Before we discuss the
services and devices that are used to connect LANs and WANs to the Internet, we
will first have a look at why we need such
services. As you know, corporate LANs and WANs use private address ranges, while the Internet uses public address ranges. Every IP address on the Internet is unique, but the private addresses used in corporate networks are reused over and over. For example, the private class A network 10.0.0.0 can be in use at both company A and company B, while both networks need to be connected to the Internet.
In this context, there
are two main types of connections: routed and translated.
In a routed network, every IP address must be unique. If, in the above example, both company A and company B had a routed connection to the Internet, their internal addresses would be advertised on the Internet, resulting in conflicting duplicate IP addresses. To avoid this, companies could register public addresses and use them for their internal hosts. However, this would be very expensive, and there are simply not enough public IPv4 addresses available to make every corporate LAN/WAN part of the same WAN (the Internet). The solution is a translated connection, which is accomplished by using Network Address Translation (NAT).
Network Address Translation (NAT)
Network Address Translation (NAT) is used to translate private IP addresses to public ones and vice versa, and is typically configured on the access routers and firewalls that connect home and office networks to the Internet. These networks use IP addresses from the private address ranges and therefore cannot have a routed connection to the Internet. NAT rewrites IP addresses, so it operates at the Network layer (Layer 3) of the OSI model; the port-based variant described below additionally rewrites Transport layer (Layer 4) port numbers.
A common type of NAT is dynamic NAT, in which the router maintains a list of internal addresses and a pool of external (public) addresses that are mapped to each other on demand: when an internal host starts communicating, it is assigned a free address from the pool for the duration of its session. When a client on the internal network communicates with a web server on the Internet, the NAT router changes the source IP address in the header of the IP packet from the client's private address to the assigned public address, in the simplest case the public address of the router's external interface. To the web server the packets appear to come from the NAT router, so that is where it sends the replies with the requested data. The NAT router looks up the mapping in its translation table and forwards the replies to the client that made the request.
With static NAT, the router is configured with an address table containing fixed entries that map a public address to a local address. Static NAT entries are typically used when a web or mail server resides on the internal LAN and must be reachable from the Internet at a predictable address. The clients and servers on each side of the router are not aware of the translation and do not require any additional software. A NAT router is typically also a DHCP server and DNS proxy for its internal clients. Besides its use on routers connected to the Internet, NAT is also used in corporate WANs when multiple LANs use the same IP subnet. NAT offers some security as a side effect, because only a single public IP address needs to be visible to external hosts while the internal addressing scheme stays hidden, and unsolicited inbound packets have no translation entry and are dropped. It is not a substitute for a firewall, however: any traffic that matches a translation entry, including a static entry for an internal server, passes straight through.
Instead of using a list of internal and external addresses, a single external address can be shared by many internal hosts by also changing the source port, which together with the IP address forms the complete address known as a socket (the combination of an IP address and a port number). This is known as Port Address Translation (PAT) or NAT overload, and it is what most home and small-office routers do.
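To make the translation table concrete, here is an added example (not part of the original page) that simulates a NAT router holding all three kinds of entries described above: a static entry for an internal web server, a small pool for dynamic one-to-one NAT, and PAT on the router's own outside address once the pool is used up. The inside range 10.0.0.0/8, the outside addresses 203.0.113.x and the Internet hosts 198.51.100.x are constructed documentation addresses, and the class and method names are the example's own, not any vendor's.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a NAT device looks at; proto is 'tcp' or 'udp'."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Translation table with static, dynamic (pool) and PAT (overload) entries.
    Example code; the outside addresses are assumed, not real."""

    def __init__(self, outside_ip: str, pool: Optional[List[str]] = None):
        self.outside_ip = outside_ip          # public address of the external interface
        self.pool = list(pool or [])          # spare public addresses for dynamic NAT
        self.static: Dict[str, str] = {}      # public IP -> private IP (fixed entries)
        self.dynamic: Dict[str, str] = {}     # private IP -> public IP (pool assignments)
        self.pat: Dict[Tuple[int, str], Tuple[str, int]] = {}  # (outside port, proto) -> (private IP, port)
        self._next_port = 1024                # first outside port handed out by PAT

    def add_static(self, public_ip: str, private_ip: str) -> None:
        self.static[public_ip] = private_ip

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: only the source socket is rewritten."""
        # 1. Static NAT: a published server always appears under its fixed public address.
        for public_ip, private_ip in self.static.items():
            if private_ip == pkt.src_ip:
                return replace(pkt, src_ip=public_ip)
        # 2. Dynamic NAT: one-to-one from the pool while addresses remain; port unchanged.
        if pkt.src_ip not in self.dynamic and self.pool:
            self.dynamic[pkt.src_ip] = self.pool.pop(0)
        if pkt.src_ip in self.dynamic:
            return replace(pkt, src_ip=self.dynamic[pkt.src_ip])
        # 3. PAT: everyone else shares outside_ip and is told apart by the outside port.
        for (port, proto), inside in self.pat.items():
            if proto == pkt.proto and inside == (pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=self.outside_ip, src_port=port)  # existing flow
        port, self._next_port = self._next_port, self._next_port + 1
        self.pat[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.outside_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: rewrite the destination, or None if nothing matches (dropped)."""
        if pkt.dst_ip in self.static:
            return replace(pkt, dst_ip=self.static[pkt.dst_ip])
        for private_ip, public_ip in self.dynamic.items():
            if public_ip == pkt.dst_ip:
                return replace(pkt, dst_ip=private_ip)
        if pkt.dst_ip == self.outside_ip:
            inside = self.pat.get((pkt.dst_port, pkt.proto))
            if inside is not None:
                return replace(pkt, dst_ip=inside[0], dst_port=inside[1])
        return None  # unsolicited: no translation entry, so the packet never reaches the LAN


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed traffic: three LAN clients, one published server, one outside host."""
    nat = NatRouter(outside_ip="203.0.113.1", pool=["203.0.113.2"])
    nat.add_static("203.0.113.80", "10.0.0.80")        # internal web server, fixed mapping
    web = "198.51.100.10"                               # a web server on the Internet
    a_out = nat.outbound(Packet("10.0.0.5", 40000, web, 80))   # takes the pool address
    b_out = nat.outbound(Packet("10.0.0.6", 40000, web, 80))   # pool exhausted -> PAT
    c_out = nat.outbound(Packet("10.0.0.7", 40000, web, 80))   # same inside port, new outside port
    return {
        "a_out": a_out,
        "b_out": b_out,
        "c_out": c_out,
        "b_again": nat.outbound(Packet("10.0.0.6", 40000, web, 80)),  # same flow, same entry
        "server_out": nat.outbound(Packet("10.0.0.80", 80, "198.51.100.99", 51000)),
        "reply_to_b": nat.inbound(Packet(web, 80, b_out.src_ip, b_out.src_port)),
        "to_server": nat.inbound(Packet("198.51.100.99", 51000, "203.0.113.80", 80)),
        "unsolicited": nat.inbound(Packet("198.51.100.99", 51000, "203.0.113.1", 22)),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt if pkt is not None else 'DROPPED (no translation entry)'}")
```

Running the block shows the point made in the text: the three clients all use inside port 40000, yet the web server sees three distinct sockets, the reply to the PAT'ed client finds its way back through the table, the connection to the published server passes because of the static entry, and the connection attempt to port 22 on the router's public address is dropped for lack of an entry.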
Firewalls
A firewall is a hardware device or a software application on a computer that protects private networks from unauthorized external intruders. A firewall filters both inbound and outbound traffic by checking whether it meets certain criteria. The most common type of firewall is the packet filter, which operates at the Network layer and, because it also reads TCP/UDP port numbers, partly at the Transport layer. The criteria for blocking or forwarding packets are typically the source and destination addresses, the protocol, and the TCP/UDP port numbers. For example, you can configure a packet filter, also known as an access control list (ACL), on a router that connects to the Internet to allow port 25 for inbound and outbound SMTP traffic but deny port 110 to block POP3 traffic. Because packet filtering firewalls inspect only the headers of packets, they have little impact on network performance. Most operating systems and routers include packet filtering options, so packet filters are inexpensive to implement.
The following network diagram shows a simple firewall setup. All outbound and inbound traffic must be authorized by the firewall before it can pass. The firewall can be a dedicated hardware device with two network interfaces, or a computer with two NICs running firewall software. Such a host with an interface in each network is known as a dual-homed (or multi-homed) host.
The higher in the OSI model a firewall operates, the more advanced the criteria it can use. Application layer firewalls are able to inspect traffic all the way up to layer 7 of the OSI model. This means they inspect not only the header of a packet but also the data payload, allowing you to set criteria for specific applications instead of allowing or denying them entirely (for example, permitting HTTP but blocking particular commands or content within it). Another type of firewall is the circuit-level firewall (circuit-level gateway), which operates at the Transport layer of the OSI model. It checks whether the messages used to establish a connection, such as the TCP three-way handshake, meet certain criteria. Once a connection is established (i.e. the TCP handshake completed successfully), traffic can pass the firewall without further checking of its contents. A newer and more advanced type, the stateful firewall, can use more advanced criteria than a simple packet filter because it keeps track of the state of connections. For example, if an internal client initiates an HTTP connection to a web server on the Internet, and the firewall has no rule allowing inbound HTTP traffic, it will still allow the HTTP reply to the client because it 'knows' from its state table that the reply belongs to an established session; the same reply would be dropped by a stateless packet filter unless a separate rule allowed it.
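The following added example (not from the original page) puts the ACL from the packet-filter paragraph and the stateful behaviour just described side by side in a small simulation: the same rule list (allow SMTP both ways, deny POP3, allow outbound HTTP) is evaluated by a stateless filter and by a stateful one that remembers sessions opened from inside. The LAN range 10.0.0.0/8 and all addresses are constructed; the classes and the first-match-wins, implicit-deny semantics are the example's own, modelled on a router ACL rather than on any particular product.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

LAN = ip_network("10.0.0.0/8")  # assumed internal network behind the firewall


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter reads; proto is 'tcp' or 'udp'."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    @property
    def direction(self) -> str:
        return "outbound" if ip_address(self.src_ip) in LAN else "inbound"


@dataclass(frozen=True)
class Rule:
    """One ACL entry. direction/proto may be 'any'; dst_port None matches every port."""
    action: str
    direction: str
    proto: str
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


class PacketFilter:
    """Stateless filter: first matching rule wins, implicit deny at the end (like a router ACL)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFirewall(PacketFilter):
    """Same rules plus a table of sessions opened from inside; replies to those sessions
    are allowed even though no rule permits the inbound packet on its own."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        # (inside ip, inside port, outside ip, outside port, proto)
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "inbound":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            if key in self.sessions:
                return "allow"  # return traffic of an established session
        verdict = super().decide(pkt)
        if verdict == "allow" and pkt.direction == "outbound":
            self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return verdict


# The ACL from the text: SMTP in and out, POP3 blocked, plus web browsing from the LAN.
RULES = [
    Rule("allow", "any", "tcp", 25),
    Rule("deny", "any", "tcp", 110),
    Rule("allow", "outbound", "tcp", 80),
]


def demo() -> Dict[str, str]:
    """Constructed packets run through a stateless and a stateful instance of the same ACL."""
    web = "198.51.100.10"                          # web server on the Internet (constructed)
    request = Packet("10.0.0.5", 40000, web, 80)   # client opens an HTTP connection
    reply = Packet(web, 80, "10.0.0.5", 40000)     # server's answer to that connection
    stateless, stateful = PacketFilter(RULES), StatefulFirewall(RULES)
    return {
        "smtp_in": stateless.decide(Packet("198.51.100.20", 2500, "10.0.0.25", 25)),
        "pop3_out": stateless.decide(Packet("10.0.0.5", 40001, web, 110)),
        "stateless_request": stateless.decide(request),
        "stateless_reply": stateless.decide(reply),      # dropped: no rule for inbound port 40000
        "stateful_request": stateful.decide(request),    # allowed and recorded as a session
        "stateful_reply": stateful.decide(reply),        # allowed: matches the session table
        "stateful_unsolicited": stateful.decide(Packet(web, 80, "10.0.0.5", 40002)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The interesting rows are the two replies: the stateless filter denies the web server's answer because nothing in the ACL mentions inbound port 40000, while the stateful firewall allows it because the client's outbound request created a session entry. A packet from the same web server to a port the client never used is still denied by both, which is exactly the distinction the text draws.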
A firewall with a third network interface can attach a separate network segment, the demilitarized zone (DMZ), that sits between the Internet and the internal network. The hosts in the DMZ are typically web servers, e-mail servers and the like, and are accessible to both internal and external users. This allows users on the Internet to access the servers without accessing the organization's internal network. Although the servers in the DMZ can be reached only through the firewall, the rules for the DMZ are necessarily less strict than those for the internal network, and its hosts are exposed to the Internet; they should therefore be locked down and hardened, and the firewall should not allow connections initiated from the DMZ into the internal network except where a specific application requires it.
Another common firewall configuration that creates a DMZ is the screened subnet shown in the following network diagram. This setup uses two firewalls: an outer screening router, often a simple packet filter, facing the Internet, and an inner, more advanced firewall in front of the internal network, with the DMZ between them. This is a more complicated and more expensive setup, but it benefits both performance and security. The packet filter blocks the majority of invalid traffic and provides access to the servers in the DMZ, relieving the inner firewall of that workload, and an attacker who compromises a DMZ host still faces the second firewall.
Proxy
The word "proxy" can be defined as something or someone that stands in for some other thing or person, or simply put: "something that acts on behalf of another". In the context of this discussion a proxy can be many things, the most common being the web proxy server. A proxy server is placed between the internal network and the Internet.
When a client from the internal network connects to an external resource and requests data, the proxy server makes the request on the client's behalf, retrieves the requested data, and passes it on to the client. This offers some level of protection because only the public IP address of the proxy server is visible on the external network. The main difference from NAT is that a proxy terminates the client's connection and opens its own connection to the web server, so it can understand and inspect the protocol it relays. With NAT, the packets are forwarded with rewritten addressing information, and the web server simply sees a different source address. Additionally, NAT is transparent, which means the client knows nothing about the translation. To use a conventional proxy server, the client application, such as a web browser, must be configured for it (a so-called transparent or intercepting proxy avoids this by having the router redirect the traffic to the proxy, but the principle of operation is the same).
Most proxy servers offer some sort of caching. For example, if the proxy server in the previous diagram is a web caching proxy, it can first check whether the data an internal client requests has previously been requested by another client. If so, the proxy server retrieves the data from its own disk instead of using the external connection. This can reduce traffic on expensive and relatively slow Internet connections. The following are the most common types of proxies:
- HTTP Proxy - besides hiding the client's address from the web and acting as an intermediary for clients, it also caches web content requested by clients.
- DNS Proxy - caches DNS lookups initiated by clients. When an internal client needs to know the IP address for a domain name, e.g. www.techexams.net, it sends the request to the DNS proxy (e.g. a NAT router), which forwards it to a DNS server on the Internet, or answers from its cache if the address has been requested previously.
- WINS Proxy - works similarly to a DNS proxy, except that it forwards NetBIOS name lookups to a WINS server in a different subnet; it is used only in Microsoft networks.
- SOCKS Proxy - SOCKS is a generic protocol that relays TCP connections (and, in SOCKS5, UDP) between a client and a proxy server, so it works for any application protocol on top of TCP/IP (HTTP, FTP, POP3, SMTP, NNTP, etc.) and is transparent to those protocols. SOCKS5 adds client authentication, but it does not encrypt the traffic it relays.
An HTTP proxy is often used in combination with a SOCKS proxy. The HTTP proxy handles requests for web pages, and the SOCKS proxy all other TCP/IP traffic, such as SMTP, POP3, and Telnet. Many companies today use proxy servers, and virtually every ISP provides one to its subscribers. There are also many public proxy servers available. These are intended for anonymous surfing rather than for improving speed through caching; note that the operator of such a proxy sees all of the traffic that passes through it.
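As an added illustration of the SOCKS protocol mentioned above (example code, not from the original page), the following encodes and decodes a SOCKS5 (RFC 1928) CONNECT exchange with both sides simulated in one process: the client's method greeting, the proxy's method choice, the CONNECT request carrying either a domain name or an IPv4 address, and the proxy's reply code. The Socks5Server class, its port allow-list (SMTP, POP3 and Telnet, matching the division of labour with the HTTP proxy described in the text) and the bound address 203.0.113.1:40000 are constructed for the example; a real proxy would open the outgoing TCP connection where the comment says so.

```python
import socket
import struct
from typing import Tuple

# Protocol constants from RFC 1928.
VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07


def encode_greeting(methods: Tuple[int, ...] = (NO_AUTH,)) -> bytes:
    """Client hello: VER | NMETHODS | METHODS."""
    return bytes([VER, len(methods), *methods])


def encode_connect(host: str, port: int) -> bytes:
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT (port in network byte order).
    A dotted-quad host is sent as ATYP 0x01, anything else as a length-prefixed domain name."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def decode_connect(msg: bytes) -> Tuple[int, str, int]:
    """Parse a client request the way the proxy does; returns (cmd, host, port)."""
    if len(msg) < 4 or msg[0] != VER or msg[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = msg[1], msg[3]
    if atyp == ATYP_IPV4 and len(msg) >= 8:
        host, rest = socket.inet_ntoa(msg[4:8]), msg[8:]
    elif atyp == ATYP_DOMAIN and len(msg) >= 5:
        n = msg[4]
        host, rest = msg[5:5 + n].decode("idna"), msg[5 + n:]
    else:
        raise ValueError("unsupported address type or truncated request")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]


def is_malformed(msg: bytes) -> bool:
    """True if the proxy would reject the request as unparseable."""
    try:
        decode_connect(msg)
        return False
    except ValueError:
        return True


class Socks5Server:
    """Constructed proxy-side logic: negotiate no-auth, then accept CONNECT to allowed ports."""
    ALLOWED_PORTS = {25, 110, 23}  # SMTP, POP3, Telnet; the HTTP proxy handles port 80

    def handle_greeting(self, msg: bytes) -> bytes:
        if len(msg) < 2 or msg[0] != VER or len(msg) != 2 + msg[1]:
            return bytes([VER, NO_ACCEPTABLE])
        methods = msg[2:2 + msg[1]]
        return bytes([VER, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE])

    def handle_request(self, msg: bytes) -> bytes:
        cmd, host, port = decode_connect(msg)
        if cmd != CMD_CONNECT:
            rep = REP_CMD_UNSUPPORTED
        elif port not in self.ALLOWED_PORTS:
            rep = REP_NOT_ALLOWED
        else:
            rep = REP_OK  # a real proxy would now open the TCP connection to host:port
        # Reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; BND is the proxy's outgoing socket.
        bnd = socket.inet_aton("203.0.113.1") + struct.pack("!H", 40000)  # assumed address
        return bytes([VER, rep, 0x00, ATYP_IPV4]) + bnd


def connect_through_proxy(host: str, port: int) -> int:
    """Run the whole exchange in memory and return the proxy's REP code."""
    proxy = Socks5Server()
    choice = proxy.handle_greeting(encode_greeting())
    if choice[1] != NO_AUTH:
        raise RuntimeError("proxy rejected our authentication methods")
    reply = proxy.handle_request(encode_connect(host, port))
    return reply[1]


if __name__ == "__main__":
    print("client -> proxy:", encode_connect("www.techexams.net", 80).hex(" "))
    print("REP for mail.example.org:25 ->", connect_through_proxy("mail.example.org", 25))
    print("REP for www.techexams.net:80 ->", connect_through_proxy("www.techexams.net", 80))
```

Note that everything the client sends, including the destination host name, is in clear text; SOCKS5 authenticates the client to the proxy but provides no confidentiality, which is why it is normally used inside a trusted network or tunnelled over something that does encrypt.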
ICS
Internet Connection Sharing (ICS) allows multiple computers to share a single Internet connection and is included in several Windows versions. ICS is
especially suitable for small home and small office networks. For example, in a
small company with five employees who need regular access to the Internet, ICS
would allow you to configure one client with a dial-up, cable or DSL
connection, enable ICS, and share the connection between all five employees.
The computer with the shared Internet connection must have at least two network interfaces: the shared public interface that is connected to the Internet, and a private interface that is connected to the internal network. The computer with ICS enabled performs NAT, and acts as a DHCP server and DNS proxy for the other internal clients. This is at the same time a disadvantage of ICS: there may already be a DHCP server in the LAN, and two DHCP servers handing out addresses on the same segment will conflict. Only IP addresses from the private class C network 192.168.0.0/24 can be assigned to hosts in the internal network when using ICS. In Windows, ICS is enabled on the Advanced tab of the Properties dialog of the interface that connects to the Internet.
Extranet/Intranet
The technology of
interconnecting web clients and servers, HTTP, and HTML, is also suitable for
use in networks with a less public nature than the Internet. The first use is
an Intranet,
which is a small private piece of ‘Internet’ that is accessible only to users
within the organization. It is a very suitable medium to keep employees up to
date with information about both the organization and its systems. Typical
examples of information you can find on an Intranet are employee directories,
emergency evacuation procedures, internal job vacancies, employee of the month
articles, and other more, and less, useful information. Additionally, the
Intranet can be used to keep employees informed about security related
information, such as virus alerts, incident response policies, and acceptable
use policies.
In its most basic
form, an Intranet is a web server running a website or web application and is
accessible only to users with a web browser in the company’s LAN or WAN. The
more advanced implementations of an Intranet often use separate servers for
backend operations, such as database servers. Protecting the servers that make
up the Intranet is no different from protecting the rest of the internal
network; they should not be accessible to anyone outside the company.
Authentication of Intranet users should preferably occur automatically by using
a single sign-on system. This means that the same user credentials used to
access the file servers, email, and shared printers, should be used to
authenticate the user. A typical example of this is a Microsoft Windows domain
with IIS as the web server.
An Extranet is similar to an Intranet, but is accessible
by two or more parties. When two companies/partners need to communicate and
collaborate a lot, they may benefit from connecting their networks together.
Instead of creating a direct connection, which would be objectionable from a
security perspective, they create a network that is accessible from both
companies’ networks. Firewalls at the entrance points ensure the extranet
serves as a buffer between the two companies, and prevent direct access between
their networks while allowing them to collaborate and share information in a
secure manner. The companies can create this network themselves, but can also
introduce a third party to host and manage the extranet.
POTS / PSTN
POTS (Plain Old Telephone Service) and PSTN (Public Switched Telephone Network) refer to the standard telephone network. It
is a circuit-switching network designed for analog transmission of ‘voice’ over
copper wires. By using a modem, a computer can use the telephone line for
transferring digital information. This dial-up connection has long been the
most widely used method to connect to the Internet but has been replaced by
faster methods such as DSL and cable Internet when those became available. A
dial-up modem connection offers relatively slow transfer rates up to 56Kbps, in
reality even less. Apart from the low transfer rates, there are several other
disadvantages to using dial-up connections. Dial-up connections are established
when needed, usually on demand. In other words, a dial-up connection is not
permanent. It can take up to several minutes for a modem to establish a
connection with a remote modem. Customers are charged per minute or second for
dial-up connections, so unless it is used sporadically, it is usually less
expensive to lease a permanent connection. Although dial-up Internet
connections are still common, amongst mobile users with notebooks for example,
they are mostly being replaced with high-speed broadband and wireless
connections.
xDSL (Digital Subscriber Line)
DSL uses the standard
copper telephone wires, often already installed in offices and homes, to
provide a high-speed digital Internet connection. There are different types of DSL, of which Asymmetric Digital Subscriber Line (ADSL) is the most widely installed. ADSL allows the telephone wires to be used for the analog POTS system and digital data transfer simultaneously, because the two use different frequency ranges on the same pair. The
download speed for ADSL connections is much faster than the upload speed, which
corresponds to the needs of most of the typical Internet users. Another type of
DSL is Symmetric DSL (SDSL), which cannot share the physical medium with standard telephone
communication and has a download speed equal to the upload speed. DSL
connections are not available everywhere because of the distance limitations
and incompatible POTS systems.
The actual transfer speed varies a lot per type of DSL connection, and depends heavily on the length of the line between the user and the provider's Central Office (CO). The CO is the location at which customers' lines from a particular area are terminated and connected to a DSL Access Multiplexer (DSLAM). The DSLAMs are in turn connected to the telco/ISP's backbone to provide access to the Internet and other telephone services; this is usually a high-speed ATM connection. The maximum distance of an ADSL connection to the CO is 18,000 feet (about 5,500 meters). This is the limit for most other types of DSL as well. Download speeds generally range from 1.544 Mbps to 8.448 Mbps depending on the distance to the CO, and upload speeds usually range between 64 and 640 Kbps.
The ISP that offers
the DSL service usually provides a DSL transceiver, commonly referred to as a DSL modem. This small box usually offers an Ethernet UTP or a USB connection directly to a PC, or to a hub, router, or switch to provide Internet access to
an entire network. The DSL transceiver can also be integrated in a router or
switch. In addition to providing Internet access to homes and offices, DSL can
also be suitable for VPN connections between offices or for home workers
remotely accessing the corporate network.
Broadband Cable (Cable modem)
The cable that has
become so popular for receiving TV broadcasts turns out to be very suitable for
an Internet connection as well. TV channels only take up 6 MHz each, which
usually leaves several hundred MHz available. This additional space on cable
allows for a permanent high-speed Internet connection. Information from the Internet travels through the cable in a single 6 MHz TV channel, and upstream information requires just 2 MHz. Theoretically this allows for download speeds of 5 Mbps, but in reality it usually ranges from 384 Kbps to 1.5 Mbps. The transmission speed does not depend on the distance of the connection, but since the medium is shared with other customers, it can vary a lot depending on how many users are connected in your area.
Just as with DSL, cable Internet requires a special transceiver at the customer's premises. This cable modem converts the analog signal on the cable to digital information and vice versa. Together with the Cable Modem Termination System (CMTS) at the provider's end, it allows the cable to be used to send and receive data on frequencies not used by TV channels. Just like the DSLAM for DSL connections, the CMTS interconnects the customers' cable connections to a single high-capacity Internet connection. Because the cable segment is shared by many subscribers, DOCSIS cable modems encrypt the link between the modem and the CMTS so that neighbours on the same segment cannot read each other's traffic.
The incoming 75 ohm coaxial cable connects with an F-type connector to the cable modem, which in turn provides one or more LAN interfaces, usually Ethernet or USB, that connect directly to a client or to a device such as a hub, switch, or wireless access router, allowing additional internal clients or entire networks to use the same connection. Some cable modems also provide pass-through connections for TV and radio.
Satellite
Using satellites for
Internet access may seem a bit futuristic, but in rural areas where DSL and
cable Internet services are not available, using satellite Internet access can
be a very good alternative to standard dial-up connections. The download speed is typically around 500 Kbps and the upload speed around 50 Kbps, but this varies per provider. Satellite Internet requires a dish of about the same size as
those used for satellite TV reception. The customer’s dish communicates with
the satellite, which in turn communicates with a large dish at the provider. IP
multicasting, compression, and acceleration technology is implemented
throughout the entire circuit to squeeze the most out of the connection.
Wireless
Wireless Internet access is particularly useful for mobile users. With handheld devices becoming more advanced and increasingly popular, most of the major mobile telcos have started offering wireless Internet access in several ways. This includes deploying WiFi hotspots in populated areas and locations such as airports and hotels. Organizations can use the same method to offer wireless access to the corporate network for mobile employees and indirectly provide them with access to the Internet. Technologies such as GPRS and UMTS allow smartphones and other handhelds with Internet capabilities to access the Internet using the existing cell phone network.