A
TECHNICAL REPORT
ON
STUDENTS’ INDUSTRIAL WORK EXPERIENCE
SCHEME (SIWES)
UNDERTAKEN AT
NIGERIAN NATIONAL PETROLEUM CORPORATION
(NNPC)
Central Business District, Herbert Macauley Way,
P.M.B 190, Garki, Abuja.
BY
OKE PAUL OMEIZA OLUTIMEHIN
EEE/05/5378
SUBMITTED TO
THE DEPARTMENT OF ELECTRICAL AND
ELECTRONICS ENGINEERING
IN PARTIAL FULFILLMENT OF THE REQUIREMENT FOR THE
AWARD OF BACHELOR OF ENGINEERING (B.ENG) DEGREE
IN ELECTRICAL AND ELECTRONICS ENGINEERING.
THE FEDERAL UNIVERSITY OF TECHNOLOGY, AKURE
ONDO STATE.
JANUARY 2009
DEDICATION
To the Almighty God for His never-ending mercies and numerous blessings
during the course of my training and in particular, His profound wisdom, great
understanding and knowledge, which have been without a doubt endless.
ACKNOWLEDGEMENT
I use this opportunity to recognize several people who have greatly influenced my
ability to complete my training programme, which has been a great source of
encouragement.
First, I recognize the invaluable contributions of all the staff at the Information
System Department (ISD), NNPC CHQ, Abuja, for their utmost concern in
making me perform at my topmost best.
I am thankful to Mr. Gabdo Mohammed who ensured that we learnt the fundamentals
of networking, provided the opportunity to work directly with CISCO boxes and cross-
examined us periodically.
I am indeed indebted to Mr. Ademola Adebusuyi Olufemi for discovering salient
potentials in me and exposing me to in-depth networking; also Mr. Victor
Anaedobe made sure I delivered my best.
To Semira Mustapha: I really enjoyed working with you; you taught me
organization. I say thank you.
I would also like to express my gratitude to my colleagues who became very good friends
throughout the period of this scheme and contributed in one way or the other:
Opeyemi Olarewaju, Denial Ikem, Gift Onu, Esan and Fisayo, for engaging in
knowledge-sharing forums and enjoyable discussions.
Finally, I deeply express my heartfelt thanks to my family for their innumerable
support throughout the scheme.
ABSTRACT
This report covers the six (6) month Students Industrial Work Experience Scheme (SIWES)
programme undertaken at the Nigerian National Petroleum Corporation (NNPC).
The Information System Department (ISD) has been saddled with providing the corporation with
an effective Information and Communication Technology (ICT) system through continuous
upgrading of systems and software. The department designs, installs and configures
data networks: Local Area Networks, Wide Area Networks, Campus LANs and
Metropolitan Area Networks, as well as VSAT, fiber optic and radio systems. It also builds
applications for payroll, SAP, etc.
During the course of my industrial attachment with the corporation I served in the LAN support
team, where I set up local area networks (LANs) for both wired and wireless networks,
used network monitoring tools efficiently, implemented network security measures, including IEEE
802.1x and Microsoft lockdown MAC address authentication for end-users, and became proficient in
troubleshooting.
NNPC, being an oil and gas company, strives for best practice, and the importance of a
reliable network in achieving this cannot be overstated.
This report describes the basic internetworking set-up and how data and voice
can be implemented effectively on the same network.
Consequently, networking, as an essential part of any ICT setting, is
discussed in chapter three; transmission fundamentals are discussed in the
fourth chapter, while telephony, which is also an important element of
telecommunication, is discussed in the fifth chapter.
Lastly, I had a challenging experience, as there were four blocks each having
eleven (11) floors, with a lot of skill gained during troubleshooting and
installation of network devices for clients.
TABLE OF CONTENTS
Contents .......... Pages
FRONT PAGE
DEDICATION .......... ii
ACKNOWLEDGEMENT .......... iii
ABSTRACT .......... iv
TABLE OF CONTENTS .......... v-ix
LIST OF TABLES .......... ix
LIST OF FIGURES .......... x-xii
CHAPTER ONE
1.0 GENERAL INTRODUCTION .......... 1
1.1 ABOUT ITF .......... 1
1.2 OBJECTIVES OF ITF .......... 1
1.3 THE PURPOSE OF ITF SERVICES .......... 1
1.4 ABOUT SIWES .......... 2
1.5 AIMS AND OBJECTIVES OF SIWES .......... 2
1.6 NIGERIAN NATIONAL PETROLEUM CORPORATION .......... 3
1.6.1 Organizational Profile .......... 4
1.6.2 Strategic Business Unit (SBU) .......... 5
1.6.3 Areas of Operation and Job Undertaken .......... 5
CHAPTER TWO
2.0 TELECOMMUNICATION BASICS .......... 7
2.1 INTRODUCTION TO TELECOMMUNICATION .......... 7
2.1.1 End Users, Nodes and Connectivity .......... 7
2.1.2 Simplex, Half-Duplex and Full Duplex .......... 9
2.2 BASIC TELECOMMUNICATIONS NETWORK .......... 10
2.2.1 Transmission .......... 10
2.2.2 Switching .......... 10
2.2.3 Signaling .......... 10
2.3 LOCAL ACCESS NETWORK .......... 11
2.3.1 Local Exchange .......... 11
2.3.2 Distribution Frames .......... 12
2.4 TELECOMMUNICATIONS NETWORKS .......... 12
2.4.1 Public Networks .......... 12
2.4.2 Private or Dedicated Networks .......... 13
CHAPTER THREE
3.0 DATA COMMUNICATION .......... 14
3.1 NETWORKING .......... 14
3.2 LAYERED APPROACH TO NETWORKING .......... 18
3.3 NETWORK TYPES .......... 20
3.4 LOCAL AREA NETWORK .......... 21
3.4.1 LAN Standards .......... 21
3.4.2 LAN Protocols .......... 23
3.4.2.1 Ethernet .......... 23
3.4.2.2 Fast Ethernet .......... 24
3.4.2.3 Gigabit Ethernet .......... 25
3.4.2.4 Token Ring .......... 25
3.4.2.5 FDDI .......... 26
3.5 METROPOLITAN AREA NETWORK .......... 27
3.6 WIDE AREA NETWORK .......... 27
3.6.1 WAN Services .......... 28
3.6.2 WAN Service Provider and Signaling Standards .......... 29
3.6.3 DTE/DCE .......... 31
3.6.4 WAN Protocols .......... 32
3.7 VIRTUAL PRIVATE NETWORK .......... 33
3.8 NETWORK TOPOLOGIES .......... 33
3.8.1 Linear Bus Topology .......... 33
3.8.2 Star Topology .......... 34
3.8.3 Ring Topology .......... 34
3.8.4 Tree Topology .......... 35
3.9 NETWORK OPERATING SYSTEM .......... 35
3.9.1 Peer-to-Peer .......... 35
3.9.2 Client/Server .......... 36
CHAPTER FOUR
4.0 TRANSMISSION CONCEPTS .......... 37
4.1 RADIO SYSTEMS .......... 37
4.1.1 Line of Sight Microwave .......... 38
4.1.2 Satellite Communication .......... 39
4.2 FIBER OPTIC COMMUNICATION .......... 40
4.2.1 How Fiber Optic Works .......... 41
4.3 COAXIAL CABLE .......... 42
4.4 WIRE PAIR .......... 43
CHAPTER FIVE
5.0 NETWORK SECURITY
5.1 Physical Security
5.1.A Providing a Secure Place
5.2 Virtual Security
5.2.A Port-Based Security (802.1x)
5.2.B MAC Address Lock-down
5.2.C Firewall
6.0 CONCLUSION AND RECOMMENDATION
6.1 CONCLUSION .......... 66
6.2 RECOMMENDATION .......... 66
REFERENCES .......... 66
CHAPTER ONE
1.0
GENERAL INTRODUCTION
1.1
ABOUT INDUSTRIAL TRAINING FUND (ITF)
The Industrial Training Fund (ITF) was established in the year 1971 under Decree 47 of 8th
October 1971. The provision of the decree empowers the ITF to promote and encourage the
acquisition of skills in industry and commerce with a view to generating a pool of indigenous
trained manpower sufficient to meet the needs of the Nigerian economy.
More so, the scheme is expected to provide a basis for the technological advancement and
engineering development in the country.
1.2
OBJECTIVES OF ITF
Some of the objectives of ITF are listed below:
- Provision of direct training, vocational and apprentice training.
- Provision of research services as well as consultancy services.
- Reimbursement of up to 60% of the levy paid by employers of labour registered with the ITF.
- Administration of the Students Industrial Work Experience Scheme (SIWES).
- Provision of human resource development information and training technology services to
industry and commerce to enhance their manpower capacity and in-house training delivery
effort.
1.3
THE PURPOSE OF ITF SERVICES
The main thrust of the ITF services is to stimulate human performance, improve productivity,
and induce value-added production in industry and commerce.
The Fund through its SIWES, Vocational and Apprentice training programmes, builds capacity
for graduates and youth self-employment.
1.4
ABOUT SIWES
SIWES was established by the ITF in 1973. The scheme was established to solve the problem of
poor practical skills preparatory for employment in industries by Nigerian graduates of tertiary
institutions.
The scheme was designed to give undergraduates the skills needed to cope in the labour market
after graduation and designed for duration of 4 months for Polytechnics and Colleges of
Education students and 6 months for University students. During this period, students are
expected to acquire all necessary practical skill, together with theoretical knowledge gained
from their respective institutions and put them into field practice to solve real life problems.
In addition, the scheme also gives students the basis of technological advancement and
development of Engineering in the economy.
1.5
AIMS AND OBJECTIVES OF SIWES
Participation in the SIWES program has become a necessary pre-condition for the award of
Diploma and Degree certificates in specific disciplines in most institutions of higher learning in
the country, in accordance with the Education policy of the government.
Some of the objectives of the scheme are listed below:
- It exposes students to industry-based skills needed for a smooth transition from the classroom
to the work environment.
- It enables students of tertiary institutions to be exposed to the needed experience in
handling equipment and machinery that are not available in schools.
- It gives firms the avenue to assess the quality of graduates of tertiary institutions both
practically and theoretically.
- The scheme helps the students in building their communication skills at work and in human
inter-relationships.
- It exposes students to work ethics in their chosen profession.
- It gives students the opportunity to implement practical ideas gained from laboratories in
institutions to solve real life problems.
1.6 NIGERIAN NATIONAL PETROLEUM CORPORATION
1.6.1 Organizational Profile
The Nigerian National Petroleum Corporation, NNPC, was established on April 1, 1977, under
the statutory instrument-Decree No.33 of same year by a merger of Nigerian National Oil
Corporation, NNOC, with its operational functions and the Federal Ministry of Mines and Power
with its regulatory responsibilities.
This decree established NNPC, a public organization that would, on behalf of Government,
adequately manage all government interests in the Nigerian Oil industry.
In addition to its exploration activities, the Corporation was given powers and operational
interests in refining, petrochemicals and products transportation as well as marketing.
In 1988, the NNPC was commercialized into 12 strategic business units, covering the entire
spectrum of oil industry operations: exploration and production, gas development, refining,
distribution, petrochemicals, engineering, and commercial investments. The subsidiary companies
include:
- National Petroleum Investment Management Services (NAPIMS)
- Nigerian Petroleum Development Company (NPDC)
- The Nigerian Gas Company (NGC)
- The Products and Pipelines Marketing Company (PPMC)
- Integrated Data Services Limited (IDSL)
- Nigerian LNG Limited (NLNG)
- National Engineering and Technical Company Limited (NETCO)
- Hydrocarbon Services Nigeria Limited (HYSON)
- Warri Refinery and Petrochemical Co. Limited (WRPC)
- Kaduna Refinery and Petrochemical Co. Limited (KRPC)
- Port Harcourt Refining Co. Limited (PHRC)
- Eleme Petrochemicals Co. Limited (EPCL)
In addition to these subsidiaries, the industry is also regulated by the Department of Petroleum
Resources (DPR), a department within the Ministry of Petroleum Resources. The DPR ensures
compliance with industry regulations; processes applications for licenses, leases and permits,
establishes and enforces environmental regulations.
Moreover, DPR, and NAPIMS, play a very crucial role in the day to day activities throughout the
industry.
FIG. 1.1 NNPC BROAD ORGANOGRAM (organization chart showing the Group Managing Director, the Group
Executive Directors for E&P, R&P, F&A and C&S, and the GGMs, GMs and MDs of the divisions and
subsidiaries; the chart itself is not reproduced in this text)
1.6.2 Areas of Operations and Jobs Undertaken
NNPC is vested with the exclusive responsibility for upstream and downstream development,
which entails exploiting, refining and marketing Nigeria’s crude oil. The NNPC, through
NAPIMS, supervises and manages government investment in the Oil and Gas Industry. NNPC's oil
and gas operations are undertaken in both upstream and downstream operations.
The upstream operations, i.e. crude oil production, are currently managed under the Exploration
and Production Directorate, which consists of the following Strategic Business Units (SBUs) that
operate directly under the NNPC:
a. National Petroleum Investment Management Services (NAPIMS)
b. Crude Oil Sales Division (COSD)
c. Integrated Data Services Limited (IDSL)
d. Nigerian Petroleum Development Company (NPDC)
e. Nigerian Gas Company (NGC)
These SBUs are collectively responsible for surveys, seismic data collation and interpretation,
crude oil exploration, production, transportation, storage and marketing.
Fig. 1.2 Corporate Headquarters' Organogram (chart from the Minister of Petroleum / Alternate
Chairman and the Group Managing Director down through the Group Executive Directors, the
Engineering & Technology Division (ETD) and Information & Technology Division (ITD), the Telecoms,
Information Service, Material Management and Technical Services Departments, to the Operations &
Maintenance and System Development & Technical Services managers, supervisors, graduate trainees,
youth corps members and SIWES students; the chart itself is not reproduced in this text)
1.6.3 About Information Service Department
The department started as a section under the directorate of the Project Execution Division (PED),
now the Engineering Technology Division (ETD). Then the division, through its telecoms section, was
involved in the provision of NITEL lines (both physical lines and dedicated trunks), license
procurement, negotiation and maintenance agreements with contractors, material procurement and
lots more. Moreover, the mode of communication then was based on High Frequency (HF) radio,
which was used to link other area offices across the country. This was a noisy and simplex form
of communication.
In 1986, the section initiated a private network now called the Comprehensive
Telecommunication Network (CTN), a hybrid communication set-up comprising a radio system,
fiber optics and very small aperture terminals (VSAT). The fiber cables were laid on the right of
way just one meter away from the pipeline. Around the first quarter of 1989, the CTN was at
maximum utility.
Thus, as a result, the section was transformed into a department headed by a General
Manager. Under this department three sections were created to run its daily activities, namely:
- Operations and Maintenance section (O&M)
- System Development and Technical Services section (SD/TS)
- Commercial Services section
The Operations and Maintenance section was chiefly involved in the maintenance of the network, with
its head office at Warri, while SD/TS was primarily involved in monitoring the operations of the
network and in devising means for its effective performance. The Commercial Services section has
the sole responsibility to procure materials (both technical and office materials), ensure that
service level agreements with contractors are maintained, constitute tender committees to
oversee the bidding proceedings, etc.
Fig. 1.3 Operations and Maintenance Chart (chart of the CHQ Abuja and the Kaduna, Abuja, Lagos,
Warri, Port Harcourt and Benin area offices with the zonal offices, subsidiaries, housing, medical and
other sites each area serves; the chart itself is not reproduced in this text)
CHAPTER TWO
2.0
TELECOMMUNICATION BASICS
2.1
INTRODUCTION TO TELECOMMUNICATION
Telecommunication is the transmission of signals over long distance, such as by telegraph, radio,
or television. It encompasses the electrical communication at a distance of voice, data, and
image information.
2.1.1
End-Users, Nodes, and Connectivity
Telecommunication networks consist of end-users, nodes and connectivity.
End-users provide the inputs to the network and are recipients of network outputs as well. End-users
employ an input/output device, which may be a computer, smart phone, cellular/PCS
telephone or combined device, facsimile, or conference TV equipment. End-users usually
connect to nodes.
A node is a point or junction in a transmission system where lines and trunks meet. A node
usually carries out a switching function. In the case of the local area network (LAN), a network
interface unit is used, through which one or more end-users may be connected.
Connectivity links an end-user to a node and from there possibly through other nodes to some
final end-user destination with which the initiating end-user wants to communicate.
A telecommunication network could be a voice-only, data-only or video-only network. Considering a
voice-only network for instance, the end-users are assumed to be telephone users (or, where VoIP is
implemented over the Internet, Internet users), and the path that is set up is a speech path.
There are three major stages to a telephone call:
- Call setup
- Information exchange
- Call takedown
Call setup is the stage where a circuit is established and activated. The setup is facilitated by
signaling which is defined as the exchange of information specifically concerned with the
establishment and control of connections, along with the transfer of user-to-user and
management information in a circuit-switched (e.g., the PSTN) network. It is initiated by the
calling subscriber (user) going off-hook. It means “the action of taking the telephone instrument
out of its cradle.” Two little knobs in the cradle pop up, pushed by a spring action causing an
electrical closure. If we turn a light on, we have an electrical closure allowing electrical current
to pass. The same thing happens with our telephone set; it now passes current. The current
source is a “battery” that resides at the local serving switch. It is connected by the subscriber
loop. This is just a pair of copper wires connecting the battery and switch out to the subscriber
premises and then to the subscriber instrument. The action of current flow alerts the serving
exchange that the subscriber requests service. When the current starts to flow, the exchange
returns a dial tone, which is audible in the headset (of the subscriber instrument). The calling
subscriber (user) now knows that he may start dialing digits or pushing buttons on the
subscriber instrument. A connection is made to the called subscriber line, and the switch sends a
special ringing signal down that loop to the called subscriber, and the telephone rings, telling him
that someone wishes to talk to him. This audible ringing is called alerting, another form of
signaling. Once the called subscriber goes off-hook (i.e., takes the telephone out of its cradle),
connectivity is activated, and the call enters the information-passing phase of the
telephone call.
When the call is completed, the telephones at each end are returned to their cradle, breaking
the circuit of each subscriber loop. Phase 3 of the telephone call begins. It terminates the call,
and the connecting circuit in the switch is taken down and is then freed-up for another user.
Both subscriber loops are now idle. If a third user tries to call either subscriber during stages 2
and 3, he is returned a busy-back by the exchange (serving switch). This is the familiar “busy
signal,” a tone with a particular cadence. The return of the busy-back is a form of signaling called
call-progress signaling.
Suppose now that a subscriber wishes to call another telephone subscriber outside the local
serving area of his switch. The call setup will be similar as before, except that at the calling
subscriber serving switch the call will be connected to an outgoing trunk. Trunks interconnect
exchanges or switches.
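As an added example, not from the report, the three call stages and the call-progress signaling described above can be modelled as a small state machine in Python. The exchange, the subscriber loop states and the subscriber names A, B and C are all made up for the illustration; the point is to see when the exchange returns dial tone, ringing and busy-back, and when a circuit is freed.

```python
from enum import Enum


class Loop(Enum):
    """State of one subscriber loop as seen by the serving exchange (toy model)."""
    IDLE = "idle"            # on-hook, no current in the loop
    DIAL_TONE = "dial tone"  # off-hook detected, dial tone returned (stage 1)
    RINGBACK = "ringback"    # calling side, waiting for the called party to answer
    RINGING = "ringing"      # called side being alerted (ringing signal on the loop)
    TALKING = "talking"      # both parties off-hook: information exchange (stage 2)
    RELEASED = "released"    # far end hung up, this party still off-hook (stage 3)


class LocalExchange:
    """Toy model of a local serving switch; subscriber names are constructed."""

    def __init__(self, subscribers):
        self.state = {n: Loop.IDLE for n in subscribers}
        self.partner = {}  # subscriber -> subscriber it is connected to

    def off_hook(self, sub):
        """Current starts to flow in the loop; the exchange reads it by context."""
        if self.state[sub] is Loop.IDLE:
            self.state[sub] = Loop.DIAL_TONE
            return "dial tone"
        if self.state[sub] is Loop.RINGING:
            # Called party answers: connectivity is activated, stage 2 begins
            caller = self.partner[sub]
            self.state[sub] = self.state[caller] = Loop.TALKING
            return "connected"
        return "no change"

    def dial(self, caller, called):
        """Dialed digits: route the call or return call-progress signaling."""
        if self.state[caller] is not Loop.DIAL_TONE:
            return "no dial tone"
        if called not in self.state or called == caller:
            return "number unobtainable"
        if self.state[called] is not Loop.IDLE:
            return "busy"  # busy-back: called loop is in stage 1, 2 or 3 of another call
        self.partner[caller], self.partner[called] = called, caller
        self.state[caller], self.state[called] = Loop.RINGBACK, Loop.RINGING
        return "ringing"

    def on_hook(self, sub):
        """Loop opened: take the connection down and free the circuit (stage 3)."""
        other = self.partner.pop(sub, None)
        self.state[sub] = Loop.IDLE
        if other is not None:
            self.partner.pop(other, None)
            # An unanswered called party simply stops ringing; a talking party is
            # left off-hook with the circuit released until it hangs up as well.
            self.state[other] = (Loop.IDLE if self.state[other] is Loop.RINGING
                                 else Loop.RELEASED)
        return "idle"


def demo():
    """A calls B; C tries B during stages 1, 2 and 3 and only succeeds once B is idle."""
    ex = LocalExchange(["A", "B", "C"])
    return [ex.off_hook("A"), ex.dial("A", "B"), ex.off_hook("C"),
            ex.dial("C", "B"), ex.off_hook("B"), ex.on_hook("A"),
            ex.dial("C", "B"), ex.on_hook("B"), ex.dial("C", "B")]
```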
2.1.2
Simplex, Half-Duplex and Full Duplex
In telecommunication systems the transmission of information may be unidirectional or
bidirectional.
Simplex is one-way operation; there is no reply channel provided. Radio and television
broadcasting are simplex. Certain types of data circuits might be based on simplex operation,
like reporting a system failure on an active device for immediate response.
Half-duplex is a two-way service. It is defined as transmission over a circuit capable of
transmitting in either direction, but only in one direction at a time, like a walkie-talkie, voice chat
on Yahoo or MSN Messenger, etc.
Full duplex (or duplex) defines simultaneous two-way independent transmission on a circuit in
both directions. Most PSTN-type circuits are assumed to use full-duplex operation unless
otherwise specified.
2.2
BASIC TELECOMMUNICATIONS NETWORK
The basic purpose of a telecommunications network is to transmit user information in any form
to another user of the network. An overall telecommunications network (i.e., the PSTN) consists
of local networks interconnected by one or more long-distance networks. The three
technologies needed for communication through the network are:
- Transmission
- Switching
- Signaling
2.2.1
Transmission
Transmission may be defined as the electrical transfer of a signal, message, or other form of
intelligence from one location to another. Transmission provides the transport of a signal from
an end-user source to the destination such that the signal quality at the destination meets
certain performance criteria.
2.2.2
Switching
Switching selects the route to the desired destination that the transmitted signal travels by the
closing of switches. Switching systems are used to build the required connection from one
subscriber to another. Switching systems are also called exchanges.
2.2.3
Signaling
Signaling is the mechanism that allows network entities (customer premises or network
switches) to establish, maintain, and terminate sessions in a network. Signaling is carried out
with the help of specific signals or messages that indicate to the other end what is requested of
it by this connection.
2.3
LOCAL-ACCESS NETWORK
The local-access network provides the connection between the customer’s telephone and the
local exchange. This connection is done using either twisted pair, fiber optic or microwave radio
depending on the transmission capacity required.
2.3.1
Local Exchange
Local or subscriber loops connect subscribers to local exchanges, which are the lowest-level
exchanges in the switching hierarchy. The main tasks of the digital local exchange are:
- Detect the off-hook condition, analyze the dialed number, and determine if a route is
available.
- Connect the subscriber to a trunk exchange for longer distance calls.
- Connect the subscriber to another in the same local area.
- Determine if the called subscriber is free and connect the ringing signal to her.
- Provide metering and collect charging data for its own subscribers.
- Convert the 2W local access to the 4W circuit of the network.
- Convert analog speech into a digital signal (PCM).
The size of local exchanges varies from hundreds of subscribers up to tens of thousands
subscribers or even more. A small local exchange is sometimes known as a remote switching
unit (RSU) and it performs the switching and concentration functions just as all local exchanges
do. A local exchange reduces the required transmission capacity (number of speech channels)
typically by a factor of 10 or more; that is, the number of subscribers of the local exchange is 10
times higher than the number of trunk channels from the exchange for external calls.
2.3.2
Distribution Frames
All subscriber lines are wired to the main distribution frame (MDF), which is located close to the
local exchange. It is a large construction with a huge number of connectors. Subscriber pairs are
connected to one side and pairs from the local exchange to the other. A cross-connection in the
MDF is usually done with twisted open pairs that are able to carry data rates of up to 2 Mbps.
Ordinary subscriber pairs are used for analog telephone subscribers, analog and digital
PBX/PABX connections, ISDN basic rate connections and ADSL.
In addition to MDF, network operators may use other distribution frames for transmission
network management and maintenance. An optical distribution frame (ODF) contains two fields
of optical fiber connectors.
A digital distribution frame (DDF) is a cross-connection system to which digital interfaces from
line systems and the exchange (or other network equipment) are connected.
2.4
TELECOMMUNICATIONS NETWORKS
Telecommunications networks can be divided into two broad categories based on the
availability of services. These are: public networks and private or dedicated networks.
2.4.1
Public Networks
These are networks owned by telecommunications network operators licensed to provide
telecommunications services. Any customer can be connected to the public telecommunications
network if he has the correct equipment and an agreement with the network operator.
Examples of public networks are: Public Switched Telephone Network (PSTN), Mobile telephone
network, Telex network, Paging networks, Public data networks, Internet, Integrated Services
Digital Network (ISDN), Radio and Television networks etc.
2.4.2
Private or Dedicated Networks
Private networks are designed to serve the needs of particular organizations. This type of
network is usually owned and maintained by the organization itself. The services provided are
a tailored mix of voice, data, etc. Examples of private or dedicated networks are: voice
communication networks like private mobile radio (used by the police, other emergency
services and taxi organizations), and data communication networks, like the one we have in
NNPC; NNPC has successfully integrated data and voice on its exchange server.
2.4.3
Integrated Networks
This type of network has the capacity to act as both a public and a private network, depending on the
demand at hand. In NNPC the PABX is programmed in such a way as to reach public networks, i.e.
dialing a landline or mobile number.
CHAPTER THREE
3.0
DATA COMMUNICATION
3.1
NETWORKING
Networking is essential to information and communication Technology. Just as human beings
communicate with one another through speaking, written messages, and signs; computers also
need a means of passing information to each other and sharing the resources that are available
to them. This simply explains the idea of networking.
WHAT IS NETWORKING?
Networking is the connection of two or more computers so that they can communicate,
exchange files and share resources like printer, fax machine, modems, scanner, and CD-ROM
players. Because computers are important building blocks in a network, it is important to be
able to recognize and name the major components of a personal computer (PC).
- Bus: A bus is a collection of wires through which data is transmitted from one part of a
computer to another. It connects all the internal components to the CPU. The
Industry Standard Architecture (ISA) and the Peripheral Component Interconnect (PCI)
are the two types of buses.
- CD-ROM drive: The CD-ROM drive is a compact disk read-only memory drive, a device
that can read information from a CD-ROM.
- Central processing unit (CPU): The CPU is the brain of the computer, where most
calculations take place (see Figure 3.1).
- Expansion card: The expansion card is a printed circuit board you can insert into a
computer to give it added capabilities. Examples of expansion cards are: wireless LAN
card, modem, TV card, etc.
- Expansion slot: The expansion slot is an opening in a computer where a circuit board
can be inserted to add new capabilities to the computer. It serves as an interface
between the system and the devices to be attached to it (see Figure 3.2).
- Floppy disk drive: This disk drive is used to read and write to floppy disks (see Figure
3.3). A floppy disk drive uses removable storage media called floppy disks.
- Hard disk drive: This device reads and writes data on a hard disk.
- Microprocessor: A microprocessor is a silicon chip that contains a CPU.
- Motherboard: The motherboard is the main circuit board of a microcomputer (see
Figure 3.4). The motherboard contains the primary components of the computer system.
- Power supply: This component supplies power to a computer. It powers every device
that makes up the system unit, i.e. devices such as the floppy drive, hard disk drive, CD-ROM drive, etc.
- Printed circuit board (PCB): The PCB is a thin plate on which chips (integrated circuits)
and other electronic components are layered.
- Random-access memory (RAM): Also known as read-write memory, RAM can have new
data written into it as well as stored data read from it. A drawback of RAM is that it
requires electrical power to maintain data storage. If the computer is turned off or
loses power, all data stored in RAM is lost, unless the data was saved to disk.
- Read-only memory (ROM): ROM is computer memory on which data has been
prerecorded.
- System unit: The system unit is the main part of a PC; it includes the chassis,
microprocessor, main memory, bus, and ports, but does not include the keyboard and
the monitor, or any external devices connected to the computer.
PC Components
Figure 3.1: Pentium 4 CPU
Figure 3.2: Expansion slots
Figure 3.3: Hard Disk Drive
Figure 3.4: Intel Duo core Motherboard
- Network interface card (NIC): A NIC is a printed circuit board that provides network
communication capabilities to and from a personal computer. It is also called a LAN
adapter; it is plugged into a motherboard and provides a port for connecting to the
network. It constitutes the computer's interface with the LAN. The NIC communicates
with the network through a serial connection, and with the computer through a parallel
connection.
Figure 3.5: Ethernet NIC
The computers on a network may be linked through cables, telephone lines, radio waves,
satellites, or infrared light beams. A computer network is simply two or more computers
connected together so they can exchange information.
Most networks use hubs to connect computers together. A hub offers very low throughput and
operates in half-duplex. A large network may connect thousands of computers and other devices together.
Figure 3.6: Network connected with a hub
3.2
LAYERED APPROACH TO NETWORKING
The early development of networks saw tremendous increases in the numbers and sizes of
networks. As network size increased, companies began to experience growing pains, and it
became more difficult for networks that used different specifications and implementations to
communicate with each other. This led companies to move away from proprietary
networking systems. Proprietary systems are privately developed, owned, and controlled. In
computing, proprietary is the opposite of open. Open means free usage of the technology is
available to the public.
The International Organization for Standardization (ISO) came up with the Open System
Interconnection (OSI) reference model as a solution to the problem of networks being
incompatible and unable to communicate with each other. This model provided vendors with a
set of standards that ensured greater compatibility and interoperability between the various
types of network technologies that were produced.
Some advantages of OSI model are
1. Divides network communications into smaller and simpler components helping in
components design, development and troubleshooting.
2. Allows various types of network and software to communicate.
3. Assists in data transfer between disparate hosts (e.g. a Unix host and a PC). This is the
greatest function of all.
The OSI model divides interconnectivity between computers into seven layers:
- Layer 7: The application layer
- Layer 6: The presentation layer
- Layer 5: The session layer
- Layer 4: The transport layer
- Layer 3: The network layer
- Layer 2: The data link layer
- Layer 1: The physical layer.
Each individual OSI layer has a set of functions that it must perform in order for data to travel
from a source to a destination on a network. Below is a brief description of each layer in the OSI
reference model.
Layer 7: The Application Layer
The application layer is the platform through which the user interfaces with the computer in a
user-friendly manner. This layer interacts with software applications that implement a communicating
component. Such application programs fall outside the scope of the OSI model. Application layer
functions typically include identifying communication partners, determining resource
availability, and synchronizing communication. When identifying communication partners, the
application layer determines the identity and availability of communication partners for an
application with data to transmit. When determining resource availability, the application layer
must decide whether sufficient network resources for the requested communication exist. Some
examples of application layer implementations include Hypertext Transfer Protocol (HTTP), File
Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP) and X.400 Mail.
Layer 6: The Presentation Layer
The Presentation Layer establishes a context between Application Layer entities, in which the
higher-layer entities can use different syntax and semantics, as long as the presentation service
understands both and the mapping between them. The presentation service data units are then
encapsulated into Session Protocol data units, and moved down the stack.
This layer provides independence from differences in data representation (e.g., encryption) by
translating from application to network format, and vice versa. The presentation layer works to
transform data into the form that the application layer can accept. This layer formats and
encrypts data to be sent across a network, providing freedom from compatibility problems. It is
sometimes called the syntax layer.
The original presentation structure used the basic encoding rules of Abstract Syntax Notation
One (ASN.1), with capabilities such as converting an EBCDIC-coded text file to an ASCII-coded
file, or serialization of objects and other data structures from and to XML.
Layer 5: The Session Layer
The Session Layer controls the dialogues (connections) between computers. It establishes,
manages and terminates the connections between the local and remote application. It provides
for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment,
termination, and restart procedures. The OSI model made this layer responsible for graceful
close of sessions, which is a property of the Transmission Control Protocol, and also for session
checkpointing and recovery, which is not usually used in the Internet Protocol Suite. The
Session Layer is commonly implemented explicitly in application environments that use remote
procedure calls.
The session layer establishes, manages and terminates sessions between two communicating
hosts. It synchronizes dialogue between the two hosts’ presentation layers and manages their
data exchange. The session layer offers provisions for efficient data transfer, class of service, and
exception reporting of session layer, presentation layer, and application layer problems.
Layer 4: The Transport Layer
The fourth and “middle” layer of the OSI Reference Model protocol stack is the transport layer. I
consider the transport layer in some ways to be part of both the lower and upper “groups” of
layers in the OSI model. It is more often associated with the lower layers, because it concerns
itself with the transport of data, but its functions are also somewhat high-level, resulting in the
layer having a fair bit in common with layers 5 through 7 as well.
It deals with issues such as the reliability of transport between two hosts: it establishes,
maintains, and properly terminates virtual circuits. Error detection, windowing, buffering, and
sequencing all happen at this level.
Layer 3: The Network Layer
The Network Layer is Layer 3 of the seven-layer OSI model of computer networking.
The Network Layer is responsible for end-to-end (source to destination) packet delivery
including routing through intermediate hosts.
The Network Layer provides the functional and procedural means of transferring variable length
data sequences from a source to a destination host via one or more networks while maintaining
the quality of service and error control functions.
Functions of the Network Layer include:
- Connection model: connection-oriented and connectionless communication.
For example, snail mail is connectionless, in that a letter can travel from a sender to a
recipient without the recipient having to do anything. On the other hand, the telephone
system is connection-oriented, because the other party is required to pick up the phone
before communication can be established. The OSI Network Layer protocol can be
either connection-oriented, or connectionless. In contrast, the TCP/IP Internet Layer
supports only the connectionless Internet Protocol (IP); but connection-oriented
protocols exist higher at other layers of that model.
- Host addressing.
Every host in the network needs to have a unique address which determines where it is.
This address will normally be assigned from a hierarchical system, either from the
Dynamic Host Configuration Protocol (DHCP) server or static, so you can be "Daddy" to
people in your house, "Gabdo Fredrick, Main Street 1, Abuja" to Samuel, or "Gabdo
Fredrick, Main Street 1, Abuja" to people in Lagos, or "Gabdo Fredrick, Main Street 1,
Nigeria" to people anywhere in the world. On the Internet, addresses are known as
Internet Protocol (IP) addresses.
- Message forwarding.
Since many networks are partitioned into sub networks and connect to other networks
for wide-area communications, networks use specialized hosts, called gateways or
routers to forward packets between networks. This is also of interest to mobile
applications, where a user may move from one location to another, and it must be
arranged that his messages follow him. Version 4 of the Internet Protocol (IPv4) was not
designed with this feature in mind, although mobility extensions exist. IPv6 has a better
designed solution.
Within the service layering semantics of the OSI network architecture the Network Layer
responds to service requests from the Transport Layer and issues service requests to the Data
Link Layer.
Layer 2: The Data Link Layer
The Data Link Layer is Layer 2 of the seven-layer OSI model of computer networking. It
corresponds to or is part of the link layer of the TCP/IP reference model.
The Data Link Layer is the protocol layer which transfers data between adjacent network nodes
in a wide area network or between nodes on the same local area network segment. The Data
Link Layer provides the functional and procedural means to transfer data between network
entities and might provide the means to detect and possibly correct errors that may occur in the
Physical Layer. Examples of data link protocols are Ethernet for local area networks (multinode),
and the Point-to-Point Protocol (PPP), HDLC and ADCCP for point-to-point (dual-node)
connections.
The Data Link Layer is concerned with local delivery of frames between devices on the same
LAN. Data Link frames, as these protocol data units are called, do not cross the boundaries of a
local network. Inter-network routing and global addressing are higher layer functions, allowing
Data Link protocols to focus on local delivery, addressing, and media arbitration. In this way, the
Data Link layer is analogous to a neighborhood traffic cop; it endeavors to arbitrate between
parties contending for access to a medium.
When devices attempt to use a medium simultaneously, frame collisions occur. Data Link
protocols specify how devices detect and recover from such collisions, but they do not prevent
them from happening.
Delivery of frames by layer 2 devices is effected through the use of unambiguous hardware
addresses. A frame's header contains source and destination addresses that indicate which
device originated the frame and which device is expected to receive and process it. In contrast
to the hierarchical and routable addresses of the network layer, layer 2 addresses are flat,
meaning that no part of the address can be used to identify the logical or physical group to
which the address belongs.
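The two addressing models contrasted here and in the Layer 3 section, flat data link addresses that a NIC matches exactly and hierarchical network addresses that a router matches by prefix, as an added Python example. This is not code from the report; every MAC address, IP address and routing-table entry in it is a constructed sample value. It also builds the Layer 3 and Layer 2 headers so the encapsulation order of the layered model is visible, and verifies the IPv4 header checksum the way a receiver would.

```python
"""Layered encapsulation and the two addressing models the text contrasts.

Added example (not from the report): a payload is wrapped in an IPv4 header
(layer 3, hierarchical address) and then in an Ethernet II frame (layer 2,
flat MAC address). A NIC decides by exact MAC comparison; a router decides by
longest-prefix match. All addresses and the routing table are constructed
sample values.
"""
import ipaddress
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6


def mac_to_bytes(mac: str) -> bytes:
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17, ttl: int = 64) -> bytes:
    """Layer 3: minimal 20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,          # version 4, IHL 5 words
        0,                     # DSCP/ECN
        20 + len(payload),     # total length
        0, 0,                  # identification, flags/fragment offset
        ttl, proto,
        0,                     # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def ipv4_header_ok(packet: bytes) -> bool:
    """Receiver-side check: a valid header sums to zero including its checksum field."""
    return ipv4_checksum(packet[:20]) == 0


def build_ethernet(src_mac: str, dst_mac: str, packet: bytes) -> bytes:
    """Layer 2: 14-byte Ethernet II header (dst, src, EtherType) + layer-3 packet.
    The trailing frame check sequence is omitted for brevity."""
    return (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV4) + packet)


def nic_accepts(frame: bytes, my_mac: str) -> bool:
    """Flat addressing: a NIC only compares the destination MAC for exact equality
    (or broadcast). No part of the address says which network the device is on."""
    dst = frame[:6]
    return dst == mac_to_bytes(my_mac) or dst == BROADCAST_MAC


def route_lookup(dst_ip: str, table) -> Optional[str]:
    """Hierarchical addressing: a router matches the destination against prefixes
    and forwards to the next hop of the most specific (longest) matching prefix."""
    addr = ipaddress.IPv4Address(dst_ip)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


# Constructed routing table: (prefix, next-hop label)
ROUTES = [
    ("0.0.0.0/0", "default-gateway"),
    ("10.0.0.0/8", "lan-core"),
    ("192.0.2.0/24", "isp-link"),
]

if __name__ == "__main__":
    packet = build_ipv4("10.0.1.5", "192.0.2.7", b"hello")
    frame = build_ethernet("02:00:00:00:00:01", "02:00:00:00:00:02", packet)
    print(len(frame), nic_accepts(frame, "02:00:00:00:00:02"), ipv4_header_ok(frame[14:]))
    print(route_lookup("192.0.2.7", ROUTES), route_lookup("10.0.1.5", ROUTES))
```

The header checksum only catches accidental corruption in transit; it is trivially recomputed by anyone who alters the packet, so integrity against tampering has to come from a cryptographic check at a higher layer (for example the IPsec VPNs mentioned later in this chapter).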
Layer 1: The Physical Layer
The Physical Layer defines the electrical and physical specifications for devices. In particular, it
defines the relationship between a device and a physical medium. This includes the layout of
pins, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters (HBAs
used in storage area networks) and more.
The Physical Layer will tell one device how to transmit to the medium, and another device how
to receive from it (in most cases it does not tell the device how to connect to the medium).
Standards such as RS-232 do use physical wires to control access to the medium.
The major functions and services performed by the Physical Layer are:
1. Establishment and termination of a connection to a communications medium.
2. Participation in the process whereby the communication resources are
effectively shared among multiple users. For example, contention resolution
and flow control.
3. Modulation or conversion between the representation of digital data in user
equipment and the corresponding signals transmitted over a communications
channel. These are signals operating over the physical cabling (such as copper
and optical fiber) or over a radio link.
3.3 TYPES OF NETWORKS
The three basic types of networks include: Local Area Networks (LANs), Metropolitan Area
Networks (MANs), and Wide Area Networks (WANs). Others are storage area networks (SANs),
content networks, virtual private networks (VPNs), Campus Area Network (CAN), Personal Area
Network (PAN) and Desk Area Network (DAN).
3.4 LOCAL AREA NETWORK
A local area network (LAN) is a computer network covering a small physical area, like a home,
office, or small group of buildings, such as a school, or an airport. The defining characteristics of
LANs, in contrast to wide-area networks (WANs), include their usually higher data-transfer rates,
smaller geographic area, and lack of a need for leased telecommunication lines.
In a typical LAN configuration, one computer is named as the file server. This computer stores all
of the software that controls the network, as well as the software that can be shared by other
computers attached to the same network. Computers connected to the file server are called
workstations. Workstations could be less powerful than the file server, and they may have
additional software on their hard drives.
3.4.1 LAN Standards
Figure 3.7: IEEE PROJECT 802
Local area networks are high speed, low error data networks that cover a relatively small
geographic area (up to a few thousand meters). LANs connect workstations, peripherals,
terminals, and other devices in a single building or the geographically limited area.
LAN standards give specifications for cabling and signaling at the physical and data link layers of
the Open System Interconnection (OSI) model.
The Institute of Electrical and Electronic Engineers (IEEE) defines the predominant and
best-known LAN standards in the world today. IEEE 802.3 specifies the
physical layer, and the channel-access portion of the data link layer.
Project 802 comprises a variety of LAN standards dealing primarily with Physical Layer and Data
Link Layer issues. The most important LAN standards include the basic Media Access Control
(MAC) standards for Ethernet and wireless LANs, the standard on Logical Link Control (LLC), and
the standards related to bridging, security, VLANs, and Quality of Service. The data link layer is
split into two sub layers:
- Media Access Control (MAC)
- Logical Link Control (LLC)
LLC
This layer provides versatility in services to network layer protocols that are above it, while
communicating effectively with the variety of technologies below it. The LLC, as a sub layer,
participates in the encapsulation process.
An LLC header tells the data link layer what to do with a packet once a frame is received.
MAC
The Media Access Control (MAC) sub layer deals with the protocols that a host follows in order
to access the physical media. The IEEE 802.3 MAC specification defines MAC addresses, which
enable multiple devices to uniquely identify one another at the data link layer. The MAC sub
layer maintains a table of the MAC addresses (physical addresses) of devices. Each device is assigned and
must have a unique MAC address if the device is to participate in the network.
3.4.2 LAN Protocols
A protocol is a set of rules that governs the communications between computers on a network.
These rules include the guidelines that regulate the following characteristics of a network:
access method, allowed physical topologies, types of cabling, speed of data transfer and
security.
The most common LAN protocols are:
3.4.2.1 Ethernet
Ethernet refers to the family of LAN implementations that include four main categories:
- Ethernet and IEEE 802.3: These LAN specifications operate at 10 megabits per second
(Mbps) over coaxial cable.
- 100-Mbps Ethernet: This single LAN specification, also known as Fast Ethernet, operates
at 100 Mbps over twisted-pair cable.
- Gigabit Ethernet: An extension of the IEEE 802.3 Ethernet standard. Gigabit Ethernet
increases speed tenfold over Fast Ethernet, to 1000 Mbps, or 1 gigabit per second
(Gbps).
- 10000-Mbps (10-Gbps) Ethernet: This version is the newest and will soon be
implemented.
Ethernet uses an access method called CSMA/CD (Carrier Sense Multiple Access/Collision
Detection). This is a system where each computer listens to the cable before sending anything
through the network. If the network is clear, the computer will transmit. If some other node is
already transmitting on the cable, the computer will wait and try again when the line is clear. If
two or more computers attempt to transmit simultaneously, a collision occurs. The computers
are alerted to this collision, and they execute a back-off algorithm that randomly reschedules
transmission of the frame. This prevents the systems from attempting to talk at the same time
repeatedly. These collisions are normally resolved in microseconds.
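The CSMA/CD behaviour just described (listen before sending, collide, back off for a random number of slots with the window doubling after each repeated collision) as an added Python simulation; this is not code from the report or from any standard's text. The slot timing, the fixed frame length, the station names and their ready times are constructed assumptions made for the model.

```python
"""Slot-level simulation of CSMA/CD with truncated binary exponential backoff.

Added example, not code from the report or any vendor. Assumptions made for
the model: time is divided into slots, carrier sense is perfect, a collision is
detected within the slot in which it occurs, and every frame occupies a fixed
number of slots. Station names and ready times are constructed.
"""
import random

ATTEMPT_LIMIT = 16   # IEEE 802.3 discards a frame after 16 collisions
BACKOFF_LIMIT = 10   # the backoff exponent is truncated at 10 (wait 0..1023 slots)


class Station:
    def __init__(self, name, ready_at):
        self.name = name
        self.ready_at = ready_at      # slot at which a frame is queued
        self.collisions = 0           # collisions suffered by the current frame
        self.next_try = ready_at      # earliest slot at which it may sense and send
        self.sent_at = None           # slot at which a clean transmission began
        self.dropped = False


def backoff_slots(collisions, rng):
    """After the n-th collision wait a random number of slots in [0, 2**min(n, 10) - 1]."""
    return rng.randrange(0, 2 ** min(collisions, BACKOFF_LIMIT))


def simulate(ready_times, frame_slots=4, seed=1, max_slots=100_000):
    """Run until every station has sent (or given up). Returns the collision
    count, a {name: slot at which its frame went out} map and an event log."""
    rng = random.Random(seed)
    stations = [Station(name, t) for name, t in ready_times.items()]
    busy_until = -1             # last slot in which the medium is occupied
    collisions, events = 0, []
    for t in range(max_slots):
        pending = [s for s in stations if s.sent_at is None and not s.dropped]
        if not pending:
            break
        if t <= busy_until:
            continue            # carrier sensed: defer
        contenders = [s for s in pending if s.next_try <= t]
        if not contenders:
            continue
        if len(contenders) == 1:
            s = contenders[0]
            s.sent_at = t
            busy_until = t + frame_slots - 1
            events.append((t, "sent", s.name))
            continue
        # two or more stations saw an idle medium in the same slot: collision
        collisions += 1
        events.append((t, "collision", tuple(s.name for s in contenders)))
        busy_until = t          # the jam signal occupies the rest of this slot
        for s in contenders:
            s.collisions += 1
            if s.collisions >= ATTEMPT_LIMIT:
                s.dropped = True            # excessive collisions: frame discarded
                events.append((t, "dropped", s.name))
            else:
                s.next_try = t + 1 + backoff_slots(s.collisions, rng)
    sent = {s.name: s.sent_at for s in stations}
    return collisions, sent, events


def transmissions_overlap(sent, frame_slots):
    """True if any two clean transmissions share a slot (they never should)."""
    starts = sorted(t for t in sent.values() if t is not None)
    return any(b - a < frame_slots for a, b in zip(starts, starts[1:]))


if __name__ == "__main__":
    count, sent, log = simulate({"A": 0, "B": 0, "C": 0})
    print("collisions:", count, "sent at:", sent)
    for event in log:
        print(event)
```

Running it with three stations that all become ready in the same slot shows the first collision, the short random waits that follow, and how stations that deferred during a transmission tend to collide again as soon as the medium frees. That is the mechanism behind the earlier remark that hub-connected, half-duplex segments offer low throughput: the more stations share one collision domain, the more slots are lost to collisions and backoff. The `dropped` path models the failure mode in which a frame that collides sixteen times is discarded rather than retried forever.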
3.4.2.2 Fast Ethernet
Ethernet protocols are usually described as a function of data rate, maximum segment length,
and medium. As faster types of Ethernet are used, more users can be added to the network
without degrading the performance of the network.
The Fast Ethernet standard (IEEE 802.3u) was developed for networks that need higher
transmission speeds. Fast Ethernet operates at a speed of 100 Mbps with only minimal changes
to the existing cable structure. Data can move from 10 Mbps to 100 Mbps without protocol
translation or changes to application and networking software.
Protocol     Maximum Segment Length (m)   Transmission Medium                           Application
100BASE-FX   400                          Two strands of multimode fiber-optic cable
100BASE-T    100                          UTP                                           100BASE-T function + more
100BASE-T4   100                          Four pairs Category 3 – 5 UTP
100BASE-TX   100                          Two pairs UTP or STP
100BASE-X    Refers to two strands/pairs, 100BASE-FX and 100BASE-TX
Table 3.1: Fast Ethernet Specifications
3.4.2.3 Gigabit Ethernet
The Gigabit Ethernet specification is an extension of the IEEE 802.3 Ethernet standard. It builds
on the Ethernet protocol but increases speed tenfold over Fast Ethernet, to 1000 Mbps, or 1
Gbps. It provides high speed LAN backbones and server connectivity.
The Gigabit Ethernet specification addresses four forms of transmission media:
- 1000BASE-LX: Long-wave laser over single-mode and multimode fiber
- 1000BASE-SX: Short-wave laser over multimode fiber
- 1000BASE-CX: Transmission over balanced, shielded, 150-ohm two pair shielded twisted
pair (STP) copper cable
- 1000BASE-T: Category 5 unshielded twisted pair (UTP) copper wiring
3.4.2.4 Token Ring
Token Ring is a LAN protocol defined in the IEEE 802.5 where all stations are connected in a ring
and each station can directly hear transmissions only from its immediate neighbor. Permission
to transmit is granted by a message (token) that circulates around the ring.
Token-passing networks move a small frame, called a token, around the network. Possession of
the token grants the right to transmit. If a node receiving the token has no information to send,
it seizes the token, alters 1 bit of the token (which turns the token into a start-of-frame
sequence), appends the information that it wants to transmit, and sends this information to the
next station on the ring. While the information frame is circling the ring, no token is on the
network, which means that other stations wanting to transmit must wait. Therefore, collisions
cannot occur in Token Ring networks; however, it is significantly slow and totally undesirable in
today’s networks.
Figure 3.8: Logical Ring Topology
3.4.2.5 FDDI
The Fiber Distributed Data Interface (FDDI) specifies a 100-Mbps token-passing, dual-ring LAN
using fiber-optic cable. FDDI is frequently used as high-speed backbone technology because of
its support for high bandwidth and greater distances than copper.
FDDI uses a dual-ring architecture to provide redundancy, with traffic on each ring flowing in
opposite directions (called counter-rotating). The dual rings consist of a primary and a
secondary ring. During normal operation, the primary ring is used for data transmission, and
the secondary ring remains idle.
Figure 3.9: FDDI
3.5 METROPOLITAN AREA NETWORK
A metropolitan area network (MAN) is a large computer network that usually spans a city
or a large campus. A MAN usually interconnects a number of local area networks (LANs)
using a high-capacity backbone technology, such as fiber-optical links, and provides up-link
services to wide area networks and the Internet.
A MAN is optimized for a larger geographical area than a LAN, ranging from several blocks
of buildings to entire cities. MANs can also depend on communications channels of
moderate-to-high data rates. A MAN might be owned and operated by a single
organization, but it usually will be used by many individuals and organizations. MANs
might also be owned and operated as public utilities.
Typically, a service provider is used to connect two or more LAN sites, using T1 private
lines or optical services. A MAN can also be created using wireless bridge technology by
beaming signals across public areas.
Fig: MAN Topology
3.6 WIDE AREA NETWORK
Wide Area Networks (WANs) connect large geographic areas, such as states within a country,
country to country and the world as a whole. Dedicated transoceanic cabling (e.g. the SAT-3
cable) or satellite uplinks (e.g. Nigeria SAT 1) may be used to connect this type of network.
WAN enables communication between countries in a matter of minutes, without paying
enormous phone bills. It uses multiplexers to connect local and metropolitan networks to global
communications networks like the Internet. A WAN is a data communications network that
operates beyond a LAN’s geographic scope. It requires users to subscribe to an outside WAN
service provider, such as Cyberspace, Linkserve, Netcom, etc., to use WAN carrier network
services. WAN uses data links, such as Integrated Services Digital Network (ISDN) and Frame
Relay, provided by carrier services to access bandwidth over wide-area geographies.
WANs generally carry a variety of traffic types, such as voice, data, and video.
Figure 3.10: WAN Services
3.6.1 WAN Services
The most commonly used WAN services are telephone and data services. Telephone and data
services are normally connected from the building point of presence (POP) to the WAN
provider’s central office (CO). The CO is the local telephone company office to which all local
loops in a given area connect and at which circuit switching of subscriber lines occurs.
The WAN cloud above organizes WAN provider services into three main types:
- Call setup: It sets up and terminates calls between telephone users. It is also called
signaling and uses a separate telephone channel not used for other traffic. The most
commonly used call setup is Signaling System 7 (SS7), which uses telephone control
messages and signals between the transfer points along the way to the called
destination.
- Time-division multiplexing (TDM): Information from many sources has bandwidth
allocation on a single medium. Circuit switching uses signaling to determine the call
route, which is a dedicated path between the sender and the receiver. By multiplexing
traffic into fixed time slots, TDM avoids congested facilities and variable delays. Basic
telephone service and ISDN use TDM circuits.
- Frame Relay: Information contained in frames shares bandwidth with other WAN Frame
Relay subscribers. It is a statistically multiplexed service, unlike TDM, which uses Layer 2
identifiers and permanent virtual circuits. In addition, Frame Relay packet switching uses
Layer 3 routing with sender and receiver addressing contained in the packet.
3.6.2 WAN Service Providers and Signaling Standards
When one subscribes to an outside WAN service provider for network resources, the service
provider gives connection requirements to the subscriber, such as the type of equipment to be
used to receive services.
WAN links can be ordered from the WAN provider at various speeds that are stated in bits per
second (bps) capacity. This bps capacity determines how fast data can be moved across the
WAN link.
Figure 3.11: WAN Service Providers
Figure 3.12: DTE/DCE
Fig 3.2: WAN Technologies Operate at the Lowest Levels of the OSI Model
The following are the most commonly used terms associated with the main parts of WAN
services:
- Customer premises equipment (CPE): These are devices that are physically located on
the subscriber’s premises. These include both devices owned by the subscriber and
devices leased to the subscriber by the service provider.
- Demarcation (or demarc): The point at which the CPE ends and the local loop
portion of the service begins. It often occurs at the point of presence (POP) of a building.
- Local loop (or “last mile”): Cabling (usually copper wiring) that extends from the demarc
into the WAN service provider’s central office.
- CO switch: A switching facility that provides the nearest point of presence for the
provider’s WAN service.
- Toll network: The collective switches and facilities (called trunks) inside the WAN
provider’s cloud. The caller’s traffic may cross a trunk to a primary center, then to a
sectional center, and then to a regional or international carrier center as the call travels
the long distance to its destination.
3.6.3 DTE/DCE
A key interface in the customer site occurs between the data terminal equipment (DTE) and the
data circuit-terminating equipment (DCE). The DTE is the router, and the DCE is the device used
to convert the user data from the DTE into a form acceptable to the WAN service’s facility.
The WAN path between the DTEs is called the link, circuit, channel, or line. The DCE primarily
provides an interface for the DTE into the communication link in the WAN cloud. The DTE/DCE
interface acts as a boundary where responsibility for the traffic passes between the WAN
subscriber and the WAN provider. The DTE/DCE interface uses various protocols that establish
the codes that the devices use to communicate with each other. This communication
determines how call setup operates and how user traffic crosses the WAN.
Fig: The CSU/DSU Stands between the Switch and the Terminal
3.6.4 WAN Protocols
WAN operates at both the physical and the data link layer of the OSI model. The WAN protocols
are divided into the physical layer protocols and data link layer protocols.
The WAN physical layer protocols describe how to provide electrical, mechanical, operational,
and functional connections for WAN services. Most WANs require an interconnection that is
provided by a communications service provider, an alternative carrier, or a post, telephone, and
telegraph (PTT) agency. The WAN physical layer also describes the interface between the DTE
and the DCE.
Some of the physical-layer standards that define the rules governing the interface between the
DTE and DCE are: EIA/TIA-232 or RS-232 (operates at speeds up to 64 kbps), EIA/TIA-449 (operates
at 2 Mbps), EIA/TIA-612/613 (provides access to services at T3 (45 Mbps), E3 (34 Mbps), and
Synchronous Optical Network (SONET) STS-1 (51.84 Mbps) rates), V.24, V.35, X.21, G.703 and EIA-530.
Data link layer protocols are designed to operate over dedicated point-to-point, multipoint, and
multi-access switched services such as frame relay. The common data link layer encapsulations
associated with synchronous serial lines are: Cisco High-Level Data Link Control (HDLC) (a Cisco
proprietary protocol), Frame Relay, Point-to-Point Protocol (PPP), Simple Data Link Control
Protocol (SDLC), Serial Line Interface Protocol (SLIP), Link Access Procedure, Balanced (LAPB),
Link Access Procedure on the D channel (LAPD), and Link Access Procedure to Frame mode
bearer services (LAPF).
Fig: WAN Topology
3.7 VIRTUAL PRIVATE NETWORK
A virtual private network (VPN) is a network that allows the creation of private networks across
the Internet, enabling privacy and tunneling of non-TCP/IP protocols. It is a communications
environment in which access is controlled to permit peer connections only within a defined
community of interest. It is constructed through some form of partitioning of a common
underlying communications medium. This communication medium provides services to the
network on a non-exclusive basis. There are two major type of VPN, site-to-site IPsec and
Remote Access VPN
3.7.1
Site-to-Site IPSec VPN: This alternative to frame relay or leased-line WANs allows you to
extend your network resources to branch offices, home offices, and business partner sites.
3.7.2
Remote Access VPN: This type of VPN extends almost any data, voice, or video
application to the remote desktop, emulating the main office desktop.
Fig: Private Networks
3.8 NETWORK TOPOLOGIES
Network topology simply means the way in which the computers, printers, and other devices on
a network are connected. Topology greatly influences the way the network works. There are
two types of topology: physical and logical. The physical topology of a network refers to the
configuration of cables, computers, and other peripherals. Logical topology is the method used
to pass the information between workstations. The physical and logical topologies of a network
can be the same and could also be different. The following are the different types of network
topologies:
3.8.1 Linear Bus Topology
All devices on a bus topology are connected by a single cable, which proceeds from one
computer to the next like a bus line going through a city. It uses a long run of cable with
terminators at each end. The terminator absorbs the signal when it reaches the end of the line
or wire. In a bus network only one packet of data can be transmitted at a time.
Figure 3.13: Linear Bus topology
3.8.2 Star Topology
Star topology requires connection of all workstations and other devices to a central device, such
as a hub, switch, or router, using cables. Data on a star network passes through the central
device before continuing to its destination. The central device manages and controls all
functions of the network.
Figure 3.14: Star topology
3.8.3 Ring Topology
In ring topology, workstations are connected in the form of a ring or circle. Unlike the bus
topology, it has no beginning or end that needs to be terminated. A frame travels around the
ring, stopping at each node. If a node wants to transmit data, it adds that data as well as the
destination address to the frame. The frame then continues around the ring until it finds the
destination node, which takes the data out of the frame.
3.8.4 Tree Topology
The tree topology combines characteristics of linear bus and star topologies. It consists of
groups of star-configured workstations connected to a linear bus backbone cable. Tree
topologies allow for the expansion of an existing network, and enable schools to configure a
network to meet their needs. The tree topology is supported by several hardware and software
vendors. It uses point to point wiring for individual segments. The problems with tree topology
are: the overall length of each segment is limited by the type of cabling used; it is more difficult
to configure and wire than other topologies; if the backbone line breaks, the entire segment
goes down.
Fig. Tree Topology
3.9 NETWORK OPERATING SYSTEM
Network operating systems (NOS) coordinate the activities of multiple computers across a
network. The network operating system acts as a director to keep the network running
smoothly.
The two major types of network operating systems are: peer-to-peer and client/server.
3.9.1 Peer-to-Peer
Peer-to-peer network operating systems allow users to share resources and files located on
their computers and to access shared resources found on other computers. However, they do
not have a file server or a centralized management source. In a peer-to-peer network, all
computers are considered equal; they all have the same abilities to use the resources available
on the network. Peer-to-peer networks are designed primarily for small to medium local area
networks. AppleShare, Windows for Workgroups, Windows 98, and Windows XP are examples
of systems that can function as peer-to-peer network operating systems.
Figure 3.15: Peer-to-Peer network
3.9.2 Client/Server
Client/server network operating systems allow the network to centralize functions and
applications in one or more dedicated file servers. The file servers become the heart of the
system, providing access to resources and providing security. Individual workstations (clients)
have access to the resources available on the file servers. The network operating system
provides the mechanism to integrate all the components of the network and allow multiple
users to simultaneously share the same resources irrespective of physical location. Novell
Netware and Windows NT Server are examples of client/server network operating systems.
CHAPTER FOUR
4.0 TRANSMISSION CONCEPTS
Transmission is simply defined as the propagation of a signal, message, or other form of
intelligence by any means such as optical fiber, wire, or visual means. Transmission provides the
transport of a signal from an end-user source to the destination such that the signal quality at
the destination meets certain performance criteria.
A telecommunication network consists of customer premise equipment (CPE), switching nodes,
and transmission links. There are four different ways by which we can convey signals from one
switching node to another:
- Radio
- Fiber optics
- Coaxial cable
- Wire medium
4.1 RADIO SYSTEMS
The sizes, capacities, ranges, and operational frequency bands for radio systems vary greatly.
Radio systems include line of sight (LOS) microwave and satellite communication which are used
in long distance communication networks. Satellite communication is really nothing more than
an extension of LOS microwave.
The radio medium, unlike wire, cable and fiber, displays notable variability in performance. The
radio-frequency spectrum is shared with others and requires licensing. Metallic and fiber media
need not be shared and do not require licensing (but often require right-of-way).
Radio systems have very limited information bandwidths. It is for this reason that radio-frequency
bands of 2 GHz and above are used for PSTN and private network applications. Compared with
fiber-optic cable, radio is less expensive, has no right-of-way requirement, is less vulnerable to
vandalism, is not susceptible to “accidental” cutting of the link, is often more suited to crossing
rough terrain, is often more practical in heavily urbanized areas, and is used as a backup to
fiber-optic cable links.
Satellite communications is an extension of LOS microwave, but it has two drawbacks: limited
information bandwidth and excessive delay when the popular geostationary satellite systems
are utilized. It also shares frequency bands with LOS microwave.
One application showing explosive growth is very small aperture terminal (VSAT) systems. It is
very specialized and has great promise for certain enterprise networks, and there are literally
thousands of these networks now in operation.
4.1.1 Line of Sight Microwave
Line-of-sight (LOS) microwave provides broadband connectivity over a single link or a series of
links, i.e. to connect one radio terminal to another or to a repeater site. Links can be up to 30
miles long, depending on terrain topology; links with geostationary satellites can be over 23,000
miles long.
On conventional LOS microwave links, the length of a link is a function of antenna height.
Figure 4.1: Line of Sight microwave link using RAD Airmux-200 radio
4.1.2 Satellite Communication
Satellite communications is an extension of LOS microwave technology. The satellite must be
within line-of-sight of each participating earth terminal.
Satellite communications presents another method of extending the digital network. These
digital trunks may be used as any other digital trunks for telephony, data, the Internet, facsimile,
and video. Only very small aperture terminal (VSAT) systems are showing any real growth in the
GEO arena. A new type of communication satellite is being fielded. This is the low earth orbit
(LEO) class of satellites. Because of LEO’s low-altitude orbit (about 785 km above the earth’s
surface), the notorious delay problem typical of GEO (geostationary satellite) is nearly
eliminated.
There are two bands available for satellite communications: the C-band and the
Ku-band. The C-band uses a 6 GHz uplink and a 4 GHz downlink, while the Ku-band
uses a 14 GHz uplink and a 12 GHz downlink.
Figure 4.2: Satellite communication
4.2 FIBER OPTIC COMMUNICATION
A fiber optic system is similar to the copper wire system that fiber optics is replacing. The
difference is that fiber optics use light pulses to transmit information down fiber lines instead of
using electronic pulses to transmit information down copper lines.
Fiber optics as a transmission medium has a comparatively unlimited bandwidth. It has excellent
attenuation properties, as low as 0.25 dB/km. A major advantage fiber has when compared with
coaxial cable is that no equalization is necessary. Also, repeater separation is on the order of
10–100 times that of coaxial cable for equal transmission bandwidths. Some of the other
advantages are:
- Electromagnetic immunity
- Ground loop elimination
- Security
- Small size and light weight
- Expansion capabilities requiring change-out of electronics only, in most cases
- No licensing required
Fiber has analog transmission application, particularly for video/TV, and digital applications,
principally as a pulse code modulation (PCM) highway or “bearer.”
Fiber-optic transmission is used for links under 1 ft in length all the way up to and including
transoceanic undersea cable. In fact, all transoceanic cables currently being installed and
planned for the future are based on fiber optics.
Fiber-optic technology was developed by physicists and, following the convention of optics,
wavelength rather than frequency is used to denote the position of light emission in the
electromagnetic spectrum. The fiber optics of today uses three wavelength bands in the
near-visible infrared: around 800 nm (nanometers), 1300 nm, and 1600 nm.
Figure 4.3: Fiber optic cable
4.2.1 How Fiber Optic Works
Looking at the components in a fiber optic chain, at one end of the system is a transmitter which
is the place of origin for information coming on to fiber optic lines. The transmitter accepts
coded electronic pulse information coming from copper wire. It then processes and translates
that information into equivalently coded light pulses. A light emitting diode (LED) or an injection
laser diode (ILD) can be used for generating the light pulses. Using a lens, the light pulses are
funneled into the fiber optic medium where they transmit themselves down the line.
Light pulses move easily down the fiber optic line because of a principle known as total internal
reflection. This principle of total internal reflection states that when the angle of incidence
exceeds a critical value, light cannot get out of the glass; instead, the light bounces back in.
When this principle is applied to the construction of the fiber optic strand, it is possible to
transmit information down fiber lines in the form of light pulses.
Figure 4.4: Cut away of a fiber optic cable
Surrounding the cladding is a buffer material used to help shield the core and cladding from
damage. A strength material surrounds the buffer, preventing stretch problems when the fiber
cable is being pulled. The outer jacket is added to protect against abrasion, solvents, and other
contaminants. Once the light pulses reach their destination they are channeled into the optical
receiver. The basic purpose of an optical receiver is to detect the received light incident on it
and to convert it to an electrical signal containing the information impressed on the light at the
transmitting end. The electronic information is then ready for input into electronic based
communication devices, such as a computer, telephone, or TV.
4.3 COAXIAL CABLE
Coaxial cable is made up of a stiff copper wire as its core, with a plastic layer providing insulation
between the center conductor and a braided metal shield. The metal shield helps to block any outside
interference from fluorescent lights, motors, and other computers. Although coaxial cabling is
difficult to install, it is highly resistant to signal interference. In addition, it can support greater
cable lengths between network devices than twisted pair cable. The most common type of
connector used with coaxial cables is the Bayonet Neill-Concelman (BNC) connector. Coaxial
cables are used in LANs (original 10-Mbps Ethernet), in antenna systems for broadcast radio and
TV, and in high capacity analog and digital transmission systems in telecommunications
networks and even in older generation submarine systems.
Figure 4.5: Coaxial Cable and BNC connector
4.4 WIRE PAIR
A wire pair consists of two wires, usually twisted together (twisted pair). The wires commonly use a
copper conductor.
Twisted pair consists of two separately insulated copper wires twisted together to
eliminate interference. Twisted pair cables are either shielded twisted pair (STP) or
unshielded twisted pair (UTP). Twisted pair cables are mainly used for local area network (LAN)
connections. Twisted pair uses the RJ-45 connector for data connections and RJ-11 for voice channels.
The basic impairment of wire pair is loss or attenuation. Loss can be defined as the dissipation of
signal strength as a signal travels along a wire pair, or any other transmission medium for that
matter.
Other impairments suffered by wire pair are crosstalk and delay distortion. Crosstalk appears as
another conversation having nothing to do with the main telephone call. One main cause of
crosstalk is from other wire pairs sharing the same cable as the main line. These other
conversations are electrically induced into our line. To mitigate this impairment, physical twists
are placed on each wire pair in the cable.
Figure 4.6: Unshielded twisted pair cable
6.0 NETWORK SECURITY
The network is the entry point to all resources such as applications, data, and many other
packages. It provides the first gatekeepers that control access to the various servers in the
environment. Servers are protected with their own operating system gatekeepers, but it is
important not to allow them to be deluged with attacks from the network layer. It is equally
important to ensure that network gatekeepers cannot be replaced or reconfigured by
imposters. In a nutshell, network security involves protecting network devices and the data that
they forward.
The basic components of a network, which act as the front-line gatekeepers, are the router, the
firewall, and the switch.
Fig. Network components: router, firewall, and switch
6.1 Physical Security
It doesn't matter how many service packs you put on your operating system. If the
server is sitting in the middle of your office where anyone can get to it, you might as
well not have any security at all.
6.2 What is physical security?
Physical security refers to the sometimes dreary task of ensuring that only authorized people
have physical access to your systems. This is not nearly as exciting as the war being waged on
the Internet, but it can be more important in protecting your corporate assets.
Computers are unavoidably vulnerable to physical attack. Routers allow their passwords to be
reset, server software-based security can be easily bypassed, and user passwords can be
cracked and stolen. All of this is possible with a reasonable amount of physical access to the
system.
Physical network security standards should be applied to everything from how old
servers are treated at end-of-life to how the new voicemail system operates,
because anything could prove a potential security hole. Companies must develop
best practices in-house for recognizing and mitigating these threats.
6.3 The importance of physical security
Physical security is an important component of the protection of corporate information. The
ability to gain physical access to servers and network equipment not only can allow all the
information to be downloaded, but it can create an opening that hackers can continue to use
for years to come.
Gaining physical access to a server provides direct access to the server’s hard drives and the
ability to reboot the server. Remember that all of the security set up on your servers is
software-level security. That is, the operating system software protects the files based on the
security settings you've established. If someone rebooted the server and installed a new copy
of the operating system, that person could establish new rules for access. Intruders can use
this fact to install a new version of the operating system and grant themselves access to every
file on the server.
Once intruders have access to the file system, they can extract a password file that contains the
usernames and passwords of every user on the system. This file typically contains encrypted
passwords for users; however, there are a variety of tools that will break the encryption on
these files to reveal the password of every user on the system.
This is dangerous because users typically use the same password for every system. Once the
security of one system has been compromised, it is possible for an intruder to use that
information to gain access to other systems. Also, most networks contain several special-purpose system accounts that are used so that automated tools can manage the network and
perform administrative functions, such as backing up the network. These passwords are
typically never changed and never expire. Furthermore, because some of them are likely to
access every file on the network repeatedly, they are rarely audited.
The end result of a password-cracking activity might be to allow an intruder into an account
that is not audited, whose password never changes, and one that is not often thought of when
looking for potential security breaches. This is all possible despite the fact that the account
may contain administrative access.
6.4 Locking the door
Physical security is all about who has access to the equipment. In the past, it was clear that
only authorized people would have access to the systems. Computers lived in big "glass
houses" where only IT people were allowed to go. The systems were always kept under lock
and key.
Locks have been around forever and have the benefit of being simple in their design. However,
keys can be lost, stolen, or duplicated, which presents a problem when you're trying to manage
user access to the servers. One lost key or disgruntled person, and the potential physical
security is gone.
In addition, keys do not generate audit trails. It is impossible to determine, from just a lock,
who has unlocked the door and gained access. The key-and-lock combination prevents anyone
except the determined from gaining access but does not offer the extended ability to keep
records.
Most computer rooms and many businesses have shifted to a card access (or token access)
system. Under such a system, each user has a unique card that authenticates the user. Once
the card access system knows who the person is, it determines whether the person is
authorized for entry. Once properly authorized, the person can be allowed entry and the
person’s access can be logged.
Fig 6. Token Access Control
6.5 Lock everything
With the increasing density of computers and the number of servers being used at smaller and
smaller offices, it is no longer safe to assume that all of the critical servers in an organization
are behind lock and key in one big room. Today, branch offices are receiving servers, which
run some of the operations such as file and print services that demand larger communications
bandwidth. While a line of business application may still be present on a central server, more
operations are moving local to the user to improve responsiveness.
The unfortunate part of this is that suddenly servers must share their space with other
equipment and potentially with a much wider array of employees. A server may be squirreled
away in the corner of a janitor's closet, in the break room, or in any number of other locations
where controlling physical access to the room may not be practical.
Luckily, servers and equipment have been standardized to fit a standard 19-inch rack. Initially,
racks were free-standing mounting hardware that allowed for a mechanism to stack
equipment into tighter spaces, but the evolution of computer equipment has led to 19-inch
rack mount cabinets that may or may not be fully enclosed. Enclosed racks offer the unique
opportunity to create a physical barrier to accessing the servers without providing complete
room security.
Once they are sufficiently loaded with computers or bolted to the floor, rack cabinets become
substantially more difficult to move and much more difficult to steal. Locked rack cabinets,
although having the problems associated with a lock and key, do provide a measurable level of
additional physical security, particularly for environments where the room housing the servers
cannot be practically secured.
6.6 What to secure
It is obvious that access to servers is critical and that servers should be protected, but there are
other items whose physical access should be protected. Anything that has data on it should
obviously have some physical security protecting it from being taken by someone who should
not have it.
Perhaps the best example of this is your backups. You probably already know that you should
rotate backup tapes off site in case there is a fire, flood, tornado, hurricane, or other disaster
that destroys your location. However, do you encrypt the data that is on those tapes with a
password? Without some sort of basic encryption, the tapes are as good as having access to the
server itself. The data can be restored to another system and become a way for corporate spies
to gain access to your information—and your passwords.
Although most off-site tape rotation companies are bonded and insured, there is often little
thought given to leaving the tapes for those companies at a front desk, on a shipping dock, or
in other places where they would be easy for someone to steal. Remembering to protect your
backups with physical security is an important step.
Special care should also be given to any device that might allow a user to gain access to the
network remotely. A good example of this type of device is a firewall that is installed in a
branch office and configured to automatically establish a VPN to the main office. If the firewall
were stolen, it would be relatively easy to create an environment that would establish the VPN
to the home office without needing to know the password on the device or in any way modify
the configuration.
The implication is that the person could gain access to your network from anywhere he or she
wanted. This is particularly true when all branch offices are configured with the same VPN
password—because changing the VPN password would require reconfiguring all of the devices.
6.7 Monitoring
There is no foolproof way to ensure that a server is always physically protected. Breakdowns in
security always happen. Monitoring is necessary to ensure that unauthorized actions do not
occur with the server.
You may already have the most basic kind of monitoring in place on your network. For
intruders to attack the server, they will need to take it off the network, either by stealing it or
rebooting it to their operating systems. By monitoring for servers that go offline, you can
identify connectivity and stability problems as well as machines that may be targets.
Obviously, monitoring when a server is present and when it is not present is a good start, but
it does not tell you who took the server. That is what video monitoring can do for you. Video
monitoring uses digital video cameras to snap pictures of the individuals entering a room or
approaching a server. There are a variety of devices that can perform this function.
Fig. 6. Security Camera
6.9 Logical Security
Logical controls (also called technical controls) use software and data to monitor and control
access to information and computing systems. For example: passwords, network and host based
firewalls, network intrusion detection systems, access control lists, and data encryption are
logical controls.
An important logical control that is frequently overlooked is the principle of least privilege. The
principle of least privilege requires that an individual, program or system process not be granted
any more access privileges than are necessary to perform the task. A blatant example of the
failure to adhere to the principle of least privilege is logging into Windows as the user Administrator
to read email and surf the Web. Violations of this principle can also occur when an individual
accumulates additional access privileges over time.
6.9.1 IEEE 802.1X Port-Based Access Control
The ability to connect an unauthorized device to a LAN port has long been a threat to
network security. In the past, options to defend against this threat were limited to:
- Electronically disabling unused LAN ports
- Configuring access control lists to only allow authorized MAC addresses to
connect to a switch port
- Physically disconnecting the switch from unused wiring.
The IEEE has developed a standard that permits a switch port to remain wired or enabled, but
will not permit network traffic to traverse a switch until the identity of the client is confirmed.
The IEEE 802.1x standard defines the process to authenticate a wired or wireless client prior to
authorizing a switch port to allow the client to communicate with the network.
6.9.2 Wired Environment
The IEEE 802.1x standard defines a client-server-based access control and authentication
protocol that restricts unauthorized devices from connecting to a LAN through publicly
accessible ports. 802.1x controls network access by creating two distinct virtual access points at
each port. One access point is an uncontrolled port; the other is a controlled port. All traffic
through the single port is available to both access points. 802.1x authenticates each user device
that is connected to a switch port and assigns the port to a VLAN before it makes available any
services that are offered by the switch or the LAN. Until the device is authenticated, 802.1x
access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through
the port to which the device is connected. After authentication is successful, normal traffic can
pass through the port.
There are three main components that comprise the 802.1x standard. They are the Client, the
Authentication Server, and the Switch.
Client: This is the device that requests access to the network via a switch port.
It could be a desktop, laptop, or Flybook, as the case may be. These are the devices
(workstations) that request access to the LAN and switch services and respond
to requests from the switch. As shown below, PCs 1 to 4 are the clients that
request authenticated network access. PCs 1 and 2 use the same logon
credential, which is in VLAN 2. Similarly, PCs 3 and 4 use a logon credential for
VLAN 3. PC clients are configured to obtain their IP address from a DHCP server.
Switch: This is the device that controls the status of the LAN port that a client is
connected to. This device initiates the authentication process when a client first
tries to connect to the network and controls physical access to the network
based on the authentication status of the client. The switch acts as an
intermediary (proxy) between the client and the RADIUS server. It requests
identity information from the client, verifies that information with the RADIUS
server, and relays a response to the client. Here, the Catalyst 6500 switch is also
configured as a DHCP server. The 802.1x authentication support for the Dynamic
Host Configuration Protocol (DHCP) allows the DHCP server to assign IP
addresses to the different classes of end users by adding the authenticated user
identity into the DHCP discovery process.
Remote Authentication Dial-In User Service (RADIUS) Server: This is the device
that is responsible for verifying the identity of the client. The RADIUS server
communicates with the switch to inform the switch whether or not the client is
authorized to attach to the network.
6.9.3 802.1x Conversation
To begin the process, the switch port that the client will connect to is in an
unauthorized state. It is important to understand that a switch port that is
configured to use 802.1x has two channels available for data traffic. The first
channel is for data traffic between the client and the network. The second channel
is for 802.1x authentication traffic. When a switch port is in an unauthorized
state, it means that network data traffic is not permitted to traverse the switch port.
However, 802.1x authentication traffic is permitted to traverse the switch between
the client and the RADIUS server.
The start of the authentication process generally begins when the switch port detects an
electrical connection; this happens when the workstation is powered on and the network
interface card attempts to connect to a switch. Once the switch detects a connection, the
switch will send an Extensible Authentication Protocol (EAP) frame to the client requesting the
client’s identity. The client will then send an EAP frame with its identity to the switch, which the
switch will then forward to the RADIUS server. The RADIUS server will then challenge the client
by sending an EAP frame back through the switch to the client to request the client’s certificate
or password. The client will respond with an EAP frame that includes the client certificate or
password. Once the RADIUS server receives and verifies the client certificate or password, the
RADIUS server will send an EAP frame to the switch to authorize the client to use the network
data traffic channel.
Fig. 6.9 802.1X Authentication Process
6.10 Wireless Environment
802.1X was originally designed for use in wired networks but was adapted to address WLAN security concerns
because of its robust, extensible security framework and powerful authentication and data privacy capabilities. An
IEEE standard, the 802.1X framework enables the secure exchange of user and/or device credentials, and
prevents virtually any unauthorized network access since authentication is complete before a network IP address has
been assigned.
6.10.1 How It Works
An 802.1X network requires only three components to operate, each of which is referred
to in terms that are somewhat unique to this standard. Those components are:
- A Supplicant – software that implements the client side of the 802.1X standard and
works in wired or wireless environments. The Supplicant is loaded onto the user’s
device and is used to request network access.
- An Authenticator – a component that sits between the external user device that needs
to be authenticated and the infrastructure used to perform authentication. Examples
of Authenticators are network switches and wireless access points.
- An Authentication Server – a server which receives RADIUS messages and uses
that information to check the user’s or device’s authentication credentials, usually
against a backend authentication data store such as Microsoft Active Directory,
LDAP, or another directory store or database.
In addition, a secure, flexible authentication framework for access control is also needed
to ensure the secure passing and validation of network credentials. This framework should
also simplify the creation and maintenance of additional authentication methods. The
Extensible Authentication Protocol (EAP) standard was created explicitly to meet these
requirements. An Internet Engineering Task Force (IETF) standard, EAP enables the
creation of a variety of extensible access protocols providing flexible, expandable network
access and authorization.
When attempting to access an 802.1X-based network, instead of simply being granted
Layer 3 access, the port challenges users for their identity. If the user’s device is not
configured for use in an 802.1X-based network—that is, it does not have a running
Supplicant—the port will deny network access. With an operational Supplicant on the
device, the Supplicant will respond to the port’s challenge for user identity and start the
802.1X authentication process. The Supplicant passes network credentials (user and/or
device identification information) to the Authenticator, which verifies the connection to the
network and passes the identification information on to the Authentication Server. Figure 1
below is a graphical representation of a typical 802.1X network environment. In an 802.1X
compliant network, both the Supplicant and the Authenticator must support the 802.1X
standard, and there must be an Authentication Server component in the environment to
complete the transaction.
Figure 1: Typical 802.1X Network Environment
Network credentials are presented by the Supplicant and passed to the Authenticator. These credentials
must then be validated by the Authentication Server. Once that validation occurs, a network port on a switch
or a wireless access point is opened and made available for the user or device to gain access to the
network. If network credentials are in order and approved, the user can access the network. However, if the
network credentials are not up to par and are not approved, or if the service to check the network credentials
is unavailable for any reason, the user can be denied access to the network. The combination of robust
security with simple “on/off” control of network admission is another key reason for the popularity of 802.1X.
In some cases, organizations may wish to grant holders of inappropriate, invalid or unchecked network
credentials limited access to the enterprise network, or allow them Internet access only. These options may
be achieved through VLAN tagging or routing which must be supported by the network switch or access
point.
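The 802.1X exchange described in sections 6.9.2, 6.9.3 and 6.10.1, simulated as an added Python example that is not part of this report: the switch port starts unauthorized and passes only EAPOL, the switch proxies the EAP identity and password exchange to the RADIUS server, a success opens the port on the VLAN the server returns, and a wrong password, a missing supplicant or an unreachable server leaves the data channel closed. The identities, passwords, VLAN numbers and the guest VLAN used for failed logons are constructed for the example.

```python
"""Simulated IEEE 802.1X port-based access control (added example, not from the
report). Identities, passwords and VLAN numbers are constructed for the example."""

EAPOL, DATA = "EAPOL", "DATA"   # authentication traffic vs normal network traffic


class Client:
    """Supplicant on the workstation; identity=None models a device without one."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def credential_response(self, challenge):
        # The report's RADIUS server asks for a certificate or password.
        return self.password if challenge["type"] == "password" else None


class RadiusServer:
    """Authentication server: verifies credentials, tells the switch the VLAN."""

    def __init__(self, users, available=True):
        # users: identity -> (password, vlan); available=False = unreachable server
        self.users, self.available = users, available

    def challenge(self, identity):
        return {"eap": "Request", "type": "password", "identity": identity}

    def verify(self, identity, password):
        if not self.available:
            raise ConnectionError("RADIUS server unreachable")
        entry = self.users.get(identity)
        if entry is not None and entry[0] == password:
            return {"eap": "Success", "vlan": entry[1]}
        return {"eap": "Failure"}


class SwitchPort:
    """Authenticator: one switch port, starting in the unauthorized state."""

    def __init__(self, radius, guest_vlan=None):
        # guest_vlan: optional limited-access VLAN for failed logons (constructed)
        self.radius, self.guest_vlan = radius, guest_vlan
        self.authorized, self.vlan, self.log = False, None, []

    def link_up(self, client):
        """Run the EAP conversation the report describes when a link comes up."""
        self.log.append("switch->client: EAP Request-Identity")
        if client.identity is None:
            self.log.append("no supplicant reply: port stays unauthorized")
            return False
        self.log.append(f"client->switch->radius: EAP Response-Identity {client.identity}")
        challenge = self.radius.challenge(client.identity)   # relayed to the client
        self.log.append("radius->switch->client: EAP Request (password)")
        try:
            result = self.radius.verify(client.identity, client.credential_response(challenge))
        except ConnectionError:
            self.log.append("radius unreachable: access denied, port stays unauthorized")
            return False
        if result["eap"] == "Success":
            self.authorized, self.vlan = True, result["vlan"]
            self.log.append(f"radius->switch: EAP Success, port opened on VLAN {self.vlan}")
        else:
            self.log.append("radius->switch: EAP Failure")
            if self.guest_vlan is not None:
                self.vlan = self.guest_vlan   # limited access only
        return self.authorized

    def forward(self, kind):
        """Return the VLAN a frame is forwarded onto, or None if the port drops it."""
        if kind == EAPOL:
            return "uncontrolled"     # the uncontrolled channel always passes EAPOL
        if self.authorized:
            return self.vlan          # controlled channel open
        if self.guest_vlan is not None and self.vlan == self.guest_vlan:
            return self.guest_vlan    # limited access after a failed logon
        return None


def run_scenarios():
    """Report's cases (PCs 1-2 on VLAN 2, PCs 3-4 on VLAN 3) plus the failure modes."""
    users = {"vlan2-user": ("pc12-secret", 2), "vlan3-user": ("pc34-secret", 3)}
    radius, out = RadiusServer(users), {}
    pc1 = SwitchPort(radius)
    out["pc1_data_before"] = pc1.forward(DATA)     # None: blocked until authenticated
    out["pc1_eapol_before"] = pc1.forward(EAPOL)   # "uncontrolled"
    pc1.link_up(Client("vlan2-user", "pc12-secret"))
    out["pc1_data_after"] = pc1.forward(DATA)      # 2
    pc3 = SwitchPort(radius)
    pc3.link_up(Client("vlan3-user", "pc34-secret"))
    out["pc3_data_after"] = pc3.forward(DATA)      # 3
    bad = SwitchPort(radius, guest_vlan=99)
    bad.link_up(Client("vlan2-user", "wrong"))
    out["bad_password"] = bad.forward(DATA)        # 99: guest VLAN only
    nosup = SwitchPort(radius)
    nosup.link_up(Client(None, None))
    out["no_supplicant"] = nosup.forward(DATA)     # None
    down = SwitchPort(RadiusServer(users, available=False))
    down.link_up(Client("vlan2-user", "pc12-secret"))
    out["radius_down"] = down.forward(DATA)        # None: deny when server unavailable
    return out
```

Calling run_scenarios() returns the verdict for each case; each port's log lists the EAP frames exchanged in the order the report gives them.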
6.11 Microsoft Lockdown
Most computer users want resources from the internet, which leads them to install
programs, run applications, and often accept active installers while surfing the internet.
While these can be helpful, they pose a threat to the server. This calls for locking down work
computers and limiting the user’s capacity to do anything other than run programs.
6.11.1 Implementing Group Policy
Group Policy gives you administrative control over users and computers in your network. By
using Group Policy, you can define the state of a user's work environment once, and then rely
on Windows Server 2003 to continually enforce the Group Policy settings that you apply across an
entire organization or to specific groups of users and computers. The following can be achieved:
- You can assign Group Policy in domains, sites and organizational units.
- All users and computers in the domain, site and organizational unit are affected by the
Group Policy settings.
- No one else in the network has rights to change the settings of Group Policy; by default
only the administrator has full privilege to change them, so it is very secure.
- Policy settings can be removed, and the changes can further be rewritten.
6.11.2 The Domain Controller Effect
The domain controllers in the network are the centerpiece of the Active Directory service. They contain all
of your user account information, without which, users cannot log on to your network and access the
resources that they need to perform their jobs.
Because of the information that domain controllers contain and their critical role in any environment, they
are obvious targets of malicious attacks. For this reason, the domain controllers should be kept in the
most secure location possible, kept up to date with the latest security updates, and have Group Policy
applied.
To improve the security of the environment, apply Group Policy, which is the change and configuration
management technology included with Active Directory, on your domain controllers. This guide leads you
through the following tasks:
6.11.3 Securing the Domain Controllers by Using Group Policy
You can improve security on your domain controllers by using Group Policy. The following tasks show how
to configure Group Policy to disable unnecessary or unused services on your domain controllers that might
otherwise create unwanted exposure if they are left enabled. To configure Group Policy for your domain
controllers, complete the following tasks:
- Create a new Group Policy object (GPO), and link it to the Domain Controllers organizational unit
(OU).
- Import baseline security settings into the new GPO by using the security template that is included
with this guide.
- Verify the new settings by reviewing the Application log on your domain controllers.
Other steps are implementing the Domain Controllers Baseline Policy, and logging in as an administrator.
6.11.4
Securing the DNS Server service.
For Active Directory to function correctly, it requires the presence of a Domain Name System (DNS)
server. On the Internet and in other TCP/IP networks, DNS naming is used to locate computers and
services by using user-friendly names. When a user enters a DNS name in an application, the DNS service
resolves the name to an IP address.
To support Active Directory, either use a DNS service provided by a service provider or host your own
DNS server on Windows Server 2003. The security of a self-hosted DNS server can be improved by:
• Limiting the IP addresses on which the DNS Server service listens.
• Disabling recursion on DNS servers that do not provide resolution services to network clients.
• Configuring root hints to help protect your private DNS namespace.
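As an added example (not code from the report or from Microsoft's guide), the script below applies all three DNS hardening steps with the DnsServer PowerShell module of Windows Server 2012 or later; the equivalent dnscmd.exe commands for Windows Server 2003, the version the report describes, are given in the comments. The internal address, the private root server name and the $servesClients flag are assumptions.

```powershell
# Added example: harden the DNS Server service on a domain controller.
# Assumptions: DnsServer module (Windows Server 2012+), run as an administrator on the DNS server;
# 10.0.0.10 and root.corp.example. are made-up values for the DC's LAN address and the
# organisation's own root server for its private namespace.
Import-Module DnsServer

$internalIp     = "10.0.0.10"            # assumed: the DC's address on the internal LAN
$internalRootNs = "root.corp.example."   # assumed: authoritative root for the private namespace
$servesClients  = $false                 # set $true on DCs that resolve names for workstations

# 1. Listen only on the internal interface instead of on every address the server owns, so a
#    DC with an Internet-facing or management NIC does not answer DNS there.
#    (Server 2003 equivalent: dnscmd /ResetListenAddresses 10.0.0.10)
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @([System.Net.IPAddress]::Parse($internalIp))
Set-DnsServerSetting -InputObject $settings

# 2. Disable recursion, but only on servers that do not resolve for clients: a client-facing
#    resolver still needs recursion or forwarders. An open recursive server can be abused for
#    cache poisoning and reflection/amplification attacks.
#    (Server 2003 equivalent: dnscmd /Config /NoRecursion 1)
if (-not $servesClients) {
    Set-DnsServerRecursion -Enable $false
}

# 3. Replace the Internet root hints with the private root so a lookup for a name in the internal
#    namespace that this server cannot answer is sent inward, never to the Internet root servers.
Get-DnsServerRootHint | Remove-DnsServerRootHint -Force
Add-DnsServerRootHint -NameServer $internalRootNs -IPAddress ([System.Net.IPAddress]::Parse($internalIp))

# Verify the three settings.
Get-DnsServerSetting -All | Select-Object ListeningIPAddress
Get-DnsServerRecursion  | Select-Object Enable
Get-DnsServerRootHint
```

Check step 2 against the client configuration before running it: if workstations point at this DC as their DNS server and recursion is turned off, every name outside the zones the DC hosts stops resolving, which looks like a network outage rather than a hardening change.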
6.11.5 Keeping Your Domain Controllers Secure
Because domain controllers contain critical information that must remain secure, review the security
features available for domain controllers and use the ones that suit the environment. Ensure that the
latest Microsoft security updates are installed.
This section provides configuration steps for helping you keep your domain controllers secure:
• Installing the latest Microsoft security updates.
• Creating a reserve file so that you can recover from attacks that fill the disk.
• Disabling automatic 8.3 short-name generation to reduce the system's exposure to viruses and malicious attacks.
• Using the System Key (SYSKEY) utility to help protect domain controllers from password-cracking software.
• Disabling anonymous access to Active Directory in environments where applications do not require anonymous connections.
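As an added example (not code from the report or from Microsoft's guide), the following script audits a domain controller for the five items above and, when run with -Apply, changes the ones that can be changed non-interactively. It assumes Windows Server 2008 R2 or later and Domain Admin rights; the reserve-file path and size are made up. SYSKEY mode is only reported, because changing it is an interactive syskey.exe operation.

```powershell
# Added example: audit (default) or apply (-Apply) the remaining DC hardening steps.
# Assumptions: Windows Server 2008 R2+, run as a Domain Admin on the DC, saved as Harden-DC.ps1;
# the reserve file path and size are made up.
param([switch]$Apply)

$reserveFile = "C:\reserve.bin"   # assumed
$reserveSize = 250MB              # assumed; enough headroom to delete and let logging and replication continue

# 1. Missing updates: ask the Windows Update Agent for software updates that are not installed.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$missing  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
"Missing updates: $($missing.Count)"
$missing | ForEach-Object { "  " + $_.Title }

# 2. Reserve file: a large file you can delete to regain space if an attacker fills the disk
#    (through the event logs or SYSVOL, for example). fsutil allocates it without writing data.
if (-not (Test-Path $reserveFile)) {
    "Reserve file missing"
    if ($Apply) { fsutil file createnew $reserveFile $reserveSize }
}

# 3. 8.3 short names: value 1 disables generation on all volumes (2 means per-volume, 0 enabled).
#    Short names give an attacker guessable aliases for long file names and slow large directories.
$fs = "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem"
if ((Get-ItemProperty $fs).NtfsDisable8dot3NameCreation -ne 1) {
    "8.3 name generation is not disabled on all volumes"
    if ($Apply) { fsutil behavior set disable8dot3 1 }
}

# 4. System Key: SecureBoot 1 keeps the key on the machine, 2 requires a password at start-up,
#    3 stores it on removable media. Modes 2 and 3 resist offline cracking of the SAM/AD database.
$lsa  = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$mode = (Get-ItemProperty $lsa).SecureBoot
"SYSKEY mode: $mode (change with syskey.exe; interactive)"

# 5. Anonymous access: RestrictAnonymous=1 blocks anonymous enumeration of accounts and shares,
#    and removing ANONYMOUS LOGON from Pre-Windows 2000 Compatible Access stops anonymous reads
#    of Active Directory. Only apply where no application still needs anonymous connections.
if ((Get-ItemProperty $lsa).RestrictAnonymous -ne 1) {
    "RestrictAnonymous is not set to 1"
    if ($Apply) { Set-ItemProperty $lsa -Name RestrictAnonymous -Value 1 -Type DWord }
}
$pre2k = net localgroup "Pre-Windows 2000 Compatible Access"
if ($pre2k -match "ANONYMOUS LOGON") {
    "ANONYMOUS LOGON is a member of Pre-Windows 2000 Compatible Access"
    if ($Apply) { net localgroup "Pre-Windows 2000 Compatible Access" "NT AUTHORITY\ANONYMOUS LOGON" /delete }
}
```

Run it once without -Apply on every DC and compare the output between them: domain controllers are expected to be identical, so a DC that differs on any of these points is either missing the baseline or has been changed by hand.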
6.12 Network Firewall
A firewall is a system or group of systems that enforces an access control policy between two
networks. The actual means by which this is accomplished varies widely, but in principle, the
firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the
other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic,
while others emphasize permitting traffic. Probably the most important thing to recognize about
a firewall is that it implements an access control policy.
Fig. 6. Firewall Implementation
6.12.1 The Need for a Firewall
The Internet, like any other society, is plagued with the kind of jerks who enjoy the
electronic equivalent of writing on other people's walls with spray paint, tearing their
mailboxes off, or just sitting in the street blowing their car horns. Some people try to get
real work done over the Internet, and others have sensitive or proprietary data they must
protect. Usually, a firewall's purpose is to keep the jerks out of your network while still
letting you get your job done. A firewall can also act as your corporate ``ambassador'' to
the Internet: many corporations have used their firewall systems as a place to store public
information about corporate products and services, files to download, bug-fixes, and so
forth. Several of these systems became important parts of the Internet service
structure (e.g. UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and reflected well on their
organizational sponsors. Today that public content belongs on a separate host in a screened
subnet rather than on the firewall itself, so that a compromise of the public service does not
compromise the device enforcing the policy.
6.12.2 Firewall Protection
Some firewalls permit only Email traffic through them, thereby protecting the network
against any attacks other than attacks against the Email service. Other firewalls provide
less strict protections, and block services that are known to be problems.
Generally, firewalls are configured to protect against unauthenticated interactive logins
from the ``outside'' world. This, more than anything, helps prevent vandals from logging
into machines on your network. More elaborate firewalls block traffic from the outside to
the inside, but permit users on the inside to communicate freely with the outside. The
firewall can protect you against any type of network-borne attack if you unplug it.
Firewalls are also important because they provide a single ``choke point'' where security
and audit can be imposed. Unlike a computer system that is being attacked by someone dialing
in with a modem, the firewall can act as an effective ``phone tap'' and tracing tool. Firewalls
provide an important logging and auditing function; often they provide summaries to the
administrator of what kinds and amounts of traffic passed through, how many attempts there
were to break in, and so on.
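As an added example, not part of the report, the script below expresses the policy described in this section on Windows Firewall with Advanced Security (NetSecurity module, Windows Server 2012 or later): inbound traffic is blocked by default, inside-to-outside traffic is permitted, only the mail service is opened from outside, and every dropped packet is logged so the firewall serves as the audit choke point. The rule name, port and log path are assumptions; the weak configuration is shown in a comment beside the corrected one.

```powershell
# Added example: default-deny inbound, allow outbound, one permitted service, logged drops.
# Assumptions: NetSecurity module (Windows Server 2012+), run as an administrator;
# the rule name, SMTP port choice and log file location are made up.
Import-Module NetSecurity

$logFile = "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"   # assumed

# Weak setting: inbound connections allowed by default and nothing logged. Do not use.
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Allow -LogBlocked False

# Corrected policy: the "block" mechanism is the inbound default, the "permit" mechanism is
# the outbound default plus explicit inbound rules, and drops are written to the log.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogAllowed False -LogFileName $logFile -LogMaxSizeKilobytes 32767

# The one inbound service permitted from outside: SMTP to the mail relay. Everything else
# inbound falls through to the default Block.
if (-not (Get-NetFirewallRule -DisplayName "Allow inbound SMTP" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "Allow inbound SMTP" -Direction Inbound -Protocol TCP `
        -LocalPort 25 -Action Allow -Profile Any | Out-Null
}

# Audit: summarise what the choke point dropped. Log lines are space separated:
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
# so field 2 is the action, 3 the protocol, 4 the source address and 7 the destination port.
$resolved = [Environment]::ExpandEnvironmentVariables($logFile)
$drops = Get-Content $resolved -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^#' } |
    ForEach-Object {
        $f = $_ -split ' '
        if ($f[2] -eq 'DROP') { [pscustomobject]@{ Src = $f[4]; Port = $f[7]; Proto = $f[3] } }
    }
$drops | Group-Object Src, Port, Proto | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

The summary at the end is the ``phone tap'' the text refers to: a single source address appearing against many destination ports is a scan, and the same address repeatedly hitting one closed port is a targeted attempt, both visible only because the drops are logged.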
6.12.3 Firewall Limitations
Firewalls can't protect against attacks that don't go through the firewall. Many
corporations that connect to the Internet are very concerned about proprietary data
leaking out of the company through that route. Unfortunately for those concerned, a
magnetic tape can just as effectively be used to export data. Many organizations that are
terrified (at a management level) of Internet connections have no coherent policy about
how dial-in access via modems should be protected. It's silly to build a 6-foot thick steel
door when you live in a wooden house, but there are a lot of organizations out there
buying expensive firewalls and neglecting the numerous other back-doors into their
network. For a firewall to work, it must be a part of a consistent overall organizational
security architecture. Firewall policies must be realistic, and reflect the level of security
in the entire network. For example, a site with top secret or classified data doesn't need a
firewall at all: they shouldn't be hooking up to the Internet in the first place, or the
systems with the really secret data should be isolated from the rest of the corporate
network.
Another thing a firewall can't really protect you against is insiders, whether malicious or
careless. While an industrial spy might export information through your firewall, he is just
as likely to export it through a telephone, FAX machine, or floppy disk. Floppy disks are
a far more likely means for information to leak from your organization than a firewall!
Firewalls also cannot protect you against careless users. Users who reveal sensitive
information over the telephone are good targets for social engineering; an attacker may
be able to break into your network by completely bypassing your firewall if he can find a
``helpful'' employee inside who can be fooled into giving access to a modem pool.
Lastly, firewalls can't protect against tunneling over most application protocols to
trojaned or poorly written clients. There are no magic bullets, and a firewall is not an
excuse to not implement software controls on internal networks or ignore host security on
servers.
CHAPTER SIX
6.0 CONCLUSION AND RECOMMENDATION
6.1 CONCLUSION
The six-month industrial training has been a great experience for me and an exposure to the
industry. The scheme opened up the Information and Computer Technology industry to me, and
I can now work comfortably on both voice and data communication equipment.
Considering the bountiful knowledge and technical skill acquired during the course of the
program, I will say SIWES has greatly contributed to the development of manpower and
technology in our nation, and I am very grateful to SIWES.
6.2 RECOMMENDATION
All parties involved in the organization of the scheme should work together so as to achieve a
more successful scheme. The major body, SIWES, should adhere to the following suggestions:
• The welfare of the students partaking in the program has been a concern for years. The body should ensure that stipends are paid during the program so that students can be at their best.
• SIWES should also ensure that students perform their six months of training in firms related to their course of study.
In addition, the university should also ensure that:
• Regular visits to students' placements are strictly carried out.
• Students are attached to industries where they can put their theoretical knowledge into practice during the course of the program.
• The authorities make an effort to fast-track placement for students as early as possible.
• Students embark on field trips and are well nurtured in the practical aspects of their discipline.
Furthermore, the firms taking students on industrial attachment should ensure that:
• A well-structured program for the period of training is spelt out and strictly adhered to, so that students can benefit.
• Students are made aware of the rules and regulations at work and given the work ethic they need.
REFERENCES
1. www.windowsnetworking.com
2. How Stuff Works, Computer Networks
3. Todd Lammle (2007), Cisco Certified Network Associate Study Guide
4. Cisco Systems, Inc. (2002), Cisco Certified Network Associate Basics (CCNAB)
5. http://technet.microsoft.com/en-us/library
6. NNPC Group Profile, www.nnpcgroup.com
8. Roger L. Freeman (2005), Fundamentals of Telecommunication
9. techrepublic.com.com/5208-6230-0.htm