Wednesday, December 3, 2008

Network Access Protection Using 802.1x VLAN’s or Port ACLs

Given that the NAC (Network Access Control) market is one of the hottest segments in the industry (I think virtualization has that distinction at the moment), it is fitting to take a look at the variety of options available from Microsoft's Network Access Protection (NAP). NAP supports a variety of what we call enforcement methods. In the NAP space, an enforcement method is simply a term that defines the way a machine connects to a network. In NAP, these are DHCP, 802.1x (wired or wireless), VPN, IPsec, or via a Terminal Services Gateway.

The most common method on the list is 802.1x, for a variety of reasons. First, the industry has been selling 802.1x network authentication for the last 10 years. 1x gained tremendous popularity as wireless networking became prevalent in the late 90's and early 2000's and has proven to be a viable solution for identifying assets and users on your network. For customers that have invested in 802.1x capable switches and access points, NAP can very easily be implemented to complement what is already in place. The Network Policy Server (NPS) role in Windows Server 2008 has been dramatically improved to make 802.1x policy creation much simpler to do; however, what many people don't realize is that there really are 2 rather distinct ways to deploy 802.1x based NAP, and this is what we will be discussing today. These 2 methods are commonly referred to as the use of VLANs or Port ACLs.

VLAN

Since we are talking about this in the context of NAP, this would be a good time to introduce the fact that taking the VLAN approach essentially requires that you involve the folks that own your switching infrastructure in your NAP plans. Why, you ask? Because you will now be asking them to touch all the switches and APs on the network to create the VLAN structure that you will need for your NAP deployment. At a minimum, you would want to create 3 different VLANs: one for 'healthy' or compliant computers, one for 'unhealthy' or non-compliant computers, and a third VLAN for guests, or unknown devices that cannot meet the port's requirement to do 802.1x authentication.

In the VLAN scenario, on your RADIUS server (i.e. our NPS server) you would create a policy that has a set of attributes with values matching the VLAN you have created on the switch. The most common attributes used are Tunnel-Private-Group-ID, Tunnel-Tag and Filter-ID. The values for these attributes usually match the VLAN name or number you created on the switch.

As an example, let's say on your switch VLAN 100 is the compliant VLAN and VLAN 200 is the non-compliant VLAN.

To make this work, when you walk through the wizard in NPS to create 802.1x policies you will create a compliant and a non-compliant policy. When prompted to insert values for these attributes you will enter "100" for your compliant policy (i.e. Tunnel-Private-Group-ID = 100) and "200" for the non-compliant policy. Our wizard-based configuration makes this very easy.

Once completed, when a machine comes onto your network and meets the criteria of one of the policies you created, the NPS will send this tunnel information back to the switch to instruct the switch to put that machine in the proper VLAN. Pretty simple and straightforward.

Port ACLs

There are 2 approaches here.

  1. You send the switch a 'reference' to an ACL you have already created on the switch
  2. You send the switch vendor specific attributes with values that tell the switch how to ACL the port


In scenario 1, you would do the heavy configuration on the switch by creating the ACLs you would want for compliant and non-compliant machines. Most likely those ACL's would restrict protocols and ports and access to only certain IP addresses. For this example let's say you have named your ACL's "compliant" and "non-compliant".

In your RADIUS server you would use something like the Filter-ID attribute (this is the most commonly supported attribute) with a string value of "compliant" or "non-compliant". When received the switch will then know what ACL to apply to that port.

In scenario 2, instead of configuring and sending the Filter-ID attribute, you would create Vendor Specific Attributes (VSAs) (this is a common concept in the RADIUS protocol) that tell the switch explicitly what ACLs to apply to that port. For example, the HP ProCurve line of switches will accept the following Vendor Specific Attribute (VSA):

permit in udp from any to 10.10.10.2 53

This essentially says 'allow any DNS traffic on this port to IP address 10.10.10.2'. The assumption is that 10.10.10.2 is your DNS server.
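To make concrete what the NPS actually hands back to the switch in each of the three cases above (the VLAN approach with tunnel attributes, Port ACL scenario 1 with Filter-Id naming a pre-built ACL, and Port ACL scenario 2 with a vendor-specific attribute carrying the rule itself), here is an added Python example; it is not code from this post or from Microsoft. It encodes the attributes per RFC 2865 and RFC 2868 and then decodes them the way a switch would before acting on them. The VLAN IDs 100/200, the ACL names and the ProCurve rule string are the post's own values; the two companion attributes Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6) are what RFC 3580 requires alongside Tunnel-Private-Group-ID. The vendor-type number used for the VSA and the policy table are assumptions.

```python
import struct

# RADIUS attribute type codes (RFC 2865, RFC 2868)
FILTER_ID = 11
VENDOR_SPECIFIC = 26
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
NAMES = {FILTER_ID: "Filter-Id", VENDOR_SPECIFIC: "Vendor-Specific",
         TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}

# Values RFC 3580 prescribes for VLAN assignment over 802.1X
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

HP_VENDOR_ID = 11        # Hewlett-Packard's IANA enterprise number
VSA_ACL_RULE_TYPE = 61   # ASSUMPTION: placeholder vendor-type; take the real one from your switch's RADIUS dictionary


def attr(code, value):
    """One RADIUS attribute: Type, Length (covers the 2-byte header), Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 bytes")
    return bytes([code, len(value) + 2]) + value


def tagged_int(code, tag, value):
    # RFC 2868 tagged integer: tag byte followed by a 3-byte big-endian value
    return attr(code, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(code, tag, text):
    # RFC 2868 tagged string: tag byte (0x01..0x1F) followed by the text
    return attr(code, bytes([tag]) + text.encode())


def vsa(vendor_id, vendor_type, data):
    # RFC 2865 Vendor-Specific: 4-byte Vendor-Id, then a vendor Type/Length/Value
    inner = bytes([vendor_type, len(data) + 2]) + data
    return attr(VENDOR_SPECIFIC, struct.pack(">I", vendor_id) + inner)


def vlan_attrs(vlan_id, tag=1):
    """VLAN approach: the three attributes that move the port into vlan_id."""
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def filter_id_attrs(acl_name):
    """Port ACL scenario 1: reference an ACL already configured on the switch."""
    return attr(FILTER_ID, acl_name.encode())


def vsa_acl_attrs(rules, vendor_id=HP_VENDOR_ID, vendor_type=VSA_ACL_RULE_TYPE):
    """Port ACL scenario 2: ship the rules themselves, one VSA per rule."""
    return b"".join(vsa(vendor_id, vendor_type, r.encode()) for r in rules)


# Constructed policy table using the post's values: VLAN 100/200, ACLs "compliant"/"non-compliant"
POLICY = {
    ("compliant", "vlan"): lambda: vlan_attrs(100),
    ("non-compliant", "vlan"): lambda: vlan_attrs(200),
    ("compliant", "filter-id"): lambda: filter_id_attrs("compliant"),
    ("non-compliant", "filter-id"): lambda: filter_id_attrs("non-compliant"),
    ("compliant", "vsa"): lambda: vsa_acl_attrs(["permit in udp from any to 10.10.10.2 53"]),
}


def access_accept_attrs(health, method):
    """Attributes NPS would return for a client of the given health under the chosen enforcement style."""
    return POLICY[(health, method)]()


def parse_attrs(blob):
    """Decode a run of attributes the way the switch does, returning (name, tag, value) triples."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        code, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length at offset %d" % i)
        value = blob[i + 2:i + length]
        i += length
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("%s must be 4 bytes" % NAMES[code])
            out.append((NAMES[code], value[0], int.from_bytes(value[1:], "big")))
        elif code == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte <= 0x1F is a tag; otherwise the whole value is the string
            tag, text = (value[0], value[1:]) if value and value[0] <= 0x1F else (None, value)
            out.append((NAMES[code], tag, text.decode()))
        elif code == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("Vendor-Specific too short")
            vendor_id = struct.unpack(">I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            out.append((NAMES[code], vendor_id, (vtype, value[6:4 + vlen].decode())))
        elif code == FILTER_ID:
            out.append((NAMES[code], None, value.decode()))
        else:
            out.append((code, None, value))
    return out


if __name__ == "__main__":
    for key in POLICY:
        print(key, parse_attrs(access_accept_attrs(*key)))
```

The decoder is deliberately strict about lengths: a RADIUS client that trusts the Length byte without checking it against the packet is the kind of parsing bug that turns a malformed Access-Accept into a crash on the switch, so this is the check a switch implementer (and anyone writing a RADIUS test harness) wants.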

The pros and cons of the 2 port ACL approaches are fairly similar as well.

  1. Pros, simplified RADIUS server configuration, less prone to mistakes in the RADIUS server configuration; Cons, required to touch your entire switching infrastructure, ACL configuration isn't centralized
  2. Pros, doesn't require you to touch your entire switching infrastructure, configuration can be centralized on your RADIUS servers; Cons, more complex RADIUS server configuration, prone to mistakes in ACL configuration on the RADIUS server


Comparing the 2 approaches


Now that everyone understands what is required for each approach, let's take a look at some of the pro's and con's of each.

VLAN


+ The concept of VLAN's is one that is easy to explain that even a manager can figure out!

+ Doesn't require extensive knowledge of the RADIUS protocol to set up and anyone who's anyone at a switch CLI could get this set up pretty easily

+ Makes helpdesk troubleshooting a bit simpler by being able to quickly find out why a machine can't connect to (insert your answer here). It would go something like "Oh, you can't get to your mail because you're in VLAN 200!"


- The user experience can be very poor if the machine is being dynamically moved from VLAN to VLAN (which is essentially what NAP does). This is because when a machine changes VLANs the interface on the machine is torn down and it essentially does an ipconfig /release /renew.

- If not properly designed, this can be a real helpdesk nightmare. A common mistake here is to ACL down the non-compliant VLAN to not have any corporate access, which is a mistake since that machine may need to re-authenticate itself with the network after NAP has remediated it

- Requires you to touch all of your switches and AP's to do the VLAN creation and management.

- For NAP, your AP's and switches will need to support the ability to do dynamic VLAN assignment and not all switches and AP's support this concept. In fact, not all firmware versions from the same manufacturer support this, so an upgrade may be required.


Port ACL


+ Can possibly be implemented without having to touch all your switches and AP's since the configuration would reside on the NPS Server. This can also be seen as a political positive as well since infrastructure folks and server folks are commonly separate teams with separate objectives that rarely overlap.

+ The actual enforcement of the ACL is done at the switch or AP and thus offers the user a more pleasant experience since even if the machine is moving from a compliant to a non-compliant state (or vice versa) it is handled at the switch and not on the client machine (no ipconfig /release /renew)

+ The attributes and values required in your NPS policy to make this scenario work are commonly supported and have been for some time, so the chance of having to do a hardware upgrade in this scenario are less likely


- To really make this work effectively in an enterprise you really need to know the ins and outs of your switches and what is and is not supported, not to mention you must be a pretty good RADIUS geek as well to get this working (we are a dying breed these days… :) )

- Troubleshooting and helpdesk support in this scenario is a bit more complicated since your NPS policy for this could have multiple ACLs in it that look like this (permit in udp from any to 10.10.10.2 53). It would not be uncommon to have 10-12 lines like this in your policy, which makes figuring out why a machine can't connect to a resource on the network much harder.

- Finding accurate documentation on exactly what attributes and values are supported for your device(s) can be a challenge

In conclusion

Hopefully now you have a better understanding of what 802.1x authentication support in NAP can offer you. 1x is a very powerful means of maintaining a safe and healthy network, but it's not the ultimate solution by any means. Network security and health is an ongoing exercise that may require multiple solutions to achieve your business goals (like using 1x and IPsec together, for instance).


Tuesday, December 2, 2008

Network HUBs

Hubs and switches function as a common connection point for the workstations, printers, file servers and other devices that make up a network. The main difference between hubs and switches is the way in which they communicate with the network.

What is a Hub?

A hub functions as the central connection point of a network. It joins together the workstations, printers, and servers on a network, so they can communicate with each other. Each hub has a number of ports that connect it to the other devices via a network cable.

How does a Hub work?

A hub is an inexpensive way to connect devices on a network. Data travels around a network in 'packets' and a hub forwards these data packets out to all the devices connected to its ports.

As a hub distributes packets to every device on the network, when a packet is destined for only one device, every other device connected to the hub receives that packet. Because all the devices connected to the hub are contending for transmission of data the individual members of a shared network will only get a percentage of the available network bandwidth. This process can slow down a busy network.

A 10Base-T Ethernet hub provides a total of 10 Mbit/sec of bandwidth, which all users share. If one person on the network is downloading a very large file, for example, little or no bandwidth is available for other users. These users will experience very slow network performance.

What is a Switch?

A switch is more sophisticated than a hub, giving you more options for network management, as well as greater potential to expand. A switch filters the data packets, and only sends the packet to the port which is connected to the destination address of that packet. It does this by keeping a table of each destination address and its port. When the switch receives a packet, it reads the destination address and then establishes a connection between the source port and the destination port. After the packet is sent, the connection is terminated.

What are the advantages of a Switch?

A switch provides higher total throughput than a hub because it can support multiple simultaneous conversations. For example, when a 100Mbit/sec hub has five workstations, each receives only 20Mbit/sec of the available bandwidth. When a 10/100Mbit/sec switch is used every port on the switch represents a dedicated 100Mbit/sec path, so each workstation receives 100Mbit/sec of bandwidth.

Switches also run in full duplex mode, which allows data to be sent and received across the network at the same time. Switches can effectively double the speed of the network when compared to a hub which only supports half duplex mode.

Why choose one of our Switches?

Switches improve the performance and efficiency of a network and should be used when you:

  • Need to make best use of the available bandwidth
  • Have multiple file servers
  • Require improved performance from file servers, web servers or workstations
  • Use high speed multi-media applications
  • Are adding a high speed workgroup to a 10Mbit/sec LAN
  • Plan to upgrade from 10 to 100Mbit/sec or Gigabit network

The standard features on all N-Way switches are:

  • 10/100Mbit/sec Auto-Negotiation on all ports, the switch automatically senses the speed of the attached device and configures the port for the proper speed. This simplifies deployment in mixed Ethernet and Fast Ethernet environments
  • Auto MDI/MDI-X auto-detects whether the connected cable type is normal or cross-over
  • Full or Half Duplex operation

Which Switch do I need?

If you are setting up a home or small office network an ideal solution is to use a switch with 5 to 8 ports. Switches can be linked together as your network expands.

For a good entry level switch to meet this requirement we recommend the 5 Port 10/100Base-TX Ethernet N-Way Switch (Part No. 32981) or the 8 Port 10/100Base-TX Fast Ethernet N-Way Switch (Part No. 32982)

The compact 8 Port 10/100Base-TX Fast Ethernet Switch features Auto MDI/MDI-X on all ports, 10/100Mbit/sec Auto-Negotiation, and full and half-duplex modes and can be desktop or wall mounted.

If you require a larger switch with rackmount capability choose the 16 Port 10/100 Base-TX Fast Ethernet N-Way Switch (Part No. 25020) or 24 Port 10/100 Base-TX Fast Ethernet N-Way Switch (Part No. 25021).

These 19" rackmount switches are the perfect solution for expanding a 10/100 network.

Gigabit Ethernet Switches

Our GIGA N-Way Switches provide cost effective scalability of the network by utilising the existing copper CAT5e cabling environment. Connectivity is not sacrificed because the same cabling is used for Ethernet, Fast Ethernet and Gigabit Ethernet.

These switches also incorporate VLAN technology. This feature is accessed from a console port on the switch and provides network administrators advanced configuration options and the ability to set up “virtual” LANs which function as separate, secure network segments.

The LINDY 24 Port 10/100Base-TX + 2 Port 1000Base-T GIGA N-Way Switch (Part No. 25000) is ideal for linking backbone connections between servers and network switches.

24 Port 10/100Base-TX Switch with two 10/100/1000Base-T Gigabit Ethernet Ports with VLAN technology.

Managed Switches

A managed switch allows the ports on the switch to be configured, monitored, enabled and disabled. Switch management can also gather information on a variety of network parameters, such as:

  • The number of packets that pass through each of its ports
  • What types of packets they are
  • Whether the packets contain errors
  • The number of collisions that have occurred

You should look for the following features on a managed switch:

  • Gigabit Ethernet support
  • SNMP management and remote control capabilities
  • A management interface that can be accessed through an internet browser
  • Auto-negotiation support which auto-senses the speed and duplex capabilities of connected devices
  • Built-in expansion capability

The Fully Managed SNMP 24 Port 10/100Base-TX + GIGA Expansion N-Way Switch (Part No. 25030) is a high performance web-managed Layer 2 Switch that provides 24 Fast Ethernet 10/100Mbps ports. The built-in expansion slot can accommodate a number of different modules. Optional Gigabit/Fast Ethernet modules can be copper or fibre based and support 10/100/1000Base-T, 100Base-FX, and 1000Base-SX. This switch is ideal for organisations wishing to create a new, or upgrade their existing network infrastructure.

The switch features advanced SNMP (Simple Network Management Protocol) management and remote control capabilities, and supports an easy to use Layer 2 management interface that can be accessed through an internet browser.

Fully managed SNMP 24 Port Fast Ethernet and full Gigabit backbone support with remote management.

Using a managed switch can reduce hidden costs by using –

  • Switch and traffic monitoring to help head off problems before they occur, reducing user downtime
  • Management tools that offer an intuitive graphical user interface (GUI) that simplifies configuration and monitoring tasks
  • Management functions can be performed remotely using a web browser or directly via a console connected to the switch

Virtual Network Components

The key virtual networking components in a VMware Infrastructure are virtual Ethernet adapters and virtual switches. A virtual machine can be configured with one or more virtual Ethernet adapters. Virtual switches allow virtual machines on the same VMware ESX host to communicate with each other using the same protocols that would be used over physical switches, without the need for additional hardware. They also support VLANs that are compatible with standard VLAN implementations from other vendors, such as Cisco.

Connecting Virtual Machines to your Network

VMware technology lets you link local virtual machines to each other and to the external enterprise network through the virtual switch. The virtual switch emulates a traditional physical Ethernet network switch to the extent that it forwards frames at the data link layer. VMware ESX may contain multiple virtual switches, each providing more than 1,000 internal virtual ports for virtual machine use.

The virtual switch connects to the enterprise network through outbound Ethernet adapters. A maximum of eight Gigabit Ethernet ports or ten 10/100 Ethernet ports can be used by the virtual switch for external connectivity. The virtual switch is capable of binding multiple VMNICs together, in a manner much like NIC teaming on a traditional server, offering greater availability and bandwidth to the virtual machines using the virtual switch.

Virtual Ethernet Adapters

There are three types of adapters available for virtual machines in VMware Infrastructure 3:

  1. vmxnet is a paravirtualized device that works only if VMware Tools is installed on the Operating System. This adapter is optimized for virtual environments and designed for high performance.
  2. vlance emulates the AMD Lance PCNet32 Ethernet adapter. It is compatible with most 32-bit guest operating systems and can be used without VMware Tools.
  3. e1000 emulates the Intel E1000 Ethernet adapter and is used in either 64-bit or 32-bit virtual machines.

There are two other virtual adapters that are available through VMware technology. vswif is a paravirtualized device similar to vmxnet that is used by the VMware ESX service console. vmknic is a device in the VMkernel that is used by the TCP/IP stack to serve NFS and software iSCSI clients.

Virtual Switches

VMware technology includes virtual switches that you can build on demand at run-time to provide different functions, including:

  1. Layer 2 forwarding.
  2. VLAN tagging, stripping and filtering.
  3. Layer 2 security, checksum and segmentation offloading.

This modular approach reduces complexity and maximizes system performance: VMware virtualization technology loads only those components it needs to support the specific physical and virtual Ethernet adapter types used in the configuration. Additionally, the modular design enables VMware and third-party developers to incorporate new modules to enhance the system in the future. Up to 248 virtual switches can be created on each VMware ESX host. The following are important features of virtual switches:

  • Virtual ports: The ports on a virtual switch provide logical connection points among virtual devices and between virtual and physical devices. Each virtual switch can have up to 1,016 virtual ports, with a limit of 4,096 ports on all virtual switches on a host. The virtual ports provide a rich control channel for communication with the virtual Ethernet adapters attached to them.
  • Uplink ports: Uplink ports are associated with physical adapters, providing a connection between the virtual network and the physical networks. They connect to physical adapters when they are initialized by a device driver or when the teaming policies for virtual switches are reconfigured. Virtual Ethernet adapters connect to virtual ports when you power on the virtual machine, when you take an action to connect the device or when you migrate a virtual machine using VMware Vmotion. A virtual Ethernet adapter updates the virtual switch port with MAC filtering information when it is initialized or when it changes.
  • Port groups: Port groups make it possible to specify that a given virtual machine should have a particular type of connectivity on every host, and they contain enough configuration information to provide persistent and consistent network access for virtual Ethernet adapters. Some of the information contained in a port group includes virtual switch name, VLANIDs and policies for tagging and filtering, the teaming policy and traffic shaping parameters. This is all the information needed for a switch port.
  • Uplinks: With VMware technology, uplinks are the physical Ethernet adapters that serve as bridges between the virtual and physical network. The virtual ports connected to them are called uplink ports. A host may have up to 32 uplinks.

Other things to consider:

  • Virtual switches do not learn from the network to populate their forwarding tables. This helps to minimize denial of service attacks that rely on filling or poisoning a learned table.
  • Virtual switches make private copies of frame data used to make forwarding or filtering decisions. This ensures the guest operating systems cannot access sensitive data once the frame is passed onto the virtual switch.
  • VMware technology ensures that frames are contained within the appropriate VLAN on a virtual switch 1) by carrying the data outside the frame as it passes through the virtual switch, and 2) because there is no dynamic trunking support that could open up isolation leaks, making the data vulnerable to attack.

Virtual Switches vs. Physical Switches

Virtual switches are similar to modern physical Ethernet switches in many ways. Like a physical switch, it maintains a MAC:port forward table and performs frame destination lookup and frame forwarding. It also supports VLAN segmentation at the port level, so that each port can be configured as an access or trunk port, providing access to either single or multiple VLANs.

However, unlike physical switches, virtual switches do not require a spanning tree protocol, because VMware Infrastructure 3 enforces a single-tier networking topology. There’s no way to interconnect multiple virtual switches. Also, network traffic cannot flow directly from one virtual switch to another within the same host. Virtual switches provide all the ports you need in one switch. You don’t need to cascade virtual switches or prevent bad virtual switch connections, and because they don’t share physical Ethernet adapters, leaks between switches do not occur. Each virtual switch is isolated and has its own forwarding table, so every destination the switch looks up can match only ports on the same virtual switch where the frame originated. This feature improves security, making it difficult for hackers to break virtual switch isolation.
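The isolation properties listed in "Other things to consider" and in the comparison with physical switches are easier to reason about with a small model. The following Python is an added example and is not VMware's code: a constructed virtual switch whose MAC:port table is filled only from adapter registrations (never learned from traffic), that drops unknown-unicast frames instead of flooding them, that keeps frames inside the port group's VLAN, and whose table belongs to that switch alone, so a lookup can never resolve to a port on a second switch on the same host. The MACs, VLAN numbers and port names are constructed; the source-MAC check models the "MAC filtering information" the post says an adapter registers with its port and is an assumption about behaviour, since on a real host that is governed by the port group's security policy, which the post does not cover.

```python
from dataclasses import dataclass
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str


@dataclass
class VirtualPort:
    mac: str    # MAC the attached virtual adapter registered with the port
    vlan: int   # access VLAN assigned through the port group


class VirtualSwitch:
    """Constructed model of the vSwitch properties the post lists; see lead-in."""

    def __init__(self, name):
        self.name = name
        self.ports = {}     # port_id -> VirtualPort
        self.table = {}     # mac -> port_id, filled on connect, never by learning
        self.dropped = []   # (reason, ingress_port, mac) kept for inspection

    def connect(self, port_id, mac, vlan):
        # Mirrors the adapter updating its port with MAC filtering info at power-on
        mac = mac.lower()
        self.ports[port_id] = VirtualPort(mac, vlan)
        self.table[mac] = port_id

    def forward(self, ingress_port, frame):
        """Return the list of egress port ids for a frame arriving on ingress_port."""
        port = self.ports[ingress_port]
        src, dst = frame.src_mac.lower(), frame.dst_mac.lower()
        if src != port.mac:
            # Source differs from the registered MAC: drop it, and learn nothing from it
            self.dropped.append(("forged-source", ingress_port, src))
            return []
        if dst == BROADCAST:
            return [pid for pid, p in self.ports.items()
                    if p.vlan == port.vlan and pid != ingress_port]
        egress = self.table.get(dst)
        if egress is None:
            # A learning switch would flood this; with a static table it is simply dropped
            self.dropped.append(("unknown-destination", ingress_port, dst))
            return []
        if self.ports[egress].vlan != port.vlan:
            self.dropped.append(("vlan-mismatch", ingress_port, dst))
            return []
        return [egress]


def demo():
    """Two isolated vSwitches on one host, with constructed VM MACs and VLANs."""
    vs0, vs1 = VirtualSwitch("vSwitch0"), VirtualSwitch("vSwitch1")
    vs0.connect("vm-a", "00:50:56:00:00:0a", vlan=10)
    vs0.connect("vm-b", "00:50:56:00:00:0b", vlan=10)
    vs0.connect("vm-c", "00:50:56:00:00:0c", vlan=20)
    vs1.connect("vm-d", "00:50:56:00:00:0d", vlan=10)   # same VLAN number, other switch

    result = {
        "same_vlan": vs0.forward("vm-a", Frame("00:50:56:00:00:0a", "00:50:56:00:00:0b")),
        "cross_vlan": vs0.forward("vm-a", Frame("00:50:56:00:00:0a", "00:50:56:00:00:0c")),
        "other_switch": vs0.forward("vm-a", Frame("00:50:56:00:00:0a", "00:50:56:00:00:0d")),
        "broadcast": vs0.forward("vm-a", Frame("00:50:56:00:00:0a", BROADCAST)),
    }
    # A burst of frames with made-up source MACs: a learning table would grow, this one does not
    rng = random.Random(1)
    before = len(vs0.table)
    for _ in range(500):
        fake = "02:%02x:%02x:%02x:%02x:%02x" % tuple(rng.randrange(256) for _ in range(5))
        vs0.forward("vm-a", Frame(fake, "00:50:56:00:00:0b"))
    result["table_size_before"], result["table_size_after"] = before, len(vs0.table)
    result["forged_dropped"] = sum(1 for r, _, _ in vs0.dropped if r == "forged-source")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `dropped` list is the part a defender cares about: on a physical learning switch the same burst of random source addresses would either be silently learned or aged out, while here every one of them is recorded against the port it came from, which is exactly the signal you would want to feed to monitoring.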

Friday, November 28, 2008

Networking In Workstations

Local Area Network (LAN)

The services offered to Departments will cover new network installations, network upgrades, troubleshooting, and maintenance. We provide:
· Network needs assessment
· Software and hardware support for most available LAN systems and LAN based software packages
· Network installation and upgrades
· Network troubleshooting

New LANs

For new network installations, our staff can assist with network needs analysis; prepare or review specs for new networks or network upgrades; install/upgrade network operating system on network server; install, connect, and configure workstations and peripherals, and install, upgrade and configure network software applications.

LAN Upgrades

Network upgrades, including the upgrade of network operating system software; the installation and configuration of new network applications; the installation, connection, and configuration of additional workstations and peripherals; and the installation and configuration of hardware upgrades in network servers, are all a part of this new service. In addition, our staff can help coordinate LAN connections with the campus-wide network (when available).

Trouble Shooting & Problem Solving

We can troubleshoot network problems involving operating systems, the server, workstations, network applications, and printing. Network maintenance can also be provided including maintaining network documentation, remote network monitoring, optimizing server performance, design and help maintain network backup schedule, and installation of network operating system upgrades and fixes. Our staff can also design and/or conduct seminars for network managers and for network users as a non-contract service.



Network Maintenance:

Preventive Maintenance

Preventive maintenance is one of the most ignored aspects of network ownership. Preventive Maintenance refers to performing proactive maintenance in order to prevent system problems. This is different from diagnostic or corrective maintenance, which is performed to correct an already-existing problem. Here are some reasons why you should develop a preventive maintenance plan for your network:

1. Preventive Maintenance Saves Money: Avoiding problems with your PC will save you money in the long run. By preventing a problem from occurring, you will no longer need to spend money on new components or repair jobs.

2. Preventive Maintenance Saves Time: Preventive maintenance saves time because it saves you the inconvenience and disruption of system failures and lost data. Most preventive maintenance procedures are quite simple compared to troubleshooting and repair procedures.

3. Preventive Maintenance Helps Safeguard Your Data: For most people, the data on the hard disk is more important than the hardware that houses it. Taking steps to protect this data therefore makes sense, and that is what preventative maintenance is all about.

4. Preventive Maintenance Improves Performance: Some parts of your system will actually degrade in performance over time, and preventive maintenance will help to improve the speed of your system in these respects. It is important to us at Dapoy that your computer systems will be as secure and steady as possible. If you would like to get an estimate for preventive maintenance that will suit your business needs, please contact the office to speak to a technical representative today.

Cabling and Infrastructure :

Network Performance

The performance of a network infrastructure depends not only on the quality of its components, but also on the quality of the cabling installation. Each network infrastructure is installed and tested by trained quality assurance engineers and technicians.

A properly installed cable network should function efficiently for 10-12 years. We guarantee all of our cabling installation for up to 12 years.

TimeTiger Technical Overview and Architecture

The TimeTiger time and project tracking system has been designed to meet the needs of organizations from 1 to over 1,000 individual users. This document describes the components that make up TimeTiger and how these components work together to form a system. Various deployment approaches are illustrated, for installations ranging from a single-user desktop configuration to a multi-server, fault tolerant set-up suitable for 1,000 or more time loggers.


How TimeTiger Works

At the core of the TimeTiger system is the TimeTiger System Server. The TimeTiger System Server is a web server that hosts one or more TimeTiger applications, each of which is connected to a TimeTiger database. The TimeTiger database houses all the time log data, system configuration and user data required for the entire system. As of TimeTiger 2, the TimeTiger database can be stored in Microsoft Access 2000 format or on a Microsoft SQL Server. The TimeTiger database is open-architecture, meaning you are able to use third-party reporting and analysis tools to look at TimeTiger data, and even create your own applications that interface with the TimeTiger system. The TimeTiger database resides in a single location on your PC (for single-user installations) or network (for multi-user installations).

You install the TimeTiger System Server on a single computer (running Windows XP, 2000 or 2003), and then access the TimeTiger application using a web browser from the same PC or any other PC connected to your network.

For single-user installations, the TimeTiger application, database, and web browser can all reside on the same PC.

A single-user TimeTiger system

Single-user system topology

The single-user installation is the simplest TimeTiger configuration we support. A single PC houses the TimeTiger System Server, which has been used to create a single TimeTiger application connected to an Access 2000 format TimeTiger database. Note that owning Microsoft Access 2000 is not required to use the system: everything you need is already built-in to TimeTiger.

A Peer-to-Peer TimeTiger system

Peer-to-peer system topology

For small workgroups using a peer-to-peer network (such as Microsoft Windows 95/98/ME networking) multiple workstations can connect to a single TimeTiger System Server located on one of the machines on the network. This machine must be on at all times so that the other machines can connect to and use the TimeTiger system. This configuration is not recommended for workgroups larger than 10 machines.

A LAN-based TimeTiger system

LAN system topology

For larger departmental or organization-wide deployments, the TimeTiger System Server should be deployed on a network server machine and the database should reside on a network file server (for Access 2000 databases), or a Microsoft SQL Server (for SQL Server databases, shown here). All LAN workstations access TimeTiger using a standard web browser. Optionally, you can allow Internet or WAN users to connect to the same TimeTiger System Server through your corporate firewall. This configuration is recommended for up to 150 users (using an Access format database) or 1,000+ users (using a SQL Server database).

An enterprise TimeTiger system

For enterprise-wide deployments where scalability, performance and reliability are critical, component redundancy and load balancing can be introduced using the facilities already available in Microsoft Windows Server and Microsoft SQL Server. By clustering the various servers involved and implementing SQL Server replication and Windows Advanced Server cascading failover, TimeTiger can reliably support your entire enterprise of 1,000+ users.

For large installations such as this we recommend you take advantage of the skills provided by our professional services team to help design and configure your deployment. We can help you architect the perfect tracking solution for your entire organization.

Microsoft Access or SQL Server?

TimeTiger gives you the option of using a database in Microsoft Access 2000 format or a Microsoft SQL Server database. When choosing which of these two platforms to deploy on, bear the following considerations in mind:

  • Although you do not require your own copy of Microsoft Access to use an Access 2000 format database with TimeTiger, you do require your own Microsoft SQL Server to use a SQL Server format database.
  • Databases in both formats require some administration. An Access 2000 database must be regularly compacted to preserve performance and data integrity. A SQL Server should be managed by a qualified database administrator to ensure the security, safety, and performance of your application.
  • There is no hard user limit imposed on either database format. Performance and reliability are the chief considerations in deciding to go with SQL Server, especially for installations of over 150 users.
  • You can always change your mind. TimeTiger can seamlessly convert your data from Access 2000 to SQL Server format, or vice-versa.

Sunday, November 23, 2008

Wi-Fi Network

Wi-Fi is the trade name for the popular wireless technology used in home networks, mobile phones, video games and other electronic devices that require some form of wireless networking capability. In particular, it covers the various IEEE 802.11 technologies (including 802.11a, 802.11b, 802.11g, and 802.11n).

Wi-Fi technologies are supported by nearly every modern personal computer operating system, most advanced game consoles and laptops, and many printers and other peripherals.

Purpose

The purpose of Wi-Fi is to provide wireless access to digital content. This content may include applications, audio and visual media, Internet connectivity, or other data. Wi-Fi generally makes access to information easier, as it can eliminate some of the physical restraints of wiring; this can be especially true for mobile devices.



Uses

A Wi-Fi enabled device such as a PC, game console, mobile phone, MP3 player or PDA can connect to the Internet when within range of a wireless network connected to the Internet. The coverage of one or more interconnected access points, called a hotspot, can comprise an area as small as a single room with wireless-opaque walls or as large as many square miles covered by overlapping access points. Wi-Fi technology has also served to set up mesh networks, for example in London. Both architectures can operate in community networks.

In addition to private use in homes and offices, Wi-Fi can make access publicly available at Wi-Fi hotspots provided either free of charge or to subscribers of various providers. Organizations and businesses such as airports, hotels and restaurants often provide free hotspots to attract or assist clients. Enthusiasts or authorities who wish to provide services or even to promote business in a given area sometimes provide free Wi-Fi access. Metropolitan-wide Wi-Fi has more than 300 projects in process. There were 879 Wi-Fi based Wireless Internet Service Providers in the Czech Republic as of May 2008.

Wi-Fi also allows connectivity in peer to peer mode, which enables devices to connect directly with each other. This connectivity mode can prove useful in consumer electronics and gaming applications.

Advantages

Wi-Fi allows local area networks (LANs) to be deployed without cabling for client devices, typically reducing the costs of network deployment and expansion. Spaces where cables cannot be run, such as outdoor areas and historical buildings, can host wireless LANs.

Wireless network adapters are now built into most laptops. The price of chipsets for Wi-Fi continues to drop, making it an economical networking option included in even more devices. Wi-Fi has become widespread in corporate infrastructures.

Different competitive brands of access points and client network interfaces are inter-operable at a basic level of service. Products designated as "Wi-Fi Certified" by the Wi-Fi Alliance are backwards compatible. Wi-Fi is a global set of standards. Unlike mobile telephones, any standard Wi-Fi device will work anywhere in the world.

Wi-Fi is widely available in more than 220,000 public hotspots and tens of millions of homes and corporate and university campuses worldwide. WPA and WPA2 protect traffic well when a strong passphrase is used: no practical cryptographic attack on WPA2's AES-CCMP cipher is known, but with a pre-shared key the weak point of either is the passphrase itself, because an attacker who captures the four-way handshake can test candidate passphrases offline. New protocols for Quality of Service (WMM) make Wi-Fi more suitable for latency-sensitive applications (such as voice and video), and power saving mechanisms (WMM Power Save) improve battery operation.

Limitations

Spectrum assignments and operational limitations are not consistent worldwide. Most of Europe allows two channels beyond those permitted in the U.S. for the 2.4 GHz band (1–13 vs. 1–11), and Japan allows one more on top of that (1–14); Europe, as of 2007, was essentially homogeneous in this respect. A confusing aspect is that a Wi-Fi signal actually occupies about five channel numbers' worth of spectrum in the 2.4 GHz band (channels are spaced 5 MHz apart, but a signal is 20–22 MHz wide), so only three channels are mutually non-overlapping in the U.S.: 1, 6 and 11. In Europe four (1, 5, 9 and 13) can be used, but only if all equipment in the area is guaranteed never to use 802.11b, even as a fallback rate or for beacons, since 802.11b's 22 MHz signal is wider than the 20 MHz spacing of that plan.
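The channel arithmetic behind the 1/6/11 and 1/5/9/13 plans, worked through as an added example (this is not code from the original post). It assumes the standard 2.4 GHz channel table (centre frequency 2407 + 5·ch MHz for channels 1–13, 2484 MHz for channel 14) and the nominal occupied widths of 22 MHz for 802.11b DSSS and 20 MHz for 802.11g/n OFDM; real spectral masks extend a little further, so treat the result as a planning rule rather than a guarantee.

```python
"""2.4 GHz channel overlap: which channel sets are mutually non-overlapping.

Added example, not from the original post. Assumes the standard channel table
(centre = 2407 + 5*ch MHz for channels 1-13, 2484 MHz for channel 14) and the
nominal occupied widths: 22 MHz for 802.11b DSSS, 20 MHz for 802.11g/n OFDM.
"""

DSSS_WIDTH_MHZ = 22   # 802.11b
OFDM_WIDTH_MHZ = 20   # 802.11g/n with 20 MHz channels


def center_mhz(ch: int) -> int:
    """Centre frequency of a 2.4 GHz channel number."""
    if ch == 14:
        return 2484
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    raise ValueError(f"not a 2.4 GHz channel: {ch}")


def overlaps(ch_a: int, ch_b: int, width_mhz: int) -> bool:
    """True if two signals of the given width, centred on these channels, share spectrum."""
    return abs(center_mhz(ch_a) - center_mhz(ch_b)) < width_mhz


def plan_is_clean(plan, width_mhz: int) -> bool:
    """True if every pair of channels in the plan is non-overlapping at this width."""
    return all(not overlaps(a, b, width_mhz)
               for i, a in enumerate(plan) for b in plan[i + 1:])


def non_overlapping_plan(allowed, width_mhz: int) -> list:
    """Greedy, lowest-channel-first selection of mutually non-overlapping channels
    from the regulator-permitted set (e.g. range(1, 12) for the U.S., range(1, 14)
    for most of Europe, range(1, 15) for Japan)."""
    plan = []
    for ch in allowed:
        if all(not overlaps(ch, used, width_mhz) for used in plan):
            plan.append(ch)
    return plan


if __name__ == "__main__":
    print("US, 802.11b:", non_overlapping_plan(range(1, 12), DSSS_WIDTH_MHZ))   # [1, 6, 11]
    print("EU, 802.11b:", non_overlapping_plan(range(1, 14), DSSS_WIDTH_MHZ))   # [1, 6, 11]
    print("EU, OFDM   :", non_overlapping_plan(range(1, 14), OFDM_WIDTH_MHZ))   # [1, 5, 9, 13]
    print("1/5/9/13 still clean if an 802.11b station shows up?",
          plan_is_clean([1, 5, 9, 13], DSSS_WIDTH_MHZ))                          # False
```

The last line is the caveat from the paragraph above in executable form: the four-channel European plan is clean at 20 MHz but breaks as soon as any 22 MHz 802.11b transmitter appears on it.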


Monday, March 17, 2008

Types of wireless LANs

PEER TO PEER

An ad-hoc network is a network where stations communicate only peer to peer (P2P). There is no base station and no central coordinator that grants permission to transmit. This is accomplished using the Independent Basic Service Set (IBSS).

A peer-to-peer (P2P) network allows wireless devices to communicate directly with each other. Wireless devices within range of each other can discover and communicate directly without involving central access points. This method is typically used by two computers so that they can connect to each other to form a network.

If a signal strength meter is used in this situation, it may not read the strength accurately and can be misleading, because it registers the strength of the strongest signal, which may be the closest computer.

802.11 specs define the physical layer (PHY) and MAC (Media Access Control) layers. However, unlike most other IEEE specs, 802.11 includes three alternative PHY standards: diffuse infrared operating at 1 Mbit/s; frequency-hopping spread spectrum operating at 1 Mbit/s or 2 Mbit/s; and direct-sequence spread spectrum operating at 1 Mbit/s or 2 Mbit/s. A single 802.11 MAC standard is based on CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). The 802.11 specification includes provisions designed to minimize collisions, because two mobile units may both be in range of a common access point but not in range of each other (the hidden node problem), so carrier sensing alone cannot stop them from transmitting at the same time.

802.11 has two basic modes of operation. Ad hoc mode enables peer-to-peer transmission between mobile units. Infrastructure mode, in which mobile units communicate through an access point that serves as a bridge to a wired network infrastructure, is the more common wireless LAN application and the one covered here.

Since wireless communication uses a more open medium than wired LANs, the 802.11 designers also included a shared-key encryption mechanism called Wired Equivalent Privacy (WEP). WEP's combination of RC4 with a 24-bit per-frame IV and a CRC-32 integrity check turned out to be seriously flawed (keystream reuse once an IV repeats, and undetectable bit-flipping because CRC-32 is linear), and it has been superseded by Wi-Fi Protected Access (WPA, and WPA2 with AES-CCMP) for securing wireless computer networks.
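The WEP construction described above, modelled end to end with its two best-known flaws, as an added example (this is not code from the original post or from any 802.11 implementation). The frame layout follows the WEP design (3-byte IV sent in the clear, RC4 keyed with IV || key, little-endian CRC-32 ICV appended before encryption); the 40-bit key, the IV and the two payloads are constructed sample values, and the RC4 routine is included only so the example runs offline.

```python
"""Toy model of WEP (RC4 + CRC-32) showing why it was abandoned.

Added example, not code from the original post. Key, IV and payloads are
constructed sample values; the frame layout follows the 802.11 WEP design.
"""
import math
import struct
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA). Present only to model WEP; do not reuse."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_le(data: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key) XOR (payload || ICV)."""
    assert len(iv) == 3
    plain = payload + crc32_le(payload)
    return iv + xor(plain, rc4(iv + wep_key, len(plain)))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns (payload, icv_ok); a receiver accepts the frame only if icv_ok."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + wep_key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    return payload, icv == crc32_le(payload)


# Flaw 1: keystream reuse. Frames under the same IV (and key) are XORed with
# the same RC4 keystream, so c1 XOR c2 = p1 XOR p2, and a known p1 yields p2
# without the key. With random 24-bit IVs a repeat is expected quickly.
def recover_from_iv_reuse(frame1: bytes, known_payload1: bytes, frame2: bytes) -> bytes:
    assert frame1[:3] == frame2[:3], "attack needs identical IVs"
    n = min(len(known_payload1), len(frame2) - 3 - 4)
    c1, c2 = frame1[3:3 + n], frame2[3:3 + n]
    return xor(xor(c1, c2), known_payload1[:n])


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: random-IV frames before a repeat is at least p likely."""
    return int(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p))))


# Flaw 2: CRC-32 is affine over GF(2), so for equal lengths
# crc(p XOR d) = crc(p) XOR crc(d) XOR crc(0...0). An attacker can therefore
# flip chosen payload bits and patch the encrypted ICV to match, knowing
# neither the key nor the plaintext.
def flip_bits_undetected(frame: bytes, delta: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    enc_payload, enc_icv = body[:-4], body[-4:]
    assert len(delta) == len(enc_payload)
    icv_patch = xor(crc32_le(delta), crc32_le(bytes(len(delta))))
    return iv + xor(enc_payload, delta) + xor(enc_icv, icv_patch)


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")             # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")                  # constructed IV, reused twice
    p1 = b"GET /index.html HTTP/1.0\r\n"          # attacker-known plaintext (sample)
    p2 = b"PASS hunter2-wifi-demo\r\n"            # victim's secret (sample)
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(recover_from_iv_reuse(f1, p1, f2))      # recovers p2 without the key
    delta = bytearray(len(p2)); delta[5] = ord("h") ^ ord("H")   # flip 'h' -> 'H'
    print(wep_decrypt(key, flip_bits_undetected(f2, bytes(delta))))  # (..., True)
    print(frames_until_iv_collision())            # about 4,800 frames
```

Both attacks work on the ciphertext alone, which is why neither a longer key nor a stronger passphrase rescues WEP; WPA's TKIP added a per-packet key mix and a keyed MIC, and WPA2's CCMP replaced RC4 and CRC-32 with AES in a mode that provides authenticated encryption.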

Bridge

A bridge can be used to connect networks, typically of different types. A wireless Ethernet bridge allows the connection of devices on a wired Ethernet network to a wireless network. The bridge acts as the connection point to the Wireless LAN.

Wednesday, March 12, 2008

Computer networking

Network cards such as this one can transmit and receive data at high rates over various types of network cables. This card is a 'Combo' card which supports three cabling standards.

Computer networking is the engineering discipline concerned with communication between computer systems or devices. Networking, routers, routing protocols, and networking over the public Internet have their specifications defined in documents called RFCs.[1] Computer networking is sometimes considered a sub-discipline of telecommunications, computer science, information technology and/or computer engineering. Computer networks rely heavily upon the theoretical and practical application of these scientific and engineering disciplines.

A computer network is any set of computers or devices connected to each other with the ability to exchange data.[2] Examples of networks are:

* local area network (LAN), which is usually a small network constrained to a small geographic area.
* wide area network (WAN) that is usually a larger network that covers a large geographic area.
* wireless LANs and WANs (WLAN & WWAN), the wireless equivalents of the LAN and WAN

Networks are interconnected over a variety of media, including twisted-pair copper wire cable, coaxial cable, optical fiber, and various wireless technologies.[3] The devices can be separated by a few meters (e.g. via Bluetooth) or nearly unlimited distances (e.g. via the interconnections of the Internet).


History

Before the advent of computer networks that were based upon some type of telecommunications system, communication between calculation machines and early computers was performed by human users carrying instructions between them. Much of the social behavior seen in today's Internet was demonstrably present in nineteenth-century telegraph networks, and arguably in even earlier networks using visual signals.[5]

In September 1940 George Stibitz used a teletype machine to send instructions for a problem set from his Model K at Dartmouth College in New Hampshire to his Complex Number Calculator in New York and received results back by the same means. Linking output systems like teletypes to computers was an interest at the Advanced Research Projects Agency (ARPA) when, in 1962, J.C.R. Licklider was hired and developed a working group he called the "Intergalactic Network", a precursor to the ARPANet.

In 1964, researchers at Dartmouth developed the Dartmouth Time Sharing System for distributed users of large computer systems. The same year, at MIT, a research group supported by General Electric and Bell Labs used a computer (DEC's PDP-8) to route and manage telephone connections.

Throughout the 1960s Leonard Kleinrock, Paul Baran and Donald Davies independently conceptualized and developed network systems which used datagrams or packets that could be used in a packet switched network between computer systems.

The first widely used PSTN switch that used true computer control was the Western Electric 1ESS switch, introduced in 1965.

In 1969 the University of California at Los Angeles, SRI (Stanford Research Institute), the University of California at Santa Barbara, and the University of Utah were connected as the beginning of the ARPANet network using 50 kbit/s circuits. Commercial services using X.25, an alternative architecture to the TCP/IP suite, were deployed in 1972.

Computer networks, and the technologies needed to connect and communicate through and between them, continue to drive computer hardware, software, and peripherals industries. This expansion is mirrored by growth in the numbers and types of users of networks from the researcher to the home user.

Today, computer networks are the core of modern communication. For example, all modern aspects of the Public Switched Telephone Network (PSTN) are computer-controlled, and telephony increasingly runs over the Internet Protocol, although not necessarily the public Internet. The scope of communication has increased significantly in the past decade and this boom in communications would not have been possible without the progressively advancing computer network.

Network topology



The network topology defines the way in which computers, printers, and other devices are connected, physically and logically. A network topology describes the layout of the wire and devices as well as the paths used by data transmissions. Commonly used topologies include:

* Bus
* Star
* Tree (hierarchical)
* Linear
* Ring
* Mesh
o partially connected
o fully connected (sometimes known as fully redundant)

The network topologies mentioned above are only a general representation of the kinds of topologies used in computer networks and are considered basic topologies.

Networking methods

Networking is a complex part of computing that makes up most of the IT Industry. Without networks, almost all communication in the world would cease to happen. It is because of networking that telephones, televisions, the internet, etc. work.

One way to categorize computer networks is by their geographic scope, although many real-world networks interconnect Local Area Networks (LAN) via Wide Area Networks (WAN). These two (broad) types are:

Local area network (LAN)

A local area network is a network that spans a relatively small space and provides services to a small number of people. Depending on the number of people that use a local area network, a peer-to-peer or client-server method of networking may be used. In a peer-to-peer network each client shares its resources with the other workstations in the network; examples are small office networks where resource use is minimal, and home networks. In a client-server network every client is connected to the server and, through it, to each other. Client-server networks use servers in different capacities, which can be classified into two types: single-service servers, where the server performs one task such as file serving or print serving; and multi-purpose servers, which not only act as file and print servers but also perform computation and use the results to provide information to clients (web/intranet servers). Computers are linked via Ethernet cable, either directly (one computer to another) or via a network hub that allows multiple connections.

Historically, LANs have featured much higher speeds than WANs. This is not necessarily the case when the WAN technology appears as Metro Ethernet, implemented over optical transmission systems.


Wide area network (WAN)

A wide area network is a network where a wide variety of resources are deployed across a large domestic area or internationally. An example of this is a multinational business that uses a WAN to interconnect its offices in different countries. The largest and best-known example of a WAN is the Internet, which is a network composed of many smaller networks; the Internet is considered the largest network in the world.[6] The PSTN (Public Switched Telephone Network) is also an extremely large network that is converging to use Internet technologies, although not necessarily through the public Internet.

A wide area network involves communication through a range of different technologies. These include point-to-point WAN links such as the Point-to-Point Protocol (PPP) and High-Level Data Link Control (HDLC), Frame Relay, ATM (Asynchronous Transfer Mode) and SONET (Synchronous Optical Network). The WAN technologies differ in the kind of switching they perform and in the speed at which they send and receive bits of information (data).

For more information on WANs, see Frame Relay, ATM and SONET.


Wireless networks (WLAN, WWAN)


A wireless network is essentially the same as a LAN or a WAN, but there are no wires between hosts and servers: the data is transferred over sets of radio transceivers. These types of networks are beneficial when it is too costly or inconvenient to run the necessary cables. For more information, see Wireless LAN and Wireless wide area network. The media access protocols for LANs come from the IEEE.

The most common IEEE 802.11 WLANs cover, depending on antennas, ranges from hundreds of meters to a few kilometers. For larger areas, communications satellites of various types, cellular radio, and wireless local loop (IEEE 802.16) all have advantages and disadvantages. Depending on the type of mobility needed, the relevant standards may come from the IETF or the ITU.