recursively). This means that it queries several name servers in turn until it finds an answer. It starts by consulting a known name server within the domain hierarchy that contains the destination machine. If it does not already know of a suitable server to ask, it first asks a server in the root domain. Each server responds by referring to a name server in the domain name hierarchy that is closer to the one containing the destination machine. The local server then repeats its query to the name server whose name and IP address it has just been given. In this way, the local server traverses the domain name space until it reaches a name server for the domain that contains the destination machine. This name server should be able to provide the IP address of the destination machine. "Obtaining an IP address by iterative query" illustrates how a client in the domain reseau.co.fr might obtain the IP address of the remote host missouri.rivers.mynet.com.
Obtaining an IP address by iterative query
The steps taken to resolve missouri.rivers.mynet.com to its IP address are:
1. The local client asks the local name server for the IP address of missouri.rivers.mynet.com.
2. The local name server does not know the IP address of missouri.rivers.mynet.com. It also does not know the IP address of the name servers for rivers.mynet.com or mynet.com, so it asks a root name server for the IP address of missouri.rivers.mynet.com.
3. The root name server does not know the IP address of missouri.rivers.mynet.com, but it does know the IP address of the name server for mynet.com, so it tells this to the local name server.
4. The local name server asks mynet.com's name server for the IP address of missouri.rivers.mynet.com.
5. mynet.com's name server does not know the IP address of missouri.rivers.mynet.com, but it does know the IP address of the name server for rivers.mynet.com, so it tells this to the local name server.
6. The local name server asks rivers.mynet.com's name server for the IP address of missouri.rivers.mynet.com.
7. rivers.mynet.com's name server is authoritative for its zone, so it can supply the IP address of missouri.rivers.mynet.com.
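As an added illustration (not part of the original answer), the following Python simulates the referral chain just described with a constructed set of three name servers and made-up addresses: the local server starts at the root and follows each referral until it reaches the server that is authoritative for rivers.mynet.com. It also stops if a referral fails to bring it closer to the destination, so a misconfigured referral loop cannot keep it walking.

```python
# Constructed name-server data for the illustration; none of these addresses
# or hosts are real (they are taken from documentation ranges).
ROOT_IP, MYNET_NS_IP, RIVERS_NS_IP = "198.51.100.1", "192.0.2.10", "192.0.2.20"

# Each server holds the delegations (NS records with glue) it knows about and
# the address (A) records it is authoritative for.  Names are fully qualified,
# with the trailing dot.
SERVERS = {
    ROOT_IP: {
        "ns": {"mynet.com.": ("ns.mynet.com.", MYNET_NS_IP)},
        "a": {},
    },
    MYNET_NS_IP: {
        "ns": {"rivers.mynet.com.": ("ns.rivers.mynet.com.", RIVERS_NS_IP)},
        "a": {},
    },
    RIVERS_NS_IP: {
        "ns": {},
        "a": {"missouri.rivers.mynet.com.": "203.0.113.7"},
    },
}


def query(server_ip: str, name: str) -> dict:
    """What a single name server replies to a query for `name`: an answer if
    it is authoritative for the name, otherwise a referral to the closest
    delegation it knows, otherwise nothing useful."""
    srv = SERVERS[server_ip]
    if name in srv["a"]:
        return {"type": "answer", "ip": srv["a"][name]}
    # Pick the longest delegated zone that is a proper suffix of the name;
    # the "." prefix prevents "smynet.com." from matching "mynet.com.".
    zone = max((z for z in srv["ns"] if name.endswith("." + z)), key=len, default=None)
    if zone is None:
        return {"type": "nxdomain"}
    ns_name, ns_ip = srv["ns"][zone]
    return {"type": "referral", "zone": zone, "ns": ns_name, "ns_ip": ns_ip}


def resolve_iteratively(name: str, max_hops: int = 8):
    """The local name server's iterative walk: begin at a root server and
    follow referrals until an authoritative answer arrives.  Returns the IP
    (or None) and the trail of (server, reply type) pairs."""
    trail = []
    server, zone_so_far = ROOT_IP, ""
    for _ in range(max_hops):
        reply = query(server, name)
        trail.append((server, reply["type"]))
        if reply["type"] == "answer":
            return reply["ip"], trail
        if reply["type"] != "referral":
            return None, trail
        # Every referral must bring us strictly closer to the destination
        # (a longer zone suffix); otherwise stop instead of looping.
        if len(reply["zone"]) <= len(zone_so_far):
            return None, trail
        server, zone_so_far = reply["ns_ip"], reply["zone"]
    return None, trail   # hop limit reached


if __name__ == "__main__":
    ip, steps = resolve_iteratively("missouri.rivers.mynet.com.")
    for hop, (srv, kind) in enumerate(steps, 1):
        print(f"{hop}. asked {srv}: {kind}")
    print("result:", ip)
```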
c) A real-time operating system (RTOS) is an operating system that guarantees a certain capability within a specified time constraint. For example, an operating system might be designed to ensure that a certain object was available for a robot on an assembly line. In what is usually called a "hard" real-time operating system, if the calculation could not be performed for making the object available at the designated time, the operating system would terminate with a failure. In a "soft" real-time operating system, the assembly line would continue to function but the production output might be lower as objects failed to appear at their designated time, causing the robot to be temporarily unproductive. Some real-time operating systems are created for a special application and others are more general purpose. Some existing general purpose operating systems claim to be real-time operating systems. To some extent, almost any general purpose operating system such as Microsoft's Windows 2000 or IBM's OS/390 can be evaluated for its real-time operating system qualities. That is, even if an operating system doesn't qualify, it may have characteristics that enable it to be considered as a solution to a particular real-time application problem. In general, real-time operating systems are said to require:
· multitasking
· Process threads that can be prioritized
· A sufficient number of interrupt levels
Real-time operating systems are often required in small embedded operating systems that are packaged as part of microdevices. Some kernels can be considered to meet the requirements of a real-time operating system. However, since other components, such as device drivers, are also usually needed for a particular solution, a real-time operating system is usually larger than just the kernel.
The key difference between general-computing operating systems and real-time operating systems is the need for "deterministic" timing behavior in the real-time operating systems. Formally, "deterministic" timing means that operating system services consume only known and expected amounts of time. In theory, these service times could be expressed as mathematical formulas. These formulas must be strictly algebraic and not include any random timing components. Random elements in service times could cause random delays in application software and could then make the application randomly miss real-time deadlines – a scenario clearly unacceptable for a real-time embedded system. Many non-real-time operating systems also provide similar kernel services.
General-computing non-real-time operating systems are often quite non-deterministic. Their services can inject random delays into application software and thus cause slow responsiveness of an application at unexpected times. If you ask the developer of a non-real-time operating system for the algebraic formula describing the timing behavior of one of its services (such as sending a message from task to task), you will invariably not get an algebraic formula. Instead the developer of the non-real-time operating system (such as Windows, Unix or Linux) will just give you a puzzled look. Deterministic timing behavior was simply not a design goal for these general-computing operating systems.
On the other hand, real-time operating systems often go a step beyond basic determinism. For most kernel services, these operating systems offer constant load-independent timing. In other words, the algebraic formula is as simple as T(message_send) = constant, irrespective of the length of the message to be sent, or other factors such as the number of tasks, queues and messages being managed by the RTOS.
Answer 3: To share files on your computer with other computers on a network, you need to:
• Share a folder on your computer. This will make all of the files in the folder available to all the computers on your network (you can’t share individual files).
• Set up user accounts on your computer for everyone who needs to connect to your shared folder. If any of the accounts are Limited User accounts (unless an account is a Computer Administrator account, it is a Limited User account), follow the steps in Set permissions for files and folders to enable them to open your files.
To access shared files that are on another computer on your network, you need to:
• Connect to the shared folder from other computers on the network. This procedure is described in Map a network drive.
Note: By default, file permissions only allow your user account and administrators on your local computer to open your files, regardless of whether a person is sitting at your keyboard or at another computer. It may help to keep these three things in mind when setting up file sharing:
• Files have user permission settings.
• Every computer has its own user database.
• Some accounts are administrator accounts and some aren’t.
Configure your computer to share files
To share a folder on your computer so that files stored in the folder can be accessed from other computers on your home network:
1. Log on to your computer as an administrator. For more information, see Access the administrator account from the Welcome screen.
2. Click Start, and then click My Documents.
Tip: If you want to share your entire My Documents folder, open My Documents, and then click the Up button on the toolbar. You can then select the My Documents folder.
4. If you see a message that reads, As a security measure, Windows has disabled remote access to this computer, click the Network Setup Wizard link. Then follow the instructions in How to set up your computer for home networking. On the File and printer sharing page of the Network Setup Wizard, be sure to select Turn on
5. If you want to be able to edit your files from any computer on your network (instead of just being able to open them without saving any changes), select the Allow network users to change my files check box.
7. Click OK.
Windows Explorer will show a hand holding the folder icon, indicating that the folder is now shared.
(ii) Describe the role of the primary and backup domain controller in enhancing security in Windows 2000.
Answer.
A Primary Domain Controller (PDC) is a server computer in a pre-Windows 2000 NT server domain. A domain is a concept used in NT server operating systems whereby a user may be granted access to a number of computer resources with the use of a single username and password combination. Such domains have at least a Primary Domain Controller, and will often have one or more Backup Domain Controllers (BDCs). The PDC has the master copy of the user accounts database which it can access and modify. The BDC computers have a copy of this database, but these copies are read-only. The PDC will replicate its account database to the BDCs on a regular basis. The BDCs exist in order to provide a backup to the PDC, and can also be used to authenticate users logging on to the network. If a PDC should fail, one of the BDCs can then be promoted to take its place. The PDC will usually be the first domain controller that was created unless it was replaced by a promoted BDC.
A Backup Domain Controller (BDC) is a computer that has a copy of the user accounts database. Unlike the accounts database on the Primary Domain Controller (PDC), the BDC database is a read-only copy. When changes are made to the master accounts database on the PDC, the PDC pushes the updates down to the BDCs. Most domains will have at least one BDC, and often there are several BDCs in a domain. These domains exist to provide fault tolerance. If the PDC fails, then it can be replaced by a BDC. In such circumstances, an administrator promotes a BDC to be the new PDC. BDCs can also authenticate user logon requests - and take some of the authentication load from the PDC.
Use of the Legacy Client is not recommended in secure environments. Installing the Legacy Client on the domain controller is not recommended because many Legacy Client accounts require local Administrator rights, which become domain admins on a domain controller.
Account and password creation
When installing Legacy Clients with Client Push Installation, Client Configuration Manager (CCM) creates this domain account to run the CCM boot loader service on client computers that are domain controllers. This account is made unique by including the domain controller name in the account name. For enhanced security, SMS randomly generates and encrypts the passwords for these accounts. This account is automatically deleted after the client is set up.
Account location
Because the client is a domain controller, the account is created in the domain that the client belongs to. You will have one account for each domain controller in the domain running the Legacy Client. The accounts include the server name in the account name to keep them unique.
Account maintenance
Do not change the passwords, account names, or permissions for this account. If you change the account manually, the related processes do not run successfully, and you run the risk of causing account lockouts by forcing the accounts out of synchronization.
Security best practices
Resolve problems that prevent temporary accounts from being deleted, because they would prevent the SMS#_dc account from being deleted after installation is completed.
Shared folders is a term used for IMAP folders that can be accessed simultaneously by many users. Kolab allows you to specify a variety of access rights for such folders so that you can easily specify which users can read, write or modify the messages held in the IMAP folder.
Since a shared folder can also hold groupware resources (like events, tasks, addresses, notes, etc.) instead of plain mail, shared folders are an ideal tool for team organization and communication.
(iii) What are the shared folders in Windows and why are they used?
Answer.
1. Open "My Network Places" from the Start Menu or from the left pane of Windows Explorer (under Desktop, below My Documents and My Computer).
2. Open the "Entire Network" item listed in the left pane of My Network Places.
3. Open the "Microsoft Windows Network" item.
4. Next, open the new item that appears showing the computer's workgroup (or domain) name.
5. Finally, click on the new item that appears showing the computer's name.
6. In the right pane, any non-administrative Windows shares set on this computer will appear. If
no items appear, no folders have been set for sharing.
Folders shown in this window link to the actual shared folders. Opening any of these shares will reveal the contents of the actual folder. Note that renaming or deleting files from this linked location is not permitted. Note also that this method reveals the contents but does not reveal the actual location of the shared folders on the hard drive.
7. To find the actual location of file shares on Windows XP or Windows 2000, and also to view
administrative shares, open a command prompt. To open a command prompt, click the Start
Menu, choose the Accessories option, then choose Command Prompt. Alternatively, click the
Start Menu, choose the Run option, then type 'cmd' in the Run window that opens.
8. Type the command 'net share' and press Enter in the command prompt window. The 'net share' command shows the name and location of each shared folder on that computer. Share names that end with a dollar sign ($) are administrative shares. Several administrative shares are created automatically by Windows; these should not be modified.
(iv) Write the purpose of VPN and name some VPN protocols supported in Windows 2000.
Answer.
VPN Protocols
The term "VPN" has taken on many different meanings in recent years. VPNC has a white paper about VPN technologies that describes many of the terms used in the VPN market today. In particular, it differentiates between secure VPNs and trusted VPNs, which are two very different technologies.
For secure VPNs, the technologies that VPNC supports are:
· IPsec with encryption
· L2TP inside of IPsec
· SSL with encryption
For trusted VPNs, the technologies that VPNC supports are:
· MPLS with constrained distribution of routing information through BGP ("layer 3 VPNs")
· Transport of layer 2 frames over MPLS ("layer 2 VPNs")
IPsec is the most dominant protocol for secure VPNs. SSL gateways for remote-access users are also popular for secure VPNs. L2TP running under IPsec has a much smaller but significant deployment. For trusted VPNs, the market is split on the two MPLS-based protocols. Companies that want to do their own routing tend to use layer 2 VPNs; companies that want to outsource their routing tend to use layer 3 VPNs.
The various VPN protocols are defined by a large number of standards and recommendations that are codified by the Internet Engineering Task Force (IETF). There are many flavors of IETF standards, recommendations, statements of common practice, and so on. Some of the protocols used in IPsec are full IETF standards; however, the others are often useful and stable enough to be treated as standard by people writing IPsec software. Neither of the trusted VPN technologies is an IETF standard yet, although there is a great deal of work being done on them to get them to become standards.
RFCs
The IETF codifies the decisions it comes to in documents called "Requests For Comments". These are almost universally called by their acronym "RFCs". Many RFCs are the standards on which the Internet is formed.
The level of standardization that an RFC reaches is determined not only by "how good" the RFC is, but by how widely it is implemented and tested. Some RFCs are not solid standards, but they nonetheless document technologies that are of great value to the Internet and thus should be used as guidelines for implementing VPNs.
For the purpose of defining VPNs, any protocol that has become an IETF Request For Comments (RFC) document can be treated as somewhat of a standard. Certainly, any IPsec-related RFC that has been deemed to be on the IETF "standards track" should be considered a standard.
Internet Drafts
Before a document becomes an RFC, it starts out as an Internet Draft (often called "IDs" or "I-Ds"). IDs are rough drafts, and are sometimes created for no other benefit than to tell the Internet world what the author is thinking. On the other hand, there is often very good information in some IDs, particularly those that cover revisions to current standards.
Some Internet Drafts go along for years, but are then dropped or abandoned; others get on a fast track to becoming RFCs, although this is rare. Internet Drafts are given names when they first appear; if they become RFCs, the I-D name disappears and an RFC number is assigned.
It should be emphasized here that it is unwise to make any programming decisions based on information in Internet Drafts. Most IDs go through many rounds of revisions, and some rounds make wholesale changes in the protocols described in a draft. Further, many IDs are simply abandoned after discussion reveals major flaws in the reasoning that led to the draft.
That being said, it is worthwhile to know which IDs pertain to areas of interest. The following is a list of the IDs that are related to Internet mail. Some of these drafts will likely become RFCs in the months or years to come, possibly with heavy revision; some will be merged with other drafts; others will be abandoned.
Protocol listings
The relevant IETF Working Groups for the protocols used by secure VPNs and trusted VPNs are:
· Profiling Use of PKI in IPsec Working Group
· Transport Layer Security Working Group
· Layer 2 Virtual Private Networks (l2vpn) Working Group
· Layer 3 Virtual Private Networks (l3vpn) Working Group
· Pseudo Wire Emulation Edge to Edge (pwe3) Working Group
Note that the IPsec Working Group was disbanded in April, 2005.
The documents are arranged by the general categories they apply to. These categories are:
For secure VPNs:
· General IPsec
· ESP and AH (encryption and authentication headers)
· Key exchange (ISAKMP, IKE, and others)
· Cryptographic algorithms
· IPsec policy handling
· Remote access
· SSL and TLS
For trusted VPNs:
· General MPLS
· MPLS constrained by BGP routing
· Transport of layer 2 frames over MPLS
=====================================================================
Answer 4 : Security risks have grown dramatically for Internet service providers because entire
infrastructures are based on open standards systems. As a result, ISPs need to be able to quickly
and accurately detect unauthorized changes and respond accordingly, in order to maximize
security and minimize downtime. Intrusion Detection Systems (IDS) remain relatively youthful,
but in terms of development they are growing at an extraordinary rate.
Generally speaking, there are four different categories of intrusion detection systems—network intrusion detection, system integrity verifiers, log file monitors, and deception systems.
Network intrusion detection systems (NIDS) monitor packets traversing the system in an attempt to discover anomalies indicating that an intruder is trying to break into a system, or worse—launch a distributed denial of service (DDoS) attack. NIDSs look for frequent connection requests to different ports to reveal port scans.
System integrity verifiers (SIV) monitor system files in an attempt to discover when an intruder
changes the files—leaving behind a backdoor. A SIV may be capable of detecting changes in
critical files, but these systems usually don't generate real-time alerts to network intruders. Log
file monitors (LFM) simply monitor log files generated across network services. LFMs also look
for patterns and anomalies in log files that suggest an intruder is attacking the network.
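An added example (not from the original answer) of the kind of pattern check a NIDS or log file monitor performs: it reads constructed firewall-style log lines and flags a source that touches several distinct destination ports within a short window, the signature of a port scan described above. The log format and all addresses are made up for the illustration; threshold and window are tunable and the second call in the test shows how loosening them changes what gets flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed iptables-style log lines (not real captures).  198.51.100.9
# probes six ports in seven seconds; .20 is ordinary web traffic; .30 touches
# five ports but spread over a minute.  Lines are in timestamp order.
SAMPLE_LOG = """\
2024-03-01T10:00:00 IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=21
2024-03-01T10:00:01 IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=22
2024-03-01T10:00:01 IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP DPT=443
2024-03-01T10:00:02 IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=23
2024-03-01T10:00:03 IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP DPT=443
2024-03-01T10:00:03 IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=25
2024-03-01T10:00:04 IN=eth0 SRC=198.51.100.30 DST=203.0.113.5 PROTO=TCP DPT=21
2024-03-01T10:00:05 IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=80
2024-03-01T10:00:06 IN=eth0 SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP DPT=80
2024-03-01T10:00:07 IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=443
2024-03-01T10:00:20 IN=eth0 SRC=198.51.100.30 DST=203.0.113.5 PROTO=TCP DPT=22
2024-03-01T10:00:35 IN=eth0 SRC=198.51.100.30 DST=203.0.113.5 PROTO=TCP DPT=23
2024-03-01T10:00:50 IN=eth0 SRC=198.51.100.30 DST=203.0.113.5 PROTO=TCP DPT=25
2024-03-01T10:01:05 IN=eth0 SRC=198.51.100.30 DST=203.0.113.5 PROTO=TCP DPT=80
this line is not a connection record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str):
    """Return (timestamp, source, destination port) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])


def detect_port_scans(lines, threshold: int = 5, window_s: int = 10) -> dict:
    """Flag any source that connects to at least `threshold` distinct
    destination ports within `window_s` seconds.  Returns one alert per
    source: the time the threshold was crossed and the ports seen so far.
    Assumes lines arrive in chronological order."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, port)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        q = recent[src]
        # Evict events that have fallen out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        q.append((ts, dpt))
        ports = {port for _, port in q}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = {"at": ts.isoformat(), "ports": sorted(ports)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src} at {info['at']}: ports {info['ports']}")
```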
The sole purpose of a deception system—known in the industry as decoys, fly traps and
honeypots—is to lure an unsuspecting intruder into a network through well-known security holes
and trap the intruder.
Whether you need a simple intrusion alert system and network anomaly reports, or need to defend your network against DDoS attacks, smurfing, ping floods and the like, it is imperative that you prepare a line of defense today or risk having your business exploited by some script kiddie tomorrow. With the rapid increase in the number of LAN connections to the world's largest computer network (the Internet), new security techniques should be used to protect local networks against intrusion from the Internet. Basically, we need to prevent destruction of data by intruders, maintain the privacy of local information, and prevent unauthorized use of computing resources. To improve network security, network connections to the Internet, in general, do not take place transparently. Instead, firewall servers are used to protect the systems connected to the local network against assaults from the Internet. But there is a price to pay, usually, because the firewall server results in a bottleneck for assaults from the Internet into the LAN as well as for allowed communication between the LAN and the Internet.
Security protection methods are basically concerned with ensuring the network's efficiency and effectiveness. With successful security implementations, risks can be reduced but not eliminated. There are several protection methods to ensure confidentiality, integrity and continuity. The dominating security protection method in the mainframe computing environment is Access Control. It consists primarily of functions related to:
1. Access Mediation via connection control establishment,
2. Identification by means of Logon-Ids,
3. Authentication by means of Passwords,
4. Different levels of authorization controlled by Access Privileges,
5. Monitoring and enforcement,
6. Disaster recovery programs to respond to incidents,
7. Logging to record traffic and usage of services.
Protection With Firewalls
The best line of defense is an up-to-date and constantly maintained firewall. A firewall/proxy
server is a mechanism that is used to protect a trusted network, such as an organization's internal
network, from an untrusted network, typically the Internet, or any other untrusted network
[second]. Firewall/Proxy servers provide the most reliable method to control outbound access
and to protect networks against unauthorized intrusions. It checks addresses and characteristics
of messages to make sure that they follow authorization rules. All messages that are verified to
be legitimate are allowed to flow through the firewall, while others are blocked. The majority of
firewalls are used between internal networks and the Internet, but they can be
used in any internet, such as a company's wide area network [second]. The design decision sets
the general attitude of the firewall whether to provide a higher degree of service or a higher
degree of security. To protect the firewall server itself, no users should be allowed to login on the
firewall server [sixth].
(ii) What are the two general methods of implementing network security by firewalls?
Answer Firewall Concepts
A firewall is a trusted system that is placed between a trusted internal network and another untrusted external network. The firewall system implements a policy that defines what information should be allowed to pass through. In general, firewalls have the following features and limitations [fourth]:
Features:
1. It can control the access to the protected network.
2. It can provide one central point of security.
3. It provides more privacy by hiding addresses.
4. It provides logging for security and other purposes.
5. It can notify the network administrator of security related events, so that he can take the
appropriate actions.
6. It can be integrated with authentication keys.
7. It enforces the security policy.
Limitations:
1. Restricted access to desirable services.
2. Back door access problem.
3. Inside attacks.
4. Email viruses.
5. Potential bottleneck.
6. Single point of failure.
Question 5: i) Write a Linux shell script to shift all characters in a file forward by five characters, i.e. ‘a’ becomes ‘f’. (5 Marks)
ii) How does information flow from the top layer to the bottom layer in the OSI model?
=====================================================================