Course Code: MCS-022
Course Title: Operating System Concepts and Networking Management
Assignment Number: MCA(I)/022/Assignment/2020-21
Maximum Marks: 100
Weightage: 25%
Last Dates for Submission: 31st October, 2020 (For July, 2020 Session); 25th April, 2021 (For January, 2021 Session)

Q1. How do the following concepts improve system performance?
* Spooling compared to buffering
* Multiprocessing compared to sequential execution

Ans. Spooling compared to buffering:
There are two ways by which the input/output subsystem can improve the performance and efficiency of the computer by using memory space in main memory or on the disk: spooling and buffering.

Spooling: Spooling stands for Simultaneous Peripheral Operation Online. A spool is similar to a buffer, as it holds the jobs for a device until the device is ready to accept them. It treats the disk as a huge buffer that can store as many jobs for the device as needed until the output device is ready to accept them.

Buffering: Main memory has an area called a buffer that is used to hold data temporarily while it is being transmitted, either between two devices or between a device and an application. Buffering is the act of storing data temporarily in the buffer. It helps in matching the speed of the data stream between the sender and the receiver. If the sender's transmission speed is slower than the receiver's, a buffer is created in the main memory of the receiver, which accumulates the bytes received from the sender, and vice versa.

The basic difference between spooling and buffering is that spooling overlaps the input/output of one job with the execution of another job, while buffering overlaps the input/output of one job with the execution of the same job.
Differences between Spooling and Buffering:
* The key difference between spooling and buffering is that spooling can handle the input/output of one job along with the computation of another job at the same time, while buffering handles the input/output of one job along with its own computation.
* Spooling stands for Simultaneous Peripheral Operation Online, whereas buffering is not an acronym.
* Spooling is more efficient than buffering, as spooling can overlap the processing of two jobs at a time.
* Buffering uses a limited area in main memory, while spooling uses the disk as a huge buffer.

Multiprocessing compared to sequential execution:
Multiprocessing: In a uni-processor system, only one process executes at a time. Multiprocessing is the use of two or more CPUs (processors) within a single computer system. The term also refers to the ability of a system to support more than one processor within a single computer system. Since there are multiple processors available, multiple processes can be executed at a time. These multiple processors share the computer bus, and sometimes the clock, memory and peripheral devices as well.

Working of a multiprocessing system:
* With the help of multiprocessing, many processes can be executed simultaneously. Say processes P1, P2, P3 and P4 are waiting for execution. In a single-processor system, first one process will execute, then the next, and so on.
* But with multiprocessing, each process can be assigned to a different processor for its execution. If it is a dual-core processor (2 processors), two processes can be executed simultaneously and thus will be two times faster; similarly, a quad-core processor will be four times as fast as a single processor.

Sequential execution: A sequence is an ordered list of something. Sequential execution means that each command in a program or script executes in the order in which it is written in the program.
The first command in the sequence executes first, and when it is complete, the second command executes, and so on. For example, values are assigned to a and b before they are used to calculate the sum a + b. The following example is a sequence of commands that computes the average of three values.
1. Input the first value and save it as sum.
2. Input the second value and save it as nextValue.
3. Add nextValue to sum.
4. Input the third value and save it as nextValue.
5. Add nextValue to sum.
6. Divide sum by three and save the result as avg.
7. Display the average to the user.
The order in which the values are input and saved doesn't matter, but we cannot calculate the average until all three values have been entered and added together.

Q2. Discuss the basic design issues in a distributed OS which are different from a traditional OS and a network OS, and how are they implemented?

Ans. Distributed Operating System:
An operating system (OS) is basically a collection of software that manages computer hardware resources and provides common services for computer programs. The operating system is a crucial component of the system software in a computer system.

A distributed operating system is one of the important types of operating system. Multiple central processors are used by distributed systems to serve multiple real-time applications and multiple users. Accordingly, data processing jobs are distributed among the processors. Processors communicate with each other through various communication lines (like high-speed buses or telephone lines). These are known as loosely coupled systems or distributed systems. Processors in this system may vary in size and function. They are referred to as sites, nodes, computers, and so on.

Advantages:
* With the resource sharing facility, a user at one site may be able to use the resources available at another.
* Speedup of the exchange of data with one another via electronic mail.
* Failure of one site in a distributed system doesn't affect the others; the remaining sites can potentially continue operating.
* Better service to the customers.
* Reduction of the load on the host computer.
* Reduction of delays in data processing.

Traditional operating systems and the applications running on them can be encapsulated in VMs. Only one operating system runs in a virtualization while many applications run in the operating system. System virtualization allows multiple VMs to run on a physical machine, and the VMs are completely isolated. To achieve encapsulation and isolation, both the system software and the hardware platform, such as CPUs and chipsets, are rapidly updated. However, storage is lagging. The storage system has become the main bottleneck of VM deployment.

In virtualization environments, a virtualization layer is inserted between the hardware and traditional operating systems, or a traditional operating system is modified to support virtualization. This procedure complicates storage operations. On the one hand, storage management of the guest OS performs as though it is operating on a real hard disk, while the guest OSes cannot access the hard disk directly. On the other hand, many guest OSes contend for the hard disk when many VMs are running on a single physical machine. Therefore, storage management of the underlying VMM is much more complex than that of guest OSes (traditional OSes). In addition, the storage primitives used by VMs are not nimble. Hence, operations such as remapping volumes across hosts and checkpointing disks are frequently clumsy and esoteric, and sometimes simply unavailable. In data centers there are often thousands of VMs, which cause the VM images to become flooded. Many researchers have tried to solve these problems in virtual storage management. The main purposes of their research are to make management easy while enhancing performance and reducing the amount of storage occupied by the VM images.
Parallax is a distributed storage system customized for virtualization environments. Content Addressable Storage (CAS) is a solution to reduce the total size of VM images, and therefore supports a large set of VM-based systems in data centers. Since traditional storage management techniques do not consider the features of storage in virtualization environments, Parallax designs a novel architecture in which storage features that have traditionally been implemented directly on high-end storage arrays and switches are relocated into a federation of storage VMs. These storage VMs share the same physical hosts as the VMs that they serve. This gives an overview of the Parallax system architecture. Parallax supports all popular system virtualization techniques, such as para-virtualization and full virtualization. For each physical machine, Parallax customizes a special storage appliance VM. The storage appliance VM acts as a block virtualization layer between individual VMs and the physical storage device. It provides a virtual disk for each VM on the same physical machine.

A network operating system (NOS) is a computer operating system (OS) that is designed primarily to support workstations, personal computers and, in some instances, older terminals that are connected on a local area network (LAN). The software behind a NOS allows multiple devices within a network to communicate and share resources with each other.

The composition of hardware that typically uses a NOS includes a number of personal computers, a printer, a server and a file server with a local network that connects them together.
The role of the NOS is then to provide basic network services and features that support multiple input requests simultaneously in a multiuser environment. Because earlier versions of basic operating systems were not designed for network use, network operating systems emerged as a solution for single-user computers.

Types of network operating systems:
There are two basic types of network operating systems, the peer-to-peer NOS and the client/server NOS:
1. Peer-to-peer network operating systems allow users to share network resources saved in a common, accessible network location. In this architecture, all devices are treated equally in terms of functionality. Peer-to-peer usually works best for small to medium LANs and is cheaper to set up.
2. Client/server network operating systems provide users with access to resources through a server. In this architecture, all functions and applications are unified under one file server that can be used to execute individual client actions regardless of physical location. Client/server tends to be the most expensive to implement and requires a large amount of technical maintenance. An advantage of the client/server model is that the network is controlled centrally, which makes changes or additions to technology easier to incorporate.

Q3. What are the steps involved in configuring an IP address in your system? What is the use of DHCP and BOOTP in this process? Why is a subnet mask required as an input for configuring an IP address?

Ans. This wikiHow teaches you how to set a static IP address for your computer within your Wi-Fi network. A static IP address won't change when your router or computer reboots, making it useful for remote operation and website hosting. Static IP addresses can also prevent connection issues on routers to which several items are connected.

Steps:
1. Open Start. Click the Windows logo in the bottom-left corner of the screen. The Start menu will open.
2. Open Settings. Click the gear-shaped icon in the lower-left side of the Start menu.
3. Click Network & Internet. It's in the middle of the Settings window.
4. Click "View your network properties". This link is near the bottom of the page.
   * If you don't see this link, scroll down. You may also need to click the About tab in the upper-left corner of the window.
5. Scroll down to the "Wi-Fi" heading. It's near the bottom of the page. You'll see a list of information about your Wi-Fi connection here.
6. Note the "Default gateway" address. The address to the right of the "Default gateway" heading is the address you'll enter in a web browser to access your router's page.
7. Press Win+X. Doing so will open the advanced Start menu.
   * You can also right-click the Start icon in the lower-left corner of the screen.
8. Click "System". It's in the advanced Start menu. Doing so opens a window with your Windows computer's specifications.
9. Note your computer's name. This is a name (typically a jumble of letters and numbers) to the right of the "Device name" heading in the middle of the page.
At this point, you're ready to proceed with setting a static IP address.

Use of DHCP and BOOTP:
DHCP/Bootp is used to download configuration data from a DHCP or Bootp server respectively to the hub.

Bootp: A Bootp server requires some configuration. It allows a device to obtain its configuration information, such as the IP address and subnet mask, in one message, reducing the demand on the network. The Bootp protocol is designed for a network in which each host has a permanent network connection.

DHCP: The Dynamic Host Configuration Protocol (DHCP) manages the allocation of TCP/IP configuration information by automatically assigning IP addresses. With DHCP you can configure the hub to automatically retrieve the IP address with no configuration required on either the hub or the DHCP server.
In dynamic mode, the address is used by the device for a specified period of time. The time period depends on the situation; one device may only need the address for an hour, while another device may use the same address for several days. DHCP is more suitable in environments where the number of IP addresses needed exceeds the number available. It also allows a device to obtain its configuration information, such as the IP address and subnet mask, in one message, reducing the demand on the network.

Whenever the IP Config parameter in the hub is configured to DHCP/Bootp (the default), or when the hub is rebooted with this configuration:
1. DHCP/Bootp requests are automatically broadcast on the local network. (The hub sends one type of request which either a DHCP or a Bootp server can process.)
2. When a DHCP or Bootp server receives the request, it replies with an automatically generated IP address and subnet mask for the hub. The hub also receives an IP gateway address if the server has been configured to provide one.

Subnet mask is required as an input for configuring an IP address:
Subnetting is the process of dividing a larger network into smaller sub-networks (subnets). We always reserve one IP address to identify the subnet and another one to identify the broadcast address within the subnet. Subnetting breaks up a larger network into small parts, which is more efficient and conserves a great amount of addresses. The smaller networks therefore create smaller broadcast domains that generate less broadcast traffic. Besides, subnetting also simplifies fault troubleshooting by isolating network problems down to their specific location.

A subnet mask is a 32- or 128-bit number that segments an existing IP address in a TCP/IP network. It is used by the TCP/IP protocol to determine whether a host is on the local subnet or on a remote network.
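The local-or-remote decision just described is simple arithmetic on the mask. The following Python code is an added example (not part of the original answer): it derives the network and broadcast addresses from an address/mask pair by bitwise AND, decides whether a destination is on the local subnet or must go via the default gateway, and splits a /24 into four /26 subnets. All addresses are constructed sample values.

```python
import ipaddress


def network_address(ip: str, mask: str) -> str:
    """Bitwise AND of the address and the mask gives the network (subnet) address."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))


def describe_interface(ip: str, mask: str) -> dict:
    """Network, broadcast, prefix length and usable host count for an address/mask pair."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")  # raises ValueError on a non-contiguous mask
    net = iface.network
    return {
        "network": str(net.network_address),      # reserved: identifies the subnet
        "broadcast": str(net.broadcast_address),  # reserved: broadcast within the subnet
        "prefix_length": net.prefixlen,
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def is_local(ip: str, mask: str, destination: str) -> bool:
    """True when the destination shares the network part with our own address."""
    return network_address(ip, mask) == network_address(destination, mask)


def next_hop(ip: str, mask: str, gateway: str, destination: str) -> str:
    """Local hosts are reached directly; anything else is sent to the default gateway."""
    return destination if is_local(ip, mask, destination) else gateway


def subnet_plan(network: str, new_prefix: int) -> list:
    """Divide a larger network into equal-sized subnets with the given prefix length."""
    net = ipaddress.IPv4Network(network, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # Constructed example: the three values a DHCP/Bootp reply hands to a host.
    host, mask, gateway = "192.168.10.77", "255.255.255.0", "192.168.10.1"
    print(describe_interface(host, mask))
    for dest in ("192.168.10.200", "192.168.11.5"):
        print(dest, "->", next_hop(host, mask, gateway, dest))
    print(subnet_plan("192.168.10.0/24", 26))
```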
The subnet mask divides the IP address into a network address and a host address, identifying which part of the IP address is reserved for the network and which part is available for host use. Once given the IP address and its subnet mask, the network address (subnet) of a host can be determined. Subnet calculators are readily available online to help divide an IP network into subnets.

Q4. (a) Draw the DNS hierarchy for ignou.ac.in and explain.

Ans. DNS uses a hierarchy to manage its distributed database system. The DNS hierarchy, also called the domain name space, is an inverted tree structure, much like a directory tree. The DNS tree has a single domain at the top of the structure called the root domain. A period or dot (.) is the designation for the root domain. Below the root domain are the top-level domains that divide the DNS hierarchy into segments.

[Figure: DNS hierarchy diagram. Levels shown from top to bottom: root domain (.), top-level domain (com), second-level domain (google), labelled as "our domain name", and third-level domain/host (www).]

The DNS hierarchy is comprised of the following elements:
1) Root Level
2) Top Level Domains
3) Second Level Domains
4) Sub-Domain
5) Host

In the geographic hierarchy, each country is assigned a two-letter code. These codes are used to identify countries. For example, take the domain name images.google.com. Here "com" is the top level domain, called a TLD in short. This is the next component in the DNS hierarchy. A TLD can have many domains under it. For example, a .com TLD can have linux.com, centos.com, ubuntu.com, etc. Sometimes there is a second level hierarchy to a TLD. These deal with the type of entity intended to register an SLD under it. For example, for the .uk ccTLD, a college or other academic institution would register under the .ac.uk ccSLD, while companies would register under .co.uk.

(b) Discuss the types of security vulnerabilities in DNS and what measures are taken to prevent them.

Ans.
DNS Vulnerabilities: We briefly review some of the most important attacks on DNS. Most of these problems have been previously documented.

1. Man in the middle (MITM) attacks
The recipient of data from a DNS name server has no way of authenticating its origin or verifying its integrity. This is because DNS does not specify a mechanism for servers to provide authentication details for the data they push down to clients. A resolver has no way to verify the authenticity and integrity of the data sent by name servers. The resolver can only authenticate the origin of a DNS reply packet using the source IP address of the DNS server, the destination and source port numbers and the DNS transaction ID. An attacker can easily craft a DNS server response packet to match these parameters. The client has no choice but to trust as reliable the data provided by an attacker. An attacker can resolve legitimate queries, responding with false information.

1.1 Packet Sniffing
DNS sends an entire query or response in a single unsigned, unencrypted UDP packet, which makes it easy to tamper with. By capturing DNS query packets, a wrong answer can be generated fast enough to reach the resolver before the correct answer from the name server. Compromising a router on a transit network allows an attacker to capture the DNS reply packet from the name server and modify it. As no source authentication or data integrity checks are supported, this will not be detected by the resolver.

1.2 Transaction ID Guessing
An attacker can respond with false answers to a predicted query, without having to be on the LAN to intercept packets. These answers will be cached either by the resolver or by the caching name server. The DNS transaction ID field is only a 16-bit field, and the server UDP port associated with DNS is 53. On the client there are only 2^32 possible combinations of ID (2^16) and client UDP ports (2^16) for a given client and server.
In practice the client UDP port and the transaction ID can be predicted from previous queries. It is common for the client port to be a known fixed value due to firewall restrictions, or the port number will increase incrementally due to resolver library behaviour. The DNS transaction ID generated by a client usually increases incrementally. This reduces the search space to a range smaller than 2^16. By itself, ID guessing is not enough to allow an attacker to inject bogus data. This has to be combined with knowledge or guesses about the queries (QNAME) and query type (QTYPE) for which the resolver might be querying. This can, for example, be achieved by cache snooping.

2. Caching Problems
Through the use of caches, the DNS sacrifices consistency in favour of reduced access time. DNS caching raises concerns about cache inconsistency and staleness of data. Stale information may include security-critical information, e.g. a compromised key. The current DNS protocol does not support any means to propagate data updates or invalidation to DNS servers or caches in a fast and secure way.

2.1 Cache Poisoning using Name Chaining
This attack introduces false information into DNS caches. This is achieved by means of DNS RRs whose RDATA portion includes a DNS name which can be used as a hook to let an attacker feed bad data into a victim's cache. The most affected types of RRs are CNAME, NS, and DNAME RRs. False data associated with these names can be injected into the victim's cache via the Additional section of the response. An attacker can introduce arbitrary DNS names of the attacker's choosing, and provide further information that is claimed to be associated with those names.

2.2 Cache Poisoning using Transaction ID Prediction
In this attack, a large number of resolution requests are sent to the victim server (ns1.victim.com, say) with spoofed source IP addresses to resolve a name, say www.mybank.com.
Each request will be assigned a unique transaction ID and processed independently. Since ns1.victim.com is trying to resolve each of these requests, the server will be awaiting a large number of replies from ns1.mybank.com. The attacker uses this wait stage to bombard ns1.victim.com with spoofed replies from ns1.mybank.com, stating that www.mybank.com points to an IP address which is under the attacker's control. Each spoofed reply has a different transaction ID, a source port and the spoofed DNS server IP address (for ns1.mybank.com). The attacker hopes to guess the correct transaction ID and source port used by the querying name server. Once the attack is successful, false information will be stored in ns1.victim.com's cache.

2.3 DDoS attacks
DDoS attacks can have a significant impact on the global DNS database and its users. They are usually directed at root servers. This was evident with the recent DDoS attack in June 2008, which was a repeat of a similar attack in October 2002. These attacks caused a loss of availability of name resolution services to the Internet community.

Domain Name System Security Extensions (DNSSEC)
DNSSEC adds security to the DNS protocol by providing origin authentication, data integrity and authenticated denial of existence to DNS data provided by a name server. All answers from DNSSEC servers are digitally signed. By checking the signature, a DNSSEC resolver is able to check if the information originated from a legitimate server and that the data is identical to the data on the authoritative DNS server.

1. Keys in DNSSEC
Each secured zone has a key pair, made up of a zone private key and the corresponding public key. The zone public key is stored as a resource record (type KEY) in the secured zone. The public key is used by DNS servers and resolvers to verify the zone's digital signature. All resource records in a secured zone are signed by the zone's private key.
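Before the DNSSEC material continues, the following Python code, added here and not part of the original answer, shows the resolver-side checks that the MITM, transaction-ID-guessing and name-chaining sections above rely on: it matches a reply against the outstanding query (source IP, ports, 16-bit transaction ID, question section), draws IDs and source ports from a CSPRNG so the 2^32 guess space is real, and discards out-of-bailiwick records from the Additional section before anything is cached. All addresses and names are constructed sample values.

```python
import secrets
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID we chose
    src_port: int    # our UDP source port
    server_ip: str   # address we sent the query to
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    src_ip: str      # who the reply claims to come from
    src_port: int    # should be 53
    dst_port: int    # should equal the query's source port
    qname: str
    qtype: str
    answers: Tuple[RR, ...] = ()
    additional: Tuple[RR, ...] = ()


def new_query(server_ip: str, qname: str, qtype: str) -> Query:
    """Unpredictable ID and ephemeral port: no incrementing counters to extrapolate from."""
    return Query(secrets.randbelow(1 << 16), 49152 + secrets.randbelow(16384),
                 server_ip, qname.lower().rstrip("."), qtype)


def in_bailiwick(name: str, zone: str) -> bool:
    """A record is in-bailiwick if its owner name is at or below the zone we queried."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def validate_response(q: Query, r: Response, zone: str) -> Tuple[bool, str, List[RR]]:
    """Return (accepted, reason, records that are safe to cache)."""
    if r.src_ip != q.server_ip:
        return False, "source IP mismatch", []
    if r.src_port != 53 or r.dst_port != q.src_port:
        return False, "port mismatch", []
    if r.txid != q.txid:
        return False, "transaction ID mismatch", []
    if (r.qname.lower().rstrip("."), r.qtype) != (q.qname, q.qtype):
        return False, "question section mismatch", []
    # Name-chaining defence: drop any record whose owner lies outside the zone,
    # whichever section it arrived in.
    cacheable = [rr for rr in r.answers + r.additional if in_bailiwick(rr.name, zone)]
    return True, "ok", cacheable


def demo() -> dict:
    """Constructed scenario: one genuine reply and two spoofed ones with wrong guesses."""
    q = Query(0x1234, 50000, "192.0.2.53", "www.example.com", "A")
    genuine = Response(0x1234, "192.0.2.53", 53, 50000, "www.example.com", "A",
                       answers=(RR("www.example.com", "A", "192.0.2.10"),),
                       additional=(RR("ns1.example.com", "A", "192.0.2.53"),
                                   RR("www.mybank.example", "A", "203.0.113.9")))  # out of bailiwick
    spoofed_id = replace(genuine, txid=0x1235)       # attacker guessed the ID wrong
    spoofed_port = replace(genuine, dst_port=50001)  # attacker guessed the port wrong
    return {
        "genuine": validate_response(q, genuine, "example.com"),
        "spoofed_id": validate_response(q, spoofed_id, "example.com"),
        "spoofed_port": validate_response(q, spoofed_port, "example.com"),
    }


if __name__ == "__main__":
    for label, (ok, why, recs) in demo().items():
        print(label, ok, why, [rr.name for rr in recs])
```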
To make zone re-signing and key roll-overs easier to implement, it is possible to use one or more keys as Key Signing Keys (KSKs). A KSK will only be used to sign the top-level KEY RRs in a zone. Zone Signing Keys (ZSKs) are used to sign all the RRsets in a zone.

2. Signatures in DNSSEC
DNSSEC provides an unforgeable authentication of an RRset by associating it with a signature resource record that binds DNS data to a time interval and the signer's domain name. A private key is used to sign an RRset. For increased speed, a hash of the RRset is signed. This provides authenticated data origin. If data is modified during transport, the signature is no longer valid (authenticated data integrity). In DNSSEC, only signatures are used, and nothing is encrypted. Hashes are generated using MD5 or SHA-1. Signatures are created using MD5/RSA, DSA or elliptic curve cryptographic algorithms. Signatures are stored as resource records (type RRSIG) and are used with the zone's public key to authenticate resource records.

3. NSEC Records
Each unique name in a secured zone is also assigned a corresponding NSEC resource record, which points to the next name present in the zone. The sequential chain of NSEC resource records for a zone defines what resource records actually exist in that zone. The NSEC resource records are also signed by the zone private key, preventing the zone from being compromised through unauthorised addition or deletion of zone resource records. NSEC resource records for a zone are automatically generated when the zone records are signed.

3.1 Time in DNSSEC
All times in DNS are relative. The Start Of Authority (SOA) resource record's refresh, retry and expiration timers are counters that are used to determine the time elapsed since a slave server synchronised with a master server. The Time to Live (TTL) value is used to determine how long a forwarder should cache data after it has been fetched from an authoritative server.
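The following Python code is an added example (not part of the original answer) of two DNSSEC mechanisms just described: the NSEC chain that lets a resolver prove a name or type does not exist, and the absolute inception/expiration timestamps on an RRSIG that bound when a signature may be used. The zone, its NSEC chain and the timestamps are constructed sample data; the name ordering is the RFC 4034 canonical ordering (labels compared right to left, case-insensitively), which the text above does not spell out.

```python
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def canonical_key(name: str) -> tuple:
    """RFC 4034 canonical ordering key: compare labels right-to-left, case-insensitively."""
    stripped = name.rstrip(".")
    labels = stripped.lower().split(".") if stripped else []
    return tuple(reversed(labels))


def canonical_sort(names: List[str]) -> List[str]:
    return sorted(names, key=canonical_key)


def at(year: int, month: int, day: int) -> datetime:
    """Helper for a UTC instant (DNSSEC times are absolute, not relative)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_rrsig_time(value: str) -> datetime:
    """RRSIG inception/expiration are absolute UTC timestamps in YYYYMMDDHHmmSS form."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def signature_in_validity_period(inception: str, expiration: str, now: datetime) -> bool:
    return parse_rrsig_time(inception) <= now <= parse_rrsig_time(expiration)


def nsec_covers(owner: str, next_name: str, apex: str, qname: str) -> bool:
    """True if qname sorts strictly between owner and next; the last NSEC wraps to the apex."""
    o, n, a, q = (canonical_key(x) for x in (owner, next_name, apex, qname))
    if n == a and o != a:  # last record in the chain: it covers everything after owner
        return o < q
    return o < q < n


def nsec_denial(chain: List[Dict], apex: str, qname: str, qtype: str,
                now: datetime) -> Tuple[bool, str]:
    """Authenticated denial: NXDOMAIN via a covering NSEC, or NODATA via the owner's type bitmap.
    Each chain entry carries the validity window of its own RRSIG. Wildcard proofs are omitted."""
    q, a = canonical_key(qname), canonical_key(apex)
    if q[:len(a)] != a:
        return False, f"{qname} is not in zone {apex}"
    for rec in chain:
        if not signature_in_validity_period(rec["inception"], rec["expiration"], now):
            continue  # the RRSIG on this NSEC is not usable at this time
        if canonical_key(rec["owner"]) == q:
            if qtype in rec["types"]:
                return False, f"{qname} {qtype} exists"
            return True, f"NODATA: {qname} exists but has no {qtype} (NSEC type bitmap)"
        if nsec_covers(rec["owner"], rec["next"], apex, qname):
            return True, f"NXDOMAIN: covered by NSEC {rec['owner']} -> {rec['next']}"
    return False, "no usable NSEC record proves the denial"


# Constructed sample zone: NSEC chain in canonical order, all signed in one validity window.
APEX = "example.com."
WINDOW = {"inception": "20210101000000", "expiration": "20210201000000"}
CHAIN = [
    {"owner": "example.com.", "next": "a.example.com.", "types": {"SOA", "NS", "NSEC", "RRSIG"}, **WINDOW},
    {"owner": "a.example.com.", "next": "mail.example.com.", "types": {"A", "NSEC", "RRSIG"}, **WINDOW},
    {"owner": "mail.example.com.", "next": "www.example.com.", "types": {"A", "MX", "NSEC", "RRSIG"}, **WINDOW},
    {"owner": "www.example.com.", "next": "example.com.", "types": {"A", "NSEC", "RRSIG"}, **WINDOW},
]

if __name__ == "__main__":
    now = at(2021, 1, 15)
    for qn, qt in (("b.example.com.", "A"), ("zzz.example.com.", "A"),
                   ("mail.example.com.", "AAAA"), ("mail.example.com.", "A")):
        print(qn, qt, nsec_denial(CHAIN, APEX, qn, qt, now))
    # Same query after the signatures expire: the proof is no longer usable.
    print(nsec_denial(CHAIN, APEX, "b.example.com.", "A", at(2021, 3, 1)))
```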
DNSSEC introduces absolute time into DNS. The signature validity period is the period during which a signature is valid. It starts at the time specified in the signature inception field of the RRSIG and ends at the time specified in the expiration field. The signature publication period is the time after which a signature is replaced with a new signature by publishing the relevant RRSIG in the master zone file.

Q5. Answer the following questions related to Linux commands:

* List all the directories using the echo command only
Ans.
$ echo */
Desktop/ Documents/ Downloads/ jym/ looped/ mounts/ Music/ netbeans-6.9/ orb.db/ PacketTracer5/ Pictures/

* List all the files within a directory including hidden files
Ans. ls -a or ls -al

Ans. cal [[month] year]
[Screenshot of the cal output omitted.]

Ans. who | more
[Screenshot of the terminal output omitted.]

* What options can be used with a grep command? Show output with each option.
Ans. grep [options] pattern [files]
Options and description:
-c : This prints only a count of the lines that match a pattern.
-l : Displays the list of filenames only.
-n : Display the matched lines and their line numbers.
-v : This prints out all the lines that do not match the pattern.
-e exp : Specifies an expression with this option. Can be used multiple times.
-f file : Takes patterns from a file, one per line.
-w : Match whole word.

$ grep -c "unix" geekfile.txt
Output:
2

$ grep -l "unix" *
Output:
geekfile.txt

$ grep -n "unix" geekfile.txt
Output:
1:unix is great os. unix is opensource. unix is free os.
4:uNix is easy to learn.unix is a multiuser os.Learn unix .unix is a powerful.

$ grep -v "unix" geekfile.txt
Output:
learn operating system.
Unix linux which one you choose.

$ grep -e "Agarwal" -e "Aggarwal" -e "Agrawal" geekfile.txt
Output:
Agarwal
Aggarwal
Agrawal

$ grep -f pattern.txt geekfile.txt
Output:
Agarwal
Aggarwal
Agrawal

$ grep -w "unix" geekfile.txt
Output:
unix is great os. unix is opensource. unix is free os.
uNix is easy to learn.unix is a multiuser os.Learn unix .unix is a powerful.

Q6. (a) What are the objectives of dynamic addressing and directory services in Windows 2000? How are they configured?

Ans. One of the easiest ways to manage the complex task of keeping up with all of the TCP/IP addresses on your network is by using the Dynamic Host Configuration Protocol (DHCP). However, using DHCP in an Active Directory (AD) environment can be full of pitfalls if you're not careful. In this Daily Drill Down, I show you how DHCP works and how to make it work effectively with Windows 2000 and Active Directory.

What is DHCP?
As you know, each node on a TCP/IP network must have a unique IP address. Computers are typically nodes, but other devices such as printers and routers can also be nodes and thus require unique addresses, whether the network they're connected to is local or connected to the Internet. You have two options for assigning addresses.
With the first option, static assignment, you manually assign an IP address to a given node. The address doesn't change unless you manually change it. Devices that always need the same IP address, such as Web servers or other devices that clients access by their address, should generally be assigned static IP addresses.

The second option involves assigning IP addresses dynamically through DHCP. A DHCP server allocates IP addresses to clients as those clients start up. While the address retrieved through the lease from the server can remain the same from session to session, it may also change, meaning the node could have a different IP address for each session. This makes DHCP most useful for workstations and other devices that don't require a fixed IP address.

The biggest benefit of using DHCP is simplified administration. You can centrally manage a range of IP addresses and associated settings (a gateway address, DNS server assignment, and so on) and effect changes to the network by simply changing the settings at the DHCP server. You don't have to make changes manually at each workstation or device; instead, you can implement a change simply by restarting those systems or releasing and renewing the address lease. When the users restart their workstations, the changes will automatically take effect.

Active Directory integration and unauthorized server detection:
Unauthorized servers can cause real headaches for network administrators by allocating conflicting or incorrect addresses or related settings to clients. For example, an inexperienced administrator or a power user might bring up a new DHCP server, unaware that it will cause a conflict on the network. Fortunately, Windows 2000 integrates DHCP into AD to provide detection of and protection against unauthorized DHCP servers. AD stores a list of authorized DHCP servers.
When a Windows 2000 DHCP server starts up in a domain, the server checks to see if it is listed as an authorized server in AD. If the service finds itself in the list, it starts processing DHCP requests from clients. If the server doesn't find itself in the list or isn't able to connect to AD, the server assumes it is not authorized and ignores DHCP client requests.

Stand-alone servers that are not members of a domain provide a similar capability but through a slightly different mechanism. When the stand-alone DHCP server starts, it broadcasts a DHCPINFORM message on the network. Domain-member DHCP servers respond with a DHCPACK message and a notification of the directory domain to which they belong. If a stand-alone server receives a DHCPACK message, it assumes that it isn't authorized and does not respond to DHCP client requests. So, workgroup DHCP servers will function by themselves or coexist with other workgroup DHCP servers, but they will not operate when domain-based DHCP servers are present.

The Domain Name System (DNS) is the Active Directory locator in Windows 2000. Active Directory clients and client tools use DNS to locate domain controllers for administration and logon. You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. This article guides you through the required DNS configuration.

Configure TCP/IP:
1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.
4. Click Internet Protocol (TCP/IP), and then click Properties.
5. Assign this server a static IP address, subnet mask, and gateway address.
6. Enter the server's IP address in the Preferred DNS server box.
7. Click Advanced.
8. Click the DNS tab.
9. Select "Append primary and connection specific DNS suffixes". Check "Append parent suffixes of the primary DNS suffix".
10. Check "Register this connection's addresses in DNS".
If this Windows 2000-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.
11. Click OK to close the Advanced TCP/IP Settings properties.
12. Click OK to accept the changes to your TCP/IP configuration.
13. Click OK to close the Local Area Connection properties.

Enable Active Directory Integrated DNS (Optional, Recommended):
Active Directory Integrated DNS uses the directory for the storage and replication of DNS zone databases. If you decide to use Active Directory Integrated DNS, DNS runs on one or more domain controllers and you do not need to set up a separate DNS replication topology.
1. In DNS Manager, expand the DNS Server object.
2. Expand the Forward Lookup Zones folder.
3. Right-click the zone you created, and then click Properties.
4. On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.
5. In the Change Zone Type dialog box, click Active Directory-integrated Primary, and then click OK. The DNS server writes the zone database into Active Directory.
6. Right-click the zone named ".", and then click Properties.
7. On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.
8. In the Change Zone Type dialog box, click Active Directory-integrated Primary, and then click OK.

(b) How is a static IP address different from a dynamic IP address?
Ans. Difference between static and dynamic IP address:

No. | Static IP address | Dynamic IP address
1. | It is provided by the ISP (Internet Service Provider). | It is provided by DHCP (Dynamic Host Configuration Protocol).
2. | A static IP address does not change at any time; once a static IP address is provided it can't be changed or modified. | A dynamic IP address can change at any time.
3.
3. | A static IP address is less secure. | With a dynamic IP address there is a lower amount of risk than with a static IP address.
4. | A static IP address is difficult to designate. | A dynamic IP address is easy to designate.
5. | A device assigned a static IP address can be traced. | A device assigned a dynamic IP address can't be traced.
6. | A static IP address is more stable than a dynamic IP address. | A dynamic IP address is less stable than a static IP address.
7. | The cost to maintain a static IP address is higher than for a dynamic IP address. | The cost of maintaining a dynamic IP address is less than for a static IP address.
8. | It is used where the computational data is less confidential. | It is used where the data is more confidential and needs more security.

Q7. What is the meaning of a mapped drive in Windows 2000? What are the benefits of mapping a network drive? Write all the steps for mapping a network drive.
Ans. A mapped drive is a shortcut to a specific drive on a different device that enables you to access resources shared on a local network, or files on an FTP server or website. It looks just like a shortcut on your local hard drive with its own letter, even opening as though it were on the drive, but the files are physically stored on a different computer or device altogether. Mapping is different from mounting a drive, as mapping allows you to open remote files as though they were stored on your own computer, while mounting allows you to open a file as if it were a folder. The main limitation of using a mapped network drive is that it depends on a working network, so if the network is down, or the connection isn't working properly, you can't access the files in the mapped drive.

Benefits of mapping a network drive:
Drive mapping is a feature of some operating systems, including Microsoft Windows, that allows the user to assign a standard local drive volume letter (like C:\ or D:\) to a drive on a remote machine connected to the user's
computer over a network. Mapping a drive has several benefits.

Ease of Access: Drive mapping allows a Windows user to access the mapped drive quickly, through the "My Computer" interface, as if it were a local drive, and to perform tasks with it using the techniques and processes with which the user is familiar from working with local drives.

Consistency: A mapped drive can remain in a user's drive tree indefinitely, allowing that user to access a remote drive whenever he wants, without having to reconnect it each time he turns on his computer (or each time the remote drive's user turns on hers). Attempting to access a mapped drive whose parent computer is off will result in a simple error message, but will not remove the mapped drive.

Network Setup: Since most casual computer users understand the drive tree but may not understand the more technical Universal Naming Convention (UNC) system for accessing remote drives, it can be very useful for a network administrator to set up a system of mapped drives for his users. Such a system requires next to no new information to be imparted to the users; they can simply use the mapped drives as if those drives were local.

Steps for mapping a network drive:
1. Open Windows Explorer.
2. Select Tools, Map Network Drive from the menu bar.
3. Select an available drive letter from the Drive drop-down list.
4. Click Browse to locate a shared directory on the network, or enter the UNC path in the Folder field.
5. Mark the Reconnect At Logon checkbox.
6. Click Finish.

Q8. Answer the following questions related to Windows 2000 Server.
(a) What features and services are provided?
Ans. Some of the significant features of Windows 2000 Server are:
1. Active Directory improves manageability, enables security, and extends interoperability with other operating systems.
2. Provides high-level interfaces for database access and Active Directory services.
3.
Lets you use COM+ to run component-based applications, integrated Web applications, and message-queuing services.
4. The Transaction Services feature makes it easier to develop and deploy server-centric applications.
5. Microsoft BackOffice is fully integrated into Windows 2000 Server.

Advanced Server: Some of the significant features of Windows 2000 Advanced Server are:
1. The server operating system for e-commerce and line-of-business applications.
2. Includes all the features of Windows 2000 Server, with additional scalability and clustering support.
3. Increased reliability to ensure your business applications are online when your customers need them.
4. Easier to use and manage clusters, applications, and updates.
5. Supports 8-way SMP (symmetric multiprocessing) and up to 8 GB of RAM.

(b) How are network resources accessed?
Ans. When you connect to a network drive, you add a whole new set of folders and files, not to mention other resources, to your working environment. After connecting, you can remain connected to that network while you work and can even access other servers and resources if required.

To open My Network Places, click the My Network Places icon on your desktop. If the My Network Places icon does not appear on your desktop, your computer is not configured for networking; you should contact your Network Administrator. If you click My Network Places and do not see your network in the My Network Places window, double-click the Entire Network icon. The Entire Network window opens, displaying the networks and domains available to you.

Understanding the My Network Places Window:
(Figure: the My Network Places window displaying several computers.) Your display will differ from the one shown in this figure and may show more or fewer computers, as well as their names.
But the features of My Network Places and the practice of using it are the same as we describe here. The My Network Places window contains only one Contents pane, unlike the Windows Explorer window, which is divided into two parts: drives and folders on the left, and the contents of the selected drive or folder on the right. If your Toolbar is not showing, choose View, Toolbar from the menu; if you don't see the status bar on your window, choose View, Status Bar from the menu. The status bar displays the number of objects (files and folders) in the window and the number of bytes they take up in memory space when an object is selected. If you select one or more files, the Status Bar changes to display the number of selected files and how many bytes of memory they total. To open any server, computer, or folder, simply double-click the icon representing the resource. Items that appear in My Network Places are items that you have permission to access. The resulting window when a computer icon representing the computer Tweety is clicked shows that this computer has six shared folders. To learn more about sharing your computer, see Lesson 16, "Sharing Workstations and Setting Passwords."

Creating Shortcuts to Network Resources:
You can create shortcuts to computers found in My Network Places on your desktop, saving you from opening My Network Places. You might want to do this if you access a computer or file server frequently. We don't recommend that you create shortcuts for everything in My Network Places, or your desktop can become quite cluttered. To create a shortcut, open My Network Places, locate the resource you want to create a shortcut to, and right-click it with the mouse. Next, drag (with the right mouse button) and drop the resource onto your desktop, and select Create Shortcut(s) Here from the context menu that is displayed. Click the shortcut to access the resource.
Remember though, if you log off or the computer that contains the resource is disconnected from the network, the shortcut will not work.

Closing My Network Places:
You close My Network Places just as you close any other window in Windows 2000, by selecting File, Close from the window menu or by clicking the Close button (X) in the upper-right corner of the My Network Places window. Closing My Network Places does not log you off of the network.

Q9. Define Kerberos. What are the key benefits of Kerberos? How is it managed in a Windows 2000 system?
Ans. Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network like the internet. It uses secret-key cryptography and a trusted third party for authenticating client-server applications and verifying users' identities. Initially developed by the Massachusetts Institute of Technology (MIT) for Project Athena in the late '80s, Kerberos is now the default authorization technology used by Microsoft Windows. Kerberos implementations also exist for other operating systems such as Apple OS, FreeBSD, UNIX, and Linux.

Microsoft rolled out its version of Kerberos in Windows 2000 and it has become the go-to protocol for websites and single sign-on implementations over different platforms. The Kerberos Consortium maintains Kerberos as an open-source project. The protocol derives its name from the legendary three-headed dog Kerberos (also known as Cerberus) from Greek myths, the canine guardian of the entrance to the underworld. Kerberos had a snake tail and a particularly bad temper and, despite one notable exception, was a very useful guardian. But in the protocol's case, the three heads of Kerberos represent the client, the server, and the Key Distribution Center (KDC).
The latter functions as the trusted third-party authentication service. Users, machines and services that use Kerberos depend on the KDC alone, which works as a single process that provides two functions: authentication and ticket granting. KDC "tickets" offer authentication to all parties, allowing nodes to verify their identity securely. The Kerberos authentication process employs conventional shared-secret cryptography that prevents packets traveling across the network from being read or altered, as well as protecting messages from eavesdropping and replay (or playback) attacks.

Key benefits of Kerberos:
* Users' passwords are never sent across the network, encrypted or in plain text. Secret keys are only passed across the network in encrypted form. Hence, a miscreant snooping and logging conversations on a possibly insecure network cannot deduce from the contents of network conversations enough information to impersonate an authenticated user or an authenticated target service.
* Client and server systems mutually authenticate: at each step of the process, both the client and the server systems may be certain that they are communicating with their authentic counterparts.
* Although the preceding discussion did not go into sufficient detail to elucidate the fact, the tickets passed between clients and servers in the Kerberos authentication model include timestamp and lifetime information. This allows Kerberos clients and Kerberized servers to limit the duration of their users' authentication. While the specific length of time for which a user's authentication remains valid after his initial ticket is issued is implementation dependent, Kerberos systems typically use small enough ticket lifetimes to prevent brute-force and replay attacks. In general, no authentication ticket should have a lifetime longer than the expected time required to crack the encryption of the ticket.
* Authentications are reusable and durable.
A user need only authenticate to the Kerberos system once (using his principal and password). For the lifetime of his authentication ticket, he may then authenticate to Kerberized services across the network without re-entering his personal information.
* As a side-effect of the dual-key encryption scheme employed in the Kerberos model, a service-session key is generated which constitutes a shared secret between a particular client system and a particular service. This shared secret may be used as a key for encrypting the conversation between the client and the target service, further enhancing the security of Kerberized transactions.
* Unlike many alternative authentication mechanisms, Kerberos is entirely based on open Internet standards. A number of well-tested and widely-understood reference implementations are available free of charge to the Internet community. Commercial implementations based on the accepted standards are also available.
* Unlike many of its proprietary counterparts, Kerberos has been scrutinized by many of the top programmers, cryptologists and security experts in the industry. This public scrutiny has ensured, and continues to ensure, that any new weaknesses discovered in the protocol or its underlying security model will be quickly analyzed and corrected.

Managed in a Windows 2000 system:
Windows NT uses a proprietary authentication scheme, NT LAN Manager (NTLM) Challenge-Response. With the introduction of Windows 2000, Microsoft changed the default authentication to their version of Kerberos, a public domain authentication scheme developed at MIT (Massachusetts Institute of Technology) as part of Project Athena. Windows 2000 uses Version 5 of Kerberos as defined by RFC 1510. To be standard, Kerberos implementations use the API library described in RFC 1964, the Kerberos Version 5 Generic Security Service Application Programming Interface (GSS-API) Mechanism.
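To make the benefits listed above concrete, here is an added teaching model of the exchange (it is not part of the original answer, not the RFC 1510 protocol, and not code from any Kerberos implementation). The KDC seals a ticket under the service's long-term key and gives the client a copy of the session key sealed under the client's key, so the password never travels; the client proves possession of the session key with a timestamped, nonce-bearing authenticator; the service enforces the ticket lifetime, keeps a replay cache (the same timestamp-plus-nonce check that counters the replay attacks discussed under MitM later in this answer), and replies in a way only the holder of the session key could, giving mutual authentication. The principal names, passwords, salt, timestamps and the hash-based stream cipher are all constructed for this example; real Kerberos uses the AES encryption types from the RFCs, not this toy cipher.

```python
"""Toy Kerberos-style exchange: constructed teaching model, not the real protocol."""
import hashlib
import hmac
import json
import os
import secrets

SALT = b"constructed-realm-salt"   # constructed; real KDCs use per-principal salts


def derive_key(password: str) -> bytes:
    """Long-term key from a password; the password itself never leaves the host."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = length // 32 + 1
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (hash keystream + HMAC tag); stands in for
    the Kerberos encryption types, which use AES."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("bad MAC")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self):
        self.keys = {}                                   # principal -> long-term key

    def register(self, principal: str, password: str):
        self.keys[principal] = derive_key(password)

    def as_request(self, client: str, service: str, now: int, lifetime: int = 300):
        """AS exchange: ticket is opaque to the client (sealed under the service
        key); the client's copy of the session key is sealed under the client key."""
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "key": session,
                                            "start": now, "end": now + lifetime})
        reply = seal(self.keys[client], {"key": session, "service": service})
        return ticket, reply


class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.key, self.kdc = name, derive_key(password), kdc

    def get_ticket(self, service: str, now: int):
        self.ticket, reply = self.kdc.as_request(self.name, service, now)
        self.session = bytes.fromhex(unseal(self.key, reply)["key"])

    def ap_request(self, now: int):
        """AP-REQ: the ticket plus a fresh authenticator (timestamp and nonce)."""
        auth = seal(self.session, {"client": self.name, "time": now,
                                   "nonce": secrets.token_hex(8)})
        return self.ticket, auth

    def verify_service(self, ap_rep: bytes, sent_time: int) -> bool:
        """Mutual authentication: only a holder of the session key (the service
        that could open the ticket) can echo the timestamp back."""
        return unseal(self.session, ap_rep)["time"] == sent_time


class Service:
    CLOCK_SKEW = 300

    def __init__(self, name: str, password: str):
        self.name, self.key, self.seen = name, derive_key(password), set()

    def accept(self, ticket: bytes, auth: bytes, now: int) -> bytes:
        t = unseal(self.key, ticket)                      # forged tickets fail here
        if not t["start"] <= now <= t["end"]:
            raise ValueError("ticket expired")
        session = bytes.fromhex(t["key"])
        a = unseal(session, auth)                         # proves client holds the key
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["time"]) > self.CLOCK_SKEW:
            raise ValueError("authenticator too old")
        replay_id = (a["client"], a["time"], a["nonce"])
        if replay_id in self.seen:                        # replay cache
            raise ValueError("replay")
        self.seen.add(replay_id)
        return seal(session, {"time": a["time"]})         # AP-REP


def demo() -> dict:
    """One honest exchange, then a replayed AP-REQ, then an expired ticket."""
    kdc = KDC()
    kdc.register("alice", "correct horse battery")        # constructed principals
    kdc.register("fileserver", "service-long-term-secret")
    alice = Client("alice", "correct horse battery", kdc)
    fs = Service("fileserver", "service-long-term-secret")
    t0 = 1_700_000_000                                    # constructed clock
    alice.get_ticket("fileserver", t0)
    ticket, auth = alice.ap_request(t0 + 1)
    results = {"mutual_auth": alice.verify_service(fs.accept(ticket, auth, t0 + 1), t0 + 1)}
    for label, when, req in (("replay", t0 + 2, (ticket, auth)),
                             ("expired", t0 + 400, alice.ap_request(t0 + 400))):
        try:
            fs.accept(*req, when)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results
```

Running `demo()` shows the three properties side by side: the honest request yields a service reply the client can verify, the same authenticator presented a second time is rejected by the replay cache, and a request made after the 300-second lifetime is rejected before the authenticator is even examined.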
Microsoft chose not to use the GSS-API directly; instead, Windows 2000 uses a similar set of functions they developed. Windows 2000 supports Kerberos and NTLM for authentication. Legacy, legacy, legacy support: the key to Microsoft's security problems. Because the authentication mechanism is designed to be as transparent as possible, it isn't obvious whether Kerberos or NTLM is used. In general, Windows 2000 uses Kerberos in the following circumstances:
* Authenticating users logging on to Windows 2000 domain controllers
* Authenticating users logging on to Windows 2000 servers and workstations that are members of a Windows 2000 domain
* Authenticating users logging on to standalone Windows 2000 servers and workstations
* Authenticating users accessing a Windows 2000 server or workstation from a Win9x client or NT client configured with the Active Directory add-on

The Windows 2000 operating system implements the standard Kerberos network authentication protocol to improve security and interoperability. While new to Windows, the Kerberos protocol is not new and has been implemented on a number of operating system platforms. This paper describes common scenarios for interoperability between Windows 2000 and other Kerberos implementations.

Q10. What computer security control measures are applied at your study centers? Against what kind of attacks are these measures taken? Prepare a brief note.
Ans. Computer security is the protection of digital information and IT assets from all kinds of malicious threats and attacks. There are different types of computer security which are used to protect an organization's IT infrastructure.
It is also known as cyber security, which is the protection of computer systems such as hardware, software, network and electronic data.

TYPES OF COMPUTER SECURITY
The different types of computer security are application security, network security, internet security, data security, information security and end user security.

1. APPLICATION SECURITY
Application security is the type of cyber security which develops applications by adding security features within them to prevent cyber threats. The threat can be SQL injection, denial of service (DoS) attacks, data breaches or other cyber-attacks. There are some application security tools and techniques, such as firewalls, antivirus software, encryption, and web application firewalls, which can help to prevent cyber-attacks. A web application firewall is designed to protect web applications by filtering and monitoring harmful HTTP traffic.

2. INFORMATION SECURITY
Information security (IS) is the type of computer security which refers to the process and methodology to protect the confidentiality, integrity and availability of computer systems from unauthorized access, use, modification and destruction. It focuses on the CIA triad model, which is to ensure confidentiality, integrity, and availability of data, without affecting organization productivity.

3. NETWORK SECURITY
Network security is another type of IT security; it is the process of preventing and protecting against unauthorized intrusion into computer networks. It is a set of rules and configurations designed to protect the confidentiality, integrity and accessibility of computer network systems and information using both software and hardware technologies.

4. ENDPOINT SECURITY
Human error is a major weak point which is easily exploited by cyber criminals. End users are becoming the largest security risk in any organization.
However, end users are not at fault on their own; it is mostly due to a lack of awareness and ICT policy that they can unintentionally open the virtual gates to cyber attackers. That is why comprehensive security policies, procedures and protocols have to be understood in depth by users who access sensitive information.

5. INTERNET SECURITY
Internet security is the important type of computer security which is defined as a process to create a set of rules and actions to protect computer systems that are connected to the Internet. It is a branch of computer security that deals specifically with internet-based threats such as:

A. HACKING
A hacker is a person who finds weaknesses and exploits vulnerabilities in computer systems or networks to gain access. Hacking refers to activities that exploit a computer system or a network in order to gain unauthorized access or control over systems for illegal purposes.

B. COMPUTER VIRUSES
A computer virus is a software program that can spread from one computer system to another computer without the user's knowledge and performs malicious actions. It has the capability to corrupt or damage data, destroy files, format hard drives or make disks unreadable.

Against what kind of attacks these measures are taken:
A cyber attack is any type of offensive action that targets computer information systems, infrastructures, computer networks or personal computer devices, using various methods to steal, alter or destroy data or information systems.

1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
A denial-of-service attack overwhelms a system's resources so that it cannot respond to service requests. A DDoS attack is also an attack on a system's resources, but it is launched from a large number of other host machines that are infected by malicious software controlled by the attacker.
Unlike attacks that are designed to enable the attacker to gain or increase access, denial-of-service doesn't provide direct benefits for attackers. For some of them, it's enough to have the satisfaction of service denial. However, if the attacked resource belongs to a business competitor, then the benefit to the attacker may be real enough. Another purpose of a DoS attack can be to take a system offline so that a different kind of attack can be launched. One common example is session hijacking, which I'll describe later.

2. Man-in-the-middle (MitM) attack
A MitM attack occurs when a hacker inserts itself between the communications of a client and a server. Here are some common types of man-in-the-middle attacks:

Session hijacking: In this type of MitM attack, an attacker hijacks a session between a trusted client and a network server. The attacking computer substitutes its IP address for the trusted client while the server continues the session, believing it's communicating with the client. For instance, the attack might unfold like this:
1. A client connects to a server.
2. The attacker's computer gains control of the client.
3. The attacker's computer disconnects the client from the server.
4. The attacker's computer replaces the client's IP address with its own IP address and spoofs the client's sequence numbers.
5. The attacker's computer continues the dialog with the server, and the server believes it is still communicating with the client.

IP spoofing: IP spoofing is used by an attacker to convince a system that it is communicating with a known, trusted entity and provide the attacker with access to the system. The attacker sends a packet with the IP source address of a known, trusted host instead of its own IP source address to a target host. The target host might accept the packet and act upon it.

Replay: A replay attack occurs when an attacker intercepts and saves old messages and then tries to send them later, impersonating one of the participants.
This type can be easily countered with session timestamps or a nonce (a random number or a string that changes with time). Currently, there is no single technology or configuration to prevent all MitM attacks. Generally, encryption and digital certificates provide an effective safeguard against MitM attacks, assuring both the confidentiality and integrity of communication. But a man-in-the-middle attack can be injected into the middle of communications in such a way that encryption will not help. For example, attacker "A" intercepts the public key of person "P" and substitutes it with his own public key. Then, anyone wanting to send an encrypted message to P using P's public key is unknowingly using A's public key. Therefore, A can read the message intended for P and then send the message to P, encrypted with P's real public key, and P will never notice that the message was compromised. In addition, A could also modify the message before resending it to P. As you can see, P is using encryption and thinks that his information is protected, but it's not, because of the MitM attack.

So, how can you make sure that P's public key belongs to P and not to A? Certificate authorities and hash functions were created to solve this problem. When person 2 (P2) wants to send a message to P, and P wants to be sure that A will not read or modify the message and that the message actually came from P2, the following method must be used:
1. P2 creates a symmetric key and encrypts it with P's public key.
2. P2 sends the encrypted symmetric key to P.
3. P2 computes a hash function of the message and digitally signs it.
4. P2 encrypts his message and the message's signed hash using the symmetric key and sends the entire thing to P.
5. P is able to receive the symmetric key from P2 because only he has the private key to decrypt the encryption.
6. P, and only P, can decrypt the symmetrically encrypted message and signed hash because he has the symmetric key.
7.
He is able to verify that the message has not been altered because he can compute the hash of the received message and compare it with the digitally signed one. P is also able to prove to himself that P2 was the sender because only P2 can sign the hash so that it is verified with P2's public key.

3. Phishing and spear phishing attacks
A phishing attack is the practice of sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing users to do something. It combines social engineering and technical trickery. It could involve an attachment to an email that loads malware onto your computer. It could also be a link to an illegitimate website that can trick you into downloading malware or handing over your personal information.

Spear phishing is a very targeted type of phishing activity. Attackers take the time to conduct research into targets and create messages that are personal and relevant. Because of this, spear phishing can be very hard to identify and even harder to defend against. One of the simplest ways that a hacker can conduct a spear phishing attack is email spoofing, which is when the information in the "From" section of the email is falsified, making it appear as if it is coming from someone you know, such as your management or your partner company. Another technique that scammers use to add credibility to their story is website cloning: they copy legitimate websites to fool you into entering personally identifiable information (PII) or login credentials.

4. Drive-by attack
Drive-by download attacks are a common method of spreading malware. Hackers look for insecure websites and plant a malicious script into HTTP or PHP code on one of the pages. This script might install malware directly onto the computer of someone who visits the site, or it might redirect the victim to a site controlled by the hackers.
Drive-by downloads can happen when visiting a website or viewing an email message or a pop-up window. Unlike many other types of cyber security attacks, a drive-by doesn't rely on a user to do anything to actively enable the attack: you don't have to click a download button or open a malicious email attachment to become infected. A drive-by download can take advantage of an app, operating system or web browser that contains security flaws due to unsuccessful updates or a lack of updates.

To protect yourself from drive-by attacks, you need to keep your browsers and operating systems up to date and avoid websites that might contain malicious code. Stick to the sites you normally use, although keep in mind that even these sites can be hacked. Don't keep too many unnecessary programs and apps on your device. The more plug-ins you have, the more vulnerabilities there are that can be exploited by drive-by attacks.

5. Password attack
Because passwords are the most commonly used mechanism to authenticate users to an information system, obtaining passwords is a common and effective attack approach. Access to a person's password can be obtained by looking around the person's desk, "sniffing" the connection to the network to acquire unencrypted passwords, using social engineering, gaining access to a password database or outright guessing.

6. SQL injection attack
SQL injection has become a common issue with database-driven websites. It occurs when a malefactor executes a SQL query against the database via the input data sent from the client to the server. SQL commands are inserted into data-plane input (for example, instead of the login or password) in order to run predefined SQL commands. A successful SQL injection exploit can read sensitive data from the database, modify (insert, update or delete) database data, execute administration operations (such as shutdown) on the database, recover the content of a given file, and, in some cases, issue commands to the operating system.
7.
Cross-site scripting (XSS) attack
XSS attacks use third-party web resources to run scripts in the victim's web browser or scriptable application. Specifically, the attacker injects a payload with malicious JavaScript into a website's database. When the victim requests a page from the website, the website transmits the page, with the attacker's payload as part of the HTML body, to the victim's browser, which executes the malicious script. For example, it might send the victim's cookie to the attacker's server, and the attacker can extract it and use it for session hijacking. The most dangerous consequences occur when XSS is used to exploit additional vulnerabilities. These vulnerabilities can enable an attacker to not only steal cookies, but also log keystrokes, capture screenshots, discover and collect network information, and remotely access and control the victim's machine.

8. Eavesdropping attack
Eavesdropping attacks occur through the interception of network traffic. By eavesdropping, an attacker can obtain passwords, credit card numbers and other confidential information that a user might be sending over the network.

9. Birthday attack
Birthday attacks are made against hash algorithms that are used to verify the integrity of a message, software or digital signature. A message processed by a hash function produces a message digest (MD) of fixed length, independent of the length of the input message; this MD uniquely characterizes the message. The birthday attack refers to the probability of finding two random messages that generate the same MD when processed by a hash function. If an attacker calculates the same MD for his message as the user has, he can safely replace the user's message with his, and the receiver will not be able to detect the replacement even if he compares MDs.
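The two injection attacks described above, SQL injection (section 6) and cross-site scripting (section 7), share one root cause: untrusted input reaching an interpreter as code rather than as data. The added example below (not part of the original answer) shows the vulnerable login query next to its parameterized form, and a comment rendered raw next to its output-encoded form, so the difference can be run and checked. The in-memory database, its rows, the user names and the two payload strings are constructed for this demonstration.

```python
"""Injection vs. separation of data and code: SQL placeholders and HTML escaping."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name: str, pw: str) -> list:
    # Input is concatenated into the statement text, so a quote in the data
    # plane changes the structure of the query (the control plane).
    query = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return sorted(row[0] for row in db.execute(query))


def login_safe(db, name: str, pw: str) -> list:
    # Placeholders hand the values to the driver separately from the statement;
    # whatever the input contains, it can only ever be compared as a value.
    query = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in db.execute(query, (name, pw)))


def render_comment(text: str, escape: bool = True) -> str:
    # Output encoding for an HTML text context: html.escape turns <, >, &, "
    # and ' into entities so the browser displays the payload instead of
    # executing it. Without it the stored payload is emitted as markup.
    body = html.escape(text, quote=True) if escape else text
    return f'<p class="comment">{body}</p>'


def demo() -> dict:
    db = make_db()
    # Constructed tautology supplied in the password field: the vulnerable
    # query becomes ... AND pw = '' OR '1'='1', which is true for every row.
    tautology = ("alice", "' OR '1'='1")
    # Constructed stored-XSS payload of the kind the text describes.
    payload = "<script>alert(document.cookie)</script>"
    return {
        "vuln_rows": login_vulnerable(db, *tautology),
        "safe_rows": login_safe(db, *tautology),
        "good_login": login_safe(db, "alice", "s3cret"),
        "raw_emits_script": "<script>" in render_comment(payload, escape=False),
        "escaped_emits_script": "<script>" in render_comment(payload),
        "escaped_html": render_comment(payload),
    }
```

With the tautology input, the string-built query returns every user while the parameterized query returns nothing, and the honest credentials still work through the safe path; the escaped comment contains `&lt;script&gt;` rather than a script tag. The same rule applies to any interpreter that receives user input: keep data and code on separate channels (placeholders, context-aware output encoding) rather than trying to filter "bad" characters.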
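The birthday attack in section 9 is a statement about probability, and the number that matters to a defender is how many messages an attacker must try before two share a digest: roughly the square root of the digest space, not the whole space. The added example below (not part of the original answer) computes that bound and then actually finds a collision against a deliberately truncated 32-bit SHA-256 digest, showing that the two colliding messages are distinct, that they collide only on the truncated digest, and that the full 256-bit digest still tells them apart. The message strings are constructed for the demonstration.

```python
"""Birthday bound and a collision search against a truncated digest."""
import hashlib
import math


def expected_trials(bits: int) -> float:
    """Expected number of random messages before two share a bits-long digest
    (birthday approximation: sqrt(pi/2 * 2^bits))."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_digest(msg: bytes, nbytes: int) -> bytes:
    """SHA-256 cut down to nbytes, standing in for a weak short-digest scheme."""
    return hashlib.sha256(msg).digest()[:nbytes]


def find_collision(nbytes: int, limit: int = 1_000_000):
    """Hash distinct constructed messages until two map to the same truncated
    digest. Returns (msg_a, msg_b, trials) or None if the limit is reached."""
    seen = {}
    for i in range(limit):
        msg = f"constructed-message-{i}".encode()
        d = truncated_digest(msg, nbytes)
        if d in seen:
            return seen[d], msg, i + 1
        seen[d] = msg
    return None


def demo() -> dict:
    found = find_collision(4)          # 32-bit digest: about 82,000 trials expected
    if found is None:
        raise RuntimeError("no collision within the trial limit")
    m1, m2, trials = found
    return {
        "trials": trials,
        "distinct_messages": m1 != m2,
        "truncated_equal": truncated_digest(m1, 4) == truncated_digest(m2, 4),
        "full_equal": hashlib.sha256(m1).digest() == hashlib.sha256(m2).digest(),
        "bound_32_bits": expected_trials(32),
        "bound_256_bits": expected_trials(256),
    }
```

The 32-bit search finishes in well under a second on ordinary hardware, which is the whole point: a digest must be long enough that the square-root bound (about 2^128 work for a 256-bit digest) is out of reach, and a scheme that truncates or uses a short hash loses that margin regardless of how strong the underlying function is.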
10. Malware attack
Malicious software can be described as unwanted software that is installed in your system without your consent. It can attach itself to legitimate code and propagate; it can lurk in useful applications or replicate itself across the Internet.

Q11. (a) Differentiate between a dial-up connection and a VPN connection for remote access. List the requirements to set up a VPN connection. Explain the steps for configuring a Windows 2000 VPN.
Ans. Dial-up is traditionally a method using a modem and the POTS (plain old telephone service) to call another modem, either at an ISP for internet access or to access a private network/system. A VPN is a virtual private network, which explicitly uses the internet to establish a personal network inside an encrypted tunnel. It was a more affordable alternative than using traditional packet switching networks.

Requirements to set up a VPN connection:
I was trying to meet the following requirements, which are different from what others often want from a VPN:
1. support multiple concurrent VPN connections from mobile devices with a minimum of administration effort and a maximum amount of transparency to the mobile device user
2. ensure the user can override the VPN capability if required ("smart" services should always have a "lobotomy button")
3. VPN connections are secure/encrypted; this rules out protocols such as "straight" L2TP (i.e., without IPSec) and PPTP (a compromised protocol). For us, this leaves IPSec and OpenVPN as two "zero-cost" options
4. a VPN-connected iOS device routes all the device's traffic through our network, i.e.:
   * all the iOS device's traffic goes through our network and is encrypted while doing so, so the cellular data and WiFi parts of the device's traffic can't be "monitored"
   * all unencrypted (and normal SSL browsing, etc.)
traffic emanates only from our LAN (through our network's land-based/hard-wired router)
   • this gives our mobile devices the benefit of some "bad site" filters provided by our firewall appliance
   • this differs from the more common VPN strategy wherein only the traffic between the VPN-connected site and the mobile device is encrypted and all the mobile device's traffic to other sites is via direct and possibly unencrypted routes to those sites
5. a VPN-connected device has access to our internal network, appears to reside on our LAN and is subject to our router/firewall configuration
6. VPN connections are driven by certificates and the User is not required to enter a password to create a VPN connection (even though the devices themselves have reasonably long access passwords, this "no password entry" requirement does add some risk in the event of a compromised device)
7. VPNs are configured to use self-signed certificates to reduce the security and administrative impact if a device is lost and its certificate information is compromised
8. when the device is connected to our WiFi network, no VPN connection is made and any existing VPN connection is automatically turned OFF
9. when the device is connected to some other WiFi network, the VPN connection to our network is automatically turned ON
10. when the device is connected to the cellular data network, the VPN connection to our network is automatically turned ON
11. when the VPN connection is via OpenVPN (the preferred method), first attempt to connect via one of multiple UDP ports and, failing that, use TCP port 443 (i.e., in an attempt to avoid blockages by firewalls and proxy servers)
12. in any case, a VPN connection should not be attempted if a VPN connection couldn't be supported (i.e., by our network)

Steps for configuring Windows 2000 VPN:
1. Go to Start / Programs / Administrative Tools / Routing and Remote Access
2. Right click on the Server name
3. Select Configure and Enable Routing and Remote Access
4. At the Setup Wizard, click on the Next button
5. Select Virtual private network (VPN) server
6.
Click on the Next button
7. Select all the Protocol(s) needed by the clients
8. Select the network adapter that is connected to the internet
9. Select how you want IP addresses assigned (either DHCP or Specified)
10. Click on the New button
11. Specify the range of IP addresses you want to use
12. Generally you can select No for setting up a RADIUS server
13. This will finish the install of the VPN server.

(b) Discuss the protocols and tools for providing secure VPN services.

Ans. VPN stands for Virtual Private Network, which allows a user to connect to a private network over the internet securely and privately. A VPN creates an encrypted connection that is called a VPN tunnel, and all Internet traffic and communication is passed through this secure tunnel.

Virtual Private Networks (VPNs) are basically of 2 types:
1. Remote Access VPN: A Remote Access VPN permits a user to connect to a private network and access all its services and resources remotely. The connection between the user and the private network occurs through the Internet, and the connection is secure and private. Remote Access VPN is useful for both home users and business users. An employee of a company, while he/she is out of station, uses a VPN to connect to his/her company's private network and remotely access files and resources on the private network. Private users or home users of VPN primarily use VPN services to bypass regional restrictions on the internet and access blocked websites. Users aware of Internet security also use VPN services to enhance their Internet security and privacy.
2. Site to site VPN: A Site-to-Site VPN is also called a Router-to-Router VPN and is commonly used in large companies.
Companies or organizations with branch offices in different locations use Site-to-site VPN to connect the network of one office location to the network at another office location.
• Intranet based VPN: When several offices of the same company are connected using the Site-to-site VPN type, it is called an intranet based VPN.
• Extranet based VPN: When companies use the Site-to-site VPN type to connect to the office of another company, it is called an Extranet based VPN.
Basically, a Site-to-site VPN creates an imaginary bridge between the networks at geographically distant offices, connects them through the internet and sustains a secure and private communication between the networks. In a Site-to-site VPN one router acts as a VPN Client and another router as a VPN Server, as it is based on Router-to-Router communication. Only when the authentication is validated between the two routers does the communication start.

Types of Virtual Private Network (VPN) Protocols:
1. Internet Protocol Security (IPSec): Internet Protocol Security, known as IPSec, is used to secure Internet communication across an IP network. IPSec secures Internet Protocol communication by authenticating the session and encrypting each data packet during the connection. IPSec runs in 2 modes:
• Transport mode
• Tunnel mode
Transport mode encrypts only the payload of each IP packet, leaving the original IP header in the clear, whereas tunnel mode encrypts the whole original IP packet (header included) and wraps it in a new IP header; tunnel mode is therefore the mode used between gateways in site-to-site VPNs, where the real source and destination addresses should stay hidden. IPSec can also be used with other protocols (such as L2TP) to improve the security of the system.
2. Layer 2 Tunneling Protocol (L2TP): L2TP or Layer 2 Tunneling Protocol is a tunneling protocol that is often combined with another VPN security protocol like IPSec to establish a highly secure VPN connection. L2TP generates a tunnel between two L2TP connection points but provides no encryption of its own, so the IPSec protocol encrypts the data and maintains secure communication through the tunnel.
3.
Point-to-Point Tunneling Protocol (PPTP): PPTP or Point-to-Point Tunneling Protocol generates a tunnel and encapsulates the data packet. Point-to-Point Protocol (PPP) frames are carried inside the tunnel and encrypted with MPPE (Microsoft Point-to-Point Encryption). PPTP is one of the most widely used VPN protocols and has been in use since the early releases of Windows; it is also available on Mac and Linux. Its MS-CHAPv2 authentication has been broken and the MPPE keys derive from it, so PPTP should not be relied on where confidentiality matters.
4. SSL and TLS: SSL (Secure Sockets Layer) and TLS (Transport Layer Security) generate a VPN connection where the web browser acts as the client and user access is restricted to specific applications instead of the entire network. Online shopping websites commonly use the SSL and TLS protocols. It is easy to switch to SSL in web browsers, with almost no action required from the user, as web browsers come integrated with SSL and TLS; the URL of an SSL/TLS connection begins with "https" instead of "http".
5. OpenVPN: OpenVPN is an open source VPN that is commonly used for creating Point-to-Point and Site-to-Site connections. It uses a custom security protocol based on the SSL and TLS protocols.
6. Secure Shell (SSH): Secure Shell or SSH generates the VPN tunnel through which the data transfer occurs and also ensures that the tunnel is encrypted. SSH connections are generated by an SSH client, and data is transferred from a local port on to the remote server through the encrypted tunnel (SSH port forwarding).

Q12. Explain in detail the tasks performed by a firewall. What is the need of a firewall policy?

Ans. A firewall is a network security device, either hardware or software-based, which monitors all incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects or drops that specific traffic.
• Accept: allow the traffic
• Reject: block the traffic but reply to the sender (an ICMP "destination unreachable" message, or a TCP RST for TCP connections), so the sender learns immediately that it is blocked
• Drop: block the traffic with no reply, so the sender only sees a timeout
A firewall establishes a barrier between secured internal networks and an outside untrusted network, such as the Internet.
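The accept/reject/drop actions above, and the ordered rule table that the Work paragraph below describes (HR blocked from the code server, the system administrator allowed everywhere), are shown here in an added Python example that is not part of the original assignment. It is a minimal first-match packet filter: each rule carries a direction, protocol, source/destination network, port or ICMP type, and the packet is evaluated against the rules in order. The subnets and host addresses are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" (arriving at the server) or "out" (sent by it)
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP type (8 = echo request); ICMP has no ports


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept", "reject" or "drop"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Every field that the rule specifies must match; unspecified fields are wildcards."""
        return (
            self.direction in ("*", p.direction)
            and self.proto in ("*", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
            and (self.icmp_type is None or self.icmp_type == p.icmp_type)
        )


def sender_sees(action: str, p: Packet) -> str:
    """What the other end observes: reject answers explicitly, drop stays silent."""
    if action == "accept":
        return "forwarded"
    if action == "drop":
        return "nothing (times out)"
    return "TCP RST" if p.proto == "tcp" else "ICMP destination unreachable"


def evaluate(rules: List[Rule], p: Packet, default: str = "drop") -> Tuple[str, str]:
    """First matching rule wins; a packet matching no rule gets the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action, sender_sees(r.action, p)
    return default, sender_sees(default, p)


# Constructed rule set for the page's scenario (addresses are assumptions).
HR_NET, CODE_SERVER, ADMIN_HOST = "10.1.0.0/24", "10.2.0.10/32", "10.0.0.5/32"
RULES = [
    Rule("accept", direction="out"),                                          # server's own traffic
    Rule("accept", direction="in", src=ADMIN_HOST),                           # sysadmin reaches everything
    Rule("reject", direction="in", src=HR_NET, dst=CODE_SERVER),              # HR blocked from code server
    Rule("accept", direction="in", proto="tcp", dst=CODE_SERVER, dport=443),  # everyone else: HTTPS only
    Rule("accept", direction="in", proto="icmp", icmp_type=8),                # ping allowed
]

if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "10.1.0.7", "10.2.0.10", dport=443),    # HR user to code server
        Packet("in", "tcp", "10.0.0.5", "10.2.0.10", dport=22),     # sysadmin, SSH
        Packet("in", "tcp", "10.3.0.9", "10.2.0.10", dport=22),     # unknown host, SSH
        Packet("in", "icmp", "10.3.0.9", "10.2.0.10", icmp_type=8),  # ping
    ]
    for p in samples:
        print(p, "->", evaluate(RULES, p))
```

Rule order is the point of the example: the administrator's accept sits above the HR reject, so swapping the two lines would lock the administrator out of the code server if the administrator's host were inside the HR subnet, and the unmatched-packet default of "drop" is what stops an unlisted host from learning which ports exist.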
Work: A firewall matches the network traffic against the rule set defined in its table. Once a rule is matched, the associated action is applied to the network traffic. For example, rules are defined such that any employee from the HR department cannot access the data on the code server, and at the same time another rule is defined so that the system administrator can access the data of both the HR and technical departments. Rules can be defined on the firewall based on the necessity and security policies of the organization. In most firewalls the first matching rule wins, so rule order matters: a specific exception (the administrator) has to come before the broader restriction (the HR subnet).

From the perspective of a server, network traffic can be either outgoing or incoming. The firewall maintains a distinct set of rules for both cases. Mostly the outgoing traffic, originating from the server itself, is allowed to pass. Still, setting rules on outgoing traffic is always better in order to achieve more security and prevent unwanted communication, for example a compromised server connecting back to an attacker.

Incoming traffic is treated differently. Most traffic which reaches the firewall uses one of three protocols: TCP or UDP (transport layer) or ICMP (which is carried directly inside IP). All of these have a source address and a destination address. TCP and UDP additionally have port numbers, while ICMP uses a type and code field instead of a port number to identify the purpose of the packet.

Firewall Policy: A firewall is an appliance (a combination of hardware and software) or an application (software) designed to control the flow of Internet Protocol (IP) traffic to or from a network or electronic equipment. Firewalls are used to examine network traffic and enforce policies based on instructions contained within the firewall's ruleset. Firewalls represent one component of a strategy to combat malicious activities and assaults on computing resources and network-accessible information. Other components include, but are not limited to, antivirus software, intrusion detection software, patch management, strong passwords/passphrases, and spyware detection utilities.
Firewalls are typically categorized as either "Network" or "Host". A Network Firewall is most often an appliance attached to a network for the purpose of controlling access to single or multiple hosts, or subnets; a Host Firewall is most often an application that addresses an individual host (e.g., a personal computer) separately. Both types of firewalls (Network and Host) can be and often are used jointly. This policy statement is designed to:
• Provide guidance on when firewalls are required or recommended. A Network Firewall is required in all instances where Sensitive Data is stored or processed; a Host Firewall is required in all instances where Sensitive Data is stored or processed and the operating environment supports the implementation. Both the Network and Host Firewalls afford protection to the same operating environment, and the redundancy of controls (two separate and distinct firewalls) provides additional security in the event of a compromise or failure.
• Raise awareness of the importance of a properly configured (installed and maintained) firewall.

Q13. What strategies are used in hardening Windows 2000 OS and its file system? Discuss.

Ans. Strategies used in hardening the Windows 2000 OS:
• Determining how many times TCP retransmits an unacknowledged data segment on an existing connection. TCP retransmits data segments until they are acknowledged or until this value expires.
• Disabling ICMP Router Discovery Protocol (IRDP), through which an attacker may remotely add default route entries on a remote system.
• Adjusting the retransmission of SYN-ACKs during a SYN flood.
This makes connection responses time out more quickly, so half-open connections created by the flood are discarded sooner.
Disabling these services:
• Telnet
• Universal Plug and Play Device Host
• IIS (not installed by default)
• NetMeeting Remote Desktop Sharing
• Remote Desktop Help Session Manager
• Remote Registry
• Routing & Remote Access
• SSDP Discovery Service
Accounts:
• Disable any non-active accounts and delete any accounts which are no longer required
• Disable Guest accounts
Use the Local Security Policy snap-in to strengthen the system policies for password acceptance. Microsoft suggests that you make the following changes:
• Set the minimum password length to at least 8 characters
• Set a minimum password age appropriate to your network (typically between 1 and 7 days)
• Set a maximum password age appropriate to your network (typically no more than 42 days)
• Set a password history ("Enforce password history") of at least 6 passwords remembered
• Disable enumeration of SIDs. Even after renaming the Guest and Administrator accounts, an intruder armed with the right software can still find the real account by enumerating the account SIDs (Security Identifiers), because renaming an account does not change its SID: the built-in Administrator account always has a relative identifier (RID) of 500. Once an account name has been identified (an attacker is looking for an Administrator account here), a brute-force attack on the password is usually the next step. This can be avoided by not allowing anonymous enumeration of account SIDs (the RestrictAnonymous setting).
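The TCP/IP, SID-enumeration and password-policy settings above are all registry values or one `net accounts` command, so they can be audited and applied from a script. The following Python script is an added example, not part of the original assignment: it lists the documented Windows 2000 registry value names for the items discussed (SYN-ACK retransmission via SynAttackProtect and TcpMaxConnectResponseRetransmissions, TcpMaxDataRetransmissions, PerformRouterDiscovery for IRDP, RestrictAnonymous for SID enumeration), reports any drift from the desired values, and writes them when run with `--apply`. The chosen target values and the assumption that the Python build runs on the host as Administrator are the example's own; `find_drift` works on a plain dictionary so it can be exercised on a constructed registry snapshot without Windows.

```python
"""Audit, and optionally apply, Windows 2000 TCP/IP stack and LSA hardening values.
Run as Administrator on the target host: reports drift; `--apply` writes the values."""
import subprocess
import sys
from typing import Dict, Optional, Tuple

TCPIP = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
IFACES = TCPIP + r"\Interfaces"
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"

# Desired REG_DWORD values, keyed by (registry path under HKLM, value name).
DESIRED: Dict[Tuple[str, str], int] = {
    # SYN flood: SynAttackProtect=2 cuts back SYN-ACK retransmission so half-open
    # connections time out sooner; the second value caps SYN-ACK retries outright.
    (TCPIP, "SynAttackProtect"): 2,
    (TCPIP, "TcpMaxConnectResponseRetransmissions"): 2,
    # How many times TCP retransmits an unacknowledged data segment (default 5).
    (TCPIP, "TcpMaxDataRetransmissions"): 3,
    # Ignore ICMP redirects, another way for a remote host to alter the routing table.
    (TCPIP, "EnableICMPRedirect"): 0,
    # Block anonymous SID/name enumeration; on Windows 2000, 2 = no access without
    # explicit anonymous permissions (1 only restricts, and still allows SID lookups).
    (LSA, "RestrictAnonymous"): 2,
}
# IRDP is switched off per network interface, under Tcpip\Parameters\Interfaces\<GUID>.
PER_INTERFACE = {"PerformRouterDiscovery": 0}


def find_drift(current: Dict[Tuple[str, str], Optional[int]],
               desired: Dict[Tuple[str, str], int] = DESIRED) -> Dict[Tuple[str, str], Tuple[Optional[int], int]]:
    """Return {(path, name): (current, desired)} for every value that is missing or differs."""
    return {k: (current.get(k), want) for k, want in desired.items() if current.get(k) != want}


def read_registry(desired: Dict[Tuple[str, str], int]) -> Dict[Tuple[str, str], Optional[int]]:
    import winreg  # Windows only; imported lazily so the audit logic stays testable elsewhere
    current: Dict[Tuple[str, str], Optional[int]] = {}
    for path, name in desired:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                current[(path, name)] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            current[(path, name)] = None  # value (or key) absent: Windows uses its default
    return current


def interface_targets() -> Dict[Tuple[str, str], int]:
    """Expand PER_INTERFACE into one (path, name) entry per interface GUID subkey."""
    import winreg
    targets: Dict[Tuple[str, str], int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFACES) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            guid = winreg.EnumKey(key, i)
            for name, value in PER_INTERFACE.items():
                targets[(IFACES + "\\" + guid, name)] = value
    return targets


def apply_values(drift: Dict[Tuple[str, str], Tuple[Optional[int], int]]) -> None:
    import winreg
    for (path, name), (_, want) in drift.items():
        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, want)


# Password policy as listed on the page: min length 8, min age 1 day, max age 42, history 6.
NET_ACCOUNTS = ["net", "accounts", "/minpwlen:8", "/minpwage:1", "/maxpwage:42", "/uniquepw:6"]

if __name__ == "__main__":
    wanted = {**DESIRED, **interface_targets()}
    drift = find_drift(read_registry(wanted), wanted)
    for (path, name), (have, want) in drift.items():
        print(f"{path}\\{name}: have {have!r}, want {want}")
    if "--apply" in sys.argv:
        apply_values(drift)
        subprocess.run(NET_ACCOUNTS, check=True)
        print("values written; reboot for the TCP/IP parameters to take effect")
```

The TCP/IP parameters are read at driver start, so the report is only accurate against the running stack after a reboot; the script deliberately writes nothing unless asked, because a hardening change that is applied without first being reviewed against the audit output is how a server loses its management access.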
