Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

network administration directory access and remote access


Published on

Network management Administration unit 1 directory services and remote access and VPN n DSL

Published in: Education

network administration directory access and remote access

  2. 2. Exploring Directory Services and Remote Access
  4. 4. Directory Service  In computing, directory service or name service maps the names of network resources to their respective network addresses.  It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.  A directory service is a critical component of a network operating system
  5. 5.  A directory server is a server which provides such a service.  Each resource on the network is considered an object by the directory server.  Information about a particular resource is stored as a collection of attributes associated with that resource or object.  A directory service defines a namespace for the network.  The namespace is used to assign a "name" (unique identifier) to each of the objects.  Directories typically have a set of rules determining how network resources are named and identified, which usually includes a requirement that the identifiers be unique and unambiguous.
  6. 6.  When using a directory service, a user does not have to remember the physical address of a network resource; providing a name locates the resource.  Some directory services include access control provisions, limiting the availability of directory information to authorized users.
  7. 7. Characteristics of Directory Services 1. Hierarchical naming model:Follows a tree structure for naming. 2. Extended search capability:can search because of tree like structure. 3. Distributed information model:can be accessed distributedly. 4. Shared network access:The resources are shared over the network. 5. Replicated data:The data is redundant to avoid failure. 6. Data store optimized for reads: reads are more optimised than the reads.
  8. 8. Novell Directory Service  eDirectory is an X.500-compatible directory service software product from NetIQ.  Previously owned by Novell, the product has also been known as Novell Directory Services (NDS) and sometimes referred to as NetWare Directory Services.  NDS was initially released by Novell in 1993 for Netware 4, replacing the Netware bindery mechanism used in previous versions, for centrally managing access to resources on multiple servers and computers within a given network. 
  9. 9.  eDirectory is a hierarchical, object oriented database used to represent certain assets in an organization in a logical tree, including organizations, organizational units, people, positions, servers, volumes, workstations, applications, printers, services, and groups to name just a few.  NDS can be installed to run under Windows NT, Sun- Microsystems’s Solaris and UNIX and as well as under Novelle’s own Netware.  So, it can be used to control a multi-platform network.
  10. 10. Windows Domain  A Windows domain is a form of a computer network in which all user accounts, computers, printers and other security principals, are registered with a central database located on one or more clusters of central computers known as domain controllers.  Authentication takes place on domain controllers.  Each person who uses computers within a domain receives a unique user account that can then be assigned access to resources within the domain.
  11. 11.  Starting with Windows 2000, Active Directory is the Windows component in charge of maintaining that central database.  The concept of Windows domain is in contrast with that of a workgroup in which each computer maintains its own database of security principals.  Computers can connect to a domain via LAN, WAN or using a VPN connection.
  12. 12.  Users of a domain are able to use enhanced security for their VPN connection due to the support for a certification authority which is gained when a domain is added to a network, and as a result smart cards and digital certificates can be used to confirm identities and protect stored information.
  13. 13. Domain Controller  In a Windows domain, the directory resides on computers that are configured as "domain controllers."  A domain controller is a Windows or Samba server that manages all security-related aspects between user and domain interactions, centralizing security and administration.  A domain controller is generally suited for businesses and/or organizations when more than 10 PCs are in use.  A domain does not refer to a single location or specific type of network configuration.  The computers in a domain can share physical proximity on a small LAN or they can be located in different parts of the world.
  14. 14. Workgroup  Windows Workgroups, by contrast, is the other model for grouping computers running Windows in a networking environment which ships with Windows.  Workgroup computers are considered to be 'standalone' - i.e. there is no formal membership or authentication process formed by the workgroup.  A workgroup does not have servers and clients, and hence represents the peer-to-peer (or client-to-client) networking paradigm, rather than the centralized architecture constituted by Server-Client.  Workgroups are considered difficult to manage beyond a dozen clients, and lack single sign on, scalability, resilience/disaster recovery functionality, and many security features.  Windows Workgroups are more suitable for small or home- office networks.
  15. 15. X.500 DIRECTORY ACCESS PROTOCOL  X.500 is a series of computer networking standards covering electronic directory services.  The X.500 series was developed by ITU-T, formerly known as CCITT, and first approved in 1988.  The directory services were developed in order to support the requirements of X.400 electronic mail exchange and name lookup.  ISO was a partner in developing the standards, incorporating them into the Open Systems Interconnection suite of protocols. ISO/IEC 9594 is the corresponding ISO identification.
  16. 16. X.500 protocols  The protocols defined by X.500 include  DAP (Directory Access Protocol)  DSP (Directory System Protocol)  DISP (Directory Information Shadowing Protocol)  DOP (Directory Operational Bindings Management Protocol)  Because these protocols used the OSI networking stack, a number of alternatives to DAP were developed to allow Internet clients to access the X.500  Directory using the TCP/IP networking stack.  The most well-known alternative to DAP is Lightweight Directory Access Protocol (LDAP).  While DAP and the other X.500 protocols can now use the TCP/IP networking stack, LDAP remains a popular directory access protocol.
  17. 17.  The primary concept of X.500 is that there is a single Directory Information Tree (DIT), a hierarchical organization of entries which are distributed across one or more servers, called Directory System Agents (DSA).  An entry consists of a set of attributes, each attribute with one or more values.  Each entry has a unique Distinguished Name, formed by combining its Relative Distinguished Name (RDN), one or more attributes of the entry itself, and the RDNs of each of the superior entries up to the root of the DIT.  As LDAP implements a very similar data model to that of X.500, there is further description of the data model in the article on LDAP.
  18. 18.  X.520 and X.521 together provide a definition of a set of attributes and object classes to be used for representing people and organizations as entries in the DIT.  They are one of the most widely deployed white pages schema.  X.509, the portion of the standard providing for an authentication framework, is now also widely used outside of the X.500 directory protocols. It specifies a standard format for public-key certificates.  X.509v3 is used for digital certificates for e-commerce
  19. 19. LDAP (LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL)  The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.  Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.  As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory.  Similarly, a telephone directory is a list of subscribers with an address and a phone number.
  20. 20.  LDAP is specified in a series of Internet Engineering Task Force (IETF) Standard Track publications called Request for Comments (RFCs), using the description language ASN.  The latest specification is Version 3, published as RFC 4511.  A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.  LDAP is based on a simpler subset of the standards contained within the X.500 standard. Because of this relationship, LDAP is sometimes called X.500-lite.
  21. 21. History Telecommunication companies' understanding of directory requirements were well developed after some 70 years of producing and managing telephone directories.  These companies introduced the concept of directory services to information technology and computer networking, their input culminating in the comprehensive X.500 specification, a suite of protocols produced by the International Telecommunication Union (ITU) in the 1980s.  X.500 directory services were traditionally accessed via the X.500 Directory Access Protocol (DAP), which required the Open Systems Interconnection (OSI) protocol stack.  LDAP was originally intended to be a lightweight alternative protocol for accessing
  22. 22.  In the early engineering stages of LDAP, it was known as Lightweight Directory Browsing Protocol, or LDBP. It was renamed with the expansion of the scope of the protocol beyond directory browsing and searching, to include directory update functions.  It was given its Lightweight name because it was not as network intensive as its DAP predecessor and thus was more easily implemented over the Internet due to its relatively modest bandwidth usage.
  23. 23. Protocol Operations  Add/Delete/Modify entries.  Search the DIT (retrieving info)  Authenticate the client (the bind-operation)
  24. 24. ACTIVE DIRECTORY ARCHITECTURE  Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks.  It is included in most Windows Server operating systems as a set of processes and services.  Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.  A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software.
  25. 25. Object types in AD  Container object  Leaf object
  26. 26. Container Object  A container object is simply an object that stores other objects.  Container objects are function as the branches of the tree.  AD uses container objects such as organizational unit (OUs) and groups to store other objects.  Container can store other container or leaf objects, such as users and computers.  The guiding rule of directory tree design is that rights and permission flow downward through the tree.  Assigning a right to a container object means that by default all of the objects in the container inherit that right.
  27. 27. Leaf Object  A leaf object stands alone and cannot store other objects.
  28. 28. Object naming in AD  Every object in active directory database is uniquely identified.  The naming conventions are based on the LDAP standard.  The distinguished name (DN) of an object consist of the name of the domain in which the object is located, plus the path down the domain tree through the container objects to the object itself.  The part of object’s name that is stored in the object itself is called its relative distinguished name (RDN).
  29. 29. Canonical Names  Most active directory applications refer to objects using their canonical names.  A canonical name is DN in which the domain name comes first, followed by the names of the object’s parent containers working down from the root of the domain and separated by forward slashes, followed by the object’s RDN.  For example:
  30. 30. LDAP notation  The same DN can also be expressed in LDAP notation. Cn=jdoe,ou=inside,ou=sales,dc=zacker,dc=com cn=common name ou=organizational unit dc=domain component
  31. 31. Globally unique identifier (GUID)  Every object in tree has a globally unique identifier (GUID).  It is a 128 bit number that is automatically assigned by the directory system when the object is created.  DN changes if you move the object to a different container but the GUID is permanent and serves as the ultimate identifier for the object
  32. 32. User Principle Name (UPN)  Distinguished names are used by application and services when they communicate with active directory but they are not easy for users to understand type or remember.  Therefore each user object has a User Principle Name (UPN) that consists of a username and a suffix, separated by an @ symbol.  The user name part of UPN is the user object’s RDN and suffix is the domain name in which the user object is located.  If network consists of multiple domains, you can optional to use a single domain name as the suffix for all of your user’s UPN  This way UPN can remain unchanged even if you move your object to different domain  For ex:
  33. 33. Active directory structure element  Object:Active directory is composed of objects, which represent the various resources on a network, such as users, servers, printers and applications.  An object is a collection of attributes that define the resources, give it a name, define its capabilities, and specify who should be permitted to use it  Domain:A domain is the basic unit of grouping related objects in active directory. Every domain must have at- least one domain-controller, which is server that is responsible for the domain.  Organizational unit:Many domains have too many objects to manage altogether in a single group. In active directory you can create one or more organization units.  Trees:A tree is a set of active directory names that share a common name space.  Forest:A forest is a collection of trees. In other words, a forest is a collection of one or more domain trees that do not share a common parent domain
  34. 34. REMOTE NETWORK ACCESS  Remote access usually means allowing a person to access the office network/computer from a remote location.  It could be an employee who needs to access workplace files while working from home. Or an executive wants to connect to his/her own computer while traveling so that productivity can be maintained.  If only files or network services are needed, then remote network access would be the right solution.  After remote network access is established, a user can access the remote network and its resources such as shared files, VOIP line, connect to database and/or email servers such as Oracle Database and Microsoft Exchange.
  35. 35. Need of Remote Network Access  Use a computer to work from any non-University location connect to campus networks or systems from off-campus, including  your workstation  departmental file systems, shared drives or shared servers  Conduct University business over a non-University network (wired or wireless)  Use a computer for University business that is shared by non-University individuals, including children, family or friends  Use a non-University computer for University business
  36. 36. PSTN (Public Switching Telephone Network)  The public switched telephone network (PSTN) is the aggregate of the world's circuit-switched telephone networks that are operated by national, regional, or local telephony operators, providing infrastructure and services for public telecommunication.  The PSTN consists of telephone lines, fiber optic cables, microwave transmission links, cellular networks, communications satellites, and undersea telephone cables, all interconnected by switching centers, thus allowing most telephones to communicate with each other.  Originally a network of fixed-line analog telephone systems, the PSTN is now almost entirely digital in its core network and includes mobile and other networks, as well as fixed telephones.
  37. 37.  The technical operation of the PSTN adheres to the standards created by the ITU-T. These standards allow different networks in different countries to interconnect seamlessly.  The E.163 and E.164 standards provide a single global address space for telephone numbers. The combination of the interconnected networks and the single numbering plan allow telephones around the world to dial each other.
  38. 38.  Regular telephone service that gives a dial tone, and the ability to dial up any phone number for analog (voice) or digital (data) communications over ordinary telephone lines.  This service sets up a path (circuit) between the calling and the called party, and maintains it for the duration of the call also called public switched telephone network.  All the regional offices are connected using mesh topology.  Accessing a switching station at the end office is accomplished through dialing.  Dialing is accomplished through a touch tone technique.
  39. 39.  In this method the user send two small burst of analog signals, called dual tone.  The frequency of signals sent depends on the row and column of the pressed pad.  When a user dials, for example the number is 8, two burst of analog signals with frequency 852 Hz and 1336 Hz are sent to the end office.
  40. 40. ISDN  Integrated Services Digital Network standards for simultaneous (ISDN) is a set of communication digital transmission of voice, video, data, and other network services over the traditional circuits of the public switched telephone network.  It was first defined in 1988 in the CCITT red book. Prior to ISDN, the telephone system was viewed as a way to transport voice, with some special services available for data.  The key feature of ISDN is that it integrates speech and data on the same lines, adding features that were not available in the classic telephone system.  The ISDN standards define several kinds of access interfaces, such as Basic Rate Interface (BRI), Primary Rate Interface (PRI), Narrowband ISDN (N-ISDN), and Broadband ISDN (B-ISDN).
  41. 41.  ISDN is a circuit-switched telephone network system, which also provides access to packet switched networks, designed to allow digital transmission of voice and data over ordinary telephone copper wires, resulting in potentially better voice quality than an analog phone can provide.
  42. 42.  ISDN is employed as the network, data-link and physical layers in the context of the OSI model, or could be considered a suite of digital services existing on layers 1, 2, and 3 of the OSI model.  In a videoconference, ISDN provides simultaneous voice, video, and text transmission between individual desktop videoconferencing systems and group (room) videoconferencing systems.
  43. 43. ISDN channel Types  Bearer channel (B channel) :  A bearer channel is defined at a rate of 64 Kbps. It is the basic user channel and can carry any type of digital information in full-duplex mode as long as the required transmission rate does not exceed 64 Kbps.  Data Channel (D channel) :  A data channel can be either 16 or 64 Kbps, depending on the needs of the user. The name says data but the primary function of a D channel is to carry control signaling for the B channel.  Hybrid channel (H channel) :  Hybrid channels are available with data rates of 384 Kbps (H0), 1536 Kbps (H11), or 1920 Kbps (H12). These rates suit H channels for high data-rate applications such as video, teleconferencing and so on.
  44. 44. User Interfaces  There are generally two types of access interfaces to ISDN defined as Basic Rate Interface (BRI) and Primary Rate Interface (PRI)  Both include a number of B-channels (Bearer) and a D-channel (Data).  Each B-channel carries data, voice, and other services. The D-channel carries control and signaling (request and response) information
  45. 45. Basic Rate Interface (BRI)  The entry level interface to ISDN is the Basic Rate Interface (BRI), a 128 kbit/s service delivered over a pair of standard telephone copper wires.  The 144 kbit/s payload rate is broken down into two 64 kbit/s bearer channels ('B' channels) and one 16 kbit/s signaling channel ('D' channel or data channel). This is sometimes referred to as 2B+D.
  46. 46.  The interface specifies the following network interfaces:  The U interface is a two-wire interface between the exchange and a network terminating unit, which is usually the demarcation point in non-North American networks.  The T interface is a serial interface between a computing device and a terminal adapter, which is the digital equivalent of a modem.  The S interface is a four-wire bus that ISDN consumer devices plug into; the S & T reference points are commonly implemented as a single interface labeled 'S/T' on a Network termination 1 (NT1).  The R interface defines the point between a non-ISDN device and a terminal adapter (TA) which provides translation to and from such a device.  BRI-ISDN is very popular in Europe but is much less common in North America. It is also common in Japan — where it is known as INS64.
  47. 47.  2B +1D =2(64) + 1(16) =144 Kbps
  48. 48. Primary Rate Interface  Primary Rate Interface (PRI), for larger users.  PRI has two interface line E1 (E-carrier line in European countries) T1 (T-carrier system line in the U.S., Canada, and Japan)  The Primary Rate Interface consists of 23 B-channels and one 64 Kbps D-channel using a T1 line or 30 B- channels and 1 D-channel using an E1 line.  Thus, a Primary Rate Interface user on a T-1 line can have up to 1.544 Mbps service or up to 2.048 Mbps service on an E1 line.
  49. 49.  T1 23B+1D =23(64) +64=1.54 Mbps and E1 30B+1D=30(64) + 64=2.048 Mbps  PRI connection can connect 30 phone lines in single T1 connection. 
  50. 50. DSL (Digital subscriber line)  Digital subscriber line (DSL; originally digital subscriber loop) is a family of technologies that are used to transmit digital data over telephone lines.  In telecommunications marketing, the term DSL is widely understood to mean asymmetric digital subscriber line (ADSL), the most commonly installed DSL technology, for Internet access  DSL service can be delivered simultaneously with wired telephone service on the same telephone line. This is possible because DSL uses higher frequency bands for data. On the customer premises, a DSL filter on each non-DSL outlet blocks any high-frequency interference to enable simultaneous use of the voice and DSL services.  In ADSL, the data throughput in the upstream direction (the direction to the service provider) is lower, hence the designation of asymmetric service. In symmetric digital subscriber line (SDSL) services, the downstream and upstream data rates are equal. Researchers at Bell Labs have reached speeds of 10 Gbit/s, while delivering 1 Gbit/s symmetrical broadband access services using traditional copper telephone lines.
  51. 51. ADSL  The first technology in the set is asymmetric DSL (ADSL).  ADSL, like a 56K modem, provides higher speed (bit rate) in the downstream direction (from the Internet to the resident) than in the upstream direction (from the resident to the Internet).  That is the reason it is called asymmetric. Unlike the asymmetry in 56K modems, the designers of ADSL specifically divided the available bandwidth of the local loop unevenly for the residential customer.  The service is not suitable for business customers who need a large bandwidth in both directions.
  52. 52. CATV (Community antenna television)  Cable television is a system of delivering television programming to paying subscribers via radio frequency (RF) signals transmitted through coaxial cables or, in the 2010s, light pulses through fiber-optic cables.  This contrasts with broadcast television, in which the television signal is transmitted over the air by radio waves and received by a television antenna attached to the television.  FM radio programming, high-speed Internet, telephone services, and similar non-television services may also be provided through these cables.  Analog television was standard in the 20th century, but since the 2000s, cable systems have been upgraded to digital cable operation.
  53. 53. VPN  A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.  Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network
  54. 54.  Virtual Private Networks may allow employees to securely access a corporate intranet while located outside the office.  They are used to securely connect geographically separated offices of an organization, creating one cohesive network. Individual Internet users may secure their wireless transactions with a VPN, to circumvent geo-restrictions and censorship, or to connect to proxy servers for the purpose of protecting personal identity and location.  However, some Internet sites block access to known VPN technology to prevent the circumvention of their geo- restrictions
  55. 55.  A VPN is created by establishing a virtual point-to- point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption.  A VPN available from the public Internet can provide some of the benefits of a wide area network (WAN). From a user perspective, the resources available within the private network can be accessed remotely.
  56. 56.  VPNs cannot make online connections completely anonymous, but they can usually increase privacy and security. To prevent disclosure of private information, VPNs typically allow only authenticated remote access using tunneling protocols and encryption techniques.  The VPN security model provides:  Confidentiality such that even if the network traffic is sniffed at the packet level (see network sniffer and Deep packet inspection), an attacker would only see encrypted data  Sender authentication to prevent unauthorized users from accessing the VPN  Message integrity to detect any instances of tampering with transmitted messages
  57. 57. Tunneling  In computer networks, a tunneling protocol allows a network user to access or provide a network service that the underlying network does not support or provide directly.  One important use of a tunneling protocol is to allow a foreign protocol to run over a network that does not support that particular protocol; for example, running IPv6 over IPv4.  Another important use is to provide services that are impractical or unsafe to be offered using only the underlying network services; for example, providing a corporate network address to a remote user whose physical network address is not part of the corporate network.  Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.
  58. 58.  The tunneling protocol works by using the data portion of a packet (the payload) to carry the packets that actually provide the service.  Tunneling uses a layered protocol model such as those of the OSI or TCP/IP protocol suite, but usually violates the layering when using the payload to carry a service not normally provided by the network.  Typically, the delivery protocol operates at an equal or higher level in the layered model than the payload protocol.
  59. 59. Types of VPN  Remote Access VPN:- Also called as Virtual Private dial-up network (VPDN) is mainly used in scenarios where remote access to a network becomes essential. Remote access VPN allows data to be accessed between a company’s private network and remote users through a third party service provider; Enterprise service provider  Site to Site VPN – Intranet based: This type of VPN can be used when multiple Remote locations are present and can be made to join to a single network. Machines present on these remote locations work as if they are working on a single network.  Site to Site VPN – Extranet based: This type of VPN can be used when several different companies need to work in a shared environment. E.g. Distributors and service companies. This network is more manageable and reliable
  60. 60. VPN Protocols 1. PPTP 2. L2tp 3. Ipsec 4. SSL
  61. 61. PPTP  PPTP (Point-to-Point Tunneling Protocol) it’s the most widely supported VPN method among Windows users and it was created by Microsoft in association with other technology companies.  The disadvantage of PPTP is that it does not provide encryption and it relies on the PPP (Point-to-Point Protocol) protocol to implement security measures  But compared to other methods, PPTP is faster and it is also available for Linux and Mac users.
  62. 62. L2TP  L2TP (Layer 2 Tunneling Protocol) it’s another tunneling protocol that supports VPNs. Like PPTP, L2TP does not provide encryption and it relies on PPP protocol to do this.  The difference between PPTP and L2TP is that the second one provides not only data confidentiality but also data integrity.  L2TP was developed by Microsoft and Cisco as a combination between PPTP and L2F(Layer 2 Forwarding).
  63. 63. IPsec  IPsec protocol can be used for encryption in correlation with L2TP tunneling protocol. It is used as a “protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream”. IPSec requires expensive, time consuming client installations and this can be considered an important disadvantage.
  64. 64. SSL  SSL (Secure Socket Layer) is a VPN accessible via https over web browser. The advantage of this SSL VPN is that it doesn’t need any software installed because it uses the web browser as the client application. Through SSL VPNs the user’s access can be restrict to specific applications instead of allowing access to the whole network.