
UNIT-1 EXPLORING DIRECTORY SERVICES AND REMOTE ACCESS

1 Define: Directory Services

- A directory service is the network service that identifies all the resources on the network and makes them accessible to users and applications.

2 List out the characteristics of directory services

- Hierarchical naming model
- Extended search capability
- Distributed information model
- Shared network access
- Replicated data
- Data store optimized for reads
- Extensible schema

3 Define: Container

- A container is a type of object that contains other objects, which can themselves be further containers or leaves.
- When Active Directory is installed, several default containers are created automatically.

4 DEFINE: Forest, Tree, Root and Leaves.

- Forest
  - A forest is a collection of directory trees.
- Tree
  - A directory tree is a hierarchy of directories that consists of a single directory, called the parent or top-level directory, and all levels of its subdirectories.
- Root
  - The top directory of a directory tree, which has no parent directory, is known as the root of the tree.
- Leaves
  - The objects at the bottom of the directory tree, which have no children, are known as the leaves of the tree.

5 Write the full form of the following

- LDAP : Lightweight directory access protocol
- DAP : Directory access protocol
- PSTN : Public switched telephone network
- ISDN : Integrated system digital network
- DSL : Digital subscriber line
- CATV : Community access television
- VPN : Virtual Private Network
- SSL : Secure Shell
- SSTP : Secure socket tunnelling protocol
- PPTP : Point to point tunnelling protocol
- L2TP : Layer 2 tunnelling protocol
- DHCP : Dynamic host configuration protocol
1 NETWORK MANAGEMENT AND ADMINISTRATION(3360703)| COMPUTER DEPT.CUSP,SURENDRANAGAR

- ARP : Address resolution protocol
- RARP : Reverse address resolution protocol
- BOOTP : Bootstrap protocol
- IP : Internet Protocol
- DNS : Domain Name System
- WINS : Windows internet naming system
- IIS : Internet Information service

6 List out the different directory services that most networks have.

- File storage and sharing
- Printer sharing
- E-mail services
- Web hosting, both for the Internet and the intranet
- Database server service
- Specific application service
- Internet connectivity
- Dial-in and dial-out services
- Fax services
- Domain name system service
- Windows internet naming service
- Dynamic host configuration protocol services
- Centralized virus-detection services
- Backup and restore services

7 List out five important directory services.

- Novell eDirectory
- Microsoft's Windows NT domains
- Microsoft's Active Directory
- X.500 Directory Access Protocol
- Lightweight Directory Access Protocol

8 Explain X.500 Directory access protocol

- X.500 is a client-server protocol that uses the OSI (Open Systems Interconnection) networking model for communication between client and server.
- The client is called the Directory User Agent (DUA) and the server is called the Directory System Agent (DSA).
- Two sub-protocols are used for communication between the systems:
  - Directory Access Protocol (DAP) is used between client and server.
  - Directory System Protocol (DSP) is used between two servers.


- It does not store all the data on one server; instead the data is distributed across servers.
- It uses a hierarchical model for the database.
- It stores data in the form of objects and attributes, analogous to a database that stores data in tables and columns.
- For security, it uses the X.509 public key infrastructure for authentication.
- It provides database replication among the servers to maintain data accuracy.
- It is an international standard but carries a lot of overhead, so it is very complex to implement in real systems. Instead, it is used as a benchmark.
- The X.500 directory tree starts with a root, just like other directory trees, and then breaks down into country (C), organization (O), organizational unit (OU) and common name (CN) fields.
- To specify an X.500 address fully, you provide five fields, as in the following:
  - CN=user name,
  - OU=department,
  - OU=division,
  - O=organization,
  - C=country
- For example, you might configure the fields as follows:
  - CN=Bruce Hallberg,
  - OU=Networking Books,
  - OU=Computer Books,
  - O=McGraw-Hill,
  - C=USA

9 Explain LDAP Protocol

- LDAP stands for Lightweight Directory Access Protocol.
- It is a subset of X.500 DAP, i.e. it contains 90 percent of the X.500 DAP specification.
- It runs over TCP/IP and uses the client/server model.
- It is used for communication between a directory server and a client.
- The LDAP standard not only defines the layout and fields within an LDAP directory, but also the methods to be used when a user logs into the LDAP server or queries or updates the directory information on an LDAP server.
- An LDAP tree starts with a root, which then contains entries.
- Each entry can have one or more attributes.
- Each of these attributes has both a type and values associated with it.
- One example is the common name (CN), which contains at least two attributes: FirstName and Surname.
- All attributes in LDAP use the text string data type.
- Entries are organized into a tree, divided first geographically and then within each organization.
- Four basic models describe the LDAP standard:
  - Information Model
  - Naming Model
  - Functional Model
  - Security Model
- Information Model: this model describes the data structure for the directory.
- Naming Model: this model describes how to reference and organize the data.


- Functional Model: this model describes how to work with the data, i.e. authentication, interrogation and updates.
- Security Model: this model defines how to keep the data secure.

10 Write a short note on Novell eDirectory.

- It is also known as NDS, i.e. Network Directory Service.
- It is a global, distributed and replicated database.
- It was first introduced for Novell networks but is now also compatible with non-Novell networks.
- eDirectory is a hierarchical, object-oriented database used to represent certain assets in an organization in a logical tree, including organizations, organizational units, people, servers, etc.
- It is a reliable and robust directory service.
- It uses a primary/backup approach for directory servers and also allows partitioning of the tree.
- eDirectory is also available for other operating systems such as Windows, Solaris and Linux.
- It is easy to manage with administrative privileges from a client computer.
- It can be managed using a simple graphical tool such as Novell Identity Manager.
- An eDirectory tree can manage more than one billion objects.

11 Write a short note on Windows NT domains directory services.

- It breaks an organization into small chunks called domains.
- Each domain is controlled by a primary domain controller (PDC), which may have one or more backup domain controllers (BDCs) to take over if the PDC fails.
- Whatever changes are made on the PDC must be replicated to the BDCs.
- It is not suitable for large networks, because maintaining the many trust relationships becomes very complex.
- A Windows NT domain can be organized into one of four domain models:
  - Single Domain
  - Master Domain
  - Multiple Master Domain
  - Complete Trust Domain
- Single Domain
  - Only one domain contains all network resources.
- Master Domain
  - It contains two domains: a top-level domain and a lower-level domain.
  - The top-level domain contains all the users of the system; hence it is also called the user domain or account domain.
  - The lower-level domain contains all the resources of the system; hence it is also called the resource domain.
  - Resource domains trust user domains.
- Multiple Master Domains
  - In this domain model, multiple master domains exist.
  - All the master domains holding users trust one another.
  - All the resource domains trust all the master domains.
- Complete Trust
  - This variation of the single-domain model spreads users and resources across all domains, which all trust each other.

12 Write a short note on Active Directory Directory Service.

- It is suitable for large networks, i.e. it is comprehensive.
- It runs on Windows 2000 Server or later.


- It is compatible with LDAP version 2, LDAP version 3 and the DNS of the Internet.
- It uses a peer approach to domain controllers; all domain controllers are full participants at all times.
- It uses a multimaster approach to maintain redundancy.
- It uses a forest (tree of trees) data structure.
- It can handle millions of objects.
- It does not require trust relationships to be maintained among domains, except when connected to Windows NT 4.x servers that are not using Active Directory. Otherwise all domains within a tree have automatic trust relationships.

13 Explain Active Directory Architecture

- Active Directory is composed of objects, which represent the various resources on a network, such as users, user groups, servers, printers and applications.
- An object is a collection of attributes that define the resource, give it a name, list its capabilities and specify who should be permitted to use it.
- Active Directory provides administrators and users with a global view of the network.
- OBJECT TYPES
  - There are two basic types of objects in Active Directory, called container objects and leaf objects.
  - A container object is simply an object that stores other objects, while a leaf object stands alone and cannot store other objects.
- OBJECT NAMING
  - Every object in the Active Directory database is uniquely identified by a name that can be expressed in several forms.
  - The naming conventions are based on the Lightweight Directory Access Protocol (LDAP).
  - The distinguished name (DN) of an object consists of the name of the domain in which the object is located, plus the path down the domain tree through the container objects to the object itself.
    - Ex. CN=Chetan,OU=Faculty,OU=Computer Department,DC=CUSP,DC=COM
  - The part of an object's name that is stored in the object itself is called its relative distinguished name (RDN).
    - Ex. CN=Chetan
- CANONICAL NAMES
  - A canonical name is a DN in which the domain name comes first, followed by the names of the object's parent containers working down from the root of the domain and separated by forward slashes, followed by the object's RDN, as follows:
    - mgh.com/sales/inside/jdoe
    - In this example, jdoe is a user object in the inside container, which is in the sales container, which is in the mgh.com domain.
- LDAP NOTATION
  - The DN can also be expressed in LDAP notation, which would appear as follows:
    - cn=jdoe,ou=inside,ou=sales,dc=mgh,dc=com
  - This notation reverses the order of the object names, starting with the RDN on the left and the domain name on the right. The elements are separated by commas and include the LDAP abbreviations that define each type of element:
    - cn : common name
    - ou : organizational unit
    - dc : domain component
- GLOBALLY UNIQUE IDENTIFIERS
  - In addition to its DN, every object in the tree has a globally unique identifier (GUID), which is a 128-bit number that is automatically assigned by the Directory System Agent when the object is created.


  - Unlike the DN, which changes if you move the object to a different container or rename it, the GUID is permanent and serves as the ultimate identifier for an object.
- USER PRINCIPAL NAMES
  - Distinguished names are used by applications and services when they communicate with Active Directory, but they are not easy for users to understand, type or remember.
  - Therefore, each user object has a user principal name (UPN) that consists of a username and a suffix, separated by an @ symbol, just like the standard Internet e-mail address format defined in RFC 822.
- DOMAIN, TREE AND FOREST
  - Active Directory makes it easier to manage multiple domains by combining them into larger units called trees and forests.
  - Active Directory automatically creates trust relationships between domains in the same tree.
  - The domains in a tree share a contiguous namespace.
  - An Active Directory domain has a hierarchical name that is based on the DNS namespace, such as
    - mycorp.com
  - The subsequent domains in that tree have names that build on the parent domain's name mycorp.com, such as
    - sales.mycorp.com
    - mis.mycorp.com
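The naming forms described in this answer can be exercised in code. The following Python is an added example, not part of these notes: it parses a DN written in LDAP notation into its components, extracts the RDN and the parent container, converts between LDAP notation and the canonical-name form (mgh.com/sales/inside/jdoe), derives the dc= components from a domain's DNS name and checks the contiguous-namespace rule for child domains. It also handles the RFC 4514 backslash escapes a DN may contain (a comma inside a value), which the notes do not mention. The assumption that every container in a canonical name is an organizational unit (ou=) is this example's own; Active Directory also has cn= containers.

```python
"""Added example: LDAP distinguished names (DNs) as used by Active Directory.
Not from the notes. Assumption: dn_from_canonical() treats every intermediate
container as an organizational unit (ou=); AD also has cn= containers."""
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs, RDN (leftmost) first.
    Handles RFC 4514 escaping: '\\,' and '\\2C' both yield a literal comma
    inside a value (single-byte hex escapes only). Types are lower-cased."""
    components, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if HEX_PAIR.fullmatch(hexpair):
                buf.append(chr(int(hexpair, 16)))   # \2C -> ','
                i += 3
            else:
                buf.append(dn[i + 1])                # escaped special character
                i += 2
            continue
        if ch == ",":                                # unescaped comma ends the RDN
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))
    pairs = []
    for comp in components:
        if "=" not in comp:
            raise ValueError(f"malformed RDN: {comp!r}")
        typ, val = comp.split("=", 1)
        pairs.append((typ.strip().lower(), val.strip()))
    return pairs


def rdn(dn: str) -> str:
    """Relative distinguished name: the part stored in the object itself."""
    typ, val = parse_dn(dn)[0]
    return f"{typ}={val}"


def parent_dn(dn: str) -> str:
    """DN of the container holding the object (everything after the RDN)."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn)[1:])


def canonical_name(dn: str) -> str:
    """cn=jdoe,ou=inside,ou=sales,dc=mgh,dc=com -> mgh.com/sales/inside/jdoe"""
    pairs = parse_dn(dn)
    domain = ".".join(v for t, v in pairs if t == "dc")
    path = [v for t, v in pairs if t != "dc"]        # RDN first in LDAP notation...
    return domain + "/" + "/".join(reversed(path))   # ...so reverse for canonical form


def dn_from_canonical(canon: str, leaf_type: str = "cn") -> str:
    """Inverse of canonical_name(). Assumes ou= for every container (see above)."""
    domain, *path = canon.split("/")
    dcs = [f"dc={label}" for label in domain.split(".")]
    if not path:
        return ",".join(dcs)
    ous = [f"ou={c}" for c in reversed(path[:-1])]
    return ",".join([f"{leaf_type}={path[-1]}", *ous, *dcs])


def dns_to_dc(domain: str) -> str:
    """DNS name of an AD domain -> its dc= components (mycorp.com -> dc=mycorp,dc=com)."""
    return ",".join(f"dc={label}" for label in domain.lower().rstrip(".").split("."))


def is_child_domain(child: str, parent: str) -> bool:
    """Contiguous namespace check: sales.mycorp.com is a child of mycorp.com."""
    c, p = child.lower().rstrip("."), parent.lower().rstrip(".")
    return c != p and c.endswith("." + p)


if __name__ == "__main__":
    dn = "cn=jdoe,ou=inside,ou=sales,dc=mgh,dc=com"
    print(canonical_name(dn))                 # mgh.com/sales/inside/jdoe
    print(rdn(dn), "|", parent_dn(dn))
    print(parse_dn(r"cn=Hallberg\, Bruce,o=McGraw-Hill,c=USA"))
    print(is_child_domain("sales.mycorp.com", "mycorp.com"))
```

Splitting on every comma would break on a value such as "Hallberg, Bruce", which is why the parser walks the string character by character and honours the escape; the same care is needed anywhere a DN is built from user input, since an unescaped comma lets a value change the container path the name denotes.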

14 Write the advantages and disadvantages of the active directory directory

- Advantages
  - It allows users to sign in using usernames and passwords that are used elsewhere.
  - Sharing resources such as files and printers is easier; all users have access to set permissions.
  - It is easy to manage, administer and control.
  - It increases scalability.
  - It lets you manage your network from one point.
  - It is also easy to set up and use.
- Disadvantages
  - It can be expensive, as you will need Windows Server 2000 licences and you may need to upgrade the hardware on the server so it can run Windows Server 2000.
  - Active Directory is OS dependent, meaning that it will only work with Windows Server software.
  - High maintenance costs.
  - If Active Directory goes down, so does your network.
  - If it is set up wrong, it can take time and money to remove it and set it up again.
  - It is prone to being hacked.
  - The cost of the infrastructure can be high.
  - You need good planning to set it up properly.

15 Write the need of Remote Network Access


Or
Explain the need of Remote Network Access

- The following things are to be considered while you set up remote network access:
  - Types of remote users you need to support.
  - Types of remote access required (applications).
  - How much bandwidth do you need?
- Types of remote users you need to support

- There are generally four types of remote access users:
  - Broad traveller
  - Narrow traveller
  - Remote office users
  - Remote office group
- Each category of users has different needs and requires different technologies to satisfy them.
- Broad Traveller
  - The broad traveller is the most common type of remote access user.
  - This is someone who is normally based in an office that has LAN access, but also travels on business.
- Narrow Traveller
  - The narrow traveller is someone who travels to relatively few locations, such as from corporate headquarters to the company's manufacturing plants or distribution centres.
- Remote Office Users
  - The remote office user is in a single location and needs access to the corporate LAN for e-mail and application access.
- Remote Office Groups
  - Sometimes a small group (two to five people) stationed in a remote location needs certain services from the corporate LAN.
- Types of remote access required (application point of view)
  - The following are some examples of types of remote access:
  - Easy remote access to e-mail and to files stored in e-mail
  - Remote access to stored private or shared files on the LAN
  - Remote access to a centralized application, such as an accounting system or a sales order system
  - Remote access to groupware programs or custom applications
  - Internet access
  - Intranet/extranet access, including any hosted web-based applications on those systems
  - Remote access to any of the previous features from a fixed location, such as a remote sales office
  - Remote access to any of the previous features from anywhere in the world
- How much bandwidth do you need?
  - Different types of remote access require different bandwidth.
  - You can estimate a particular application program's bandwidth requirements by actually measuring the amount of bandwidth that application uses.
  - On the LAN, you can monitor the amount of data being sent to a particular node that uses the application in the way it would be used remotely.
  - You can find out the bandwidth of a particular application using a system monitor or performance monitor software application.
  - If the bandwidth of the network is more than the required bandwidth of the application, the application works well. Otherwise you have to find an alternative.

16 Write a short note on PSTN


OR
Write a short note on Public Switched Telephone Network
OR
Describe PSTN

- PSTN stands for Public Switched Telephone Network; it is also known as POTS, i.e. Plain Old Telephone System.
- Telephone networks use circuit switching.
- Telephone companies provide analog as well as digital service.


- The telephone network is made of three major components:
  - Local loops
  - Trunks
  - Switching offices
- The telephone network has several levels of switching offices, such as:
  - End offices
  - Tandem offices
  - Regional offices
- The diagram of the telephone network is shown below.

- Local Loops
  - The local loop is the twisted-pair cable that connects the subscriber telephone to the nearest end office or local central office.
- Trunks
  - Trunks are the transmission media that handle communication between offices.
- Switching Offices
  - The switching offices have a number of switches to connect several local loops or trunks and allow a connection between different subscribers.
- Signalling
  - The telephone network, at its beginning, used a circuit-switched network with dedicated links to transfer voice communication. Later, the signalling system became automatic.
- A telephone network today can be thought of as two networks:
  - A signalling network
  - A data transfer network
- Data Transfer Network
  - The data transfer network that can carry multimedia information today is, for the most part, a circuit-switched network, although it can also be a packet-switched network.
- The maximum download speed using a 56K modem is 56 kbps and the upload speed using a 56K modem is 33.6 kbps.

17 DESCRIBE ISDN
OR
Explain Integrated Service Digital Network.

- Integrated Service Digital Network utilizes the existing telephone system to transmit and receive data.
- ISDN SERVICES
- There are two main types of ISDN service, based on the unit of bandwidth called the B channel, running at 64 kbps, and D channels, running at 16 or 64 kbps. B channels carry voice and data traffic and D channels carry control traffic only.
- These service types are as follows:
  - BRI
  - PRI
- BRI
  - Basic rate interface
  - It is also called 2B+D, because it consists of two 64 kbps channels and one 16 kbps channel.


  - It was generally used by home users and for connection to the business network or the Internet.
- PRI
  - It consists of up to 23 B channels and one 64 kbps D channel, for total bandwidth equivalent to a T1 leased line (1.5 Mbps).
  - It was generally used by the business community.
- One of the primary advantages of ISDN was the ability to combine the bandwidth of multiple channels as needed, using inverse multiplexing.
- It supports bandwidth on demand.
- ISDN COMMUNICATION
- The process of establishing an ISDN connection involves messages exchanged between three entities: the caller, the switch and the receiver.
- The connection procedure is as follows:
  - The caller transmits a SETUP message to the switch.
  - If the SETUP message is acceptable, the switch returns a CALL PROC (call proceeding) message to the caller and forwards the SETUP message to the receiver.
  - If the receiver accepts the SETUP message, it rings the phone and sends an ALERTING message back to the switch, which forwards it to the caller.
  - When the receiver answers the call, it sends a CONNECT message to the switch, which forwards it to the caller.
  - The caller then sends a CONNECT ACK message to the switch, which forwards it to the receiver. The connection is now established.
- ISDN HARDWARE
  - All ISDN installations needed a device called a Network Termination 1 (NT1) connected to the telephone line at each end.
  - The NT1 connects to the U interface (telephone company side) and converts the signals to the four-wire S/T interface used by ISDN terminal equipment.
  - All ISDN-capable devices are referred to as TE1 and connect to the S/T interface directly.
  - All devices that are not ISDN-capable require a terminal adapter and are referred to as TE2.
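The call-setup procedure above is an ordered exchange, and the ordering is what a signalling implementation must enforce. The following Python is an added example, not from the notes or from any ISDN implementation: it models caller, switch and receiver as small state machines driven by the SETUP, CALL PROC, ALERTING, CONNECT and CONNECT ACK messages named above, with the switch forwarding each message as the notes describe, and it rejects any message that arrives in a state where the procedure does not allow it. The state names, and the local DIAL and ANSWER stimuli that start and answer the call, are this example's own labels, not Q.931 terms.

```python
"""Added example: the ISDN call set-up exchange from the notes, modelled as
three small state machines (caller, switch, receiver). Each party accepts a
message only in the state the procedure allows, so out-of-order signalling is
detected. State names are this example's own labels, not Q.931 terms; DIAL and
ANSWER are local stimuli (the handset), not ISDN messages."""


class SignallingError(Exception):
    """Raised when a party receives a message its current state forbids."""


# (current state, message received) -> (next state, [(destination, message), ...])
CALLER = {
    ("idle", "DIAL"):              ("setup_sent", [("switch", "SETUP")]),
    ("setup_sent", "CALL PROC"):   ("proceeding", []),
    ("proceeding", "ALERTING"):    ("ringing", []),            # far end is ringing
    ("ringing", "CONNECT"):        ("active", [("switch", "CONNECT ACK")]),
}
SWITCH = {
    ("idle", "SETUP"):             ("setup_fwd", [("caller", "CALL PROC"),
                                                  ("receiver", "SETUP")]),
    ("setup_fwd", "ALERTING"):     ("alerting", [("caller", "ALERTING")]),
    ("alerting", "CONNECT"):       ("connecting", [("caller", "CONNECT")]),
    ("connecting", "CONNECT ACK"): ("active", [("receiver", "CONNECT ACK")]),
}
RECEIVER = {
    ("idle", "SETUP"):             ("ringing", [("switch", "ALERTING")]),  # phone rings
    ("ringing", "ANSWER"):         ("answered", [("switch", "CONNECT")]),
    ("answered", "CONNECT ACK"):   ("active", []),
}
TABLES = {"caller": CALLER, "switch": SWITCH, "receiver": RECEIVER}


def deliver(states, trace, queue):
    """Drain a FIFO of (party, message), applying each party's table in turn."""
    while queue:
        party, msg = queue.pop(0)
        key = (states[party], msg)
        if key not in TABLES[party]:
            raise SignallingError(
                f"{party} in state {states[party]!r} cannot accept {msg!r}")
        new_state, outgoing = TABLES[party][key]
        states[party] = new_state
        trace.append((party, msg, new_state))
        queue.extend(outgoing)          # replies are delivered in order


def run_call(stimuli):
    """Apply external stimuli one at a time, letting the signalling each one
    triggers settle before the next. Returns (final states, trace)."""
    states = {party: "idle" for party in TABLES}
    trace = []
    for party, msg in stimuli:
        deliver(states, trace, [(party, msg)])
    return states, trace


def call_established(states):
    return all(state == "active" for state in states.values())


def is_legal(stimuli):
    """True if the stimulus sequence completes without a protocol violation."""
    try:
        run_call(stimuli)
        return True
    except SignallingError:
        return False


if __name__ == "__main__":
    final, steps = run_call([("caller", "DIAL"), ("receiver", "ANSWER")])
    for party, msg, state in steps:
        print(f"{party:8s} <- {msg:12s} -> {state}")
    print("established:", call_established(final))
```

Running the script prints the eleven transitions of a successful call; feeding ANSWER before any SETUP has reached the receiver raises SignallingError, which is the property a real signalling stack needs so that a stray or replayed message cannot move a call into an unexpected state.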

18 Describe DSL

- To overcome the limitations of the traditional modem, telephone companies developed a new technology to transfer data at higher speed, i.e. DSL.
- Digital subscriber line (DSL) technology is one of the most promising for supporting high-speed digital communication over the existing local loops.
- DSL is a set of technologies, often referred to as xDSL, where x can be replaced by A (ADSL), V (VDSL), H (HDSL) or S (SDSL).
- ADSL
  - ADSL stands for Asymmetric Digital Subscriber Line.
  - It provides higher speed for downloading than for uploading, which is the reason it is called asymmetric.
  - The maximum download speed is 1.5-6.1 Mbps.
  - The maximum upload speed is 16-640 Kbps.
  - A repeater is required every 12,000 ft (3.86 km).
- HDSL
  - HDSL stands for High-bit-rate Digital Subscriber Line.
  - It uses 2B1Q encoding, which is less susceptible to attenuation.
  - It uses two twisted-pair cables to achieve full-duplex communication.
  - It provides a maximum of 1.5-2.0 Mbps in both uploading and downloading.
- SDSL


  - SDSL stands for Symmetric Digital Subscriber Line.
  - It uses only one twisted-pair cable for full-duplex communication.
  - It provides a maximum of 768 Kbps in both uploading and downloading.
  - It uses 2B1Q encoding, which is less susceptible to attenuation.
- VDSL
  - VDSL stands for Very-high-bit-rate Digital Subscriber Line.
  - It provides higher uploading speed than downloading.
  - The maximum upload speed is 25-55 Mbps.
  - The maximum download speed is 3.2 Mbps.

19 Describe CATV
OR
Explain Community access television
OR
Explain Cable Television

- CATV stands for Community Access Television or cable television.
- Definition:
  - CATV is a shared cable system that uses a tree-and-branch topology in which multiple households within a neighbourhood share the same cable.
- TRADITIONAL CATV NETWORK
- The cable TV office, called the head end, receives video signals from broadcasting stations and feeds the signals into coaxial cables.
- The signal becomes weaker and weaker with distance, so amplifiers were installed throughout the network to renew the signals.
- There could be up to 35 amplifiers between the head end and the subscriber premises.
- At the other end, splitters split the cable, and taps and drop cables make the connections to the subscriber premises.
- The traditional cable TV system used coaxial cable end to end.
- The traditional CATV network is unidirectional, and it is shown below.

- HYBRID FIBRE CO-AXIAL NETWORK
- It is the second generation of cable network.
- It uses a combination of fibre-optic and coaxial cable, hence it is known as a hybrid fibre co-axial (HFC) network.
- The transmission medium from the cable TV office to a fibre node is optical fibre.
- The transmission medium from the fibre node to the subscriber's house is still coaxial.
- The role of the distribution hub is as follows.


- Modulation and demodulation of signals.
- The signals, after modulation and demodulation, are then fed to the fibre node through fibre-optic cables.
- The fibre node splits the analog signals so the same signal is sent on each coaxial cable.
- The second-generation cable network is bidirectional, and the diagram of the HFC network is shown below.

- Even in the HFC system, the last part of the network, from the fibre node to the subscriber premises, is still coaxial cable.
- The coaxial cable has a bandwidth that ranges from 5 to 750 MHz.
- CABLE TV NETWORK FOR DATA TRANSFER
- To provide Internet access, the cable company has divided the bandwidth into three bands:
  - Downstream video
  - Downstream data
  - Upstream data
- Downstream Video Band
  - The theoretical downstream data rate is 30 Mbps, but the standard specifies only 27 Mbps.
- Upstream Data Band
  - The theoretical upstream data rate is 12 Mbps, but the standard specifies less than 12 Mbps.
- Sharing
  - Both upstream and downstream bands are shared by subscribers.
- Devices
  - CM, i.e. Cable Modem
  - CMTS, i.e. Cable Modem Transmission System

20 Define: VPN

- A Virtual Private Network (VPN) is a secure, reliable and logical connection that is created over a public network (the Internet).

21 Explain Types of VPN in detail.


OR
What is VPN? Explain its types in detail.
OR
What is VPN? Explain with their types

- A Virtual Private Network (VPN) is a secure, reliable and logical connection that is created over a public network (the Internet).


- There are two different types of VPN:
  - Remote Access VPN
  - Site-to-Site VPN
- Remote Access VPN
- A remote access VPN allows a user to connect to a private network and access its services and resources remotely.
- The connection between the user and the private network happens through the Internet, and the connection is secure and private.
- Remote access VPN is useful for business users as well as home users.
- A corporate employee, while travelling, uses a VPN to connect to his/her company's private network and remotely access files and resources on the private network.
- Home users, or private users of VPN, primarily use VPN services to bypass regional restrictions on the Internet and access blocked websites.
- Users conscious of Internet security also use VPN services to enhance their Internet security and privacy.
- The diagram of the remote access VPN is shown below.

- Site-to-Site VPN
- A site-to-site VPN is also called a router-to-router VPN and is mostly used in corporates.
- Companies with offices in different geographical locations use site-to-site VPN to connect the network of one office location to the network at another office location.
- When multiple offices of the same company are connected using the site-to-site VPN type, it is called an intranet-based VPN.
- When companies use the site-to-site VPN type to connect to the office of another company, it is called an extranet-based VPN.
- Basically, a site-to-site VPN creates a virtual bridge between the networks at geographically distant offices, connects them through the Internet and maintains secure and private communication between the networks.
- Since site-to-site VPN is based on router-to-router communication, in this VPN type one router acts as a VPN client and the other router as a VPN server.
- The communication between the two routers starts only after authentication has been validated between the two.
- The diagram of the site-to-site VPN is shown below.


22 Explain VPN Protocols


OR
List and Explain VPN Protocols

- A VPN can be configured using various protocols as needed; some of them are listed below:
  - PPTP (Point-to-Point Tunnelling Protocol)
  - L2TP (Layer 2 Tunnelling Protocol)
  - IPsec (Internet Protocol Security)
  - SSTP (Secure Socket Tunnelling Protocol)
- PPTP
  - PPTP stands for Point-to-Point Tunnelling Protocol.
  - It works as client/server and operates at layer 2 of the OSI model.
  - It is a connection-oriented protocol and uses TCP port 1723.
  - It uses any one of MS-CHAPv1, MS-CHAPv2, EAP-TLS and PAP for authentication.
  - It uses MPPE for encryption and supports a maximum of 128-bit encryption.
  - Packet filtering is implemented on VPN servers.
- L2TP
  - L2TP stands for Layer 2 Tunnelling Protocol.
  - It is a combination of two tunnelling protocols, L2F (Layer 2 Forwarding) and PPTP.
  - It is an extension of PPTP.
  - It works as client/server and operates at layer 2 of the OSI model.
  - It does not support strong authentication and confidentiality by itself. Hence it is often used with IPsec and known as L2TP/IPsec.
  - It uses any one of MS-CHAPv1, MS-CHAPv2, EAP-TLS and PAP for authentication.
  - It uses MPPE, 3DES and AES-256 for encryption and supports a maximum of 256-bit encryption.
- IPsec
  - IPsec stands for Internet Protocol Security and is a network security protocol suite.
  - It works at the network layer of the OSI model to provide end-to-end security.
  - It uses different protocols to provide security, which are as follows:
    - AH (Authentication Header)
    - ESP (Encapsulating Security Payload)
    - SA (Security Associations)
    - ISAKMP (Internet Security Association and Key Management Protocol)
    - IKE and IKEv2 (Internet Key Exchange)
  - IPsec can be configured in two different modes:
    - Transport
    - Tunnel
  - In transport mode, only the payload of the IP packet is usually encrypted.
  - In tunnel mode, the entire IP packet is encrypted.
- SSTP
  - SSTP stands for Secure Socket Tunnelling Protocol.
  - It uses TLS 3.0 over TCP port 443, which makes it secure and hard to block.
  - It uses public key cryptography.
  - It is completely integrated with Windows and can bypass most firewalls.

23 Write a short note on PPTP


- It operates at layer 2 of the OSI model.
- It works as a client/server model and is simple to configure.
- It is a connection-oriented protocol and uses TCP port 1723.

- Tunnels are created by the following two steps:
  - First, the client connects to its ISP using any service (dial-up, ISDN, DSL modem or LAN).
  - Second, PPTP creates a TCP session between client and server to establish a secure tunnel.
- Once the PPTP tunnel is established between client and server, two types of information can be passed through the tunnel:
  - Control messages
  - Data packets
- PPTP Security
  - PPTP supports authentication, encryption and packet filtering.
  - In authentication,
    - PPP-based protocols like MS-CHAPv1, MS-CHAPv2, EAP-TLS and PAP are used.
    - MS-CHAPv1 is insecure.
    - EAP-TLS is a superior choice.
  - In encryption,
    - MPPE (Microsoft Point-to-Point Encryption) is used.
    - It supports 40-bit, 56-bit and 128-bit encryption.
    - It enhances the confidentiality of PPP-encapsulated packets.
  - Packet filtering is implemented on VPN servers.
- Encapsulation
  - PPTP encapsulates the PPP frames in IP packets.
  - It uses a TCP connection for tunnel management.
  - The encapsulated PPP frames may be encrypted, compressed, or both, as highlighted in the following figure.

- Advantages
  - Default Windows compatibility
  - Cost-effective to deploy
  - Fast connection speeds
- Disadvantages
  - Inadequate security
  - Poor performance on unstable networks

24 Write a short note on L2TP

- It is a combination of two tunnelling protocols, L2F (Layer 2 Forwarding) by Cisco Systems and PPTP (Point-to-Point Tunnelling Protocol) by Microsoft.
- It is an extension of PPTP.
- It operates at layer 2 of the OSI model and works as a client/server model.
- It does not support strong authentication and confidentiality by itself. The IPsec protocol is often used with L2TP to provide strong confidentiality, authentication and integrity.
- The combination of these two protocols is generally known as L2TP/IPsec.
- The entire L2TP packet (payload and L2TP header) is sent within a UDP datagram using port number 1701.
- The two endpoints of the L2TP tunnel are called the LAC (L2TP Access Concentrator) and the LNS (L2TP Network Server).
- The LNS waits for new tunnels.


 The LAC sits between the LNS and a remote system and forwards packets to the server.
 Once the tunnel is established between the peers, network traffic moves bidirectionally.
 The packets exchanged within the tunnel are characterized as either control packets or data
packets; delivery is reliable for control packets and not reliable for data packets.
 If reliability is desired for data packets, it is provided by another protocol running within
the session of the tunnel.
 Tunnels are created in the following two steps.
o A control connection is established for the tunnel between the LAC and the LNS.
o A session is established between the client and the server.
 L2TP Security
o L2TP supports authentication and encryption.
o In authentication, PPP-based protocols like MS-CHAPv1, MS-CHAPv2, EAP-TLS and
PAP are used.
o It supports MPPE, 3DES and AES-256 for encryption.
 Encapsulation
o The entire PPP frame is encapsulated in an L2TP header first.
o Then the L2TP frame is encapsulated in a UDP header, as shown in the following figure.

 Advantages
o Better Security
o Easy Configuration
o Very Stable
 Disadvantages
o Slow connection speeds
o Easier to block
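
As an added example (not part of these notes), the L2TP header framing described above, as carried inside UDP port 1701 datagrams, can be parsed with the following Python. The field layout follows RFC 2661; the two sample datagrams are constructed for illustration, and the AVP bytes are a placeholder.

```python
import struct

L2TP_UDP_PORT = 1701          # L2TP rides inside UDP datagrams on this port
L2TP_VERSION = 2

def parse_l2tp(datagram: bytes) -> dict:
    """Parse an L2TPv2 header (RFC 2661) and return its fields plus the inner payload.

    Bit layout of the first 16 bits: T L x x S x O P x x x x Ver(4).
    T=1 marks a control message (reliable, carries Ns/Nr sequence numbers);
    T=0 marks a data message carrying a PPP frame, which L2TP itself delivers
    without reliability.
    """
    if len(datagram) < 6:
        raise ValueError("too short for an L2TP header")
    flags = struct.unpack("!H", datagram[:2])[0]
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError(f"unsupported L2TP version {flags & 0x000F}")
    t, l_bit, s = bool(flags & 0x8000), bool(flags & 0x4000), bool(flags & 0x0800)
    o, p = bool(flags & 0x0200), bool(flags & 0x0100)
    # RFC 2661: control messages MUST set L and S and MUST NOT set O.
    if t and (not l_bit or not s or o):
        raise ValueError("malformed control message header")
    hdr = {"control": t, "priority": p}
    pos = 2
    if l_bit:
        hdr["length"] = struct.unpack("!H", datagram[pos:pos + 2])[0]
        pos += 2
        if hdr["length"] != len(datagram):
            raise ValueError("length field does not match datagram size")
    hdr["tunnel_id"], hdr["session_id"] = struct.unpack("!HH", datagram[pos:pos + 4])
    pos += 4
    if s:
        hdr["ns"], hdr["nr"] = struct.unpack("!HH", datagram[pos:pos + 4])
        pos += 4
    if o:                          # optional offset: skip Offset Size bytes of padding
        pos += 2 + struct.unpack("!H", datagram[pos:pos + 2])[0]
    hdr["payload"] = datagram[pos:]
    return hdr

def sample_control_message() -> bytes:
    """Constructed control message: T, L, S set (0xC802); tunnel/session 0; one placeholder AVP."""
    avp = b"\x80\x08\x00\x00\x00\x00\x00\x01"        # constructed 8-byte AVP, not a real SCCRQ
    return struct.pack("!HHHHHH", 0xC802, 12 + len(avp), 0, 0, 0, 0) + avp

def sample_data_message() -> bytes:
    """Constructed data message: only Ver=2 set, tunnel 5, session 7, then a PPP frame."""
    return struct.pack("!HHH", 0x0002, 5, 7) + b"\xff\x03\x00\x21" + b"constructed IP payload"
```

Running parse_l2tp over both samples shows the control message carrying Length, Ns and Nr while the data message has only the tunnel and session IDs in front of the PPP frame.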
25 Write a short note on IPSec

 Internet protocol security (IPSec) is a network security protocol suite.


 It provides strong authentication, data encryption, data origin authentication and data integrity
features.
 It can be used network-to-network, host-to-host or host-to-network over a public network
(the Internet).
 It works at the network layer of the OSI model to provide end-to-end security.
 It uses different protocols to provide security, which are as follows.
o AH-[Authentication Header]
o ESP-[Encapsulating Security Payload]
o SA-[Security Associations]
o ISAKMP-[Internet Security Association and Key Management Protocol]
o IKE & IKEv2-[Internet Key Exchange]
 AH-[Authentication Header]
o It provides the connectionless data integrity, data origin authentication for IP datagrams
and protection against replays.
o It does not encrypt data packets.
 ESP-[Encapsulation Security Payload]
o It provides confidentiality, data origin authentication, connectionless integrity, an anti-replay
service and limited traffic flow confidentiality.
 SA-[Security Association]


o The SA is a logical group of security parameters.


o It is used to establish and share security attributes between two entities to provide secure
communication.
 ISAKMP-[Internet Security association and key management protocol]
o It defines procedure and packet format to establish, negotiate, modify and delete security
associations.
 IKE-[Internet Key Exchange]
o IKE is the protocol used to set up a security association dynamically.
 Encapsulation
o IPSec can be configured in two different modes, which are:
 Transport Mode
 Tunnel Mode
o Transport mode is used to provide end-to-end security.
o In transport mode, only the payload of the IP packet is usually encrypted or
authenticated.
o The original IP header is neither encrypted nor modified.
o The transport mode IPSec encapsulation is shown below.

o Tunnel mode is the default mode.
o It is used to provide security between gateways (routers).
o In this mode, the entire original IP packet is protected.
o The entire IP packet is encapsulated with the IPSec ESP header and trailer, a new IP
header is added, and the result is sent to the other side of the tunnel, as shown in the following figure.
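
As an added example (not part of these notes), the following Python builds the transport-mode and tunnel-mode ESP framing just described. It uses ESP with the NULL cipher (integrity only, as allowed by RFC 2410) so the inner bytes stay readable, computes the ICV with HMAC-SHA256 truncated to 128 bits over the ESP header, payload and trailer, and uses constructed addresses and a constructed key.

```python
import hashlib, hmac, socket, struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_ESP = 4, 17, 50
ICV_LEN = 16                     # HMAC-SHA256-128: truncated integrity check value

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (header checksum left zero; not needed for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) for a packet with a 20-byte IPv4 header."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[20:]

def esp_encapsulate(pkt: bytes, mode: str, key: bytes, spi: int, seq: int, outer=None) -> bytes:
    """Wrap an IPv4 packet in ESP (NULL cipher, HMAC ICV).
    transport: original IP header kept, only the payload sits inside ESP.
    tunnel: whole original packet sits inside ESP; new outer header from outer=(src, dst)."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if mode == "transport":
        inner, next_hdr, new_src, new_dst = payload, proto, src, dst
    elif mode == "tunnel" and outer is not None:
        inner, next_hdr, (new_src, new_dst) = pkt, IPPROTO_IPIP, outer
    else:
        raise ValueError("mode must be 'transport', or 'tunnel' with outer=(src, dst)")
    pad_len = (-(len(inner) + 2)) % 4                       # RFC 4303: align trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    body = struct.pack("!II", spi, seq) + inner + trailer   # ESP header + payload + trailer
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]  # ICV covers all of body
    return ipv4_header(new_src, new_dst, IPPROTO_ESP, len(body) + ICV_LEN) + body + icv

def esp_decapsulate(pkt: bytes, key: bytes):
    """Verify the ICV, strip the ESP header and trailer, return (next_header, inner_bytes)."""
    _, _, proto, esp = parse_ipv4(pkt)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP integrity check failed")
    pad_len, next_hdr = body[-2], body[-1]
    return next_hdr, body[8:len(body) - 2 - pad_len]

KEY = b"constructed-demo-key-not-for-real-use"                                   # constructed
ORIGINAL = ipv4_header("10.0.1.5", "10.0.2.9", IPPROTO_UDP, 12) + b"hello, udp!!"  # constructed
GATEWAYS = ("203.0.113.1", "198.51.100.1")               # constructed outer addresses (tunnel mode)
```

Encapsulating ORIGINAL in both modes shows the outer header keeping the host addresses in transport mode but carrying the gateway addresses in tunnel mode, with next header 4 (IP-in-IP) marking the whole original packet inside.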

26 Write a short note on SSTP

 SSTP (Secure Socket Tunnelling Protocol) is a VPN protocol that was developed by Microsoft.
 The protocol is designed to secure online data and traffic, and is considered a much safer option for
Windows users than PPTP or L2TP/IPSec.
 How does the SSTP work?
o SSTP works by establishing a secure connection between a VPN client and a VPN
server. Basically, the protocol creates a secure "tunnel" between the client and the server,
and all the data and traffic that passes through that tunnel is encrypted.
o SSTP transports PPP traffic through an SSL/TLS channel. Because of that, SSTP offers
significantly more security than PPTP.
o Due to the use of SSL/TLS, SSTP servers must be authenticated when a connection is
established. SSTP clients can optionally be authenticated too.

 Technical Details about SSTP


o SSTP uses TCP port 443, the same port used by HTTPS traffic.
o SSTP offers high-level security, comparable to that of OpenVPN, and it can bypass NAT
firewalls.
o SSTP does not generally support site-to-site VPN tunnels. Instead, it supports roaming clients since
it uses SSL transmissions.


o SSTP only supports user authentication. The protocol doesn’t support device or computer
authentication.
 Advantages
o It is easy to configure.
o It is very difficult to block because it uses TCP port 443.
o It offers good speeds if you have enough bandwidth.
 Disadvantages
o It is available on a limited number of platforms.
o It is susceptible to the “TCP Meltdown” problem.

27 Explain SSL VPN in detail

 An SSL VPN takes advantage of a built-in feature of the web browser, i.e. Secure Sockets Layer (SSL)
encryption technology.
 SSL is the same technology used to encrypt information on web pages that use the "https://" prefix,
such as shopping or online banking web sites.
 SSL VPNs bring a number of attractive benefits, which are as follows.
o No client software needs to be installed on the remote computer.
o No configuration or management is required on the remote system.
o Users can access the VPN by typing its URL in the browser and submitting their credentials.
o It works well on lower-bandwidth networks.
o It also supports remote node connection features.
 SSL VPNs are typically offered as a rack-mountable piece of equipment that contains all of the
hardware and software needed to run the VPN.
 There are a number of SSL VPN vendors, for example NetScreen and FirePass.
 SSL VPNs can authenticate users through a variety of different techniques. Some of them are as
follows.
o Through usernames and passwords defined in the SSL VPN for each user.
o Through integration with an existing authentication system, such as Windows Active
Directory.
o Through integration with a two-factor authentication system.
 Once users log in to an SSL VPN, they have many choices available, which are as follows.
o Access to remote node connection
o Access to the company's web server
o Access to email
o Web-based file management
o Access to shared corporate applications
o Access to Windows Terminal Services

28 What is VPN Client?


OR
Define: VPN client

 A VPN client is an end device, software or user that is seeking connection, network or data services
from a VPN.
 A VPN client can be a standard computing or networking device installed and configured with VPN
client software.
 It is part of the VPN infrastructure and is the end recipient of VPN services.
 VPN Client Examples…
o TunnelBear
o OpenVPN


o Hotspot Shield
o VPNBook
o UltraVPN
o PacketiX.NET
o CyberGhost
o TorVPN
