1. Directory Service
2. NOVELL DIRECTORY SERVICE
3. WINDOWS DOMAIN
4. X.500 DIRECTORY ACCESS PROTOCOL
5. LDAP (LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL)
6. ACTIVE DIRECTORY ARCHITECTURE
7. REMOTE NETWORK ACCESS
8. PSTN (PUBLIC SWITCHED TELEPHONE NETWORK)
9. ISDN (INTEGRATED SERVICE DIGITAL NETWORK)
10. DSL (DIGITAL SUBSCRIBER LINE)
11. CATV (COMMUNITY ANTENNA TELEVISION)
12. VPN (VIRTUAL PRIVATE NETWORK)
In computing, a directory service or name service
maps the names of network resources to their
respective network addresses.
It is a shared information infrastructure for locating,
managing, administering and organizing everyday
items and network resources, which can include
volumes, folders, files, printers, users, groups,
devices, telephone numbers and other objects.
A directory service is a critical component of a
network operating system.
A directory server is a server which provides such a service.
Each resource on the network is considered an object by
the directory server.
Information about a particular resource is stored as a
collection of attributes associated with that resource or object.
A directory service defines a namespace for the network.
The namespace is used to assign a "name" (unique
identifier) to each of the objects.
Directories typically have a set of rules determining how
network resources are named and identified, which usually
includes a requirement that the identifiers be unique and unambiguous.
When using a directory service, a user does not have
to remember the physical address of a network
resource; providing a name locates the resource.
Some directory services include access control
provisions, limiting the availability of directory
information to authorized users.
Characteristics of Directory
1. Hierarchical naming model: objects are organised in a tree structure.
2. Extended search capability: the tree structure allows a search to be
scoped to one subtree or to the whole directory.
3. Distributed information model: the directory can be split across
several servers and still be accessed as one directory.
4. Shared network access: the directory, and the resources it describes,
are shared over the network.
5. Replicated data: copies are kept on several servers to avoid a single
point of failure and to keep lookups local.
6. Data store optimised for reads: lookups are far more frequent than
updates, so reads are optimised at the expense of writes.
Novell Directory Service
eDirectory is an X.500-compatible directory service
software product from NetIQ.
Previously owned by Novell, the product has also been
known as Novell Directory Services (NDS) and
sometimes referred to as NetWare Directory Services.
NDS was initially released by Novell in 1993 for
NetWare 4, replacing the NetWare bindery mechanism
used in previous versions, for centrally managing
access to resources on multiple servers and computers
within a given network.
eDirectory is a hierarchical, object-oriented database
used to represent certain assets in an organization in a
logical tree, including organizations, organizational
units, people, positions, servers, volumes,
workstations, applications, printers, services, and
groups to name just a few.
NDS can be installed to run under Windows NT, Sun Microsystems'
Solaris and UNIX, as well as under Novell's own NetWare.
So it can be used to control a multi-platform network.
WINDOWS DOMAIN
A Windows domain is a form of a computer network
in which all user accounts, computers, printers and
other security principals, are registered with a central
database located on one or more clusters of central
computers known as domain controllers.
Authentication takes place on domain controllers.
Each person who uses computers within a domain
receives a unique user account that can then be
assigned access to resources within the domain.
Starting with Windows 2000, Active Directory is the
Windows component in charge of maintaining that central database.
The concept of Windows domain is in contrast with
that of a workgroup in which each computer maintains
its own database of security principals.
Computers can connect to a domain via LAN, WAN or
using a VPN connection.
Users of a domain are able to use enhanced security
for their VPN connection due to the support for a
certification authority which is gained when a domain
is added to a network, and as a result smart cards and
digital certificates can be used to confirm identities
and protect stored information.
In a Windows domain, the directory resides on computers
that are configured as "domain controllers."
A domain controller is a Windows or Samba server that
manages all security-related aspects between user and
domain interactions, centralizing security and administration.
A domain controller is generally suited for businesses
and/or organizations when more than 10 PCs are in use.
A domain does not refer to a single location or specific type
of network configuration.
The computers in a domain can share physical proximity on
a small LAN or they can be located in different parts of the world.
Windows Workgroups, by contrast, are the other model for
grouping computers running Windows in a networking
environment, and they ship with Windows.
Workgroup computers are considered to be 'standalone' - i.e.
there is no formal membership or authentication process formed
by the workgroup.
A workgroup does not have servers and clients, and hence
represents the peer-to-peer (or client-to-client) networking
paradigm, rather than the centralized architecture constituted by a domain.
Workgroups are considered difficult to manage beyond a dozen
clients, and lack single sign on, scalability, resilience/disaster
recovery functionality, and many security features.
Windows Workgroups are more suitable for small or home-office networks.
X.500 DIRECTORY ACCESS PROTOCOL
X.500 is a series of computer networking standards
covering electronic directory services.
The X.500 series was developed by ITU-T, formerly
known as CCITT, and first approved in 1988.
The directory services were developed in order to
support the requirements of X.400 electronic mail
exchange and name lookup.
ISO was a partner in developing the standards,
incorporating them into the Open Systems
Interconnection suite of protocols. ISO/IEC 9594 is
the corresponding ISO identification.
The protocols defined by X.500 include
DAP (Directory Access Protocol)
DSP (Directory System Protocol)
DISP (Directory Information Shadowing Protocol)
DOP (Directory Operational Bindings Management Protocol)
Because these protocols used the OSI networking stack, a
number of alternatives to DAP were developed to allow
Internet clients to access the X.500
Directory using the TCP/IP networking stack.
The most well-known alternative to DAP is Lightweight
Directory Access Protocol (LDAP).
While DAP and the other X.500 protocols can now use the
TCP/IP networking stack, LDAP remains a popular
directory access protocol.
The primary concept of X.500 is that there is a single
Directory Information Tree (DIT), a hierarchical
organization of entries which are distributed across one or
more servers, called Directory System Agents (DSA).
An entry consists of a set of attributes, each attribute with
one or more values.
Each entry has a unique Distinguished Name, formed by
combining its Relative Distinguished Name (RDN), one or
more attributes of the entry itself, and the RDNs of each of
the superior entries up to the root of the DIT.
As LDAP implements a very similar data model to that of
X.500, the data model is described further in the LDAP section below.
X.520 and X.521 together provide a definition of a set of
attributes and object classes to be used for
representing people and organizations as entries in the DIT.
They are one of the most widely deployed white-pages schemas.
X.509, the portion of the standard providing for an
authentication framework, is now also widely used
outside of the X.500 directory protocols. It specifies a
standard format for public-key certificates.
X.509v3 is the certificate format used by TLS for e-commerce and other secure web traffic.
LDAP (LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL)
The Lightweight Directory Access Protocol is an open,
vendor-neutral, industry standard application protocol for
accessing and maintaining distributed directory information
services over an Internet Protocol (IP) network.
Directory services play an important role in developing intranet
and Internet applications by allowing the sharing of information
about users, systems, networks, services, and applications
throughout the network.
As examples, directory services may provide any organized set of
records, often with a hierarchical structure, such as a corporate
e-mail directory.
Similarly, a telephone directory is a list of subscribers with an
address and a phone number.
LDAP is specified in a series of Internet Engineering
Task Force (IETF) Standard Track publications called
Request for Comments (RFCs), using the description
language ASN.1.
The latest specification is Version 3, published as RFC 4511.
A common use of LDAP is to provide a central place to
store usernames and passwords. This allows many
different applications and services to connect to the
LDAP server to validate users.
LDAP is based on a simpler subset of the standards
contained within the X.500 standard. Because of this
relationship, LDAP is sometimes called X.500-lite.
History
Telecommunication companies' understanding of directory
requirements was well developed after some 70 years of
producing and managing telephone directories.
These companies introduced the concept of directory
services to information technology and computer
networking, their input culminating in the comprehensive
X.500 specification, a suite of protocols produced by the
International Telecommunication Union (ITU) in the 1980s.
X.500 directory services were traditionally accessed via the
X.500 Directory Access Protocol (DAP), which required the
Open Systems Interconnection (OSI) protocol stack.
LDAP was originally intended to be a lightweight
alternative protocol for accessing X.500 directory services over TCP/IP.
In the early engineering stages of LDAP, it was known
as Lightweight Directory Browsing Protocol, or LDBP.
It was renamed with the expansion of the scope of the
protocol beyond directory browsing and searching, to
include directory update functions.
It was given its Lightweight name because it was not as
network intensive as its DAP predecessor and thus was
more easily implemented over the Internet due to its
relatively modest bandwidth usage.
Core LDAP operations include:
Search the DIT (retrieving information)
Authenticate the client (the Bind operation)
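The login pattern described above, where an application searches the directory for a user whose name and password match, is exactly where LDAP injection occurs: any value pasted into a search filter without escaping changes the meaning of the filter. The following is an added example, not code from the lecture notes or from any LDAP library. It builds the login filter the unsafe way and the RFC 4515-escaped way, then evaluates both against a small constructed in-memory directory using a minimal filter evaluator written here for the demonstration (the entries, the evaluator and every helper name are assumptions; a real client would hand the filter to a server through a library such as ldap3, and should verify a password by binding as the user rather than by comparing the userPassword attribute).

```python
"""Added example: LDAP search-filter injection and RFC 4515 escaping.
The directory, the evaluator and all helper names are constructed for this
demonstration; they are not part of the lecture notes or of any LDAP library."""
import re

# Constructed sample directory: one dict of attribute -> value per entry.
DIRECTORY = [
    {"uid": "alice", "userPassword": "s3cret", "cn": "Alice Example"},
    {"uid": "bob", "userPassword": "hunter2", "cn": "Bob Example"},
    {"uid": "admin", "userPassword": "Tr0ub4dor&3", "cn": "Directory Admin"},
]


def escape_filter_value(value):
    """RFC 4515 section 3: NUL, '(', ')', '*' and '\\' inside an assertion
    value must be written as a backslash followed by two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "\x00()*\\" else ch
                   for ch in value)


def unsafe_login_filter(user, password):
    # Vulnerable: caller-controlled strings are concatenated into the filter,
    # so a password of "*" becomes a wildcard that matches any stored value.
    return "(&(uid=%s)(userPassword=%s))" % (user, password)


def safe_login_filter(user, password):
    # Hardened: every user-supplied assertion value is escaped first.
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_value(user), escape_filter_value(password))


def _parse(s, i):
    """Parse one filter starting at s[i] == '('. Returns (node, next index).
    Supports the subset &, |, ! and attr=value (with '*' substring wildcards)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
    elif s[i] == "!":
        node, i = _parse(s, i + 1)
        op, children = "!", [node]
    else:
        j = s.index(")", i)            # an escaped ')' is '\29', so this is safe
        attr, _, raw = s[i:j].partition("=")
        return ("=", attr, raw), j + 1
    if s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return (op, children), i + 1


def _value_regex(raw):
    """Unescaped '*' is a wildcard; '\\XX' escapes stand for literal characters."""
    parts = []
    for piece in raw.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), piece)
        parts.append(re.escape(literal))
    return re.compile("^" + ".*".join(parts) + "$", re.DOTALL)


def _matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, raw = node
    value = entry.get(attr)
    return value is not None and _value_regex(raw).match(value) is not None


def search(filter_str):
    """Return the uid of every DIRECTORY entry matched by the filter.
    Like a strict server, reject a filter followed by trailing data, which
    is what the classic 'user)(uid=*))(|(uid=*' payload produces."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["uid"] for e in DIRECTORY if _matches(node, e)]


if __name__ == "__main__":
    print(search(unsafe_login_filter("admin", "*")))          # ['admin']: wildcard login
    print(search(safe_login_filter("admin", "*")))            # []: '*' is now a literal
    print(search(safe_login_filter("admin", "Tr0ub4dor&3")))  # ['admin']
```

The escaping is the whole fix: with `*` written as `\2a` the attacker's "password" can only ever match an entry whose stored value is literally an asterisk. Escaping is also required for DN components placed into a filter (the X.500/LDAP DN syntax has its own escape rules, RFC 4514), and the trailing-data check mirrors why real servers reject the textbook `)(|(uid=*` payload while still being fooled by a bare wildcard.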
ACTIVE DIRECTORY ARCHITECTURE
Active Directory (AD) is a directory service that Microsoft
developed for Windows domain networks.
It is included in most Windows Server operating systems as
a set of processes and services.
Initially, Active Directory was only in charge of centralized
domain management. Starting with Windows Server 2008,
however, Active Directory became an umbrella title for a
broad range of directory-based identity-related services.
A server running Active Directory Domain Services (AD
DS) is called a domain controller. It authenticates and
authorizes all users and computers in a Windows domain
type network—assigning and enforcing security policies for
all computers and installing or updating software.
Object types in AD
A container object is simply an object that stores other objects.
Container objects function as the branches of the tree.
AD uses container objects such as domains, organizational units
(OUs) and the built-in containers (for example Users and Computers)
to store other objects; groups, by contrast, are leaf objects that
merely list their members in an attribute.
A container can store other containers or leaf objects, such as
users and computers.
The guiding rule of directory tree design is that rights and
permissions flow downward through the tree.
Assigning a right to a container object means that by default all of
the objects in the container inherit that right, unless inheritance
has been blocked on a particular child object.
A leaf object stands alone and cannot store other objects.
Object naming in AD
Every object in the Active Directory database is uniquely identified.
The naming conventions are based on the LDAP standard.
The distinguished name (DN) of an object consists of
the name of the domain in which the object is located,
plus the path down the domain tree through the
container objects to the object itself.
The part of an object's name that is stored in the object
itself is called its relative distinguished name (RDN).
Administrative tools and many Active Directory applications refer
to objects using their canonical names.
A canonical name is a DN in which the domain name
comes first, followed by the names of the object's
parent containers working down from the root of the
domain and separated by forward slashes, followed by
the object's RDN.
The same DN can also be expressed in LDAP notation, in which the
RDN comes first and the components are comma-separated, ending
with the domain as DC= components.
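To make the DN, RDN and canonical-name forms concrete, here is an added example that is not part of the lecture notes: it parses the LDAP form of a DN (the same RDN-chain structure the X.500 section describes) into its RDNs and produces the canonical form, honouring the RFC 4514 backslash escapes that protect commas and other special characters inside an RDN value. The sample DNs are constructed and the function names are assumptions made for the demonstration.

```python
"""Added example: converting LDAP distinguished names to AD canonical names.
Function names and sample DNs are constructed for this demonstration."""
HEX = "0123456789abcdefABCDEF"


def split_dn(dn):
    """Split an LDAP DN into its RDN strings, leaf first, treating a
    backslash-escaped comma (RFC 4514) as part of the value, not a separator."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape sequence intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def unescape_rdn_value(value):
    """Resolve '\\,' style escapes and '\\2C' hex-pair escapes to characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn):
    """Return [(ATTRIBUTE, value), ...] leaf first,
    e.g. [('CN', 'Alice'), ('OU', 'Sales'), ('DC', 'example'), ('DC', 'com')]."""
    pairs = []
    for rdn_str in split_dn(dn):
        attr, _, raw = rdn_str.partition("=")
        pairs.append((attr.strip().upper(), unescape_rdn_value(raw.strip())))
    return pairs


def canonical_name(dn):
    """AD canonical form: DNS domain name first, then the container path from
    the root of the domain, '/'-separated, ending in the object's own RDN."""
    pairs = parse_dn(dn)
    domain = ".".join(v for a, v in pairs if a == "DC")
    path = [v for a, v in pairs if a != "DC"]
    path.reverse()                       # DN is leaf-first, canonical is root-first
    return "/".join([domain] + path)


def rdn(dn):
    """The part of the name that is stored on the object itself."""
    return parse_dn(dn)[0][1]


if __name__ == "__main__":
    dn = "CN=Alice,OU=Sales,OU=Users,DC=example,DC=com"
    print(canonical_name(dn))    # example.com/Users/Sales/Alice
    print(rdn(dn))               # Alice
    print(canonical_name("CN=Doe\\, John,OU=Sales,DC=example,DC=com"))
    # example.com/Sales/Doe, John
```

The escape handling is the part worth noticing: a naive `dn.split(",")` would turn "Doe, John" into two RDNs, and code that builds DNs from user input without escaping lets a crafted name inject extra RDN components in the same way an unescaped filter value does.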
Globally unique identifier (GUID)
Every object in the tree has a globally unique identifier (GUID).
It is a 128-bit number that is automatically assigned by
the directory system when the object is created.
The DN changes if you move the object to a different
container, but the GUID is permanent and serves as the
ultimate identifier for the object, so anything that needs a stable
reference (audit logs, external access-control lists) should record
the objectGUID rather than the DN.
User Principal Name (UPN)
Distinguished names are used by applications and services when
they communicate with Active Directory, but they are not easy for
users to understand, type or remember.
Therefore each user object has a User Principal Name (UPN) that
consists of a username and a suffix, separated by an @ symbol.
The username part of the UPN is the user object's RDN and the suffix is
the domain name in which the user object is located.
If the network consists of multiple domains, you can optionally use
a single domain name as the suffix for all of your users' UPNs.
This way the UPN can remain unchanged even if you move the
object to a different domain.
For example: email@example.com
Active Directory structure elements
Object: Active Directory is composed of objects, which represent the various
resources on a network, such as users, servers, printers and applications.
An object is a collection of attributes that define the resource, give it a name,
define its capabilities, and specify who should be permitted to use it.
Domain: A domain is the basic unit for grouping related objects in Active
Directory. Every domain must have at least one domain controller, which is a
server that is responsible for the domain.
Organizational unit: Many domains have too many objects to manage
together as a single group. In Active Directory you can create one or more
organizational units (OUs) to subdivide a domain and delegate administration
of each part separately.
Tree: A tree is a set of domains that share a contiguous namespace, i.e. each
child domain carries its parent's name as a suffix.
Forest: A forest is a collection of trees. In other words, a forest is a collection of
one or more domain trees that do not share a common parent domain; the trees
do share a common schema, configuration and global catalog, and the forest,
not the domain, is the security boundary.
REMOTE NETWORK ACCESS
Remote access usually means allowing a person to access
the office network/computer from a remote location.
It could be an employee who needs to access workplace files
while working from home. Or an executive wants to
connect to his/her own computer while traveling so that
productivity can be maintained.
If only files or network services are needed, then remote
network access would be the right solution.
After remote network access is established, a user can
access the remote network and its resources, such as shared
files, a VoIP line, or database and e-mail servers
such as Oracle Database and Microsoft Exchange.
Need for Remote Network Access
Typical situations in which remote network access is needed:
Using a computer to work from any non-University location,
connecting to campus networks or systems such as
departmental file systems, shared drives or shared servers
Conducting University business over a non-University
network (wired or wireless)
Using a computer for University business that is shared
with non-University individuals, including children,
family or friends
Using a non-University computer for University business
PSTN (Public Switched Telephone Network)
The public switched telephone network (PSTN) is
the aggregate of the world's circuit-switched telephone
networks that are operated by national, regional, or
local telephony operators, providing infrastructure
and services for public telecommunication.
The PSTN consists of telephone lines, fiber optic
cables, microwave transmission links, cellular
networks, communications satellites, and undersea
telephone cables, all interconnected by switching
centers, thus allowing most telephones to
communicate with each other.
Originally a network of fixed-line analog telephone
systems, the PSTN is now almost entirely digital in its
core network and includes mobile and other networks,
as well as fixed telephones.
The technical operation of the PSTN adheres to the
standards created by the ITU-T. These standards allow
different networks in different countries to interconnect.
The E.163 and E.164 standards provide a single global
address space for telephone numbers. The
combination of the interconnected networks and the
single numbering plan allow telephones around the
world to dial each other.
Regular telephone service gives a dial tone and the ability to dial
any phone number for analog (voice) or digital (data)
communications over ordinary telephone lines.
This service sets up a path (circuit) between the calling
and the called party, and maintains it for the duration of the
call; this circuit-switched service is what is meant by the
public switched telephone network.
All the regional offices are connected using a mesh topology.
Accessing a switching station at the end office is
accomplished through dialing.
Dialing is accomplished through a touch-tone keypad.
In this method the user sends two short bursts of analog
signals, called dual-tone multi-frequency (DTMF) signaling.
The frequencies of the signals sent depend on the row and
column of the pressed key: one tone from the row set
(697, 770, 852, 941 Hz) and one from the column set
(1209, 1336, 1477, 1633 Hz).
When a user presses 8, for example, two bursts of analog
signals with frequencies 852 Hz (third row) and 1336 Hz
(second column) are sent to the end office.
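As an added example that is not part of the notes, the following code synthesises the two tones for a keypad character and recovers the character from the samples by measuring the signal energy at each of the eight DTMF frequencies, which is how a switch or a line-monitoring tool decodes dialled digits. The sample rate, block length and function names are assumptions made for the demonstration.

```python
"""Added example: DTMF (touch-tone) encoding and decoding.
Sample rate, block length and names are chosen for this demonstration."""
import math

ROW_FREQS = (697, 770, 852, 941)        # Hz, one per keypad row
COL_FREQS = (1209, 1336, 1477, 1633)    # Hz, one per keypad column
KEYPAD = ("123A", "456B", "789C", "*0#D")
SAMPLE_RATE = 8000                      # telephone-quality audio, assumed
BLOCK = 205                             # samples per digit (~25 ms), assumed


def tone_pair(key):
    """Return (row frequency, column frequency) for a keypad character."""
    for r, row in enumerate(KEYPAD):
        c = row.find(key)
        if c >= 0:
            return ROW_FREQS[r], COL_FREQS[c]
    raise ValueError("not a DTMF key: %r" % key)


def synthesize(key):
    """One block of samples: the sum of the key's two sine tones."""
    low, high = tone_pair(key)
    return [0.5 * math.sin(2 * math.pi * low * n / SAMPLE_RATE)
            + 0.5 * math.sin(2 * math.pi * high * n / SAMPLE_RATE)
            for n in range(BLOCK)]


def _energy(samples, freq):
    """Squared magnitude of the DFT of `samples` at one frequency."""
    re = im = 0.0
    for n, x in enumerate(samples):
        angle = 2 * math.pi * freq * n / SAMPLE_RATE
        re += x * math.cos(angle)
        im -= x * math.sin(angle)
    return re * re + im * im


def decode_block(samples):
    """Pick the strongest row tone and the strongest column tone; the pair
    selects exactly one key, as in a real DTMF receiver."""
    low = max(ROW_FREQS, key=lambda f: _energy(samples, f))
    high = max(COL_FREQS, key=lambda f: _energy(samples, f))
    return KEYPAD[ROW_FREQS.index(low)][COL_FREQS.index(high)]


def dial(number):
    """Concatenate one block per key, as a phone would send them."""
    samples = []
    for key in number:
        samples.extend(synthesize(key))
    return samples


def decode(samples):
    """Decode a sample stream block by block."""
    return "".join(decode_block(samples[i:i + BLOCK])
                   for i in range(0, len(samples) - BLOCK + 1, BLOCK))


if __name__ == "__main__":
    print(tone_pair("8"))           # (852, 1336), as in the notes
    print(decode(dial("8")))        # 8
    print(decode(dial("*6021#")))   # *6021#
```

Because the digits are sent in-band as audio, anything that can hear the line can recover them; that is why dialled card numbers or PINs spoken to an IVR are only as private as the circuit carrying them.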
Integrated Services Digital Network (ISDN) is a set of communication
standards for simultaneous digital transmission of voice, video, data,
and other network services over the traditional circuits of the
public switched telephone network.
It was first defined in 1988 in the CCITT red book. Prior to ISDN,
the telephone system was viewed as a way to transport voice,
with some special services available for data.
The key feature of ISDN is that it integrates speech and data on
the same lines, adding features that were not available in the
classic telephone system.
The ISDN standards define several kinds of access interfaces,
such as Basic Rate Interface (BRI), Primary Rate Interface (PRI),
Narrowband ISDN (N-ISDN), and Broadband ISDN (B-ISDN).
ISDN is a circuit-switched telephone network system,
which also provides access to packet switched
networks, designed to allow digital transmission of
voice and data over ordinary telephone copper wires,
resulting in potentially better voice quality than an
analog phone can provide.
ISDN is employed as the network, data-link and
physical layers in the context of the OSI model, or
could be considered a suite of digital services existing
on layers 1, 2, and 3 of the OSI model.
In a videoconference, ISDN provides simultaneous
voice, video, and text transmission between individual
desktop videoconferencing systems and group (room) systems.
ISDN channel Types
Bearer channel (B channel) :
A bearer channel is defined at a rate of 64 Kbps. It is the basic user
channel and can carry any type of digital information in full-duplex
mode as long as the required transmission rate does not exceed 64 Kbps.
Data Channel (D channel) :
A data channel can be either 16 or 64 Kbps, depending on the needs of
the user. The name says data but the primary function of a D channel is
to carry control signaling for the B channel.
Hybrid channel (H channel) :
Hybrid channels are available with data rates of 384 Kbps (H0), 1536
Kbps (H11), or 1920 Kbps (H12). These rates suit H channels for high
data-rate applications such as video, teleconferencing and so on.
There are generally two types of access interfaces to
ISDN, defined as Basic Rate Interface (BRI) and
Primary Rate Interface (PRI).
Both include a number of B-channels (Bearer) and a D-channel (Delta).
Each B-channel carries data, voice, and other services.
The D-channel carries control and signaling (request
and response) information.
Basic Rate Interface (BRI)
The entry-level interface to ISDN is the Basic Rate
Interface (BRI), a 128 kbit/s user-data service delivered over a
pair of standard telephone copper wires.
The 144 kbit/s payload rate is broken down into two 64
kbit/s bearer channels ('B' channels) and one 16 kbit/s
signaling channel ('D' channel or data channel), i.e.
2 × 64 + 16 = 144 kbit/s. This is sometimes referred to as 2B+D.
The interface specifies the following network interfaces:
The U interface is a two-wire interface between the
exchange and a network terminating unit, which is usually
the demarcation point in non-North American networks.
The T interface is a serial interface between a computing
device and a terminal adapter, which is the digital
equivalent of a modem.
The S interface is a four-wire bus that ISDN consumer
devices plug into; the S & T reference points are commonly
implemented as a single interface labeled 'S/T' on a
Network termination 1 (NT1).
The R interface defines the point between a non-ISDN
device and a terminal adapter (TA) which provides
translation to and from such a device.
BRI-ISDN is very popular in Europe but is much less
common in North America. It is also common in Japan —
where it is known as INS64.
Primary Rate Interface (PRI)
The Primary Rate Interface (PRI) is the interface for larger users.
PRI is carried on one of two line types: E1 (the E-carrier line used in
European countries) or T1 (the T-carrier line used in the
U.S., Canada, and Japan).
The Primary Rate Interface consists of 23 B-channels
and one 64 Kbps D-channel on a T1 line, or 30 B-channels
and one D-channel on an E1 line.
Thus a Primary Rate Interface user gets up to 1.544 Mbps
on a T1 line or up to 2.048 Mbps on an E1 line.
T1: 23B+1D = 23 × 64 + 64 = 1536 kbps of channels, plus 8 kbps of
framing = 1.544 Mbps.
E1: 30B+1D = 30 × 64 + 64 = 1984 kbps of channels, plus one 64 kbps
framing/synchronisation timeslot = 2.048 Mbps.
A single PRI can therefore carry 23 (T1) or 30 (E1) simultaneous calls.
DSL (Digital subscriber line)
Digital subscriber line (DSL; originally digital subscriber loop) is a
family of technologies that are used to transmit digital data over
telephone lines.
In telecommunications marketing, the term DSL is widely understood
to mean asymmetric digital subscriber line (ADSL), the most
commonly installed DSL technology, for Internet access.
DSL service can be delivered simultaneously with wired telephone
service on the same telephone line. This is possible because DSL uses
higher frequency bands for data. On the customer premises, a DSL
filter on each non-DSL outlet blocks any high-frequency interference to
enable simultaneous use of the voice and DSL services.
In ADSL, the data throughput in the upstream direction (the direction
to the service provider) is lower, hence the designation of asymmetric
service. In symmetric digital subscriber line (SDSL) services, the
downstream and upstream data rates are equal. Researchers at Bell
Labs have reached speeds of 10 Gbit/s, while delivering 1 Gbit/s
symmetrical broadband access services using traditional copper
telephone lines.
The first technology in the set is asymmetric DSL (ADSL).
ADSL, like a 56K modem, provides higher speed (bit rate)
in the downstream direction (from the Internet to the
resident) than in the upstream direction (from the resident
to the Internet).
That is the reason it is called asymmetric. Unlike the
asymmetry in 56K modems, the designers of ADSL
specifically divided the available bandwidth of the local
loop unevenly for the residential customer.
The service is not suitable for business customers who need
a large bandwidth in both directions.
CATV (Community Antenna Television)
Cable television is a system of delivering television
programming to paying subscribers via radio frequency (RF)
signals transmitted through coaxial cables or, in the 2010s, light
pulses through fiber-optic cables.
This contrasts with broadcast television, in which the television
signal is transmitted over the air by radio waves and received by a
television antenna attached to the television.
FM radio programming, high-speed Internet, telephone services,
and similar non-television services may also be provided through
these cables.
Analog television was standard in the 20th century, but since the
2000s cable systems have been upgraded to digital cable operation.
VPN (VIRTUAL PRIVATE NETWORK)
A virtual private network (VPN) extends a private
network across a public network, such as the Internet.
It enables users to send and receive data across shared
or public networks as if their computing devices were
directly connected to the private network.
Applications running across the VPN may therefore
benefit from the functionality, security, and
management of the private network.
Virtual Private Networks may allow employees to securely
access a corporate intranet while located outside the office.
They are used to securely connect geographically separated
offices of an organization, creating one cohesive network.
Individual Internet users may secure their wireless
transactions with a VPN, to circumvent geo-restrictions
and censorship, or to connect to proxy servers for the
purpose of protecting personal identity and location.
However, some Internet sites block access to known VPN
technology to prevent the circumvention of their geo-restrictions.
A VPN is created by establishing a virtual point-to-point
connection through the use of dedicated connections,
virtual tunneling protocols, or traffic encryption.
A VPN available from the public Internet can provide
some of the benefits of a wide area network (WAN).
From a user perspective, the resources available within
the private network can be accessed remotely.
VPNs cannot make online connections completely
anonymous, but they can usually increase privacy and
security. To prevent disclosure of private information,
VPNs typically allow only authenticated remote access
using tunneling protocols and encryption techniques.
The VPN security model provides:
Confidentiality, such that even if the network traffic is
sniffed at the packet level (see network sniffer and
deep packet inspection), an attacker would only see
encrypted data
Sender authentication to prevent unauthorized users
from accessing the VPN
Message integrity to detect any instances of tampering
with transmitted messages
In computer networks, a tunneling protocol allows a network
user to access or provide a network service that the underlying
network does not support or provide directly.
One important use of a tunneling protocol is to allow a foreign
protocol to run over a network that does not support that
particular protocol; for example, running IPv6 over IPv4.
Another important use is to provide services that are impractical
or unsafe to be offered using only the underlying network
services; for example, providing a corporate network address to a
remote user whose physical network address is not part of the
corporate network.
Because tunneling involves repackaging the traffic data into a
different form, perhaps with encryption as standard, a third use
is to hide the nature of the traffic that is run through the tunnels.
The tunneling protocol works by using the data
portion of a packet (the payload) to carry the packets
that actually provide the service.
Tunneling uses a layered protocol model such as those
of the OSI or TCP/IP protocol suite, but usually
violates the layering when using the payload to carry a
service not normally provided by the network.
Typically, the delivery protocol operates at an equal or
higher level in the layered model than the payload protocol.
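The example below is added here and is not from the notes. It wraps a constructed IPv6 TCP segment in an IPv4 packet whose protocol field is 41 (the 6in4 encapsulation of RFC 4213, the "IPv6 over IPv4" case mentioned above) and then shows the third use listed above from the defender's side: a filter that parses only the delivery protocol's header sees "IPv4, protocol 41" and cannot enforce a policy on the payload protocol's ports unless it unwraps the tunnel. Addresses, ports and function names are assumptions made for the demonstration.

```python
"""Added example: 6in4 tunnelling (IPv6 carried as the payload of IPv4
protocol 41) and what an outer-header-only filter misses.
Addresses, ports and names are constructed for this demonstration."""
import socket
import struct

IPPROTO_IPV6_IN_IPV4 = 41   # RFC 4213 protocol number for 6in4
IPPROTO_TCP = 6


def ipv4_checksum(header):
    """Standard one's-complement header checksum; returns 0 when run over a
    header whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) in front of `payload`."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ipv6_packet(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header in front of `payload`."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       socket.inet_pton(socket.AF_INET6, src),
                       socket.inet_pton(socket.AF_INET6, dst)) + payload


def tcp_segment(sport, dport):
    """20-byte TCP header carrying a SYN and no data (checksum left as 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def encapsulate_6in4(outer_src, outer_dst, inner_ipv6):
    """The delivery protocol (IPv4) carries the payload protocol (IPv6)."""
    return ipv4_packet(outer_src, outer_dst, IPPROTO_IPV6_IN_IPV4, inner_ipv6)


def inspect(packet):
    """Parse the outer IPv4 header and, for protocol 41, the tunnelled
    IPv6/TCP headers inside it. Returns a dict of what each layer shows."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if fields[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (fields[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    info = {"outer_proto": fields[6],
            "outer_src": socket.inet_ntoa(fields[8]),
            "outer_dst": socket.inet_ntoa(fields[9])}
    if fields[6] == IPPROTO_TCP:
        info["outer_dst_port"] = struct.unpack("!HH", packet[ihl:ihl + 4])[1]
    elif fields[6] == IPPROTO_IPV6_IN_IPV4:
        inner = packet[ihl:fields[2]]
        if inner[0] >> 4 != 6:
            raise ValueError("protocol 41 payload is not IPv6")
        plen, nh = struct.unpack("!HB", inner[4:7])
        info["inner_src"] = socket.inet_ntop(socket.AF_INET6, inner[8:24])
        info["inner_dst"] = socket.inet_ntop(socket.AF_INET6, inner[24:40])
        info["inner_next_header"] = nh
        if nh == IPPROTO_TCP:
            info["inner_dst_port"] = struct.unpack("!HH", inner[40:44])[1]
    return info


def permit(packet, blocked_tcp_ports, look_inside_tunnels):
    """Toy policy: block TCP to the listed ports. Without tunnel inspection the
    filter only ever sees 'IPv4, protocol 41' and lets tunnelled RDP through."""
    info = inspect(packet)
    if info.get("outer_dst_port") in blocked_tcp_ports:
        return False
    if look_inside_tunnels and info.get("inner_dst_port") in blocked_tcp_ports:
        return False
    return True


if __name__ == "__main__":
    inner = ipv6_packet("2001:db8::10", "2001:db8::20", IPPROTO_TCP,
                        tcp_segment(40000, 3389))
    pkt = encapsulate_6in4("192.0.2.1", "198.51.100.1", inner)
    print(inspect(pkt))
    print(permit(pkt, {3389}, look_inside_tunnels=False))   # True: policy bypassed
    print(permit(pkt, {3389}, look_inside_tunnels=True))    # False
```

The same blind spot applies to any tunnel: GRE, IP-in-IP, L2TP or an encrypted VPN all present a single outer protocol to a filter that does not terminate them, which is why a perimeter policy should either decapsulate known tunnel types or simply drop protocol 41, GRE and similar traffic that has no business reason to cross it.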
Types of VPN
Remote Access VPN: also called a virtual private dial-up
network (VPDN), this is used where individual remote users need
access to the company network. A remote-access VPN carries data
between a company's private network and remote users across a
third-party network, typically an Internet or enterprise service
provider.
Site-to-Site VPN, intranet based: this type of VPN is used when
multiple remote locations of one organization are joined into a
single network. Machines at these remote locations work as if
they were on a single network.
Site-to-Site VPN, extranet based: this type of VPN is used when
several different companies need to work in a shared environment,
e.g. distributors and service companies. Each partner is given
access only to the shared environment rather than to the other
companies' internal networks, which keeps the arrangement
manageable and reliable.
PPTP (Point-to-Point Tunneling Protocol) is the most widely
supported VPN method among Windows users; it was created by
Microsoft in association with other technology companies.
The disadvantage of PPTP is that it does not provide
encryption itself; it relies on the PPP (Point-to-Point
Protocol) layer (MPPE encryption with MS-CHAPv2 authentication)
to implement its security measures.
Compared to other methods PPTP is faster, and it is also
available for Linux and Mac users, but its MS-CHAPv2/MPPE
protection is considered broken, so it should not be relied on
for confidentiality today.
L2TP (Layer 2 Tunneling Protocol) is another
tunneling protocol that supports VPNs. Like PPTP,
L2TP does not provide encryption on its own and relies on PPP
(or an outer protocol) to do this.
The difference between PPTP and L2TP is that L2TP is normally
run over IPsec (L2TP/IPsec), which provides not only data
confidentiality but also data integrity and per-packet
authentication.
L2TP was developed by Microsoft and Cisco as a
combination of PPTP and L2F (Layer 2 Forwarding).
The IPsec protocol suite can be used for encryption in
combination with the L2TP tunneling protocol. It is a
"protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting
each IP packet of a data stream". IPsec requires
expensive, time-consuming client installations, and this
can be considered an important disadvantage.
SSL (Secure Sockets Layer) VPNs are accessible via HTTPS
in a web browser. The advantage of an SSL VPN is
that it does not need any software installed, because it
uses the web browser as the client application. Through
SSL VPNs the user's access can be restricted to specific
applications instead of allowing access to the whole network.