May 26, 2016 | Author: neeraj kumar singh | Category: N/A
Chapter 1
Internet
Contents
• Overview of Internet
• History and Evolution of Internet
• Uses of Internet
• Internet Addresses
• Services of Internet
• Types of Internet connections
• Connecting Internet
Objectives
After completion of this module you will be able to know:
• What the Internet is and how it works
• History and Evolution of the Internet
• Services of the Internet
• Types of Internet connections
• How to choose the connection best suited to you
• How to connect to the Internet
1.1 Overview of Internet
The Internet is a global computer network made up of smaller computer networks; it has been called a "Network of Networks." These smaller networks include:
• Local Area Networks (like networked offices or computer labs, and campus-wide networks)
• Wide Area Networks (like city-wide networks)
• State and Regional Networks (including regional service providers and others)
• National and International Networks
There is no one inventor of the Internet. The Internet was created in the 1960s as a huge network linking big university and government computers. The science behind the Internet was invented during the Cold War, when the United States was in competition against Russia for weapons and technology. So the Internet is actually pretty old: around forty years. Much of the Internet's initial development was supported by American governmental research and network development (beginning with the American military's ARPANET in 1969). In fact, email has been around since 1972! In 1989, Tim Berners-Lee, a scientist at the European Laboratory for Particle Physics in Geneva, proposed the World Wide Web. Now Internet Service Providers (ISPs) offer Internet access to their clients, at costs ranging from Rs 150/- per 6 months to hundreds of rupees per year, depending on the types of service they offer.
1.2 What are the uses of the Internet?
There are three fundamental uses of the Internet:
• Communication
• Information Retrieval
• Presentation of Information
1.2.1 Communication
The Internet is used both for one-to-one communications (email and real-time "chat" programs) and one-to-many.
1.2.2 Information Retrieval
The Internet allows access to public domain information, bibliographic databases, libraries, and entertainment services, as well as to proprietary information services.
1.2.3 Presentation of Information
Any organization connected to the Internet can provide access to its own in-house information (library catalogs, faculty information, etc.) to millions of people world-wide. Individuals can also develop and provide their own information packages via their own home pages.
1.3 Internet Addresses
Every computer, file of information, and person on the Internet is identified by a unique "address."
1.3.1 Computer Addresses
Computer addresses are made up of three parts (or, in some cases, two parts), separated by "dots," like this:
computer-name.institution.domain
The computer name is a name given locally to identify a particular computer; it is, in some cases, omitted from the address. The institution name is the name (or an abbreviation of the name) of the school, company, or other institution housing the computer. The domain name specifies either the type or the geographic location of the computer.
1.3.2 Domain Names
There are several possible "domain" names, including some that identify the type of institution, and some that identify a geographical location. They include:
edu   educational institution
com   commercial and profitable organizations
org   non-profitable organizations
net   Internet infrastructure and service providers
gov   governmental agency/department
mil   American military agency
int   International organizations
us    United States
in    India
my    Malaysia
ca    Canada
jp    Japan
biz   Business
aero  aeronautics
1.3.3 Personal Addresses
A person's address (or their email address) places the user's "username" (or "login") and the symbol "@" before the computer address. For example, a user whose username is "sundar", who is accessing email from the "bsnl" server of India, would have the following address:
[email protected]
1.3.4 Uniform Resource Locators (URL)
Sources of information that are on the World Wide Web or an FTP server are identified by an extended address called a "Uniform Resource Locator" (URL). Here is a typical URL:
http://www.win.org/workshops/internet.shtml
The first part of the URL ("http://") identifies the type of information or protocol (in this case, it is a hypertext document, available from a HyperText Transport Protocol (http) server on the World Wide Web). The middle part ("www.win.org") is the basic address, as described above. The final part ("/workshops/internet.shtml") identifies the directories within which the document resides ("workshops"), as well as the exact name of the document ("internet.shtml").
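As an added example (not part of the original course material), the following Python code decomposes the three address forms described in this section (computer addresses, personal addresses and URLs) following the page's simplified model, and rejects input that does not have the expected shape. The domain table is the one from section 1.3.2; the personal address used in the usage line is constructed for the example.

```python
"""Decompose Internet addresses as described in section 1.3.

Model used here (the page's simplified one):
  computer address : computer-name.institution.domain  (computer name optional)
  personal address : username@computer-address
  URL              : protocol://computer-address/directories/document
Real URLs carry more components than this; the code checks only the shape
the page describes and reports anything else as an error.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Domain-name table from section 1.3.2 (type of institution or country).
DOMAIN_TYPES = {
    "edu": "educational institution",
    "com": "commercial and profitable organizations",
    "org": "non-profitable organizations",
    "net": "Internet infrastructure and service providers",
    "gov": "governmental agency/department",
    "mil": "American military agency",
    "int": "International organizations",
    "us": "United States",
    "in": "India",
    "my": "Malaysia",
    "ca": "Canada",
    "jp": "Japan",
    "biz": "Business",
    "aero": "aeronautics",
}


@dataclass
class ComputerAddress:
    computer_name: Optional[str]  # e.g. "www"; None when the name is omitted
    institution: str              # e.g. "win"
    domain: str                   # e.g. "org"

    @property
    def domain_meaning(self) -> str:
        """Look the domain part up in the section 1.3.2 table."""
        return DOMAIN_TYPES.get(self.domain, "unknown domain")


def parse_computer_address(text: str) -> ComputerAddress:
    """Split 'computer-name.institution.domain' or 'institution.domain'."""
    labels = text.strip().lower().split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        raise ValueError(f"not a computer address: {text!r}")
    if len(labels) == 2:                      # two-part form, no computer name
        return ComputerAddress(None, labels[0], labels[1])
    # Anything before the last two labels is treated as the computer name,
    # so a longer name such as a.b.c.d still yields institution "c", domain "d".
    return ComputerAddress(".".join(labels[:-2]), labels[-2], labels[-1])


def parse_personal_address(text: str) -> tuple[str, ComputerAddress]:
    """Split 'username@computer-address'; exactly one '@' is expected."""
    if text.count("@") != 1:
        raise ValueError(f"not a personal address: {text!r}")
    username, host = text.split("@")
    if not username:
        raise ValueError(f"empty username in {text!r}")
    return username, parse_computer_address(host)


@dataclass
class URL:
    protocol: str                 # e.g. "http"
    address: ComputerAddress      # the basic address, e.g. www.win.org
    directories: list[str]        # e.g. ["workshops"]
    document: Optional[str]       # e.g. "internet.shtml"; None if not named


def parse_url(text: str) -> URL:
    """Split 'protocol://address/dir/.../document' as section 1.3.4 describes."""
    protocol, sep, rest = text.strip().partition("://")
    if not sep or not protocol.isalpha():
        raise ValueError(f"URL has no protocol part: {text!r}")
    host, _, path = rest.partition("/")
    parts = [p for p in path.split("/") if p]
    # A path ending in "/" (or no path at all) names directories but no document.
    document = parts.pop() if parts and not path.endswith("/") else None
    return URL(protocol.lower(), parse_computer_address(host), parts, document)


if __name__ == "__main__":
    url = parse_url("http://www.win.org/workshops/internet.shtml")
    print(url.protocol, url.address, url.directories, url.document)
    user, host = parse_personal_address("sundar@mail.example.in")  # constructed
    print(user, host, host.domain_meaning)
```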
1.4 Internet Services
"Internet services" serve more sophisticated, multi-purpose needs, and increasingly make the Internet a truly useful information resource.
1.4.1 Email
It is the Internet's version of the postal service. Using the Internet, it provides the ability to send a message, reply to a message, send a file created in another program and/or even send the same message to a group of people. Some benefits of Email are:
• Speed: A message can be sent from Chennai to Australia in a matter of seconds.
• Cost: Emails are cheap. You are usually only charged for the telephone call time (local call rate) for sending the message into the Internet, and not the cost associated with transferring the message across the Internet.
• Flexibility: It is easy to send duplicates of your messages to other people or groups for the cost of a single message.
• Record keeping: Messages sent and received can be easily stored for future reference.
In order to use Email, you will need Internet access arranged through an Internet Service Provider (ISP), who will allocate you one or more Email accounts. To be able to retrieve and send mail from these addresses, you will need what is known as Email client software; your ISP usually provides this, although nowadays most computers come with it pre-installed.
1.4.2 Mail Lists
These use email to support discussion groups on a wide range of specific subjects. Once you subscribe to a mailing list, you will receive many emails related to the subject covered by that list.
1.4.3 FTP
FTP was the original Internet mechanism for the storage and retrieval of information. There are still many FTP sites around the Internet, although many of them have been melded into the World Wide Web. In computer science, FTP stands for "File Transfer Protocol," which is a way of transferring files between computers. A file can be anything: a spreadsheet, a word document, a song, or a picture. When someone says "Please FTP me that file," for instance, that means "Please transfer that file from your computer to mine." To FTP, you usually need to download a special program, or application. You also usually need a password to be able to access or send information to someone else's computer.
1.4.4 Gopher
Gopher was developed at the University of Minnesota, primarily to support its own Campus Wide Information Server (CWIS). It provides access to information available either locally or elsewhere on the Internet by means of a simple series of uniformly designed menus.
1.4.5 Instant Messaging (IM)
IM is a way for you to communicate instantly with your friends over the Internet. That might not sound so different from email. Have you ever noticed how cumbersome it is to have a brief conversation via email? You have to click Reply to each message, then find the right spot in the message to type something new, then send it. Then you have to wait for the next message to arrive! IM lets you have a conversation almost as naturally as on the phone or face to face, by typing messages into a window shared between your screen and your friend's. Another difference between IM and email is that with IM you can see your friends' presence, that is, whether they are actually on-line at the same time as you. This lets you send messages truly instantly, instead of sending off a mail and having to wait for your friend to check their mailbox. An IM message pops up on the other person's screen as soon as you send it. Of course, if you'd rather not be interrupted, you can change your own presence so others will know not to disturb you. There are lots of other fun and useful IM features you can explore, like group chats, file transfers, voice calls, video conferencing and emoticons that reflect your mood.
1.4.6 IRC
IRC stands for "Internet Relay Chat". It has been used in many countries around the world. IRC is a multi-user chat system, where people meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups, or privately. There is no restriction on the number of people that can participate in a given discussion, or the number of channels that can be formed on IRC.
1.4.7 Newsgroups
The Internet has a place where we can gather, question, and discuss our experiences within a wide variety of topics. It's called Usenet News. Some users also call it Net News. Think of Usenet News as a giant, worldwide bulletin board. Anyone can freely post something on this bulletin board. Everyone else can read the posted items and add their own items. These voluntary contributions and free exchange of information are the foundation of the Internet. Usenet News allows people on the Internet to share their opinions and experiences, openly and freely, on a level playing field. No one has priority or seniority over anyone else. Usenet News gives everyone an equal opportunity to participate in the discussions. When you send an e-mail message, the only people who can read it are the recipients (for the most part). When you post an article on Usenet News, every person on the Internet could read it and respond to it. Not that they ever would, but they could. That's a lot of people and a lot of opinions, and only a few of them come from true experience. There are tens of thousands of newsgroups. Some of them are applicable to a global audience; others are more applicable to a country, city, or organization. Most of the newsgroups are available to everyone on the Internet. However, some of the newsgroups have a limited audience.
1.4.8 Voice over IP
Voice over IP (Voice over Internet Protocol or "VoIP") technology converts voice calls from analog to digital to be sent over digital data networks. In Voice over IP, or VoIP, voice, data, and video all travel along the network.
1.4.9 World Wide Web (WWW)
The newest information application on the Internet, the WWW provides standardized access to Gopher, FTP, Telnet and more by means of home pages designed either by institutions or by individuals. By means of the HyperText Markup Language (HTML), it allows users to "point" at highlighted terms, following "links" to whatever information interests them. It is a multimedia environment, allowing Internet users access to audio and video materials. There are a number of client software packages (or browsers), including Lynx (a text-only browser), Netscape, and Microsoft's Internet Explorer (which are multimedia browsers).
1.5 Types of Internet connections
The options for providing user connectivity to the Internet are given below:
1. Terminal Dialup/Modem (Shell connection)
• Most common option
• User requirements limited to modem and communications software
• Text-only access
Shell accounts were more popular before the advent of the Web. A shell account lets you use your computer much as if it were a virtual console associated with a remote computer. You can type commands, which are interpreted by the remote computer, and view the resulting output on your computer. Although a few web browsers, such as Lynx, can operate via a shell account, they don't generally support the highly graphical, multimedia pages which web surfers have come to expect.
2. SLIP (Serial Line Internet Protocol)
• Computer is treated as though it were directly connected for the period it is online
• Utilizes telephone lines
• User must have modem, TCP software, SLIP software, & software for Internet applications
• Multimedia access
3. PPP (Point-to-Point Protocol)
• Computer is treated as though it were directly connected for the period it is online
• Utilizes telephone lines
• User must have modem, TCP software, PPP software, & software for Internet applications
• Multimedia access
While your computer is connected to the Internet, you can use it to surf the Web with your favorite browser. If your ISP allows, you can even run a web server, providing pages that can be viewed by others around the world.
4. ISDN (Integrated Services Digital Network)
• Most often used to connect remote telecommuters to office LANs
• Requires ISDN phone line access
• Faster than analog terminal dialup/modem service
• User must have ISDN phone line, ISDN card, communications software, TCP software & SLIP or PPP software
• Multimedia connectivity
5. DIAS
The DIAS offers a wire-line solution for high speed symmetrical Internet access on the existing telephone lines. It provides an "always on" internet access that is permanently available at the customer's premises. DIAS combines voice and internet data packets on a single twisted pair wire at the subscriber's premises, which means you can use the telephone and surf the internet at the same time.
6. Cable Modem
The term "Cable Modem" is quite new and refers to a modem that operates over the ordinary cable TV network cables. Basically you just connect the Cable Modem to the TV outlet for your cable TV, and the cable TV operator connects a Cable Modem Termination System (CMTS) at his end (the Head-End). Actually the term "Cable Modem" is a bit misleading, as a Cable Modem works more like a Local Area Network (LAN) interface than as a modem. In a cable TV system, signals from the various channels are each given a 6-MHz slice of the cable's available bandwidth and then sent down the cable to your house. When a cable company offers Internet access over the cable, Internet information can use the same cables because the cable modem system puts downstream data – data sent from the Internet to an individual computer – into a 6-MHz channel. On the cable, the data looks just like a TV channel. So Internet downstream data takes up the same amount of cable space as any single channel of programming. Upstream data – information sent from an individual back to the Internet – requires even less of the cable's bandwidth, just 2 MHz, since the assumption is that most people download far more information than they upload. Putting both upstream and downstream data on the cable television system requires two types of equipment: a cable modem on the customer end and a cable modem termination system (CMTS) at the cable provider's end. Between these two types of equipment, all the computer networking, security and management of Internet access over cable television is put into place.
7. Digital Subscriber Line (DSL) connection
DSL is a very high-speed connection that uses the same wires as a regular telephone line. Here are some advantages of DSL:
1. You can leave your Internet connection open and still use the phone line for voice calls.
2. The speed is much higher than a regular modem.
3. DSL doesn't necessarily require new wiring; it can use the phone line you already have.
4. The company that offers DSL (e.g. BSNL) will usually provide the modem as part of the installation.
But there are disadvantages:
1. A DSL connection works better when you are closer to the provider's central office.
2. The service is not available everywhere.
Other types of DSL include:
1. Asymmetric DSL (ADSL) – The connection is faster for receiving data than it is for sending data over the Internet.
2. Very high bit-rate DSL (VDSL) – This is a fast connection, but works only over a short distance.
3. Symmetric DSL (SDSL) – This connection, used mainly by small businesses, doesn't allow you to use the phone at the same time, but the speed of receiving and sending data is the same.
4. Rate-adaptive DSL (RADSL) – This is a variation of ADSL, but the modem can adjust the speed of the connection depending on the length and quality of the line.
8. Direct Connection (Leased circuit)
• Most often used to connect sites within a specific organization, such as a university or business
• Requires owning or leasing of cable (from 64 kbps to T-3)
• Users typically connected via Ethernet LANs
• Multimedia connectivity at its fastest
9. Satellite connections
This connection allows you to download Internet files via a satellite connection. This is an efficient method for receiving large Web graphics and other items, but you still need a modem connection for other features. You must purchase the connection hardware as well as subscribe to the service.
10. Wireless connections
Pagers, cellular phones and personal digital assistants (PDAs) now allow varying levels of Internet access, from notification of E-mail to limited Web connections. Many of these services remain in the experimental stage.
The PPP connection is also called a TCP/IP connection or PSTN dial-up connection. The ISDN connection is called an ISDN dial-up connection. Cable Modem, DSL and Direct Connection are always-on connections. The words "connection" and "account" in relation to the Internet are interchangeable.
1.6 Comparisons of Internet accounts
You can compare the two types of Internet accounts, shell and PPP, with two kinds of postal service. Imagine that no mail carrier actually comes to your home to pick up and deliver mail. Instead, every time you want to conduct postal business, you go to the post office. This resembles a shell account: the computer that connects you to the Internet is remote, and every time you want to do something on the Internet you must open a terminal, or telnet, session to that computer. PPP, on the other hand, is like home delivery: the Internet comes right to your doorstep, and your computer is literally placed on the Internet by the machine at your ISP that you connect to. Under Microsoft Windows, you use HyperTerminal to access a shell account and Dial-Up Networking to access a PPP account. Under Linux, you can choose from among several programs that let you access a shell account. The most commonly used programs are minicom and seyon. To access a PPP account under Linux, you use the PPP daemon, pppd.
If you are one of the first users to connect to the Internet through a particular cable channel by using a Cable Modem Internet connection, then you may have nearly the entire bandwidth of the channel available for your use. As new users, especially heavy-access users, are connected to the channel, you will have to share that bandwidth, and may see your performance degrade as a result. It is possible that, in times of heavy usage with many connected users, performance will be far below the theoretical maximums. The good news is that this particular performance issue can be resolved by the cable company adding a new channel and splitting the base of users. Another benefit of the Cable Modem for Internet access is that, unlike ADSL, its performance doesn't depend on distance from the central cable office.
ADSL is a distance-sensitive technology: as the connection's length increases, the signal quality decreases and the connection speed goes down. The limit for ADSL service is 18,000 feet (5,460 meters), though for speed and quality of service reasons many ADSL providers place a lower limit on the distances for the service. At the extremes of the distance limits, ADSL customers may see speeds far below the promised maximums, while customers nearer the central office have faster connections and may see extremely high speeds in the future.
1.7 Choosing an Internet Connection (Modem, ISDN, Cable, DSL - ADSL/SDSL)
As the Internet becomes increasingly popular with every day that passes, it is now considered one of the best ways to do business (e-commerce), network (by email), and build partnerships (on-line collaboration). It is arguably, some would say, the most efficient way of gathering information for a wide range of business uses and of interacting with customers. One of the main issues today is: what is the best way to connect to and use the Internet to its full potential with a view to speed and reliability? Unfortunately, because of the poor quality of the existing telephone network that connects us to the Internet, the speed at which information (web pages, images etc.) appears on your screen is slow compared to the latest technology available. Ultimately, DSL (see below) will be the solution that will provide us all with a connection up to ten times faster than the speed at which information arrives with a regular modem. As new technology becomes available almost every week, the difference in performance (speed), cost and availability is still unknown to many people, and consequently we face problems deciding which connection is best for our business needs.
(i) PC Modem - up to 56kbps
The PC Modem is the standard way of connecting to the Internet but is now the slowest. The fastest type of standard modem is 56kbps; these are included as standard with all new PCs, but if you do not have one they can be bought from around £15-20 upwards. If you are currently using a modem below 56k (which is unlikely) then the difference in speed will be very noticeable. There is nothing negative about using standard PC modems, but the speed may be a crucial factor if time is valuable to your business or if downloading large or numerous files (images, emails, etc.) is what you require.
(ii) ISDN (Integrated Service Digital Network) - 64/128kbps
ISDN provides a solution by offering two high-speed lines capable of running at 64kbps each through your existing phone network. The advantage of this is that each line can be connected to a different source (e.g. two computers, a computer and a telephone/fax, or two telephones). Another feature that may interest you is that the lines can be used simultaneously from a single computer, giving a speed of 128kbps. This would be useful should you need the extra speed to work quicker over the Internet at a specific time, or for downloading large images and files. This service requires you to remove your existing modem (if you have one) and replace it with an ISDN card, which can be found in most large PC stores. ISDN appears expensive in comparison to ADSL/broadband, but the two phone lines that come with it can be invaluable to a small business. If ADSL is not available in your area, then ISDN offers an effective solution.
(iii) Cable Modem - up to 600kbps
Cable offers greater speeds but has the initial problem of availability. Just like Cable TV, you can only receive the service if you live within a cable operator's franchise area. Should you find that you are one of the 'chosen few' you may consider this over ADSL (see below) because of the cheaper operating costs, although you should check carefully because prices are always changing. With a cable modem connection, speeds of up to 2Mbps may be achieved in the future. In order to use cable you will need two things: a cable modem and a Network Interface Card (sometimes referred to as a NIC). You do have to bear in mind the future and consider the following: once all subscribers in your area have been connected to the Cable Modem connection, the speed of the service will run at slower rates (kbps). This is because the amount of information that the cable can carry at one time is shared with all those connected to it. However, you could also consider that there may be further advances in the technology to change this.
(iv) ADSL - Over 256 kbps
This connection improves the speed at which you can download/upload dramatically compared to the standard PC modem. ADSL uses your existing phone line but gives you the added advantage of being able to use the phone/fax at the same time as being connected to the Internet: the connection time to the Internet is instant, as ADSL is "always on", meaning that you can start surfing the net as soon as you turn on your computer. Using such a connection will involve extra hardware, such as a box that fits to your wall into which you plug a USB modem (also needed), which will then connect to your computer. When you connect to ADSL you also get a new phone line, which can be beneficial to many small businesses. The use of this line does not affect the ADSL connection either. Broadband is available in all cities. However, you should check availability in your area before discounting ISDN or 56k. ADSL gives faster downloading speeds (receiving) than uploading speeds (sending).
(v) SDSL - up to 2Mbps
This service was released in early 2004, aimed at businesses, allowing users to enjoy the same uploading (sending) speeds as downloading (receiving). This service is beneficial to businesses that frequently send large files via the internet: the current connection may be causing the network to suffer huge strain when transporting such files. Subscribers can sign up for speeds varying from 256kbps to 2Mbps, depending on preference. This service is much more expensive than ADSL broadband and should only be considered if there is an immediate need for it.
1.8 How to Connect to the Internet and World Wide Web
Before you can connect to the Internet and access the World Wide Web, you need to have certain equipment. In brief, you must have a computer (preferably running an up-to-date operating system); a modem and access to a telephone line or a local area network (LAN) that is in turn connected to the Internet; and connection software that will allow you to establish an account with a service provider and access the Internet. A modem is not needed when accessing the Internet through a LAN.
1.8.1 The Right Hardware
To operate most of the current Web browsers and on-line services, you should have a computer with at least 32 megabytes (MB) of random access memory (RAM) and 2 GB of free hard disk space. If you are unsure of how much RAM and disk space your computer has, consult your user's manual. If you are accessing the Internet outside of a LAN environment, you will need a modem that will connect you with other computers and interpret the data being sent back and forth. Any modem that is compatible with your computer will do, though the higher the kilobits per second (kbps) rate of your modem, the faster it will transmit data. Modem speed is an important consideration when accessing sites on the Web that contain lots of digitized data. If you are looking to purchase a modem, buy the fastest model you can afford. You must also have access to a live telephone line. Most modems accept the same jacks as ordinary household telephones, allowing you to connect your modem to a wall jack using standard phone cord. Some cable TV providers have begun offering Internet connections via cable. Such connections provide much faster transmission speeds than standard phone lines, though you will need a special modem that allows you to link your computer with the cable. If you are interested in a cable Internet connection, contact your local cable operator to see if the service is available in your area. You have to purchase an ADSL modem/router if you are going for an ADSL Internet connection. You can also connect to the Internet through a LAN with Internet access. If you are unsure as to the capacity of your LAN to do this, contact your site's systems administrator.
1.8.2 The Right Software
For best results, make sure that your computer is running the most up-to-date operating system that it can handle. If you have an IBM PC/PC compatible computer, it should be running Microsoft Windows NT, Windows 95/98/Me, Windows 2000 or Windows XP. You can also use the Linux operating system. If you have a Macintosh, it should be running System 8 or higher. To make your connection complete, you will need connection software that allows your computer to dial into an Internet access provider, establish an account, and work with the data in a straightforward manner. Many access providers will give you software that will allow you to access their systems using an all-in-one custom interface. Some such software is also bundled with the operating system. Others may give you a collection of separate software packages that can be used together. But whatever software they provide, be sure that it is compatible with your computer and operating system before attempting to use it.
1.8.3 The Browser
As you surf the Web, you will come across sites that state, "This site is best viewed with…" and then name a particular browser. Many will even provide a link to a site where you can download the specified browser. Sites make these recommendations because some browsers use special protocols, allowing site creators to offer extra features beyond the standard capabilities of hypertext markup language (HTML). Chief among these browsers are Netscape Navigator, Microsoft Internet Explorer, Opera and Mozilla Firefox.
1.8.4 Plug-ins
The Netscape Navigator, Mozilla Firefox and Microsoft Internet Explorer browsers allow for the use of plug-ins, or extra software applications that run as if they were an integral part of the browser. Browsers also use helper applications that, while not as integral as plug-ins, enhance the browser's capabilities by launching when needed. Helper applications allow your browser to play sound and video files, display animation and other graphic formats, or access special Internet features such as TELNET. Most Web sites that require the use of helper applications will provide links to sites where you can download the necessary software.
Chapter 2
Internet Account Tariff
Contents
• Types of Internet connections offered by BSNL
• Tariff for the various connections
Objectives
After completion of this module you will be able to know:
• Types of Internet connections offered by BSNL
• Different tariff for different Internet connections
2.1 Internet Accounts
The different types of Internet accounts offered by BSNL are given below:
Leased line access
Enjoy round the clock internet connectivity at speeds varying from 64 Kbps to 45 Mbps. Various plans are available to suit different needs. ISDN dial backup packages for Internet Leased Line customers are also available.
Direct Internet Access (DIAS)
BSNL also provides DIAS in selected cities of the country. DIAS offers a wire-line solution for high speed symmetrical Internet access on the existing telephone lines. It provides an "always on" internet access that is permanently available at the customer's premises. DIAS combines voice and internet data packets on a single twisted pair wire at the subscriber's premises, which means you can use the telephone and surf the internet at the same time.
Account free Internet dial up access based on CLI
Duration based Dialup Internet Service (CLI based) is a unique method of providing Internet service in which the customer can access the Internet service from any telephone through dial up. The service allows automatic registration on first LOGIN. The authentication will be based on the CLI of the telephone together with the password supplied by the caller. The charging is totally usage based and the service is a post paid service like normal PSTN. The billing will be separate, based on the duration of use, and will be charged to the telephone bill (CLI based) as Internet access charge at the prescribed rate. The service is available in selected cities. The access no. of this service is '172222' in all cities. CLI based dial up internet service is also available for ISDN customers now. The access no. of this service is '172223'.
BROADBAND
Broadband service is based on DSL technology (on the same copper cable that is used for connecting the telephone). This provides high speed internet connectivity up to 8 Mbps. It is an always-on internet access service with speeds ranging from 256 Kbps to 8 Mbps.
SANCHARNET CARD
BSNL has also launched the "Sancharnet Card" recently. The Sancharnet Card is a prepaid Internet access card with the following features for customers:
• Self-register for Internet access with your choice of user ID
• Renew your existing Sancharnet account
• Wide range of Internet access packages
2.2 Tariff for various Internet accounts
The tariffs for the various Internet accounts offered by BSNL are given below:
2.2.1 Tariff for Direct Internet Access Services (DIAS) DIAS is presently available in 42 cities across India. Tariff for the DIAS will be as detailed below (applicable from 01.06.2005):
                                      Plan-0 (Starter)   Plan-I     Plan-II    Plan-III
Activation charges (non-refundable)   Rs. 500            Rs. 500    Rs. 500    Rs. 500
Security deposit                      Nil                Nil        Nil        Nil
Monthly rental                        Rs. 300            Rs. 500    Rs. 900    Rs. 3000
Free usage per month (per user)       0.5 GB             1.0 GB     2.0 GB     Unlimited
Additional usage charge per MB        Rs. 2              Rs. 2      Rs. 2      N.A.
The DIAS service shall be offered to BSNL's PSTN subscribers on the same copper pair as is being used for their DELs at present. If the BSNL PSTN connection is disconnected, the DIAS connection is also to be surrendered; if the telephone is disconnected for non-payment etc., the DIAS facility shall also be disconnected. This tariff includes Internet usage charges: the subscriber need not pay any additional amount for (i) PSTN dial-up access for Internet or (ii) port charges for an Internet leased line. This tariff is for connection of subscribers to the Internet nodes of BSNL. Wherever it is not technically feasible to measure usage, the present tariff will remain applicable; whenever it becomes technically possible to apply a usage-based tariff, DIAS subscribers shall be informed well in time, with a period of one month for switchover from the existing tariff to the usage-based tariff above. This tariff will be reviewed after six months.
2.2.2 Tariff for Account-free Internet Dial-up access based on CLI
• Usage charges for Internet access through BSNL's Sancharnet: 10 paise per minute.
  Note: Subscribers will be charged this usage charge over and above the normal PSTN dial-up call charges.
• Tariff of the CLI service for ISDN (with effect from 1 September 2005):

  ISDN type   Tariff for CLI (Rs. per minute)
  64 kbps     0.20
  128 kbps    0.40
  192 kbps    0.60
  256 kbps    0.80

  Note: The above CLI-based Internet tariff is in addition to the already applicable ISDN tariff.
2.2.3 Tariff for Internet Access Local Calls
The tariff for Internet access local calls (calls made to Internet access numbers like 172XXX) is given below:

Package                            Peak hours period (hrs)   Pulse (seconds)   Off-peak hours period (hrs)   Pulse (seconds)
Standard (TRAI)                    0800-2000                 120               2000-0800                     180
BSNL package (w.e.f. 21.10.2004)   0730-2230                 450               2230-0730                     900*

* 600 seconds for E10B exchanges
Service Tax as applicable shall be extra
2.2.4 PSTN & ISDN Limited Access Dialup packages with 4 MB E-mail space
The uniform tariff shall be applicable to all new customers. All new connections shall be provided as per the tariff applicable on the date of new connection/renewal. All instructions issued from time to time by BSNL shall remain applicable.

PSTN Dialup Access - Limited Access
Free access from 2300 hrs to 0800 hrs on weekdays and for the full day on Sundays and National Holidays.
S.N.  Brand name    Denomination (hrs)   Validity   Charges (Rs.)
1.    Corporate     1000                 2 yr       4500
2.    Gold Pass     500                  2 yr       2300
3.    Silver Pass   200                  2 yr       1000
4.    Executive     100                  2 yr       500
5.    Regular       50                   1 yr       250
6.    Temporary     25                   6 months   150

ISDN Dialup Access at 64 kbps - Limited Access
S.N.  Brand name    Denomination (hrs)   Validity   Charges (Rs.)
1.    Corporate     1000                 2 yr       8000
2.    Professional  500                  2 yr       4500
3.    Personal      100                  2 yr       1000

ISDN Dialup Access at 128 kbps - Limited Access
S.N.  Brand name    Denomination (hrs)   Validity   Charges (Rs.)
1.    Corporate     1000                 2 yr       16000
2.    Professional  500                  2 yr       9000
3.    Personal      100                  2 yr       2000

• Service Tax as applicable shall be extra
• One user ID and e-mail ID per package, except for the Corporate package where it is 2
• Simultaneous logins per user ID shall be 2
• E-mail space per e-mail ID shall be 4 MB
• Free web space per user ID shall be 1 MB
• Free access between 2300 hrs and 0800 hrs on weekdays and for the full day on Sundays and National Holidays
Internet P.C.O. (BSNL.) - Rs. 10 per 20 minutes or part thereof
2.2.5 PSTN & ISDN Limited Access Dialup packages with 10 MB E-mail space

PSTN Dialup Access - Limited Access
S.N.  Package                  Hours   Validity   Charges (Rs.)
1.    Corporate                1000    1 yr       5000
2.    Gold Pass                500     1 yr       2500

ISDN Dialup Access at 64 kbps - Limited Access
S.N.  Package                  Hours   Validity   Charges (Rs.)
1.    Corporate Mail           1000    1 yr       9000
2.    Professional Mail        500     1 yr       5000

ISDN Dialup Access at 128 kbps - Limited Access
S.N.  Package                  Hours   Validity   Charges (Rs.)
1.    Corporate Plus Mail      1000    1 yr       18000
2.    Professional Plus Mail   500     1 yr       10000

• Service Tax as applicable shall be extra
• One user ID and one e-mail ID per package, except the Corporate package
• One user ID and two e-mail IDs with the Corporate package
• Simultaneous logins per user ID shall be 2
• E-mail space per e-mail ID shall be 10 MB
• Free web space per user ID shall be 1 MB
• Free access between 2300 hrs and 0800 hrs on weekdays and for the full day on Sundays and National Holidays
2.2.6 PSTN & ISDN UNLIMITED ACCESS Dialup packages with 10 MB E-mail space

PSTN Dialup Access - Unlimited Access
S.N.  Package                Hours       Validity   Charges (Rs.)
1.    Enterprise Mail        Unlimited   6 months   9000

ISDN Dialup Access at 64 kbps - Unlimited Access
S.N.  Package                Hours       Validity   Charges (Rs.)
1.    Enterprise Mail        Unlimited   6 months   16000

ISDN Dialup Access at 128 kbps - Unlimited Access
S.N.  Package                Hours       Validity   Charges (Rs.)
1.    Enterprise Plus Mail   Unlimited   6 months   32000

• Service Tax as applicable shall be extra
• One user ID and one e-mail ID per package
• Simultaneous logins restricted to one
• Access permitted only from two specified telephone numbers (CLIP restriction)
• 10 MB e-mail space
• 1 MB web space
2.2.7 ISDN UNLIMITED ACCESS Dialup with FIXED IP and 10 MB E-mail space

ISDN Dialup Access at 64 kbps - Unlimited Access
Package            Denomination (hrs)   Validity   Charges (Rs.)
Fixed IP Address   Unlimited            6 months   30,000

ISDN Dialup Access at 128 kbps - Unlimited Access
Package            Denomination (hrs)   Validity   Charges (Rs.)
Fixed IP Address   Unlimited            6 months   54,000

• Service Tax as applicable shall be extra
• One user ID and one e-mail ID per package
• Simultaneous logins restricted to one
• Access permitted only from two specified telephone numbers (CLIP restriction)
• Fixed IP address assigned on access (the customer has to apply for the IP address separately)
• 10 MB e-mail space
• 1 MB web space
2.2.8 Tariff for Broadband services
BSNL has decided to revise the packages of its ADSL Broadband service 'DataOne' for Home and Business users, with different bandwidth (BW) options and download capacities, with effect from 16-08-2005. The revised offer and new packages are as under:

A. Initial and other charges
Installation charges                        Rs 250
Modem rental (in case of modem from BSNL)
  (a) Monthly rental                        Rs 100 (Type I modem)
  (b) Security deposit (refundable)         Rs 500
Shifting charges                            Nil (withdrawn w.e.f. 15/07/05)
Change of plan charges                      Nil (withdrawn w.e.f. 09/06/05)
B. Demand Note to New Dataone Customers
At the time of issue of the Demand Note, the following charges are to be collected:
a) Installation charges (as applicable)
b) Security deposit for the modem (if applicable)
c) Refundable security deposit of one month's rental as per the plan (as applicable), subject to a maximum of Rs. 5000. No security deposit is to be collected for the Home 250 and Home 500 plans.

C. DataOne - Home Plans (tariff in Rs.)

Particulars                          Home 250        Home 500 (New)   Home 1000        Home 1800        Home 3300
Bandwidth                            256 Kbps        256 Kbps         384 Kbps         512 Kbps         1 Mbps
Monthly charges (Rs)                 250             500              1000             1800             3300
Annual payment option (Rs)           2500            5000             10000            18000            33000
Download/upload limit (GB)           0.4 GB          1.0 GB           2 GB             5 GB             10 GB
Additional usage charge per MB
  beyond free limit (Rs)             1.40            1.20             1.00             0.80             0.80
Free e-mail IDs / space per ID       1 / 5 MB        1 / 5 MB         1 / 5 MB         1 / 5 MB         2 / 5 MB
Security deposit                     Nil             Nil              1 month rental   1 month rental   1 month rental
Night unlimited (0200-0800 hrs)      Not available   Available        Available        Available        Available
Minimum hire period                  Three months    Three months     One month        One month        One month

D. DataOne - Business Plans (tariff in Rs.)

Particulars                          Business 700 (New)   Business 1200    Business 3000    Business 5000    Business 9000
Bandwidth                            256 Kbps             256 Kbps         512 Kbps         1 Mbps           2 Mbps
Single / multi user (SU/MU)          SU                   SU               MU               MU               MU
Monthly charges (Rs)                 700                  1200             3000             5000             9000
Annual payment option (Rs)           7000                 12000            30000            50000            90000
Download/upload limit (GB)           2 GB                 4 GB             10 GB            20 GB            40 GB
Additional usage charge per MB
  beyond free limit (Rs)             1.20                 1.00             0.80             0.60             0.60
Free e-mail IDs / space per ID       1 / 5 MB             1 / 5 MB         2 / 5 MB         2 / 5 MB         4 / 5 MB
Static IP address (on request)       Not available        Not available    Not available    One              One
Web hosting space (on request)       Not available        Not available    Not available    5 MB             5 MB
Domain name (on request)             Not available        Not available    Not available    One              One
Security deposit                     1 month rental       1 month rental   1 month rental   1 month rental   Rs 5000
Minimum hire period                  One month            One month        One month        One month        One month
- Service Taxes extra. - Billing for the service will be included in the normal Bfone bill. The billing cycle shall be monthly for Dataone customers. Monthly rentals and usage charges will be billed in arrears.
E. Modem on outright purchase
Only Modem Type I with one Ethernet port will be available for sale / rental to customers for the present.

F. Conditions for providing the Home plan or Business plan
1. Either plan can be taken by subscribers having telephones in individual names working at homes/residences and used for personal purposes.
2. Subscribers having telephones in the name of a company, firm, shop, educational institute or any other commercial entity can take only the Business plan. They are not eligible for the Home plan.
3. Telephones working in individual names at commercial/business/office premises are also not entitled to Home plans.
4. The Home plan can be taken on Bfones in the name of a Government body or company but actually working at the residences of their employees. An undertaking shall have to be given by the customer in this regard.

G. Registration fees
A registration fee of Rs. 100 shall be charged, which will be adjusted in the first demand note.

H. Waiver of installation charges
Installation charges of Rs. 250 are waived for all new broadband customers between 16 August 2005 and 30 September 2005. All other terms and conditions remain the same. The above tariff is valid until 31/03/2006.
Chapter 3
MODEM
Contents
• MODEM fundamentals
• Types of MODEMs
• Interface
• Connections

Objectives
After completion of this module, you will be able to know:
• MODEM fundamentals
• The two types of MODEMs
• Different types of interfaces
• Different types of connections
3.1 MODEM fundamental Acronym for MODulator / DEModulator which describes the method used to convert digital data used by computers into analog signals used by the phones and then back into digital data once received by the other computer.
(The original shows a digital waveform and an analog waveform side by side.) All computer data is stored and transmitted within the computer in digital form, as 1s and 0s. For this data to travel over analog phone lines it must be converted into an analog signal, which is the noise you hear when connecting to another computer. Once the other computer receives this signal it translates it back into the original digital form. Typical modems are asynchronous devices, meaning that the device transmits data as an intermittent stream of small packets. The receiving system takes the data from the packets and reassembles it into a form the computer can use.

Layout of one asynchronous packet (one character) as transmitted on the phone line:

  Start   Data     Stop   | Start   Data     Stop
  1 bit   8 bits   1 bit  | 1 bit   8 bits   1 bit
  <--- packet: 10 bits -->  <--- packet: 10 bits -->
The above chart represents how an asynchronous transmission would be sent over a phone line. In asynchronous communication 1 byte (8 bits) is transferred within 1 packet, which is equivalent to one character. For the receiving computer to recognise this information each packet must also contain a Start bit and a Stop bit, so the complete packet is 10 bits. An example of what the above chart would transmit is the word HI, which is 2 bytes (16 data bits, 20 bits on the line).
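As an added example (not part of the original chapter), the following Python code frames bytes the way the chart describes, one start bit, eight data bits and one stop bit per character, and reassembles them on the receiving side, rejecting a frame whose start or stop bit is wrong. The UART conventions it assumes (idle-high line, start bit 0, stop bit 1, least-significant data bit first) are standard for asynchronous serial ports; the function names are this example's own.

```python
"""Asynchronous (start/stop bit) character framing as used on a dial-up modem link."""
from typing import List

START_BIT = 0       # the line idles high; a start bit is the drop to low that marks a new frame
STOP_BIT = 1        # the stop bit returns the line to idle
DATA_BITS = 8
FRAME_BITS = 1 + DATA_BITS + 1   # 10 bits per character (8N1)


def frame_byte(value: int) -> List[int]:
    """Build one 10-bit frame: start bit, 8 data bits least-significant first, stop bit."""
    if not 0 <= value <= 0xFF:
        raise ValueError("a frame carries exactly one byte")
    data_bits = [(value >> i) & 1 for i in range(DATA_BITS)]
    return [START_BIT] + data_bits + [STOP_BIT]


def frame_bytes(data: bytes) -> List[int]:
    """Serialise a byte string into the bit stream that would go out on the line."""
    bits: List[int] = []
    for byte in data:
        bits.extend(frame_byte(byte))
    return bits


def deframe(bits: List[int]) -> bytes:
    """Receiver side: pick out each frame, check its start and stop bits, rebuild the byte."""
    if len(bits) % FRAME_BITS:
        raise ValueError("bit stream is not a whole number of frames")
    out = bytearray()
    for start in range(0, len(bits), FRAME_BITS):
        frame = bits[start:start + FRAME_BITS]
        if frame[0] != START_BIT or frame[-1] != STOP_BIT:
            # A real UART reports this as a framing error: baud mismatch, line noise or a lost bit.
            raise ValueError(f"framing error in frame {start // FRAME_BITS}")
        out.append(sum(bit << i for i, bit in enumerate(frame[1:1 + DATA_BITS])))
    return bytes(out)


def has_framing_error(bits: List[int]) -> bool:
    """True when the stream cannot be deframed cleanly."""
    try:
        deframe(bits)
    except ValueError:
        return True
    return False


def characters_per_second(line_bits_per_second: int) -> float:
    """Payload rate: 2 of every 10 bits are start/stop overhead, so a 56000 bps link carries 5600 char/s."""
    return line_bits_per_second / FRAME_BITS


if __name__ == "__main__":
    stream = frame_bytes(b"HI")          # 2 bytes of data, 20 bits on the line
    print(stream, len(stream), deframe(stream))
```

The 20 % overhead in characters_per_second is why a "56K" modem never moves 7000 characters a second even on a perfect line; the start and stop bits are part of the cost of not sharing a clock with the far end.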
3.2 Types of MODEMs
Two types of modems are used with computers:
Internal: a modem that plugs into a slot inside the computer.
External: a modem housed in its own box and connected to the computer externally, generally via a serial port.
3.3 Purchasing Tips
Before purchasing a modem take the following into consideration. With the popularity of the Internet and multimedia over the Internet, broadband is becoming widely available. If it is available in your area you may want to consider a broadband solution instead: DSL through BSNL or a third-party company, cable through your local cable provider, or satellite through a third party. If no broadband connection is available in your area, a modem can be purchased. Details about modems are given below:
3.3.1 Standards
When 56K connections were first introduced there was no agreed standard between the two major modem manufacturers, which led to two incompatible technologies, x2 and K56flex. Each allowed a modem to connect at the higher speed, but only if the Internet provider's equipment supported the same technology. Because of the difficulties this caused, a single standard emerged from the two, called V.90, which lets any brand of modem connect at the higher speed. Today all modems purchased new are V.90 (or its successor V.92), and this is no longer a concern.
3.3.2 Interface
The interface can be an important consideration when purchasing a modem: make sure your computer has the connections and resources available for the type you buy.

3.3.2.1 PCI / ISA (internal)
PCI / ISA modems are found in most computers today. They are installed inside the computer, with a connection for the phone line on the back of the card. When purchasing this type of modem, verify that your computer has a free slot of the right type (PCI or ISA) and that the necessary resources are available. Installing an internal modem can be difficult if a serial device such as a serial mouse or serial PDA is connected to the computer, because the modem presents itself as an additional COM port and may conflict with it.

3.3.2.2 Serial (external)
A serial modem connects to a serial port on the back of the computer. These modems are generally easy to install but cost more than an internal modem, since you also pay for the enclosure. Verify that your computer has a free serial connection; a device such as a serial mouse may already be using the port. Some computers have two serial ports; if only one is currently in use, verify that the second is enabled, or can be enabled, in the CMOS setup.

3.3.2.3 PC Card (PCMCIA)
The solution used with portable computers. PC Card modems are fairly cheap and relatively easy to install. If your portable already has a modem but you wish to upgrade it, or the internal modem has failed, verify that the pre-existing modem can be disabled before installing the new one.

3.3.2.4 USB
A newer solution: USB allows up to 127 devices to be attached to the computer and is available for PC and Mac. Before purchasing a USB modem verify that your computer has a USB connection; if not, an additional card will need to be installed in the computer.
3.3.3 Connection
The connection differs with the type of modem.

3.3.3.1 Internal / external / USB modem
Today all such modems have an RJ-11 connection, the standard phone connector. If it matters to you, verify that the modem has two RJ-11 connections: one connects the modem to the phone line and the other can be used for a telephone. This is useful for a home or office computer that needs a phone next to it.

3.3.3.2 PC Card modem
When purchasing a PC Card modem the connection can be an important consideration. The pros and cons of each connection type are listed below.

3.3.3.3 Dongle
A common solution for PC Card modems, but a burdensome one. The dongle is a short adapter cable that runs from the PC Card to a small RJ-11 socket. While a good idea, these cables get lost often. The advantages are a sturdy connection and a card that occupies only a single Type II slot, leaving the other slot free for another card.

3.3.3.4 Standard
A standard connection, like that of a desktop modem, allows a phone line to be plugged directly into the card, with no additional cables. The drawback is that these cards are thicker and generally take up the whole PC Card bay.
Chapter 4
Windows XP Dialup Networking
Contents
• Configuring Dialup Networking in Windows XP

Objectives
• After completion of this module, you will be able to know how to configure Dialup Networking in Windows XP
4.1 Configuring Dialup Networking in Windows XP
These instructions assume your modem is properly installed and configured; see the modem manufacturer's documentation for installation instructions. Windows XP has several ways of reaching the dialup settings, and your screens may differ slightly from the screenshots described below because XP lets users customise the display. Start the New Connection Wizard from the Start menu: click Start → All Programs → Accessories → Communications → New Connection Wizard. The wizard's opening screen appears.
Click Next; on the Network Connection Type screen choose "Connect to the Internet" and click Next again.
Choose the radio button next to "Set up my connection manually" and click Next to see the Internet Connection window.
Select "Connect using a dial-up modem" and click Next to get the Connection Name window.
For the ISP name, click in the box and enter the name you want to see on the icon for the connection; in this example we use the name Sancharnet. Click Next to continue.
Enter the phone number as you want it to be dialed for your connection. Choose Next to continue when done.
If multiple unrelated users are sharing a connection you may want to make this setting 'My use only', but if every user of the system is allowed to use this dialup select Anyone's use. Then click Next.
In the Internet Account Information window leave the user name and password fields blank. This means you will have to enter your ID and password every time you connect, but it also means that nobody else who uses this Windows account can dial in on your account. Saving the user name and password is more convenient and less secure. Turning on Internet Connection Firewall is appropriate for most users, but users of a VPN (such as an Oracle connection) may find that it does not work with Internet Connection Firewall selected. Click Next.
On the Finish screen you can add a shortcut to this connection on your desktop. You may want to do that; if not, you can reach the connection through the Start menu. Click Finish (but you may not really be done). If you are going to use the Home Directory service, continue with the Advanced configuration below. If all you use the dialup connection for is e-mail and Web access, the connection defined this way will probably work fine without additional setup. To start a dialup session go to Start → Connect To → Sancharnet (the name you have given the Internet connection).
Choosing the connection from the menu will bring a login screen that will take your Dialup Networking ID and password and will make your modem dial in to get your connection.
4.1.1 Advanced configuration
If you have problems connecting, or if you plan to use the Home Directory service via your dialup connection, the following steps may be required to force the appropriate settings. Go to Start → Connect To → Sancharnet (or whatever you named the connection), right-click it to get the menu, and left-click Properties.
The Properties window will look similar to the following:
The "Connect Using" box should have the name of your modem. If you understand the use of dialing rules feel free to use them, otherwise uncheck the 'Use dialing rules' box and put the full number, as you want it dialed, in the "Phone number" box. You can use the "Alternates" button to provide numbers which should be tried if the first one fails to connect. Choose the "Options" tab.
Your settings on the Options tab should match those shown above. In particular, "Include Windows logon domain" MUST NOT be checked, or your user name will be sent incorrectly at logon. Redial attempts are optional. Next choose the Security tab.
Your security settings should look like those above to connect to the UVA dialup. Select the Networking tab.
Advanced users may want to change some of the settings from those shown above, but in general the screen should match it. Note: for Home Directory users, Client for Microsoft Networks MUST BE CHECKED. (If you scroll through the list "This connection uses the following items", no additional items need to be checked.) Click on the Internet Protocol (TCP/IP) line and then click the Properties button on the Networking tab.
If you have previously set up any network connections on this system, some of the settings on the TCP/IP properties window may differ (and this window may change with the later changes we will make). "Obtain an IP address automatically" must be selected. Click the Advanced button, then the DNS tab of the Advanced TCP/IP Settings window.
Click the Add button below the DNS server addresses list; in the window that pops up add 128.143.2.7, then repeat for 128.143.22.119. Only two can be specified, so if you make an error select the wrong entry and click Remove. Select "Append these DNS suffixes (in order)", click Add and add virginia.edu (this lets you leave off the virginia.edu part of host names when you specify them in other programs). If you use the Home Directory service, click the WINS tab to bring up the WINS settings window; initially it is unlikely to look like the one below.
Home Directory users MUST select "Enable NetBIOS over TCP/IP". Note that this also makes the NetBIOS ports (TCP/UDP 137-139) reachable from the Internet over the dialup connection, which is one more reason to leave Internet Connection Firewall turned on for it. The WINS server settings should not be necessary for Home Directory, but if you are having difficulties, the correct servers for UVa and Home Directory are 128.143.3.199 and 128.143.22.189. If you use a WINS server (ESERVICES users and some HSC users), add the appropriate WINS server information on the WINS tab; contact your server administrator for the correct WINS settings for your domain (those given above are for the ESERVICES domain). When finished click OK; you will be taken back to the "Internet Protocol (TCP/IP) Properties" window, where some information may have been filled in for you.
From this window click OK to get back to the main network connection properties window, and OK again on that window to exit the configuration. Then you should be able to retry your connection. If you have difficulties following these directions or need any other help getting your connection to a UVa modem, please call us at 924-3731. That's the ITC Help Desk. Have your University Computing ID (that's your Email ID) ready and give us as clear a description as possible of what you have done and what is not working.
Chapter 5
ISDN Terminal Adapter
Contents
• What is a Terminal Adapter
• Types of Terminal Adapters
• Features of Terminal Adapters

Objectives
After completion of this module, you will be able to know:
• What a Terminal Adapter is
• What the types of Terminal Adapters are
• What the features of a Terminal Adapter are
5.1 Terminal Adapter In telecommunications, a terminal adapter is an interfacing device employed at the "R" reference point in an ISDN environment that allows a non-ISDN terminal at the physical layer to communicate with an ISDN network. It performs a similar role for ISDN to that which a modem performs for the PSTN. A terminal adapter (TA) is a hardware interface between a computer and an Integrated Services Digital Network line. It's what replaces a modem when you are using an ISDN connection. Unlike "plain old telephone service," which carries signal in analog (voice) form between your computer and the telephone company's office, ISDN carries signals in digital form so there is no need to modulate and demodulate between analog and digital signals. The terminal adapter is what you have to install on a computer so that data can be fed directly into the ISDN line in digital form. Since ISDN service is not available from telephone companies in all areas, the terminal adapter is not usually built into a computer. You purchase and install it when you sign up for ISDN service. Some manufacturers and telephone companies use the term ISDN modem, instead. Note: Typically, a terminal adapter will support standard RJ-11 (or other country-specific) telephone connection plugs for voice and RS-232C, V.35 and RS-449 interfaces for data.
5.2 Types of Terminal Adapters
There are two main types of ISDN terminal adapter: internal and external. Which to buy depends on the features you want from your ISDN line. As ISDN becomes more common, future computers will probably have terminal adapters built in.
5.2.1 External terminal adapters
External adapters are better if you are going to use your ISDN line for voice (phone, fax, analog modem, etc.). Be careful when purchasing an external TA: vendors claim speeds of up to 64K, but many external TAs cannot convert synchronous 64 Kbps data into 57.6 kbps asynchronous data for the serial port, and can only communicate in asynchronous mode at 38.4 kbps.
5.2.2 Internal terminal adapter
Internal terminal adapters go inside your computer like any other internal card. If you are going to use ISDN strictly for Internet access, an internal adapter is the right choice. Internal models are normally cheaper than external ones, because the manufacturer does not need to include a power supply or enclosure. Internal adapters do not have the serial-port bandwidth constraint that external ones do, so you do not need to buy any special accessories to get the maximum out of them. However, internal adapters are not well set up to provide ringers, and they need an external power connection (or the PC powered on) in order to make a voice call.

Feature                                       External TAs                          Internal TAs
Use for voice                                 Works as long as the TA is powered    PC must be on, or additional equipment purchased
Ringer for other devices (fax, phone, etc.)   Can usually provide for six devices   Often requires additional equipment
DTE speed                                     Serial port speed constraint          Much higher speed
Cost                                          More expensive                        Less expensive
5.3 Some of the features to look out for in a TA
• Easy to install and use: there should be an installation wizard that walks you through configuration and setup, getting the TA up and running in minutes, with plug-and-play support for Windows 95/98/2000/Me/XP and NT.
• Support for WAN protocols: a TA should support a full range of WAN protocols, including X.75, CLEAR (synchronous), PPP, ML-PPP, MP+ and V.120, and the PAP and CHAP (MD5) authentication methods, so that you can connect to a variety of servers on the corporate LAN or the Internet.
• Call bumping: the TA should be able to drop a data call from 128 K to 64 K automatically, reducing the data link to one B channel so that a phone call can be made or received while data continues on the other channel.
• Battery back-up: a built-in battery that supplies power for 2-3 hours in case of power failure.
• Simultaneous voice and data: the TA should be able to send and receive data from your computer over one ISDN B channel while the other B channel serves a phone or fax machine through the analog port.
• Calling line identification: for incoming calls from digital lines, the caller's number appears on the telephone display when the phone rings, which helps identify anonymous calls over ISDN.
Chapter 6
Proxy Servers
Contents
• Introduction to Proxy Servers
• Functions of Proxy Servers
• Protocols of Proxy Servers
• Host Identifiers and Ports
• Configuration of a browser to use a Proxy Server

Objectives
After completion of this module, you will be able to know:
• What is a Proxy Server?
• What are the functions of Proxy Servers?
• Protocols of Proxy Servers
• Host Identifiers and Ports
• How to configure a browser to use a Proxy Server
6.1 Introduction to Proxy Servers
A proxy server is a device that sits between the workstations on a network and the Internet and relays their connections. Because all traffic passes through it, the proxy can restrict which ports and protocols are allowed out, log Internet use, and block access to prohibited sites. When a client requests a page, the request goes to the proxy server, which forwards it to the site; when the reply arrives from the site, the proxy passes it back to the user. Some home networks, corporate intranets and Internet Service Providers (ISPs) use proxy servers (also known simply as proxies). A proxy acts as a "middleman" or broker between the two ends of a client/server connection, working with Web browsers and servers, or other applications, by supporting the underlying application protocol such as HTTP.
6.2 Key Features of Proxy Servers Proxy servers provide three main functions: 1. Firewalling and filtering 2. Connection sharing 3. Caching The features of proxy servers are especially important on larger networks like corporate intranets and ISP networks. The more users on a LAN and the more critical the need for data privacy, the greater the need for proxy server functionality.
6.2.1 Proxy Servers, Firewalling and Filtering
Proxy servers work at the Application layer, layer 7 of the OSI model. They are not as popular as ordinary firewalls, which work at lower layers and support application-independent filtering. Proxy servers are also more difficult to install and maintain than firewalls, since proxy functionality for each application protocol (HTTP, SMTP, SOCKS and so on) must be configured individually. However, a properly configured proxy server improves network security and performance, and proxies have capabilities that ordinary firewalls simply cannot provide. Some network administrators deploy both firewalls and proxy servers to work in tandem, installing firewall and proxy server software on the same gateway. Because they function at the Application layer, the filtering done by proxy servers is relatively intelligent compared to that of ordinary routers. For example, a Web proxy can check the URL of outgoing requests for Web pages by inspecting the HTTP GET and POST messages. Using this feature, network administrators can bar access to prohibited domains while allowing access to other sites. Ordinary firewalls, in contrast, cannot see Web domain names inside those messages. Likewise for incoming traffic, ordinary routers can filter by port number or network address, but proxy servers can also filter on the application content inside the messages.
6.2.2 Connection Sharing with Proxy Servers Various software products for connection sharing on small home networks have appeared in recent years. In medium- and large-sized networks, however, actual proxy servers offer a more scalable and cost-effective alternative for shared Internet access. Rather than give each client computer a direct Internet connection, all internal connections can be funneled through one or more proxies that in turn connect to the outside.
6.2.3 Proxy Servers and Caching
The caching of Web pages by proxy servers can improve a network's "quality of service" in three ways. First, caching may conserve bandwidth on the network, increasing scalability. Next, caching can improve response time experienced by clients. With an HTTP proxy cache, for example, Web pages can load more quickly into the browser. Finally, proxy server caches increase availability. Web pages or other files in the cache remain accessible even if the original source or an intermediate network link goes offline.
Figure 6.1
6.2.3.1 Proxy caching
Imagine two people at an office -- let's call them Ram and Latha -- surfing the Net for business research. Suppose Ram, who has an interest in computer networking books, visits www.oreillynet.com in an attempt to learn more about them. Now it's Latha's turn. Latha is very interested in computer programming. She navigates to www.oreillynet.com and, because this page was cached during Ram's very recent visit, she is surprised at how quickly this content-rich page pops into her browser window. With a great first impression, Latha is now ready to immerse herself in the wonderful world of computer programming. The potential benefits of proxy server caching loom even larger if Ram and Latha have a few hundred coworkers that share the same proxied Internet access and similar interests or Net surfing patterns. Yet proxy caching is not a silver bullet. Limitations exist that can render this technology much less useful.
6.2.3.2 Drawbacks of Proxy Caching
It's reasonable to expect that proxy servers handling hundreds or thousands of Web clients can become a network bottleneck. In addition to using servers with powerful processors and large amounts of memory, administrators may also choose to deploy multiple proxies to help avoid potential bottlenecks. A proxy hierarchy creates multiple layers of caching support. Clients connect directly to a first-level caching server, and if a Web page is unavailable there locally, the request "misses" and automatically gets passed to a second-level caching server, and so on. As with many caching systems, the effectiveness of a multi-proxy server hierarchy is very dependent on the pattern of traffic. In the worst case, all clients will be visiting Web pages completely unrelated to each other, and the proxies (the hardware and the additional network traffic they generate) become pure overhead. One would expect that normal traffic patterns will usually not be worst-case, but every network's use pattern will be different. Proxy caching differs from browser caching. Browsers automatically cache pages on the client computer, whereas proxies cache pages on a separate server shared by many clients. Because browsers already perform their own caching, introducing proxy caching into a network will have only a second-order effect. Proxy caches don't help much with refreshed pages. On some sites, Web pages are set with HTML META tags to expire quickly; expired pages force the proxy cache to reload that page. Similarly, caching is rendered ineffective by pages that change content frequently, such as those on news sites or weblogs. Proxy caches also introduce measurement uncertainty into the Internet. Normally, a Web server log will record identifying information about visiting clients such as their IP addresses and domain names. For clients behind proxy servers, all public requests are made on the clients' behalf by the proxy, using its IP address and identity. Web sites that carefully track the patterns of use of their visitors have much more difficulty distinguishing unique client visits through proxies.
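The caching behaviour of sections 6.2.3.1 and 6.2.3.2, as an added example that is not part of the original text: a two-level proxy hierarchy (branch caches behind a central cache) with expiry, showing the Ram-then-Latha hit, the hierarchy miss-then-hit, a page that expires too quickly to help, and a page a shared cache must never store. The origin Web server is a constructed stand-in so the example runs offline; apart from www.oreillynet.com, the URLs and Cache-Control values are made up.

```python
"""Added example, not the original text's code: a two-level proxy cache
hierarchy with expiry. The Origin class is a constructed stand-in for the
public Web; its pages and Cache-Control headers are made up."""


def freshness_lifetime(headers):
    """Seconds a response may be served from cache, read from Cache-Control.
    Returns 0 (do not cache) when the header is absent, no-store or no-cache."""
    directives = [d.strip() for d in headers.get("cache-control", "").lower().split(",")]
    if "no-store" in directives or "no-cache" in directives:
        return 0
    for d in directives:
        if d.startswith("max-age="):
            try:
                return max(0, int(d[len("max-age="):]))
            except ValueError:
                return 0
    return 0


class Origin:
    """Constructed stand-in for the public Web; every fetch here is bandwidth
    spent on the Internet link."""

    PAGES = {
        "http://www.oreillynet.com/": ({"cache-control": "max-age=3600"}, "<html>books</html>"),
        "http://news.example/": ({"cache-control": "max-age=5"}, "<html>headlines</html>"),
        "http://bank.example/account": ({"cache-control": "no-store"}, "<html>private</html>"),
    }

    def __init__(self):
        self.requests = 0

    def fetch(self, url, now):
        self.requests += 1
        return self.PAGES[url]


class ProxyCache:
    """One caching proxy level. `upstream` is another ProxyCache or the Origin."""

    def __init__(self, name, upstream):
        self.name, self.upstream = name, upstream
        self.store = {}            # url -> (expires_at, headers, body)
        self.hits = self.misses = 0

    def fetch(self, url, now):
        entry = self.store.get(url)
        if entry is not None and entry[0] > now:     # present and still fresh
            self.hits += 1
            return entry[1], entry[2]
        # Miss, or expired: pass the request to the next level up.
        self.misses += 1
        headers, body = self.upstream.fetch(url, now)
        ttl = freshness_lifetime(headers)
        if ttl > 0:      # a shared cache must not keep no-store (private) pages
            self.store[url] = (now + ttl, headers, body)
        return headers, body


def office_scenario():
    """Ram, then Latha, through a branch proxy that sits behind a central
    proxy; a second branch later asks for the same page. Returns the counters."""
    origin = Origin()
    central = ProxyCache("central", origin)
    branch = ProxyCache("branch", central)
    branch2 = ProxyCache("branch2", central)
    t = 1000.0
    branch.fetch("http://www.oreillynet.com/", t)        # Ram: misses both levels, origin fetch
    branch.fetch("http://www.oreillynet.com/", t + 30)   # Latha: served from the branch cache
    branch.fetch("http://news.example/", t)              # cacheable for only 5 s
    branch.fetch("http://news.example/", t + 10)         # expired at both levels: origin again
    branch.fetch("http://bank.example/account", t)       # no-store: never cached
    branch.fetch("http://bank.example/account", t + 1)   # origin again
    branch2.fetch("http://www.oreillynet.com/", t + 60)  # branch2 miss, central hit
    return {"origin_requests": origin.requests,
            "branch_hits": branch.hits, "branch_misses": branch.misses,
            "central_hits": central.hits, "central_misses": central.misses}


if __name__ == "__main__":
    print(office_scenario())
```

Seven client requests cost five origin fetches here; the two saved are exactly the shared-interest case the text describes, and the no-store page shows why a shared cache honouring those headers is a privacy requirement, not just a performance detail.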
6.3 Proxy Servers and Protocols
Proxy servers work with specific networking protocols. Obviously HTTP will be the most critical one to configure for Web page access, but browsers also utilize these other protocols:
• S-HTTP (also called "Secure" or "Security" in the browser)
• FTP
• SOCKS
S-HTTP (Secure Hypertext Transfer Protocol) supports encrypted HTTP communications. This protocol is becoming more and more common as e-commerce sites, for example, adopt it to make credit card transactions safer. S-HTTP should not be confused with SSL. Although S-HTTP uses SSL "under the covers," SSL is a lower-level protocol that by itself does not affect a browser's proxy setup. FTP (File Transfer Protocol) supports the download of files over the Web. Before HTTP was developed, FTP was an even more popular way to share files across the Internet. FTP treats files as either simple text or binary format, and it is still commonly used to download compressed archives of non-HTML data (MP3 files, for example). SOCKS is a firewall security protocol implemented in some proxy configurations. When manually configuring a browser, clients will need to know these details of the proxy server arrangement. Most of the time, network administrators will configure the proxies to serve all protocols to avoid any confusion.
6.4 Host Identifiers and Ports
To manually specify a proxy server in the browser, two pieces of information are required. First, the host identifier is either the host's network name (as configured in DNS, NIS, or a similar naming service) or the host's IP address. Second, the port number is the TCP/IP port on which the server listens for requests. A single port number is generally used for all of the supported protocols above. This port should not be confused with the standard ports used by the protocols themselves (port 80 for HTTP, port 21 for FTP, and so on). This is a proxy port only, and it should never be assigned to one of the reserved numbers. Unfortunately, a single standard port number does not exist. Some numbers like 8000 and 8080 are used more commonly than others, but the number can be any unassigned value up to 65535. Users manually configuring their browsers will need to be told this port number by their network administrator.
6.5 Proxy Servers and Browsers
To take advantage of a proxy server's capabilities, Web browsers like Internet Explorer (IE) must be configured to explicitly use it. In many proxied environments, the client computers do not have direct Internet access, and browsers generally are not configured to use proxies "out of the box." Clients will be unable to access public Web sites in this scenario until proxy settings have been correctly made.
Figure 6.2: IE5 Tools menu
For example, to configure IE to use a proxy server, first click on Tools to access the dropdown menu. Click on the Internet Options... menu item to raise the Internet Options dialog. This dialog is a property sheet featuring multiple tabs. Clicking on the Connections tab makes available a dialog that includes a button in the bottom-right corner named LAN Settings... . Finally, click this button to raise the Local Area Network (LAN) Settings dialog; here is where proxy information must be entered.
Figure 6.3: IE5 Internet Options, Connections tab
IE6 supports both manual and automatic configuration options. As shown in the figure, the "Use a proxy server" check box must be checked to enable the manual entry of a proxy. Either the network host name or the IP address of the proxy server must be typed in the "Address" field. In addition, any internal domains (such as intranet sites) that do not need to go through a proxy can be entered here in order to bypass the server.
Figure 6.4: IE5 Internet Options, Connections tab
Chapter 7
Email
Contents
• Email introduction
• Types of email
• Accessing email accounts
• Working principle of email
• Email protocols
• Components of email
• Signature
• Address Book
• Mail Boxes
• Smiley
• Acronyms
• Sending/Replying/Forwarding mails
• Configuration of Outlook Express
• Different folders of Outlook Express
• Checking the incoming mails
• Reading the mails
• Deleting the mails
• Composing mails
• Replying and Forwarding mails
• Setting up a web based account
• Checking the incoming mails
Objectives
After completion of this module you will be able to know:
1. what is Email
2. what are the types of email
3. how to access email accounts
4. the working principle of email
5. the different email protocols
6. the components of an email message
7. how to introduce a Signature
8. what is an Address Book
9. the different Mail Boxes
10. how to introduce a Smiley
11. how to introduce Acronyms
12. how to Send/Reply/Forward mails
13. how to configure Outlook Express
14. the different folders of Outlook Express
15. how to check the incoming mails
16. how to Read/Delete/Compose mails
17. how to Reply and Forward mails
18. set up a web based account
19. check the incoming mails
7.1 What is email?
Email is the method of electronically sending messages from one computer to another. You can send or receive personal and business-related messages with attachments, such as pictures or formatted documents. You can even send music and computer programs. Email is one of the most popular services offered by the Internet. It is the replacement for postal mail, which is known as snail mail because it is very slow. Email is cheaper and faster than postal mail, less intrusive than a phone call, and less hassle than a fax. Because of its speed and broadcasting ability, email is fundamentally different from paper-based communication. Using email, differences in location and time zone are less of an obstacle to communication. Through email you can exchange:
• Ideas,
• Agendas,
• Memos,
• Documents and
• Attachments
Just as a letter makes stops at different postal stations along its way, email passes from one computer, known as a mail server, to another as it travels over the Internet. Once it arrives at the destination mail server, it is stored in an electronic mailbox until the recipient retrieves it. Email is a store-and-forward system. Copies can be sent automatically to names on a distribution list, and a delivery receipt can confirm the message when it is opened by the recipient. This whole process can take seconds, allowing you to quickly communicate with people around the world at any time of the day or night. To receive email, you must have an account on a mail server. This is similar to having an address where you receive letters. One advantage over regular mail is that you can retrieve your email from any location. Once you connect to your mail server, you download your messages to your computer.
7.2 Types of Email
There are two basic types of email accounts: paid and free.
• A paid account includes a mailbox and access to the Internet. You pay an Internet Service Provider (ISP) like BSNL or AOL for this service.
• A free account includes only a mailbox. Companies like Yahoo and Hotmail provide free mailboxes; in return, you will see advertising. To use a free mailbox, you have to be able to get on the Internet. This type of mail is called web-mail.
7.3 Accessing the two types of Email Accounts
If you want to send an Email you should have 2 things:
• An Email address.
• An Email programme at the client side.
To access your email account, you must be on the Internet. You can send and receive email messages through an email program like Outlook Express or through a browser like Internet Explorer. If you go through a browser, you are using web-mail. Most email accounts can be accessed either way. • If you access your mail through an email program, the messages are downloaded to your computer and removed from the company’s mail server. • If you access your mail through a browser (web-mail), the messages remain on the company’s mail server until you delete them. Most web-mail accounts have a maximum storage space. When your mailbox is completely filled, you will not be able to receive any additional messages. You must regularly delete some messages and empty the trash in order to free up storage space.
7.3.1 Mailers
The following are Unix mailers:
• Mail
• elm
• pine
These are provided for shell account Internet users. They are character based, and you have to work on-line only; there is no off-line working. Nowadays ISPs no longer provide shell accounts.
Graphical mailers, used by TCP/IP Internet account users:
• Eudora
• Pegasus
• Outlook Express
The standard protocol used for sending Internet email is called SMTP, which stands for Simple Mail Transfer Protocol. It works in conjunction with POP servers. POP stands for Post Office Protocol.
7.3.2 Email address or Email ID
If you want to send mail to someone on a different network you need to write the address in a specific way. The address has 2 parts separated by @:
Username@domain name
[email protected] [email protected]
First there is the user name, which refers to the recipient's mailbox. The user name should not contain a space or any special character except underscore. Then there's an at-sign (@). Next comes the host name (sancharnet.in, yahoo.com), also called the domain name. This refers to the mail server, the computer where the recipient has an electronic mailbox. It's usually the name of a company or organization. The end of the domain name consists of a dot (".") followed by three or more letters (such as .com and .gov) that indicate the top-level domain (TLD). This part of the domain name indicates the type of organization or the country where the host server is located.
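A parser for the address format just described, as an added example that is not part of the original text. It enforces the user-name rule given above (letters, digits and underscore only), requires exactly one @, checks each label of the domain, and reports the TLD. The TLD check accepts two-letter country-code TLDs, since the text's own example sancharnet.in has one; the generic-TLD descriptions and the sample addresses are constructed for the example.

```python
"""Added example, not the original text's code: split and check an email
address of the form username@domain. Sample addresses are constructed."""

import re

# Local part per the rule above: letters, digits and underscore only.
LOCAL_PART = re.compile(r"^[A-Za-z0-9_]+$")
# A DNS label: alphanumerics and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Top-level domain: letters only, two or more (".in" in the text's example).
TLD = re.compile(r"^[A-Za-z]{2,}$")

# Constructed lookup for a few generic TLDs named in the text and common ones.
GENERIC_TLDS = {"com": "commercial", "gov": "government", "edu": "educational",
                "org": "organization", "net": "network"}


def parse_email(address):
    """Return {'user', 'domain', 'tld'} or raise ValueError with the reason."""
    if address.count("@") != 1:
        raise ValueError("exactly one @ expected")
    user, domain = address.split("@")
    if not LOCAL_PART.match(user):
        raise ValueError("user name may contain only letters, digits and _")
    labels = domain.split(".")
    if len(labels) < 2:
        raise ValueError("domain needs at least one dot before the TLD")
    if not all(LABEL.match(label) for label in labels):
        raise ValueError("invalid host name label in domain")
    if not TLD.match(labels[-1]):
        raise ValueError("top-level domain must be letters only")
    return {"user": user, "domain": domain.lower(), "tld": labels[-1].lower()}


def describe_tld(tld):
    """Two-letter TLDs are country codes; otherwise look up the organization type."""
    tld = tld.lower()
    if len(tld) == 2:
        return "country code (" + tld + ")"
    return GENERIC_TLDS.get(tld, "unknown")


if __name__ == "__main__":
    for addr in ["rajan_s@sancharnet.in", "latha@yahoo.com", "bad name@x.example", "a@b"]:
        try:
            parts = parse_email(addr)
            print(addr, "->", parts, describe_tld(parts["tld"]))
        except ValueError as err:
            print(addr, "-> rejected:", err)
```

Many providers also allow a dot inside the user name; that is a one-character change to `LOCAL_PART`, kept out here so the code matches the rule stated in the text.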
7.4 How Email works
When you send an email message, your computer routes it to an SMTP server. SMTP is part of the TCP/IP family, and it standardizes the delivery of mail. Sending and receiving e-mail at the server is done by a program called a transfer agent. The server looks at the email address (similar to the address on an envelope), then forwards it to the recipient's mail server, where it is stored until the addressee retrieves it. You can send email anywhere in the world to anyone who has an email address. Remember, almost all Internet service providers and all major online services offer at least one email address with every account.
Figure: message flow from one end to another (mail client, SMTP server, mail server, POP3, ISP UNIX host, PC with shell account)
The transfer agent ensures that messages are transferred in an orderly fashion according to SMTP. Mail servers run the transfer agent 24 hours a day. There are four types of programs used in the process of sending and receiving mail. They are:
• MUA - Mail user agent. This is the program a user will use to type email. It usually incorporates an editor for support. The user types the mail and it is passed to the sending MTA.
• MTA - Message transfer agent, used to pass mail from the sending machine to the receiving machine. There is an MTA program running on both the sending and receiving machine. The MTAs on both machines use the network SMTP (Simple Mail Transfer Protocol) to pass mail between them, usually on port 25.
• LDA - Local delivery agent on the receiving machine receives the mail from its MTA.
• Mail Notifier - This program notifies the recipient that they have mail.
Multipurpose Internet Mail Extension (MIME)
Emails are usually just text but can contain pictures or other files. These 'attachments' or 'insertions' sometimes need special programs to be read. SMTP cannot transmit executable files or other binary objects. There are a number of ad hoc methods of encapsulating binary items in SMTP mail items, for example:
o Encoding the file as pure hexadecimal
o The UNIX UUencode and UUdecode utilities, which are used to encode binary data in the UUCP mailing system to overcome the same limitations of 7-bit transport
o The Andrew Toolkit representation
None of these can be described as a de facto standard. UUencode is perhaps the most pervasive due to the pioneering role of UNIX systems in the Internet.
• SMTP cannot transmit text data which includes national language characters, since these are represented by code points with a value of 128 (decimal) or higher in all character sets based on ASCII.
• SMTP servers may reject mail messages over a certain size. Any given server may have permanent and/or transient limits on the maximum amount of mail data it can accept from a client at any given time.
• SMTP gateways which translate from ASCII to EBCDIC and vice versa do not use a consistent set of code page mappings, resulting in translation problems.
• Some SMTP implementations or other mail transport agents (MTAs) in the Internet do not adhere completely to the SMTP standards defined in RFC 821. The common problems include:
o Removal of trailing white space characters (TABs and SPACEs)
o Padding of all lines in a message to the same length
o Wrapping of lines longer than 76 characters
o Changing of new line sequences between different conventions (for instance characters may be converted to sequences)
o Conversion of TAB characters to multiple SPACEs
MIME is a standard which includes mechanisms to solve these problems in a manner which is highly compatible. Using MIME you can send attachments in your email. Attachments to emails can contain viruses! Do not open an attachment in an email unless you know what it is and who it is from.
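The MTA exchange of section 7.4 and the MIME encoding just described, together in one added example that is not part of the original text. The sending side composes a message with a binary attachment (every byte value 0 to 255, constructed), confirms that the MIME-encoded message is 7-bit clean, and then plays the HELO / MAIL FROM / RCPT TO / DATA / QUIT dialogue against an in-memory SMTP server that queues the message; the receiving side parses it back and recovers the attachment bytes unchanged. The addresses and host names are constructed; the server is a minimal state machine written for this example, not a real MTA.

```python
"""Added example, not the original text's code: a MIME message with a binary
attachment delivered through a minimal in-memory SMTP dialogue. Addresses,
host names and the attachment bytes are constructed."""

from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ATTACHMENT = bytes(range(256))   # constructed binary payload: every byte value 0..255


def build_message(sender, recipient):
    """MUA step: compose a text body plus a binary attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Report"
    msg.set_content("Report attached.\n")
    # add_attachment base64-encodes binary data (76-character lines) and sets
    # Content-Transfer-Encoding: this is how MIME carries 8-bit data over SMTP.
    msg.add_attachment(ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg


def is_seven_bit_clean(data):
    """True when no byte has code point 128 or above."""
    return all(b < 128 for b in data)


class MiniSMTPServer:
    """Receiving MTA: one command or data line per feed(); returns the reply."""

    def __init__(self):
        self.sender, self.recipients, self.data_lines = None, [], None
        self.mailbox = []   # (envelope sender, envelope recipients, raw bytes)

    def feed(self, line):
        if self.data_lines is not None:              # inside DATA
            if line == b".":
                raw = b"\r\n".join(self.data_lines) + b"\r\n"
                self.mailbox.append((self.sender, self.recipients, raw))
                self.sender, self.recipients, self.data_lines = None, [], None
                return b"250 OK: queued"
            # undo dot-stuffing: a line received as ".." was sent as "." (RFC 821)
            self.data_lines.append(line[1:] if line.startswith(b"..") else line)
            return None
        cmd, _, arg = line.partition(b" ")
        cmd = cmd.upper()
        if cmd in (b"HELO", b"EHLO"):
            return b"250 mx.example Hello " + arg
        if cmd == b"MAIL":
            self.sender = arg.split(b":", 1)[1].strip(b"<> ")
            return b"250 OK"
        if cmd == b"RCPT":
            if self.sender is None:
                return b"503 need MAIL first"
            self.recipients.append(arg.split(b":", 1)[1].strip(b"<> "))
            return b"250 OK"
        if cmd == b"DATA":
            if not self.recipients:
                return b"503 need RCPT first"
            self.data_lines = []
            return b"354 End data with <CR><LF>.<CR><LF>"
        if cmd == b"QUIT":
            return b"221 Bye"
        return b"500 unrecognised command"


def send(server, msg, sender, recipient):
    """Sending MTA side of the exchange; returns the server's replies in order."""
    raw = msg.as_bytes(policy=policy.SMTP)       # CRLF line endings
    if not is_seven_bit_clean(raw):
        raise ValueError("message is not 7-bit clean")
    replies = []
    for cmd in (b"HELO client.example", b"MAIL FROM:<" + sender.encode() + b">",
                b"RCPT TO:<" + recipient.encode() + b">", b"DATA"):
        replies.append(server.feed(cmd))
    for line in raw.split(b"\r\n"):
        # dot-stuff: a body line starting with "." must not look like end-of-data
        server.feed(b"." + line if line.startswith(b".") else line)
    replies.append(server.feed(b"."))
    replies.append(server.feed(b"QUIT"))
    return replies


def delivered_attachments(server):
    """LDA/MUA step: parse each queued message and decode its attachments."""
    found = []
    for _sender, _rcpts, raw in server.mailbox:
        parsed = BytesParser(policy=policy.default).parsebytes(raw)
        for part in parsed.iter_attachments():
            found.append((part.get_filename(), part.get_content()))
    return found


def demo():
    server = MiniSMTPServer()
    msg = build_message("ram@office.example", "latha@office.example")
    replies = send(server, msg, "ram@office.example", "latha@office.example")
    return replies, delivered_attachments(server), server


if __name__ == "__main__":
    replies, attachments, _ = demo()
    print(replies)
    print([(name, len(data)) for name, data in attachments])
```

Note that the server records the envelope sender and recipients from MAIL FROM and RCPT TO separately from the From: and To: header lines inside the data; the two need not agree, which is why the header alone is not proof of who sent a message.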
7.5 Protocol for Incoming Mail
The POP3 mail protocol is the most commonly used protocol for retrieving mail from the server to the client machine over PPP. IMAP can also be used for retrieving mail from the server to the client machine, but most Internet Service Providers support only POP3 and not IMAP.
7.6 Components of Email
Email messages are similar to letters, with two main parts:
• Header
• Body
The header consists of a number of special lines:
Date/Time: automatically inserted (station time and GMT)
From: automatically inserted
To: the address of the receiver
CC: carbon copy; a copy is sent to this person (not the primary recipient)
BCC: blind carbon copy / secret copy; the primary and CC recipients will not see the names of the people who receive the blind copy of the mail
Subject: brief description of the message
The header contains the name and address of the recipient, the name and address of anyone who is being copied, the subject of the message, your name and address, and the date of the message. The body contains the message itself. Just as when sending a letter, you need the correct address. If you use the wrong address or mistype it, your message will bounce back to you -- the old Return to Sender, Address Unknown routine. When you receive an email, the header tells you where it came from, how it was sent, and when. It's like an electronic postmark. Unlike a letter, which is sealed in an envelope, email is not as private. It's more like a post card. Messages can be intercepted and read by people who really shouldn't be looking at them. Avoid including any confidential information unless you have a way to encrypt it.
7.7 Adding Signature to the Outgoing email If you want to add your name and address at the end of each message that you send, you can make use of the signature option provided. A signature is a few lines of text usually including your name or postal address. You can store the information that you want to attach at the end of the messages as your signature. Then you can program your system in such a way that all out going messages will have your signature at the end of the message. Only one signature will be added to one message at a time.
7.8 Address Book Email programs also have address books, where you can keep a list of email addresses. An address book is a place you can store the information about the people to whom you want to send mail. Each time you send mail, you can just select the persons name and the Email id will be automatically inserted.
7.9 Sending Mail to More than one person
If you want to send mail to more than one person, you can add more than one mail id in the To: address. To separate one mail id from another, some email programs support a semicolon and some support a comma.
7.10 Replying Email
When you are reading a mail and want to send a reply, you can click the Reply button in your email program. It automatically includes the original message preceded by a ">". The To: address will be added automatically. The text "RE" will be added to the subject to indicate that it is a reply to the original subject.
7.11 Forwarding mail
If you receive a mail from somebody and you would like to send a copy of it to someone else, you can forward the mail. In the subject the text "FW" will be added to indicate that it is a forwarded message.
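Sections 7.6 and 7.9 to 7.11 in one added example that is not part of the original text: it assembles the header lines listed in 7.6, accepts either the semicolon or the comma as the separator between recipients, keeps BCC recipients out of the header that is transmitted (they travel only in the envelope recipient list), and builds the "RE" reply with the original quoted by ">" and the "FW" forward. Addresses and message text are constructed.

```python
"""Added example, not the original text's code: compose, reply and forward
with the header fields described above. Addresses and text are constructed."""

import re
from email.message import EmailMessage
from email.utils import formatdate


def split_recipients(field):
    """Some programs separate addresses with ';', others with ','; accept both."""
    return [p.strip() for p in re.split(r"[;,]", field or "") if p.strip()]


def prefix_subject(subject, tag):
    """Add 'RE:' or 'FW:' once, without stacking RE: RE: RE:."""
    subject = (subject or "").strip()
    if subject.upper().startswith(tag.upper() + ":"):
        return subject
    return tag + ": " + subject


def compose(sender, to, cc="", bcc="", subject="", body=""):
    """Return (envelope_recipients, message).

    The envelope (the RCPT TO list handed to the SMTP server) carries every
    recipient. The header that recipients see never carries Bcc, so the To:
    and Cc: readers cannot learn who received the blind copy."""
    msg = EmailMessage()
    msg["Date"] = formatdate(localtime=True)        # automatically inserted
    msg["From"] = sender
    msg["To"] = ", ".join(split_recipients(to))
    cc_list = split_recipients(cc)
    if cc_list:
        msg["Cc"] = ", ".join(cc_list)
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = split_recipients(to) + cc_list + split_recipients(bcc)
    return envelope, msg


def reply(original, me, body):
    """Quote the original with '> ', prefix RE:, address the original sender."""
    quoted = "".join("> " + line + "\n" for line in original.get_content().splitlines())
    msg = EmailMessage()
    msg["Date"] = formatdate(localtime=True)
    msg["From"] = me
    msg["To"] = original["From"]
    msg["Subject"] = prefix_subject(original["Subject"], "RE")
    msg.set_content(body + "\n\n" + quoted)
    return msg


def forward(original, me, to, note=""):
    """Send a copy of a received mail to someone else, subject prefixed FW:."""
    msg = EmailMessage()
    msg["Date"] = formatdate(localtime=True)
    msg["From"] = me
    msg["To"] = ", ".join(split_recipients(to))
    msg["Subject"] = prefix_subject(original["Subject"], "FW")
    msg.set_content(note + "\n\n---- Forwarded message ----\n" + original.get_content())
    return msg


if __name__ == "__main__":
    envelope, mail = compose("ram@office.example",
                             "latha@office.example; kumar@office.example",
                             cc="boss@office.example", bcc="audit@office.example",
                             subject="Budget", body="Figures attached.")
    print("envelope recipients:", envelope)
    print(mail.as_string())      # note: no Bcc line in the transmitted header
    print(reply(mail, "latha@office.example", "Thanks.").as_string())
```

The point to take from `compose` is the split between envelope and header: a mail program that copied the Bcc list into the header would defeat the "secret copy" the text describes.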
7.12 Mail Boxes
Most email programs will have the following mail boxes:
Inbox: lists all the incoming messages.
Outbox: all outgoing messages composed and yet to be sent out from your PC to the SMTP server.
Sent box: all the messages dispatched from your PC to the SMTP server.
Deleted box: when you delete a message it goes to the Deleted box. You can retrieve messages from the Deleted box at any time. If you delete messages from the Deleted box you cannot retrieve them later.
7.13 Smiley When we are talking to people face to face our body language, the tone of our voice, gesture and facial expression will play important role. But through email you can personalise your messages by using emotion icons called smileys. You can see some of the Smiley Meaning :-) :-( :-| :-D :-/ :-Q 8-) :>:-e
Smile Frown Expressionless Surprise laughing Perplexed Smoker Eye glass Male Female Disappointment
7.14 Acronym
You can use some abbreviations or acronyms in your email. The common acronyms are:
AE: In Any Event
BTW: By the way
FM: Fine Magic
FC: Fingers Crossed
FWIW: For what it's worth
FYI: For Your Information
FUA: Frequently Used Acronyms
IAE: In any event
IMO: In my opinion
IMHO: In my humble opinion
IMCO: In my considered opinion
IOW: In other words
NRN: No Reply Necessary
OTOH: On the other hand
PITA: Pain in the butt
ROFL: Rolling on floor, laughing
RSN: Real Soon Now [which may be a long time coming]
RTFM: Read the Fine manual
SNAFU: Situation Normal: All [bleeped] Up
SITD: Still in the dark
TANSTAAFL: There Ain't No Such Thing As A Free Lunch
TIA: Thanks In Advance
TIC: Tongue in cheek
TLA: Three Letter Acronym (such as this)
YMMV: Your Mileage May Vary
7.15 Draw Back in Email Email also does not convey emotions nearly as well as face-to-face or even telephone conversations. It lacks vocal inflection, gestures, and a shared environment. Your correspondent may have difficulty telling if you are serious or kidding, happy or sad, frustrated or euphoric. Sarcasm is particularly dangerous to use in email.
7.16 Getting a free Email Account and understanding the Login Process The procedure to get a free email account is furnished below: 1. Learn the proper formatting of an email address before you register: Examples:
[email protected],
[email protected],
[email protected].
2. Select a login name that you can remember. It is NOT case sensitive, but why go to the trouble of holding down the shift key when it isn’t necessary? You will have several different login names and passwords to keep up with. When you are assigned an email address, your login name will follow this pattern: first initial, last name. For example, if your name is Rajan Sundar, your login name would be rsundar. When you sign up for a free email account, it could be helpful to use this same pattern. Unfortunately, some of you will find that someone else has already been assigned the same login name. Simply add a number to the end, like rsundar26. 3. Select a password that you can remember. Usually, it should be about six characters and contain at least one number. No spaces. Passwords are case sensitive, so if you type in “Jupiter44,” you will always need to type the capital J. It will be helpful if you follow this guide for login names and passwords: No caps, no spaces. 4. Get a free email account from Yahoo or Hotmail. Do not use someone else’s email address. Free email accounts are readily available.
Configuring a POP3 client
In order to access the email server for sending and receiving mail, you have to configure the email client software. There are many mail client programs. Outlook Express is the most commonly used POP3 client software. It comes along with Internet Explorer: if you install Internet Explorer, Outlook Express will be automatically installed on your computer. We will see how to configure Outlook Express in order to send and receive mail.
7.17 Configuring Outlook Express
1. To launch Outlook Express, click Start → Programs → Outlook Express. The Outlook Express application will open as shown in figure 7-1.
Fig 7-1
2. Now from the Tools menu select Accounts. The Internet Accounts dialog box will open as shown in fig 7-2.
Fig 7-2
3. Click the Add button; you will get a cascade menu as shown in fig 7-3.
Fig 7-3
4. Select Mail… from the cascade menu. The Internet Connection Wizard will start as shown in fig 7-4.
Fig 7-4
5. Type the name that should appear in the header when you send a mail. Click the Next button.
6. In the next step type your valid email address as shown in fig 7-5. After entering your email address click the Next button.
Fig 7-5
7. In this step you tell Outlook Express which mail servers it has to contact. Specify the incoming mail server (POP3, IMAP or HTTP) and the outgoing mail server IP address or domain name here. These are provided by your Internet Service Provider when you get your Internet account. You can specify the incoming and outgoing mail servers as shown in fig 7-6.
Fig 7-6
8. After entering the POP3 server and SMTP server, click the Next button. In this step give your mail account user name and password as shown in fig 7-7.
Fig 7-7
In this step do not tick the Remember password check box if your computer is shared with somebody, so that others cannot check and read your mails. Click the Next button.
9. Finally click the Finish button to complete the configuration.
10. In the Internet Accounts dialog box click the Mail tab and check that the account you have just created appears as shown in fig 7-8. If more than one account is created, all the accounts will be displayed. Select an account and click the Set as Default button. That account will now become your default email account.
Fig 7-8
11. Close the dialog box by clicking the Close button.
7.18 Checking the Mail
1. Connect your computer to the Internet.
2. Open Outlook Express if it is not already open.
3. Click Tools → Send and Receive → (your account name) as shown in fig 7-9.
Fig 7-9
4. A logon dialog box will appear as shown in fig 7-10. Type your user id and password and click the OK button.
Fig 7-10
5. Outlook Express will contact your POP3 server and download the emails to the Inbox as shown in fig 7-11.
Fig 7-11
7.19 Folders in Outlook Express
Outlook Express has 5 local folders called Inbox, Outbox, Sent Items, Deleted Items, and Drafts.
Inbox: all the incoming mail is listed here.
Outbox: outgoing mails from this PC that are yet to be delivered to the SMTP server.
Sent Items: all the outgoing mails sent out (delivered to the SMTP server).
Deleted Items: list of deleted messages; when you delete a message it is moved to this folder.
Drafts: the saved drafts of your messages (to save a draft of your message to work on later, on the File menu, click Save).
7.20 Reading the Mail
Click the Inbox; it will show the list of mails received. The list shows who each mail was received from, its subject, and the date and time of receipt. The icon in front of each mail indicates whether the mail has already been read or not (the envelope icon is shown open or closed). In the left pane, next to the Inbox icon, a number in brackets in blue colour indicates how many new (unread) mails are in your Inbox. Click on a mail and Outlook Express will open it in the bottom pane of the Inbox window. If you want to open the mail in a separate window, double click on the mail. It will open in a separate window as shown in fig 7-12. In this fig an undelivered message is opened. When a message cannot be delivered, an undelivered-message notice will be sent to you from the postmaster stating the error conditions.
Fig 7-12
7.21 Deleting the Mail
If you don't want to keep unwanted mail in your Inbox, you can delete it. A deleted mail goes to the Deleted Items folder. To delete a mail, select it and press the Delete key, click the Delete button in the tool bar, or select the Delete command from the Edit menu. After selecting the mail, you can also delete it by pressing Ctrl + D. You can delete a group of mails at a time: click on the first mail, hold the Shift key and click on the last mail. All the mails (the first, the last and those in between) will be selected. Now you can press the Delete key to delete them. To select mails at random use the Control key instead of the Shift key.
7.22 Un-deleting a mail from the Deleted Items folder
Sometimes you might have deleted some mails that you may require at a later stage. In that case you can see the deleted mails in the Deleted Items folder. From there you can open and read a mail by double clicking on it. If you want to move the mail back to your Inbox, right click on the mail. You will get a shortcut menu as shown in fig 7-13.
Fig 7-13
From the short cut menu select Move to Folder. You will get Move dialog box as shown in fig 7-14
Fig 7-14 In the move dialog box select Inbox and click Ok button. The mail will be moved to your Inbox. You can move a group of mails also.
7.23 Composing a new mail
For composing a new mail click the Create New button from the tool bar or from the File menu select New → Mail Message. The New Message window will appear as shown in fig 7-15.
Fig 7-15
The "From:" address will be inserted automatically. If more than one account is configured on your PC, the default account address will be inserted. If you want to use another address, you can select it from the "From:" drop down list box. In the To: address text box, type the email id of the person to whom you are going to send the mail. You can type multiple addresses here if you want to send to more than one person; in that case use a semicolon ";" to separate each mail id. In the Cc: text box type the email id of the person to whom you want to send a copy of this mail. Here also you can type multiple mail ids separated by semicolons in case you want to send the copy to more than one person. Sometimes you may want to include Bcc, to send blind copies of the mail to many persons. To include the Bcc box, click the View menu, and then select All Headers. Type the relevant information in the Subject: text box. This will help the recipient understand the topic of the mail, so that he can decide whether to read it immediately or at leisure. The bottom portion of the window is for the body of your message. You can type the message here. You can use the formatting tool bar to format the message you have typed.
After finish typing your message, click the Send button at the left top corner of the window to send the mail. The mail will go to the Outbox if your computer is not connected to Internet. If your computer is already connected to the Internet, Outlook Express will contact the SMTP Server and send the mail. Once the mail is delivered to SMTP server, then the copy of the mail will be moved to Sent Items folder.
7.24 Replying and Forwarding mail
If you want to reply to the person who sent a mail, select the mail from the Inbox list and click the Reply button in the tool bar. If you want to reply to all the persons mentioned in the To: and CC: columns, click the Reply All button. If you want to forward the mail, click the Forward button.
Web-based Mail
Some web sites offer free email. Such mails are called Web-based mails. With Web-based e-mail, to send and receive messages you have to access the website. For example, the following web sites offer free email services: http://mail.yahoo.com http://www.mail.com http://www.hotmail.com http://www.rediff.com First visit the web site where you have the email account. Then log on to the site by entering your account name and password. Now you can read your messages, view attachments, send replies and forward messages. Most services offer online address books to store your e-mail addresses and contact information. You can also set up folders to manage your messages.
7.25 Setting up an Account
Establishing a new e-mail account takes only a few minutes and could not be easier. First visit the web site at which you want to create the email account. Then click the Sign Up button on that site. You'll have to provide information about yourself and choose an account name and password. Your account name or ID becomes part of your e-mail address.
7.26 Checking the Mail
To log in to your web mail account, open a web browser, such as Internet Explorer, and type the URL of the web site into the address bar. For example, if you have an email account on the Yahoo web site, type the address http://mail.yahoo.com. Type your user name (or ID) in the text field beside UserID: and your password in the text field beside Password:.
Note: Your user name is not necessarily the same as your e-mail address. If you do not know your user name, please contact your system administrator.
Now you are in your inbox. If not, click the Inbox link. The messages you have received, which are held in the Inbox, will be listed. See the above figure. Now click the link of any one of the mails you have received. The content of that message will be displayed. See the figure below:
To use web-based mail, you need neither an Internet account nor a personal computer of your own. You can go to an Internet browsing centre, visit the web site where you have the email account and then log in to your account. Since it is a free account, you will receive unwanted junk mails, called spam. Some web sites provide a spam guard to protect you from receiving unwanted spam mails.
Chapter 8
DNS
Contents
• Need of DNS
• Origin of DNS
• Understanding DNS
• Hierarchy of DNS
• Components of DNS
• Working of DNS
Objectives
After completion of this module you will be able to know:
• The need of DNS
• Origin of DNS
• Working method of DNS
• Hierarchy of DNS
• Components of DNS
DNS
While DNS is one of the least necessary technologies that make up the Internet as we know it, it is also true that the Internet would never have become as popular as it is today if DNS did not exist. Though this may sound like a bit of a contradiction, it is true nonetheless. DNS stands for two things: Domain Name Service (or Domain Name System) and Domain Name Servers. One acronym defines the protocol; the other defines the machines that provide the service. The job that DNS performs is very simple: it takes the IP addresses that computers connected to the Internet use to communicate with each other and maps them to hostnames. Sounds pretty simple, doesn't it? Well, it is. But just because it's simple doesn't make it any less important. Human beings tend to have a difficult time remembering long strings of seemingly arbitrary numbers. The way that our brains work, it's difficult to make information like that stick. And that is where DNS comes in. It allows us to substitute words or phrases for those strings of numbers. Words are a lot easier for people to remember than numbers, especially when they can be tied to a specific idea that is linked to the website. But how does DNS work? What makes it operate? How did it start?
8.1 Web site address
Before we get into DNS, let's start off by breaking down a web address. It essentially gives where the web page is and how you need to talk to it. Let's use the example of: http://www.bsnl.co.in/pages/cellone.htm
The first part, "http://", tells your PC what protocol (what language, so to speak) to use when talking with this site. In this case, you are using HTTP (HyperText Transfer Protocol). Another very common one for web designers to use is "ftp://", or File Transfer Protocol. You would use it to connect to your web server to put the web pages you created onto the server. You also see "https://" quite commonly. This simply means that the connection between you and the web server is secure (meaning the information being sent back and forth is encrypted). You should see "https://" when you are checking out, especially when you are entering credit card information. The next part, "www.bsnl.co.in", is called the Domain Name. The "www" used to be more significant than it is today. Today, the "www" is, for the most part, assumed, and you can get to the same page regardless of whether or not you type "www" in your browser. The part "/pages/cellone.htm" tells the web server to look in the directory called "pages" and send the file called "cellone.htm" to your browser. It is just like the directories on your PC. The "in" of the Domain Name "www.bsnl.co.in" is called the Top Level Domain (TLD). It is the rightmost portion of the domain name. For example, the TLD of www.yahoo.com is com.
8.2 IP address
Before we get into DNS, we need to explain what an IP address is. Every PC and server on the Internet has an IP address. It has the format of four numbers separated by periods and looks like "61.1.137.84". Each number should be between 0 and 255. Think of it as your phone number on the Internet: it must be unique. It would be bad to have two different houses with the same phone number, and it would be bad to have two different machines (more properly known as hosts) with the same IP address on the Internet.
8.3 Why is DNS needed?
For most people, it is much easier to remember "www.bsnl.co.in" than to remember "61.1.137.84". When you enter a URL into your browser, you usually use the easy-to-remember name. How does your PC know where to find "www.bsnl.co.in"? Remember that each machine has an IP address? There has to be a way to translate between the easy-to-remember domain name and the hard-to-remember IP address. Enter DNS. DNS is an acronym for "Domain Name Service". Its whole purpose in life is to translate between the friendly "www.bsnl.co.in" and the not-so-friendly 61.1.137.84. It handles this translation for web sites, email, FTP servers, database servers, or any machine within a domain name. Let's dig into the process of how that works.
DNS means Domain Name Service. It is actually a service that can keep a large number of machines' IP addresses for communication in a huge network. Now the question arises: why is this needed? Let's understand this with the help of an illustration.
Example: Let's say rose1, rose2, rose3, rose4 and rose5 are the five machines in a network. Then, for communication between the machines, each machine's /etc/hosts file in Unix (or hosts.txt file in Windows) should have entries for all five machine names. Within this small network there would be no problem if you add another machine, say rose6, to the network. But even for this, the network administrator has to go to each machine, add rose6 to the /etc/hosts file, and then come back to the newcomer rose6 and add all the other entries (rose1...rose5), including its own name, to its /etc/hosts (or hosts.txt) file. But what if the network is set up with, say, 60 machines and a 61st machine has to be added? Then the administrator will have to go to each machine again and write the new machine's name in the /etc/hosts (or hosts.txt) file, and again come back and write all 60 machine names in the 61st machine's /etc/hosts file, which is a tedious and time-consuming job.
Thus, it is better to keep a centralized server where all the IP addresses are held; if a new machine enters the network, the change has to be made only at the server and not on the client machines.
8.4 The Origin of DNS Like almost everything else originally associated with the Internet, DNS traces its origins to ARPANET. Alphabetic hostnames were introduced shortly after its inception as a means of allowing users greater functionality, since the numeric addresses proved difficult to remember. Originally, every site connected to ARPANET maintained a file called ‘HOSTS.TXT' which contained the mapping information for all of the numeric addresses used there. That information was shared through ARPANET. Unfortunately, there were many problems that arose from that setup. Errors were commonplace and it was inefficient to make changes considering they needed to be made on each and every copy of the HOSTS.TXT file. By November of 1983, a plan was laid out in RFCs 881, 882, and 883, also known as ‘The Domain Names Plan and Schedule,' ‘Domain Names -- Concepts And Facilities,' and ‘Domain Names -- Implementation And Specification.' These three RFCs defined what has developed into DNS as we know it today. Surprisingly, not a whole lot has changed since that time.
8.5 Understanding DNS
DNS organizes groups of computers into domains. These domains are organized into a hierarchical structure, which can be defined on an Internet-wide basis for public networks or on an enterprise-wide basis for private networks (also known as intranets and extranets). The various levels within the hierarchy identify individual computers, organizational domains, and top-level domains. For the fully qualified host name omega.microsoft.com, omega represents the host name of an individual computer, microsoft is the organizational domain, and com is the top-level domain. Top-level domains are at the root of the DNS hierarchy and are therefore also called root domains. These domains are organized geographically, by organization type, and by function. Normal domains, such as microsoft.com, are also referred to as parent domains. They're called parent domains because they're the parents of an organizational structure. Parent domains can be divided into sub-domains, which can be used for groups or departments within an organization. There are three types of TLDs. They are:
1. Generic or organization-based TLDs (e.g. com, edu, gov, mil, net, org, int, aero, museum, etc.)
2. Geographical or country-based TLDs (e.g. in, us, au, etc.). These TLDs have two letters.
3. Inverse (e.g. arpa). This TLD is used to find a domain name from an IP address.
Sub-domains are often referred to as child domains. For example, the fully qualified domain name (FQDN) for a computer within a human resources group could be designated as jacob.hr.microsoft.com. Here, jacob is the host name, hr is the child domain, and microsoft.com is the parent domain. Domain Name System (DNS) is an Internet service that translates domain names into IP addresses. DNS provides a database that stores a list of host names and their corresponding IP addresses. This process is called name resolution or mapping. Name resolution occurs when a program on a local computer requests resources from a remote host. The local computer sends the host name of the server as part of the request. Using the host name as an index, the DNS database is searched to resolve the IP address of the host.
8.6 Domain Name Space Hierarchy
DNS is organized in a hierarchical tree structure. Each branch in the tree represents a domain and each sub-branch in the tree represents a sub-domain. DNS consists of multiple levels of domains. The domains are identified based on the level at which they are placed in the hierarchical tree structure. The various levels of domains in a domain name space hierarchy are:
• Domain root: This is the node at the highest point of the hierarchical DNS tree. In a DNS domain name, a trailing period (.) represents the domain root. It is also shown as two empty quotation marks representing a null value.
• Top-level domain: This is the next level in the hierarchical tree structure. It represents the region or the type of organization to which a domain belongs. A top-level domain name contains two or three letters, such as com, edu, and mil.
• Second-level domain: This is a domain name registered under a specific top-level domain, such as organizations based on type and geographical locations. Second-level domain names have variable length. For example, example.com is a second-level domain name.
• Subdomain: This is a domain created under a second-level domain. Organizations create additional domains to represent the organizational hierarchy and various functional groups. A subdomain name also has variable length.
• Host or resource: A host or resource computer is the last level in the DNS hierarchy. It helps find the IP address of the computer based on its host name.
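To make the address breakdown of 8.1 and the levels of 8.6 concrete, here is an added Python example (not part of the original text) that splits a web address into protocol, domain name and path, and then splits the domain name into root, top-level domain, second-level domain, subdomains and host label, following the text's reading of "in" as the TLD of www.bsnl.co.in. The checks on label length and characters are an added assumption, not something the text specifies.

```python
from urllib.parse import urlsplit

# Protocols discussed in the text, and whether the connection is encrypted.
PROTOCOLS = {"http": False, "https": True, "ftp": False}


def split_url(url):
    """Break a web address into its protocol, domain name and path.

    For http://www.bsnl.co.in/pages/cellone.htm this yields protocol
    'http', domain 'www.bsnl.co.in' and path '/pages/cellone.htm'."""
    parts = urlsplit(url)
    protocol = parts.scheme.lower()
    if protocol not in PROTOCOLS:
        raise ValueError(f"unsupported protocol: {protocol!r}")
    if not parts.hostname:
        raise ValueError("address contains no domain name")
    return {
        "protocol": protocol,
        "encrypted": PROTOCOLS[protocol],  # only https encrypts the traffic
        "domain": parts.hostname,          # already lower-cased by urlsplit
        "path": parts.path or "/",         # empty path means the default page
    }


def decompose_fqdn(name):
    """Split a domain name into the levels of the DNS tree.

    Levels are named from the root outward: root (the empty label written as
    a trailing dot), top-level domain, second-level domain, any further
    subdomains, and the host label at the far left of the name."""
    name = name.strip().lower()
    if name in ("", "."):
        raise ValueError("empty domain name")
    fully_qualified = name.endswith(".")  # trailing dot: root label present
    labels = name.rstrip(".").split(".")
    for label in labels:                  # assumed sanity checks on labels
        if not label or len(label) > 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        if not all(c.isalnum() or c == "-" for c in label):
            raise ValueError(f"bad character in label {label!r}")
    by_level = labels[::-1]               # label nearest the root first
    return {
        "root": "",
        "tld": by_level[0],
        "second_level": by_level[1] if len(by_level) > 1 else None,
        "subdomains": by_level[2:-1],     # between second level and host
        "host": labels[0] if len(labels) > 2 else None,
        "fully_qualified": fully_qualified,
    }
```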
8.7 Components of DNS The building blocks of DNS are the domain namespace, resource records, DNS server, and DNS clients. Figure 8-1 lists the various components of the DNS:
Figure 8-1: Various Components of the DNS
8.7.1 Domain Namespace
A DNS domain is a logical group of computers that either request DNS service or respond to a service request. However, this logical group might also represent the physical network. A DNS domain can represent all the computers internetworked in a small business network. At the same time, a DNS domain can also comprise a physical network that is spread across geographical locations. This logical grouping of computer networks is further divided into smaller administrative units, called administrative domains. An administrative domain is a group of computers in a single administrative unit. Each administrative domain has two or more name servers for name resolution. All administrative domains registered with the Internet form a hierarchical structure, called the DNS domain namespace. The domain namespace follows a hierarchical tree structure. Each node and leaf on the tree represents either a set of resources or a DNS host. Based on its position in the namespace hierarchy, each node is assigned a label. The root at the top of the hierarchy is assigned the null label and is called the root domain. The nodes below the root are called top-level domains. The nodes below a top-level domain are called second-level domains. An example of a second-level domain is example.com, where 'com' is the top-level domain. A domain created under an existing domain node is called a subdomain. For example, resource.example.com is a subdomain of example.com. The name of a subdomain is followed by the name of the domain that contains it. In a namespace, domain names are read from left to right. The labels in a domain name are separated by dots ("."). A complete domain name also includes the root label and therefore ends with a dot. Figure 8-2 shows the domain namespace hierarchy:
Figure 8-2: Domain Namespace Hierarchy
When an organization registers a second-level domain, a top-level domain label is assigned based on the type of organization. Table 8-1 lists the commonly used top-level domains:
Table 8-1: Commonly Used Top-Level Domains
Top-Level Domain | Description
arpa | Used by resources that belong to the Advanced Research Projects Agency (ARPA).
com | Used by businesses that use the Internet for commercial purposes.
edu | Used by schools, colleges, and universities.
gov | Used by all types of government organizations.
int | Reserved for international usage.
mil | Used by all types of military organizations, such as the Department of Defense (DoD).
net | Used by Internet and telephone service providers.
org | Used by charitable institutions.
biz | Used by businesses.
name | Used for registration by individuals.
info | Offers unrestricted use.
Note: Apart from these top-level domains, country region codes, such as uk, are used in conjunction with the listed top-level domain names.
8.7.2 Resource Records Resource Records (RRs) store and map domain names to the type of resources stored within a domain. Each node in the hierarchical tree is associated with a set of resource information.
Resource records contain information such as the type, class, TTL, and RDATA. The owner name is not stored separately because it is implicit in the resource record. The variable part of a resource record maintained in a domain is the RDATA; this is what differentiates one resource record from another. Note: Short TTLs should be used to reduce caching in the resolver. To prohibit caching, a value of zero can be assigned to the TTL.
8.7.3 DNS Server
DNS servers, also called name servers, are responsible for name resolution in a domain. Each domain normally has two or more DNS name servers. The domain-specific information, such as the list of IP addresses along with their host names, is stored in a distributed database called the domain database. This information is distributed across the name servers available in the domain. Name servers use this information to process queries received from a DNS client. Each DNS server is responsible for a specific part of the domain database; the DNS server is authoritative for that part of the database. As output, a name server either sends back the IP address of the desired host or sends a referral to a server that is closer to the answer. However, the entire domain database is replicated among the name servers so that name resolution can continue in case of a communication link failure or inaccessibility of DNS hosts. The various types of name servers are:
• Primary server: Stores the master copy of the domain-specific information. Changes in the domain-specific information are made on the primary name server. As per the DNS design specification, each administrative domain should have two authoritative name servers. One of the authoritative name servers is designated as the primary server. It stores the DNS database for its zone of authority and is responsible for answering queries from clients. It is the authority for its zone; hence it is called an Authoritative Server.
• Secondary server: Stores a copy of the master data file held by the primary name server. Each domain has one or more secondary name servers. A secondary name server is also authoritative for a domain. Secondary name servers are delegated authority by the primary name server to perform name resolution. The secondary name servers are updated immediately in case of a change in the master data file. A secondary server stores a copy of the primary server's database, which it periodically collects from the primary server. It is also an authority for the zone; hence it too is called an Authoritative Server. If the primary server fails, the secondary server answers the queries. Normally it is updated automatically once every 3 hours.
• Cache-only server: Stores the information received from the name servers in memory until it expires. This cached information is used to resolve queries. A caching server that is not authoritative for any domain is called a cache-only server. However, all name servers are caching servers. A cache server is used to avoid response delay for a query. It is a non-authoritative server. The TTL (Time To Live) parameter relates to this server; for example, the TTL duration can be a maximum of 2 days.
8.7.4 DNS Client
DNS clients are local computers that are configured to receive DNS services from a DNS server. DNS clients are configured with a resolver that queries DNS servers. The resolver in a DNS client works as an interface between the applications installed on the DNS client and the DNS server. The resolver receives requests from applications such as email programs and sends a query to the DNS server. After the DNS server resolves the query using the resource records, the desired information is returned to the DNS client in a data format that is compatible with the local computer. To resolve a query, a DNS client either consults several DNS servers or retrieves the information from its local cache. The DNS client and the end-user program reside on a single computer. The interface between a DNS client and an end-user program depends on the local DNS server. The functions of a DNS client are:
• Name to address translation: The DNS client translates user-friendly domain names to IP addresses.
• Address to name translation: The DNS client also translates IP addresses to user-friendly computer names.
• General lookup function: DNS clients help end-user programs retrieve arbitrary information from a DNS server. Instead of querying a DNS server for IP addresses or user-friendly names, a DNS client can also request information matching a specified type or class of resource record.
8.8 Name Space Hierarchy on the Internet
The DNS name space hierarchy for the Internet contains two more levels of domains than a local domain name space hierarchy. These two extra levels form the topmost layers of the Internet name space hierarchy; the topmost of them is called the root domain. In the name space, the root domain is represented by a dot (.). The root domain contains two types of subdomains, organizational and geographical. These subdomains are called top-level domains. The organizational top-level domains are com, net, org, mil, gov, edu, and int. The geographic top-level domains indicate the location of domains and are assigned a two- or three-letter code. For example, subdomains in Britain contain uk as part of their domain name. Figure 8-2 shows the name space hierarchies of domains on the Internet:
Figure 8-2: Name Space Hierarchies on the Internet
The governing bodies of the Internet maintain the Internet root domain and the top-level organizational and geographic domains. An organization needs to apply for membership to join the Internet under the organizational or the geographical hierarchy.
8.9 How DNS Works
In a nutshell, DNS translates IP addresses into hostnames and back again. The hostnames are for the benefit of human end users. The IP addresses are the only essential thing as far as the computers are concerned. In a longer form, we need to begin by looking at the different types of DNS servers. The first type of server is called a 'Root Name Server'. Each Top Level Domain (such as .com, .edu, .us, .in, .sg, etc.) has one or more Root Name Servers, which are responsible for determining where the individual records are held. These servers are fairly static, and every machine on the Internet has the capability of reaching any of them as needed. The servers that the Root Name Servers direct queries to are called 'Authoritative Name Servers'. These are the servers which hold the actual information on an individual domain. This information is stored in a file called a 'Zone File'. Zone files are the updated versions of the original HOSTS.TXT file. The final type of name server is called a 'Resolving Name Server'. These are the servers that do the majority of the work when you are trying to get to a machine with a certain host name. Besides being responsible for looking up data, they also temporarily store the data for hostnames that they have searched out in a cache, which allows them to speed up the resolution of hostnames that are frequently visited. The manner in which these servers work together is fairly straightforward. When you attempt to go to a website, you type a hostname into your web browser. Let's say, for convenience, that you are going to www.foo.org. In your computer's settings is a list of resolving name servers which it queries to find out what www.foo.org's IP address is. The first thing that the resolving name servers will do is check their caches to see if the DNS information for www.foo.org is already there. If it isn't, they will go and check with the .org root name server to see which authoritative name server holds the zone file for foo.org. Once they have that server's IP address, they connect to it.
Once the resolving name server has queried the authoritative name server, it replies back to your computer with one of a number of different things. Ideally, it will report back with the correct IP address and allow your computer to connect to the web server and show you the web page that you were looking for. However, if the authoritative server is down, doesn't have a record for the specific hostname that you are looking up, or if the root server doesn't have a record that the domain name even exists, the resolving name server will report an error to your computer. Example:
Let's use the example that Ram types "www.bsnl.co.in" into his web browser. How does his PC find the web server that has the page he is looking for, among the thousands of web servers out there?
1. Ram types www.bsnl.co.in into his browser.
2. Ram's PC looks at its configuration. It will find something called "DNS Server" or "name server", and there will be an IP address associated with that. Let's say it is 198.6.1.1. Ram's PC sends a message to 198.6.1.1 and asks, "I am looking for the IP address of www.bsnl.co.in, can you tell me what it is?"
3. The DNS Server (198.6.1.1) gets the message and, assuming that the server already knows what the IP address of www.bsnl.co.in is, it tells Ram's PC that the IP address is 61.1.137.84.
4. Ram's PC gets the message that the IP address of www.bsnl.co.in is 61.1.137.84. So his PC sends a message to 61.1.137.84 and asks, "send me the default web page at 61.1.137.84".
5. The web server (whose IP address is 61.1.137.84) sends the web page to Ram's browser.
That is a simplistic example of how your PC finds a particular web server and web page. The process of matching a domain name to an IP address is called resolving. So your PC resolves the IP address from the domain name. Let's get into a little more detail. For step 2, how does Ram's PC know what the IP address of the DNS Server is? There are two ways it learns the address. The first is that Ram asked his ISP what the address was and entered it himself. There are times when manually entering (also known as statically entering) the address is necessary or desirable, but usually the ISP automatically tells your PC what the IP address of the DNS server is. This process is called "DHCP", or Dynamic Host Configuration Protocol. When you select "Obtain IP address automatically" in your Windows Network Connections page, you are telling your PC to use DHCP and to ask the ISP to give you the DNS Server address (among a bunch of other things).
In step 3, we assumed that the DNS server already knew the IP address of www.bsnl.co.in. What if it didn't? Let's assume that the DNS server Ram's PC sent the request to doesn't know where www.bsnl.co.in is.
Have you ever noticed that there are only so many variations of the end of the domain name? There are .com, .gov, .net, .org, .us, .in, .biz, among others. When a DNS server receives a request to resolve an IP address (translate from a domain name to an IP address) for a domain that it doesn't know the answer to, it sends a message to any one of a small number of servers. That small number of servers are responsible for knowing what the "authoritative server" is for EVERY domain name. A realm would be .com or .org, for example, and is properly called a top-level domain. What is an authoritative server? An authoritative server is a DNS server that has a Statement of Authority configured for a particular domain name. That means that the server has absolute and total knowledge of the domain; any information that contradicts the information that the server has is wrong. It is the final word. This becomes more important a little later. For the purposes of this discussion, let's ignore backup authoritative servers. The message that Ram's DNS server sends to the top-level domain server is "what is the authoritative server for bsnl.co.in?". It is important to understand that Ram's DNS Server is NOT asking "what is the IP address of the web server for bsnl.co.in?". It is only asking "where do I go to find out where the web server for bsnl.co.in is?" Once Ram's DNS server knows where to go to get the answer for Ram's request, it sends a message to the authoritative server asking "what is the IP address of the web server for bsnl.co.in?". The authoritative server responds, and Ram's DNS Server tells Ram's PC the IP address it needs to connect Ram to the web page he is looking for. To summarize the past few paragraphs, Ram's DNS server receives a request for an IP address that it doesn't know. That server makes a request of a top-level domain server and gets a response telling it where to go to get the information that Ram is requesting.
The DNS server then makes a request of the authoritative server and forwards the answer it receives to the PC that made the first request. It sounds long and complex, but it happens very quickly. One way to speed up the process is called caching. Caching is where the DNS server remembers the response from the authoritative server for a period of time. So if Babu makes the same request 5 minutes after Ram did, the DNS server doesn't have to repeat the whole process. Caching will be brought up again in a bit. Remember that Ram's DNS server cached the address for the web server of www.bsnl.co.in, meaning that it remembers that www.bsnl.co.in has the IP address 61.1.137.84. Most DNS servers are set to remember that information for 24 hours. So if Ram requests your web page at noon on Monday, Ram's DNS server will cache the IP address of your web server until noon on Tuesday. If you change hosts at 1pm on Monday, Ram will get your old website until at least noon on Tuesday. His DNS server is giving Ram's PC the information it remembers; it doesn't check to see if that is still accurate. So if your old website is down (maybe you have moved hosts, for example), Ram can't get to your new website until his DNS server refreshes the information (which will then point to the new web site).
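The resource records of 8.7.2, the server types of 8.7.3 and the walk-through above can be replayed offline with the following added Python simulation (it is not code from the original text). The root and top-level domain servers are merged into one referral-only server, as the text itself does; the 24-hour TTL is the value the text gives, while the simulated clock and the new address 192.0.2.10 that the site moves to are constructed for the example.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceRecord:
    """One resource record: owner name, type, class, TTL and RDATA."""
    name: str    # owner name, fully qualified, e.g. "www.bsnl.co.in."
    rtype: str   # record type; "A" maps a name to an IPv4 address
    rclass: str  # record class; "IN" is the Internet class
    ttl: int     # seconds a resolving server may keep the record cached
    rdata: str   # the variable part of the record, here an IP address


class NoSuchName(Exception):
    """No server on the lookup path holds the requested record."""


class AuthoritativeServer:
    """Holds the zone file for one domain and answers only from it."""

    def __init__(self, zone, records):
        self.zone = zone
        self.records = {(r.name, r.rtype): r for r in records}

    def update(self, record):
        """Edit the zone file, e.g. when the web site moves to a new host."""
        self.records[(record.name, record.rtype)] = record

    def lookup(self, name, rtype):
        record = self.records.get((name, rtype))
        if record is None:
            raise NoSuchName(f"{name} has no {rtype} record in zone {self.zone}")
        return record


class RootServer:
    """Stands in for the root / top-level domain servers of the text: it knows
    no host addresses, only which authoritative server holds each zone."""

    def __init__(self, delegations):
        self.delegations = delegations  # zone name -> AuthoritativeServer

    def referral(self, name):
        labels = name.split(".")
        for i in range(len(labels)):  # longest matching zone wins
            zone = ".".join(labels[i:])
            if zone in self.delegations:
                return self.delegations[zone]
        raise NoSuchName(f"no authoritative server is registered for {name}")


class ResolvingServer:
    """The server Ram's PC is configured with: answers from cache when it can,
    otherwise walks root -> authoritative and caches the answer for its TTL."""

    def __init__(self, root, clock=time.time):
        self.root = root
        self.clock = clock  # injectable so the scenario below can move time
        self.cache = {}     # (name, rtype) -> (record, expiry time)

    def resolve(self, name, rtype="A"):
        name = name.lower()
        if not name.endswith("."):
            name += "."     # make the name fully qualified
        key = (name, rtype)
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0].rdata, "cache"  # served without re-checking accuracy
        self.cache.pop(key, None)         # drop an expired entry, if any
        record = self.root.referral(name).lookup(name, rtype)
        if record.ttl > 0:                # a TTL of zero means "do not cache"
            self.cache[key] = (record, now + record.ttl)
        return record.rdata, "authoritative"


def stale_cache_scenario():
    """Replay the text: the site moves hosts an hour after Ram's lookup, but
    his resolving server keeps serving the old address until the TTL runs out."""
    clock = {"now": 0.0}          # simulated time, advanced by hand below
    one_day = 24 * 3600           # the 24-hour caching the text describes
    bsnl = AuthoritativeServer("bsnl.co.in.", [
        ResourceRecord("www.bsnl.co.in.", "A", "IN", one_day, "61.1.137.84")])
    root = RootServer({"bsnl.co.in.": bsnl})
    resolver = ResolvingServer(root, clock=lambda: clock["now"])
    first = resolver.resolve("www.bsnl.co.in")   # full walk, answer cached
    second = resolver.resolve("www.bsnl.co.in")  # Babu, minutes later: cache
    clock["now"] += 3600                         # 1pm: the site moves hosts
    bsnl.update(ResourceRecord("www.bsnl.co.in.", "A", "IN", one_day, "192.0.2.10"))
    stale = resolver.resolve("www.bsnl.co.in")   # still the old address
    clock["now"] += one_day                      # past noon the next day
    fresh = resolver.resolve("www.bsnl.co.in")   # expired, so re-queried
    return first, second, stale, fresh
```

A record whose TTL is zero is never cached, so every lookup of it goes back to the authoritative server, which is the "prohibit caching" case of 8.7.2.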
Chapter 9
Overview of Remote Access Server
Contents
• Remote Access Connections
• Remote Access Protocols
• Remote Access Security
• RADIUS
Objectives
After completion of this module you will be able to know:
• The different Remote Access Connections
• The different Remote Access Protocols
• Security aspects of Remote Access
• What is RADIUS
Remote access clients are connected to either the Remote Access Server's (RAS) resources only (which is sometimes called point-to-point remote access connectivity), or they are connected to the RAS server's resources and the resources of the network to which the server is connected (which is called point-to-LAN remote access connectivity). The latter type of connection enables remote access clients to access network resources as if they were directly attached to the network.
9.1 Remote Access Connections
A RAS server provides two remote access connection methods:
• Dial-in remote access. A remote access client uses the telecommunications infrastructure to create a temporary physical circuit to a port on a remote access server. After the physical circuit is created, the two computers can negotiate the rest of the connection parameters.
• Virtual private network (VPN) remote access. A client uses an Internet Protocol (IP) internetwork (typically the Internet) to create a virtual point-to-point connection with a remote access server acting as the VPN server. After the virtual point-to-point connection is created, the two computers can negotiate the rest of the connection parameters. (VPN is not covered in this lesson.)
9.1.1 Dial-In Remote Access Connections A dial-in remote access connection consists of a remote access client, a remote access server, and a WAN infrastructure, as shown in Figure 9.1. The physical or logical connection between the remote access server and the remote access client is facilitated by dial-in equipment installed at the client and server sites and by the telecommunications network. The nature of the dial-in equipment and telecommunications network varies depending on the type of connection being made.
Figure 9.1: Elements of a dial-in remote access connection
The most common type of WAN connection used by RAS is the Public Switched Telephone Network (PSTN), also known as Plain Old Telephone Service (POTS). PSTN is the standard analog telephone system designed to carry only the frequencies necessary to distinguish human voices. Because the PSTN was not designed for data transmissions, the maximum bit rate that a PSTN connection can support is limited. Dial-in equipment consists of analog modems for the remote access client and the remote access server, as shown in Figure 9.2. For large organizations, the remote access server is attached to a modem array that can contain dozens or hundreds of modems, each of which can service a different client.
Figure 9.2: Dial-in equipment and WAN infrastructure for PSTN connections
Integrated Services Digital Network (ISDN) is another form of dial-up connection that provides greater transmission speeds and an all-digital connection. It was originally designed as a digital replacement for the analog telephone network. The standard ISDN installation is called the Basic Rate Interface (BRI) and consists of two 64-Kbps B channels and one 16-Kbps D channel, the latter of which is used exclusively for control traffic. This combination is sometimes called 2B+D. It is possible to combine the two B channels into one 128-Kbps data pipe or use them separately with different devices, such as ISDN telephones and fax machines. Unlike most other high-speed WAN technologies, ISDN is a dial-up service that enables you to connect to different destinations as needed. The connection process is extremely fast, taking about half a second, as opposed to the lengthy dial, ring, and modem negotiation sequence on standard PSTN connections. ISDN is not a portable technology, even though it uses the same cables as PSTN connections. An ISDN connection requires the installation of special equipment to provide its higher speeds. Despite its attributes, ISDN still has not achieved great popularity because of its relatively high cost per megabit of transmission speed. However, it does provide a higher-speed alternative for RAS connections that functions with RRAS (Routing and Remote Access Service) just as PSTN dial-ups do. Generally speaking, the dial-in RAS architecture is the same whatever type of WAN technology is providing the connection between the client and the server.
9.2 Remote Access Protocols
Remote access protocols control the establishment of connections and the transmission of data over the WAN links connecting RAS clients and servers. The operating system and LAN protocols used on remote access clients and servers dictate which remote access protocol your clients can use. In nearly all cases, RAS connections use the Point-to-Point Protocol (PPP) for WAN communications because PPP includes mechanisms that provide security and support for multiple protocols at the network layer. Older RAS protocols used with earlier Windows RAS implementations, such as the Serial Line Internet Protocol (SLIP) and Asynchronous NetBIOS Enhanced User Interface (NetBEUI), have fallen into disuse because they do not provide these features. After the WAN connection is established between the RAS client and server, the client can access server resources using PPP. For the client to access resources on the network to which the server is attached, the server functions as a router between the PPP connection and a standard LAN protocol, such as Ethernet or Token Ring. Both PPP and the LAN protocols provide support for all the standard network layer protocols, such as TCP/IP, Internetwork Packet Exchange (IPX), NetBEUI, and AppleTalk. This enables the RAS client to access virtually any type of resource on the server's network, just as if the computer were directly connected to the LAN. The only perceivable difference is the speed of the connection, which is much slower than a standard LAN connection.
9.3 Remote Access Security As with any technology that opens a network up to outside users, security is an important consideration. Remote access offers a wide range of security features, including user authentication, mutual authentication, data encryption, callback, caller ID, remote access account lockout, and access control.
9.3.1 User Authentication
The most basic form of security for any network connection is authentication, which is the exchange and verification of credentials that identify the user to the network. To prevent credentials (such as passwords) from being intercepted by third parties, RAS supports a variety of authentication protocols that encrypt the user's credentials before transmitting them over the network. When a client establishes a connection with a RAS server using PPP, the two computers negotiate the use of a specific authentication protocol that controls how the user credentials are exchanged. The authentication protocols supported by RAS are as follows:
• Password Authentication Protocol (PAP). An unsecured authentication protocol, meaning that it transmits the user's credentials in clear text. Anyone capturing network packets with a protocol analyzer (such as the Windows 2000 Server Network Monitor) can read a user's account name and password from the PAP messages and use them to gain access to secured resources. PAP also has no means for a client and a server to authenticate each other. PAP typically is used only when the RAS client and server have no other authentication protocols in common. To protect your users' passwords from being compromised, you can disable the use of PAP on your RAS server. When you do this, clients that do not support one of the more advanced authentication protocols are unable to connect to the server.
• Shiva Password Authentication Protocol (SPAP). A variant of PAP designed for use with Shiva remote networking products (now owned by Intel). Windows clients connecting to a Shiva server device or Shiva clients connecting to a RAS server use SPAP to transmit their user credentials over the network connection in encrypted form. SPAP is more secure than PAP, but it uses a reversible form of encryption that makes the data packets containing the user credentials subject to replay. Replay occurs when a potential intruder takes a packet containing an encrypted password and uses it to access unauthorized resources without decrypting the contents.
• Challenge Handshake Authentication Protocol (CHAP). An authentication protocol that uses the Message Digest 5 (MD5) hashing algorithm to encrypt the authentication information. The server sends a message called a challenge to the client in encrypted form, and the client must decrypt it and transmit the appropriate response back to the server. Because CHAP never transmits passwords in clear text, the credentials remain secure during the authentication process.
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 1 and version 2. An extension of the CHAP authentication protocol that provides greater security and support for the use of Windows authentication information. MS-CHAP is also the only authentication protocol supported by Windows 2000 that enables users to change their passwords during the logon process. In an MS-CHAP version 1 authentication, the server sends a challenge to the client that contains a session identifier and an arbitrary challenge string. The client's response contains the user's account name, plus a nonreversible encryption of the challenge string, the session identifier, and the user's password. The server then evaluates the response and either grants or denies access. MS-CHAP version 2 provides even greater security by supporting mutual authentication, separate encryption keys for transmitted and received data, and keys that are based on the user's password plus an arbitrary challenge string so that each time a user connects with the same password, the encryption key is different. The MS-CHAP v2 authentication process proceeds in the same way as the version 1 process, except that the client's response to the server's challenge contains an arbitrary peer challenge string for the authentication of the server, in addition to the other components. When the server responds to the client's authentication attempt, it includes an encrypted string of its own. The client then verifies the authentication of the server, after which the connection is established.
• Extensible Authentication Protocol (EAP). A protocol that enables RAS clients and servers to negotiate the use of any authentication mechanism that the two have in common. EAP makes it possible for the client and server to conduct an open-ended conversation in which the server issues individual requests for authentication information and the client responds to each request. As the server processes each response, it advances the client to the next authentication level. When all the requests have been satisfied, the client is fully authenticated and access is granted. The authentication mechanisms used by EAP are called EAP types; for authentication to occur, the client and server must support the same type.
You can configure a Windows 2000 RAS server to use any or all of these authentication methods. If the remote access client does not support any of the authentication protocols that the server is configured to use, the connection is denied.
9.3.2 Mutual Authentication As mentioned earlier, mutual authentication is obtained by authenticating both ends of the connection through the exchange of encrypted user credentials. This is possible through the use of PPP with MS-CHAP version 2 or with EAP-TLS. During the mutual authentication procedure, the remote access client authenticates itself to the RAS server, and then the RAS server authenticates itself to the remote access client.
9.3.3 Data Encryption Data encryption encodes the data sent between the remote access client and the RAS server. However, remote access data encryption provides protection only on the WAN link between the RAS client and server. If end-to-end encryption is needed, such as between a RAS client and another computer on the server network, you can use the IP Security (IPsec) extensions to create an encrypted end-to-end connection after establishing the RAS connection. Data encryption on a remote access connection is based on a secret encryption key known to the RAS server and the client. This shared secret key is generated during the user authentication process. Data encryption is possible over dial-in remote access links when using PPP along with EAP-TLS or MS-CHAP. As with authentication, you can configure the RAS server to require data encryption. If the remote access client cannot perform the required encryption, the connection attempt is rejected.
9.3.4 Callback With callback, the remote client dials into the RAS server, authenticates itself, and then severs the connection. The server then calls the client back and reestablishes the connection. You can configure the server to call the client back at a preset number or at a number specified by the client during the initial call. This enables a traveling user to dial in and have the RAS server call back the remote access client at the current location, saving telephone charges. When you configure the server to always call the client back at the same number, you prevent unauthorized users from connecting to the server using different telephone numbers.
9.3.5 Caller ID RAS can use caller ID to verify that a call from a client is coming from a specified phone number. You configure caller ID as part of the dial-in properties of the user account. If the caller ID number of the incoming connection for that user does not match the configured caller ID, the connection is denied.
9.3.6 Remote Access Account Lockout
The remote access account lockout feature, which is enabled in the registry on the server providing authentication, specifies how many failed remote access authentication attempts a user is permitted before the server denies remote access. Remote access account lockout is especially important for VPN connections over the Internet. Malicious Internet users can attempt to access an organization's intranet by repeatedly sending credentials (a valid user name and a guessed password) during the VPN connection authentication process. With remote access account lockout enabled, this type of attack is thwarted after a specified number of failed attempts.
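The challenge/response exchange of section 9.3.1 and the account lockout of section 9.3.6 together, as an added example that is not from this text or from Windows 2000 RAS: the client's response is computed the way RFC 1994 CHAP specifies (MD5 over the identifier, the secret and the challenge), the server keeps the secret and a per-user failure counter, and the lockout threshold of three attempts and the user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """Client side of RFC 1994 CHAP: MD5(Identifier || secret || Challenge).

    Only this digest crosses the WAN link; the secret itself never does.
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """RAS-side CHAP authenticator with a remote access account lockout.

    max_failures stands in for the lockout threshold the text says Windows 2000
    keeps in the registry; this is a simulation, not the real setting.
    """

    def __init__(self, secrets_by_user, max_failures=3):
        self._secrets = dict(secrets_by_user)  # user -> shared secret, kept server-side
        self._max_failures = max_failures
        self._failures = {}                    # user -> consecutive failed attempts
        self._pending = {}                     # user -> (identifier, challenge)
        self._next_identifier = 0

    def challenge(self, user):
        """Send a fresh Challenge packet: (Identifier, random Challenge value)."""
        identifier = self._next_identifier % 256
        self._next_identifier += 1
        challenge = os.urandom(16)
        self._pending[user] = (identifier, challenge)
        return identifier, challenge

    def verify(self, user, identifier, response):
        """Check a Response packet; returns "success", "failure" or "locked out"."""
        if self._failures.get(user, 0) >= self._max_failures:
            return "locked out"
        # A challenge is single-use: consume it whether or not the response is
        # good, so a captured response cannot be replayed against a later one.
        pending = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if pending is None or secret is None or pending[0] != identifier:
            return self._record_failure(user)
        expected = chap_response(identifier, secret, pending[1])
        if hmac.compare_digest(expected, response):
            self._failures.pop(user, None)   # a successful logon clears the counter
            return "success"
        return self._record_failure(user)

    def _record_failure(self, user):
        self._failures[user] = self._failures.get(user, 0) + 1
        return "failure"


def run_demo():
    """Walk through six exchanges and return the server's verdict for each."""
    server = ChapServer({"alice": b"correct horse"}, max_failures=3)
    verdicts = []

    # 1. Legitimate logon: challenge -> response -> success.
    ident, chal = server.challenge("alice")
    good_response = chap_response(ident, b"correct horse", chal)
    verdicts.append(server.verify("alice", ident, good_response))

    # 2. Replay of the captured response against a new challenge fails,
    #    because the digest is bound to the old identifier and challenge.
    ident2, _chal2 = server.challenge("alice")
    verdicts.append(server.verify("alice", ident2, good_response))

    # 3. Password guessing: the replay already counted as one failure, so two
    #    wrong guesses reach the threshold and the third is refused outright.
    for guess in (b"password", b"alice123", b"letmein"):
        ident_g, chal_g = server.challenge("alice")
        verdicts.append(server.verify("alice", ident_g, chap_response(ident_g, guess, chal_g)))

    # 4. Even the correct password is refused while the account is locked out.
    ident3, chal3 = server.challenge("alice")
    verdicts.append(server.verify("alice", ident3, chap_response(ident3, b"correct horse", chal3)))
    return verdicts


if __name__ == "__main__":
    for step, verdict in enumerate(run_demo(), 1):
        print(step, verdict)
```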
9.3.7 Access Control In addition to the various connection techniques described in the previous sections, you can also control remote client access to your network in other ways. You can configure individual Windows 2000 user accounts to permit or deny remote network access, and you can create remote access policies to control whether remote users can access a server, based on a variety of criteria.
9.4 What Is RADIUS?
RADIUS (Remote Authentication Dial-In User Service) provides three services to a network: Authentication, Authorization, and Accounting. Each of these service names begins with the letter A, so together they are called 3A. For a number of reasons, it can be quite difficult to secure a network that has many remote users. Such a network may need to allow remote connections from other locations in the network or from users who are dialing in from home or even while traveling. This last group, roaming users, poses a network’s largest security risk. Allowing users to connect from any location makes it difficult to maintain control over incoming connections to the private network. The purpose of RADIUS is to control the actions of remote and roaming users without allowing sensitive network information like usernames and passwords out of the private network. RADIUS does this by using a client/server architecture that is specifically designed for a geographically dispersed environment. It is important to remember that RADIUS is not a full remote-access solution. It merely adds security and accounting to a remote-access design for a network. RADIUS protects a private network by isolating authentication of remote users from the rest of the data exchange that occurs over lines that are not secure. In a traditional remote-access solution, the RAS server connects users to the network, and all data transfer occurs through the RAS server, including authentication and accounting information such as transaction logging. In a RAS solution that uses RADIUS, the RAS server still controls the transfer of data between the remote client and the private network, but it passes to the RADIUS service the responsibility of authenticating the user, authorizing user actions, and tracking remote user actions.
9.4.1 Tracking Remote Connections with RADIUS Accounting
The accounting service provided by RADIUS increases control over remote connections. Because RADIUS can log remote connections to a network, such network usage can be monitored. The accounting service can log the IP address of the computer that requests authentication, the time of the call, the call status (such as success or failure), which RADIUS client sent the request and which RADIUS server accepted the request. This accounting service, which is separate from the authentication and authorization services provided by RADIUS, can also be used for billing or security purposes. We’ll see how Internet Service Providers (ISPs) can use the accounting feature to charge for RADIUS services that are provided to a network.
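The accounting exchange this section describes, as an added example that is not from this text or from any RADIUS product: the RAS server (the RADIUS client) builds an RFC 2866 Accounting-Request carrying the user name, its own NAS address, the call status and session details, and the RADIUS server checks the Request Authenticator against the shared secret before turning the packet into a log record. The shared secret, addresses and session values are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS packet code (RFC 2866) and the attribute types this example uses
# (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
USER_NAME = 1
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attribute(atype, value):
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if isinstance(value, str):
        value = value.encode()
    elif isinstance(value, int):
        value = struct.pack("!I", value)
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_accounting_request(identifier, secret, attributes):
    """RAS/NAS side: build an Accounting-Request packet.

    RFC 2866 Request Authenticator = MD5(Code + Identifier + Length +
    16 zero octets + attributes + shared secret).
    """
    body = b"".join(_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def _parse_attributes(body):
    attrs, pos = [], 0
    while pos < len(body):
        atype, alen = struct.unpack_from("!BB", body, pos)
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return attrs


def accounting_record(packet, secret):
    """RADIUS server side: verify the authenticator, then decode a log record.

    Returns None unless the packet is a well-formed Accounting-Request from a
    client that knows the shared secret (wrong secret, truncated or tampered
    packets are all rejected before anything is logged).
    """
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None
    try:
        attrs = _parse_attributes(body)
    except ValueError:
        return None
    record = {"identifier": identifier}
    for atype, value in attrs:
        if atype == USER_NAME:
            record["user"] = value.decode()
        elif atype == NAS_IP_ADDRESS:
            record["nas_ip"] = socket.inet_ntoa(value)     # which RADIUS client sent it
        elif atype == FRAMED_IP_ADDRESS:
            record["client_ip"] = socket.inet_ntoa(value)  # address handed to the caller
        elif atype == ACCT_STATUS_TYPE:
            record["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "unknown")
        elif atype == ACCT_SESSION_ID:
            record["session"] = value.decode()
        elif atype == ACCT_SESSION_TIME:
            record["seconds"] = struct.unpack("!I", value)[0]
    return record


# Constructed sample: a RAS server reporting the end of a dial-in session.
# The secret and addresses are made up for this example.
SHARED_SECRET = b"example-shared-secret"
SAMPLE_STOP = build_accounting_request(7, SHARED_SECRET, [
    (USER_NAME, "alice"),
    (NAS_IP_ADDRESS, socket.inet_aton("192.0.2.10")),
    (FRAMED_IP_ADDRESS, socket.inet_aton("198.51.100.23")),
    (ACCT_STATUS_TYPE, 2),
    (ACCT_SESSION_ID, "0000004B"),
    (ACCT_SESSION_TIME, 1830),
])

if __name__ == "__main__":
    print(accounting_record(SAMPLE_STOP, SHARED_SECRET))
    print(accounting_record(SAMPLE_STOP, b"wrong-secret"))  # None: secret mismatch
```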
9.4.2 RADIUS Service Basics Although RADIUS is a service, the term RADIUS can also refer to a protocol because networking services are often named after the protocol that runs the service. (Just like the FTP service is run by the FTP protocol, the RADIUS service is run by the RADIUS protocol.)
9.5 Summary
• Remote access provides two different types of remote access connectivity: dial-in remote access and virtual private network (VPN) remote access.
• A dial-in remote access connection consists of a remote access client, a remote access server, and a wide area network (WAN) infrastructure.
• Remote access protocols, such as Point-to-Point Protocol (PPP), control the connection establishment and transmission of data over WAN links.
• Generally remote access supports the following local area network (LAN) protocols: Transmission Control Protocol/Internet Protocol (TCP/IP), Internetwork Packet Exchange (IPX), AppleTalk, and NetBIOS Enhanced User Interface (NetBEUI).
• Remote access offers a wide range of security features, including secure user authentication, mutual authentication, data encryption, callback, caller ID, and remote access account lockout.
Chapter 10
Security
Contents
• Various methods of social engineering
• Situations to watch out for
• Ways that information can be gleaned from employees
• Various ways to secure the user’s computer and network access
• Enforced policies
• Encryption and authentication
• Firewalls
• Incident response plan
• Deal with an incident when it happens
• Test the plan before an actual incident occurs
Objectives
After completion of this module you will be able to know:
1. Various methods of social engineering
2. Situations to watch out for
3. How to reduce the number of ways that information can be gleaned from employees
4. Various ways to secure the user’s computer and network access
5. Enforced policies, encryption and authentication, and properly configured and installed firewalls
6. How to formulate an incident response plan
7. How to deal with an incident when it happens
8. How to test the plan before an actual incident occurs
In a world where security has become an enormous factor and network administration must cover everything from desktop support to business continuity planning, the scope of IT duties has widened and budgets have narrowed. This lesson covers several different aspects of security to help you find ways to keep your network safe by spotting potential risks in the user environment before an incident happens and showing you how to handle a security problem, should it occur. The lesson also helps you evaluate your disaster recovery plan. It guides you through social engineering, safe telecommuting, and the pitfalls of wireless LANs, and then takes you through incident response and disaster recovery.
10.1 Social Engineering
You see news articles about network security and vulnerabilities in software and hardware every day. This visibility has caused security to become a priority in most companies. Efforts to make sure the network is secure generally focus on how to implement hardware and software such as intrusion detection, Web filtering, spam elimination, and patch installation. One of the biggest threats of which we, as security professionals, are often unaware and cannot control is social engineering. Very little attention is paid to the person-machine interaction. This lesson focuses on some of the methods of social engineering that are commonly used to obtain information that can enable an intruder to penetrate the best hardware and software network defenses. Social engineering is a method of obtaining sensitive information about an office through exploitation of human nature. It's an attempt to influence a person into revealing information or acting in a manner that would disclose information that normally would not be provided. It's based on the trusting side of human nature and people's desire to be helpful. Social engineering is hard to detect because you have very little influence over lack of common sense or ignorance on the part of employees. Business environments are fast paced and service oriented. Human nature is trusting and often naive. Before we get into the methods of social engineering, let's look at the planning of an attack. An intruder seldom decides to infiltrate an office randomly. The attack is usually very methodical. A social engineering attack is very similar to the way intelligence agencies penetrate their targets:
1. Gather intelligence.
2. Select a specific vulnerable area as the entry point.
3. Execute the attack.
In the intelligence-gathering phase, the attacker can find readily available information through the following:
• Dumpster diving
• Web pages
• Ex-employees
• Vendors
• Contractors
• Strategic partners
This information is the foundation for the next phase, in which the intruder looks for weaknesses in the organization's personnel. Some of the most common targets are people who work in the following areas:
• Help desk
• Tech support
• Reception
• Administrative support
These employees are most likely to be affected by an intimidation type of attack (discussed later), simply because they handle a large volume of calls and they're trained to deliver good customer service. The last phase is the attack, also commonly known as the con. There are three broad categories of attacks:
• Ego attacks
• Sympathy attacks
• Intimidation attacks
These attacks are discussed in further detail a little later in this lesson.
10.1.1 Attack on the physical level
There are two levels at which social engineering occurs: the physical level and the psychological level. Let's first look at the physical level, which is looking for information in ways other than direct contact with the office or anyone in the office. We'll start with dumpster diving.
10.1.1.1 Dumpster diving
As humans, we naturally seek the path of least resistance. Instead of shredding documents or walking them to the recycle bin, we often throw them in the nearest waste basket. Equipment sometimes is put in the garbage. Intruders know this, so they often don't even have to contact anyone in the office in order to extract sensitive information -- they can find it all in the office's dumpsters. This is known as dumpster diving. Again, this is the path of least resistance -- no phone calls, no visits, simply look through the garbage. Anyone looking to extort money from the office or to steal identities could have easily made hundreds of thousands of rupees from the information they could have gleaned in those dumpsters. They would have had access to Social Security numbers, addresses, and a wealth of personal and financial information. This incredible security breach not only jeopardized the clients, but upon release of the story in newspapers, the office stock plummeted and lawsuits ensued. In any office, the potential for this type of information access is huge. What happens when an employee is leaving the office? He cleans out his desk. Depending on how long the employee has been there, what ends up in the garbage could be a goldmine for an intruder. Other potential sources of information that are commonly thrown in the garbage include:
• Old office directories
• Old QA or testing analysis
• Employee manuals
• Training manuals
• Hard drives
• Floppy disks
• CDs
• Printed e-mails
TIP
All these items should be disposed of properly. You should formulate a policy on destruction of data. The safest policy is to physically destroy the media and the information stored on it. Destruction is the only safe method of completely removing all traces of information stored on a removable media device. All paper-generated information should be shredded and/or taken away by a bonded destruction office.
10.1.1.2 Web pages
The Web pages of an office are a great place to find out information and organizational structure. Many companies also include the biographies of top executives. This information can be used to impersonate that person or someone who is an associate of the executive. For example, you could call an office and ask the receptionist for Manohar. She tells you that Manohar is out of the office until Monday. You ask who is in charge until he returns. You are told Mary. You leave a message for Mary, requesting information that she would have access to, saying you're working with Manohar and he said she could fax or e-mail the information you need while he's out of the office.
10.1.1.3 Additional methods of trickery
Another form of getting information is for an intruder to get employees to enter a contest. Say, for example, that you got an old office directory through dumpster diving. You could then send a contest letter to all employees asking them to register online at your Web site. Because many users use the same password for various accounts, it's likely that you would get some network passwords from the employees who register for the contest. E-mail social engineering is done by tricking someone into believing that the e-mail is a legitimate request. Social engineering involves knowing the target, and this includes knowing the e-mail addresses of your target. For instance, the I LOVE YOU virus used a social engineering technique. This virus created so much damage because it used an emotion-triggering subject line, I LOVE YOU.
WARNING
E-mail social engineering is a much more direct means of gaining access to a system because attachments can launch worms, viruses, and back doors.
Ex-employees are a great source of information on the inner workings of an office, especially if they left the office under unhappy conditions. Vendors, contractors, and strategic partners are another fantastic source of information. It's easier to impersonate someone from another office than it is to impersonate an employee.
10.1.2 Attack on the psychological level
These categories of attacks -- ego, sympathy, and intimidation -- are all on the psychological level of social engineering. This means that the intruder appeals to the employee through the use of emotion. Let's examine each of these attacks.
10.1.2.1 Ego attacks
An ego attack is perhaps one of the favorite types of social engineering attacks, simply because we all know that as network administrators we have big egos. The attacker appeals to the vanity, or ego, of the victim. The victim wants to prove how smart or knowledgeable he is and unthinkingly provides sensitive information. We're all anxious to show how much more we know than the next person or how much better our equipment is than theirs. The perfect scenario for this type of engineering is a user group meeting held after work. You know of several groups that meet once a month or so after work in some of the local clubs. Mix egos and guess what happens? It's amazing what employees will reveal without a whole lot of coaxing. How many of the employees are unwittingly revealing information in social settings without realizing who they are talking to? This can happen in any type of social setting. For example, suppose you attend a birthday party for a friend. Some of the other attendees are also in the field and the topic of conversation turns to servers. Everyone is comparing equipment. You'll know what operating systems are running, what kind of equipment is running on each, and what issues each one is having. Talking about our jobs and comparing problems are simply part of human nature, and ego attack victims never realize what has happened, but the information extracted can be extremely dangerous in the wrong hands. Ego attackers also target those they sense are frustrated with their current job position. Unhappy employees are very likely to reveal information with little prodding because they feel mistreated. Attackers also have been known to pretend to be law enforcement officials, and their victims feel obliged and sometimes even honored to help them by providing information.
10.1.2.2 Sympathy or intimidation attacks
The following are all examples of social engineering that either use intimidation or prey on sympathy:
• You receive a call from someone saying he's a General Manager. He states that he's in real trouble. He's attempting to do a presentation for Microsoft and has forgotten his password; therefore he can't log into the Web site to do the presentation. He just changed it yesterday and can't remember what it is. He needs to have it right away because he has a room full of clients waiting and he's starting to look incompetent. This is an extremely important client that could mean millions of dollars in revenue for the office.
• Someone you have never seen before approaches you as you're entering a secured building. She has her hands full carrying coffee and doughnuts. She smiles sweetly and says she has her ID badge in her pocket, but just doesn't seem to have an extra hand to swipe the card and still carry all she has. She asks that you please hold the door for her.
• You receive a call from the corporate office saying that a new mail server is being put into place and there's an immediate need to verify current user accounts and passwords. You are told that it's not safe to send this information via e-mail, and are asked to please print it off and fax it directly to a number given to you. You're told that the number is a direct line for the person putting the new server into place.
These attacks are very successful because our business needs change daily and we live in a fast-paced world. This type of attack plays on the empathy and sympathy of the victim, and an attacker can shop around until he finds someone who will help. Here are some social-engineering approaches an intruder can use to get information:
• Pretends to be a fellow employee or a new hire, contractor, or a vendor.
• Insists there's some urgency to complete some task or obtain some information.
• Needs assistance or he will be in trouble or lose his job.
• Pretends to be someone influential, an authority figure, or, in some cases, a law enforcement official, and uses that authority to coerce the victim into cooperation.
• If met with resistance, uses intimidation and threats such as job sanctions or criminal charges.
• If pretending to be a law enforcement officer, claims the investigation is hush-hush and not to be discussed with anyone else.
WARNING
Employees can exploit social engineering just as well as outsiders. Keep in mind that more damage is done to a network by disgruntled employees than by outsiders.
You'll learn how to recognize a social engineering situation shortly. Here's a scenario that actually happened: A user came to a network administrator with his laptop and requested that it be joined to the domain. The administrator logged the user off the laptop, logged in as himself, and joined the laptop to the domain. So, what's wrong with that? The user had keystroke logging software installed on the laptop. He proceeded to go back to his work area, read the log file, log in as the administrator, browse to the main server, and copy the SAM (Security Accounts Manager) to a file. (For those of you unfamiliar with the SAM, it holds user account information that includes usernames and passwords.) He took the file home and that evening ran L0phtCrack, which is password-cracking software, on the file. The next day, he had the logins and passwords for every user in the office. He periodically logged in as other users and accessed information he should not have. As time went by, he got bolder, logging in as the administrator and shutting down services, causing problems on the network. Eventually, his bragging got him into a bind and he was dismissed for his actions. The best way to avoid this type of situation is to never join a machine to the domain from a user's machine. The account should be created at the server console instead.
10.1.3 Learn to recognize a social engineering situation
Well, now that you know about the methods of social engineering, it's time to look at how to spot a potential situation. To keep from becoming a victim, you should know how to recognize an intruder. You can be neither suspicious nor trusting of everyone, so where do you draw the fine line? Remember the Manohar scenario from earlier in this lesson? If the office had a policy requiring employees to obtain contact information when a call comes in for an out-of-the-office employee, one sign to look for would be refusal to leave contact information. In this example, the receptionist simply states that Mr. Manohar is out of the office, and then asks for your name and a number at which you can be reached, and what the call is in regard to, so that your call may be properly returned. If you're an intruder, would you leave this information? Not likely. If you're a persistent intruder, you may press the receptionist for information such as when Mr. Brown will return and who is in charge in his absence, and act irate. This type of behavior is also a concern. The caller is deliberately avoiding giving out information about himself while trying to push the receptionist into giving out more information about the employee. What about someone who is rushing or is in a big hurry? We are all busy people; you're in as big a hurry as the next person. Look out for someone who tries to breeze by you as you're entering a secure building. She may strike up a conversation, and then say she's late for a big meeting and doesn't have time to be fishing for her ID badge, so she'll just come in with you. If you allow this, you may be admitting an intruder into the building. A genuine employee understands the security issue and finds her ID badge for admittance. Name-dropping is often used to impress the people you are conversing with. Many folks like to drop names -- it makes them feel more important. In social situations like the ones described earlier, many a conversation begins with, "The other day I was talking to so-and-so." If the speaker is talking about someone in your office, you get the feeling that he knows something about what is going on in your office and that you might trust him. Instead of proceeding to discuss the office, which is what the intruder wants, you may want to ask him questions such as how he knows so-and-so to get a feel for whether the person is being truthful or not. Of course, if he starts acting uneasy at the questions you're asking, you know that he's a potential intruder. Intimidation is one of the best ways to get information out of people, especially from people who tend to be timid by nature. Employees should be able to address intimidation situations without fear of punishment for not giving excellent customer service if they ask additional questions or for more information. Odd questions or asking for classified information can also be a dead giveaway that someone is fishing for attack information.
In the situation where the vice president needed a password, the approach should be that this is a potential intruder and not a vice president. Good practices can neutralize many of these social engineering situations. We'll discuss these practices next.
10.1.4 Promote practices that prevent attacks
The impact of social engineering and the ease of an attack are usually high. Technical, operational, and environmental controls individually will not prevent attacks. You need a combination of all three along with user awareness training. Here's a list of items that can be useful in preventing social engineering attacks:
• All employees should have a security mind-set and be able to question situations that do not seem right.
• Cleaning crews should search the wastebaskets for sensitive information and turn it over to management.
• Policies need to be in place for data destruction, including paper, hard drives, CDs, disks, and so on.
• Implement self-service password management to address weaknesses with help desk and password administration.
• Employees should have continued training in security awareness.
• Require all guests to sign in, wear a guest badge, and be escorted within the office.
• Have shredders located in convenient areas or hire a reputable office to pick up and shred documents.
• Extra security training in the area of social engineering and office security policies should be provided for security guards, receptionists, and help desk employees.
• Put policies in place for how to handle situations where an unknown person tries to slip in with a legitimate employee (called tailgating). Be sure that all employees know the policy and enforce it.
• Instruct employees on what can and cannot be discussed in social settings outside of work.
• Encrypt information on desktops, laptops, and PDAs.
• Have policies regarding e-mail and voice mail notifications for employees on vacation or out of the building for a period of time.
• Have incident response teams to lessen the damage if a breach occurs.
• Apply technology where possible, such as biometrics or electronic security badges.
• Test your defenses periodically.
This by no means covers everything or all situations. The important factors to remember are that there must be policies in place and that all employees must be aware of these policies. Training must start as soon as the job begins. Employees should know they play a part in the security of the office and that their jobs depend on their vigilance. You're faced with customer service and courtesy issues every day. Technology cannot control these situations. We all must rely on each other to use our best judgment when revealing information about our office and ourselves. Remember, the best defense is a good set of policies, proper education, and continued awareness training.
10.2 Secure Computer and Network
We have seen the ways in which an intruder can use social engineering to attack a network. Here, you'll see how an intruder can use a telecommuter's computer to attack your network and how you can make that computer more secure. Many IT professionals work from home at least part of the time. All of this makes for a flexible work environment. That flexibility can also cause the IT professional a huge headache, because you have no control over what goes on in the confines of an employee's home. Consider one administrator's experience: there were strange incidents happening on the network. A cracker had accessed the network and was wreaking havoc. No matter what this administrator did to change and tighten security, the cracker always got back in. Eventually it was discovered that the cracker was getting into the network through the administrator's home machine, which was always left on and connected to the Internet.
With information security, you cannot allow even the top leaders to sidestep or ignore policy. An employee cannot be allowed to work at home until the home machine is secured. This should be part of the security policy, and all employees should have signed a statement to that effect when they were hired. Should you find yourself in this situation, it must be passed to the next level of management or someone who manages security.
10.2.1 Understand the home environment
What happens when employees are allowed to work from home? They're given an office machine or allowed to use their own, IT sets them up to access the network, and then we forget about them. Let's consider a few factors about telecommuting employees. After all, they're doing office work. Most of them have children or spouses who use the same computer that they use to access the work environment. Employees who have more than one computer usually set up a home network. Those who care about their home aesthetics or don't want to pull wire set up wireless networks at home. Here are a few scenarios, each of which poses a threat to the work environment:
• An office engineer has a daughter and a son who each have a laptop. The engineer purchases a wireless router and hooks up all the machines -- including the work machine -- so that all the machines can use the high-speed Internet connection. One of the reasons that wireless is so popular with home users is that you can just plug it in and have it start working. In this scenario, then, there's little probability that the engineer enabled WEP (Wired Equivalent Privacy) on the laptops, so the computers are left vulnerable because the information is sent in clear text.
• An employee's home workstation is running Windows 98. (In all operating systems prior to Windows NT, all passwords are stored in the .pwl file.) The Internet connection is always on, because the children want Internet access on that computer, especially in the summer when school's out. The virus software is disabled because it interferes with the children's favorite game. In this situation, the always-on connection leaves the machine open to attack, the .pwl file can easily be accessed for a list of passwords, and disabling the virus software leaves the machine unguarded against viruses.
• You've installed keystroke-logging software to track where your children have been on the Internet, because many times they use your computer unsupervised. This software runs constantly. You've made it extremely easy for a cracker to get your password to the network, because all he has to do is read the log file. This is a giveaway -- he has no work to do because you've done it for him. Keystroke-logging software should not be used on a machine that has been supplied by the employer unless the employer installed it and is aware that it's on the machine.
• You are constantly having issues with your computer because you let your children use it. What do you think the chances are that someone has already penetrated the network where you work and is slowly stealing information or planting malicious code?
10.2.2 Establish effective policies
Every office should have policies in place to protect the network from attacks via home users. These might include the following:
• Requiring the employee to notify IT immediately if he changes his home connection from dial-up to high speed, so that policies and procedures can be addressed.
• Not permitting an office-owned PC to be used for other purposes or by unauthorized individuals.
• Not allowing virus protection software to be disabled, and requiring that it be updated regularly.
• Requiring immediate disconnection from the network and immediate support contact in the event that the machine contracts a virus.
• Requiring the use of a firewall, and not permitting it to be disabled.
• Requiring that the machine be either disconnected from the network and the Internet or turned off completely when the employee finishes working for the day.
• Mandating that a boot disk be handy in the event a virus renders the machine unusable.
• Requiring that data be backed up if the employee is storing office information on a home computer.
• Requiring that the operating system and all applications on the machine be kept up to date.
TIP Post information about patches and updates, whether the IT department supplies them or the employee is expected to acquire them on his own. Once the information is posted, an employee has no excuse for failing to comply.
• Requiring strong passwords.
• Requiring that non-work-related shares be turned off.
• Mandating that auditing be turned on (if the operating system allows).
Although it may seem like a lot of work, it's worth your while to periodically send questionnaires to all employees working from home who are using office computers. The main information you want from the employees is:
• The operating system and version
• All applications installed and their versions
• The type of Internet connection
• The location of the emergency boot disk
• How many other machines are using the Internet connection
• Any hardware changes
Then compare the current responses with the condition in which the machine left the office. If this is done on a regular basis, you will soon be able to tell who is using the computer strictly for work purposes and who is not. Often, what you'll find is that children use the computer to play games and download music files. These require the installation of additional programs. They also take up disk space and may require better video cards as well as extra memory. With policies in place, let's see how machines can be set up to securely connect to the work environment from home.
10.2.3 Secure home machines
As you learned in the previous section, you really have very little control over the home user. Even with good policies in place, there's no guarantee that telecommuters will follow them. What you can control is how the telecommuters connect to your network, and that's what we'll discuss now. When you allow telecommuters to access your network, they usually do so by first connecting to the Internet and then connecting to the network. A VPN (Virtual Private Network) is a network connection that permits access via a secure tunnel created through an Internet connection. Using an Internet-based VPN connection is very popular for several reasons:
• Users in an organization can dial a local Internet access number and connect to the corporate network for the cost of a local phone call.
• Administrative overhead is reduced with a VPN because the ISP (Internet Service Provider) is responsible for maintaining the connectivity once the user is connected to the Internet.
• There are various security advantages to using a VPN, including encryption, encapsulation, and authentication.
For users who travel, a local access number usually is available. If possible, you should provide this information to employees who travel -- it saves phone calls to the help desk and enables them to test the numbers before they have to give presentations. Figure 1 shows how a VPN works. Setting up the users' computers (clients) to connect to the server is a two-step process:
Figure 1: VPN remote access over the Internet.
1. Establish an Internet connection. This can be dial-up or broadband.
2. Connect to the VPN server. This involves dialing another connection.
Once the client is set up, it can use the VPN. Here's how a client uses a VPN to access a corporate LAN through the Internet:
1. The remote user dials into his local ISP and logs into the ISP's network.
2. The user initiates a tunnel request to the server on the corporate network. The server authenticates the user and creates the other end of the tunnel.
3. The user then sends data through the tunnel, which is encrypted by the VPN software before being sent over the ISP connection.
4. The server receives the encrypted data, decrypts it, and forwards it to the destination on the corporate network. Any information sent back to the remote user is encrypted before being sent over the Internet.
VPNs provide great opportunities for employee productivity while reducing long-distance charges, and a good VPN guarantees privacy and encryption. But it is authentication that ensures the integrity of the data. We've discussed the situations that home users get themselves into and how easily passwords can be breached on unsecured machines. In order for a VPN to provide the level of security that's intended, a solid means of authentication must be established. This brings us to two-factor authentication. In two-factor authentication, a user must supply two forms of ID before she can access a resource: one is something she knows, such as a password, and the other is something she has or is. For example, you may be required to type a password and place your thumb on a thumbprint scanner to properly identify yourself. Figure 2 illustrates this type of authentication.
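The two-factor check just described, as an added example that is not part of this lesson: the "something you know" is a salted password hash, and the "something you have" is modelled with an RFC 6238 time-based one-time password (TOTP) token rather than the smart card the lesson uses, which is an assumption made here. The user record, salt, shared secret and timestamp are all constructed for the demonstration. Each factor is checked separately and the login succeeds only when both pass, so neither a stolen password nor a borrowed token is enough on its own.

```python
"""Two-factor login check: a password the user knows plus a one-time code from a
token the user has. Added example, not the lesson's own code. The possession
factor is modelled with an RFC 6238 TOTP token instead of a smart card (an
assumption); the user record, salt, secret and timestamp are constructed."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Factor 1 (something you know): store a salted PBKDF2 hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Factor 2 (something you have): the code a TOTP token displays at unix_time."""
    counter = struct.pack(">Q", unix_time // step)          # RFC 6238 time counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()   # RFC 4226 HMAC-SHA1
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user database: one enrolled user with a salted hash and a token secret.
SALT = b"constructed-salt-0001"
USERS = {
    "asha": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"constructed-shared-secret-for-asha",
    }
}


def verify_login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass: a stolen password or a found token alone is not enough."""
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, SALT), user["pw_hash"])
    # Accept the current 30-second step and one step either side to absorb clock drift.
    code_ok = any(
        hmac.compare_digest(totp_code(user["totp_secret"], now + d * 30), code)
        for d in (-1, 0, 1)
    )
    return pw_ok and code_ok   # both already evaluated, so timing does not reveal which failed


if __name__ == "__main__":
    t = 1_700_000_000                                  # fixed constructed timestamp
    good = totp_code(USERS["asha"]["totp_secret"], t)
    print("password + valid code:", verify_login("asha", "correct horse battery staple", good, t))
    print("password only        :", verify_login("asha", "correct horse battery staple", "abcdef", t))
    print("code only            :", verify_login("asha", "wrong password", good, t))
```

The `totp_code` function reproduces the RFC 6238 reference vector (secret `12345678901234567890`, time 59 gives `287082` at six digits), so the token side can be checked against any standard authenticator. In a real deployment the secret would be provisioned to the user's token once and stored server-side like any other credential.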
Figure 2: Two-factor authentication.
The most common form of this type of authentication is a smart card. The security in this authentication is that both the card and the PIN are needed for validation. If the card is stolen, or the PIN is discovered, neither one of these alone can enable someone else to log on as the user. Smart card readers are attached to a computer port and a digital certificate is downloaded to activate the card. Smart card logon requires the user to insert the card and enter a PIN in order to log on.
10.2.3.1 Understand tunneling
The purpose of a VPN is to secure your network communications. There are two broad categories of tunneling:
• Voluntary
• Compulsory
In voluntary tunneling, the situation is as described earlier and shown in Figure 2-1. The cable modem dials the ISP, and the user is then connected to the VPN server via the Internet. In compulsory tunneling, the tunnel is set up between two VPN servers that act as routers for network traffic. This type of tunnel is most useful for connecting a remote office with its own network to a central office. Sometimes as an office is growing, it allows employees to run offices out of their homes with those employees hiring several people to work for them, or it may be in the situation where a contractor works out of an office that is shared by other contractors. Figure 3 shows an example of this type of tunneling.
Figure 3: Compulsory tunneling.
This type of server would be placed in a larger office, but remote users and traveling employees could create a connection with a local or corporate VPN server instead of connecting to an ISP first, thus eliminating the need to supply traveling employees with a list of local numbers for the ISP.
WARNING Tunneling should not be used as a substitute for encryption. The strongest level of encryption possible needs to be used within the VPN.
Let's take a look at personal firewalls that can be installed to help detect intrusions in home computers.
10.2.4 Examine personal firewalls
The potential for crackers to access data through the telecommuter's machine has grown substantially, and threatens to infiltrate our networks. Cracker tools have become more sophisticated and difficult to spot. Always-connected computers, typically with static IP addresses, give attackers copious amounts of time to discover and exploit system vulnerabilities. How can a user know when his system is being threatened? You can help thwart attacks by making sure that all telecommuters have firewalls installed on their systems. Firewalls come in two varieties: software and hardware. Like most other solutions, each has strengths and weaknesses. By design, firewalls close off systems to scanning and entry by blocking ports or non-trusted services and applications.
10.2.4.1 Software firewalls
Software firewalls are more flexible in that they enable the user to move from network to network. Typically, the first time a program tries to access the Internet, a software firewall asks whether it should permit the communication. You can opt to have the firewall ask the user each time the program tries to get online. The prompts usually get so annoying that most users end up making hasty decisions with little more information than they originally had. Another danger is that firewall filtering can get too complicated for the average user to fix easily, which makes users reluctant to deny permission to anything. There should be help available to telecommuters to aid in configuring these types of firewalls. It's one thing to say that telecommuters have firewalls, but quite another to ensure that those firewalls are correctly configured. Here's a list of the most commonly used software firewalls:
• McAfee.com Personal Firewall
• Norton Internet Security
• Sygate Personal Firewall
• ZoneAlarm
• BlackIce
• Tiny Personal Firewall
10.2.4.2 Hardware firewalls
Hardware firewalls provide an additional outer layer of defense that can more effectively hide one or more connected PCs. There are inexpensive router appliances that move traffic between the Internet and one or more machines on home networks, which simply hide the IP addresses of PCs so that all outgoing traffic seems to come from the same address. Recently, router manufacturers have been including actual firewalls that block inappropriate inbound and outbound traffic, making these a much better choice. In general, the average user will like the nature of hardware solutions because they operate in the background without generating as many queries and alerts as software firewalls. In addition, the physical installation is easy, but the normal home user won't know how to configure the firewall should the default settings not be strong enough. Remember that even a good firewall cannot protect the user if he does not think before he downloads or does not exercise a proper level of caution. No system is foolproof, but the right combination of hardware, software, and good habits can make your telecommuters' computing environment safer.
10.3 Intrusion Detection We will see what actually happens when your network is invaded or damaged. We develop and deploy hardware and software in such an extremely quick fashion to meet the demand of business and home consumers that we don't always take the time to be sure that these technologies are properly tested and secured. This puts our networks at risk not only from the professional cracker but also from curious or disgruntled employees. Let's first look at intrusion detection and intrusion prevention systems that can help spot a potential intrusion.
10.3.1 Examine intrusion detection systems
One of the best ways to catch an intruder before too much damage is done is through IDSs (intrusion detection systems), which are designed to analyze data, identify attacks, and respond to the intrusion. They're different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity. Intrusion detection systems are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. The two basic types of IDSs are network based and host based. As the names suggest, network-based IDSs look at the information exchanged between machines, and host-based IDSs look at information that originates on the individual machines. Here are some specifics:
• Network-based IDSs monitor the packet flow and try to locate packets that may have gotten through the firewall and are not allowed for one reason or another. These systems have a complete picture of the network segment they are configured to protect. They see entire network packets, including the header information, so they're in a better position to distinguish network-borne attacks than host-based IDS systems are. They are best at detecting DoS (Denial of Service) attacks and unauthorized user access. Figure 4 details a network-based IDS monitoring traffic to the network from the firewall.
Figure 4: Network-based IDS.
• Host-based IDSs (sometimes called HIDSs) monitor communications on a host-by-host basis and monitor traffic coming into a specific host for signatures that might indicate malicious intention. They also monitor logs to find indications that intrusions or intrusion attempts are going on, and some of the HIDSs also monitor system calls and intercept them. These types of IDSs are good at detecting unauthorized file modifications and user activity.
Network-based IDSs try to locate packets not allowed on the network that the firewall missed. Host-based IDSs collect and analyze data that originates on the local machine or a computer hosting a service. Network-based IDSs tend to be more distributed.
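The host-based side of this, as an added example that is not part of the lesson: a small log analyzer that does the two things the text attributes to a HIDS, matching a known-bad signature in host logs and spotting a pattern (repeated failed logins from one source, followed by a success) that no single line reveals. The syslog-style lines, the addresses in them, the one-minute window and the threshold of four failures are all constructed for the demonstration and are not the lesson's own data.

```python
"""Minimal host-based intrusion detection over authentication log lines.
Added example, not the lesson's own code: the log lines, thresholds and the
signature list are constructed for the demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines, in the shape a real auth log might contain.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 50122
2024-03-01T09:00:03 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 50123
2024-03-01T09:00:04 sshd[813]: Failed password for root from 203.0.113.9 port 50124
2024-03-01T09:00:06 sshd[814]: Failed password for root from 203.0.113.9 port 50125
2024-03-01T09:00:07 sshd[815]: Failed password for root from 203.0.113.9 port 50126
2024-03-01T09:00:09 sshd[816]: Accepted password for root from 203.0.113.9 port 50127
2024-03-01T09:15:00 sshd[820]: Failed password for asha from 198.51.100.4 port 40010
2024-03-01T09:40:00 sshd[821]: Accepted publickey for asha from 198.51.100.4 port 40011
2024-03-01T10:02:00 sudo: asha : TTY=pts/0 ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<prog>[a-z]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

# Signature rules: message contents that warrant an alert on their own.
SIGNATURES = {"sensitive-file-read": "/etc/shadow"}


def parse(line):
    """Split one log line into timestamp, program and message; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "prog": m["prog"], "msg": m["msg"]}


def analyze(log_text, threshold=4, window=timedelta(minutes=1)):
    """Return (alert_name, timestamp, detail) tuples in the order they were raised."""
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of recent failed logins
    flagged = set()                # sources already reported for brute force
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        # 1. Signature match: a known-bad string anywhere in the message.
        for name, needle in SIGNATURES.items():
            if needle in ev["msg"]:
                alerts.append((name, ev["ts"], ev["msg"]))
        # 2. Pattern match: too many failed logins from one source inside the window.
        f = FAIL_RE.search(ev["msg"])
        if f:
            recent = [t for t in failures[f["src"]] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[f["src"]] = recent
            if len(recent) >= threshold and f["src"] not in flagged:
                flagged.add(f["src"])
                alerts.append(("brute-force", ev["ts"],
                               f"{len(recent)} failed logins from {f['src']} within {window}"))
        # 3. Correlation: a success from a source that was just brute-forcing is the real alarm.
        a = ACCEPT_RE.search(ev["msg"])
        if a and a["src"] in flagged:
            alerts.append(("success-after-brute-force", ev["ts"],
                           f"{a['user']} logged in from {a['src']}"))
    return alerts


if __name__ == "__main__":
    for name, ts, detail in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {name:28s} {detail}")
```

On the constructed log this raises three alerts: a brute-force alert at the fourth failure from 203.0.113.9, a success-after-brute-force alert when that same source then logs in as root, and a signature alert for the sudo read of /etc/shadow. The single failed login from 198.51.100.4 stays below the threshold and is correctly ignored.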
Host-based and network-based approaches are complementary to each other because they have different strengths and weaknesses. Many successful intrusion detection systems are built using mixes of both, and ultimately, this is what network administrators should consider for their own environments. When an IDS alerts a network administrator of a successful or ongoing attack attempt, it's important to have documented plans for incident response already in place. There are several forms of response, including the following:
• Redirecting or misdirecting an attacker to secured segmented areas, allowing him to assume that he has been successful. This serves two purposes: it prevents access to secured resources and gives you time to trace or track the intruder.
• ICE (Intrusion Countermeasure Equipment) can be used to provide automatic response in the event of intrusion detection. ICE agents have the capability to automatically lock down a network or to increase access security to critical resources in the event of an alert.
• After identification of an attack, forensic analysis of infected systems can detect information about the identity of the attacker. This information may then be used to direct the attention of the proper authorities.
Later, analysis of successful intrusions should be used to harden systems against additional attempts of the same nature. Planning should include access restrictions in addition to making the network less desirable to potential attackers.
10.3.2 Explore intrusion prevention systems
IDSs alert IT system administrators to potential security breaches within the perimeter of a network environment, which is a good start. The problem with them is that they're passive and reactive. They scan for configuration weaknesses and detect attacks after they occur. When an attack occurs, it's reported, and combinations of antivirus and intrusion detection vendors develop a rapid solution to distribute, but by that time, the attack has delivered its payload and paralyzed the network or several networks. In fact, the damage is often already done by the time the IDS alerts you to the attack. Intrusion prevention software differs from traditional intrusion detection products in that it can actually prevent attacks rather than only detecting the occurrence of an attack. IPS architectures serve as the next generation of network security software that is proactive. Host-based IPS will become increasingly popular in the next few years, possibly pushing host-based IDS out of the picture. Intrusion prevention offers considerable advantages:
• It actually secures internal resources from attacks based inside the network by restricting behavior of potentially malicious code, providing a record of the attack, and notifying enterprise security personnel when an attack is repelled.
• It defines appropriate behaviors and then enforces those behaviors on every end-user desktop and network server across an enterprise. By looking at system and application behavior and defining which actions are legitimate and which are suspect, an IPS can stop an errant system action when it attempts to do something that is not in the realm of expected behavior.
• Rules can be configured to control which type of actions applications can perform on files and system resources. As an intelligent agent, these run by intercepting system actions, checking rules, and then allowing or denying the action in question based on those rules.
• Statistical logging data can be used to generate reports that indicate overall network health. IT staff can monitor how current rule sets are working and adjust them, if necessary.
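The rule-driven mechanism the last two points describe, as an added example that is not part of the lesson: an agent intercepts an action (which application, what it wants to do, to which resource), checks it against an ordered rule list, allows or denies it, and keeps per-application counts for reporting. The policy below is constructed for a hypothetical database server host; the process names, paths and port are assumptions for the demonstration. Anything no rule matches is denied, which is what "defining which actions are legitimate" amounts to in practice.

```python
"""Host-based intrusion prevention in miniature: intercept an action, check it
against rules, allow or deny, and keep statistics for reporting. Added example,
not the lesson's own code; the applications, paths and rules are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Rule:
    app: str        # process name pattern (glob)
    action: str     # read, write, exec or connect
    resource: str   # glob over a file path or host:port
    decision: str   # "allow" or "deny"


@dataclass
class HostIPS:
    rules: list
    stats: Counter = field(default_factory=Counter)
    log: list = field(default_factory=list)

    def check(self, app, action, resource):
        """First matching rule wins; anything unmatched is denied (default-deny)."""
        for r in self.rules:
            if fnmatch(app, r.app) and r.action == action and fnmatch(resource, r.resource):
                decision = r.decision
                break
        else:
            decision = "deny"
        self.stats[(app, decision)] += 1
        if decision == "deny":
            self.log.append(f"DENY {app} {action} {resource}")
        return decision == "allow"

    def report(self):
        """Per-application (allowed, denied) counts, the raw material for a health report."""
        apps = {a for a, _ in self.stats}
        return {a: (self.stats[(a, "allow")], self.stats[(a, "deny")]) for a in apps}


# Constructed policy for a hypothetical database server host.
POLICY = [
    Rule("postgres", "read",    "/var/lib/pgsql/*", "allow"),
    Rule("postgres", "write",   "/var/lib/pgsql/*", "allow"),
    Rule("postgres", "connect", "*:5432",           "allow"),
    Rule("*",        "read",    "/etc/shadow",      "deny"),    # explicit deny, any app
    Rule("backup",   "read",    "/var/lib/pgsql/*", "allow"),
    Rule("backup",   "write",   "/backup/*",        "allow"),
    Rule("*",        "exec",    "/usr/bin/*",       "allow"),
]


def demo():
    """Run a constructed sequence of intercepted actions through the policy."""
    ips = HostIPS(POLICY)
    results = [
        ips.check("postgres", "write",   "/var/lib/pgsql/data/base/1"),  # expected behaviour
        ips.check("backup",   "read",    "/var/lib/pgsql/data/base/1"),  # expected behaviour
        ips.check("postgres", "exec",    "/bin/sh"),                     # database spawning a shell
        ips.check("postgres", "connect", "203.0.113.9:4444"),            # outbound to unknown host
        ips.check("backup",   "read",    "/etc/shadow"),                 # hits the explicit deny
    ]
    return results, ips.report(), ips.log


if __name__ == "__main__":
    results, report, log = demo()
    print("decisions:", results)
    print("report   :", report)
    print("\n".join(log))
```

The first two actions are what the database and its backup job normally do and pass; the shell launch, the outbound connection to an unfamiliar host and the read of the password file are blocked, and each denial lands in the log the security staff would review. Rule order matters: the explicit deny for /etc/shadow sits before any broad allow so that a later wildcard rule cannot override it.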
For an intruder, the real value of your network lies in key machines such as database servers and the information they contain. An intruder won't celebrate breaking through your firewall if all it gets him is access to a couple of printers. The idea of intrusion prevention is to ensure exactly that. By allowing only certain behaviors on critical hosts, the technology leaves an intruder with little freedom to do anything malicious. If you have a personal firewall such as Norton Personal Firewall or ZoneAlarm, you may have already seen intrusion prevention in its simplest form. Recall from the above that this type of software relies on rules and scanning to spot inappropriate activity. It uses predefined attack signatures, and it also learns what behaviors you'll allow every time you click yes or no when an application wants to do something.
WARNING Sometimes the data that is collected by these systems is overwhelming. When you start trying to do something with the intrusion detection data, you realize the magnitude of deciphering or reading the data is well beyond the resources and time you want to put in to make it effective. Often, incidents happen even though you have firewalls and intrusion detection. So, you've got ten thousand alarms going off; five of them are probably valid, two of them you really need to do something about, but you don't have the time or the resources to find what those five are and what the two really are. You end up doing nothing because you don't know how to respond. Please do not let this happen. Make the time and resources to use these tools effectively.
Preventing actual damage to your company's business functionality is critical to protecting today's open networks. Intrusion prevention technology serves as a strategy for those who desire proactive and preventive security measures in the face of attacks. No incident response solution is complete without a proper plan, so let's tackle that next.
10.3.3 Plan your incident response
Incident response refers to the actions an organization should take when it detects an attack, whether ongoing or after the fact. It's similar in concept to a DRP (disaster recovery plan) for responding to disasters. Incident response plans are needed so that you can intelligently react to an intrusion. More importantly, there's the issue of legal liability. You're potentially liable for damages caused by a cracker using your machine. You must be able to prove to a court that you took reasonable measures to defend yourself from crackers. Having an incident response plan definitely helps in this area. Unplanned application and operating system outages have become commonplace. When an incident occurs, the last thing you should do is panic, which, of course, is exactly what happens if there is no plan in place or you have no idea where it is. Don't overlook the effect an incident has on employees. The interruption to the workplace not only causes confusion but also disrupts their schedules. Proper planning should be beneficial to customers as well as employees. The components of an Incident Response Plan should include preparation, roles, rules, and procedures.
10.3.3.1 Prepare
Although the preparation requirements may be different for each office, some of the basics should include:
• A war room where the response team can assemble and strategize.
• A response team that will handle all facets of the incident.
• Contact information for the response team, vendors, and third-party providers.
• Change-control policies, which are useful especially when an application or operating system needs to be rolled back.
• A software listing of the operating systems and applications being used, so the scope of the incident can be properly assessed.
• Monitoring tools to determine the health of the machines.
10.3.3.2 Assign roles
The incident response team is responsible for containing the damage and getting the systems back up and running properly. These steps include determination of the incident, formal notification to the appropriate departments, and recovering essential network resources. With this in mind, the team should comprise the following personnel:
• Technical operations: Security and IT personnel
• Internal communications support: Someone to handle management, employees, and food for the response team (Yes, food is an important part of the response process!)
• External communications support: Vendor, business partner, and press handling
• Applications development: Developers of in-house applications and interfaces
• Data Center operations: Database managers
10.3.3.3 Create rules
Some basic rules should apply to the response team, which could include the following:
• The entire team is responsible for the success of the incident handling.
• No one on the team is allowed to leave until the incident is handled.
• Everyone works from the war room. This is the central command post, and investigation takes place here.
Lastly, procedures need to be put into place. Let's discuss those procedures now.
10.3.4 Plan the procedures
Incidents happen from time to time in most organizations, no matter how strict security policies and procedures are. It's important to realize that proper incident handling is just as vital as the planning stage, and its presence may make the difference between being able to recover quickly, and ruining business and customer relations. Customers need to see that the company has enough expertise to deal with the problem. Larger organizations should have an Incident Response Team. In the previous section, we discussed the department members that should be assigned this task. Realize that this team is not a full-time assignment; it's just a group of people who have obligations to act in a responsible manner in case of an incident. The basic premise of incident handling and response is that the company needs to have a clear action plan on what procedures should take place when an incident happens. These procedures should include:
• Conducting initial assessment: Identify the initially infected resources by getting some preliminary information as to what kind of attack you are dealing with and what potential damage exists.
• Initial communication: Notify key personnel, such as the security department and the response team.
• Assemble the response team: Converge in the war room for duty assignment. Decide who will be the lead for the incident.
• Initial containment of the incident: Diagnose the problem and identify potential solutions. Set priorities and follow them closely. The incident response team has to be clear about what to do, especially if the potential damage is high.
• Intrusion evaluation: Escalate the problem to additional teams if necessary. The key is to understand what actually happened and how severe the attack was.
• Collect forensic evidence: Gather all of the information learned about the incident up to this moment and store it in a secure location on secure media, in case it's needed for potential legal action.
• Communicate the incident in public: Public communications may be subdivided into several categories:
  • Law enforcement: An incident of large proportion or repetitive pattern should be relayed to municipal, provincial, or federal authorities.
  • Other companies: The incident may be reported to IT security companies for help, or to other companies as notification.
  • Customers: Customers should be notified as soon as there is something to be said.
  • News media: If the company is large enough, and the event is worthy of a news story, expect to be contacted by the media. There needs to be one person authorized to speak to the media. Incident handling personnel must be aware of this and direct all media queries to the appropriate team member.
• Restore service: Implement and test a solution. If it was an unknown attack, or an attack that is known to have ill effects on the system, it may be in the best interests of the company to completely reinstall the system.
• Monitor: Be sure that recovery was successful.
• Prepare an incident report: Determine and document the incident cause and solution. This report is an internal document that puts everything in perspective, from the minute the incident was noticed until the minute the service was restored.
• Calculate damage: The ultimate dollar figure should look beyond actual and obvious losses associated with service outages and business interruptions to include all costs resulting from the incident, such as legal fees, loss of proprietary information, system downtime costs, labor costs, hardware/software costs, consulting fees, bad reputation, and publicity.
• Summary and updates: Gather the entire security response team for a meeting and review the process and timelines in detail, making any modifications that are necessary to the plan.
• Periodic analysis: Check that the modifications made are appropriate.
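The "collect forensic evidence" step above asks that what is gathered be kept in a form that will hold up if legal action follows. The following is an added example, not part of the lesson, of the minimum a practitioner does for that: hash every collected file, record the hashes together with who collected them and when, and verify the set later so that any alteration is detectable. The evidence files, the collector name and the incident identifier are constructed placeholders created in a temporary directory.

```python
"""Evidence integrity manifest for the 'collect forensic evidence' step: hash
each collected file, record the hashes with collector and time, and verify later
that nothing changed. Added example, not the lesson's own code; the evidence
files, collector and incident id are constructed placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large images and dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector, incident_id):
    """Record name, size and hash of every item plus who collected it and when (UTC)."""
    return {
        "incident": incident_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": os.path.basename(p), "size": os.path.getsize(p), "sha256": hash_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest, directory):
    """Return the names of items that are missing or whose hash no longer matches."""
    changed = []
    for item in manifest["items"]:
        p = os.path.join(directory, item["path"])
        if not os.path.exists(p) or hash_file(p) != item["sha256"]:
            changed.append(item["path"])
    return changed


def demo():
    """Collect two constructed evidence files, verify them, then show tampering is caught."""
    with tempfile.TemporaryDirectory() as d:
        files = {"auth.log": b"constructed log line 1\nconstructed log line 2\n",
                 "memory.dmp": os.urandom(4096)}
        paths = []
        for name, content in files.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            paths.append(p)
        manifest = build_manifest(paths, "asha (response team)", "INC-PLACEHOLDER-0001")
        # Hash of the manifest itself; this is the value to write down or sign separately,
        # since the manifest is only as trustworthy as its own integrity.
        manifest_sha = sha256_hex(json.dumps(manifest, sort_keys=True).encode())
        clean = verify_manifest(manifest, d)
        with open(paths[0], "ab") as f:        # simulate a later, unrecorded modification
            f.write(b"tampered\n")
        tampered = verify_manifest(manifest, d)
        return clean, tampered, manifest_sha


if __name__ == "__main__":
    clean, tampered, msha = demo()
    print("changed before tampering:", clean)
    print("changed after tampering :", tampered)
    print("manifest sha256         :", msha)
```

Storing the manifest on separate media from the evidence, and keeping its own hash with the chain-of-custody notes, is what lets a later reader check that the copy examined is the copy collected.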
This is a brief model and by no means is a complete plan. Every company must evaluate its needs and plan accordingly. Once a plan is formulated, it must be tested, which brings us to the last part of this lesson.
10.3.5 Test the plan
You formulate a plan, put it on a shelf, and when an incident happens, you realize there are huge flaws in the plan. You forgot something, or the person that you picked to do internal communications support did an extremely poor job of handling his responsibilities and left even though the rules for the team stated otherwise. The security response team lead needs to be sure that every person onboard did the best they could and performed the most appropriate action given the circumstances. This person also needs to look at the situation to see if the overall strategy of the department is useful or where it needs changing or fixing. The only way to do this before an actual incident is to test the plan ahead of time. The approach taken to test the plan depends on the strategies selected by the company. Many times tests are conducted by what are called Tiger Teams. This can be an outside group of consultants. The tests are often conducted without notification to the departments involved in order to see how well the plan functions. The following are key components of a testing plan:
• Define the test purpose and approach: Specify the incident that is to be tested. How a virus infection is handled will be different from how to handle a Denial of Service attack or a Web server defacement.
• Identify the test team: Specify whether employees or outside consultants will conduct the test. No response team members should be on the test team because they will be responsible for handling the incident.
• Structure the test: Plan exactly what you want to accomplish and set up the equipment in a testing environment.
• Conduct the test: To be most effective, this should be done without prior notification to the departments involved, because that is how incidents happen.
• Analyze test results: Evaluate how well or poorly everyone responded and how easily the incident was resolved.
• Modify the plan: After a dry run, there are usually some modifications. Be sure they are implemented.
Chapter 11
Firewall
Contents
• Various Generations of Firewalls
• FAQ
Objectives
After completion of this module you will be able to know:
• The different Generations of Firewalls
• Why firewall is needed?
• Answers for FAQ
Firewall In its most basic terms, a firewall is a system designed to control access between two networks. There are many different kinds of firewalls—packet filters, application gateways, or proxy servers. These firewalls can be delivered in the form of software that runs on an operating system, like Windows or Linux. Or, these firewalls could be dedicated hardware devices that were designed solely as firewalls.
11.1 Understand the evolution of firewalls Learn how firewalls have progressed from simple packet filtering to more sophisticated application-level filtering. Webopedia.com defines a firewall as “a system designed to prevent unauthorized access to or from a private network.” Although technically accurate, this definition tells us only what a firewall does and doesn’t address the more important question of how it does it. For administrators who are continually focused on keeping their networks secure, it is helpful to take a closer look at the way firewalls function and how they have evolved in recent years to better protect our corporate networks.
11.1.1 First-generation firewalls: Packet filtering
11.1.1.1 Static packet filters
One of the simplest and least expensive forms of firewall protection is known as static packet filtering. With static packet filtering, each packet entering or leaving the network is checked and either passed or rejected depending on a set of user-defined rules. Dealing with each individual packet, the firewall applies its rule set to determine which packet to allow or disallow. You can compare this type of security to the gatekeeper at a club who allows people over 21 to enter and turns back those who do not meet the age requirement. The static packet filtering firewall examines each packet based on the following criteria:
• Source IP address
• Destination IP address
• TCP/UDP source port
• TCP/UDP destination port
For example, to allow e-mail to and from an SMTP server, a rule would be inserted into the firewall that allowed all network traffic with a TCP source and destination port of 25 (SMTP) and the IP address of the mail server as either the source or destination IP address. If this were the only filter applied, all non-SMTP network traffic originating outside of the firewall with a destination IP address of the mail server would be blocked by the firewall.
Many people have asked the question, “Is a router with an access list a firewall?” The answer is yes, a packet filter firewall can essentially be a router with packet filtering capabilities. (Almost all routers can do this.) Packet filters are an attractive option where your budget is limited and where security requirements are deemed rather low. But there are drawbacks. Basic packet filtering firewalls are susceptible to IP spoofing, where an intruder tries to gain unauthorized access to computers by sending messages to a computer with an IP address indicating that the message is coming from a trusted host. Information security experts believe that packet filtering firewalls offer the least security because they allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited. Another shortcoming is that this form of firewall rarely provides sufficient logging or reporting capabilities.
11.1.1.2 Stateful packet inspection
Within the same generation of static packet filtering firewalls are firewalls known as stateful packet inspection firewalls. This approach examines the contents of packets rather than just filtering them; that is, it considers their contents as well as their addresses. You can compare this to the security screener at an airport. A ticket validates that you must be traveling from your source to your destination; however, your carry-on contents must be checked to get to your final destination. These firewalls are called stateful because they can permit outgoing sessions while denying incoming sessions. They take into account the state of the connections they handle so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
By using something known as session or intelligent filtering, most stateful inspection firewalls can effectively track information about the beginning and end of network sessions to dynamically control filtering decisions. The filter uses smart rules, thus enhancing the filtering process and controlling the network session rather than controlling the individual packets. Basic routers typically do not perform stateful packet inspections unless they have a special module. A dedicated firewall device or server (with software) is usually required when the level of security demands stateful inspection of data in and out of a network. Although stateful packet inspection offers improved security and better logging of activities over static packet filters, it has its drawbacks as well. Setting up stateful packet examination rules is more complicated and, like static packet filtering, the approach allows a direct connection between endpoints through the firewall.
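To make the difference between the two approaches in this section concrete, here is an added toy model (not from the original text): a static filter that judges every packet alone against the four criteria, with the SMTP rule from the example above, and a stateful filter that remembers outbound sessions and rejects an inbound packet posing as a reply to a request nobody made. All addresses, ports and rules are constructed.

```python
"""Toy model of the two first-generation approaches: a static packet filter that
judges each packet alone against the four criteria, and a stateful filter that
remembers outbound sessions. All addresses, ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False     # TCP SYN: asks to open a new session
    ack: bool = False     # TCP ACK: claims to belong to an existing session


@dataclass(frozen=True)
class Rule:
    """One static rule over the four criteria; a None field matches anything."""
    action: str           # "allow" or "deny"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src_ip, p.src_ip), (self.dst_ip, p.dst_ip), (self.proto, p.proto),
                 (self.src_port, p.src_port), (self.dst_port, p.dst_port))
        return all(want is None or want == got for want, got in pairs)


def static_filter(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins. There is no memory of earlier packets."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Permits outgoing sessions and remembers them; an inbound packet is admitted
    only as the reply to a remembered session or through an explicit inbound rule."""

    def __init__(self, inbound_rules: List[Rule], inside_net: str):
        self.inbound_rules = inbound_rules
        self.inside = ip_network(inside_net)
        # Session key: (inside ip, inside port, outside ip, outside port)
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def process(self, p: Packet) -> str:
        if ip_address(p.src_ip) in self.inside:            # outbound packet
            if p.proto == "tcp" and p.syn:                   # beginning of a session
                self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key in self.sessions:                             # genuine reply
            return "allow"
        # Not a reply we asked for. A packet posing as a response (ACK set, no SYN)
        # to a request nobody made ends here; only a fresh, explicitly allowed
        # connection request gets through, and it is then tracked as a session.
        if p.proto == "tcp" and p.syn and static_filter(self.inbound_rules, p) == "allow":
            self.sessions.add(key)
            return "allow"
        return "deny"


INSIDE_NET = "192.168.1.0/24"   # constructed private network behind the firewall
MAIL_SERVER = "192.168.1.25"    # constructed address of the SMTP server
# The SMTP rule from the text, modelled as TCP port 25 on the mail server's side.
SMTP_RULES = [Rule("allow", dst_ip=MAIL_SERVER, proto="tcp", dst_port=25),
              Rule("allow", src_ip=MAIL_SERVER, proto="tcp", src_port=25)]
# A static filter cannot tell a reply from a forgery, so to let web replies back in
# it needs a blanket rule like the last one; that blanket rule is the opening the
# text describes under IP spoofing.
STATIC_RULES = SMTP_RULES + [Rule("allow", proto="tcp", src_port=80)]


def demo() -> Dict[str, Tuple[str, str]]:
    """Same inbound packets through both filters; returns label -> (static, stateful)."""
    fw = StatefulFirewall(SMTP_RULES, INSIDE_NET)
    client, web, spoofer, outsider = "192.168.1.10", "198.51.100.80", "198.51.100.99", "203.0.113.7"
    # An inside client opens a web session; only the stateful firewall remembers it.
    fw.process(Packet(client, web, "tcp", 51000, 80, syn=True))
    inbound = {
        "genuine web reply": Packet(web, client, "tcp", 80, 51000, ack=True),
        "forged reply, no such request": Packet(spoofer, client, "tcp", 80, 51001, ack=True),
        "smtp to mail server": Packet(outsider, MAIL_SERVER, "tcp", 40000, 25, syn=True),
        "ssh to mail server": Packet(outsider, MAIL_SERVER, "tcp", 40001, 22, syn=True),
    }
    return {label: (static_filter(STATIC_RULES, p), fw.process(p))
            for label, p in inbound.items()}


if __name__ == "__main__":
    for label, (static, stateful) in demo().items():
        print(f"{label:30s} static={static:5s} stateful={stateful}")
```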
11.1.2 Second-generation firewalls: Proxy services
The next generation of firewalls attempted to increase the level of security between trusted and untrusted networks. Known as application proxy or gateway firewalls, this approach to protection is significantly different from packet filters and stateful packet inspection. An application gateway firewall uses software to intercept connections for each Internet protocol and to perform security inspection. It involves what is commonly known as proxy services. The proxy acts as an interface between the user on the internal trusted network and the Internet. Each computer communicates with the other by passing all network traffic through the proxy program. The proxy program evaluates data sent from the client and decides which to pass on and which to drop. Communications between the client and server occur as though the proxy weren't there, with the proxy acting like the client when talking with the server, and like the server when talking with the client. This is analogous to a language translator who is the one actually directing and sending the communication on behalf of the individuals. Many information security experts believe proxy firewalls offer the highest degree of security because the firewall does not let endpoints communicate directly with one another. Thus, a vulnerability in a protocol that could slip by a packet filter or stateful packet inspection firewall could be caught by the proxy program. In addition, the proxy firewall can offer the best logging and reporting of activities. Of course, this security solution is far from perfect. For one thing, to utilize the proxy firewall, a protocol must have a proxy associated with it. Failure to have a proxy may prevent a protocol from being handled correctly by the firewall, and its traffic may be dropped. Also, there is usually a performance penalty for using such a firewall due to the additional processing for application-level protocols.
11.1.3 Firewalls evolved: The third generation
The newest generation of firewalls may be defined as state-of-the-art perimeter security integrated within major network components. These systems alert administrators in real time about suspicious activity that may be occurring on their systems. Although it's a lot to swallow, this new generation of firewall has evolved to meet the major requirements demanded by corporate networks of increased security while minimizing the impact on network performance. The requirements of the third generation of firewalls will be even more demanding due to the growing support for VPNs, wireless communication, and enhanced virus protection. The most difficult element of this evolution is maintaining the firewall's simplicity (and hence its maintainability and security) without compromising flexibility. The most recent category of firewalls attempting to meet this demand performs what has been termed stateful multilevel inspection, or SMLI. SMLI firewalls eliminate the redundancy and CPU-intensive nature of proxy firewalls. SMLI's unique approach screens the entire packet, OSI layers 2 through 7, and rapidly compares each packet to known bit patterns of friendly packets before deciding whether to pass the traffic. Coupled with or integrated into an intrusion-detection system (IDS), SMLI offers the first glimpse of this new definition of a firewall. Among the products that use this new technology are Check Point’s FireWall-1, Elron Software’s Internet Manager, and SonicWall’s line of access security products.
11.2 Frequently Asked Questions

Why would you want a firewall?
Firewalls will protect your network from unwanted traffic. Many times, the unwanted traffic is harmful traffic from hackers trying to exploit your network. You want a firewall to protect your network, just as you want locks on your doors and windows at home.

Is a proxy server a firewall?
A proxy server is a form of firewall. In legal terms, a proxy is someone who goes and performs some action on your behalf. A proxy server performs network transactions on your behalf. The most common use for this is a Web-proxy server. A Web-proxy will take requests from users’ Web browsers, get the Web pages from the Internet, and return them to the user’s browser. Many times, a proxy server also performs authentication to see who is requesting the Web pages and also logs the pages that are requested and the user they are from.

What is NAT?
NAT is Network Address Translation. NAT is usually used to translate from real/global/public Internet addresses to inside/local/private addresses. These private addresses are usually IP addresses in 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. NAT provides some security for your network, as you do not have a real Internet IP address and your network usually cannot be accessed from the Internet without some outbound connection first being created from your private/inside network. However, you still need a firewall to protect your network, as NAT only hides your network but doesn’t really stop any packets from entering it.

Do firewalls stop Viruses, Trojans, Adware, and Spyware?
No, in general, firewalls do not stop Viruses, Trojans, Adware, or Spyware. Firewalls usually only protect your network from inbound traffic from an outside (Internet) network. You still need antivirus, anti-adware and anti-spyware software to protect your system when it does go out on the Internet.

How do I know that my firewall is really protecting my network?
Just like any security system, a firewall should periodically be tested. To test a firewall, you could have a professional security-consulting company do a security vulnerability scan. However, this is usually something you can do yourself. To do this, you could use a port scanner or a more advanced tool like a vulnerability assessment tool (such as Retina, Saint, or ISS).

What are the different types of firewalls?
The different types of firewalls are:
• Packet filter – A packet filter looks at each packet entering the network and, based on its policies, permits or denies these packets. A Cisco IOS Access Control List (ACL) is a basic firewall that works in this way.
• Stateful packet filter – A stateful packet filter also has rules; however, it keeps track of the TCP connection state so it is able to monitor the “conversations” as they happen on the network. It knows the normal flow of the conversations and knows when the conversations are over. Thus, it is able to permit and deny packets entering the network more intelligently. Because of this, a stateful packet filter (stateful firewall) is much more secure than a regular packet filter.
• Application gateway – An application gateway is a system that works for certain applications only. It knows the “language” that that application/protocol uses and it monitors all communications. An example would be an SMTP gateway.
• Proxy Server – A proxy server performs network transactions on your behalf. The most common use for this is a Web-proxy server. A Web-proxy will take requests from users’ Web browsers, get the Web pages from the Internet, and return them to the user’s browser.

What do VPNs have to do with firewalls?
Virtual Private Networks (VPNs) are used to encrypt traffic from a private network and send it over a public network. Typically, this is used to protect sensitive traffic as it goes over the Internet. Many times, you will have a VPN encryption device combined with a firewall, as the private network traffic that is being encrypted also needs to be protected from hackers on the public network.

If I have a firewall, do I have a DMZ?
No, you do not necessarily have a DMZ (Demilitarized Zone) if you have a firewall. A DMZ is a network that is semi-protected (not on the public network but also not on the fully-protected private network). Many hardware firewalls create a DMZ for public mail servers and Web servers. Most small networks or homes do not have DMZ networks. Most medium-to-large corporate networks would have a DMZ.

What are IDS and IPS? Also, what do they have to do with firewalls?
An Intrusion Detection System (IDS) monitors for harmful traffic and alerts you when it enters your network. This is much like a burglar alarm. An Intrusion Prevention System (IPS) goes farther and prevents the harmful traffic from entering your network. IDS/IPS systems recognize more than just Layer 3 or Layer 4 traffic. They fully understand how hackers use traffic to exploit networks and detect or prevent that harmful traffic on your network. Today, many IDS/IPS systems are integrated with firewalls and routers.

What is a DoS attack and will a firewall protect me from it?
A Denial of Service (DoS) attack is something that renders servers, routers, or networks incapable of responding to network requests in a timely manner. Firewalls can protect your network and its servers from being barraged by DoS traffic and allow them to respond to legitimate requests, thus allowing your company to continue its business over the network.

How do you configure, monitor, and control a firewall?
As there are many different types of firewalls, there are also many different types of firewall interfaces. You could have a command line interface (CLI), a Web-based interface, or some other proprietary program that is used to configure the firewall. For example, with Cisco PIX firewalls, you can configure them with the CLI interface (called PIX OS), or the PIX Device Manager (PDM), a Java-based interface that works with a Web browser.

How do I know what firewall I should use?
The size of the firewall you choose is usually based on the volume of traffic your network links receive or the bandwidth of your network links. You also must take into consideration other things for which you might be using the firewall, such as VPN, IDS, and logging.

What are some new features to look for in firewalls?
Firewalls today offer more and more built-in features. Some of them are: intrusion prevention, hardware-based acceleration, and greater recognition of applications (moving up the OSI model towards layer 7).

How can I configure an inexpensive firewall?
There are a wide variety of firewalls available today. Perhaps the most basic firewall is the personal PC firewall, such as that built into Windows XP. Next come more advanced PC software firewalls, like ZoneAlarm Pro or BlackICE. There are midrange firewall solutions like Microsoft ISA or hardware firewalls. Next on the scale are large Cisco PIX or Checkpoint firewalls used for large businesses or Internet Service Providers.
Chapter 12
Overview of NIB I and Types of ISP Nodes
Contents
• What is NIB?
• Classification of NIB Nodes
• Three Tier Architecture of NIB I
• Components of NIB
• Connectivity Architecture
• Firewall Architecture
• Inter-Connectivity among nodes
• Bandwidth among nodes
Objectives
After completion of this module you will be able to know:
• The architecture of NIB I
• About NIB II in future
• How to maintain the NIB I nodes
12.1 Introduction
An Internet Service Provider (ISP) is a company that provides access to the Internet. Any Internet Service Provider will have several ISP nodes as Points of Presence (POP) at various locations across the country. BSNL is also an Internet service provider, providing Internet service throughout the entire country except in New Delhi and Mumbai, under the brand name "Sanchar net". Sancharnet provides free all-India roaming and enables its users to access their accounts, using the same access code (172233) and user ID, from anywhere in the country. The types of Internet access given by ISPs are:
1. Dial-up Connection
2. ISDN Connection
3. Leased Line Connection
4. DIAS Connection
5. Broadband
12.2 What is NIB?
NIB stands for National Internet Backbone of BSNL, which comprises 436 ISP Nodes in India networked in a definite fashion. The NIB Nodes are classified as A1, A2, B, C1, C2 & C3 on the basis of:
• Functions to be carried out
• International Connectivity
• No. of PSTN Subscribers
• Routing (Internal & External)
• Equipment Deployment
• Trained Manpower Availability
• Cost
It follows a Three Tier architecture for locating these nodes:
First Tier – Metros and Major Cities – Type ‘A’ Nodes (A1 and A2)
Second Tier – Medium Towns – Type ‘B’ Nodes
Third Tier – District Head Quarters and Small Towns – Type ‘C’ Nodes (C1, C2 and C3)
12.3 Basic essential Components of all NIB Nodes
Basically any ISP node will essentially have the following three equipments:
1. Remote Access Server
2. Router
3. Switch
12.3.1 Remote Access Server
A RAS is equipment that is dedicated to handling users that are not on a LAN but need remote access to it. The remote access server of NIB allows users to gain access to Internet services from a remote location. For example, a user who dials into a network from home using an analog modem, an ISDN connection or a leased line will access a remote access server of the ISP Node. Once the user is authenticated he will get access to all Internet services.
12.3.2 Router
A router is a device that forwards data packets along networks. Routers are one of the vital pieces of equipment of an ISP. Basically a router is used for connecting at least two networks, commonly two LANs or WANs or a LAN and its ISP’s network. In the case of ISP nodes, any ISP node is connected to another ISP Node at a remote location; hence this is a WAN, and routers are used for routing the packets. Routers use headers and forwarding tables to determine the best path for forwarding the packets, and they use protocols such as ICMP to communicate with each other and configure the best route between any two hosts.
12.3.3 Switch
A switch is an inter-connecting component. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol. In the ISP node, the switch is used to interconnect the RAS, Router, Help Desk PC etc. Connectivity among the above three components of an ISP node is as shown in the figure.
12.4 Additional Components available in specified node types only
International gateways: In all A1 nodes. An International Gateway is connectivity to the ISP of another country, to route the packets intended for any host outside our country.
www server: 1 each at A nodes (A1 and A2). This is a web server to host web sites.
Radius server: New Delhi=1, Bombay=1, Bangalore=1. Short for Remote Authentication Dial-In User Service, an authentication, authorization and accounting system used by Internet Service Providers (ISPs). When the Customer dials in to the ISP he enters a username and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system.
DNS: At New Delhi=1 and at Bangalore=1. Short for Domain Name System (or Service or Server), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet, however, is really based on IP addresses. Every time a domain name is used, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.105.232.4 using the DNS.
Mail Server: New Delhi. Used for giving email services to our NIB customers.
Firewall Server: All A1 Nodes (A1 and A2). A firewall is the first line of defense in protecting the NIB network.
NMS Server: All A1 Nodes. The Network Monitoring System at all A1 nodes will monitor all the nodes connected to them. They will manage the nodes, ports, links and devices.
Proxy Server: This is used for caching the pages visited by customers to avoid unnecessary bandwidth occupation on the international gateway.
Connectivity architecture of all the components is as shown in the figure.
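The RAS-to-RADIUS exchange described above, written out as an added example (not from the text and not BSNL's code): the RAS hides the dial-in password under the shared secret as RFC 2865 specifies, the RADIUS server recovers and checks it and answers Accept or Reject, and the RAS verifies the Response Authenticator before trusting the answer. The user, password, shared secret and NAS address are constructed.

```python
"""RADIUS Access-Request / Access-Accept between a RAS (the NAS) and a RADIUS server,
encoded per RFC 2865. The shared secret, user database and NAS address are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4          # attribute types
HEADER = struct.Struct("!BBH")                               # code, identifier, length


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks and XOR each with MD5(secret + previous
    ciphertext block), the first block using the Request Authenticator. This is keyed
    obfuscation under the shared secret, not strong encryption; the secret is everything."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], _md5(secret, prev))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is removed."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _md5(secret, prev))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    # Each attribute is Type(1) Length(1, counting these two octets) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + ln]
        i += ln
    return attrs


def access_request(username: bytes, password: bytes, secret: bytes, ident: int,
                   req_auth: Optional[bytes] = None) -> bytes:
    """What the RAS sends once the customer has dialled in and entered credentials."""
    req_auth = req_auth or os.urandom(16)                    # 16 fresh random octets
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, req_auth)),
                          (NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))])   # constructed NAS
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def radius_server(packet: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Recover and check the password, then answer Accept or Reject. The Response
    Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret) ties the reply
    to this request and to the shared secret (RFC 2865 section 3)."""
    code, ident, length = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    user = attrs.get(USER_NAME)
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], pw)
    header = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + _md5(header, req_auth, b"", secret)     # no reply attributes here


def verify_response(response: bytes, request: bytes, secret: bytes) -> Optional[int]:
    """RAS side: trust the reply only if its authenticator matches; else None."""
    code, ident, length = HEADER.unpack_from(response)
    if ident != request[1] or length != len(response) or length < 20:
        return None
    expected = _md5(response[:4], request[4:20], response[20:length], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def demo(secret: bytes = b"constructed-shared-secret") -> Tuple[Optional[int], Optional[int]]:
    """Right and wrong password for one constructed user; returns the two reply codes."""
    users = {b"alice": b"dialup-pw"}
    good = access_request(b"alice", b"dialup-pw", secret, ident=7)
    bad = access_request(b"alice", b"wrong-pw", secret, ident=8)
    return (verify_response(radius_server(good, secret, users), good, secret),
            verify_response(radius_server(bad, secret, users), bad, secret))
```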
12.5 Firewall Architecture
A firewall is equipment used to protect the internal network from outside entrants. The firewall architecture divides the network into the following three separate zones (sub-networks):
Secure Zone - This shall be a highly protected zone. Only authorised and authenticated personnel shall be permitted beyond this zone. DNS, NMS etc. servers shall be in this zone.
Demilitarised Zone - This shall be a semi-protected zone. Only users who have been checked and authenticated shall gain access to this zone. Application servers like Proxy, Radius and Email Server shall be in this zone.
Open Zone - These are open zones containing Remote Access Servers, Routers and WWW servers.
12.6 Inter connectivity among various types of Nodes
Normally the C nodes are connected to B nodes and the B nodes are connected to A nodes. But if a C node is nearer to an A node than to a B node, then the C node will be connected to the A node.
[Figure: Illustration of Connectivity Diagram for NIB I locations, showing Type A I locations (with Internet Gateway), Type A II locations (without Internet Gateway), Type B locations and Type C I / C II / C III Internet locations.]
Please see the diagram above for the connectivity architecture of NIB I nodes. As far as A1 nodes are concerned, they are mesh connected, i.e. each A1 node is connected to every other A1 node.
12.7 Bandwidth between nodes
The bandwidth among nodes is as shown in the figure. However, based on traffic reports and the bandwidth occupation, bandwidth between nodes will be increased as and when requirement arises.
Chapter 13
Overview of NIB II Project
Contents
• What is NIB II?
• Various Projects in it
• Connectivity Architecture of Project 1, 2.1 and 2.3
• Components of NIB II
• Services in EMS
Objectives
After completion of this module you will be able to know:
• The architecture of NIB II
• The implementation Strategies of NIB II
13.1 A brief on NIB-I infrastructure
BSNL’s NIB-I is a TCP/IP based network consisting of about 436 nodes covering most of the district headquarters. The network comprises a three-tier architecture with 14 A-level nodes, 31 B-level nodes and the rest C-level nodes. Among the 14 A-nodes, six of them are interconnected in near full mesh with link bandwidth of 34 Mbps. These are referred to as A-1 cities. The remaining A-type cities are referred to as A-2 nodes and are dual homed to the A-1 nodes with link bandwidths of 34 Mbps. All A-1 cities and Ernakulam (C type) have an International Gateway. The 31 B-level cities are connected to the 14 A-level nodes in a hierarchical manner with link bandwidths of 4 Mbps. The C-nodes are connected to the B-nodes with link bandwidths of 2 Mbps.
13.2 Introduction to NIB II
The National Internet Backbone (NIB-II) envisages four Projects, namely:
Project 1: MPLS based IP Infrastructure in 71 cities
Project 2.1: Access Gateway Platform Narrowband
Project 2.2: Access Gateway Platform Broadband
Project 3: Services Platform consisting of Messaging, Provisioning, Billing, Customer Care and Enterprise Management System
13.3 Services in NIB-II
a) Internet Access
   i) Dialup access services / Leased Access Services
   ii) Digital Subscriber Line (DSL) access services: Broadband “always-on Internet” access over copper cables
   iii) Direct Ethernet access services: Broadband “always-on Internet” access using Fiber-to-the-building
b) Virtual Private Network (VPN) services
   i) Layer 2 MPLS VPN Services: Point-to-point connectivity between corporate LAN sites
   ii) Layer 3 MPLS VPN Intranet and Extranet Services: LAN interconnectivity between multiple Corporate LAN sites
   iii) Managed Customer Premises Equipment (CPE) Services
c) Value Added services
   i) Encryption services: one of the end-to-end data security features
   ii) Firewall Services: one of the security features provided to customers
   iii) Network Address Translation (NAT) Services: Service that will enable private users to access public networks
d) Messaging services
e) Data Centre Services at Bangalore, Delhi and Mumbai
f) Broadband services through DSL & Direct Ethernet
   i) Fast Internet Access services
   ii) Terminating Dialup and DSL/Direct Ethernet customers on MPLS VPNs
   iii) Multicast Video streaming Services
   iv) Video on Demand services
13.4 Node Types
The NIB-II nodes are proposed in 71 cities and categorized as A1, A2, A3, A4, B1 & B2 nodes. NIB I had B nodes, and these have been further classified as B1 and B2 in NIB II. The implementation of these projects will mainly include deployment of:
a. Routers, LAN switches – Project 1
b. Narrowband RAS – Project 2.1
c. BRAS, DSLAM, Tier1 and Tier2 – Project 2.2
d. Servers for different applications like Messaging, Billing, Radius, LDAP etc. – Project 3
e. Customer Servers in Data Centers collocated with the backbone network nodes – at Delhi, Mumbai and Bangalore
13.4.1 NIB II - Project 1
Project 1 of NIB II envisages provisioning of an MPLS VPN network for corporate networks. For this, MPLS VPN nodes will be installed at 71 locations in India, which are called Physical Nodes. Additionally, around 200 places have been declared as Virtual Nodes. VPN service in any of the virtual nodes, or at any place in India, requires physical connectivity between the customer site and the nearest physical node. As the demand for MPLS VPN grows, in addition to building connectivity from each customer site to the nearest physical node, the option of aggregating the traffic from multiple sites through an aggregation router was considered. In this regard, the following norms for the deployment of an Aggregation Router for aggregating traffic from multiple sites of a customer in a particular city/SSA are followed:
[1] There should be a dedicated Aggregation router for each customer for a particular city/SSA.
[2] The option of deployment of an Aggregation router may be explored under the following conditions:
   (a) The number of sites to be connected in the VPN for a particular customer in a particular city/SSA is three or more.
   (b) The bandwidth requirement at each site under reference is 64 kbps / 128 kbps.
   (c) The city/SSA under reference is not covered under the list of 71 cities where a NIB-II node is planned.
[3] The Aggregation router can be any normal router with multiple low-speed sync serial ports (up to 128 kbps) and at least one high-speed sync serial port (2 Mbps) for connectivity to the nearest physical node.
[4] The Aggregation router thus deployed will act as Customer Premises Equipment (CPE) for the edge router of the VPN network.
13.4.1.1 Connectivity of Core router
The Core routers in A1 nodes, viz. Delhi, Mumbai, Chennai, Kolkata and Bangalore, will be connected in a mesh topology on STM-16. The Core routers in 9 nodes, viz. A2 Nodes (total 3) at Pune, Hyderabad & Ahmedabad and A3 Nodes (total 6) at Lucknow, Jullundhar, Jaipur, Indore, Ernakulam & Patna, are connected to A1 Nodes in dual mesh with link bandwidths of STM-16. The core routers in A4 nodes (total 10) at Chandigarh, Allahabad, Guwahati, Ranchi, Bhubaneshwar, Coimbatore, Raipur, Mangalore, Nagpur and Vijayawada shall be dual homed over STM-1 links to the nearest A1/A2/A3 nodes.
13.4.1.2 Connectivity of Edge router in A1, A2, A3 and A4 Nodes
There will be four edge routers in A1 Nodes, three edge routers in A2 Nodes, two edge routers in A3 Nodes and one edge router in A4 Nodes. One of the edge routers in each A1, A2, A3 and A4 Node will be collocated with the Core router in that node, connected through a Gigabit Ethernet interface. The remaining edge routers in A1, A2 and A3 nodes will be geographically distributed in each city to serve different pockets, interconnected on an SDH metro-ring fibre network with STM-1 interfaces for each edge router.
13.4.1.3 Connectivity of Edge router in B1 and B2 Nodes
One Edge router will be deployed in each of the 21 B1 nodes and 26 B2 Nodes. The edge routers in B1 and B2 nodes will be dual homed to the core at A1, A2, A3 and A4. The core routers in A1, A2 and A3 cities are proposed to be interconnected via DWDM systems. The interconnectivity of core routers in A4 nodes and edge routers in B1 and B2 cities is via STM-1 links connected through SDH rings.
13.4.1.4 Services planned to be offered under Project 1
The following services shall be offered to customers using the MPLS based IP network:
i) Layer 3 MPLS VPN Services
• Intranet – Managed & Unmanaged
• Extranet – Managed & Unmanaged
• Internet Access services
ii) Layer 2 MPLS VPN Services
• Ethernet over MPLS
• Frame Relay over MPLS
• PPP over MPLS
• Cisco HDLC over MPLS (Optional)
• VPLS (Virtual Private LAN Service)
• Layer 2 Any-to-Any Interworking (Except ATM)
iii) Encryption Services
iv) Multicast Services
v) Firewall Services
vi) Network Address Translation (NAT) Services
The primary objectives in setting up the MPLS based IP network are:
• Building a common IP infrastructure that shall support all smaller networks and sub-networks.
• The platform is intended to be used for convergent services, integrating data, voice and video, and shall be the primary source of Internet bandwidth for ISPs, Corporates, Institutions, Government bodies and retail users.
• Making the service very simple for customers to use even if they lack experience in IP routing, along with Service Level Agreement (SLA) offerings.
• Making the service very scalable and flexible to facilitate large-scale deployment.
• Capable of meeting a wide range of customer requirements, including security, quality of service (QoS), and any-to-any connectivity.
• Capable of offering fully managed services to customers.
13.4.2 NIB-II Project 2.1
13.4.2.1 Access Gateway Platform (Narrow band)
The NIB-II Access Gateway Platform shall provide Internet access at any time of the day, from any place, using any device such as a PC, analog phone, wireless or mobile phone, or Personal Digital Assistant (PDA). The Access Gateway Platform (AGP) is built around two distinct platforms: one supporting a unified dial network architecture that delivers voice, data and fax services through an open programmable gateway, and the other supporting a unified always-on Internet access platform on Ethernet/IP. The open programmable dial gateway is dimensioned to provide 80% plain data RAS ports and 20% Universal RAS ports. The solution shall be based on open interfaces so that it can be configured using third-party network elements. The NIB-II Universal Access Gateway infrastructure is conceived as an open infrastructure for carrying the following services.
(i) Internet Access service
(ii) Wholesale Dial or port retailing service
(iii) Internet Call Waiting service
(iv) IP based Unified Messaging Service
(v) Teleconferencing Service
(vi) Internet Telephony Service
(vii) Hosted voice services / IP Centrex
13.4.2.2 Components of Narrow Band Access Network
• Narrow Band Remote Access Server
• LAN Switch
• eMS Server
13.4.3 NIB-II Project 2.2
This project is for the deployment of broadband services in 198 cities, with 69 important cities where Digital Subscriber Line Access Multiplexers (DSLAMs) shall be deployed. The cities are categorized as A1 (3 cities), A2 (3 cities), A3 (6 cities), A4 (10 cities), B1 (21 cities), B2 and others (129 cities). Delhi and Mumbai will not have any broadband equipment under Project 2.2 of NIB-II.
13.4.3.1 Services of Project 2.2
• Primary source of Internet bandwidth for retail users for applications such as Web browsing, e-commerce etc.
• Multicast video services, video on demand etc. through the Broadband Remote Access Server (BRAS).
• Wholesale BRAS ports assigned to smaller ISPs through a franchise model, wherein the franchisee runs a separate network of DSLAMs, AAA and LDAP under a revenue-sharing scheme with BSNL.
• Dial-up VPN (VPDN): the user connects to NIB-II through the Narrow band RAS and is connected to its private network through an L2TP tunnel established between the Narrowband RAS and the Broadband RAS. (L2TP on its own only tunnels the PPP session and provides no encryption; confidentiality on this path depends on the operator's transport or on encryption applied end to end.)
• Support for both prepaid and postpaid Broadband services.
13.4.3.2 Components of Broad Band Access Network
• Broad Band Remote Access Server (BBRAS)
• Gigabit and Fast Ethernet Aggregation Switches (LAN Switches)
• Digital Subscriber Line Access Multiplexers (DSLAMs)
• SSSS/SSSC (Subscriber Service Selection System/Centre)
• Servers for AAA and LDAP at Pune
• Provisioning and configuration management at the NOC
The city-wise deployment of DSLAMs is given in the Table below.
13.4.3.3 Network Architecture of Project 2.2
The Customer Premises Equipment (CPE) will be aggregated at DSLAMs. The DSLAM will be collocated with the exchange (MDF), either in the same room or as close as possible to the MDF. DSLAM traffic will then be aggregated through a Tier 2 LAN Switch Aggregator over Ethernet on dark fibre. Traffic from the Tier 2 LAN Switch Aggregator will be further aggregated through a Tier 1 LAN Switch Aggregator over Ethernet on dark fibre. In B cities, since there is no Tier 1 LAN Switch Aggregator, the Tier 2 LAN Switch Aggregator will be connected to the nearest Tier 1 LAN Switch Aggregator of an A city over Ethernet on SDH. The BRAS will be connected to the Tier 1 LAN Aggregator on a Gigabit Ethernet interface.
1. All 198 cities will have DSLAMs and Tier 2 LAN switches (for aggregation of DSLAMs).
2. All A cities and Noida (total 23 cities) will have one BRAS, one SSSS and one Tier 1 LAN switch.
3. There will be no BRAS, SSSS or Tier 1 LAN switch in any other city. All DSLAMs are initially aggregated using a Tier 2 LAN switch, through one pair of dark fibre.
4. The 240 port DSLAM will have two FE interfaces.
5. The FX or GBIC module in the DSLAM and LAN switch should be capable of driving up to 10 km on single mode fibre. The SX or GBIC module in the LAN switch used for connecting Tier 2 to Tier 1 will support a 40 km distance.
6. In the bigger cities (A1, A2, A3 and A4), one BRAS per city will be deployed. There will be no BBRAS in B1 and B2 cities.
7. The DSLAMs in B1, B2 and other lower hierarchy cities will be aggregated through Layer 2 switches and connected to the nearest BRAS of an A city over Ethernet over SDH.
8. The BRAS shall terminate the PPP sessions initiated by the customer and extend the connection further to the MPLS VPN/Internet as desired by the customer.
9. The DSLAM will in general be collocated with the existing PSTN exchange, which provides last mile access to customers over copper wire up to average span lengths of 3 km.
10. All DSLAMs will be aggregated through Fast Ethernet (FE) interfaces except the 480 port DSLAM, which will be aggregated through a Gigabit Ethernet (GigE) interface.
Table: Tier 1 Gigabit Ethernet LAN Switch planned, with interfaces per switch

City type | No. of cities | GE aggregation switches per city (qty) | GE interfaces per switch | FE interfaces per switch
A1        | 3             | 1                                       | 26                       | 24
A2        | 3             | 1                                       | 22                       | 24
A3        | 7             | 1                                       | 16                       | 24
A4        | 10            | 1                                       | 14                       | 24

(Total Gigabit Ethernet LAN switches required per city type = number of cities x switches per city.)
GE: Gigabit Ethernet Interface (1000 Mbps). FE: Fast Ethernet Interface (100 Mbps).
The number of ports required on a Tier 2 switch can be calculated using the following rules:
• A 480 port DSLAM requires one Gigabit Ethernet (GE) interface.
• A 240 port DSLAM requires two Fast Ethernet (FE) interfaces.
• 120 port, 64 port, 48 port and 24 port DSLAMs require one FE each.
• In addition, two Gigabit Ethernet ports are required for interconnecting the Tier 2 LAN Switch to the Tier 1 LAN Switch Aggregator (for A cities).
• In the case of B cities, one Fast Ethernet port is required for interconnecting the Tier 2 LAN Switch to the Tier 1 LAN Switch of the A city.
• In addition, one Gigabit Ethernet and two Fast Ethernet ports are kept as spare.
So, for example, if a particular Tier 2 LAN Switch in an A1 city aggregates seven 480 port DSLAMs, six 240 port DSLAMs, five 120 port DSLAMs and two 64 port DSLAMs, the total port requirement for this aggregation comes to:
Gigabit Ethernet = 7*1 + 2 + 1 (spare) = 10
Fast Ethernet = 6*2 + 5*1 + 2*1 + 2 (spare) = 21
• While planning the deployment of a Tier 2 LAN Switch Aggregator, it is to be ensured that the distance between the Tier 2 LAN Switch Aggregator and any of the connected DSLAMs is less than 10 km.
• The distance between the Tier 1 LAN Switch Aggregator and any of the connected Tier 2 LAN Switch Aggregators can be at most 40 km.
• If the distance exceeds the specified limits, the connectivity will be through a medium with optical-to-electrical converters at both ends.
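The port rules and distance limits above can be turned into a small planning check. The following is an added example written for this page, not BSNL's own planning tool: it encodes the per-DSLAM uplink ports, the Tier 1 uplink ports by city class (A or B), the fixed spares, and the two fibre-distance limits, and reproduces the worked A1 case (GE = 10, FE = 21). The DSLAM distances and the `Dslam`/`Tier2Plan` names are constructed for the example; the text gives only the port counts.

```python
"""Tier 2 LAN switch port planner for NIB-II Project 2.2 DSLAM aggregation.

Added example; not BSNL's planning tool. Port rules and distance limits are
the ones stated in the text. DSLAM distances in manual_example() are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Tier 2 switch ports each DSLAM size consumes, as (GE, FE)
DSLAM_PORTS = {
    480: (1, 0),  # 480-port DSLAM uplinks on one Gigabit Ethernet port
    240: (0, 2),  # 240-port DSLAM uplinks on two Fast Ethernet ports
    120: (0, 1),  # 120-, 64-, 48- and 24-port DSLAMs use one FE each
    64: (0, 1),
    48: (0, 1),
    24: (0, 1),
}
# Tier 2 to Tier 1 interconnect by city class, as (GE, FE)
UPLINK_PORTS = {"A": (2, 0), "B": (0, 1)}
SPARE_PORTS = (1, 2)   # one GE and two FE kept spare on every Tier 2 switch
MAX_DSLAM_KM = 10.0    # DSLAM to Tier 2 aggregator must be less than this
MAX_TIER1_KM = 40.0    # Tier 2 to Tier 1 aggregator may be at most this


@dataclass
class Dslam:
    ports: int          # subscriber ports: 480, 240, 120, 64, 48 or 24
    distance_km: float  # fibre run from this DSLAM to the Tier 2 switch


@dataclass
class Tier2Plan:
    ge: int             # Gigabit Ethernet ports required on the Tier 2 switch
    fe: int             # Fast Ethernet ports required
    violations: List[str] = field(default_factory=list)  # runs needing O/E converters


def plan_tier2_ports(dslams: List[Dslam], city: str, tier1_distance_km: float) -> Tier2Plan:
    """Port requirement for one Tier 2 switch plus any distance-limit violations.

    city is the city class ("A1", "A3", "B2", ...); only the letter matters.
    """
    city_class = city[:1].upper()
    if city_class not in UPLINK_PORTS:
        raise ValueError(f"unknown city class {city!r}")
    ge, fe = 0, 0
    violations: List[str] = []
    for i, d in enumerate(dslams):
        if d.ports not in DSLAM_PORTS:
            raise ValueError(f"unsupported DSLAM size {d.ports}")
        g, f = DSLAM_PORTS[d.ports]
        ge += g
        fe += f
        if d.distance_km >= MAX_DSLAM_KM:
            violations.append(f"DSLAM {i} ({d.ports} ports) at {d.distance_km} km "
                              f"is not under the {MAX_DSLAM_KM} km DSLAM-to-Tier 2 limit")
    if tier1_distance_km > MAX_TIER1_KM:
        violations.append(f"Tier 1 aggregator at {tier1_distance_km} km exceeds "
                          f"the {MAX_TIER1_KM} km Tier 2-to-Tier 1 limit")
    ug, uf = UPLINK_PORTS[city_class]
    sg, sf = SPARE_PORTS
    return Tier2Plan(ge + ug + sg, fe + uf + sf, violations)


def manual_example() -> Tier2Plan:
    """The worked case from the text: seven 480-, six 240-, five 120- and
    two 64-port DSLAMs on one Tier 2 switch in an A1 city. Distances are
    constructed and all within limits."""
    dslams = ([Dslam(480, 2.5) for _ in range(7)]
              + [Dslam(240, 4.0) for _ in range(6)]
              + [Dslam(120, 6.5) for _ in range(5)]
              + [Dslam(64, 8.0) for _ in range(2)])
    return plan_tier2_ports(dslams, "A1", tier1_distance_km=12.0)


if __name__ == "__main__":
    plan = manual_example()
    print(f"GE = {plan.ge}, FE = {plan.fe}")   # GE = 10, FE = 21
    for v in plan.violations:
        print("WARNING:", v)
```

The same function handles a B city (one FE uplink instead of two GE) and flags any DSLAM run of 10 km or more, or a Tier 1 run over 40 km, so the optical-to-electrical converter requirement is caught at planning time rather than at installation.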
13.4.4 NIB-II Project 3: Enterprise Management System (EMS) [Messaging and Storage Service Platform, Provisioning, Billing & Customer Care, Enterprise Management System (EMS) and Security System]
Brief description of the Messaging and Storage Service Platform:
1. This shall envisage the design and upgradation of the current messaging system to grow from the existing NIB-I infrastructure supporting 650,000 users to support the increasing user base.
2. The core messaging system shall be the heart of NIB-II and will enable BSNL to add users across varied value added services.
The salient aspects of the project are summarized as follows:
(i) Setting up a proven, robust, scalable messaging solution with best-in-class security components.
(ii) Roll-out across the country supported by 5 messaging and associated storage systems at Delhi, Mumbai, Bangalore, Chennai and Kolkata.
(iii) High Availability architecture with no single point of failure.
13.4.4.1 Components of the Solution
The proposed solution shall consist of the following components, with the items of functionality listed below:
(i) Messaging
a) DNS, AAA
b) MMP
c) LDAP (Consumer, Replicator Hub, Primary and Secondary)
d) SMTP IN & OUT
e) Messaging Servers
f) Address Book Servers, etc.
(ii) Storage
a) SAN Switch & SAN Storage
b) Tape Library
c) Staging Servers, etc.
13.4.4.2 Storage platform
The various application servers placed at the 5 messaging/storage locations, such as LDAP, AAA, EMS, Messaging, UMS and Billing, require data storage capacity for storing user mailboxes, billing data etc. Such large storage requirements need to be met with fast, reliable and scalable storage devices, deployed as an "end-to-end high performance switched architecture Fibre Channel SAN (Storage Area Network) providing no single point of failure". The storage device should be compatible with the servers of all major vendors such as HP, IBM, Sun, Dell etc., so that the choice of application server platform remains independent of the storage device.
Brief description of the Billing & Customer Care, Enterprise Management System (EMS) and Security System:
The system is an integrated provisioning, billing, customer care and accounting platform and shall support billing for the complete range of IP based services mentioned & meet next-generation requirements as well. Customization as and when required by BSNL is possible. Besides meeting comprehensive, future-ready rating, billing and data collection requirements, it shall take care of activation, suspension, deactivation and change in the subscribed services. The system is designed to support: (i) On-line services such as internet, pay-per-view TV and video on demand or a combination of all or some of the above. (ii) Periodic charges, such as telephone line and cable TV rental. (iii) One-time costs, such as connection fees. (iv) Events, such as telephone calls, data service usage, pay-per-view TV selections, home shopping purchases, utility metered usage – such as electricity supply (live site example) (v) Financial services (vi) Telephony services. (vii) Enterprise Backup Systems. The billing system shall be capable of: i. Providing electronic versions of bills to customers over the Internet. ii. Creation/modification of service. iii. Processing Service requests in real time and non-real time and accounting in real time. iv. Producing flexible billing depending upon the use of service.
13.4.4.3 Security Systems
a) Load Balancers
b) Firewall Appliances
c) Intrusion Detection System
d) Antivirus system, etc.
13.5 Network Operation Center (NOC)
The NOC shall provide the facility for centralized network management and end-to-end provisioning of multiple services, giving a single view of all the network services being delivered countrywide. The servers of the NOC shall be connected through a Gigabit Ethernet link from the Core router, with three zones of firewall within the centre. The network shall be centrally managed from the Network Operation Centre (NOC) located at two sites, one being the master and the other the disaster recovery site: the main NOC is at Bangalore and the Disaster Recovery site is at Pune. An interface to the NMS back-office facility shall be provided, protected by a firewall in the Data Centre. All customer databases shall reside centrally at the NOC. The NMS of NIB-II Project 1 is the comprehensive NMS for the entire NIB-II, including NIB-I, MPLS VPN, Project 2.1 and Project 2.2, and will support the entire FCAPS range: F (Fault), C (Configuration), A (Accounting, including Access/Inventory), P (Performance) and S (Security) functionality.
Chapter 14
Packages used in BSNL
Contents
• The Front end and Back end used for each package
• Salient Features in each package
• Modules
Objectives
After completion of this module you will be able to know:
• Major packages used in BSNL
• The usage of each package with its features elaborated.
14. Packages Used in BSNL
14.1 Mobile Billing
14.1.1 Basic Details
• Front end - JAVA
• Database - Oracle 8i
• Operating System - Sun Solaris Unix
• Languages - C, C++, JAVA, JavaScript
14.1.2 Salient features
This application is client-server based: the data is held in one or more centralized databases on servers and the user interfaces reside on workstations. The application can be used in a local area network (LAN) or WAN environment. In BSNL there are four billing zones, namely BSNL West, BSNL East, BSNL South and BSNL North. For example, for the BSNL West zone the billing centre is at Pune.
14.1.3 Modules
The Billing System comprises three main modules.
1. Arbor/OM (Order Management)
2. Mediation
3. Arbor/BP (Billing Module)
Arbor/OM is an order entry and management system that supports order handling and workflow management activities for products and services in converging telecommunications markets. Arbor/OM operates in tandem with Arbor/BP, as the completed order data is used for the provisioning of products, services and accounts for future billing activity. The Arbor/OM interface is used to:
• enter and revise orders.
• view order history information.
• manage workflow processing.
• manage number and equipment inventories.
The Service Provisioning (SP) module acts as an interface between OM and the switch. The order from the OM module is sent to the switch through the Service Provisioning module. SP is also part of the Mediation module. SP is designed in CORBA (Common Object Request Broker Architecture).
Arbor/BP is the designated rating and billing engine and will perform rating and billing of the services offered by each of these circles to its subscribers. The rating subsystem of Arbor/BP requires the mediation device to do the following:
Send one and only one usage event for one billable call. Essentially this means the mediation device will forward all billable calls to the billing system; in the case of exceptions such as long duration calls, the partial records will be consolidated and sent as one billable record to the billing system. The source of the usage records, i.e. the network elements, may vary based on the functions they handle. The various network elements that BSNL has are MSC, SMSC, VMS, WAP and IN. Therefore, the mediation device must have the ability to connect to every network element and collect usage from it. The IN platform will provide Pre-Paid, VPN and ARS (Advanced Routing Services). Pre-paid CDRs are pre-rated, as they are rated on the IN platform and passed to Arbor/BP as pre-rated CDRs. Thus, no rating will be done by Arbor/BP for prepaid subscribers; however the CDR is still passed through the billing system and kept for historical reference. VPN and ARS CDRs will be sent to Arbor/BP from the IN platform via the SSP.
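The "one and only one usage event per billable call" rule is where billing integrity is won or lost: partials of a long call must be merged, a partial delivered twice must not be billed twice, a call with a missing partial must not be billed short, and pre-rated IN records must pass through without being rated again. The following is an added example written for this page, not BSNL's or Arbor/BP's mediation code. The pipe-separated CDR layout, the call references, and the per-minute tariff in `rate()` are all constructed for the example and do not describe any real switch format or BSNL rate.

```python
"""Mediation consolidation: one usage event per billable call.

Added example; not BSNL's or Arbor/BP's mediation code. CDR layout and
tariff are constructed for illustration.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PULSE_SECONDS = 60    # constructed tariff: one pulse per started minute
PULSE_CHARGE = 1.00   # constructed tariff: charge per pulse

# Constructed sample feed. The MSC emits partial records for long calls that
# share a call reference; the IN platform emits already-rated prepaid records.
SAMPLE_CDRS = """
MSC|call=C1001|seq=1|last=0|dur=1800
MSC|call=C1001|seq=2|last=0|dur=1800
MSC|call=C1001|seq=3|last=1|dur=420
MSC|call=C1002|seq=1|last=1|dur=65
MSC|call=C1002|seq=1|last=1|dur=65   # same partial delivered twice
IN|call=P2001|seq=1|last=1|dur=120|charge=2.40
MSC|call=C1003|seq=1|last=0|dur=1800
MSC|call=C1003|seq=3|last=1|dur=300  # seq 2 never arrived: hold, do not bill
"""


@dataclass
class Cdr:
    source: str              # network element: MSC, SMSC, VMS, WAP or IN
    call: str                # call reference shared by all partials of one call
    seq: int                 # partial-record sequence number, starting at 1
    last: bool               # True on the final partial of the call
    duration: int            # seconds covered by this partial
    charge: Optional[float]  # pre-rated amount from the IN, else None


@dataclass
class UsageEvent:
    call: str
    source: str
    duration: int
    charge: float
    prerated: bool
    partials: int


def parse_cdr(line: str) -> Cdr:
    source, *rest = line.split("|")
    fields = dict(item.split("=", 1) for item in rest)
    charge = fields.get("charge")
    return Cdr(source, fields["call"], int(fields["seq"]), fields["last"] == "1",
               int(fields["dur"]), float(charge) if charge else None)


def rate(duration: int) -> float:
    """Constructed postpaid rating standing in for the billing engine."""
    return math.ceil(duration / PULSE_SECONDS) * PULSE_CHARGE


def consolidate(lines: List[str]) -> Tuple[List[UsageEvent], List[str], int]:
    """Return (events, pending, duplicates).

    events     - exactly one UsageEvent per call whose partials are complete
    pending    - call references still missing a partial or the final record
    duplicates - partial records dropped because the same seq arrived twice
    """
    groups: Dict[Tuple[str, str], Dict[int, Cdr]] = {}
    duplicates = 0
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cdr = parse_cdr(line)
        partials = groups.setdefault((cdr.source, cdr.call), {})
        if cdr.seq in partials:
            duplicates += 1       # redelivery: keep the first copy only
            continue
        partials[cdr.seq] = cdr

    events: List[UsageEvent] = []
    pending: List[str] = []
    for (source, call), partials in groups.items():
        seqs = sorted(partials)
        contiguous = seqs == list(range(1, len(seqs) + 1))
        if not contiguous or not partials[seqs[-1]].last:
            pending.append(call)  # never emit a partial bill
            continue
        duration = sum(p.duration for p in partials.values())
        prerated = source == "IN"
        charge = (sum(p.charge or 0.0 for p in partials.values()) if prerated
                  else rate(duration))
        events.append(UsageEvent(call, source, duration, charge, prerated, len(seqs)))
    return events, pending, duplicates


if __name__ == "__main__":
    evs, held, dups = consolidate(SAMPLE_CDRS.splitlines())
    for e in evs:
        print(f"{e.call}: {e.duration}s from {e.partials} partial(s), charge {e.charge:.2f}"
              + (" (pre-rated by IN)" if e.prerated else ""))
    print("held as incomplete:", held, "| duplicates dropped:", dups)
```

Calls held as pending are the revenue-assurance cases a mediation operator should review: in a real feed they would be re-examined after the next collection cycle rather than silently discarded.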
14.2 DoT Soft
14.2.1 Basic Details
• Front end - Developer 6i
• Back end database - Oracle 9i
• Client-server model - 2 layer architecture
DoT Soft is the first integrated telecom software application in BSNL, comprising Billing, Commercial, FRS and Directory Enquiry. Developed by an in-house group of telecom professionals of the AP Telecom Circle, the package was initially implemented at Guntur in 1997, making it the first Telecom District in BSNL to have integrated customer care and billing software. DoT Soft is integrated with other systems such as the call centre and the BSNL portal (www.bsnl.in). The BSNL portal enables online bill payments and the availability of duplicate bills for its customers. In addition, DoT Soft AP has a tie-up with e-seva, the most popular e-governance project of the Andhra Pradesh government. The BSNL portal, www.bsnl.in, provides customers with a complete online delivery, review and payment solution, all at a single mouse click.
14.2.2 Salient features
1. Application entry: Online application entry for landline connections (permanent, temporary, casual, PTs, swatantra senani, senior citizens, retired BSNL employees, working BSNL employees, gallantry award winners and service connections). Online application entry for WLL connections, fixed and mobile (permanent, service). Certain application details can be changed. All India wait list transfer, incoming and outgoing.
2. Waitlist: For all landline (except casual, temporary and service). For WLL-mobile (permanent and service). Certain waitlist details can be changed. Out of turn and All India shift incoming connections can be centralized / decentralized. Waitlist process for landline connections (except casual, temporary and service). Waitlist entry is possible through the offline mode also for landline connections.
3. Phone number store: Phone numbers can be created for all valid levels and can be marked reserved/blocked.
4. Messages to field: Messages can be sent by the CO to all field units for priority execution, suspension, return back, continue etc.
5. Advice note release: Capacity allocation is to be done before bulk release. Advice notes can be bulk released, single released, cancelled and revised by the respective CO for landline connections. For WLL, the release is single, centralized or decentralized. Centralized release for out of turn and AIS incoming cases is possible.
6. Advice note routing: Routing is automatic to the concerned field officer (Outdoor / MDF / Indoor). For WLL mobile the routing is to Indoor only. For WLL fixed the routing is to Outdoor and Indoor.
7. Advice note completion: Completion of advice notes is online for all landline (except ISDN) and WLL connections. However it is possible to complete manually released / system released advice notes through the offline mode. For ISDN connections, the completion is only through the offline mode.
8. Subrouting: COs, DEs-External, AEs-Outdoor, MDF, Indoor and Test desk can delegate their work to their subordinates without disclosing their password.
9. Request registration: Requests for working line activities can be registered online. The requests can be approved / suspended / cancelled by the CO or referred to the AO. After approval, the advice note is generated.
10. Raise D/N: The CO or AO can raise a demand note for any activity.
11. Level change: Level change operations can be done with or without meter change.
12. Area transfer: Area transfer can be done for a single number or in bulk.
13. Disconnections: Disconnections for non-payment are initiated centrally and flow to the AO. After approval, the flow is to Indoor. Reconnections are initiated by the AO and then flow to Indoor. No advice notes are released. These operations are possible through the offline mode also.
14. Closures: Closures for non-payment are initiated centrally and flow to the AO and then the CO. Advice notes are generated by the CO and flow to the field. Reconnections are through the request registration module.
15. Fault booking: This is done online, centralized for the SSA. The complaints are then routed automatically to the respective initial testing operators at the MDF.
16. Fault routing: Based on the initial test results, the fault is routed to the corresponding SFC position (lineman at outdoor, indoor, MDF, cable). After the fault is rectified, it is routed to the final test position.
17. Fault clearance: The fault is checked at the final test position. It is either cleared or sent back to the SFC position.
18. Bulk billing: Billing can be done for all landline, ISDN, Centrex and WLL phones (except casual). The billing can be done for some or all exchanges. Call record error generation and clearance is possible. Unaddressed bills are generated for phones not listed in the commercial database. Group billing is possible for grouped phones. It is possible to bill deposits also.
19. Single phone billing: This is possible for any past period, future period or from any past date to the current date.
20. Billing periodicity: Billing can be done monthly for landline (except STD-PTs), WLL, Centrex and ISDN phones. Bi-monthly billing is possible for all landline phones (except PTs), WLL and Centrex. STD PT billing is fortnightly.
21. Discounts: Individual bill / group bill discounts are possible. Discount on installation charges is possible.
22. Bill operations: A bill can be cancelled, given instalments, disputed or written off. Instant and final bills are possible for closed connections. Bill adjustments and pay-by-date extension can be done before payment for a single bill.
23. Bill payment: Online payments can be done for all bills including group bills. This is authorized to a specific cashier for that day only. After the counter's time expires, the daily list is generated and tallied. The AO then closes the counter through a counter close module. Online payment processing is then done. Offline payment entry and processing are also possible through batch control. Receipt cancellation is possible. Surcharge carry forward and waiver are possible through authorization.
24. Trunk calls: Trunk call / Phonogram entry is possible. Trunk rate evaluation is automatic.
25. Refund order: Refund of registration deposits is possible if the application is cancelled.
26. Ledgers: Ledgers are generated for revenue, service tax and surcharge.
27. Voluntary deposits: These deposits are adjusted in the bill. An interest calculation module is also available.
28. Dishonoured cheques: Bounced cheques can be entered in DoT Soft to nullify the payment.
29. Enquiries: Enquiries are possible on all customer related data.
30. Reports: Various reports are possible on all customer related data.
31. DoT Soft Mail: DoT Soft users can use this mail facility and even chat.
With the DoT Soft package all the above steps are made online. Commercial online reduces the headache of file management between the various sections. Whenever a customer pays money for a new connection, the Advice Note is released online without any delay and the new connection is provided immediately on demand. An integrated system such as DoT Soft ensures better customer satisfaction and transparency in BSNL services.
14.3 TVARIT
14.3.1 Basic Details
TVARIT means "immediate"; this package is meant to avoid delays in the provisioning of leased lines all over the country.
• Front end - ASP, JavaScript
14.3.2 Salient Features
• This is a Web based program residing on a Web server at Mumbai.
• The TVARIT package is for the computerization of leased line operations; it logs the process from registration till commissioning, and updating for maintenance operations including periodic billing.
• All the Circles connect to the server through dial-up or leased line.
• Separate access is given to the AO, CO and Nodal Officer of each SSA.
Using this package the following leased line operations can be carried out:
• Registration of new circuits
• Payment of leased charges
• Issue of work order
• Wiring, testing and commissioning
• Periodic billing
• Accounting
• Management summaries
• Migration of existing circuits to TVARIT
• Shifting, cancellation and modification
• Customer queries
• Online help
Figure: Home Page for TVARIT
14.4 Fleet Management
14.4.1 Basic details
• HTML as front end
• JavaScript for client side validation
• PHP for server side scripting
• Database is Oracle 9i
• Operating System is Linux
14.4.2 Salient Features
This software allows the user to enter the following details.
• Vehicle Detail
• Purchase Detail
• RTO Detail
• Insurance Detail
• Allotment Detail
• Scrapping Detail
The Fleet Management System is a web based software application. The design and development of the Fleet (Vehicle) Management System (FMS) software for BSNL was done by the O/o CGM IT Project Circle, BSNL, Pune. The Web/Database server of the FMS application is located at the IT Cell, BSNL Kerala Circle, Trivandrum. The application enables the management of the vehicle inventory and the month-wise history of costs on oil, fuel, etc. Apart from these features, the package also contains pages with instructions and guidelines for the maintenance of the vehicles. The application guides the asset management process by tracking vehicle records, planning scrapping/replacement schedules, working out fleet justification for the future, and keeping a month-wise record of privately hired vehicles and the expenditure on them. The package is designed to follow the hierarchy of SSA, Circle and BSNL HQ. All the information fed at the SSA level can be forwarded to the Circle Office. The Circle Office can feed information about the vehicles at the Circle Office and receive information from its SSAs/Units; the collected data, with detailed information on departmental vehicles and brief information on hired vehicles (number of hired vehicles and expenditure on them) in the Circle, can then be forwarded to BSNL HQ.
14.5 Trichur Billing package
14.5.1 Basic Details
• This automates SSA level billing for PSTN calls
• Front end - Unix
• Database - Oracle 9i
14.5.2 Salient Features
This package is used to generate PSTN bills from the meter readings of the individual exchanges. The software reads the meter readings from binary-format CDRs. The CDRs are collected from the various switches on MOD or cartridge at periodic intervals. There is one billing centre per SSA. Gross metered calls are taken from the Open Meter Reading and the Closed Meter Reading. The usage charge is calculated from the gross metered calls by applying the rating engine, and accordingly a bill is generated for every consumer number.
14.6 MIS (Management Information System)
14.6.1 Basic Details
• HTML is used for front-end screen design.
• ASP is used for the logic for submitting/updating/modifying the data.
• JavaScript is used for data validation at the client side.
• The database is implemented in Oracle on Linux.
• MIS reports are developed in VB 6.0 using DLLs to enhance the speed and performance of report generation.
14.6.2 Salient Features
• It has more than 30 input forms for submitting Management Information.
• Data and reports follow the new format of BSNL HQ. Basic MOC and MIS data is keyed by SSA level users and stored at the central database server.
• For the fields that are identical in MOC and MIS, data entered once in MOC is automatically updated in MIS.
• The application generates MOC and MIS reports dynamically based on the SSA, month and year selected.
MIS deals with the preparation of templates and the maintenance of uniform, standardized formats for the various circles. The application is Web-based, and field units from anywhere in the BSNL network can access the system located at Trivandrum through the Internet. User-friendly interfaces are provided for entering data, and any report can be generated as required. The application follows a three-tier architecture for BSNL, Circles and SSAs respectively.
14.6.3 Concepts used
• The package is a Web based application having a two-layer architecture.
• Layer one encompasses the business logic along with the input forms, and the second layer is the database server. These two layers can be accommodated on a single machine or on separate machines.
• It has 40 input forms for submitting Management Information System data as per the new format of BSNL HQ.
• The basic MIS data is keyed by SSA level users and stored at the central database server.
• In a single window concept, the user can input the data and obtain the respective output report.
Figure: Home page of All India MIS
The menu consists of:
Admin
OTE (One Time Entry)
MOC (24 point reports)
QPI (Qualitative Performance Indicator)
DP (Development Performance)
U/P (Rehabilitation / Upgradation)
HRD (Human Resource & Development)
FP (Financial Performance)
BD & MKTG
• Separate input forms are available for inputting one time data (closing status for the previous year ending) for DP, HRD and UP (only Circle/SSA Administrators are permitted to input this data).
• It is a two stage process. In the first stage data flows from the SSAs into the central data store. In the next stage data is processed based on the selected SSA/Circle/BSNL HQ, month and year for generating the reports.
• Before storing the data input by end users into the database, the package validates and checks the correctness of the data, as this is required for generation of correct MIS reports.
• Data input by end users (SSA level) is stored in tables maintained report wise (QPI, DP, UP, HRD etc.) in a single MIS database.
• Each SSA's data is stored uniquely in the database.
• Each row is identified by Circle name, SSA name, month and year.
• Normalization techniques are used to avoid data duplication and maintain data consistency.
• The basic data used for generating the MIS report at all levels strictly adheres to the MIS format supplied by BSNL HQ.
• The completion status of a form can be viewed and modified by Module Level users.
• A module can be viewed and modified by SSA Level Administrators and viewed by users at the SSA.
• All the modules of all SSAs of a Circle can be viewed by the respective Circle Administrator and users at the Circle.
• All the reports of SSAs and Circles can be viewed by the Administrator and users at HQ.
• The application generates MIS reports dynamically based on the SSA, month and year selected.
• MIS reports are available at the following levels:
  o Form Level Report
  o Module Level Report
  o SSA Level Report
  o Circle Level Report
  o BSNL HQ Report (Final)
14.7 HRM Package (Human Resource Management Package)
14.7.1 Basic Details
• Operating System - Unix/Linux
• Database - Oracle 10g
• Front end coding - J2EE
14.7.2 Salient Features
• Web based on-line application.
• Complete and comprehensive solution for Human Resource management of BSNL.
• Integrated with Payroll.
• Caters to the complete employee lifecycle, from recruitment to retirement.
• Role based user participation.
• Centralized, secured database.
• User friendly design.
• Access to every employee in BSNL.
• On-line flexible reports for management.
The package covers the total gamut of HR activities including staff details, transfers, training, promotions, leave etc.
Staff master comprising:
• Staff details
• Absorption details
• Police verification
• Training details
• Present and home town address
• Career history
Figure: Creation of Units.
Figure: Attaching sections to unit.
14.8 Inventory Management Package
14.8.1 Basic Details
• The system is a web-based application.
• Oracle 9i as the back-end database.
• Client-server model. Client: a remote computer accessing the server through dial-up/leased line. Server: a high-end server and associated servers located in Trivandrum.
14.8.2 Salient Features
• Web enabled multi-user application.
• User-friendly data entry forms.
• Various queries/reports for master data at Admin/Circle/SSA levels.
• User-role based access.
• System logout on expiry of session, ensuring security.
• Forced logout by the user, ensuring security.
• Forced change of password on first login.
• Data validation across the whole circle, since the data resides on a single server.
• Multiple roles can be assigned to a single user.
• The system is designed for planning/accounting of materials in BSNL up to field units, thereby bringing uniformity in material management.
• The system is designed to start operation from the Circle tier.
Connectivity Diagram:
Inventory Management involves:
• Project planning
• Purchase order management
• Indenting and allotment at SSA/field level
• Receipt of stores at Circle / SSA stores
• Checking the material for quality and taking it into stock
• Issue of stores from Circle/SSA stores
• Purchase billing
14.8.3 Modules
The main modules of this package are:
1. Head of Accounts
• Groups
• Types
• Major Heads
• Minor Heads
The Head of Accounts view is provided to all users; the privilege to maintain it is given only to the system administrator.
2. Estimate Masters
• Group
• Type
The privilege is given only to the system administrator.
3. Item Masters
Item Category: broadly classified according to inventory heads like Switching Equipment, Lines and Wires, UG Cables, Battery etc.
4. Consignee Master
• Helps in the preparation of Purchase Orders released from the Circle or SSA.
• This facility is extended to all users with Purchase Order Management. This is a pool of officers from which the consignee for a particular Purchase Order is selected by the Circle/SSA.
• Consignee addition by the SSA is compulsory, since this is required for Circle Purchase Order preparation.
5. Ordering Authorities Master
• Ordering authorities for Circle/SSA Purchase Orders.
• This facility is extended to all users with Purchase Order Management.
Internet
6. Paying Authorities Master ¾ This is a master of paying authorities for Circle/SSA. ¾ This facility is extended to all users with Purchase Order Management. 7. Purchase Order conditions Master ¾ The general conditions of BSNL PO can be entered into PO conditions master. 8. Price Variation Master ¾ Price of the material w.e.f from a date is entered through this link. ¾ Since the variation is same through out BSNL the same can be entered by system administrator. 9. Tax Master ¾ Different taxes applicable to BSNL and pertaining to each circle can be entered through this link. ¾ The privilege is given to each circle administrator. 10. Tax Structure ¾ The tax structure of each circle can be copied into the system . ¾ The tax structure of the circle is very important during store receipt and billing. ¾ The privilege is given to each circle administrator. 11. Manufacturer Masters ¾ The manufacturers who are the supplier of BSNL can be entered through this link. This privilege is given to the circle administrators. 12. Local Dealers ¾ The local dealers of each manufacturer in each circle can be entered through this link. ¾ This privilege is given to the Circle administrator.
Internet 13. Manufacturer item ¾ The items manufactured by the manufacturers are entered through this link. ¾ This privilege is given to the system administrator. 14. Store depot ¾ The store depots pertaining to each circle/SSA is entered through this link. Care should be taken to see that the in charge of the store depot and the consignee of the Purchase order released from circle/SSA should be the same, otherwise the system will not give permission to account the items in a store depot.
Chapter 15
ATM (ASYNCHRONOUS TRANSFER MODE)
Contents
• Background information on ATM technology
• Difference between STM & ATM
• ATM protocol
• Different switching
• ATM interfaces and connections
• ATM network architecture
• ATM type of switches
• ATM cell format, UNI/NNI format
• ATM RM & layer functions
• ATM benefits
• ATM switch architecture
• ATM services
• Underlying transmission system for ATM
Objectives
After completion of this module you will be able to:
• Understand the background information on ATM technology
• Understand the difference between STM & ATM
• Understand the ATM protocol
• Understand the different switching
• Understand the ATM interfaces and connections
• Understand the ATM network architecture
• Understand the ATM type of switches
• Understand the ATM cell format, UNI/NNI format
• Understand the ATM RM & layer functions
• Understand ATM benefits
• Understand ATM switch architecture
• Understand the ATM services
• Understand the underlying transmission system for ATM
15.1 Introduction
15.1.1 Pre-ISDN situation
1st generation switches were dedicated to specific purposes such as telephony, facsimile and low-speed data transfer, and used the circuit switched telephone network. High-speed data transfer over this network is not possible due to lack of bandwidth, flexibility, and quality of transmission media and equipment. So, for the purpose of high-speed data transfer, another network called the packet switched network came into existence.
15.1.2 ISDN situation
ITU-T (the new avatar of CCITT) set new standards for the public telecom network. In 1984, ITU-T defined a new method, called the 2nd generation switch, known as ISDN: "a network that provides end to end digital connectivity to support a wide range of services including voice and non-voice service, to which users have access by a limited set of standard multipurpose UNI". For this, 2 interfaces called BRI or BRA (192Kbps) and PRI or PRA (2.048Mbps) are defined at the basic rate of 64Kbps. By this, maximum transmission is restricted to 2Mbps only.
15.1.3 N-ISDN situation
With the basic bit rate of 64Kbps, the network can offer a maximum of 1.544Mbps (called a T1 link) or 2.048Mbps (called an E1 link). Such a type of working is called N-ISDN. However, with the concept of LANs, transmission of images with good resolution may require higher bit rates. This led to the conception and realization of the 3rd generation switch, based on B-ISDN. In 1993, ITU-T defined B-ISDN as "a service or system requiring transmission channels capable of supporting rates greater than PRA or PRI".
15.1.4 B-ISDN situation
So the concrete idea of B-ISDN was to:
1. Add new high-speed channels to the existing channel spectrum.
2. Define a new broadband UNI (User Network Interface).
3. Rely on existing 64Kbps ISDN protocols and only modify or enhance them when absolutely unavoidable.
So B-ISDN was perceived to replace the entire telephone system and all the specialized networks with a single integrated network for all kinds of information transfer. The services offered by B-ISDN include video-on-demand, full motion pictures from many sources, full motion multimedia electronic mail, CD quality music, LAN interconnection, high speed data transport for industry and many other services that have not yet even been thought of, all over the telephone line. Hence B-ISDN is defined as "an ISDN system using transmission channels capable of supporting rates that are greater than PRA".
15.2 ATM situation
The underlying technology that makes B-ISDN possible is ATM (Asynchronous Transfer Mode). Mode means a specific method or way. Transfer means the transmission and switching aspects: switching by means of cell switching, and transmission by means of a primary rate of 155.52Mbps or above. Asynchronous means information packets are transferred in an irregular or random occurrence pattern, as they are filled according to demand. Hence "ATM is a method of transmission & switching of information in the form of packets which may occur in an irregular occurrence pattern as they are filled according to the demand of the user".
15.3 STM
Fig-1: STM multiplexing. Inputs X, B, A, Y enter a MUX; the output carries every time slot, including the empty cells X and B. (figure not reproduced)
In the above Fig-1, even though the cells X and B are empty, they are also multiplexed and sent on the output side. By this, the bandwidth is not used effectively.
15.4 ATM
Fig-2: ATM multiplexing. Inputs X, B, A, Y enter a MUX; only the filled cells A and Y appear on the output. (figure not reproduced)
In the above Fig-2, the empty cells X and B are not transferred towards the output side at all. By this, the output bandwidth is effectively used. This technique is used in ATM switching:
• Packet switching technology is used.
• Statistical multiplexing (another name for Asynchronous Time Division Multiplexing) is used.
• The Cell Relay method is used.
Hence ATM is a standardized technology that enables the convergence of a variety of services such as:
• Low bandwidth and very high bandwidth.
• Synchronous and asynchronous.
• Voice, video and data.
• Constant Bit Rate (CBR) and Variable Bit Rate (VBR).
• Real-Time (RT) and Non-Real-Time (NRT).
• Slotted and packetized.
• Switched and non-switched.
In addition, ATM is independent of the transmission medium, which means the medium can be wire (twisted pair/copper pair/co-axial/fiber) or wireless. ATM technology allows a variety of bit rates to be transported, and sophisticated bandwidth management enables the network to be more efficient and at the same time maintain a QoS (Quality of Service) custom suited to each service.
15.5 ATM Protocol
ATM is the protocol designed by the ATM Forum and adopted by the ITU-T. ATM can be thought of as the "highway" of the information superhighway. ATM can do everything that N-ISDN can do, but with better quality. In the ATM system, the packet size is fixed at 53 octets, known as a CELL. Any type of traffic, viz. voice, data, video, synchronous or asynchronous, short or long packets, can be converted into ATM cells by a process known as emulation. So ATM can also be called cell relaying technology or cell switching technology, or a B-ISDN services switch. The primary rate of transmission in ATM is 155.52Mbps.
15.6 Cell Switching
Switching means creating a temporary connection between two or more devices linked to the switch, which may be a hardware and/or software device. Traditionally, 3 methods of switching have been important: circuit switching, packet switching and message switching.
15.7 Circuit switching
Circuit switching creates a direct physical connection between two devices such as phones or computers. As in Fig-3, devices A & G are connected by switches 1, 2 and 4 via paths I and III. Circuit switching is mostly used at the physical layer of the OSI model.
Fig-3: Circuit switching. Devices A to G, switches 1 to 4 and paths I, II, III; A and G are connected through switches 1, 2 and 4 via paths I and III. (figure not reproduced)
15.8 Packet Switching
Packet switching technology was designed for data communication. User data are packetized and sent packet by packet, using the path in a shared manner. Two different approaches are available under packet switching: the datagram approach and the virtual circuit approach. The latter is used in ATM. The identifier actually used for data transfer in the virtual circuit approach is called the virtual circuit identifier (VCI). A VCI is a small number that has only switch scope. It is carried by a frame. When a frame arrives at a switch, it has one VCI; when it leaves, it has another VCI. Fig-4 shows how the VCI in a data frame changes from one switch to another.
Fig-4: VCI translation at a switch. A frame carrying VCI 21 enters switch X and leaves carrying VCI 88. (figure not reproduced)
15.9 ATM Interfaces
ATM has 2 interfaces, namely:
1. User to Network Interface (UNI)
   1. Private UNI
   2. Public UNI
2. Network to Network Interface (NNI)
UNI is used between user and network, whereas NNI is used between networks.
15.10 ATM Connections
ATM or B-ISDN offers 2 types of connections, called PVC & SVC, and ATM services are connection oriented.
15.11 Permanent Virtual Connection (PVC)
A source and a destination may choose to have a dedicated virtual circuit. In this case, the corresponding table entry is recorded in all switches by the system administrator. An outgoing VCI is given to the source and an incoming VCI is given to the destination. The source always uses this VCI to send frames to that particular destination. The destination knows that the frame is coming from that particular source if the frame carries the corresponding incoming VCI. In a simple word, a PVC is like a hotline/P wire/point-to-point/leased line, and its nature is static. Fig-5 shows the PVC setup.
Fig-5: PVC setup between A and B through three switches; the switch tables from the figure are reproduced below. (figure not reproduced)
  Switch table 1: Incoming Port 11, VCI 14 -> Outgoing Port 31, VCI 34
  Switch table 2: Incoming Port 41, VCI 44 -> Outgoing Port 51, VCI 54
  Switch table 3: Incoming Port 21, VCI 34 -> Outgoing Port 22, VCI 44
  A sends "Data 14"; the frame is relayed as "Data 34", then "Data 44", and delivered to B as "Data 54".
15.12 Switched Virtual Circuit (SVC)
If a source needs connections with several destinations or with any other destination, it needs a PVC for each destination, which is costly. An alternative approach is the SVC. An SVC creates a temporary, short duration connection which exists only while data are being transferred by the end users. In other words, it is dynamic in nature. This approach requires a series of actions called the connection setup, setup acknowledgement, data transfer and tear down phases. ATM supports both types of connections.
15.13 ATM network architecture
An ATM network consists of access devices called end points, available at the user end, which are connected through an interface called the UNI to an ATM switch. Another ATM switch of the network is connected through an interface called the NNI. The architecture is shown in Fig-6.
Fig-6: ATM network architecture. End points A, B, C and D, E, F attach to switches 1, 2 and 3 over UNIs; the switches are interconnected over NNIs within the ATM network. (figure not reproduced)
15.14 Virtual Path/Virtual Connection or channel or circuit/Transmission Path
A connection between two end points is accomplished through a transmission path (TP), virtual path (VP) and virtual circuit (VC). A transmission path (TP) is the physical connection (wire/wireless) between an end point and a switch, or between two switches. A TP is divided into several virtual paths (VPs). A virtual path provides a connection or a set of connections between two switches. Within a VP, many circuits called virtual circuits (VCs) are available, which are used for connections. Cell networks are based on virtual circuits. All cells belonging to a single message follow the same VC and remain in their original order until they reach their destination. TP, VP and VC are shown in Fig-7.
Fig-7: A transmission path containing virtual paths, each of which contains virtual circuits. (figure not reproduced)
15.15 VPI/VCI
In a virtual circuit network, to route data from one end point to another, the virtual connection needs to be identified. For this purpose, the designers of ATM created a hierarchical identifier with 2 levels, called the virtual path identifier (VPI) and the virtual circuit or channel identifier (VCI). The VPI defines the specific VP and the VCI defines a particular VC inside the VP. Both connection identifiers are shown in Fig-8.
Fig-8: VPI/VCI hierarchy. The transmission path carries VP1, VP2 and VP3; VP1 contains VC1, VC2 and VC3. (figure not reproduced)
15.16 VP Switch/VC Switch
Most of the switches (core switches) within a typical ATM network route using the VPI (VP switch), i.e. switching takes place by changing the VPI but keeping the VCI within the VPI intact. Such switches are called VP switches. If switching takes place by changing both the VPI and the VCI, then such switches are called VC switches. The switches at the end points (edge switches) of the ATM network use both VPIs and VCIs (VC switch). Both switches are shown in Fig-9.
Fig-9: VP and VC switching across ports 1, 2 and 3. Labels in the figure: a VC switch handling VCI 1, VCI 2, VCI 3 and VCI 4 on VPI 1, VPI 2 and VPI 3; a VP switch carrying VCI 1 and VCI 2 unchanged while the VPI is changed to VPI 4 and VPI 5. (figure not reproduced)
15.17 ATM Transmission Rates
At present, the rate of transmission is 155Mbps, called the primary rate. Higher orders are also possible, in multiples of 4.
15.18 ATM Cell Format
An ATM cell consists of 2 fields, called the Header Field and the Information Field, as in Fig-10.
Fig-10: ATM cell format: HEADER FIELD (5 octets) followed by INFORMATION FIELD (48 octets). (figure not reproduced)
15.18.1 Header Field
The header field is different for UNI and NNI in the ATM network.
15.18.1.1 GFC (Generic Flow Control - 4 bits)
It is used to assist the customer network in cell flow control, but is not carried through the network.
15.18.1.2 VPI/VCI (Virtual Path Identifier - 8 bits / Virtual Channel Identifier - 16 bits)
This label identifies a particular virtual path and virtual channel or circuit on a transmission link. The switching nodes use this information, along with the routing information established at connection setup, to route the cells to the appropriate output ports. The switching nodes change the input values of the VPI/VCI fields to new output values. Since the VPI field is 8 bits (at the UNI) and the VCI field is 16 bits, a host can theoretically have 256 bundles, each containing up to 65,536 circuits:
8 VPI bits provide 2^8 = 256 bundles
16 VCI bits provide 2^16 = 65,536 circuits
15.18.1.3 CLP (Cell Loss Priority - 1 bit)
Having one of the two values '0' or '1', the CLP indicates the priority of a cell when a network element has to decide which cell to drop when its throughput exceeds its transfer rate. In congestion situations, cells with CLP = 1 may be dropped and not transferred at all.
15.18.1.4 PTI (Payload Type Identifier - 3 bits)
It identifies the payload type, i.e. whether the cell payload contains user data or network information, and also provides congestion indication.
15.18.1.5 HEC (Header Error Control - 8 bits)
The HEC code detects and corrects a single-bit error, or detects multi-bit errors, in the header field. It is based on CRC-8 with the divisor polynomial x^8 + x^2 + x + 1.
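The following added example (not code from the original text) puts 15.18.1 together with the VCI translation of 15.8 and the PVC tables of 15.11: it packs and parses the UNI header, generates the HEC from x^8 + x^2 + x + 1, corrects a single-bit header error and rejects multi-bit errors, classifies idle/unassigned/signalling cells, and VC-switches a cell through tables modelled on Fig-5. The switch ids 1 to 3, the VPI value 1 and the 0x55 coset (from ITU-T I.432) are assumptions, as the figure does not number its tables or show VPIs.

```python
"""ATM UNI cell header: pack/unpack, HEC generation and single-bit correction,
cell classification and VPI/VCI translation through a PVC table.  Added example,
not from the original text; switch ids 1-3 and VPI 1 are constructed after Fig-5."""
from dataclasses import dataclass

HEC_POLY = 0x07    # x^8 + x^2 + x + 1 with the x^8 term implicit (15.18.1.5)
HEC_COSET = 0x55   # ITU-T I.432: the CRC remainder is XORed with 01010101


def crc8(data: bytes) -> int:
    """Bitwise CRC-8 over data, initial value 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ HEC_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def hec(first_four: bytes) -> int:
    return crc8(first_four) ^ HEC_COSET


@dataclass
class UniHeader:
    gfc: int  # 4 bits (absent at the NNI, where the VPI is 12 bits)
    vpi: int  # 8 bits
    vci: int  # 16 bits
    pti: int  # 3 bits
    clp: int  # 1 bit

    def pack(self) -> bytes:
        """Return the 5-octet UNI header, HEC included."""
        if not (0 <= self.gfc < 16 and 0 <= self.vpi < 256 and 0 <= self.vci < 65536
                and 0 <= self.pti < 8 and self.clp in (0, 1)):
            raise ValueError("header field out of range")
        word = (self.gfc << 28) | (self.vpi << 20) | (self.vci << 4) | (self.pti << 1) | self.clp
        four = word.to_bytes(4, "big")
        return four + bytes([hec(four)])

    @classmethod
    def unpack(cls, header: bytes) -> "UniHeader":
        word = int.from_bytes(header[:4], "big")
        return cls(word >> 28, (word >> 20) & 0xFF, (word >> 4) & 0xFFFF,
                   (word >> 1) & 0x7, word & 0x1)


# Syndrome -> flipped bit (0 = LSB of the HEC octet) for every single-bit error
# in the 40-bit header; the CRC is linear, so this is independent of content.
SYNDROME_TABLE = {}
for _bit in range(40):
    _pattern = (1 << _bit).to_bytes(5, "big")
    SYNDROME_TABLE[crc8(_pattern[:4]) ^ _pattern[4]] = _bit


def check_header(header: bytes):
    """15.28: ('valid', header) if the HEC matches or one bit was corrected,
    ('invalid', None) for a non-correctable (multi-bit) header error."""
    syndrome = hec(header[:4]) ^ header[4]
    if syndrome == 0:
        return "valid", bytes(header)
    bit = SYNDROME_TABLE.get(syndrome)
    if bit is None:
        return "invalid", None
    fixed = int.from_bytes(header, "big") ^ (1 << bit)
    return "valid", fixed.to_bytes(5, "big")


def classify(h: UniHeader) -> str:
    """VPI=0/VCI=0 is idle (CLP=1) or unassigned (CLP=0) per ITU-T I.432/I.361;
    VCI=5 is the signalling channel (15.26); anything else is a user cell."""
    if h.vpi == 0 and h.vci == 0:
        return "idle" if h.clp == 1 else "unassigned"
    return "signalling" if h.vci == 5 else "assigned"


# PVC tables recorded by the administrator (15.11), constructed after Fig-5:
# switch id -> {(in_port, vpi, vci): (out_port, vpi, vci)}
SWITCH_TABLES = {
    1: {(11, 1, 14): (31, 1, 34)},
    2: {(41, 1, 44): (51, 1, 54)},
    3: {(21, 1, 34): (22, 1, 44)},
}


def switch_cell(switch_id: int, in_port: int, cell: bytes):
    """VC-switch one 53-octet cell: check the HEC, translate VPI/VCI from the
    PVC table and regenerate the HEC.  Returns (out_port, cell) or (None, reason)."""
    status, header = check_header(cell[:5])
    if status != "valid":
        return None, "invalid cell"
    h = UniHeader.unpack(header)
    if classify(h) != "assigned":
        return None, "not a user cell"
    entry = SWITCH_TABLES[switch_id].get((in_port, h.vpi, h.vci))
    if entry is None:
        return None, "no connection"
    out_port, h.vpi, h.vci = entry
    return out_port, h.pack() + cell[5:]
```

Feeding a cell with VCI 14 into table 1 at port 11, then table 3 at port 21, then table 2 at port 41 reproduces the Data 14 -> 34 -> 44 -> 54 relay of Fig-5, each hop leaving a valid HEC behind.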
15.18.2 Information Field (48 Octets)
CSI => Convergence Sublayer Indicator (1 bit); SN => Sequence Number (3 bits); SNP => Sequence Number Protection (3 bits).
The Information Field does not contain all 48 octets of user data. One or two octets are dedicated for administration and cell sequence purposes. The first octet (after the header octets) consists of three sub-fields. The first bit is known as the convergence sublayer indicator (CSI). It is used to indicate whether the pointer is used or not. The next three bits are the sequence number (SN), from 000 to 111, used to detect the type of cells. The next three bits are the Sequence Number Protection (SNP). It performs error detection on the CSI and SN sub-fields. One bit is not used at present. The second octet is optional and is used as a pointer to mark the start of long encapsulated messages. The 48-octet information field is only scrambled.
15.19 Format
15.20 ATM Reference Model
ATM functionality is organized in a stack of layers, each layer assigned a specific function. It consists of three planes, called 1) User Plane 2) Control Plane 3) Management Plane.
Management Plane: All the management functions that relate to the whole system are located in the management plane, which is responsible for providing coordination between all planes. It has two types of functions: i) Layer Management ii) Plane Management.
Layer Management: 1. Management functions relating to resources and parameters residing in its protocol entities. 2. Handles the specific OAM information flow for each layer.
Plane Management: Management of all the planes for their proper functioning.
Control Plane: Responsible for the call control and connection control functions. These are all signalling functions to set up, supervise and release a call or connection.
User Plane: Deals with the transport of user information, flow control and recovery from errors.
15.21 ATM Protocol Layers
The ATM standard defines 3 layers. They are, from top to bottom, the AAL (ATM Adaptation or Application Layer), the ATM Layer and the Physical Layer, as in Fig-11.
Fig-11: ATM protocol stack: AAL (Layer-3), ATM (Layer-2), PHYSICAL (Layer-1). (figure not reproduced)
Normally the end switches use all 3 layers, while the intermediate switches use only the bottom 2 layers, as in Fig-12.
Fig-12: End points run AAL, ATM and PHYSICAL; the switches inside the ATM network run only ATM and PHYSICAL. (figure not reproduced)
15.22 Functions Of Each Layer
15.22.1 Physical Layer
This layer deals with issues related to the physical connectivity of the transmission medium and the transmission of ATM cells. This layer is divided into 2 sublayers, called 1. Physical Medium Dependent (PMD) and 2. Transmission Convergence (TC).
Functions of the Physical Medium sublayer: It is the lowest sublayer and includes 2 functions, namely 1. the PMD functions and 2. bit timing functions. PMD functions provide the bit transmission capability, including bit alignment. Line coding and, if necessary, electrical/optical conversion are performed by this layer. In many cases the PM will be an OFC; other media such as coaxial and twisted pair cables are also possible. The transmission functions are medium specific. Bit timing functions are the generation and reception of waveforms suitable for the medium, insertion and extraction of timing information, and line coding if required.
The TC sublayer performs 5 functions, namely:
1. Transmission frame generation & recovery.
2. Transmission frame adaptation, which is responsible for all actions to adapt the cell flow according to the payload structure of the transmission system (interface). Two interfaces are defined, namely (1) the SDH based interface or byte structured interface and (2) the cell based interface. Under the SDH based interface, 155.520Mbps (STM-1) & 622.080Mbps (STM-4) rates are recommended for the UNI.
3. Cell delineation, the process which allows identification of the cell boundaries.
4. HEC sequence generation/verification. The HEC value is computed over the first 4 octets of the cell header and the result is inserted in the 5th octet, the HEC field. This is capable of detecting and correcting a single-bit error & detecting certain multiple-bit errors.
5. Cell rate decoupling. The insertion & discarding of idle cells is called cell rate decoupling.
15.22.2 ATM Layer
It deals with the flow of ATM cells, cell header related and path related issues.
Functions of the ATM Layer: This layer is above the Physical Layer and has four functions:
1. Cell multiplex/demultiplex: VCs and VPs are multiplexed and demultiplexed.
2. VPI and VCI translation.
3. Cell header generation/extraction.
4. Generic Flow Control.
15.22.3 ATM Adaptation Layer (AAL)
This layer lies between the ATM Layer and the Higher Layer. It has two functions:
1. Segmentation And Reassembly (SAR)
2. Convergence Sublayer (CS)
   1) Service Specific Convergence Sublayer (SSCS)
   2) Common Part Convergence Sublayer (CPCS)
AAL can be classified by four methods, namely:
1. Based on timing: timing between source and destination required or not required. Real time services like voice & video require timing synchronisation, whereas non-real time services like data transfer do not.
2. Based on bit rate: bit rate constant or variable. Switched speech has CBR, whereas packet transfer has VBR.
3. Based on connection: connection oriented or not.
4. Based on services offered: 5 layers, called AAL1 to AAL5.
AAL types (columns: AAL layer | support | data accepted from the higher layer | addition at CS level | addition at SAR level | output in bytes):
AAL1 | 64Kbps voice/video, CBR | bit stream in packet size of 47 bytes without header | one byte as header | - | 48
AAL2 | no CBR, but low bit rate & short packet frame traffic like mobile services | short data in 44 bytes | one byte as header | 3 bytes as header | 48
AAL3/4 | connection oriented/connectionless | in packets up to 64KB | 44 bytes per packet after adding 4 bytes each as header and trailer | two bytes as header and two bytes as trailer | 48
AAL5 (SEAL) | all types of traffic | in packets up to 64KB | - | - | 48
15.23 ATM Switch Types
Knockout switch, crossbar switch or single stage switch, shared memory switch, shared medium switch, fully interconnected switch, space division switch, banyan switch or multi-stage switch, batcher-banyan switch and sunshine switch are the different types of ATM switches. The batcher-banyan switch is widely used.
15.24 Benefits Of ATM
The 2 main benefits are 1) Traffic management 2) QoS.
Traffic Management:
• Protects the network and the end system from congestion in order to achieve network performance objectives.
• Promotes the efficient use of network resources.
• Mechanisms are both preventive and reactive.
• Fairness by identification and isolation of misbehaving traffic and per-flow processing.
Parameters for traffic management: 1) Connection Admission Control (CAC) 2) Usage Parameter Control (UPC) 3) Network Parameter Control (NPC) 4) Cell Loss Priority (CLP) 5) Traffic Shaping 6) Frame Discard 7) Feedback Control 8) Network Resource Management.
QoS contract parameter negotiations are defined in UNI Ver 3.0, UNI Ver 3.1 and UNI Ver 4.0 (Ver 4.0 is the latest one) and PNNI Ver 1.0 signalling for the native ATM environment, and LANE Ver 2.0 (the latest one) for the non-native ATM environment.
ATM QoS Parameters: Six parameters are defined for ATM QoS. They are 1) negotiated parameters (dynamic in nature, Sl.No 1, 2 & 3) and 2) non-negotiated parameters (static in nature, Sl.No 4, 5 and 6).
1. Cell Delay Variation (CDV): Difference between a single observation of cell transfer delay and the mean cell transfer delay on the same connection.
2. Cell Error Ratio (CER): Ratio of errored cells to the number of delivered cells.
3. Cell Loss Ratio (CLR): Ratio of lost cells to transmitted cells.
4. Cell Misinsertion Ratio (CMR): Number of misinserted cells per connection/second.
5. Cell Transfer Delay (CTD): Arithmetic average of a specified number of cell transfer delays.
6. Severely Errored Cell Block Ratio (SECBR): Ratio of the number of severely errored cell blocks to the total number of cell blocks.
15.25 ATM QoS service classes
3 metrics were devised to give 3 different service classes, such as fastest traffic, average traffic and best effort traffic, under the traffic contract scheme:
1. Peak Cell Rate (PCR): The highest rate at which traffic will run for any length of time (defined in cells/sec).
2. Sustainable Cell Rate (SCR): The mean rate at which traffic ideally will travel (defined in cells/sec).
3. Maximum Burst Size (MBS): The largest cell burst that will be tolerated by the traffic contract (defined in cells/sec).
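As an added example (not from the original text) of how the UPC, traffic shaping and CLP tagging of 15.24 enforce the PCR/SCR/MBS contract of 15.25, the block below polices a constructed cell stream with two GCRA buckets and then shapes the same stream so that it conforms. GCRA (the Generic Cell Rate Algorithm of the ATM Forum traffic management specification) is assumed as the policing algorithm, since the text names the mechanism but not the algorithm; the contract values and arrival times are constructed.

```python
"""Usage Parameter Control and traffic shaping with the Generic Cell Rate
Algorithm (GCRA) against a PCR/SCR/MBS contract.  Added example, not from the
original text: the text names UPC, shaping and CLP tagging; GCRA is the
reference algorithm of the ATM Forum traffic management specification and is
used here in its virtual-scheduling form.  Times are in microseconds."""
from dataclasses import dataclass


@dataclass
class Gcra:
    """GCRA(I, L): one cell every I on average, early arrivals tolerated up to L."""
    increment: float       # I, nominal inter-cell time
    limit: float           # L, tolerance (CDVT or burst tolerance)
    tat: float = 0.0       # theoretical arrival time of the next cell

    def earliest(self, t: float) -> float:
        """Earliest time >= t at which a cell would conform (used by the shaper)."""
        return max(t, self.tat - self.limit)

    def conforms(self, t: float) -> bool:
        """Police one cell arriving at t; the TAT advances only for conforming cells."""
        if t < self.tat - self.limit:
            return False
        self.tat = max(t, self.tat) + self.increment
        return True


@dataclass
class Contract:
    pcr: float           # Peak Cell Rate, cells/sec
    scr: float           # Sustainable Cell Rate, cells/sec
    mbs: int             # Maximum Burst Size, cells
    cdvt: float = 0.0    # cell delay variation tolerance, microseconds

    def buckets(self):
        """PCR bucket and SCR bucket; the burst tolerance lets MBS cells pass at PCR."""
        t_pcr = 1e6 / self.pcr
        t_scr = 1e6 / self.scr
        burst_tolerance = (self.mbs - 1) * (t_scr - t_pcr)
        return Gcra(t_pcr, self.cdvt), Gcra(t_scr, burst_tolerance + self.cdvt)


def police(contract: Contract, arrivals):
    """UPC: for each arrival time return (t, 'pass'), (t, 'tag') (CLP set to 1, so
    the cell is dropped first under congestion, 15.18.1.3) or (t, 'drop')."""
    pcr_bucket, scr_bucket = contract.buckets()
    actions = []
    for t in arrivals:
        if not pcr_bucket.conforms(t):
            actions.append((t, "drop"))      # exceeds the peak rate
        elif not scr_bucket.conforms(t):
            actions.append((t, "tag"))       # exceeds SCR/MBS: tag, do not drop
        else:
            actions.append((t, "pass"))
    return actions


def shape(contract: Contract, arrivals):
    """Traffic shaping: delay each cell to the earliest time at which it conforms
    to both buckets (keeping cell order), so the shaped stream passes the policer."""
    pcr_bucket, scr_bucket = contract.buckets()
    departures = []
    for t in arrivals:
        depart = max(pcr_bucket.earliest(t), scr_bucket.earliest(t))
        if departures:
            depart = max(depart, departures[-1])
        pcr_bucket.conforms(depart)
        scr_bucket.conforms(depart)
        departures.append(depart)
    return departures


if __name__ == "__main__":
    # Constructed contract: PCR 10000 cells/s (100 us), SCR 2500 cells/s (400 us), MBS 4.
    contract = Contract(pcr=10000, scr=2500, mbs=4)
    burst = [0, 100, 200, 300, 400, 500, 550, 2000]   # constructed arrival times
    print(police(contract, burst))
    print(shape(contract, burst))
```

With the constructed contract, the first four cells of the burst pass at the peak rate, the fifth and sixth exceed the MBS and are tagged, the seventh violates the PCR and is dropped, while the shaped stream spreads the burst out and passes untouched.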
15.26 ATM Signalling concepts
• VPI=0 and VCI=5 is used for the default signalling channel.
• VPI=X and VCI=Y is used for data transfer.
• Any VPI with VCI=5 can also be used for signalling.
• Switching is done according to the called number within the signalling message.
• The purpose of signalling is to establish, release and maintain the user communication channel or path.
15.27 ATM Switch Architecture
The basic function of the ATM switching system is to route cells from the input port to the appropriate output port of the switch. The ATM switching system must contain the functions defined by the U-Plane, C-Plane and M-Plane of the B-ISDN PRM in addition to relaying cells. Also, the ATM system should support & implement the traffic control functions based on ITU-T & ATM-F recommendations. All these functions are distributed within the ATM switch architecture as in Fig-13, with the following functional parts: 1) Input Modules (IMs) 2) Cell Switch Fabric (CSF) 3) Output Modules (OMs) 4) Connection Admission Control (CAC) 5) System Management (SM) 6) Multiplexer/Demultiplexer (optional).
Fig-13: Generic ATM switch architecture. Non-native ATM traffic enters through a MUX; native ATM and multiplexed traffic enter Input Modules (IM), pass through the Switching Network (CSF) to Output Modules (OM); CAC and SM provide control. (figure not reproduced)
Input Module (IM): 1) Handles incoming traffic 2) Conversion of optical to electrical signal 3) Extracting the digital bit stream 4) Identifying the cell boundaries 5) Extracting the ATM cells 6) Discarding the empty cells 7) Error checking the cell header 8) Traffic shaping 9) UPC/NPC verification from the database & notification to SM.
Cell Switch Fabric (CSF): This is primarily responsible for transferring data cells between the IM & OM, after processing the signalling cells with the help of CAC and the operation and maintenance cells with the help of SM. It includes cell buffering, VPI and VCI translation, multicasting, broadcasting, cell scheduling based on user priorities and congestion monitoring.
Output Module (OM): 1) It is the counterpart of the IM 2) Handles the outgoing traffic 3) Insertion of signalling/management cells received from CAC & SM into the outgoing cell stream 4) New VPI/VCI allocation from the database 5) Mapping of ATM cells 6) Filling up of empty cells 7) Line coding 8) Electrical to optical conversion.
CAC: The signalling/control information is routed to CAC through the CSF or from the IM directly. It performs the connection admission decision and resource allocation for all connections in the switch.
SM: It is responsible for managing the entire switching system. It includes fault management, performance management, configuration management, security management, accounting management and traffic management by means of congestion control. It is also responsible for supporting the Interim Local Management Interface for each UNI.
Mux/Demux: It is an optional item. It will be available only if non-native ATM devices are to be interconnected with the ATM switch.
Numbering Convention: It is defined as per ITU-T recommendation I.361, which says that octets are sent in increasing order starting with octet 1; therefore the header field is sent first, followed by the information field. Bits within an octet are sent in decreasing order starting with bit 8, so for all fields the 1st bit is the MSB.
CELL: A cell is a block of fixed length. It is identified by a label at the ATM layer of the B-ISDN PRM.
15.28 Types of Cell
There are 7 types of cells, namely i) Idle Cell ii) Valid Cell iii) Invalid Cell iv) Assigned Cell v) Unassigned Cell vi) Meta-signalling Cell vii) OAM Cell.
Idle Cell: This is inserted or extracted by the physical layer in order to adapt the cell flow rate to the available rate of the transmission system.
Valid Cell: This is a cell with no header error or with a corrected error.
Invalid Cell: This is a cell with a non-correctable header error.
Assigned Cell: This is a valid cell that provides a service to an application using the ATM layer service.
Unassigned Cell: This is an ATM layer cell which is not an assigned cell.
Meta-signalling Cell: This is used for establishing or releasing a switched virtual connection, administration and maintenance of the ATM node and the network channel connection. A permanent virtual channel connection needs no meta-signalling.
OAM Cell: This is used for Operation & Maintenance.
15.29 ATM Services
ATM services are classified into 4 categories (columns: name of service | uses | application):
1. Conversational services (1. bi-directional, 2. uni-directional) | Provides interacting, real-time end to end communication | Voice services, video telephony, videoconference.
2. Retrieval services (1. selective, 2. all) | Data library services stored in a central place | Film, high resolution images, audio and video retrieval.
3. Messaging services | Not real time services; data may get stored in nodes and forwarded from location to location | Message handling services, mail services.
4. Distribution services
   a) Without user-individual presentation control | User has no control over time or order of presentation | Cable TV transmission, stock market information, weather broadcast, newspaper services and TV programs.
   b) With user-individual presentation control | Information is transmitted as a sequence of frames with cyclic repetition; user has control over time or order of presentation | Interactive electronic newspaper.
15.30 Underlying Transmission System For ATM Switch
SDH: as per ITU-T recommendation, followed by all countries except NORTH AMERICA and JAPAN. SONET: as per ANSI recommendation, followed by NORTH AMERICA and JAPAN. BSNL implemented ATM with SDH, as in Fig-14.
Fig-14: ATM switch with SDH transmission ring; four ATM nodes around an SDH ring. (figure not reproduced)
15.31 Conclusion
The key to efficient utilization of ATM networks is the integration of multiple services over a common infrastructure. Traffic management with QoS plays a significant role. ATM is going to play in a big way in different flavours like BB etc. To support this, various native ATM as well as non-native ATM protocols are defined.
Chapter 16
MULTI PROTOCOL LABEL SWITCHING And VIRTUAL PRIVATE NETWORK
Contents
• Introduction.
• Circuit Switching.
• Packet Switching.
• Label Switching.
• MPLS Architecture.
• MPLS protocols.
• Traffic Engineering.
• Virtual Private Network.
Objectives
After the completion of the module, the trainee will be able to know about:
• Circuit Switching.
• Packet Switching.
• Label Switching.
• Evolution of the MPLS.
• Functions and features of MPLS.
• Function and features of VPN.
MULTI PROTOCOL LABEL SWITCHING 16.1 Introduction Switching is the process by which, two circuits are interconnected for exchanging information. Information is in the form of either analog or digital. In electro mechanical era, information was in the form of analog. Presently, information is in the form of digital. In order to interconnect the circuits, supporting the digitized information, suitable digital switches are designed. Digital Switches are classified as (1)Circuit switch (2) Packet switch Apart from the above models of switching, Multi Protocol Label Switching model is configured in Packet Switch Area.
16.2 Circuit Switches Circuit switch mainly supports the switching the voice paths. Digital spectrum is divided into equal parts (64 kbps). Circuit switch uses these 64 kbps path for voice switching. Voice samples of a particular conversation should reach the destination sequentially through the 64 kbps digital path by maintaining maximum permissible delay of 125 us, to avoid the loss of intelligence. In order to satisfy the above conditions, switched path should be permanent until the end of the conversation. . Hence, the routing becomes connection oriented. No other user also can intrude in that path. Also the switched paths can be categorized according to the type of services and class of services. Example:-
Class of Services Emergency Services Routes Special Services Routes Type of Services Normal users (non priority users) Prioritized users.
16.3 Packet Switches
Instead of dividing the digital spectrum, the entire message is divided into packets, which are addressed and numbered. The packet switch sends the addressed and numbered packets one by one to the destination over different routes, using the entire available spectrum. For example, if the packet size is 2 Mb, the packet switch uses a 2 Mbps digital spectrum for a period of one second. At the destination, the packets arrive at random times; even the first packet may arrive last. The receiver has to wait until all the packets are received. The packets are then arranged sequentially and reassembled into the message. Since the packets are routed over different routes, the routing is connectionless, and no dedicated path is used between source and destination. Packet switches are presently used in ISP networks.
16.3.1 Comparison of circuit and packet switches
1) Circuit switch: follows connection oriented routing (dedicated path), so there is no loss of intelligence.
   Packet switch: uses connectionless routing, so loss of packets is possible.
2) Circuit switch: latency can be kept within the limit.
   Packet switch: latency cannot be maintained.
3) Circuit switch: class of services can be defined.
   Packet switch: class of services cannot be defined.
4) Circuit switch: type of users can be defined.
   Packet switch: type of users cannot be defined.
5) Circuit switch: security is high during the transaction, since the switched path cannot be intruded upon.
   Packet switch: security is meager; intrusion is possible during the transaction, e.g. receiving many advertisements during downloads.
6) Circuit switch: only part of the destination address (route code, exchange code, etc.) is analyzed.
   Packet switch: the entire address (IP address) is analyzed to select the best match.
Hence, the limitations of the packet network are summarized as follows:
• Creation and processing of the routing table is tedious.
• Class of services (priorities), as in the circuit switch, is not implemented presently.
• Type of services (category), as in the manual board, is not available in the present IP network.
• Loss of packets, because of the random routing of packets.
• Delayed processing at the receiving end, since packets do not reach the destination sequentially.
• Security problems.
16.4 Label Switching
The above limitations can be overcome by using the following techniques in the present IP network.
• Connectionless IP routing is converted into connection oriented routing by overlaying the Network Layer function with a Data Link Layer function.
• IP addresses are converted into labels (route codes in a circuit switch), according to the class and type of service, like the categories and priorities in circuit switches.
• Intermediate routers use only the labels (route codes in a circuit switch) for further routing of the destined IP packet with the appropriate label.
The above techniques are used in Multi Protocol Label Switching. Hence, MPLS is the implementation of the circuit switch model in the packet switch area. The MPLS frame uses various Data Link frames like ATM, Frame Relay, PPP/Ethernet, etc. Since MPLS uses label switching and supports multiple protocols, it is called Multi Protocol Label Switching.
16.4.1 Components of MPLS IP Network
• Customer Edge, which works at the IP level.
• Provider Edge, which is the entry point of the MPLS domain. It is called the "Label Edge Router".
• Provider Routers, which work as transit switches in between LERs. These are known as "Label Switching Routers".
• Label Switched Path, which is the data path between two routers through which packets travel.
16.5 MPLS Architecture
16.5.1 Customer Edge
The Customer Edge structures the customer's message into IP packets and sends them to the entry node of the MPLS domain. When receiving IP packets from the egress node of the MPLS domain, the CE passes them to its own Network Layer after removing the IP address.
16.5.2 Label Edge Router
Label Edge Routers work as the gateways of the MPLS domain. As the ingress LER, it receives the IP packet from the CE and assigns the appropriate label. After wrapping the label, it sends the labeled packet towards the next hop through the Label Switched Path assigned for the specific Forward Equivalence Class. Assigning the label is known as Label Binding. The LER also acts as the egress router: it receives the labeled IP packets from the previous transit router, pops the label (removes the label) and routes the IP packets towards the destined CE.
The LER receives the multiplexed input from the CE and extends the switched output towards the transit routers.
16.5.3 Label Switching Router
Label Switching Routers basically work as transit switches in the MPLS cloud. An LSR receives labeled IP packets through the appropriate LSP. It analyses the label bound over the packet, consults the forwarding information table (LIB) and routes the packet through the appropriately mapped outgoing LSP. When the LSR routes a packet from the incoming LSP to the outgoing LSP, it strips out the incoming label and assigns a new label to the same packet, to ensure security from intruders. This process is known as Label Swapping or Label Changing. The MPLS network architecture is as shown in the diagram. The lines shown between the CE and the LER carry IP packets bi-directionally.
16.5.4 Label Switched Paths
Within an MPLS domain, a path is set up for a given packet to travel based on an FEC. The LSP is set up prior to data transmission. The lines shown in the MPLS domain are the Label Switched Paths that carry labeled IP packets between the routers. There are two types of Label Switched Path: Static LSPs and Signalled LSPs.
• Static LSPs are configured manually on each LSR in the LSP. No signaling protocol is used. To establish a static LSP, you configure the ingress LER, transit LSRs and egress LER, manually specifying the labels to be applied at each hop.
• Signalled LSPs are configured only at the ingress LER. When the LSP is enabled, RSVP signaling messages travel to each LSR in the LSP, reserving resources and causing labels to be dynamically associated with interfaces. When a packet is assigned to a signalled LSP, it follows a pre-established path from the LSP's ingress LER to its egress LER.
16.5.5 How MPLS works
The ingress LER receives the IP packet destined for 61.2.1.1 from the Customer Edge and selects the correct label (5) from its LIB. It binds the selected label (5), according to the FEC, over the IP packet and sends it through the pre-programmed LSP (2) towards LSR1. On receipt of the labeled IP packet, LSR1 analyses the label only and ignores the IP address. It consults its LIB for further routing; as a result it removes the incoming label (5), wraps the newly assigned label (3) over the IP packet and sends it towards LSR2 over the assigned LSP (7). LSR2 consults its LIB and transmits the IP packet, after swapping the incoming label (3) with the outgoing label (10), towards the egress LER over the pre-assigned LSP (4). The egress LER strips the label (10), looks at the destined IP address (61.1.2.1) and hands the packet over to the correct CE.
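The forwarding sequence above, carried through as an added Python example (not code from the original training material): the LIB contents are reconstructed from the label and LSP numbers quoted in the text, while the FEC prefix 61.2.0.0/16 and the 32-bit shim-header layout (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL, as in RFC 3032) are assumptions, since the page's diagram is not reproduced.

```python
import struct
from ipaddress import ip_address, ip_network


def encode_shim(label, tc=0, bos=1, ttl=64):
    """Pack one 32-bit MPLS shim header: label(20) | tc(3) | S(1) | ttl(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def decode_shim(shim):
    """Unpack a shim header into its fields."""
    (word,) = struct.unpack("!I", shim)
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}


# Ingress LER: FEC-to-NHLFE map (FTN). The FEC is a destination prefix
# (assumed 61.2.0.0/16); the NHLFE gives the label to bind and the outgoing LSP.
INGRESS_FTN = {ip_network("61.2.0.0/16"): {"label": 5, "out_lsp": 2}}

# Transit LSRs: Incoming Label Map (ILM), keyed by (incoming LSP, incoming label).
# Values are the numbers quoted in the text: 5 -> 3 on LSP 7, 3 -> 10 on LSP 4.
LSR1_ILM = {(2, 5): {"label": 3, "out_lsp": 7}}
LSR2_ILM = {(7, 3): {"label": 10, "out_lsp": 4}}


def ingress_push(dst_ip, ftn):
    """LER: choose the FEC by longest-prefix match and bind (push) its label.
    Returns (shim, out_lsp), or None if no FEC matches (packet stays plain IP)."""
    addr = ip_address(dst_ip)
    matches = [net for net in ftn if addr in net]
    if not matches:
        return None
    fec = max(matches, key=lambda net: net.prefixlen)
    entry = ftn[fec]
    return encode_shim(entry["label"]), entry["out_lsp"]


def lsr_swap(shim, in_lsp, ilm):
    """LSR: look only at the label (the IP header is never parsed), swap it via
    the ILM and forward on the mapped LSP. Returns (new_shim, out_lsp), or None
    when the label is not bound on that LSP or the TTL is exhausted (drop)."""
    hdr = decode_shim(shim)
    entry = ilm.get((in_lsp, hdr["label"]))
    if entry is None or hdr["ttl"] <= 1:
        return None
    new_shim = encode_shim(entry["label"], hdr["tc"], hdr["bos"], hdr["ttl"] - 1)
    return new_shim, entry["out_lsp"]


def egress_pop(shim, ip_packet_dst):
    """Egress LER: strip the label and route on the IP address again.
    Returns the destination the packet is handed to the CE for."""
    hdr = decode_shim(shim)
    if hdr["bos"] != 1:
        return None  # another label underneath: not the end of the stack
    return str(ip_address(ip_packet_dst))


def forward(dst_ip):
    """Carry one packet along ingress LER -> LSR1 -> LSR2 -> egress LER and
    return the (node, label, LSP) trace, or None if it is dropped on the way."""
    trace = []
    step = ingress_push(dst_ip, INGRESS_FTN)
    if step is None:
        return None
    shim, lsp = step
    trace.append(("ingress LER", decode_shim(shim)["label"], lsp))
    for name, ilm in (("LSR1", LSR1_ILM), ("LSR2", LSR2_ILM)):
        step = lsr_swap(shim, lsp, ilm)
        if step is None:
            return None
        shim, lsp = step
        trace.append((name, decode_shim(shim)["label"], lsp))
    trace.append(("egress LER", None, egress_pop(shim, dst_ip)))
    return trace


if __name__ == "__main__":
    for hop in forward("61.2.1.1"):
        print(hop)
```

A packet for a prefix with no FEC, or a label that is not bound on the incoming LSP, is dropped rather than guessed at, which is the behaviour a transit LSR should have.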
16.5.5 Forward Equivalence Class
A Forward Equivalence Class (FEC) is a representation of a group of packets that share the same requirements for their transport. All packets in such a group are given the same treatment en route to the destination. As opposed to conventional IP forwarding, in MPLS the assignment of a particular packet to a particular FEC is done just once, as the packet enters the network. The Forward Equivalence Class is created in the LER based on:
• Class of service requirement.
• Quality of Service requirement.
• Prefixes of the IP addresses.
Based on class of service requirement: IP packets from different users are categorized on the basis of the class of service they are entitled to and allotted one Forward Equivalence Class number. For example, one FEC represents all the VoIP packets received from different users, and the MPLS domain treats them equally.
Based on Quality of Service requirement: Some online services, like video conferencing, require constant and high-speed data transmission. If the delay is exceeded, there could be a loss of intelligence. Such IP packets cannot be made to wait in the queue, so such services deserve a separate FEC.
Based on the prefixes of the IP addresses: The FEC is assigned on the basis of the prefix of the destination IP address.
16.5.6 Label
A label in MPLS is used as the routing code, like the STD code in a circuit switch. It identifies the path a packet should traverse in the MPLS domain. The label is encapsulated in a Data Link Layer 2 header, so a new layer is formed between the Network Layer and the Data Link Layer of the OSI layer concept. The name of the new layer is the MPLS SHIM layer. The function of this layer is to bind the MPLS label over the IP packet received from the Customer Edge. The label contains the information about the next hop address. The value of the label has only local significance, so the same label number can be reused in some other area.
16.5.7 Generic MPLS Label Format
The MPLS layer works between the Network Layer and the Data Link Layer, as shown in the diagram. Label binding and popping are done by the ingress and egress LERs respectively, while the LSR does the label swapping.
• The VPI/VCI of ATM and the DLCI of Frame Relay are used as labels, as they are supported by MPLS.
• MPLS also supports PPP. A shim layer is created between the L3 header and the L2 header in all LERs for the insertion of the label into the IP packets received from the Customer Edge.
16.5.8 ATM’s header as Data Link Layer
16.5.9 Frame Relay header as Data Link Layer
16.5.10 Point-to-Point (PPP)/Ethernet as the Data Link Layer
16.5.11 Label Bindings
Once a packet has been classified as a new or existing FEC, a label is assigned to the packet. The label values are derived from the underlying data link layer. ATM, Frame Relay, Point-to-Point Protocol/Ethernet and MPLS have the following common characteristics:
• They are connection oriented protocols.
• They are associated with frame-level functioning.
• They transfer the IP packets between adjacent nodes only.
These are the obvious reasons for MPLS supporting these protocols. So for data link layers such as Frame Relay or ATM, the Layer 2 identifiers, such as data link connection identifiers (DLCIs) in the case of Frame Relay networks or virtual path identifiers (VPIs)/virtual channel identifiers (VCIs) in the case of ATM networks, can be used directly as labels. The packets are then forwarded based on their label value. Labels are bound to an FEC as a result of some event or policy that indicates a need for such a binding. These bindings can be either data-driven or control-driven. The latter is preferable because of its advanced scaling properties, which can be used in MPLS. The policy of label binding is based on:
• Destination unicast routing
• Traffic engineering
• Multicast
• Virtual private network (VPN)
• Quality of Service.
16.5.12 LABEL MERGING The incoming streams of traffic from different interfaces can be merged together and switched using a common label if they are traversing the network toward the same final destination. Label merging is the replacement of multiple incoming labels for a particular FEC with a single outgoing label.
16.5.13 Label Stack
In the MPLS architecture, different labeled IP packets bound for a common destination can be assigned a common label. Thereafter that common label can be used up to the destination, as shown in the diagram. It is achieved by stacking the label at the LSR, based on the instant of arrival of the packets through the incoming LSPs. It is organized as a last-in, first-out stack, referred to as a "label stack". The last label has 1 in the stack field, while the others have 0 in the stack field.
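Label merging and the label stack (sections 16.5.12 and 16.5.13) as an added Python example, not code from the original text: two packets that arrive with their own labels are placed under one common outer label, and the receiving side walks the stack until the entry whose stack field is 1. The label values 3, 8 and 20 and the payload are constructed; the stack field is taken to be bit 8 of the 32-bit shim entry, as in RFC 3032.

```python
import struct


def encode_shim(label, bos, tc=0, ttl=64):
    """One 32-bit stack entry: label(20) | tc(3) | S(1) | ttl(8)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def decode_shim(entry):
    """Return (label, S) of one stack entry."""
    (word,) = struct.unpack("!I", entry)
    return word >> 12, (word >> 8) & 0x1


def build_stack(labels, payload):
    """Stack labels over payload, outermost first; only the last (bottom)
    entry carries S=1, exactly as the text describes the stack field."""
    entries = [encode_shim(lab, bos=int(i == len(labels) - 1))
               for i, lab in enumerate(labels)]
    return b"".join(entries) + payload


def parse_stack(frame):
    """Walk the stack top-down until an entry with S=1 is found. Returns
    (labels, payload). Raises ValueError if no bottom entry exists within the
    frame: a router must drop such a frame instead of guessing where the IP
    header starts."""
    labels, off = [], 0
    while off + 4 <= len(frame):
        label, bos = decode_shim(frame[off:off + 4])
        labels.append(label)
        off += 4
        if bos:
            return labels, frame[off:]
    raise ValueError("no bottom-of-stack entry in frame")


def is_well_formed(frame):
    """True when the stack terminates inside the frame."""
    try:
        parse_stack(frame)
        return True
    except ValueError:
        return False


def push_common_label(frame, common):
    """LSR side of 16.5.12/16.5.13: put one shared outer label over packets
    that already carry their own label. The new entry has S=0 because an
    entry remains beneath it; the inner entries are left untouched."""
    parse_stack(frame)  # refuse to stack over a malformed frame
    return encode_shim(common, bos=0) + frame


def pop_label(frame):
    """Remove the top entry at the end of the common path. Returns
    (popped_label, remainder); if the popped entry was the bottom, the
    remainder is the plain IP packet."""
    labels, _ = parse_stack(frame)
    return labels[0], frame[4:]


# Constructed sample: two packets arriving on different LSPs with their own
# labels (3 and 8), both bound for the same destination.
PAYLOAD = b"\x45\x00" + b"constructed IP packet"
PKT_A = build_stack([3], PAYLOAD)
PKT_B = build_stack([8], PAYLOAD)

if __name__ == "__main__":
    for pkt in (PKT_A, PKT_B):
        merged = push_common_label(pkt, 20)  # both now travel under label 20
        print(parse_stack(merged)[0])        # [20, 3] then [20, 8]
```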
16.6 Different types of protocols used in MPLS Networks
• Open Shortest Path First (OSPF) is the routing protocol that multicasts the change in the routing table of a host to all other hosts within the boundary of the network. In the MPLS network, this protocol is used as the Label Distribution Protocol between peers. This protocol is one of the Interior Gateway Protocols (IGP).
• Border Gateway Protocol is also one of the routing protocols; it provides loop-free inter-domain routing between autonomous systems. An autonomous system is a set of routers that operate under the same administration. Here the MPLS domain becomes an autonomous system. BGP is often run between the VPN networks and the MPLS network.
• Protocol-independent multicast (PIM), which is used for multicast state label mapping.
• Resource Reservation Protocol is not a routing protocol; it works in conjunction with other routing protocols to keep the Quality of Service within the MPLS cloud. It exchanges labels pertaining to services that require time management (online services like video conferencing, IP telephony, etc.). RSVP provides the creation of tunnels in the MPLS domain.
16.6.1 Label Creation
A label is created during the following events:
• The construction of the MPLS architecture.
• The creation of a new LER or LSR.
• The introduction of a new user with a distinguished service like VPN, etc.
There are several methods used in label creation:
• Topology-based method, which uses the normal processing of routing protocols (such as OSPF and BGP).
• Request-based method, which uses the processing of request-based control traffic (such as RSVP).
• Traffic-based method, which uses the reception of a packet to trigger the assignment and distribution of a label, using the label request and label assign mechanism, when an unlabeled IP packet is received.
16.6.2 Label Information Base
The Label Information Base is a software database created in both the LER and the LSR. It contains the mapping of the incoming label and LSP to the outgoing label and LSP. This database is created during the installation of the router and is subsequently updated automatically, using the Label Distribution Protocol, when a new LSR or LER is added. The Label Information Base contains the following components:
1) FEC-to-label bindings.
2) Forward Information Base.
FEC-to-label bindings: This table contains the mapping information for binding the label over the IP packet based on the FEC. This table resides in the LIB of the LER.
FORWARD INFORMATION BASE: The FIB contains the following components of information:
• Next Hop Label Forwarding Entry (NHLFE)
• Incoming Label Map (ILM)
• FEC to NHLFE Map (FTN)
Next Hop Label Forwarding Entry (NHLFE): This entry is used for routing the IP packet towards the next hop. It also defines how the IP packet is to be treated. Hence, this entry contains the following information:
1) Next hop address.
2) Interface number (LSP) between the routers.
3) Label binding (LER)/swapping (LSR) information, for binding/changing the label.
4) Layer 2 encapsulation information.
5) Label encoding procedure.
6) Packet processing information.
The NHLFE is created in all LERs and LSRs. More than one NHLFE may be created in an LER or LSR, depending upon the number of next hop LSRs connected to it.
Incoming Label Map (ILM): When a labeled IP packet is received over an LSP from the previous LSR or LER, the LSR analyses the information available in the label. It then consults the ILM database and decides the NHLFE to which the packet should be handed over, which in turn decides the next hop to which the IP packet is to be sent after changing the label. Thus the ILM information is used to map the incoming IP packet to the NHLFE. Since LSRs use the ILM, LSRs store ILM information in their FIBs.
Forward Equivalence Class to NHLFE Map (FTN): When the destined IP packet is received from the Customer Edge, the LER assigns the appropriate label according to the FEC. It then looks into the FEC to NHLFE Map (FTN) entry to route the labeled IP packet further. So LERs contain the FTN information.
16.6.3 Label Distribution in MPLS Domain
The MPLS architecture does not mandate a single method of signaling for label distribution. It uses:
• LDP, which maps unicast IP destinations into labels. It provides hop-by-hop or dynamic label distribution, using the IGP (OSPF). The resulting labeled paths, called label switched paths or LSPs, forward labeled traffic across an MPLS backbone to particular destinations. It also uses request-based label distribution. LDP uses the following messages for distributing labels:
  Discovery messages, which announce and maintain the presence of a new router in the network.
  Session messages, which establish, maintain and terminate sessions between LDP peers to exchange messages.
  Advertisement messages, which create, change or delete mappings for FECs.
  Notification messages, which provide signaling error information.
• RSVP, used for traffic engineering and resource reservation. When a new VPN/video conferencing/IP telephony user is created, this protocol supports the distribution of distinguished labels within the MPLS domain, resulting in Traffic Engineered Tunnels that carry the distinguished user's traffic.
• Protocol-independent multicast (PIM), used for multicast state label mapping. Some users may want to broadcast their messages to different users; this protocol supports the distribution of multicast labels. As a result, multiple LSPs are formed from a single user to many users during the broadcast period only.
• BGP. VPN functions lie outside the MPLS network but use the MPLS domain. Hence a distinguished label is to be used when a VPN IP packet enters the MPLS domain. This protocol supports the distribution of such labels.
Request method of label distribution: When a new destined IP packet arrives at any one of the LERs in the MPLS domain, that ingress LER sends a label request to all other LERs in the MPLS cloud, specifying the new IP address. The related egress LER to which the new destination IP address is connected responds to the request and sends the label for that new IP user towards the requesting ingress LER, along the same route in which the label request was made but in the opposite direction. In between, the LSRs update their LIBs and forward appropriate labels towards the ingress LER. Finally the ingress LER updates its LIB. Thereafter that LER uses that label while forwarding packets destined to that peer egress router.
16.6.4 Signaling Mechanisms
• Label request: Using this mechanism, an LSR requests a label from its downstream neighbor so that it can bind it to a specific FEC. This mechanism can be employed down the chain of LSRs up until the egress LER (i.e., the point at which the destined packet exits the MPLS domain).
• Label mapping: In response to a label request, a downstream LSR sends a label to the upstream initiator using the label mapping mechanism.
16.6.5 Routing in the MPLS Cloud
• Hop-by-hop routing: Each LSR independently selects the next hop for a given FEC. This methodology is similar to that currently used in IP networks. The LSR uses any available routing protocol, such as OSPF, ATM private network-to-network interface (PNNI), etc.
• Explicit routing: Explicit routing is similar to source routing, in that the packet carries all the route information. It uses the RSVP-TE signaling protocol. The ingress LSR (i.e., the LSR where the data flow into the network first starts) specifies the list of nodes through which the Traffic Engineered LSP traverses. The path specified need not be optimal. Along the path, resources may be reserved to ensure QoS for the data traffic. This eases traffic engineering throughout the network, and differentiated services can be provided using flows based on policies or network management methods. It uses the signalled LSP.
• Constraint-based routing: To maintain the QoS while routing IP packets in the MPLS network, the characteristics of the path and link to be selected are taken into account. A path involves a number of links between the ingress and egress peers; a less loaded path with the minimum number of hops should be selected. Link selection involves the selection of the next hop and the associated LSP. QoS dictates the following:
  1. Bandwidth of the LSP.
  2. Permissible maximum delay, i.e. whether the IP packet should stand in the queue or be given priority.
  The CB-routing mechanism takes care of all of the above. It uses the source routing concept. These labels not only contain information based on the routing table entry (i.e., destination, bandwidth, delay and other metrics), but also refer to the IP header field (source IP address), Layer 4 socket number information and differentiated service. Once this classification is complete and mapped, different packets are assigned to corresponding Label Switched Paths (LSPs), where Label Switch Routers (LSRs) place outgoing labels on the packets.
16.7 Traffic Engineering in MPLS
Traffic engineering is essential to optimize the utilization of the network. Network resources should not be wasted; at the same time QoS is to be maintained for the users. In MPLS, Layer 3 is overlaid with the connection oriented switching function of Layer 2. By using this property, we can define Traffic Engineered dedicated paths for different categories of IP packets to maintain the QoS. Thus the MPLS network is made homogeneous to handle heterogeneous types of traffic; these dedicated paths are known as Traffic Engineered Tunnels. MPLS tunnels are created by using CR-based explicit routing. Different types of TE tunnels are created based on the QoS of different users.
Sample MPLS Traffic Engineering Tunnel Configuration
16.7.1 Inferences
1. LE Routers and LS Routers do not analyze the entire IP address to select the best match. They analyze only the label and LSP details, which reduces the delay in routing the data packets. Construction of the routing table becomes simple. It is like the circuit switch analyzing only the route code for routing the call.
2. LSPs and labels are selected for routing according to the Forward Equivalence Class of that IP packet (category and priority), as is followed in the circuit switch, by the LSRs.
3. Since it is a connection oriented transmission protocol, loss of packets is avoided.
4. Security is ensured because of label swapping.
MPLS supports the following services efficiently with full integrity:
• Virtual Private Network
• Intranet
• Voice over Internet Protocol
• Extranet
Virtual Private Network

16.8 Function and features of VPN
Branches of corporate giants are normally distributed geographically, over the entire nation at least. Since it is a competitive world, they may require their own private, secured, faster and economical data network between the corporate office and all branch offices. Constructing their own data network is not economical and is unwise, because it involves the provision of individual paths between their offices to ensure safety and authentication. The Virtual Private Network comes as the solution to this problem. A Virtual Private Network is a private data network carved out of the public data network. In this concept only switched paths (virtual paths) are assigned between the hosts. A VPN can be constructed using the conventional IP network, but the users then have to encounter the defects of the present IP backbone discussed earlier. Since MPLS adopts connection oriented routing, a VPN can be overlaid on the MPLS architecture by constructing tunnels. Other users, according to their FECs, can share tunnels. In the circuit switch area, a PBX is used for the local distribution of calls, using the junction lines from the exchange. In the telephone exchange, only one number is assigned as the Primary Directory Number. The subscriber is expected to dial only the Primary Directory Number to get connected to any one of the extension telephones. The same concept is adopted in the Virtual Private Network. VP networks are created in the cloud of the IP network. Each VPN site is provided with one router at the edge, which acts as the gateway to the service provider network. It is known as the "Customer Edge". The router that accommodates the CE is known as the "Provider Edge". There are basically two types of VPN model:
• Overlay VPN Model.
• Peer VPN Model.
Overlay VPN Model: This supports direct IP routing between CEs, using the service provider backbone. The CE is connected to the "Provider Edge", which acts as the gateway of the IP backbone. The CE is connected to the PE using L1 to L3. The VPN logic (L3 functions) resides in the Customer Edge. The CE performs routing between its coordinated CEs (hub) before it gets connected to the Provider Edge. Hence it is also known as a "CE-based VPN". The architecture of this type is as shown in the figure. In this case the Provider Edge performs Layer 2 services only, since the Customer Edge performs the Layer 3 functions. The PE and P network is used only to provide the routing and forwarding that supports the tunnel endpoints between CE devices.
Peer VPN Model: In this model the CE does not have any routing resources for direct routing with other CEs. It has direct routing adjacency within the hub; outside the hub it depends upon the Provider Edge. Here the Provider Edge performs the Layer 3 function. It works as shown in the diagram.
If a corporate customer wants a Layer 3 VPN, the service provider has to configure the IP addresses of all the branch offices and the corporate office. The serving Customer Edge is configured and maintained by the service provider. Every VPN user is allotted a unique VPN address, or tag, or header, which is represented by 8 bytes. While transmitting an IP packet from one of the VPN members, the Customer Edge adds the VPN header with the designated IP address and sends it to the LER of the service provider. The LER affixes the appropriate label according to the FEC and sends those packets through the designated LSP (tunnel). At last the packet reaches the egress LER, which sends that VPN IP packet to the CE after removing the label. The CE then checks the VPN tag and routes the IP packet to the destined terminal. The VPN works as shown in the figure. A Customer Edge supports more than one IP terminal. The path between CEs can be a shared one. VPN Forwarding Information (VFI) is available with the PE (LER).
In this way, a corporate can create its private data network using the public MPLS network.
Chapter 17

MANAGED LEASED LINE NETWORK (MLLN)

Contents:
• Overview of MLLN
• Structure of MLLN
• MLLN Network Management System
• Digital Cross Connect
• Network Terminating Units
• Tellabs 8100 System Overview
Objectives: After completion of this module, the participants will be able to know
• What is MLLN
• What is the structure of MLLN
• How a digital cross connect works
• What are the network terminating units
MANAGED LEASED LINE NETWORK (MLLN)

17.1 Scope
This module is to familiarize the participants with the newly developed technology of managed leased lines: its advantages, usage, basic configuration, the equipment involved, etc.
17.2 General

17.2.1 Leased Line
A leased line is basically a dedicated pair (or pairs) of copper wire connecting two points, available 24 hours a day for use by a designated user (an individual or a company). A synonym is non-switched line (as opposed to a switched or dial-up line). A leased line can be a physical path owned by the user or rented from a telephone company like BSNL/MTNL/VSNL. In earlier days the leased line equipment used to be the same as the telecom transmission equipment, as the requirement for leased line networks was low. With the burgeoning need for leased lines, Managed Leased Line Networks (MLLN) are now being used.
17.2.2 Managed Leased Line Network
The MLLN is an integrated, fully managed, multi-service digital network platform through which a service provider can offer a wide range of services at an optimal cost to business subscribers. Backed by a flexible Network Management System with powerful diagnostics and maintenance tools, the MLLN can be used to provide high-speed leased lines with improved QoS (Quality of Service), high availability and reliability. The Network Management System also supports service provisioning, network optimization, planning and service monitoring. The system offers features such as end-to-end circuit creation and monitoring, circuit loop test and fault isolation, alternate rerouting of traffic in case of trunk failure, software programmability of NTUs, etc. Due to its wide range of applications in various sectors like banking, financial institutions, stock markets, the newspaper industry, broadcasting houses and Internet Service Providers, this managed leased line equipment will benefit all sections of people by way of faster Internet access, accessibility of bank accounts from anywhere, instant news coverage, etc. Various organizations like banks, ATM operators and IT companies will be using this flexible leased line solution. The following are a few of the features that are beneficial for the customers:
1. Customers need not buy 2 pairs of modems.
2. Modems are supplied and maintained by the service provider.
3. 24-hour performance monitoring of the circuit.
4. Circuit fault reports are generated proactively.
5. The bandwidth can be increased on demand.
6. Low lead time for new circuit provisioning.
7. Protection against failure of the circuit.
8. Long drive on a single pair of copper.
9. Centrally managed from the Network Management System.
The MLLN also supports enhanced features such as Corporate Internet Access, Point to Point Data, Point to Multipoint Data, LAN-IC, Hotline, EPABX Inter-connect, EPABX Remote Extension and ISDN Line Extension, Virtual Private Network, etc.
17.3 TYPICAL STRUCTURE OF MLLN SYSTEM
The MLLN is planned as a three-tier structure consisting of aggregation and connectivity at two different levels:
A. Central Node: It provides the following functionality:
(i) NMS Center.
(ii) Connectivity to second stage nodes.
(iii) Leased line aggregation.
B. Second Stage Node: It is located at the major cities of a Telecom Circle, where the demand for leased lines is high. It provides the following functionality:
(i) Connectivity to third stage nodes.
(ii) Leased line aggregation.
C. Third Stage Node: It is located at the smaller cities/towns of a Telecom Circle, where the demand for leased lines is lower (near 10). It provides leased line aggregation.
17.3.1 Functional Requirements. The MLLN system is able to provide the following functionality: (i) Speedy end-to-end service provisioning. (ii) Round-the-clock end-to-end performance monitoring. (iii) Automated alarm / fault management. (iv) Easy re-routing and configuration. (v) Accounting and Security management. (vi) On-demand bandwidth availability up to 2 Mbps.
17.3.2 Technical Requirements. The various components of the MLLN shall be: a) Network Management System (NMS). b) Digital cross Connect (DXC). c) Versatile Multiplexer (VMUX). d) Network Termination Unit (NTU).
17.4 Network Management System
The NMS of the MLLN centrally manages all the elements of the MLLN, viz. the Digital Cross Connect, VMUX and NTUs. This NMS shall be built using an open architecture, utilizing an industry standard commercially available operating system and relational database management system. The Network Management System shall allow the network operator to configure, provision, manage and monitor all aspects and parameters of the remote elements of the MLLN without the need for local intervention. It is possible to manage the entire network from any single location.
17.4.1 The NMS is able to perform the following:
• The NMS auto-recognizes any change of configuration of any network element. Changing the configuration or other settings locally at NTUs shall not be provided. All local settings on the VMUX and DXC shall be password protected.
• Re-initialisation of a network element shall be possible from the NMS. This shall be equivalent to a manual start-up (physical jack-out and jack-in) of the network element. This might be required in case of a complete or partial network element stoppage due to hardware/software failures.
• The NMS has the capability to configure bandwidth on demand for any leased line for a specified time of day. This bandwidth on demand is configurable to all possible programmable bandwidths of the NTUs.
• The NMS has the capability to assign a priority to the leased line at the time of configuration. This allows the high priority customer lines to be routed first to the standby route in case of failure of the main route.
• The configuration of the various network elements (building, viewing and changing) is possible remotely from the central NMS. The configurations of the network elements are stored in the NMS, from where they can be retrieved in case of failure.
• It supports a macro command facility to carry out the same kind of operation on a group of interfaces with a single command.
• The NMS is capable of placing the network elements in or out of service.
17.4.2 Route Management. The NMS supports a predefined routing schedule that lets the MLLN route circuits automatically. In the event of a failure, circuits are re-established quickly across alternative paths without operator action. Point-to-point and point-to-multipoint channels are routed on an end-to-end basis.
17.4.3 Fault Management.
• The NMS informs the operator about problems occurring in the network elements and their modules.
• Fault events are logged in a fault log file and can be retrieved when required through database-style queries.
• The fault information contains the type of network element, the time at which the fault occurred and the time at which it was cleared.
• In addition to the fault information, the NMS gives a brief explanation of the cause of the fault and the proposed corrective action.
• Active faults and the fault log file can be printed.
• It is possible to list (i) the total number of active faults in the network, (ii) the number of active faults in a specified network element and (iii) the number of active faults in each faulty network element.
• The MLLN equipment can report to a pre-specified destination on detecting an alarm condition. Faults in network elements, links and the system also raise audible alarms; the Network Manager controls whether the audible alarm is active or inhibited.
17.4.4 Performance Management.
• The NMS supports end-to-end performance monitoring of links and circuits as per ITU-T Recommendation G.821.
• The information provided includes total time, unavailable time, errored seconds, severely errored seconds and degraded minutes.
• The interval at which this performance data is collected by the NMS is configurable.
• The NMS reports the percentage bandwidth usage of network elements such as the VMUX and DXC over a specified period. The performance management module collects, processes and presents the performance data from all network elements, and network data can be collected continuously.
• All VMUXs and DXCs, and all other network elements, are polled at least once every 5 minutes at the primary NMS level. Network data can be collected periodically and for a definite interval of time, as required.
• These settings are configurable by the network operator through the NMS, and collection can be enabled for specific or all network elements. The network data collected by the NMS includes the following information from the network elements:
A. Status. B. Control parameters. C. Performance parameters. D. Alarm information. E. Configuration parameters. F. Accounting and billing information.
• The database hard disk is sized to hold all the information listed above, plus any other necessary system information, for at least one month. On completion of each month this information is backed up, automatically or by operator action, to secondary (off-line) storage before any part of it is deleted or overwritten. A minimum of 16 GB of configured secondary storage (secondary hard disk, cartridges, tapes, etc.) is supplied.
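The G.821 quantities listed above (total time, unavailable time, errored seconds, severely errored seconds, degraded minutes) can be derived from a per-second bit-error count. The following Python is added here as an illustration; it is not code from the MLLN NMS or from the manual. The SES threshold (BER of 1e-3 or worse), the degraded-minute threshold (BER worse than 1e-6 over a minute), the 10-second rule for entering and leaving unavailable time and the 64 kbit/s channel rate are the author's reading of G.821 and are marked as assumptions in the code; the five-minute error trace is constructed.

```python
"""G.821 error-performance classification of a 64 kbit/s circuit.

Added example, not part of the BSNL training material. Thresholds and the
availability rule are assumptions taken from ITU-T G.821 as the author
recalls it; the sample trace is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

BITS_PER_SECOND = 64_000
SES_BER = 1e-3     # assumption: a second with BER >= 1e-3 is an SES (>= 64 errors at 64 kbit/s)
DM_BER = 1e-6      # assumption: a minute with BER > 1e-6 is degraded (> 3.84 errors per minute)
RUN_LENGTH = 10    # assumption: 10 consecutive SES enter, 10 consecutive non-SES leave, unavailability


@dataclass
class G821Report:
    total_time: int
    unavailable_time: int
    errored_seconds: int
    severely_errored_seconds: int
    degraded_minutes: int


def is_ses(errors: Optional[int]) -> bool:
    """None models loss of signal/frame for that second, which counts as an SES."""
    return errors is None or errors / BITS_PER_SECOND >= SES_BER


def availability_mask(seconds: List[Optional[int]]) -> List[bool]:
    """True for each second that belongs to available time.

    Unavailable time starts at the first of 10 consecutive SES and ends at the
    first of 10 consecutive non-SES; the 10 seconds that trigger a transition
    belong to the state being entered.
    """
    ses = [is_ses(e) for e in seconds]
    available = [True] * len(ses)
    unavailable = False
    i = 0
    while i < len(ses):
        window = ses[i:i + RUN_LENGTH]
        if not unavailable:
            if len(window) == RUN_LENGTH and all(window):
                unavailable = True
                available[i:i + RUN_LENGTH] = [False] * RUN_LENGTH
                i += RUN_LENGTH
            else:
                i += 1
        else:
            if len(window) == RUN_LENGTH and not any(window):
                unavailable = False
                i += RUN_LENGTH            # these 10 seconds are already marked available
            else:
                available[i] = False
                i += 1
    return available


def classify(seconds: List[Optional[int]]) -> G821Report:
    """Count ES, SES and DM over available time only, as G.821 requires."""
    available = availability_mask(seconds)
    es = ses = 0
    dm_seconds: List[int] = []       # available, non-SES seconds, in time order
    for errors, avail in zip(seconds, available):
        if not avail:
            continue
        if is_ses(errors):
            ses += 1
            es += 1                  # an SES is also an errored second
            continue
        if errors > 0:
            es += 1
        dm_seconds.append(errors)
    # Degraded minutes: group the remaining seconds into complete blocks of 60
    # and flag any block whose aggregate BER is worse than 1e-6.
    dm = 0
    for k in range(0, len(dm_seconds) - 59, 60):
        if sum(dm_seconds[k:k + 60]) / (60 * BITS_PER_SECOND) > DM_BER:
            dm += 1
    return G821Report(len(seconds), available.count(False), es, ses, dm)


def sample_circuit() -> List[Optional[int]]:
    """Constructed 5-minute trace: a clean minute, a minute with one 5-error
    second, a 12-second outage (loss of signal, then heavy errors), recovery,
    and a 3-second SES burst too short to count as unavailable."""
    trace: List[Optional[int]] = [0] * 300
    trace[70] = 5                    # one ES; pushes that minute over the DM threshold
    trace[120:126] = [None] * 6      # loss of signal: SES
    trace[126:132] = [100] * 6       # BER 1.56e-3: SES; 12 SES in a row -> unavailable time
    trace[200:203] = [64] * 3        # BER exactly 1e-3: SES, but the circuit stays available
    return trace


if __name__ == "__main__":
    print(classify(sample_circuit()))
```

Run stand-alone, the block prints the report for the constructed trace: 300 s total, 12 s unavailable, 4 ES, 3 SES and 1 degraded minute. The point a practitioner should take from it is that the 12 SES inside the outage are excluded from the ES/SES counts, because G.821 only counts them during available time; an SLA report that adds them back in double-counts the outage.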
17.4.5 Security Management
• The NMS supports user identification and operator passwords with different privilege levels for issuing commands. It records all login and logout operations on the NMS, can set an expiry time for operator passwords, and supports password protection for the network elements of the MLLN.
• The Network Manager creates the operators' passwords and controls and limits each operator's authorizations, rights and privileges. (Here the Network Manager is the NMS account with full control, rights and privileges; operator accounts are created by the Network Manager for other personnel so they can assist in a controlled way.)
• The NMS allows the Network Manager to change the password of any account and allows each operator to change their own password. Change of password shall not require system
• The NMS validates the source addresses of all data coming from the network elements, and the data transport mechanism from the network elements to the NMS centre has built-in error checking and correction.
17.5 DIGITAL CROSS CONNECT (DXC or DACC).
The DACC or DXC is a large-capacity cross-connect device installed at the main sites to provide VMUX connectivity. It is made up of a Cluster Master control subrack and slave subracks; the Single Subrack (RXS-S) is used as the slave subrack, and its units depend on the port capacity ordered. Besides multiplexing and demultiplexing the signal, the node also cross-connects it: the signal is first demultiplexed to a lower level, then cross-connected, then multiplexed again. A digital cross-connect (DXC) is a device used in transmission networks: it separates the channels arriving from other devices and rearranges them into new channels for output. In a digital cross-connection the connection is set up and released by the network operator, not by the subscriber as is the case in switching.
17.5.1 DXC NOMENCLATURE:
(a) DXCs at the metros (Delhi, Mumbai, Kolkata and Chennai) serving the maintenance regions are designated Regional DXCs (R-DXC).
(b) The other DXCs of the maintenance regions are called Sub-Regional DXCs (SR-DXC).
(c) DXCs in the SSAs are called SS-DXCs.
The DXC comes in the following configurations:
• DXC-256 = 256 E1 ports.
• DXC-128 expandable to 256 = equipped with 128 ports.
• DXC-96 expandable to 128 = equipped with 96 ports.
• DXC-64 expandable to 128 = equipped with 64 ports.
• DXC-16 expandable to 64.
SS-DXC to SR-DXC: The DXCs of an SSA are connected to the sub-regional DXC initially by 2 E1s per SS-DXC, for the circuits going out of the city. Where there is more than one SS-DXC at a station, additional E1s to meet demand are connected to the SS-DXC in whose coverage area the demand has grown.
SR-DXC to SR-DXC: Sub-regional DXCs in the same region may initially be connected by 1 E1 each.
REGIONAL NETWORK.
Multiple R-DXCs at the same station: The R-DXC at a metro station consists of multiple DXCs. These are connected in a mesh of 2 E1s each, so that time slots from a station connected on one DXC can be switched to a destination connected on another.
Core network of R-DXCs: All four regional DXC stations are connected to each other with 8 E1s each. The links may be distributed among multiple DXCs, and their number may increase as demand grows.
R-DXC to SR-DXC:
• R-DXCs are connected to the SR-DXCs in the same region by 3 E1s each.
• R-DXCs are also connected to all SR-DXCs in the distant regions by 2 E1s each to start with.
• SR-DXC links are distributed among the multiple DXCs at the metro stations to minimize use of the inter-DXC links at that station. At start-up it will not be possible to connect an SR-DXC to all of these DXCs; this may be done as and when additional links are justified.
R-DXC to SS-DXC: An SS-DXC may also be connected directly to the Regional DXC if the bandwidth consumed by circuits from the SSA to the concerned region exceeds 8 Mb. The E1s should be distributed among the DXCs on both the SS-DXC and the R-DXC side so that use of inter-DXC connectivity at the same station is minimized.
17.5.2 REDUNDANCY REQUIREMENT. The MLLN has to provide a highly reliable service, and an SLA of 99.5% or better availability is proposed. Therefore all E1 links should be provided as rings wherever available. In the long-distance network, the E1s between the same two stations can be split across alternate physical paths of the rings to the extent feasible; this also saves the port capacity that would otherwise be needed to provide an alternate path within the MLLN.
17.6 VERSATILE MULTIPLEXER (VMUX)
The Versatile Multiplexer (VMUX) is a small-capacity cross-connect device installed at the various sites to provide user connectivity. It is made up of the Basic Node, which is the building block of the MLLN system. The VMUX is provided with two types of interface, to connect STU-160 modems (the SDSL product family, used for point-to-point connections) and CTU-S modems (the HDSL product family, with a line rate up to 4640 kbit/s). The number of interfaces depends on the VMUX configuration supplied. Four types of VMUX are supplied, viz. VMUX Type I, VMUX Type II, VMUX Type III (DC operation) and VMUX Type III (AC operation).
• The VMUXs also have a digital cross-connect capability and additional E1 ports, so VMUXs in the same city can be interconnected using the spare E1 ports to extend local circuits.
• Initially one VMUX should be connected directly to at most 2 other VMUXs in the same city, with one E1 each. As demand for circuits in the areas served by the VMUXs grows, more direct E1 links can be established among them.
• If there is more than one VMUX in an exchange area, then, where justified, one of them can be dedicated to providing local circuits by direct route to the other VMUXs in the city. This saves DXC ports. However, SS-DXC connectivity, where an SS-DXC is available, shall also be maintained for setting up leased circuits to VMUXs with which no direct route exists.
• Efforts should be made that no circuit passes through more than three VMUXs; more than four VMUXs in tandem for one circuit must be avoided.
• Routes shown as 'standby' are used to meet incremental requirements for long-distance circuits from other VMUXs when the direct routes are full and the other link has spare capacity, with the intention of saving port capacity. A protection path can also be provided against failure of the other links to the SS/SR-DXC.
VMUX to SS-DXC in the same city/SDCA.
• VMUX-to-DXC connectivity in the same city/SDCA serves two purposes: setting up circuits to other VMUXs in the city, and setting up circuits going out of the city.
• Direct VMUX-to-VMUX connectivity should be used for local circuits as per the plan above. However, for local circuits to other VMUX areas where the requirement is small, say fewer than 10 to begin with, the circuits can be routed via the E1 link established with the DXC.
• Each VMUX site in the city should be connected by at least two E1s to the SS-DXC; this connectivity may be distributed where there are multiple SS-DXCs. The number of E1s can be increased as requirements grow.
• If there is more than one VMUX in the same exchange area, DXC connectivity may be distributed over each of them.
17.7 NETWORK TERMINATING UNITS (NTUs)
• Baseband modems (Network Terminating Units, NTUs) are usually customer premises equipment (CPE): typical "last mile" equipment.
• NTUs can also be used for stand-alone point-to-point connections without the NMS.
• NTUs allow the existing telecom copper cables (twisted pair) to carry digital traffic over medium distances (~5 km) at high speeds.
• NTUs must be manageable from the centralised NMS for the following essential parameters: (i) speed, (ii) line loop testing, (iii) diagnostics.
• On the DTE side the NTU must support the V.35/V.24/V.28/V.36/V.11/G.703 data interfaces.
• The NTU must be functionally compatible, for all features, with the integrated line drivers of the VMUX ports.
• The NTU should work with the line-side interface built into the VMUX and shall support end-to-end manageability through the NMS of the Managed Leased Line Network.
• The NTU must perform internal self-tests on power-up and give a visual indication if an internal failure is detected.
• After power-up, the NTU configuration is downloaded automatically from the connected node.
MLLN developed by M/s Tellabs: the Tellabs 8100
The services in the Tellabs 8100 managed access system can be divided into two categories, business services and mobile services. The Tellabs 8100 provides network elements for the access, consolidation and backbone levels, and service is delivered through Tellabs 8100 customer nodes and high-speed NTUs (Network Terminating Units). Each service, and the network as a whole, is controlled by the network management system known as the Tellabs 8100 Network Manager, which also supports service provisioning, network optimization, planning and service monitoring. The system offers end-to-end circuit creation and monitoring, circuit loop tests and fault isolation, alternate re-routing of traffic in case of trunk failure, software programmability of NTUs, and so on. It also supports enhanced features such as corporate Internet access, point-to-point data, point-to-multipoint data, LAN-IC hotline, EPABX interconnect, EPABX remote extension, ISDN line extension and virtual private networks.
Manageability. Manageability is today a need rather than a novelty. The present leased line network is unmanaged. TRAI has advised that a Service Level Agreement (SLA) is mandatory for every service provided, and MLLN meets this SLA with end-to-end status statistics. Today a degradation or disruption in service becomes known to the service provider only when a subscriber reports it; with MLLN the service provider can detect the fault proactively and take corrective action, and the automatic re-routing of traffic maintains customer satisfaction and prevents a likely loss of revenue. If tomorrow the customer demands flexibility in the SLA, such as negotiable bandwidth at different times of the day, it can only be provided through MLLN.
DXC (DACC) – DIGITAL CROSS CONNECT
The DXC is a large-capacity cross-connect device installed at the main sites to provide VMUX connectivity. It is made up of a Cluster Master control subrack and slave subracks; the Basic Node is used as the slave subrack to build the Cluster Node in the MLLN system. The DXC comes in the following configurations (number of subracks of each kind):

Configuration                     Master subrack   Fully equipped slave subrack   Bare single subrack
DXC 32 ports                      1                1                              0
DXC 64 ports                      1                2                              0
DXC 64 expandable to 128 ports    1                2                              2
DXC 96 expandable to 128 ports    1                3                              1
DXC 128 ports                     1                4                              0
DXC 128 expandable to 256 ports   1                4                              4
DXC 160 ports                     1                5                              0
DXC 192 ports                     1                6                              0
DXC 224 ports                     1                7                              0
DXC 256 ports                     1                8                              0
The block diagram of the DXC 256 ports accompanies this section in the original (not reproduced here). Power requirement: the DXC operates on -48 V DC; the Cluster Master requires 10 A and each slave subrack 5 A maximum.
Each subrack power supply unit receives -48 V DC through an individual MCB placed at the top rear of each rack. The cards equipped in the Cluster Master rack are listed below (quantity per configuration):

Unit      64 ports            96 ports            128 ports           256 ports
          (expandable to 128) (expandable to 128) (expandable to 256)
RXS-CD    1                   1                   1                   1
PFU-A     2                   2                   2                   2
PFU-B     2                   2                   2                   2
CCU       1                   1                   1                   1
CXU-M     2                   2                   2                   2
CXU-S     2                   2                   2                   2
CXU-A     4                   6                   8                   16
The E1 cables are connected from the QMH / G.703 (120 Ω) units in the slave subracks and terminated on the DDF.
VMUX (Versatile Multiplexer)
The VMUX is a small-capacity cross-connect device installed at the various sites to provide user connectivity. It is made up of the Basic Node, the building block of the MLLN system, and is provided with different types of interface to connect STU-160 and CTU-S modems; the number of interfaces depends on the VMUX configuration supplied. The different types of VMUX are shown in the table below (cards per unit). The block diagram and power requirement of a VMUX rack accompany this table in the original (not reproduced here).

Item          Type I   Type II   Type III DC   Type III AC
RXS-S         1        1         1             1
XCG           1        1         1             1
PFU-A         1        1         1             0
PAU-10T       0        0         0             1
IUM-8         4        2         1             1
OMH           1        0         0             0
QMH / HCQ     0        1         1             1
QMH / G.703   2        0         0             0
N.B.: The DXC and VMUX systems are installed in a standard 19-inch communications rack of the following dimensions: height 2.048 m, width 0.596 m, depth 0.325 m. DXC and VMUX equipment is designed to operate in a controlled environment meeting ETSI 300 019-1-3. The required environmental conditions are: 1) a dust-free, clean environment; 2) air-conditioning with temperature and humidity control; 3) air-conditioning failure tolerable for a maximum of 2 hours at a time; 4) operating temperature 20 to 30 °C.
Network Terminating Unit (NTU). The NTUs are located at the customer premises and work on 230 V AC. A copper pair connects each NTU to its VMUX. The NTUs compatible with this network are:
• 64/128 kbps NTU with V.35 interface.
• 64/128 kbps NTU with G.703 interface.
• 64/128 kbps NTU with Ethernet interface.
• N × 64 kbps NTU with V.35 interface.
• N × 64 kbps NTU with G.703 interface.
• N × 64 kbps NTU with Ethernet interface.
Chapter 18
DIAS
Contents
• Introduction
• DIAS Features
• DIAS Architecture
• Interface
• Conclusion
Objectives
After completion of this module you will be able to:
• Understand the introduction to DIAS
• Understand the DIAS features
• Understand the DIAS architecture, the functional components of DIAS and the interconnection of DIAS components at the CPE and SPE/APE
18.1 Introduction
The Direct Internet Access System (DIAS), jointly developed by Banyan Networks, Madras and the TeNet Group, IIT Madras, allows basic telecom service providers to offer voice and always-on Internet service simultaneously, or either one alone, over the same copper pair of the telephone line to residential and corporate subscribers, in contrast to the existing PSTN (Public Switched Telephone Network), ISDN (Integrated Services Digital Network) and dial-up access. DIAS is a high-bandwidth Internet service that requires no change to the existing cable network of the basic telecom system; it works with both existing and new digital technology switches and is scalable to advanced applications. The system provides two access speeds to customers: a) 128 kbps, b) 2048 kbps. The 128 kbps service is provided either as Internet access alone at 128 kbps or as Internet access at 64 kbps together with basic voice service at 64 kbps. The 2048 kbps service is provided either as Internet access alone at 2048 kbps or as Internet access together with 4 to 8 basic voice lines; the Internet speed is scaled down by 64 kbps for each phone that is off-hook.
18.1.1 DIAS Features
18.1.1.1 User side interface
i) Up to 60 BDSU (Basic Rate Digital Subscriber Unit) subscribers, each port supporting 128 kbps.
ii) Up to 20 HDSU (High Bit Rate Digital Subscriber Unit) subscribers, each port supporting 2.048 Mbps.
iii) Any combination of BDSU and HDSU.
iv) BDSU/HDSU operate on normal 220 V AC mains.
v) Telephone service (POTS) remains available even when the 230 V AC mains fails at the customer premises.
18.1.1.2 ISP or PSPDN side interface
i) Up to 4 Mbps WAN connectivity using two E1 links.
ii) 10BaseT/100BaseT Ethernet interface.
18.1.1.3 PSTN interface
i) E1 links with V5.2 signalling.
ii) Optional sixty 2-wire connections using the LL2W unit or SMUX.
18.1.1.4 System capacity
i) Four IANs can be cascaded for both data and voice to support 240 BDSU or 80 HDSU subscribers.
ii) Data cascading through the Ethernet switch.
iii) Voice cascading through E1 links.
iv) Control cards and power supply cards work in hot standby in each IAN.
18.1.1.5 General
i) CLI for IAN configuration.
ii) RADIUS client/server software for AAA functions.
iii) Blue Bill software for billing.
iv) MySQL database.
v) Computation module for billing computation.
vi) NAT support.
vii) PPPoE support for access with the RADIUS server.
viii) DIAS View element manager software (EMS).
ix) Stacking of IANs for data and voice concentration using a proprietary stack management protocol.
x) SNMP and MIB-II support for network and data management.
xi) V5.2 support for voice management.
xii) A secret ID shared between the DSU and the DIAS server, used as a private key in a proprietary protocol to secure accounting and access information.
xiii) Easy remote software upgrade using TFTP.
xiv) Passwords sent hidden with an MD5 digest (described as encrypted format).
xv) Dual-server concept with Pulse Server monitoring software.
xvi) Three subscriber classifications, Class 1, 2 and 3; BSNL uses Class 3 (dynamic IP address allocation).
18.1.1.6 Power requirements
i) DIAS consumes 250 W (48 V/5 A DC) per IAN.
ii) A 2 kVA inverter for the VT 100/220 terminal and the Ethernet switch.
18.2 DIAS Architecture
The DIAS architecture (Fig-1) may be divided as follows:
a) CPE (Customer Premises Equipment)
b) SPE (Service Provider Equipment) or APE (Access Provider Equipment)
c) Interface (connecting the CPE and the SPE/APE)
Fig-1: CPE, Interface, SPE/APE (figure not reproduced).
18.2.1 CPE
The following equipment is available at the customer premises (Fig-2):
a) BDSU (Basic Rate Digital Subscriber Unit)
b) HDSU (High Bit Rate Digital Subscriber Unit)
Fig-2: CPE comprising BDSU and HDSU (figure not reproduced).
18.2.1.1 BDSU
The Basic Rate Digital Subscriber Unit is designed for SOHO (small office/home office) users. It provides a permanent Internet connection at a maximum data rate of 128 kbps, which drops dynamically to 64 kbps while the telephone is in use for voice and transparently returns to 128 kbps when the telephone goes back on-hook. BDSUs are categorized (Fig-3) as BDSU-DA (data alone), which always provides 128 kbps of data, and BDSU-DV (data with voice), which provides 128 kbps or 64 kbps as described. BSNL has chosen the latter. A maximum of 13 PCs can be connected to a BDSU through a hub or switch.
Fig-3: BDSU-DA (local AC power, PC) and BDSU-DV (local AC power, PC, phone) (figure not reproduced).
The BDSU has the following terminations and LEDs (Fig-4 and Fig-5).
A) Front view of the BDSU
1) Power LED, lit when the power supply is on.
2) and 3) Transmit and Receive LEDs, which blink during data transfer between the IAN and the BDSU.
4) Sync LED, lit when the BDSU is synchronized with the service provider equipment.
5) Activity LED, lit while data activity is going on between the PC and the BDSU.
6) Link LED, lit when the Ethernet connection between the BDSU and the PC is healthy.
Fig-4: Front view of the BDSU, LEDs 1 to 6 (PC/Hub and DSL line status); all LEDs are green (figure not reproduced).
B) Rear side of the BDSU
1) DC power termination: input 230 V AC/50 Hz to the adapter, output 12 V/1 A.
2) Exchange line termination: RJ11 socket.
3) Line/Phone: RJ11 socket.
4) PC/Hub: RJ45 socket.
Fig-5: Rear side of the BDSU, terminations 1 to 4 (figure not reproduced).
18.2.1.2 HDSU
The High Bit Rate Digital Subscriber Unit is designed for corporate subscribers, with a maximum connection speed of 2048 kbps. Like the BDSU, the HDSU is categorized (Fig-6) as HDSU-DA and HDSU-DV. The HDSU has an Ethernet port (RJ45) for the Internet connection and RJ11 points for terminating the phone lines. A maximum of 13 PCs can be connected to an HDSU through a hub or switch. The HDSU variants are available in the following forms (Fig-6):
i) HDSU-DA with no phone instrument
ii) HDSU-D4 with 4 independent instruments
iii) HDSU-D8 with 8 independent instruments
Fig-6: HDSU-DA (RJ45 to PC), HDSU-D4 (RJ45 to PC, four RJ11 phone ports) and HDSU-D8 (RJ45 to PC, eight RJ11 phone ports), all on AC power (figure not reproduced).
18.2.1.3 Phone and PC connection at the customer premises (Fig-7 and Fig-8)
1) Connection I (single PC)
Fig-7: BDSU-DV/HDSU-DV with PWR (AC-DC adapter), Line (exchange DSL cable), Phone and PC/Hub (Ethernet card in the PC) (figure not reproduced).
2) Connection II (multiple PCs)
Fig-8: as Fig-7, with the PC/Hub port feeding a 16-port Ethernet hub serving PC-1 to PC-13, each with an Ethernet card (figure not reproduced).
18.2.1.4 Requirements for a DIAS connection at the customer premises
1) Hardware
1. BDSU/HDSU
2. AC power
3. Telephone line
4. PC(s)
5. Ethernet card
6. Hub/switch/router (in the case of SOHO)
2) Software
1. Username and password
2. OS (Windows 9x or a later version)
3. Application software (A.S.), as per requirement
4. Driver for the Ethernet card
5. PPPoE client
18.2.2 SPE/APE
The equipment at the service provider/access provider comprises:
i) Internet Access Node (IAN)
ii) RADIUS server (stand-alone or integrated with the billing server)
iii) Router
iv) Ethernet switch
v) LifeLine 2-Wire unit (LL2W) or SMUX (optional)
vi) VT-100/220 terminal (optional)
vii) Main rack or cabinet
viii) Billing server (stand-alone or integrated with the RADIUS server)
18.2.2.1 IAN
The Internet Access Node (IAN) is the most important and intelligent equipment of DIAS, in that it separates PSTN and Internet traffic. It is a subrack mountable in a 19-inch cabinet (the main rack) with conventional cooling. The cabinet can accommodate a maximum of four IANs, two LL2W units, an Ethernet switch and one router. The RADIUS server is mounted on a separate rack adjacent to the cabinet; it can be provided per exchange or as a single centralized unit serving many exchanges. BSNL provides it at a centralized place, called the DIAS server or RADIUS server. Both set-ups are shown in Fig-9 and Fig-10.
Each IAN supports a maximum of 60 BDSL subscribers/ports or 20 HDSL subscribers/ports: 60 BDSL ports are achieved with 5 DSL cards of one type, each terminating 12 ports, and 20 HDSL ports with 5 DSL cards of another type, each terminating 4 ports. The IAN supports any combination of these cards, up to 5 DSL cards in total.
The IAN has redundant power supply cards working in hot standby, so that failure of one card does not affect system operation. The power supply is a DC-DC converter with a -48 V (±8 V) DC input and 5 V and 3.3 V DC outputs plus 75 V AC, the latter used as ringing current for the subscriber's phone instrument.
The IAN subrack has duplicated switch cards, the fundamental part of the system, holding all the system software; all protocols and IP packet forwarding run on this card. The switch cards work in hot standby, so if one fails the other takes over. During a switch-card changeover, in the present software version, data calls are disturbed for a short time whereas voice calls are protected.
The IAN has a 10BaseT Ethernet port to connect to the ISP through the Ethernet switch, a console port for local debugging from a PC/laptop, and a CLI for system configuration and maintenance.
The E1 cards connect the DIAS system to the PSTN and the ISP and cascade voice to other IANs, using the 4 E1 ports on each E1 card; they work in hot standby for fault tolerance. The Life Line Control card (LLC) interfaces with the PSTN using the V5.2 signalling protocol; this card and the LLL are essential if DIAS is to be interconnected with new-technology switches for voice over V5.2. The Life Line Line card (LLL) provides the V5.2 line connectivity and feeds dial tone and power (the life line) in case of power failure of the BDSU/HDSU at the CPE. A child card in the IAN separates/combines two sets of 30 subscriber ports each, coming from two LL2W cards, into five sets of 12 ports each, connected to the five BDSL cards.
Fig-11: IAN subrack with its six card types: SW CARD 1, SW CARD 2, BDSL 1 to BDSL 5, LLC, LLL 1, LLL 2, PSU 1, PSU 2 and the child card (figure not reproduced).
Fig-9: Main rack with router, Ethernet switch, IAN 1 to IAN 4, LL2W 1 and LL2W 2, with a VT 220/100 terminal with keyboard and the RADIUS server alongside (figure not reproduced).
Fig-10: Main rack with router, Ethernet switch, IAN 1 to IAN 4, LL2W 1 and LL2W 2 and a VT 220/100 terminal with keyboard; the RADIUS server is centralized elsewhere (figure not reproduced).
18.2.2.2 Block diagram of the IAN for PSTN and ISP connectivity (Fig-12)
Fig-12: The BDSU/HDSU at the customer (PC, phone) connects over the local cable interface, via the child card, to BDSL cards 1-5 (five outputs of 12 ports each, data plus voice); switch cards 1 and 2 pass data over Ethernet to the Ethernet switch and router towards the ISP; E1 cards 1 and 2 carry 2 E1 each towards the PSTN and 2 E1 towards the ISP; the LLC and LLL 1/LLL 2 feed 30 two-wire subscribers each to the exchange MDF; PSU 1 and 2 supply 5 V and 3.3 V DC and 75 V AC (figure not reproduced).
18.2.2.3 LL2W
DIAS supports a unit called the LL2W (Life Line 2-Wire interface) or SMUX (Sub Mux) for direct 2-wire connectivity to PSTN exchanges with existing digital technology switches that do not support the V5.2 protocol. The unit consists of 10 line cards providing 12 ports each (for 2 IANs), 2 controller cards and 2 power supply cards for 120 lines, each pair working in hot standby. The controller card is connected to 2 E1 links from the E1 card of the IAN and demultiplexes them into 5 sets of 12 ports, connected to 5 line cards; in the reverse direction it multiplexes the 5 line cards onto the 2 E1 links back to the E1 card of the IAN. A dedicated 2-wire output from each line-card port goes towards the PSTN for voice. One controller card supports 4 E1 links for 2 IANs, so the DIAS cabinet can have two LL2W units for 4 IANs. This unit is optional; its card configuration is shown in Fig-13.
Fig-13: LL2W card layout: five LINE cards, two CON CARDs, five LINE cards, two PSUs (figure not reproduced).
18.2.2.4 RADIUS Server
Also called the DIAS server, it acts as the centralized user database. It authenticates users by username and password, performs authorization to allow the various Internet services for each user, logs user accounting information and passes it to the billing server for consolidated billing, and allows roaming access to users.
It listens on UDP port 1812 for user authentication requests from the DIAS (the RADIUS clients) and on port 1813 for accounting requests (Accounting-Start and Accounting-Stop) for the accounting log. The IP address of each client is held in that client's profile, and user information is stored in a MySQL database. The user password is exchanged in hidden form using an MD5 digest and the shared key.
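The "MD5 digest and shared key" exchange above, and the "password sending on MD5 digest" feature listed in 18.1.1.5, is the standard RADIUS User-Password hiding of RFC 2865 section 5.2: the password is padded to 16-octet blocks and XOR-ed with MD5(shared secret || Request Authenticator) for the first block and MD5(shared secret || previous ciphertext block) for each following block, while the server's reply carries a Response Authenticator of MD5(Code || ID || Length || Request Authenticator || Attributes || secret). The following Python is an added example written for this page, not code from DIAS, Banyan Networks or any RADIUS server; the shared secret, Request Authenticator and user table named DEMO_* or passed in by the caller are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept with RFC 2865 User-Password hiding.

Added example, not DIAS code. Shows both sides of the exchange the manual
describes: the client (IAN) hides the password, the server un-hides it,
checks it and answers with an authenticated Access-Accept or Access-Reject.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # attribute types

DEMO_SECRET = b"dias-shared-secret"       # constructed shared secret between IAN and RADIUS server
DEMO_REQUEST_AUTH = bytes(range(16))      # fixed Request Authenticator so the example is repeatable


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 octets, then XOR each block
    with an MD5 keystream chained on the previous ciphertext block."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. Anyone holding the shared secret and the
    Request Authenticator (which travels in clear) recovers the password, so
    this is obfuscation keyed on the shared secret, not encryption."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Walk the TLV attribute list, rejecting lengths that overrun the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """Client (IAN) side: the Access-Request datagram sent to UDP port 1812."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_answer(request: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server (DIAS/RADIUS server) side: un-hide the password, compare it with
    the user table in constant time, and reply Access-Accept or Access-Reject."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = hmac.compare_digest(password, user_db.get(username, b"\x00"))
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, identifier, request_auth, b"", secret)
    return struct.pack("!BBH", reply_code, identifier, 20) + auth


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: trust a reply only if its Response Authenticator matches."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    req = build_access_request(7, b"user1", b"p@ss", DEMO_SECRET, DEMO_REQUEST_AUTH)
    reply = server_answer(req, DEMO_SECRET, {b"user1": b"p@ss"})
    print("accept" if reply[0] == ACCESS_ACCEPT and verify_response(reply, DEMO_REQUEST_AUTH, DEMO_SECRET) else "reject")
```

Two practical consequences follow from the code. First, the secrecy of every subscriber password rests entirely on the shared secret configured in the IAN and the RADIUS server: a captured Access-Request plus that secret yields the password directly through reveal_password, so the secret must be long and random and the management LAN between IAN and server must not be reachable from subscribers. Second, the Response Authenticator is what stops a forged Access-Accept; a client that skips verify_response accepts any reply with the right identifier.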
The connectivity of the RADIUS server is shown in Fig-14.
Fig-14: ISP, router, LAN, DIAS client, RADIUS server with MySQL database (figure not reproduced).
18.2.2.5 Billing Server
The Blue Bill software runs on this server. It computes each user's data usage and the corresponding charge using the computation module, and interacts with the RADIUS server to 1) provide subscriber information such as IP address and subnet mask and 2) obtain subscriber accounting information from RADIUS for usage computation and charging. The system administrator can administer the billing software from his PC to define new tariffs, package names, discounts for normal days/holidays, data limits, rates and validity periods, and can carry out subscriber administration. Subscribers can see their own account information from their PC.
The connectivity of the billing server is shown in Fig-15.
Fig-15: ISP, router, LAN, DIAS client, billing server with MySQL database (figure not reproduced).
18.2.2.6 Router
The ZYNO-220 is a versatile edge device that performs the advanced routing function for DIAS. It is built around high-performance DSP processors, giving the processing power for wire-speed packet forwarding and other advanced management functions, and it manages bandwidth so that the ISP link is used optimally. Optional features are NAPT (IP address sharing), bandwidth control, access control lists, a packet-filtering firewall and QoS (CB-FBC). ZYNO View (GUI software) allows full remote management through Telnet and local configuration through the console. It supports a customized power supply (48 V DC instead of the normal 230 V AC). The ZYNO-220 has one Ethernet port and 2 WAN ports: the Ethernet port connects to the Ethernet switch, and the WAN ports connect DIAS to the ISP via E1 links if required. Alarm and healthy conditions are indicated by LEDs, and the unit is rack mountable.
The ZYNO-220 Router is shown in Fig-16.
[Fig-16: ZYNO-220 Router front panel. SYN and ALM indicators for WAN 0 (LEDs 8, 7) and WAN 1 (LEDs 6, 5); ACT, LNK, ERR and PWR indicators for Ethernet and Sys (LEDs 4, 3, 2, 1)]

18.2.2.7 Ethernet Switch
The 16-port Ethernet switch used in DIAS makes the network manager's life easy. It gives excellent throughput and ensures secure communication. Two ports are connected to the ZYNO-220 WAN ports 0 and 1 for outgoing traffic towards the ISP. Two ports are connected to switch cards 1 and 2 of each IAN as input for the switch. In case more IANs are equipped, they are also connected to Ethernet switch ports via the switch cards of each IAN. The Ethernet switch is powered through AC 230 V drawn from the 2 KVA inverter. Adaptive cut-through switching (a hybrid of store-and-forward and cut-through switching) is used in this Ethernet switch.

18.2.2.8 Main Rack or Cabinet
The Main Rack or Cabinet (as in Fig-9 and Fig-10) can house a maximum of four IANs, one Router, one Ethernet Switch and two LL2W units (optional). A conventional cooling mechanism is used.

18.2.2.9 VT 220/100 Terminal
This is connected to the RJ45 connector of the active switch card through an RS232 interface, by which the DIAS can be completely managed. DIAS also supports the Telnet protocol, using which one can log in to the IAN and access the complete CLI (Command Line Interface) remotely. The RJ45 cable has to be moved to the active switch card manually only if one switch card goes faulty. Power is supplied by the 2 KVA inverter.
The terminal connection is shown in Fig-17.
[Fig-17: VT 220/100 Terminal with keyboard and AC 230 V supply, connected via RJ45 to the Active Switch Card in the IAN]
18.2.2.10 PPPoE Software Usage in DIAS
PPPoE software usage in DIAS is shown in Fig-18.
[Fig-18: PPPoE in DIAS. Customer end: PC with PPPoE, BDSU, local cable interface. DIAS end: DIAS IAN, Ethernet Switch, Router supporting PPPoE. ISP end (over an E1 link): Router supporting PPPoE, Ethernet Switch, RADIUS/Billing Server. Flows: PPPoE request from the user; RADIUS response]
18.3 Interface
The physical link or interface (as in Fig-1) between the BDSU/HDSU and the IAN is established using a twisted copper pair. In the case of BDSU, the maximum copper length allowed is 4 km when 0.4 mm twisted-pair copper is used. For HDSU, the maximum copper length allowed is 2 km with 0.4 mm twisted-pair copper.

18.4 Conclusion
DIAS provides an excellent solution for accessing both Internet and voice services simultaneously. It is a 24-hour Internet service over a copper pair, but without dialling. It behaves like ISDN or leased circuits, but it has its own characteristics. BSNL has implemented it widely.
Chapter 19
BROADBAND ACCESS (Wired and Wireless)

Contents
• Introduction
• What is Broadband
• Broadband Access
• Wired Line Access
• Wireless Access
• Conclusion

Objectives
After completion of this module you will be able to know:
• About various broadband access technologies being deployed around the globe.
19.1 Introduction
Advances in telecommunications and data technology are creating new opportunities for countries, businesses and individuals, just as the Industrial Revolution changed fortunes around the globe. The new economy is defining how people do business, communicate, shop, have fun, learn and live on a global basis, connecting everyone to everything. The Internet has come into existence and Internet service is expanding rapidly. The demands it has placed upon the public network, especially the access network, are great. However, technological advances promise big increases in access speeds, enabling public networks to play a major role in delivering new and improved telecommunications services and applications to consumers. The Internet, and the network congestion that followed it, has led people to focus on the first and last mile as well as on creating a different network infrastructure to avoid network congestion and access problems. The solution to this is broadband.
19.2 What is Broadband?
A definition of broadband is a must, as different service providers define it in their own terms and context. TRAI (Telecom Regulatory Authority of India) defines broadband as follows:
“An ‘always-on’ data connection that is able to support interactive services including Internet access and has the capability of the minimum download speed of 256 kilo bits per second (kbps) to an individual subscriber from the Point Of Presence (POP) of the service provider intending to provide Broadband service where multiple such individual Broadband connections are aggregated and the subscriber is able to access these interactive services including the Internet through this POP. The interactive services will exclude any services for which a separate licence is specifically required, for example, real-time voice transmission, except to the extent that it is presently permitted under ISP licence with Internet Telephony.”
19.3 Broadband Access
Broadband access technology is broadly classified into two categories, wired line and wireless, and further classified as shown below.

Broadband Access Technologies
Wired line:
• DSL (Digital Subscriber Line)
• Cable Modem
• PLC (Power Line Communication)
• Optical Fibre Technologies
Wireless:
• 3G Mobile
• Wi-Fi (Wireless Fidelity)
• WiMAX
• FSO (Free Space Optics)
• LMDS and MMDS
• Satellite
19.3.1 Wired Line Access

19.3.1.1 DSL (Digital Subscriber Line)
DSL uses the existing twisted-pair telephone lines as the access medium. Over a period of time, a number of technologies (xDSL) have been introduced to provide faster data speeds over this medium. The various xDSL technologies are given below.
1. ADSL (Asymmetric Digital Subscriber Line)
2. VDSL (Very High-Speed Digital Subscriber Line)
3. RADSL (Rate Adaptive Digital Subscriber Line)
4. HDSL (High Data-Rate Digital Subscriber Line)
5. SDSL (Symmetric Digital Subscriber Line)
ADSL (Asymmetric Digital Subscriber Line)
Asymmetric Digital Subscriber Line (ADSL) is a form of DSL, a data communications technology that enables faster data transmission over copper telephone lines than a conventional modem can provide. ADSL has the distinguishing characteristic that data can flow faster in one direction (used for downloads) than in the other (used for uploads), i.e. asymmetrically.

WHY ADSL?
ADSL exists for both technical and marketing reasons. On the technical side, there is likely to be more crosstalk from other circuits at the DSLAM (Digital Subscriber Line Access Multiplexer) end, where the wires from many local loops are close together, than at the customer premises. Thus the upload signal is weakest, and the download signal strongest, at the noisiest part of the local loop. It therefore makes sense for the DSLAM to transmit at a higher bit rate than the modem at the customer end does. Since the typical home user does in fact prefer a higher download speed, telecom companies chose to make a virtue out of necessity, and hence ADSL came into being.

HOW ADSL WORKS?
To obtain the asymmetrical data transfer suited to Internet and LAN access, ADSL works by first splitting the available bandwidth on the twisted copper (telephone) wire into three different channels:
1) A high-speed downstream channel (ranging from 1.5 to 8 Mbps)
2) A medium-speed upstream channel (ranging from 16 kbps to 1 Mbps)
3) A POTS (Plain Old Telephone Service) channel
ADSL uses two separate frequency bands. With standard ADSL, the band from 25.875 kHz to 138 kHz is used for upstream communication, while 138 kHz to 1104 kHz is used for downstream communication.
Frequency plan for ADSL
First the POTS channel is split off from the digital modem by a filter, thus guaranteeing uninterrupted POTS. After the POTS channel is split from the digital data transfer bandwidth, the 26 kHz to 1.1 MHz data bandwidth can be further separated in one of two ways, as described below:
1) Frequency Division Multiplexing (FDM): FDM assigns one band for upstream data and one band for downstream data. Time division multiplexing then divides the downstream path into one or more high-speed channels and one or more low-speed channels, but the upstream path is only multiplexed into corresponding low-speed channels.
2) Echo cancellation: Echo cancellation assigns the upstream band to overlap the downstream band, and the two are separated by local echo cancellation. This technique is common in V.32 and V.34 modems (conventional modems).
With either of the above techniques, ADSL splits off a 4 kHz region for POTS at the DC end of the band.
[Figure: band plans for FDM (Basic Telephone Service, then Upstream and Downstream in separate bands) and Echo Cancellation (Upstream overlapping Downstream), with frequency on the horizontal axis]
ADSL MODULATION
ADSL uses two types of modulation, CAP (Carrierless Amplitude Phase modulation) and DMT (Discrete Multi Tone); DMT is the most widely used.

CAP (Carrierless Amplitude Phase Modulation): It is a variation of QAM (Quadrature Amplitude Modulation). QAM generates a DSSC (Double Sideband Suppressed Carrier) signal constructed from two multi-level PAM (Pulse Amplitude Modulated) signals applied in phase quadrature to one another. CAP modulation produces the same form of signal as QAM without requiring the in-phase and quadrature components of the carrier to be generated first. The following diagrams illustrate CAP modulation.

CAP TRANSMITTER AND RECEIVER
[Figure: CAP transmitter. Binary input → Constellation Encoder → an (In-Phase Filter) and bn (Quadrature Filter) → summed → D/A → Passband Line Filter → output to line]
[Figure: CAP receiver. Line input → A/D → In-Phase Adaptive Filter (~an) and Quadrature Filter (~bn) → Decision Device → Decoder → data out]
Discrete Multitone Modulation (DMT)
DMT is basically a multicarrier modulation technique. DMT spreads the original spectrum of the input signal over numerous sub-channels, each of which carries a fraction of the total information. All these sub-channels transmit data in parallel to each other and are independently modulated with a carrier frequency. By using DSP techniques, multiple sub-channels can be established using the Fast Fourier Transform (FFT), where the sub-carriers have to be orthogonal to each other. As mentioned before, DMT utilizes the spectrum between 26 kHz and 1.1 MHz. After using FDM or the echo cancellation technique, this spectrum is split up into an upstream band (26 kHz to 138 kHz) and a downstream band (138 kHz to 1.1 MHz), which is then further divided into 256 discrete sub-channels, each of which has a bandwidth of 4 kHz. One of DMT's most significant features is that it is able to dynamically adapt to the line condition to obtain the maximum throughput for each unique telephone line. DMT does this by framing the data bits into chunks and spreading them over the sub-channels. The allocation of data to each sub-channel depends on the characteristics of the line and on its SNR (Signal to Noise Ratio). There could be no data at all in a really noisy sub-channel, and there could be as much as 15 bits/Hz in a sub-channel where the SNR is optimum. By using the average signal to noise ratio (SNR) of a sub-channel, the number of bits to be allocated to that sub-channel can be decided. The number of bits to be assigned to the nth channel is calculated from this equation.
The major stages in transmitting and receiving can be seen in the following block diagrams.
[Figure: DMT transmitter. Data input → Serial-to-Parallel input data buffer → DMT Symbol Encoder (N complex sub-channel symbols, 1..N) → IFFT → DMT symbols transmitted serially → D/A → Line Filter → output to line]
[Figure: DMT receiver. Line input → Filter → A/D → DMT symbols received serially → FFT (1..N) → DMT Symbol Decoder (N complex sub-channel symbols) → Parallel-to-Serial output data buffer → data out]
The chunk of bits assigned to each sub-channel as described above is encoded as a set of quadrature amplitude modulated sub-symbols. These sub-symbols are then passed into an Inverse Fast Fourier Transform (IFFT), which combines the sub-symbols into a set of real-valued time-domain samples. The output of the IFFT is then sent to a parallel-to-serial block, where a cyclic prefix is added to remove Inter-Symbol Interference (ISI) between the sub-channels. The output is then passed into a digital-to-analog converter and sent over the twisted copper telephone wire. The receiver receives the signal from the twisted copper telephone wire and performs the reverse process to obtain the required data. To reduce transmission errors and to counter the problems of using telephone lines as a data transfer medium, DMT uses Reed-Solomon forward error correction. The size of the Reed-Solomon codeword depends on the number of bits assigned to each sub-channel.
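The SNR-driven bit allocation described for DMT (no bits on a noisy sub-channel, up to 15 on a clean one, summed over the 256 tones and sent at the symbol rate), as an added example that is not part of the original text. The page's own bit-allocation equation is not reproduced in this extraction, so the code assumes the standard SNR-gap approximation b = floor(log2(1 + SNR/Γ)); the 4.3125 kHz tone spacing and 4000 symbols/s are the G.992.1 values, and the per-tone SNR profile is constructed for illustration, not measured.

```python
import math

# Standard ADSL (G.992.1) DMT parameters (not taken from the page, which rounds
# the tone spacing to "4 kHz").
TONE_SPACING_HZ = 4312.5
SYMBOL_RATE = 4000                 # DMT symbols per second
MAX_BITS_PER_TONE = 15             # "as high as 15 bits" in the text
UPSTREAM_TONES = range(7, 32)      # ~26 kHz .. 138 kHz
DOWNSTREAM_TONES = range(33, 256)  # ~138 kHz .. 1.1 MHz (FDM band plan)


def bits_for_tone(snr_db: float, gap_db: float = 9.8) -> int:
    """SNR-gap approximation (assumed here; the page's equation is not reproduced):
    b = floor(log2(1 + SNR/Gamma)), clamped to 0..15. gap_db ~9.8 dB corresponds to
    uncoded QAM at 1e-7 BER; coding gain and noise margin shift it."""
    ratio = 10 ** ((snr_db - gap_db) / 10)
    return max(0, min(MAX_BITS_PER_TONE, math.floor(math.log2(1 + ratio))))


def load_bits(snr_db_by_tone: dict, tones: range, gap_db: float = 9.8) -> dict:
    """Per-tone allocation {tone: bits}; a tone whose SNR is under the gap carries 0."""
    return {n: bits_for_tone(snr_db_by_tone[n], gap_db) for n in tones}


def bit_rate_bps(allocation: dict) -> int:
    """Bits per DMT symbol summed over the tones, times the symbol rate."""
    return sum(allocation.values()) * SYMBOL_RATE


def constructed_snr_profile(loop_km: float) -> dict:
    """Constructed per-tone SNR in dB (illustration only, not measurements):
    attenuation grows with loop length and faster at high tones, and tones
    120..130 sit under an invented narrowband interferer."""
    profile = {}
    for n in range(256):
        snr = 58.0 - loop_km * (4.0 + 0.06 * n)
        if 120 <= n <= 130:
            snr -= 40.0
        profile[n] = snr
    return profile


def plan(loop_km: float, gap_db: float = 9.8) -> dict:
    """Rates the line would train at on the constructed profile for a given loop."""
    snr = constructed_snr_profile(loop_km)
    up = load_bits(snr, UPSTREAM_TONES, gap_db)
    down = load_bits(snr, DOWNSTREAM_TONES, gap_db)
    return {
        "upstream_bps": bit_rate_bps(up),
        "downstream_bps": bit_rate_bps(down),
        "idle_downstream_tones": sum(1 for b in down.values() if b == 0),
    }


if __name__ == "__main__":
    for km in (1.0, 2.5, 4.0):
        print(f"{km} km loop: {plan(km)}")
```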
Common Elements in ADSL
The common elements of ADSL are:
a) CPE (Customer Premises Equipment), containing a splitter, an ADSL modem and a PC.
b) Central Office premises equipment, containing DSLAMs (Digital Subscriber Line Access Multiplexers), MDFs and the PSTN.
c) Aggregator and ATM core, consisting of Tier II and Tier I switches, BRAS (Broadband Remote Access Server), servers and core routers.

Factors Determining ADSL Connectivity:
The greater the distance from the DSLAM (Digital Subscriber Line Access Multiplexer) to the customer end, the lower the data rate. Signal attenuation and Signal to Noise Ratio are the defining characteristics, and can vary completely independently of distance (e.g. non-copper cabling, cable diameter). Performance is also dependent on the line impedance, which can change dynamically, either with weather conditions (very common for old overhead lines) or with the number and quality of joints or junctions in a particular cable length.
Data Rate - Wire Size - Distance
Data Rate       Wire Size   Distance
1.5-2.0 Mbps    0.5 mm      18000 feet (5.5 km)
1.5-2.0 Mbps    0.4 mm      15000 feet (4.6 km)
6.1 Mbps        0.5 mm      12000 feet (3.7 km)
6.1 Mbps        0.4 mm       9000 feet (2.7 km)
ADSL standards
Standard name               Standard type        Downstream rate   Upstream rate
ANSI T1.413-1998 Issue 2    ADSL                 8 Mbit/s          1.0 Mbit/s
ITU G.992.1                 ADSL (G.DMT)         8 Mbit/s          1.0 Mbit/s
ITU G.992.2                 ADSL Lite (G.Lite)   1.5 Mbit/s        0.5 Mbit/s
ITU G.992.3/4               ADSL2                12 Mbit/s         1.0 Mbit/s
ITU G.992.3/4 Annex J       ADSL2                12 Mbit/s         3.5 Mbit/s
ITU G.992.3/4 Annex L¹      ADSL2                12 Mbit/s         1.0 Mbit/s
ITU G.992.5                 ADSL2+               24 Mbit/s         1.0 Mbit/s
ITU G.992.5 Annex L¹        ADSL2+               24 Mbit/s         1.0 Mbit/s
ITU G.992.5 Annex M         ADSL2+               24 Mbit/s         3.5 Mbit/s
Additionally, the non-Annex ADSL2 and ADSL2+ support an extra 256 kbit/s of upstream if the bandwidth normally used for POTS voice calls is allocated for ADSL usage. While ADSL access utilizes the 1.1 MHz band, ADSL2+ utilizes the 2.2 MHz band.

VDSL (Very-High-Speed DSL)
Very-high-speed DSL (VDSL) promises even higher speeds than ADSL, although over much shorter distances. It was originally named VADSL (A for Asymmetric) but was later extended to support both symmetric and asymmetric operation. It requires one phone line and supports voice and data. It works between 0.3 and 1.37 km depending on speed. It supports an upstream data rate of 1.6-2.3 Mbps and a downstream data rate of 13-52 Mbps. The following table shows the data rates and distance.

Downstream    Upstream       Distance
12.96 Mbps    1.6-2.3 Mbps   4500 feet (1.37 km)
25.82 Mbps    1.6-2.3 Mbps   3000 feet (0.91 km)
51.84 Mbps    1.6-2.3 Mbps   1000 feet (0.30 km)
RADSL (Rate-Adaptive DSL)
As the name implies, rate-adaptive DSL (RADSL) modems adjust the data rate to match the quality of the twisted-pair connection. Emerging software should make this an automated process with little human intervention.

HDSL (High-Data-Rate DSL)
An HDSL modem is viewed as the equivalent of a PCM stream (2 Mbps) and offers the same bandwidth both upstream and downstream. It can work up to a distance of 3.66 to 4.57 km depending upon the speed required. It can deliver 2048 kbps
a) on 2 pairs of wires, each line carrying 1168 kbps;
b) on 3 pairs of wires, each line carrying 784 kbps.

SDSL (Symmetric DSL)
Symmetric digital subscriber line (SDSL) is similar to HDSL but requires only one pair of wires. Transmission speed ranges from n x 64 kbps to 2.0 Mbps in both directions; the upload and download streams are of equal bandwidth.
19.3.1.2 CABLE MODEM
The cable network was primarily designed to deliver TV signals in one direction, from the head-end to the subscribers' homes. Operators had to upgrade the cable network so that signals could flow bi-directionally. One part of the spectrum is used for the signals that move from the head-end towards the cable subscriber; another range of frequencies is used for the signals that move from the cable subscriber towards the head-end. By replacing the existing one-way amplifiers with two-way amplifiers, cable operators are able to separate the upstream and downstream signals and amplify each direction separately in the right frequency range. In the downstream direction (from the network to the computer), network speeds can be up to 27 Mbps. In the upstream direction (from computer to network), speeds can be up to 10 Mbps. Most modem producers have selected a more practical speed between 500 kbps and 2.5 Mbps. A cable modem with a splitter can provide Internet access to multiple PCs if they are connected via a local area network (LAN). Cable modems typically have an Ethernet output, so they can connect to the LAN with a standard Ethernet hub or router.
[Figure: A typical cable modem setup at the customer end]
There are 3 types of cable modem.
1) External Cable Modem
• An external box connected to the computer through an Ethernet connection
• Can use a USB interface too
2) Internal Cable Modem
• Typically a PCI bus add-in card for a PC
3) Interactive Set-Top Box
• Provides a return channel, often through the POTS, giving access to web browsing through the TV screen

Disadvantages of Cable Modem:
1) Bandwidth Sharing: Users in a neighbourhood have to share the available bandwidth provided by a single coaxial cable line. Therefore connection speed can vary depending on how many people are using the service at the same time. The shared line is often seen as a weak point of cable Internet access.
2) Security: A more significant weakness of cable networks using a shared line is the risk of loss of privacy, especially considering the availability of hacking tools for cable modems.
3) Connectivity Problem: Many cable Internet providers are reluctant to offer cable modem access without tying it to a cable television subscription.
4) Cost factor: The cost of cable modems and splitters is high compared to ADSL modems.

19.3.1.3 Power Line Communication (PLC)
PLC, also called Broadband over Power Lines (BPL) or Power Line Telecoms (PLT), is a wireline technology that is able to use the existing electricity network for data and voice transmission. The carrier can communicate voice and data by superimposing an analog signal over the standard 50 or 60 Hz alternating current (AC). Traditionally, electrical utilities used low-speed power-line carrier circuits for control of substations, voice communication, and protection of high-voltage transmission lines. More recently, high-speed data transmission has been developed using the lower-voltage lines used for power distribution.
A short-range form of power-line carrier is used for home automation and intercoms. A computer (or any other device) would need only to plug a BPL "modem" into any outlet in an equipped building to have high-speed Internet access. PLC modems transmit in the medium and high frequency range (1.6 to 30 MHz electric carrier). The asymmetric speed in the modem is generally from 256 kbit/s to 2.7 Mbit/s. In the repeater situated in the meter room the speed is up to 45 Mbit/s, and it can be connected to 256 PLC modems. In the medium-voltage stations, the speed from the head ends to the Internet is up to 135 Mbit/s. To connect to the Internet, utilities can use an optical fibre backbone or a wireless link.

[Figure: Typical PLC layout]
High-speed data transmission, or Broadband over Power Line, uses the electric circuit between the electric substations and home networks. A standard used for this is ETSI PLT. PLC uses the following frequency bands.
Low frequencies
• Below 400 kHz (US)
• Below 125 kHz (Europe)
• Transmission rate about 1 to 10 kbps
The low band is used for telemetry, security and remote control.
High frequencies
• 2 to 30 MHz (HF)
• Transmission rate about 1 to 40 Mbps
The high band is used for telephony and Internet.
[Figure: PLC Distribution Network. Getting beyond the transformer; insert Power Line Carrier at medium voltage; backhaul to NAP (fibre, DSL, wireless, satellite)]
ADVANTAGES
The major advantage of BPL over regular cable or DSL connections is the extensive infrastructure already available, which would appear to allow more people in more locations to have access to the Internet.

DISADVANTAGES
Utility power systems are adverse electromagnetic environments for broadband communications.
1. Network characteristics (topology, impedance, splices, terminations, grounding) and devices (regulators, capacitors, re-closers) can adversely affect signal strength and quality.
2. Electronic loads and nearby high-frequency radiation sources may cause high-frequency noise that interferes with BPL.
3. Equipment will be exposed to severe lightning and switching surges.
4. Utility operations and maintenance personnel may damage or improperly install equipment.
5. Some of the PLC systems are not fully operable at very low or no load without battery backup.
6. Physics limits frequency on power lines to 66 kV) power lines.
8. Conventional electronic surge arrestors severely attenuate the BPL signal.
9. Other electronic devices (plasma screen TVs, variable speed drives) interfere with the BPL signal or vice versa.
10. Existing vendors' technologies are not interoperable.
11. There is not yet an IEEE standard for BPL.

19.3.1.4 OPTIC FIBER TECHNOLOGIES
Optical fibres, clearly the chosen technology for transmission media, are beginning to find their place in the subscriber's loop. Currently fibre costs are high compared to copper, but there is a trend towards decreasing costs of optical fibre cables and the photonics employed. In addition, the tremendous advantages of fibre over copper cable in terms of information capacity, small weight and size are making it a very attractive technology to replace copper in the subscriber loop when advanced broadband services need to be offered to the customer. To carry the same information as one fibre cable we would need hundreds of reels of twisted-wire Cu cable. Further, fibre is 23 times lighter than Cu cable and 36 times smaller in cross-sectional area. These features of light weight and small size make fibre cable easier to handle. In crowded city networks it can easily be accommodated in existing ducted systems. Fibre in the loop (FITL) can be developed in several configurations:
1) Fibre to the Curb (FTTC)
2) Fibre to the Building (FTTB)
3) Fibre to the Home/Office (FTTH/FTTO)
4) PON (Passive Optical Network)

Fibre to the Curb (FTTC): the terminal equipment is located on the curb, from where it is convenient to serve a suitable service area. Since the distribution would still be copper, a suitable location for the terminal is one which optimizes cost, reduces back-feeding, reduces distribution cost and takes safety factors into consideration. Space and power availability need to be confirmed before finalising the location.
Fibre to the Building (FTTB): the terminal equipment is located inside a multi-storeyed building. This brings higher bandwidth closer to the subscriber. The distribution part is still copper. For new buildings, the planners may negotiate for a suitable location well in time.
Fibre to the Home/Office (FTTH/FTTO): in this method the fibre goes up to the subscriber premises.
[Figure: Typical architecture of fibre in the local loop]
Depending upon the location of the cabinet (CAB in the diagram above) or the terminal equipment, we call it FTTC, FTTH/FTTO or FTTB. The optical fibre cabinet consists of fibre optic transmission equipment and customer access equipment. It has three internal chambers: a battery chamber that houses up to 2 batteries, an MDF chamber housing the MDF, alarms and the fibre splice box, and an equipment chamber housing the transmission and access equipment. The exchange side of the cabinet connects to the exchange at 2 Mbps or channel level, or over a V5.2 interface, and the subscriber side connects to subscribers via copper lines. These can be installed as outdoor or indoor cabinets. Outdoor cabinets are environmentally protected and can be installed on curbs or in remote areas. Fibre optic cabinets usually have capacities of 120, 240, 480 and 1920 channels. Each cabinet requires two fibres for operation, and one dark fibre pair is usually kept as spare. The fibre optic cabinets offer point-to-point connections and can take care of POTS, ISDN (BA and PRI), DID, payphones and 64 kbps leased lines.
19.3.1.5 Passive Optical Networks (PONs)
Most telecommunications networks today are based on active components at the serving office exchange and at the termination points at the customer premises, as well as in the repeaters, relays and other devices in the transmission path between the exchange and the customer. By active components we mean devices which require power. With Passive Optical Networks, all active components between the central office exchange and the customer premises are eliminated, and passive optical components are put into the network to guide traffic by splitting the power of optical wavelengths to endpoints along the way. This replacement of active with passive components provides a cost saving to the service provider by eliminating the need to power and service active components in the transmission loop. The passive splitters or couplers are merely devices that pass or restrict light, and as such have no power or processing requirements and have a virtually unlimited Mean Time Between Failures (MTBF), thereby lowering overall maintenance costs for the service provider.
The basic components of a PON are:
a) Optical Line Terminal (OLT): located in the central office, it interfaces with the switch (possibly through a V5 interface). It provides system control and implements the transmission protocol.
b) Splitter: splits the source optical beam into multiple fibres.
c) Optical Network Unit (ONU): interfaces with subscriber terminals and works under the control of the OLT to implement the transmission protocol. It can be deployed in FTTC, FTTB and FTTH configurations.
[Figure: Typical PON connectivity]
The different PON technologies are given below.
a) APON (ATM PON)
b) EPON (Ethernet PON)
c) GPON (Gigabit PON)

PON benefits
PON systems offer a number of benefits to the operator and the end users.
1) Fibre is less costly to maintain than copper-based systems, so operators can reduce costs, increase profits or lower costs to the end users.
2) The technology conserves fibre, passive elements and optical interfaces. All this leads to cost effectiveness.
3) Reliability of the network is very high.
4) Both business and residential customers can be served on the same platform, and customers get better quality of service.
5) The network can be upgraded to support future services.
19.4 Wireless Technologies
19.4.1 Bluetooth
Bluetooth is a wireless technology used for short-range applications (about 10 metres), namely in Personal Area Networks (PAN). It operates in the 2.4 GHz band at 1+ Mbps, and frequency hopping spread spectrum modulation is employed. It is a combination of circuit switching and packet switching, supporting both voice and data. Bluetooth lets devices talk to each other when they come in range, even if they are not in the same room, as long as they are within up to 100 metres (328 feet) of each other, depending on the power class of the product. Products are available in one of three power classes:
Class 1 (100 mW) [still readily available]: the longest range, up to 100 metres (328 ft).
Class 2 (2.5 mW) [most common]: allows transmission to a distance of 10 metres (33 ft).
Class 3 (1 mW) [rare]: allows transmission over 10 cm (3.9 in), with a maximum of 1 metre (3.3 ft).
With UWB (Ultra Wide Band) technology, speeds up to a maximum of 400 Mbps are achieved.
19.4.2 3G Mobile
Of late, cellular mobile telephony has started maturing in delivering data access over the air. The evolution of cellular mobile telephony has taken place in the following steps:
1. 2G: GSM, CDMA
2. 2.5G: GSM (GPRS/EDGE), CDMA 2000 1x
3. 3G: UMTS/WCDMA, CDMA 2000 1xEVDO/EVDV
The speeds achieved with the above cellular mobile technologies are given below.
1) 2G GSM/CDMA: 9-14 kbps
2) 2.5G GSM: GPRS 115 kbps, EDGE 384 kbps
3) 2.5G CDMA 2000 1x: 170 kbps
4) 3G UMTS/WCDMA: 384 K (M), 2048 K (S)
5) 3G CDMA 2000 1x EVDO/EVDV: 384 K (M), 2048 K (S)
However, the technologies 2.5G GSM (EDGE) and 3G (both CDMA 2000 1x EVDO*/EVDV* and UMTS*/WCDMA*) fall into the category of broadband access. (*Note: EVDO - Evolution Data Optimised; EVDV - Evolution Data and Voice; UMTS - Universal Mobile Telephony System; WCDMA - Wideband Code Division Multiple Access.)

19.4.3 Wi-Fi (Wireless Fidelity)
Wi-Fi (also WiFi or wifi) is an abbreviation for "wireless fidelity" and is a trademark controlled by the Wi-Fi Alliance (formerly the Wireless Ethernet Compatibility Alliance), the trade organization that tests and certifies equipment compliance with the IEEE 802.11 standards for wireless local area networks (WLANs). Wi-Fi was intended to allow mobile devices, such as laptop computers and personal digital assistants (PDAs), to connect to local area networks, but is now often used for wireless Internet access and wireless. Many computers are sold today with Wi-Fi built in; others require adding a Wi-Fi network card (wireless Ethernet/LAN card). A Wi-Fi-enabled device is able to connect to a local area network when near one of the network's access points (see the figure below). The connection is made by radio signals; there is no need to plug the device into the network. If the local area network is connected to the Internet, the Wi-Fi device can have Internet access as well. The geographical region covered by several access points is called a hotzone. The range of an access point varies. The access point built into a typical Wi-Fi home router might have a range of 45 m (150 ft) indoors and 90 m (300 ft) outdoors.
Wireless Ethernet standards
Wi-Fi is based on the IEEE 802.11 specifications. There are currently four deployed 802.11 variations: 802.11a, 802.11b, 802.11g and 802.11n. The b specification was used in the first Wi-Fi products. The n variant is the most recent.
IEEE 802.11: The initial release of the standard, capable of transmissions of 1 to 2 Mbps; operates in the 2.4 GHz band using either frequency hopping spread spectrum (FHSS) or direct sequence spread spectrum (DSSS).
IEEE 802.11a: Capable of transmissions up to 54 Mbps; operates in the 5 GHz band and uses an orthogonal frequency division multiplexing (OFDM) encoding scheme.
IEEE 802.11b: Capable of transmissions up to 11 Mbps; operates in the 2.4 GHz band and uses only the DSSS encoding scheme.
IEEE 802.11g: Capable of transmissions up to 54 Mbps; operates in the 2.4 GHz band and uses an OFDM encoding scheme.
IEEE 802.11n: Capable of transmissions up to 100 Mbps; operates in the 2.4 GHz band and uses an OFDM encoding scheme.

Advantages of Wi-Fi
• Unlike packet radio systems, Wi-Fi uses unlicensed radio spectrum and does not require regulatory approval for individual deployers.
• Allows LANs to be deployed without cabling, potentially reducing the costs of network deployment and expansion. Spaces where cables cannot be run, such as outdoor areas and historical buildings, can host wireless LANs.
• Wi-Fi products are widely available in the market. Different brands of access points and client network interfaces are interoperable at a basic level of service.
• Competition amongst vendors has lowered prices considerably since their inception.
• Many Wi-Fi products support roaming, in which a mobile client station such as a laptop computer can move from one access point to another as the user moves around a building or area.
• Many access points and network interfaces support various degrees of encryption to protect traffic from interception.
• Wi-Fi is a global set of standards. Unlike cellular carriers, the same Wi-Fi client works in different countries around the world (although it may require simple software configuration).
Disadvantages of Wi-Fi • Though the use of the 2.4 GHz Wi-Fi band does not require a license in most of the world, local regulations do require that Wi-Fi devices stay below the local regulatory limits on transmission power and accept interference from other sources, including interference which causes the devices to no longer function. Legislation/regulation is not consistent worldwide. • The 802.11b and 802.11g flavors of Wi-Fi use the 2.4 GHz spectrum, which is crowded with other equipment such as Bluetooth devices, microwave ovens, cordless phones (900 MHz or 5.8 GHz are, therefore, alternative phone frequencies one can use to avoid interference if one has a Wi-Fi network), or video sender devices, among many others. This may cause a degradation in performance. Other devices which use these microwave frequencies can also cause degradation in performance. • Closed access points can interfere with properly configured open access points on the same frequency, preventing use of open access points by others.
Internet •
Power consumption is fairly high compared to other standards, making battery life and heat a concern.
19.4.4 WiMAX
WiMAX is an acronym that stands for Worldwide Interoperability for Microwave Access, a certification mark for products that pass conformity and interoperability tests for the IEEE 802.16 standards. (IEEE 802.16 is working group number 16 of IEEE 802, specializing in point-to-multipoint broadband wireless access.) WiMAX covers wider, metropolitan or rural areas. It can provide data rates up to 75 megabits per second (Mbps) per base station with typical cell sizes of 2 to 10 kilometers. This is enough bandwidth to simultaneously support (through a single base station) more than 60 businesses with T1/E1-type connectivity and hundreds of homes with DSL-type connectivity. It is similar to Wi-Fi in concept, but certain improvements aimed at better performance should permit usage over much greater distances. IEEE 802.16 networks use the same Logical Link Controller (standardized by IEEE 802.2) as other LANs and WANs, so traffic can be both bridged and routed to them. An important aspect of IEEE 802.16 is that it defines a MAC (Media Access Control) layer that supports multiple physical layer specifications in the 2 to 11 GHz and 10 to 66 GHz bands. It will provide fixed, portable and eventually mobile wireless broadband connectivity, and also provides POTS services.
[Figure: 802.16 last-mile networks. A WiMAX base station (point-to-multipoint access, with WiMAX backhaul to the PSTN, the Internet and the telco core or private fiber network) serves WiMAX subscriber stations at the customer premises (home, business or hotspot), where an internal access point with hub provides Ethernet, Wi-Fi and POTS.]
The MAC is significantly different from that of Wi-Fi (and Ethernet, from which Wi-Fi is derived). In Wi-Fi, the MAC uses contention access: all subscriber stations wishing to pass data through an access point compete for the AP's (access point's) attention on a random basis. This can cause nodes distant from the AP to be repeatedly interrupted by less sensitive, closer nodes, greatly reducing their throughput. By contrast, the 802.16 MAC is a scheduling MAC where the subscriber station only has to compete once (for initial entry into the network). After that it is allocated a time slot by the base station. The time slot can enlarge and constrict, but it remains assigned to the subscriber station, meaning that other subscribers are not supposed to use it but take their turn. This scheduling algorithm is stable under overload and oversubscription (unlike 802.11). It is also much more bandwidth efficient. The scheduling algorithm also allows the base station to control Quality of Service by balancing the assignments among the needs of the subscriber stations. This is also an important aspect of why WiMAX can be described as a "framework for the evolution of wireless broadband" rather than a static implementation of wireless technologies.
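The contrast between contention access and scheduled access can be made concrete with a small slot-by-slot model. The following is an added example written for this chapter, not code from the original text or from any 802.11/802.16 implementation: it compares the delivered frames per slot of a saturated contention MAC (every station transmits in a slot with some probability, and two or more transmitters collide) against a base-station scheduler that grants every slot to exactly one subscriber. The station counts, transmit probability and per-frame demands are constructed illustration values, and the proportional-share scheduler is an assumption chosen only to show the "compete once, then take your turn" behaviour described above.

```python
"""Contention access versus scheduled access, slot by slot.

Added example for this chapter (not from the original text).  Parameters
are constructed illustration values; the scheduler is an assumed simple
proportional share, not the real 802.16 scheduling algorithm.
"""
import random


def contention_throughput_exact(n_stations, p_transmit):
    """Slotted contention access with every station always having a frame
    to send: a slot delivers a frame only when exactly one station
    transmits, which happens with probability n*p*(1-p)^(n-1)."""
    n, p = n_stations, p_transmit
    return n * p * (1 - p) ** (n - 1)


def contention_throughput_sim(n_stations, p_transmit, slots=5000, seed=1):
    """Monte-Carlo version of the formula above: frames delivered per slot."""
    rng = random.Random(seed)
    delivered = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n_stations) if rng.random() < p_transmit)
        if transmitters == 1:          # two or more transmitters collide
            delivered += 1
    return delivered / slots


def schedule_frame(demands, frame_slots):
    """Base-station scheduler: each subscriber states its demand (slots per
    frame) once.  If the total fits, everyone gets what it asked for; if the
    frame is oversubscribed, shares shrink in proportion (largest-remainder
    rounding) so the frame is never oversold.  Every slot is granted to
    exactly one station, so there are no collisions and the frame carries
    min(total_demand, frame_slots) frames regardless of load."""
    total = sum(demands.values())
    if total <= frame_slots:
        return dict(demands)
    exact = {s: d * frame_slots / total for s, d in demands.items()}
    alloc = {s: int(v) for s, v in exact.items()}
    leftover = frame_slots - sum(alloc.values())
    by_remainder = sorted(exact, key=lambda s: exact[s] - alloc[s], reverse=True)
    for s in by_remainder[:leftover]:
        alloc[s] += 1
    return alloc


def scheduled_throughput(demands, frame_slots):
    """Frames carried per slot under the scheduler: 1.0 whenever demand
    meets or exceeds capacity, i.e. stable under oversubscription."""
    return sum(schedule_frame(demands, frame_slots).values()) / frame_slots


if __name__ == "__main__":
    p = 0.1
    for n in (2, 10, 50):
        demands = {f"sub{i}": 10 for i in range(n)}   # constructed: 10 slots each
        print(n, round(contention_throughput_exact(n, p), 3),
              round(contention_throughput_sim(n, p), 3),
              scheduled_throughput(demands, 100))
```

Running the script shows the contention throughput falling as more saturated stations compete (collisions dominate), while the scheduled frame stays fully used once demand reaches capacity; the shrinking shares in `schedule_frame` are the model's version of a time slot that "can enlarge and constrict" while remaining assigned to one subscriber.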
19.4.5 Free Space Optics
FSO is an optical, wireless, point-to-point, line-of-sight broadband technology that is an alternative to fiber optic cable systems without the expense of fiber. Speed is comparable to fiber optic transmission: it transmits up to 1.25 Gbps at a distance of 4 miles (6.4 kilometers) in full-duplex mode. It uses a low-powered infrared (IR) beam sent through open air by transceivers, and uses unlicensed higher frequencies. Currently FSO uses two different wavelengths (780 nm and 1550 nm), but a worldwide standard is expected in the near future.
[Figure: FSO transceiver]
Advantages of FSO
1. Significantly less expensive than fiber optic or leased lines
2. Much faster installation: days or weeks, compared to months for fiber optic cables
3. Transmission speed can be scaled to meet the user's needs, from 10 Mbps to 1.25 Gbps
4. Security is a key advantage: the beam is not easy to intercept or decode
Disadvantages of FSO
1. Scintillation: temporal and spatial variations in light intensity caused by atmospheric turbulence, which acts like a prism and distorts FSO signals
2. Loss of signal due to fog (the intensity of light is reduced)
3. Interference with the signal due to birds or flies obstructing the signal path
4. Obstruction of the signal by the swaying of tall structures/buildings due to winds and seismic activity
19.4.6 (a) Local Multipoint Distribution Service (LMDS)
LMDS is a broadband wireless access technology that uses microwave signals operating between the 26 GHz and 29 GHz bands. It is a point-to-multipoint service, hence it is typically deployed for access by multiple parties. Throughput capacity and distance of the link depend on the modulation method used, either phase-shift keying or amplitude modulation. Links up to 5 miles from the base station are possible.
[Figure: LMDS typical layout. A central office (video, PSTN, Internet, content and application providers) feeds an LMDS cell site, which provides data, PSTN and video access to subscribers and backhaul for hotspots.]
Factors determining LMDS
1. Line-of-sight: LMDS requires a direct line of sight. Tall buildings may obstruct the line of sight, and the solution is to divide the area into smaller cells.
2. Antenna height: antennas placed on taller buildings can serve larger cells without obstructions.
Advantages
a) Lower cost for both user and carrier than wired alternatives
b) Increased service area; the network may be expanded one cell at a time
c) Capacity; with as much as 1,300 MHz of spectrum in a local market, carriers can support 16,000 telephone calls and 200 video channels simultaneously
Disadvantages
a) Requires line-of-sight between buildings; an LMDS network is limited by surrounding objects
b) Affected by precipitation; LMDS systems are susceptible to interference from rain and fog
19.4.6 (b) Multichannel Multipoint Distribution System (MMDS)
Multichannel multipoint distribution service, also known as MMDS or wireless cable, is a wireless telecommunications technology used for general-purpose broadband networking. Similar to LMDS, MMDS can transmit video, voice or data signals at 1.5 Mbps downstream and 300 Kbps upstream at distances up to 35 miles. A mounted MMDS hub uses a point-to-multipoint architecture. Pizza-box (13 x 13 inch) directional antennas are mounted at the receiving location, and a cable runs from the antenna to an MMDS wireless modem, which converts the analog signal to digital and may be attached to a single computer or a LAN.
Advantages
a) Signal strength: the low-frequency MMDS RF signal travels farther and with less interference than high-frequency LMDS RF signals
b) Cell size: seven times larger than the area covered by LMDS transmitters
c) Cost: MMDS is less expensive than LMDS
Disadvantages
a) Requires direct line-of-sight, which makes installation difficult and eliminates locations blocked by taller obstructions
b) Shared signals: decreased speed and throughput, since users share the same radio channel
c) Security: unencrypted transmissions may be intercepted and read
d) Limited markets: available in limited areas in the USA
19.4.7 Satellite
Satellite broadband offers two-way Internet access via satellites orbiting the earth about 22,000 miles above the equator. The PC, through a special satellite modem, sends its requests to the satellite dish located on top of the roof/building, which in turn transmits signals to and receives signals from the satellites. But satellite broadband is slower in both uplink and downlink compared to any DSL technology, for example. At present we use VSAT (Very Small Aperture Terminal) and DTH (Direct To Home) terminals for satellite transmission. C, Ku and Ka bands are used for services involving fixed terminals, and the L band is used for mobile services. It offers data rates of 9.6 Kbps for a handheld terminal and 60 Mbps for a fixed VSAT terminal at present. Satellite broadband has the advantage that it can be deployed in every region of a country, and it opens up usage in rural areas where tough terrain conditions prevail. It provides an always-on connection without dialling. It offers reliability better than 99.9%, so users need not worry about dropped connections during critical transactions or missed emails.
21.5 Conclusion
With the advent of new technologies in the field of communication, which have brought the world closer and closer, the consumer will be in a better position to choose and reap the benefits that broadband technology offers, viz. high speed Internet, video conferencing, telemedicine, video on demand, Internet radio, instant messaging, etc.
Chapter 20
Next Generation Networks
Contents
• Introduction
• History
• Different types of Networks
• Definition
• Features
• Applications
• Characteristics
Objectives
After completion of this module you will be able to know:
• The features of NGN
• Applications of NGN
• Characteristics of NGN
• Elements of NGN
20.1 Introduction
Next Generation Networks (NGN) are the next step in world communications. NGNs are the culmination of 100 years of telecommunications evolution, combining the scalability and reliability of the public telephone network with the reach and flexibility of the Internet. The next-generation network seamlessly blends the public switched telephone network (PSTN) and the public switched data network (PSDN), creating a single multi-service network. Today there are three separate networks: the PSTN voice network, the wireless network and the data network (the Internet). NGN converges all three of these networks into a common packet infrastructure. This intelligent, highly efficient infrastructure delivers universal access and a host of new technologies, applications and service opportunities. The fundamental difference between NGN and today's network is the switch from current 'circuit-switched' networks to 'packet-based' systems such as those using Internet Protocol (IP). The need for global standards is critical, as most operators expect to move to an IP infrastructure. One area to be addressed is the concept of 'nomadicity', which will give fixed line and mobile users completely seamless communication. It means that the underlying technology will be invisible to the user regardless of a multi-service, multi-protocol, multi-vendor environment.
20.2 History
The global telecommunications infrastructure has evolved over the past 100 years. The last two decades, however, have heralded seminal change that has accelerated this evolution manifold. The emergence of the converged network, driven largely by growth in video, voice and data traffic across the globe, has been a major primer for change, and all industry watchers agree that this is only the beginning. Traditional circuit-switched telecommunications infrastructure is the foundation for the public switched telephone network (PSTN) that delivers telephony connections to homes and businesses today. This network is extremely demanding in its requirements for reliability and high availability. People expect, and generally receive, a dial tone when they pick up the phone. How is such a reliable network assured? Under the existing paradigm, the phone system creates a dedicated circuit between the caller and the destination to complete a call. This line cannot be used by the system for other purposes for the duration of the call. Time division multiplexing (TDM) technology, on which circuit-switched telephony is based, allows the system to place multiple calls on its major trunk lines, but the dedicated circuit still consumes more network bandwidth than necessary. High reliability and voice quality, as well as the lack of any viable alternative, meant that TDM based communication technologies grew and flourished. Till the Internet emerged! The Internet is a network of networks, connecting millions of computers across the world. Widespread adoption of PC devices, the evolution of killer applications such as the WWW and e-mail, as well as its efficiency in the transfer of data traffic across the world, saw a surge in Internet users through the 1990s.
At the crossroads
The telecommunications world is at the crossroads today. As the amount of data traffic crossing the globe increases every second, the conventional infrastructure is seen to be increasingly incapable of handling it. On the other hand, the flexible and efficient data network, the Internet, can carry all forms of service traffic over it, but has been found to be unsuited for telephony. As is usually the case, the market found a way out. The clash of the old world and the new led to a wave of innovation and evolution for telecommunications. Today, copper and fibre optic lines that used to carry voice traffic now also transmit data, fax and video. Traditional circuit switching is giving way to more efficient and flexible packet switching technologies as a result of the explosive growth of IP (Internet Protocol) networks. New companies are entering the telecommunications space as service providers, and old companies are adopting new business models built on new technology. In this competitive marketplace, telecommunication firms are looking to enhance the services they provide to their customers and reduce the costs of delivering them. One critical area of communications infrastructure that has been rapidly evolving in recent times has been switching technologies, as traditional switching functions give way to the next generation of telecommunication switches. Switching is the core of all telecommunication networks, allowing efficient point-to-point communications without direct connections between every node. To operate in the demanding and highly intensive PSTN domain, telecom switches need to be compatible with existing legacy systems and standard communications protocols. They are expected to deliver the high reliability that is expected today from a TDM network. They are also expected to support value-added features and services that allow carriers to differentiate themselves based on service and to scale on demand. Such an increasingly open architecture demands that switching technology upgrade to accommodate the emerging requirements of a communications network.
Rapid progress in the late 1990s
During the late 1990s, very rapid progress was made in overcoming these limitations. Gateways that can pass traffic between IP networks and the PSTN have been available since early 1998, and various groups have been working on the development of software that can be used to control gateways, in order to enable managed delivery of voice over IP. The era of circuit-switched telecommunication networks is drawing to a close. We are seeing the beginnings of a transition that will gather pace over the coming decade, from distinct and separate sets of infrastructure for telephony and data towards the 'next-generation network', a single IP-based infrastructure for carrying all the voice, data and multimedia traffic associated with an increasingly wide range of network services. One of the key reasons for the rapid acceptance of this technology has been its open-standards based architecture, which provides great flexibility for carriers to develop custom solutions based on best-of-breed hardware and software components.
20.3 Different Types of Networks
20.3.1 Circuit Switching
In this method, a connection called a circuit is set up between two devices and is used for the whole communication. Information about the nature of the circuit is maintained by the network. The circuit may either be a fixed one that is always present, or it may be a circuit that is created on an as-needed basis. Even if many potential paths through intermediate devices may exist between the two communicating devices, only one will be used for any given dialog. This is illustrated below.
[Figure: Circuit switching. The communication links from A to B and from B to A are shown.]
In a circuit-switched network, before communication can occur between two devices, a circuit is established between them. Once set up, all communication between these devices takes place over this circuit. The classic example of a circuit-switched network is the existing telephone system. When A calls B and B answers, a circuit connection is established. That circuit functions the same way regardless of how many intermediate devices are used to carry the voice. You use it for as long as you need it, and then terminate the circuit. The next time you call, you get a new circuit, which may (probably will) use different hardware than the first circuit did, depending on what's available in the network at that time.
20.3.2 Packet Switching
In this network type, no specific path is used for data transfer. Instead, the data is chopped up into small pieces called packets and sent over the network. The packets can be routed, combined or fragmented as required to get them to their eventual destination. On the receiving end, the process is reversed: the data is read from the packets and reassembled into the form of the original data.
[Figure: Packet switching]
In a packet-switched network, no circuit is set up prior to sending data between devices. Blocks of data may take any number of paths as they journey from one device to another. In circuit switching, a circuit is first established and then used to carry all data between devices. In packet switching no fixed path is created between the devices that communicate; the data is broken into packets, each of which may take a separate path from sender to recipient.
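The two endpoint operations this section describes, chopping data into packets and reassembling it after the packets have travelled separate paths, can be shown end to end in a few dozen lines. The following is an added example written for this chapter, not code from the original text or from any real protocol stack: the packet header (message id, sequence number, fragment count) is a constructed toy format, and the independent paths are simulated by reordering the packets and delivering a couple of them twice, since a receiver that cannot cope with out-of-order and duplicate fragments is exactly the kind that fails in a packet-switched network.

```python
"""Packet switching at the endpoints: fragment, deliver, reassemble.

Added example for this chapter (not from the original text).  The Packet
header is a constructed toy format, not any real protocol; the "paths"
are simulated by reordering and duplicating packets.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    msg_id: int
    seq: int        # position of this fragment within the message
    total: int      # number of fragments the message was split into
    payload: bytes


def fragment(data, msg_id, mtu):
    """Chop `data` into packets carrying at most `mtu` payload bytes."""
    if mtu <= 0:
        raise ValueError("mtu must be positive")
    chunks = [data[i:i + mtu] for i in range(0, len(data), mtu)] or [b""]
    return [Packet(msg_id, i, len(chunks), c) for i, c in enumerate(chunks)]


def deliver_over_paths(packets, seed=7):
    """Simulate independent paths: packets arrive out of order and a couple
    of them arrive twice (as happens when a path retransmits)."""
    rng = random.Random(seed)
    wire = list(packets) + rng.sample(packets, k=min(2, len(packets)))
    rng.shuffle(wire)
    return wire


class Reassembler:
    """Collects fragments per message and returns each message exactly once,
    when all of its fragments have arrived.  Duplicates are ignored and a
    fragment whose header disagrees with earlier ones is rejected."""

    def __init__(self):
        self._frags = {}     # msg_id -> {seq: payload}
        self._total = {}     # msg_id -> fragment count announced
        self._done = set()   # messages already handed up (drops late copies)

    def feed(self, pkt):
        if pkt.msg_id in self._done:
            return None
        total = self._total.setdefault(pkt.msg_id, pkt.total)
        if pkt.total != total or not 0 <= pkt.seq < total:
            raise ValueError("inconsistent fragment header")
        frags = self._frags.setdefault(pkt.msg_id, {})
        if pkt.seq in frags:
            if frags[pkt.seq] != pkt.payload:
                raise ValueError("duplicate fragment with different payload")
            return None
        frags[pkt.seq] = pkt.payload
        if len(frags) < total:
            return None
        data = b"".join(frags[i] for i in range(total))
        del self._frags[pkt.msg_id], self._total[pkt.msg_id]
        self._done.add(pkt.msg_id)
        return data


def send_and_receive(data, mtu=5, seed=7):
    """Round trip over the simulated network; returns the reassembled bytes."""
    receiver = Reassembler()
    result = None
    for pkt in deliver_over_paths(fragment(data, msg_id=1, mtu=mtu), seed):
        out = receiver.feed(pkt)
        if out is not None:
            result = out
    return result
```

The `_done` set grows without bound in this toy; a real receiver would also time out incomplete messages and bound the number of partially reassembled messages it is willing to hold, since otherwise a sender that never completes its messages can exhaust receiver memory.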
The traditional Public Switched Telephone Network (PSTN)
• Built to provide VOICE service
• Intelligence at the core (central switch)
• Dedicated circuit set up for each call
• Dumb terminals (cheap CPE)
• ATM, SDH, copper local loop technology
• Very reliable
• Licensed and highly regulated
• Usually monopoly
• Universal service obligation
• Emergency call service
The Mobile Telecom Network
• Built to provide VOICE/data service
• Intelligence at the core (central switch)
• Dumb mobile devices
• BSS, MSS, HLR/VLR, SIM cards
• Dedicated circuit set up for each call
• Less reliable than PSTN
• Licensed and highly regulated
• Two or more competing providers
• Emergency call service
• Interconnect to other mobile networks and PSTN by agreements
The Internet
• Built over PSTN to provide data service
• Information is routed, not switched
• Best efforts rather than guaranteed QoS
• Intelligence at the edge, large variety of devices and services connected to the Internet
• Unregulated
• Many competing providers
• No Universal Service Obligation or Emergency call service
• Interconnect between clouds by peering or transit agreements
Voice over Data
As data traffic began to equal and surpass voice traffic on telecommunications networks, it became economical for operators to consider transporting their voice traffic over packet switched networks. This convergence would help reduce the costs associated with operating and maintaining separate networks. However, there are many problems associated with obtaining circuit-switched levels of service for real-time traffic (e.g. voice) on packet switched networks, which may not always have sufficient capacity: packets are discarded under congested conditions in packet switched networks, resulting in delayed or lost data, which is unacceptable during telephone conversations.
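The loss-or-delay problem in the paragraph above comes from a finite buffer in front of a link of fixed capacity. The following added example, written for this chapter and not taken from the original text, models such a link slot by slot: the same ten packets are offered either steadily or in two bursts, and the buffer size decides whether the excess is discarded (loss) or queued (delay). The arrival patterns, buffer sizes and link rate are constructed values; `voice_acceptable` is an assumed threshold check standing in for whatever delay and loss budget a real voice codec tolerates.

```python
"""A congested packet link, slot by slot.

Added example for this chapter (not from the original text).  Arrival
patterns, buffer sizes and link rate are constructed values chosen to make
the loss/delay trade-off visible.
"""
from collections import deque


def run_link(arrivals, capacity=1, buffer_size=3):
    """arrivals[t] = packets offered in slot t; the link forwards up to
    `capacity` packets per slot and can hold at most `buffer_size` waiting
    packets.  Anything beyond that is discarded, which is what happens in a
    packet-switched network under congestion.  Returns delivery statistics."""
    waiting = deque()            # arrival slot of each queued packet
    delivered = dropped = 0
    delays = []

    def serve(now):
        nonlocal delivered
        for _ in range(capacity):
            if waiting:
                delays.append(now - waiting.popleft())
                delivered += 1

    for t, offered in enumerate(arrivals):
        for _ in range(offered):
            if len(waiting) < buffer_size:
                waiting.append(t)
            else:
                dropped += 1     # buffer full: packet discarded
        serve(t)
    t = len(arrivals)
    while waiting:               # drain the backlog after arrivals stop
        serve(t)
        t += 1
    return {
        "delivered": delivered,
        "dropped": dropped,
        "max_delay": max(delays) if delays else 0,
        "mean_delay": sum(delays) / len(delays) if delays else 0.0,
    }


def voice_acceptable(stats, max_delay_slots, max_loss_fraction):
    """Real-time voice tolerates neither long queueing delay nor loss; the
    thresholds are assumed parameters, not values from any codec standard."""
    total = stats["delivered"] + stats["dropped"]
    loss = stats["dropped"] / total if total else 0.0
    return stats["max_delay"] <= max_delay_slots and loss <= max_loss_fraction


STEADY = [1] * 10                  # constructed: 1 packet per slot at link rate 1
BURSTY = [5, 0, 0, 0, 0] * 2       # constructed: same 10 packets, in two bursts

if __name__ == "__main__":
    for name, pattern in (("steady", STEADY), ("bursty", BURSTY)):
        for buf in (3, 10):
            s = run_link(pattern, capacity=1, buffer_size=buf)
            print(name, "buffer", buf, s, "voice ok:", voice_acceptable(s, 1, 0.0))
```

With the small buffer the bursty pattern loses four of ten packets; with the large buffer nothing is lost but packets wait up to four slots. Either outcome fails the voice check, which is why circuit-like service on a packet network needs admission control or QoS scheduling rather than just bigger buffers.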
20.4 Definition of Next Generation Network by ITU
A Next Generation Network (NGN) is a packet-based network able to provide services including Telecommunication Services and able to make use of multiple broadband, QoS-enabled transport technologies and in which service-related functions are independent from underlying transport-related technologies. It offers unrestricted access by users to different service providers. It supports generalized mobility which will allow consistent and ubiquitous provision of services to users.
20.5 Features Of NGN
• Packet-based transfer
• Separation of control functions among bearer capabilities, call/session, and application/service
• Decoupling of service provision from network, and provision of open interfaces
• Support for a wide range of services, applications and mechanisms based on service building blocks (including real time/streaming/non-real time services and multi-media)
• Broadband capabilities with end-to-end QoS and transparency
• Interworking with legacy networks via open interfaces
• Generalized mobility
• Unrestricted access by users to different service providers
• A variety of identification schemes which can be resolved to IP addresses for the purposes of routing in IP networks
• Unified service characteristics for the same service as perceived by the user
• Converged services between Fixed/Mobile
• Independence of service-related functions from underlying transport technologies
• Compliant with all regulatory requirements, for example concerning emergency communications and security/privacy, etc.
20.6 Applications of NGN
20.6.1 Telepresence
Telepresence is the ability to interact in real time with another person who is at a different location using telecommunications. Telephony is a Telepresence application in its most simple form. Advanced Telepresence systems operating on next generation networks will enhance users' experience of realism while communicating. Applications such as high quality video-conferencing systems would require capacities of between 2 and 8 Mbit/s per user. (Current video conferencing systems can operate at capacities of between 128 and 384 kbit/s but provide a low quality service.) Video conferencing technology is currently most common in the business world, and applications are also being developed in the fields of education and medicine. When NGNs make ample capacity available, it is conceivable that video conferencing could be adopted on a mass basis as a replacement for or augmentation of basic telephony.
20.6.2 3D Imaging
Adding three-dimensional aspects to the imaging systems of Telepresence will further enhance the experience of Telepresence. Initially, this sort of enhancement could have applications for business users, enabling delegates to sit down to a virtual meeting and hold real time discussions while viewing other delegates on three dimensional monitors. Other applications are in the medical and educational fields. At a more advanced stage Telepresence will become interchangeable with virtual reality, and applications in entertainment are envisioned.
20.6.4 Virtual Reality
When we think of virtual reality we often think of applications involving complete Tele-Immersion. However, it is likely that applications will develop that blend reality and virtual reality, forming hybrid realities to enhance our experiences. An example of this could be a type of visual display that could project images onto a user's normal field of view using devices mounted on eyeglasses, allowing them to receive augmented information relating to their environment, such as directions to the nearest hospital or police station. To further enhance users' sense of realism, the sense of touch could be incorporated into virtual reality systems through interfaces. Such systems allow users to touch and manipulate virtual objects. This aspect is essential for telesurgery applications. It is conceivable that in the future the senses of taste and smell could also be incorporated in virtual reality systems.
20.6.5 Data Augmentation
Further value can be added to Telepresence applications by augmenting services with additional information. In many ways this could allow Telepresence to surpass real face to face communication. For example, future face to face communications may often have files attached to them, such as work that had been jointly undertaken during a Telepresence meeting.
20.6.6 Tele-Learning/Tele-Education
Tele-learning or Tele-education is the application of telecommunications technology in education and training. Next generation Tele-education applications will use advanced graphical visualisation tools to help users understand difficult or abstract topics, and also provide users with an opportunity to learn in a safe and non-critical environment (e.g. flight simulation training, surgical procedure training). Some of these applications will require the use of three dimensional and virtual reality simulators.
Interactivity is also an important feature of Tele-education, allowing users in remote locations to focus, for example, on areas where they are experiencing particular difficulties, and enabling a higher level of one-to-one interactivity with tutors (real or virtual). Applications of this type could involve a mixture of real-time and stored data. Interactive Tele-education is also applicable in classroom environments. Already on-line learning is a growing Internet application. Tele-education provides users with the convenience of being able to learn at more convenient times and places (e.g. from home in the evenings instead of at a college during the day, or at work at the desktop). Also, Tele-education gives users the opportunity to select more specific course material that is directly applicable or tailored to their individual interests.
The capacity requirements of these systems will vary according to the level of quality sought from the video images, and it can therefore be expected that capacities of 2 Mbit/s or more would be required for video-conferencing applications.
20.6.7 Tele-Medicine
Tele-medicine, or medical informatics, is the use of telecommunications technology in medical applications. These applications would be greatly facilitated by highly reliable next generation networks. Tele-medicine will allow the transfer of records or actual medical conditions between patients and medical personnel in geographically diverse locations. Furthermore, Telepresence applications will enable medical staff to conduct face to face meetings with other staff and patients without the need to travel. An important future Tele-medicine application is Tele-surgery, in which a surgeon views the patient through a three dimensional display and conducts a surgical operation via robotic instruments from a remote location using a high capacity telecommunications link. Other medical imaging techniques are well suited to Tele-medicine, allowing the diagnosis process to occur at a different location from the patient and the collection of information (e.g. digital imaging, tissue sample analysis). This form of Tele-medicine is now common on hospitals' local area networks, with the transmission of x-ray images. Next generation networks will enable widespread use of such applications. Tele-education also has applications in the medical area. Similar imaging techniques to those used by the remote surgeons mentioned above can be used in the training of medical staff.
20.6.8 Home Care
Home care involves monitoring and caring for patients at home using telecommunications technology. Time and costs can be saved by allowing nurses to conduct daily virtual visits to patients in geographically dispersed areas. Furthermore, the concept of person to machine communications could be utilised here, as home care patients could be constantly monitored, reducing the recovery times needed in hospitals. Home care using telecommunications links can allow the elderly to extend the time that they can live independent lives in their own homes. Although many of these applications do not require high data rates, their mass adoption could produce significant traffic loads on next generation networks.
Data Integrity and Privacy
Important data integrity and privacy issues arise from the application of Tele-medicine. Tele-medicine applications that involve real time data concerning the well-being of patients are critical in terms of data integrity. Any erroneous transmissions could result in mistreatment with potentially serious consequences. Also, as medical information is of a highly private nature, security is a priority and will become a key consideration in the design of next generation networks.
Social Interactivity and Entertainment
High capacity applications will emerge in the areas of gaming, movies and social interactivity. Interactive gaming with multiple participants is already an established Internet application. However, with increasingly intense gaming applications (e.g. high resolution video graphics), more and more capacity is needed from telecommunications networks to support multi-player real-time use. Streaming video and audio entertainment will be important applications of next generation networks as traditional broadcasting services and delivery methods converge with telecommunications (e.g. interactive TV). Applications such as video on demand (VOD), providing users with personalised viewing services, and applications with added interactivity will require high capacity networks to serve them. Peer to peer networking of video, audio and even 3D virtual reality archives could also bear heavily on next generation networks as users swap massive amounts of data.
Machine to Machine Communication
In the paragraphs above, mostly human to human and human to machine communications have been considered. As the number of devices or machines that are able to communicate continues to increase, telecommunications traffic between these machines will continue to increase exponentially. A number of commentators have suggested that machine to machine communication will exceed person to person communication on next generation networks in around five years. Although, for the most part, the early applications envisioned here would be narrow band applications (e.g. environmental sensors to detect temperature, moisture levels, light intensity, movement etc.), the vast numbers of routine communications will make their aggregate capacity significant. Machine to machine communication could also allow for the development of smart environments, which are environments or workspaces that are aware of the context in which they are being used. For example, if a child approached a TV terminal, children's programs could be shown instead of stock market information. In a business environment a user could automatically receive relevant information based on a particular caller, or the attendees at a meeting. Other applications of machine to machine communication could include improved safety on our roads by allowing road traffic to be automated. This would enable guidance systems in vehicles to communicate with one another to ensure that collisions did not occur.
Business Applications
Increasing levels of e-commerce will place increasing demands on next generation networks. Highly secure and reliable next generation networks will in turn encourage the growth of business applications as users become accustomed to, and develop trust in, e-commerce applications. Increased telecommunications traffic from applications such as online banking and shopping will create large amounts of e-commerce traffic. Furthermore, video conferencing and virtual reality show rooms may change the way in which we choose products and services.
Characteristics of Next Generation Networks
Next generation networks will for the most part be high speed packet based networks capable of delivering a multitude of broadband services. Among other things, these networks need to be both flexible and reliable. Although next generation networks will develop in many different ways, they will all have a common set of broad characteristics. These characteristics are:
• Protocol Independence
• Reliability
• Controllability and Quality of Service
• Programmability
• Scalability
Protocol Independence
In order to facilitate multiple forms of communications, next generation networks will need to be capable of operating a multitude of different communications protocols. Traditionally, networks have been designed and implemented to transmit certain specific types of data such as voice, video or data. This required separate networks, using different sets of equipment (although usually using the same cables or transmission media), to support multi-media communications.
Figure 3.1: A simplified diagram of overlaid IP and Circuit Switched Networks showing the duplication of network resources (Users, IP Network, Circuit Switched Network).
Essentially, protocol independence is the ability of a network to operate any protocol that may be required. The ability of equipment to be multi-functional is increasingly required by telecommunications operators. It enables them to save on operational costs, as equipment is managed from a single platform. Also, the physical space, and hence the costs, that are saved with multi-functional equipment is a critical factor. Another significant factor is a reduction in the amount of power consumed by using less equipment.
Reliability
Increased dependency on advanced new applications in the future will place even greater reliability requirements on next generation networks. Individuals' expectations of availability and quality of service, grounded in a perception of high quality in traditional telephony and television services, will impose high standards of performance. E-commerce applications will lead to highly resilient telecommunications networks as businesses become increasingly reliant on telecommunications to function. For other highly sensitive applications, such as tele-medicine, network reliability and resilience are imperative, since a patient's health could depend on the quality of the information transmitted. In order to achieve the necessary levels of resilience and reliability, next generation networks will need more diverse topologies and redundant elements than is normal in today's networks.
Controllability
It is essential for network managers to be able to design, adapt and optimise their networks to accommodate simultaneously different types of media with varying network requirements. The main issue here is quality of service (i.e. the ability of a network to provide a particular level of service, or to guarantee a certain amount of bandwidth and response time over a specified period). For example, a voice or video conferencing application could not normally afford to have information packets (i.e. pieces of the conversation) lost or even delayed. Therefore these types of services need a guaranteed high level of quality of service to function adequately. On the other hand, non-critical applications such as internet browsing can afford to lose occasional packets of information, as these can be re-sent without degrading the service.
Control of these aspects of a network is an important characteristic, since it allows network managers and network management software to optimise utilisation of network resources by dynamically setting the balance between the amount of capacity that is dedicated to real-time applications and to mission-critical applications. Network managers also need to control the amount of flexibility that is applied to non-real-time services such as file transfers (e.g. downloading of design files from a design centre to the manufacturing plant). This is known as traffic engineering. Traffic engineering features of next generation networks will help overcome both the problem of guaranteed quality of service in current packet switched networks (e.g. IP) and the problem of wasted capacity in dedicated circuit switched networks. See annex 1.
A common shortcoming of current packet switched networks is that it can be difficult for telecommunications network operators to specify or guarantee an end-to-end quality of service, particularly where part of the communications link is carried over a third party's network.
For example a call originating on a network with a sufficiently high quality of service may terminate on a network, perhaps in a different country, where the quality of service is noticeably lower, thus resulting in a poor quality call. Using traffic engineering, operators can define specific levels of service and then enter into service level agreements with other operators who have similar traffic engineering capabilities. This process facilitates further interconnection between operators and networks.
Internet
Programmability
The more programmable and re-configurable next generation networks are, the more flexible they will be, and the more they will be able to cope with new services and user requirements. Programmability will allow for traffic engineering and the dynamic allocation of network resources, enabling next generation networks to adapt quickly to new services or requirements. Programmability yields simpler scalability, since the less manual configuration that has to be performed during a network upgrade, the more quickly services can be expanded. The time it takes to provision new capacity in networks can be reduced from several weeks (in manually configurable networks) to a few hours or less through programmability. Fully programmable networks could be upgraded remotely from a single location, eliminating the need for expensive site visits. To aid interoperable and programmable networks, open standards need to be supported by all equipment vendors. This will mean the provisioning of open Application Programming Interfaces (APIs), enabling developers to create software for equipment from various vendors to operate in interconnected networks.
Scalability
Scalability is an important attribute that can help protect next generation networks from becoming obsolete. In order to cope with growing traffic loads, network operators will have to over-provision transmission capacity (i.e. lay more fibre optics than currently needed). Next generation network equipment will need to be scalable to allow for the addition of capacity as required, without the need to replace equipment once it reaches its design capacity. The more general purpose that telecommunications equipment is, the greater the chance that it can be programmed, adapted and scaled to cope with future needs. Furthermore, next generation networks will need to be scalable in terms of address space (i.e. the number of devices that can be connected and individually identified on a network).
Typical Next Generation Network Elements Some typical next generation network elements are described below:
Softswitches
Soft switches are the key component that enables next-generation networks to be built. They can be programmed to act as gateways allowing communication between packet based networks (e.g. IP) and traditional circuit switched networks. The soft switch can mediate between IP-centric or VoIP services and circuit switched telephony services, converting all of the necessary added services accordingly. Soft switches execute the same functions as traditional switches and are completely transparent to end-users. Telecommunications companies are embracing soft switches because they are functionally equivalent to conventional phone switches, only better, faster, and cheaper. Soft switches tend to be modular, smaller, and less expensive than their conventional switching counterparts. This modularity makes scaling easy, which is critical when telephony markets and technologies can change overnight. All this is accomplished without any compromises on the high availability and reliability delivered by conventional switches.
DSLAM
Digital Subscriber Line Access Module, used to connect multiple DSL users to the rest of a network. A multi-service DSLAM interconnects to voice networks as well as other data networks.
Next Generation Edge Switch
A multi-protocol switch that can connect users' various access methods (e.g. ISDN, dial-up modem, analogue telephony) to next generation core networks.
Broadband Access Switch
Connects broadband access networks (e.g. broadband leased circuits) directly to core networks. These devices connect network segments that are suitable for direct connection to core next generation networks.
Conclusion
Today:
• Multiple networks
• Simple devices
• Disparate services
Transition:
• Converged packet network
• Multimedia devices
• Linked services
Next Generation Network (Tomorrow):
• Packet/optical network
• Multimedia services
• Ubiquitous broadband
• Integrated functionality
The evolution from current telecommunications networks to next generation networks will mainly be gradual, and will initially develop in network cores, eventually moving out toward the network edges and the access segments. However, while some next generation networks will evolve from existing architectures, others will be developed as entirely new networks. Nevertheless, public networks will have to integrate with one another regardless of the level of advancement or protocol types used.
Chapter 23
Configuration of CPE for Broad Band
Objectives
After completion of this practical you will be able to:
• Configure ADSL modem (HUAWEI MT800)
• Configure ADSL modem (HUAWEI MODEM SmartAX MT880)
• Configure ADSL modem (UTSTAR UT 300R)
• Configure ADSL modem (UTSTAR UT 300R2)
Configuration of CPE for Broad Band
In this method, an IP address setting is first done in the Personal Computer (PC), and then we can proceed to configuration of the ADSL modem. At customer premises only IP configuration is required; no installation of PPPOE software in the PC is needed.
1) Setting up of IP Address, DNS, Gateway in the PC in WINXP/WIN 2000.
a) Go to START->Settings->Control Panel->Network Connections->Local Area Connection.
b) Select Internet Protocol (TCP/IP) and click Properties; the screen appears as follows. Click the button against "Use the following IP address".
c) Enter the following data:
IP ADDRESS : 192.168.1.x (where x can be between 2 and 254)
Subnet Mask : 255.255.255.0
Gateway IP : 192.168.1.1
DNS : 192.168.1.1
d) After entering the above data click OK. In Windows XP/Windows 2000, the screen appears as follows after saving.
2) Setting up of IP Address, DNS, Gateway in the PC in WIN98/WIN Millennium/NT4.
a) Go to START->Settings->Control Panel->Network->Local Area Connection.
b) Select (TCP/IP -> name of the card) and click Properties. The screen appears as follows. Enter the following data against the particular menus:
IP ADDRESS : 192.168.1.x (where x can be between 2 and 254)
Subnet Mask : 255.255.255.0
Gateway IP : 192.168.1. and click ADD
DNS : 192.168.1.1 and HOST as BSNL, and click ADD.
Click OK and Windows will restart.
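The PC-side settings from steps 1 and 2 above, applied from the command line instead of the Control Panel dialogs. This is an added example and not part of the manual; it uses netsh (present on Windows 2000/XP and later), run from PowerShell 2.0 or later with administrator rights, and assumes the adapter is named "Local Area Connection" as on the manual's screens.

```powershell
# Added example (not from the manual): the static address settings of steps
# 1 and 2 (192.168.1.x, mask 255.255.255.0, gateway and DNS 192.168.1.1)
# applied with netsh. Run as Administrator. Assumes PowerShell 2.0+ and an
# adapter called "Local Area Connection"; pass -Adapter if yours differs.
param(
    [Parameter(Mandatory = $true)][int]$HostSuffix,   # the x in 192.168.1.x
    [string]$Adapter = "Local Area Connection"
)

$Gateway = "192.168.1.1"     # the ADSL modem, as in the manual
$Mask    = "255.255.255.0"
$Dns     = "192.168.1.1"     # the modem is also the DNS server in the manual

# The manual allows x from 2 to 254: .1 is the modem, .0 and .255 are not hosts.
if ($HostSuffix -lt 2 -or $HostSuffix -gt 254) {
    throw "x must be between 2 and 254 (got $HostSuffix)"
}
$Ip = "192.168.1.$HostSuffix"

# Make sure nothing else already answers on that address: a duplicate IP
# knocks both machines off the LAN instead of failing cleanly here.
if (Test-Connection -ComputerName $Ip -Count 1 -Quiet -ErrorAction SilentlyContinue) {
    throw "$Ip already answers on this LAN; choose another value of x"
}

# Step 1c / 2: static address, subnet mask and default gateway (metric 1).
& netsh interface ip set address "$Adapter" static $Ip $Mask $Gateway 1
if ($LASTEXITCODE -ne 0) { throw "netsh could not set the IP address on '$Adapter'" }

# Step 1c / 2: static DNS server (the modem).
& netsh interface ip set dns "$Adapter" static $Dns
if ($LASTEXITCODE -ne 0) { throw "netsh could not set the DNS server on '$Adapter'" }

# Verify what the modem steps depend on: the browser can only open
# http://192.168.1.1 if the gateway answers from this PC.
if (Test-Connection -ComputerName $Gateway -Count 2 -Quiet) {
    Write-Output "PC configured as $Ip; modem at $Gateway is reachable."
} else {
    Write-Warning "PC configured as $Ip but $Gateway did not answer; check the cable and that the modem is switched on."
}
```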
Configuration of ADSL modem (HUAWEI MT800)
1) Open the browser. Type 192.168.1.1 in the address column and press Enter. A dialog box will appear.
2) Type username as: admin and password as: admin, and then click OK.
The Home Page of the modem appears as follows.
3) Click on ATM setting and the resulting page appears as follows.
4) Click on the radio button PPP and the resulting page will be as follows.
5) Please do only the following entries and leave the other entries as such:
1) Select radio button PPPOE
2) Enter service provider name as BSNL
3) Enter the user name and password as created for the particular subscriber
4) Enable DNS
5) Afterwards click the Submit button
After submitting, the resulting page will be as follows.
6) We see the Magnifying Glass icon in the last row. Now press the Magnifying Glass icon. Another window pops up. The resulting pop-up window will appear as follows.
7) Select the Always on button under the Change Status menu and then Submit. This screen is saved and pops up again. The resulting window will look as follows.
8) Now click the Close button; this window closes and the previous window in the background appears. Now the resulting window will look as follows.
9) Now click Submit to save the settings. Now go to Save & Reboot. The window appears as below. Select Save and Submit.
10) Instead of REBOOT, we can switch the modem off and on, which is as good as REBOOT. The MODEM configuration is over and it is ready for installation at customer premises.
Configuration of ADSL modem (HUAWEI MODEM SmartAX MT880)
1) Go to the browser, type http://192.168.1.1 and press Enter. A dialog box appears as follows. Type against User name - admin and against Password - admin, and click OK.
The Home Page will appear as shown below.
3) Go to HOME, select WAN settings and click. The resulting page appears as follows.
4) Select PVC0. Select the PPPOE button and the resulting page will appear as follows.
5) Please enter the following data and leave other data as such:
1) Enter the user name and password as created for the particular subscriber.
2) Click the Enable button against DNS.
3) Click APPLY.
6) A window pops up asking you to save and reboot. Click YES and OK. Wait for 2 minutes till the device restarts.
7) Go to TOOLS. Select System Settings. Click the SAVE & RESTART button. Wait for 2 minutes till the device restarts. Afterwards switch the modem OFF and ON. Now the modem configuration is over and it is ready for installation at subscriber premises.
Configuration of ADSL modem (UTSTAR UT 300R)
1) Open the browser. Type 192.168.1.1 in the address column and press Enter. A dialog box will appear as follows. Type username as: admin and password as: utstar, and press Enter.
2) Click on the 'Bridging' tab.
4) There are many interface names available. Delete all entries except eth-0 by clicking the button. The resulting page will appear as follows.
5) Click on RFC 1483 interface. Delete all the entries in the screen by clicking the button. Resulting page:
6) Click on ATM VC. Delete all except the entries with VCI value 16 or 35 by clicking the button (for example, in the following screenshot delete all entries except entries 1 and 3).
Resulting page:
7) Click on the WAN tab. Click on PPP. There will be no PPP interface. Click on the 'Add' key.
8) Leave all the entries as they are and only do the following: In the service name type 'BSNL'. Enable DNS. Type the user name and password of the subscriber to whom the modem is going to be made over. Click the Submit button. After submitting, the screen re-appears after saving.
9) Then close the window; the resulting page will appear as follows.
10) Click on the 'Admin' tab and the resulting page will appear as follows.
11) Click on Commit & Reboot. Click on the Commit key; the configuration of the modem is saved in memory. Instead of clicking the Reboot key, the modem can be switched off and on, which is the same as Reboot. The modem configuration is over and now the modem is ready for installation at subscriber premises.
Configuration of ADSL modem (UTSTAR UT 300R2)
1) Go to any browser, type http://192.168.1.1 and press Enter. Type against Username: admin and against Password: utstar, and click LOGIN.
2) The resulting page will appear as follows. Go to SETUP.
3) Click pvc 0-35, which is on the left hand side.
4) The resulting page will appear as follows. Go to BRIDGE (Slide Box). Select PPPOE on the slide box. The resulting page will appear as follows.
5) Please enter the user name and password as created for the particular subscriber. Go to ON DEMAND and check the box (put a tick mark). Go to Idle Time Out and type 0 seconds. Go to APPLY and click it. After APPLY, the screen is saved and re-appears. Now close the window.
6) Go to TOOL and the resulting page will look as follows.
7) Click on System Commands, which is on the left hand side. Now click SAVE ALL. The configuration done on the MODEM is saved in the memory.
Afterwards switch off the browser and the modem. Now the modem configuration is over. It is now ready for installation at subscriber premises.