
What is PPP?

PPP (Point-to-Point Protocol) is the most widely used method for transporting IP packets
over a serial link between the user and the Internet Service Provider (ISP). Although
PPP is primarily used over dialup lines, variants such as PPPoE (PPP over Ethernet) and
PPPoA (PPP over ATM) extend PPP to other data-link layer protocols.

PPP was designed to enable the transmission of different protocols over one point-to-
point link by utilizing encapsulation. Encapsulation is the process of carrying packets of
another protocol inside PPP frames; a 16-bit Protocol field at the start of each frame
identifies which protocol the payload belongs to.

In addition to this encapsulation function, PPP also provides:

• A Link Control Protocol (LCP) for establishing, configuring, and testing the data-
link connection.
• A suite of Network Control Protocols (NCPs) for establishing and configuring
different network-layer protocols.

PPP LCP
The PPP Link Control Protocol is responsible for establishing, configuring, managing,
and terminating the point-to-point link.

LCP accomplishes these tasks through the use of simple control messages:

Link Configuration messages used to establish and configure a link:

• Configure-Request
• Configure-Ack
• Configure-Nak
• Configure-Reject

Link Termination messages used to terminate a link:

• Terminate-Request
• Terminate-Ack

Link Maintenance messages used to manage and debug a link:

• Code-Reject
• Protocol-Reject
• Echo-Request
• Echo-Reply
• Discard-Request

PPP NCPs
A PPP Network Control Protocol must be defined for each type of network-layer packet
which is to be encapsulated and transmitted across the PPP link. Each NCP reuses the
Code/Identifier/Length packet format of LCP but negotiates its own configuration
options; IPCP, for example, negotiates the IP addresses used at each end of the link.

Some of the defined PPP NCPs are:

• Internet Protocol Control Protocol
• OSI Network Layer Control Protocol
• Xerox NS IDP Control Protocol
• DECnet Phase IV Control Protocol
• Appletalk Control Protocol
• Novell IPX Control Protocol
• Bridging NCP
• Stream Protocol Control Protocol
• Banyan Vines Control Protocol
• Multi-Link Control Protocol
• NETBIOS Framing Control Protocol
• Cisco Systems Control Protocol
• Ascom Timeplex
• Fujitsu LBLB Control Protocol
• DCA Remote Lan Network Control Protocol (RLNCP)
• Serial Data Control Protocol (PPP-SDCP)
• SNA over 802.2 Control Protocol
• SNA Control Protocol
• IP6 Header Compression Control Protocol
• Stampede Bridging Control Protocol
• Compression on single link in multilink group control
• Compression Control Protocol
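
The frame layout described in the LCP and NCP sections above, decoded in code. This is an added example, not code from the original page: it parses a PPP frame (RFC 1662 HDLC-like framing with the flag bytes and FCS already removed, an assumption stated in the code), dispatches on the Protocol field, and walks the Code/Identifier/Length header and the TLV options shared by LCP and the NCPs (IPCP is shown). The two sample frames are constructed for the example, and the parser rejects the length inconsistencies a real implementation has to guard against.

```python
import struct

# PPP protocol numbers (RFC 1661 and the IANA PPP numbers registry).
PPP_PROTOCOLS = {
    0x0021: "IP", 0x0057: "IPv6", 0x8021: "IPCP", 0x8057: "IPv6CP",
    0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP",
}

# LCP Code field values (RFC 1661 section 5); the NCPs reuse codes 1-7.
LCP_CODES = {
    1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak",
    4: "Configure-Reject", 5: "Terminate-Request", 6: "Terminate-Ack",
    7: "Code-Reject", 8: "Protocol-Reject", 9: "Echo-Request",
    10: "Echo-Reply", 11: "Discard-Request",
}

# Configuration option types for LCP (RFC 1661) and IPCP (RFC 1332, RFC 1877).
LCP_OPTIONS = {1: "MRU", 2: "ACCM", 3: "Auth-Protocol", 4: "Quality-Protocol",
               5: "Magic-Number", 7: "PFC", 8: "ACFC"}
IPCP_OPTIONS = {2: "IP-Compression-Protocol", 3: "IP-Address",
                129: "Primary-DNS", 131: "Secondary-DNS"}


class PPPError(ValueError):
    pass


def parse_ppp_frame(frame: bytes) -> dict:
    """Parse one PPP-in-HDLC frame; assumes flag bytes and FCS were already stripped."""
    if len(frame) < 4:
        raise PPPError("frame too short for address/control/protocol")
    addr, ctrl = frame[0], frame[1]
    if addr != 0xFF or ctrl != 0x03:
        # If ACFC had been negotiated the frame would start with the protocol field;
        # this parser assumes it has not been.
        raise PPPError(f"unexpected address/control {addr:#04x}/{ctrl:#04x}")
    proto = struct.unpack("!H", frame[2:4])[0]
    result = {"protocol": proto, "protocol_name": PPP_PROTOCOLS.get(proto, "unknown")}
    if proto in (0xC021, 0x8021):           # LCP and IPCP share the control format
        result["control"] = parse_control_packet(frame[4:], proto)
    return result


def parse_control_packet(data: bytes, proto: int) -> dict:
    """Decode the Code/Identifier/Length header shared by LCP and the NCPs."""
    if len(data) < 4:
        raise PPPError("control packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        # A Length larger than the bytes actually present is the classic parser trap.
        raise PPPError(f"bad length {length} for {len(data)} bytes of data")
    pkt = {"code": code, "code_name": LCP_CODES.get(code, "unknown"),
           "id": ident, "length": length, "options": []}
    if code in (1, 2, 3, 4):                 # Configure-* carry a list of options
        names = LCP_OPTIONS if proto == 0xC021 else IPCP_OPTIONS
        pkt["options"] = parse_options(data[4:length], names)
    elif code in (9, 10, 11):                # Echo/Discard carry the 4-byte magic number
        pkt["magic"] = struct.unpack("!I", data[4:8])[0] if length >= 8 else None
    return pkt


def parse_options(blob: bytes, names: dict) -> list:
    """Walk Type/Length/Value options; each Length covers the Type and Length bytes."""
    opts, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise PPPError("truncated option header")
        otype, olen = blob[pos], blob[pos + 1]
        if olen < 2 or pos + olen > len(blob):
            raise PPPError(f"option type {otype} has invalid length {olen}")
        opts.append({"type": otype, "name": names.get(otype, "unknown"),
                     "value": blob[pos + 2:pos + olen]})
        pos += olen
    return opts


# Constructed samples: an LCP Configure-Request (id 1) asking for MRU 1500 and
# carrying a magic number, then an IPCP Configure-Request requesting 10.0.0.2.
LCP_CONF_REQ = bytes.fromhex("ff03c021" "0101000e" "010405dc" "050611223344")
IPCP_CONF_REQ = bytes.fromhex("ff038021" "0105000a" "03060a000002")

if __name__ == "__main__":
    for f in (LCP_CONF_REQ, IPCP_CONF_REQ):
        parsed = parse_ppp_frame(f)
        c = parsed["control"]
        print(parsed["protocol_name"], c["code_name"], "id", c["id"],
              [(o["name"], o["value"].hex()) for o in c["options"]])
```

Running the block prints the decoded LCP and IPCP Configure-Requests. Every option Length includes its own Type and Length bytes, so a Length below 2 is malformed and would loop forever in a parser that does not check it.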
What is Token Ring?
Token Ring is a local area networking system originally conceived in the late 1960s by
IBM and patented in 1981, with IBM promoting its use throughout most of the 1980s.
Although initially very successful, it was eventually displaced by Ethernet as the favored
technology and architecture for local area networks (LANs). IBM undertook a valiant
effort to compete, but this was not successful, and IBM itself eventually stopped using
Token Ring as its LAN standard.

How Token Ring Works

The token ring network is simple in design and conceptual operation.

The key to the system is a 'token' - which is actually a data frame or container for storing
data that is to be transmitted down a 'ring' of computers connected to the network. A
simple analogy is to imagine a clock with each number on the clock face representing one
computer on a network; 12 numbers, 12 computers.

A 'free' (or empty) token is released into the network, moving around the network,
'stopping off' at each computer to check if it is needed. Assume that computer 3 wants to
send a data package to computer 9. When the free token 'stops off' at computer 3, it is
grabbed and the data is 'injected' into the empty vessel and then sent on its way. The
token passes each computer in the sequence (e.g. computer 4, 5, 6 and so on); each
computer notes that the packet is not addressed to it and 'rejects' it, in effect, "passing" it
on to the next computer in the series.

Once the packet or token reaches computer 9 (to which the data is addressed), it is
'grabbed' again and an exchange of data occurs: the data is copied off for computer 9, and
the computer marks the frame as received, which serves as the acknowledgement. The
frame then continues around the ring (computers 10, 11 and so on), each again 'rejecting'
it since it is not addressed to them, until it returns to computer 3, which removes it from
the ring and releases a new free token for the next station that wants to transmit.
What is a VLAN?
The Basic Definition
The acronym VLAN expands to Virtual Local Area Network. A VLAN is a logical local
area network (or LAN) that can extend beyond a single physical LAN segment to a group
of segments, given the appropriate switch configuration. Because a VLAN is a logical
entity, its creation and configuration is done completely in software.

How Is a VLAN Identified
Since a VLAN is a software concept, identifiers and configurations for a VLAN must be
properly prepared for it to function as expected. Frame coloring is the process used to
ensure that VLAN members or groups are properly identified and handled. With frame
coloring, frames are given the proper VLAN ID (a tag) at their origin so that they may be
properly processed as they pass through the network. The VLAN ID is then used to
enable switching and routing engines to make the appropriate decisions as defined in the
VLAN configuration.

Why Use VLANs

Traditional network designs use routers to create broadcast domains and limit broadcasts
between multiple subnets. This prevents broadcast floods in larger networks from
consuming resources or causing unintentional denials of service. Unfortunately, the
traditional network design methodology has some drawbacks:

• Geographic Focus - Traditional network designs focus on physical locations of
equipment and personnel for addressing and LAN segment placement. Because of
this there are a few significant drawbacks:
• Network segments for physically disjointed organizations cannot be part of the
same address space. Each physical location must be addressed independently, and
be part of its own broadcast domain. This can force personnel to be located in a
central location, or to accept additional latency or connectivity shortfalls.
• Relocations of personnel and departments can become difficult, especially if the
original location retains its network segments. Relocated equipment will have to
be reconfigured based on the new network configuration.

A VLAN solution can alleviate both of these drawbacks by permitting the same broadcast
domain to extend beyond a single segment.
• Additional Bandwidth Usage - Traditional network designs require additional
bandwidth because packets have to pass through multiple levels of network
connectivity because the network is segmented.

A proper VLAN design ensures that only the switches and ports on which that VLAN is
defined receive and forward its frames. Keep in mind that a VLAN is a broadcast domain,
not an access control: traffic between two VLANs still passes through a router (or Layer 3
switch), and that is where filtering between them belongs.

Types of VLAN
There are only two types of VLAN possible today, cell-based VLANs and frame-based
VLANs.

• Cell-based VLANs are used in ATM switched networks with LAN Emulation (or
LANE). LANE is used to allow hosts on legacy LAN segments to communicate
using ATM networks without having to use special hardware or software
modification.
• Frame-based VLANs are used in Ethernet networks with frame tagging. The two
primary types of frame tagging are IEEE 802.1Q (the vendor-neutral standard, which
inserts a 4-byte tag carrying a 12-bit VLAN ID into the frame) and ISL (Inter-Switch
Link, a Cisco proprietary frame tagging that wraps the whole frame). Keep in mind
that the 802.1Q standard makes it possible to deploy VLANs with 802.3 (Ethernet),
802.5 (Token Ring), and FDDI, but Ethernet is most common.
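
The tag format just described, as an added example (not code from the original page): a small Ethernet/802.1Q parser that extracts the priority, drop-eligible and VLAN ID fields from a tagged frame, handles stacked tags (the 0x88A8 service tag used by QinQ), and shows how a switch assigns an untagged or priority-only-tagged frame to the port's native VLAN. The frames are constructed inline for the example.

```python
import struct

TPID_8021Q = 0x8100    # standard VLAN tag
TPID_8021AD = 0x88A8   # service tag (outer tag in QinQ)
TPIDS = (TPID_8021Q, TPID_8021AD)


def parse_ethernet(frame: bytes) -> dict:
    """Parse an Ethernet II frame and peel off any 802.1Q / 802.1ad tags in order."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    pos, tags = 12, []
    while True:
        if pos + 2 > len(frame):
            raise ValueError("truncated EtherType")
        ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
        if ethertype not in TPIDS:
            break                          # reached the real payload EtherType
        if pos + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,              # 3-bit priority code point
            "dei": (tci >> 12) & 1,        # drop eligible indicator
            "vid": tci & 0x0FFF,           # 12-bit VLAN ID; 0 = priority-only, 4095 reserved
        })
        pos += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[pos + 2:]}


def vlan_of(info: dict, port_native_vid: int) -> int:
    """VLAN a switch assigns on ingress: the outer tag's VID, or the port's native VLAN
    when the frame is untagged or carries a priority-only tag (VID 0)."""
    tags = info["tags"]
    if not tags or tags[0]["vid"] == 0:
        return port_native_vid
    return tags[0]["vid"]


def double_tag_hops(info: dict, trunk_native_vid: int) -> bool:
    """True when a double-tagged frame's outer VID equals the trunk's native VLAN: the
    switch strips that outer tag and the next hop forwards on the inner VID."""
    tags = info["tags"]
    return len(tags) >= 2 and tags[0]["vid"] == trunk_native_vid


def build_frame(dst: str, src: str, tags: list, ethertype: int, payload: bytes) -> bytes:
    """Construct a frame; tags is a list of (tpid, pcp, vid) from outermost inwards."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (addresses and payloads are placeholders).
BCAST, HOST = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"
UNTAGGED = build_frame(BCAST, HOST, [], 0x0806, b"\x00" * 28)
TAGGED_10 = build_frame(BCAST, HOST, [(TPID_8021Q, 5, 10)], 0x0800, b"\x45" + b"\x00" * 19)
DOUBLE = build_frame(BCAST, HOST, [(TPID_8021Q, 0, 1), (TPID_8021Q, 0, 20)],
                     0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("tagged", TAGGED_10), ("double", DOUBLE)):
        info = parse_ethernet(f)
        print(name, [(t["vid"], t["pcp"]) for t in info["tags"]],
              "assigned VLAN", vlan_of(info, port_native_vid=1),
              "hops via native 1:", double_tag_hops(info, 1))
```

The `double_tag_hops` check encodes the one consequence of tagging worth remembering for security: a frame with two tags is legitimate QinQ, but if its outer VID matches the native VLAN of the trunk it crosses, the outer tag is stripped and the next switch forwards the frame on the inner VID. That is why trunks should use an otherwise unused native VLAN.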

VLAN modes
There are three different modes in which a VLAN can be configured. These modes are
covered below:

• VLAN Switching Mode - The VLAN forms a switching bridge in which frames
are forwarded unmodified.
• VLAN Translation Mode - VLAN translation mode is used when the frame
tagging method is changed in the network path, or if the frame traverses from a
VLAN group to a legacy or native interface which is not configured in a VLAN.
When the packet is to pass into a native interface, the VLAN tag is removed so
that the packet can properly enter the native interface.
• VLAN Routing Mode - When a packet is routed from one VLAN to a different
VLAN, you use VLAN routing mode. The frame is rewritten, usually by a router or
Layer 3 switch, which places its own MAC address as the source, sets the destination
MAC address to that of the next hop, and changes the VLAN ID to that of the
destination VLAN.

VLAN configurations
Different terminology is used between different hardware manufacturers when it comes
to VLANs. Because of this there is often confusion at implementation time. Following
are a few details, and some examples to assist you in defining your VLANs so confusion
is not an issue.
Cisco VLAN terminology

You need a few details to define a VLAN on most Cisco equipment. Unfortunately,
because Cisco sometimes acquires the technologies they use to fill their switching,
routing and security product lines, naming conventions are not always consistent. For this
article, we are focusing only on Cisco switching and routing product lines running Cisco
IOS.

• VLAN ID - The VLAN ID is a unique value you assign to each VLAN on a
single device. With a Cisco routing or switching device running IOS, your range
is from 1 to 4094 (the 12-bit tag field also has the values 0 and 4095, but both are
reserved). When you define a VLAN you usually use the syntax "vlan x"
where x is the number you would like to assign to the VLAN ID. VLAN 1 is
the default VLAN: if VLAN technologies are enabled, all ports are a member of
VLAN 1 until assigned elsewhere, and Cisco's own control protocols (CDP, VTP,
DTP) use it on trunks, so it is best kept free of user traffic.
• VLAN Name - The VLAN name is a text-based name you use to identify your
VLAN, perhaps to help technical staff in understanding its function. The string
you use can be between 1 and 32 characters in length.
• Private VLAN - You also define whether the VLAN is to be a private VLAN in the
VLAN definition, and which other VLANs are associated with it. A private VLAN
consists of a primary VLAN and one or more secondary VLANs, each secondary
being either isolated (its ports cannot talk to each other at all) or community (its
ports can talk to each other but not to other secondary VLANs); all of them can
reach the promiscuous port, which is normally the router or firewall. When you
configure a Cisco VLAN as a private VLAN, this means that ports that are members
of it cannot communicate directly with each other by default. Normally all ports
which are members of a VLAN can communicate directly with each other, just as
they would if they were members of a standard network segment. Private VLANs
are created to enhance the security on a network where hosts coexisting on the
network cannot or should not trust each other. This is a common practice on web
farms or in other high-risk environments where communication between hosts on
the same subnet is not necessary. Check your Cisco documentation if you have
questions about how to configure and deploy private VLANs.
• VLAN modes - in Cisco IOS, there are two modes you should put an interface in,
"mode access" and "mode trunk". Access mode is for end devices or devices
that will not require multiple VLANs. Trunk mode is used for passing multiple
VLANs to other network devices, or for end devices that need to have
membership to multiple VLANs at once. The "dynamic" modes, which let the
Dynamic Trunking Protocol (DTP) negotiate trunking with whatever is plugged in,
are best avoided on any port that could face an untrusted device. If you are
wondering what mode to use, the mode is probably "mode access".

Cisco VLAN implementations

VLAN Definition

To define a VLAN on a cisco device, you need a VLAN ID, a VLAN name, ports you
would like to participate in the VLAN, and the type of membership the port will have
with the VLAN.

• Step 1 - Log into the router or switch in question and get into enable mode.
• Step 2 - Get into configuration mode using "conf t".
• Step 3 - Create your VLAN by entering "vlan X" where X is the ID you would
like to assign the VLAN.
• Step 4 - Name your VLAN by entering "name <VLAN Name>". Replace <Vlan
Name> with the string you would like to identify your VLAN by.
• Step 5 - If you want your new VLAN to be a private VLAN, decide which role it
plays. On the primary VLAN enter "private-vlan primary" and "private-vlan
association Y" where Y is the secondary VLAN you want to associate with the
primary VLAN. Each secondary VLAN is defined with its own "vlan Y" and "name"
commands and then given "private-vlan isolated" or "private-vlan community",
depending on whether its ports should be allowed to talk to each other.
• Step 6 - Exit configuration mode by entering "end".
• Step 7 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.

You have now created a vlan by assigning it an ID, and giving it a name. At this point,
the VLAN has no special configuration to handle IP traffic, nor are there any ports that
are members of the VLAN. The next section describes how you complete your vlan
configuration.

VLAN Configuration

A VLAN isn't much use if you haven't assigned it an IP Address, the subnet netmask, and
port membership. In normal network segment configurations on routers, individual
interfaces or groups of interfaces (called channels) are assigned IP addresses . When you
use VLANs, individual interfaces are members of VLANs and do not have individual IP
addresses, and generally don't have access lists applied to them. Those features are
usually reserved for the VLAN interfaces. The following steps detail one method of
creating and configuring your VLAN interface. NOTE: These steps have already
assumed that you have logged into the router, gotten into enable mode, and entered
configuration mode. These specific examples are based on the Cisco 6500 series devices.

• Step 1 - Enter "Interface VlanX" where X is the VLAN ID you used in the VLAN
definition above.
• Step 2 - This step is optional. Enter "description " where VLAN description
details what the VLAN is going to be used for. You can just simply re-use the
VLAN name you used above if you like.
• Step 3 - Enter "ip address <address> <netmask>" where <address> is the address
you want to assign this device in the VLAN, and <netmask> is the network mask
for the subnet you have assigned the VLAN.
• Step 4 - This step is optional. Create and apply an access list to the VLAN for
inbound and outbound access controls. Enter "ip access-group XXX in" and "ip
access-group YYY out" where XXX and YYY correspond to (standard or extended)
access lists you have previously configured. Remember that the terms are taken
in respect to the specific subnet or interface, so "in" means from the VLAN INTO
the router, and "out" means from the router OUT to the VLAN.
• Step 5 - This step is optional. Enter the private VLAN mapping you would like to
use if the port is part of a private VLAN. This should be the same secondary
VLAN you associated with the primary VLAN in VLAN definition above. Enter
"private-vlan mapping XX" where XX is the VLAN ID of the secondary VLAN
you would like to associate with this VLAN.
• Step 6 - This step is optional. Configure HSRP and any other basic interface
configurations you would normally use for your Cisco device.
• Step 7 - Exit configuration mode by entering "end".
• Step 8 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.

Now you have your VLAN defined and configured, but no physical ports are a member of
the VLAN, so the VLAN still isn't of much use. Port membership in the VLAN is
described next. IOS devices describe interfaces based on a technology and a port number,
as with "FastEthernet3/1" or "GigabitEthernet8/16". Once you have determined which
physical ports you want to be members of the VLAN you can use the following steps to
configure it. NOTE: These steps have already assumed that you have logged into the
router, gotten into enable mode, and entered configuration mode.

For access ports

• Step 1 - Enter "Interface <interface name>" where <interface name> is the name
Cisco has assigned the interface you would like to associate with the VLAN.
• Step 2 - This step is optional. Enter "description <interface description>" where
<interface description> is text describing the system connected to the interface in
question. It is usually helpful to provide DNS hostname, IP Address, which port
on the remote system is connected, and its function.
• Step 3 - This step depends on your equipment and IOS version, and requirements.
Enter "switchport" if you need the interface to act as a switch port. Some
hardware does not support switchport mode, and can only be used as a router port.
Check your documentation if you don't know the difference between a router port
and a switch port.
• Step 4 - Only use this step if you used step 3 above. Enter "switchport access vlan
X" where X is the VLAN ID of the VLAN you want the port to be a member of.
• Step 5 - Only use this step if you used step 3 above. Enter "switchport mode
access" to tell the port that you want it to be used as an access port.
• Step 6 - Exit configuration mode by entering "end".
• Step 7 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.

For trunk ports

• Step 1 - Enter "Interface <interface name>" where <interface name> is the name
Cisco has assigned the interface you would like to associate with the VLAN.
• Step 2 - This step is optional. Enter "description <interface description>" where
<interface description> is text describing the system connected to the interface in
question. It is usually helpful to provide DNS hostname, IP Address, which port
on the remote system is connected, and its function.
• Step 3 - This step depends on your equipment and IOS version, and requirements.
Enter "switchport" if you need the interface to act as a switch port. Some
hardware does not support switchport mode, and can only be used as a router port.
Check your documentation if you don't know the difference between a router port
and a switch port.
• Step 4 - Only use this step if you used step 3 above. Enter "switchport trunk
encapsulation dot1q". This tells the port to use 802.1Q (dot1q) encapsulation for the
trunk, which is the industry standard encapsulation for trunking. There are other
encapsulation options (ISL), but your equipment may not operate with non-Cisco
equipment if you use them.
• Step 5 - Only use this step if you used step 3 above. Enter "switchport trunk
allowed vlan XX,YY,ZZ" where XX, YY, and ZZ are VLANs you want the
trunk to include. You can define one or more VLANs to be allowed in the trunk;
without this command the trunk carries every VLAN on the switch.
• Step 6 - Only use this step if you used step 3 above. Enter "switchport mode
trunk" to tell the port to operate as a VLAN trunk, and not as an access port. Two
further commands are worth adding on every trunk: "switchport nonegotiate" stops
the port from sending DTP, and "switchport trunk native vlan N", with N an
otherwise unused VLAN, keeps untagged frames on the trunk out of VLAN 1.
• Step 7 - Exit configuration mode by entering "end".
• Step 8 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.

For private VLAN ports

• Step 1 - Enter "Interface <interface name>" where <interface name> is the name
Cisco has assigned the interface you would like to associate with the VLAN.
• Step 2 - This step is optional. Enter "description <interface description>" where
<interface description> is text describing the system connected to the interface in
question. It is usually helpful to provide DNS hostname, IP Address, which port
on the remote system is connected, and its function.
• Step 3 - This step depends on your equipment and IOS version, and requirements.
Enter "switchport" if you need the interface to act as a switch port. Some
hardware does not support switchport mode, and can only be used as a router port.
Check your documentation if you don't know the difference between a router port
and a switch port.
• Step 4 - Enter "switchport private-vlan host-association XX YY" where XX is the
primary VLAN you want to assign, and YY is the secondary VLAN you want to
associate with it.
• Step 5 - Enter "switchport mode private-vlan host" to force the port to operate as a
private VLAN host port. The port facing the router or firewall is instead configured
with "switchport mode private-vlan promiscuous" and "switchport private-vlan
mapping XX YY" so that it can reach every secondary VLAN.
• Step 6 - Exit configuration mode by entering "end".
• Step 7 - Save your configuration to memory by entering "wr mem" and to the
network if you have need using "wr net". You may have to supply additional
information to write configurations to the network depending on your device
configuration.

You should now have your VLAN properly implemented on a Cisco IOS device.
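
Once ports are configured, the thing to verify is that the trunk and access settings from the steps above actually landed on every interface. The following is an added example, not code from the original page or from Cisco: a small Python audit that parses an IOS running-config excerpt (constructed here; the interface names and VLAN numbers are assumptions for the example) and flags the configurations a penetration tester looks for first: interfaces with no fixed switchport mode (so DTP can negotiate a trunk), trunks without "switchport nonegotiate", trunks whose native VLAN is still 1, trunks with no allowed-VLAN list, and access ports left in VLAN 1.

```python
import re

# Constructed running-config excerpt for the example; interface names and VLAN
# numbers are assumptions, not taken from the original page.
SAMPLE_CONFIG = """\
!
vlan 10
 name USERS
!
vlan 20
 name SERVERS
!
interface GigabitEthernet1/1
 description uplink to core-1 (hardened trunk)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/2
 description uplink to dist-2 (trunk configured exactly as the steps, nothing more)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/3
 description user desk 3
 switchport
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/4
 description spare, never configured
 switchport
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines]} from a running-config excerpt."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a top-level command ends the block
    return interfaces


def audit_interface(lines: list) -> list:
    """Findings for one interface; an empty list means nothing to report."""
    findings = []
    # Only interfaces with at least one switchport line are treated as Layer 2 ports.
    if not any(l == "switchport" or l.startswith("switchport ") for l in lines):
        return findings
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode is None or mode == "dynamic":
        findings.append("no fixed switchport mode: DTP can negotiate a trunk with whatever is plugged in")
        return findings
    if mode == "trunk":
        if "switchport nonegotiate" not in lines:
            findings.append("trunk without 'switchport nonegotiate': DTP still runs on the link")
        native = next((int(l.split()[-1]) for l in lines
                       if l.startswith("switchport trunk native vlan ")), 1)
        if native == 1:
            findings.append("native VLAN is 1: untagged and double-tagged frames land in VLAN 1")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append("no allowed-VLAN list: trunk carries every VLAN on the switch")
    elif mode == "access":
        access = next((int(l.split()[-1]) for l in lines
                       if l.startswith("switchport access vlan ")), 1)
        if access == 1:
            findings.append("access port left in default VLAN 1")
    return findings


def audit_config(config: str) -> dict:
    """Map every interface in the config to its list of findings."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run it against the output of "show running-config" saved to a file. The parser treats an interface as a switchport only if it carries at least one "switchport" line, which matches the explicit "switchport" step above; on platforms where that keyword is implicit and never shows in the config, drop that check so routed and switched ports are not confused.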

HP VLAN terminology

HP's Procurve line of switchgear is becoming more and more prevalent in enterprise and
other business environments. Because of this, it isn't uncommon to have to get Cisco and
Procurve hardware to integrate, and because of terminology this can be a challenge.
Below some of the VLAN terminology is defined so there is less opportunity for
confusion.

• VLAN ID - Fortunately, VLAN IDs are pretty much the same everywhere, the
only significant differences are the range of IDs that can be used. With Procurve
devices, the number of VLANs is defined in the configuration. The default
maximum VLANs supported on a Procurve device differs between models and
firmware revisions, but is commonly set to 8. Newer Procurve hardware supports
VLAN IDs up to 4,094, but only 256 concurrently defined VLANs on a single device.
VLAN ID 1 is reserved for the "DEFAULT_VLAN" or the default administrative
VLAN.
• VLAN names - VLAN names are text fields that assist technicians to identify
VLANs. Procurve allows names up to 32 characters, but if you want it to properly
display in menu configuration mode, you should probably limit the name to 12
characters.
• VLAN modes - Procurve has three modes of operation for VLANs on the chassis,
Untagged, Tagged, and No. Untagged mode is Cisco's access mode. This mode is
used for ports that connect to end nodes, or devices that will not be passing
VLAN traffic forward; a port can be untagged in only one VLAN. Tagged mode is
the same as Cisco's trunk mode. This mode is used for ports that are connecting to
devices that will be passing VLAN traffic forward, or for trunking multiple VLANs.
No mode means that the port in question has no association whatsoever with that
VLAN.
• Special note on "trunk" - Lots of confusion surrounds the word "trunk" when you
go between vendor equipment. In Cisco's case, trunking is only used with
VLANs. If you want to group multiple ethernet ports into a single logical ethernet
group, they call it a channel-group. This is regardless of whether FEC or LACP is
used for the channel properties. Procurve uses "trunk" to define a group of
ethernet ports when using the HP trunking protocol, and the term "Tagged" for
what Cisco calls a VLAN trunk. Of course, these two technologies have nothing
to do with each other, but because of naming conventions, confusion arises.

HP Procurve VLAN implementations

VLAN Definition
Most modern Procurve switches enable VLAN use by default, but if, for some reason,
you have an older model, log into the switch, get into manager mode, go to the switch
configuration menu (usually item 2), then the VLAN menu (usually item 8), then the
VLAN support item (usually item 1), and make sure VLANs are enabled. If you change
this setting, you will need to reboot the switch to get it to activate properly. The
configuration menu is useful for these kinds of activities, troubleshooting, and other
things, but is a little more difficult for configuring multiple switches or for using
configuration templates, so the rest of the HP Procurve configuration details will be
provided for the console configuration mode. Aside from enabling VLAN support as a
whole, VLAN definitions and configuration are created in the same place, so the rest of
the configuration examples will be provided under the VLAN configuration topic.

VLAN Configuration

Configuring VLANs on a modern Procurve is pretty simple, you must first define the
VLAN, set its properties, and then set up membership for ports and the VLAN mode they
will support. The following list should help you accomplish these tasks. NOTE: HP has
defined its interface ports by using a module/port convention. If you have a non-modular
chassis (such as the 3448cl) then ports are numbered only using numbers, such as 1 or 36.
If the chassis is modular (such as the 5308) then the ports number is prepended with the
module slot, such as A1 or H6. No reference to the type of switch port (ethernet, fast
ethernet , gigabit ethernet) is used for port reference.

• Step 1 - Log into the switch and get into manager mode. If, after logging in, you
are in the configuration menu, exit the configuration menu by selecting item 5 (in
most cases) or by using the arrow keys on your keyboard to highlight the
"Command Line (CLI)" item.
• Step 2 - Enter "conf t" to get into terminal configuration mode.
• Step 3 - Enter "vlan X" where X is the VLAN id of the VLAN you would like to
create.
• Step 4 - Name your VLAN by entering "name "<VLAN Name>"" where <VLAN
Name> is a text string from 1 to 32 characters (12 characters if you care about the
configuration menu display). You should use quotes when naming the VLAN.
• Step 5 - Give the VLAN an IP address by entering "ip address <ip address>
<netmask>" where <ip address> is the IP address you want to assign this switch
in that subnet, and <netmask> is the network mask for the subnet assigned. Only
the management VLAN needs an address unless the switch is routing; an address in
a VLAN makes the switch's own management services reachable from that VLAN.
• Step 6 - This step is optional. If you want to assign some end node ports to the
VLAN enter "untagged <port-list>" where <port-list> is a list of ports, either
comma delimited if they are non-sequential, or using a dash between list
beginning and end if they are. An example of this is "untagged 1,3,5,7-16". This
would configure ports 1, 3, 5, and 7 through 16 to be untagged on that VLAN. A
port can be untagged in only one VLAN, so this also removes those ports from the
VLAN where they were previously untagged (usually DEFAULT_VLAN).
• Step 7 - This step is optional. If you want to assign some VLAN trunk ports to the
VLAN enter "tagged <port-list>" where <port-list> is a list of ports, either comma
delimited if they are non-sequential, or using a dash between list beginning and
end if they are. An example of this is "tagged 24,26-28". This would configure
ports 24 and 26 through 28 to be tagged on that VLAN.
• Step 8 - Enter "exit" to leave VLAN configuration mode.
• Step 9 - Exit configuration mode by entering "exit" again.
• Step 10 - Save your configuration by entering "wr memory".

You have now successfully configured your HP Procurve VLAN.
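
Port lists are where Procurve configuration templates go wrong in practice, so here is an added example (not from the original page or from HP) of the two checks worth running on a vlan configuration before pushing it: expanding "1,3,5,7-16" style port lists, including modular "A1-A4" names, and verifying that no port ends up untagged in more than one VLAN, which the switch will not accept. The configurations are constructed for the example; in the first one, DEFAULT_VLAN still claims ports 1-16 as untagged.

```python
import re

# Constructed Procurve vlan configuration; VLAN numbers and names are assumptions.
BAD_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   exit
vlan 10
   name "USERS"
   untagged 1-12
   tagged 24
   exit
vlan 20
   name "SERVERS"
   untagged 13-16
   tagged 23-24
   exit
"""
# The fix: DEFAULT_VLAN keeps only the ports nobody else claims as untagged.
FIXED_CONFIG = BAD_CONFIG.replace("untagged 1-24", "untagged 17-24")


def expand_port_list(spec: str) -> list:
    """Expand '1,3,5,7-16' or 'A1-A4,B2' into individual port names, in order."""
    ports = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        m = re.fullmatch(r"([A-Za-z]?)(\d+)(?:-([A-Za-z]?)(\d+))?", item)
        if not m:
            raise ValueError(f"bad port item {item!r}")
        mod, lo, mod2, hi = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        if hi is None:
            ports.append(f"{mod}{lo}")
            continue
        if mod2 and mod2 != mod:
            raise ValueError(f"range {item!r} spans two modules")
        if int(hi) < lo:
            raise ValueError(f"range {item!r} runs backwards")
        ports.extend(f"{mod}{n}" for n in range(lo, int(hi) + 1))
    return ports


def port_membership(config: str) -> dict:
    """Map each port to the VLANs it is untagged and tagged in; honours 'no untagged'."""
    members, vid = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("vlan "):
            vid = int(line.split()[1])
            continue
        m = re.fullmatch(r"(no )?(untagged|tagged) (\S+)", line)
        if vid is None or not m:
            continue                       # name, ip address, exit ...
        negate, kind, spec = m.group(1), m.group(2), m.group(3)
        for port in expand_port_list(spec):
            entry = members.setdefault(port, {"untagged": [], "tagged": []})
            if negate:
                if vid in entry[kind]:
                    entry[kind].remove(vid)
            elif vid not in entry[kind]:
                entry[kind].append(vid)
    return members


def untagged_conflicts(members: dict) -> dict:
    """A port may be untagged in only one VLAN; return the ports that break that rule."""
    return {p: m["untagged"] for p, m in sorted(members.items()) if len(m["untagged"]) > 1}


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "conflicts:", untagged_conflicts(port_membership(cfg)))
```

The switch itself resolves the conflict by silently moving a port out of DEFAULT_VLAN when you make it untagged elsewhere; catching it in the template instead means the configuration you reviewed is the configuration the switch ends up with.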

What is a Firewall?
A firewall is a system that is set up to control traffic flow between two networks.
Firewalls are most commonly specially configured Unix systems, but firewalls have also
been built out of many other systems, including systems designed specifically for use as
firewalls. The most common commercial firewall today is CheckPoint FireWall-1, but
competitors such as Cisco's PIX are quickly catching up on CheckPoint.

Many people disagree on the definition of a firewall, and in this discussion I will use the
term loosely.

The Packet Filtering Firewall

One type of firewall is the packet filtering firewall. In a packet filtering firewall, the
firewall examines five characteristics of a packet:

• Source IP address
• Source port
• Destination IP address
• Destination port
• IP protocol number (TCP, UDP, ICMP and so on)

Based upon rules configured into the firewall, the packet will either be allowed through,
rejected, or dropped. If the firewall rejects the packet, it sends a message back to the
sender (a TCP reset or an ICMP unreachable) letting him know that the packet was
rejected. If the packet was dropped, the firewall simply does not respond to the packet.
The sender must wait for the communications to time out. Dropping packets instead of
rejecting them greatly increases the time required to scan your network. Packet filtering
firewalls operate on Layer 3 of the OSI model, the Network Layer, looking only as far
into Layer 4 as the port numbers. Routers are a very common form of packet filtering
firewall.

An improved form of the packet filtering firewall is a packet filtering firewall with a
stateful inspection engine. With this enhancement, the firewall "remembers"
conversations between systems. It is then necessary to evaluate the rule set only for the
first packet of a conversation; later packets, including the replies coming back, are
matched against the state table. This is what lets return traffic in without a permanent
rule permitting inbound packets from every possible source port.
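
The decision logic above, in code. This is an added example, not code from the original page or from any firewall product: a first-match packet filter over the five-tuple with allow, reject and drop actions, a `response()` helper showing what the sender observes in each case, and an optional state table so that replies to an accepted conversation are admitted without a rule of their own. The rule set and packets are constructed for the example and use the RFC 5737 documentation address ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOW, REJECT, DROP = "allow", "reject", "drop"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str
    proto: Optional[str] = None        # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[range] = None      # None matches any port
    dport: Optional[range] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport))


class PacketFilter:
    def __init__(self, rules, default=DROP, stateful=True):
        self.rules, self.default, self.stateful = list(rules), default, stateful
        self.state = set()             # accepted conversations, keyed by five-tuple

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful and (fwd in self.state or rev in self.state):
            return ALLOW               # part of a conversation we already accepted
        for rule in self.rules:        # first match wins
            if rule.matches(p):
                if rule.action == ALLOW and self.stateful:
                    self.state.add(fwd)
                return rule.action
        return self.default            # no rule matched: the default policy applies

    @staticmethod
    def response(p: Packet, verdict: str) -> Optional[str]:
        """What the sender sees: reject answers, drop stays silent until timeout."""
        if verdict == REJECT:
            return "tcp-rst" if p.proto == "tcp" else "icmp-port-unreachable"
        return None


# Constructed rule set: permit HTTPS to one server, refuse telnet loudly, drop the rest.
RULES = [
    Rule(ALLOW, proto="tcp", dst="192.0.2.10/32", dport=range(443, 444)),
    Rule(REJECT, proto="tcp", dst="192.0.2.0/24", dport=range(23, 24)),
]
# Constructed packets: a client request, the server's reply, and two probes.
HTTPS_REQ = Packet("tcp", "203.0.113.5", 51000, "192.0.2.10", 443)
HTTPS_REPLY = Packet("tcp", "192.0.2.10", 443, "203.0.113.5", 51000)
TELNET = Packet("tcp", "203.0.113.5", 51001, "192.0.2.10", 23)
SSH = Packet("tcp", "203.0.113.5", 51002, "192.0.2.10", 22)


def run(stateful: bool) -> dict:
    """Push the sample packets through a fresh filter; return {name: (verdict, response)}."""
    fw = PacketFilter(RULES, stateful=stateful)
    verdicts = {}
    for name, pkt in (("https_req", HTTPS_REQ), ("https_reply", HTTPS_REPLY),
                      ("telnet", TELNET), ("ssh", SSH)):
        verdict = fw.decide(pkt)
        verdicts[name] = (verdict, fw.response(pkt, verdict))
    return verdicts


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless", run(stateful=mode))
```

Running the stateless and stateful filters over the same packets shows the difference the state table makes: the reply from port 443 is dropped by the stateless filter because no rule covers it, and allowed by the stateful one because the request was remembered. The telnet probe gets a reset back at once, while the SSH probe is left to time out, which is the scanning slowdown the text describes.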
The Application-Proxy Firewall
Another type of firewall is the application-proxy firewall. In a proxying firewall, every
connection is terminated at the firewall. The request is then examined and compared to
the rules configured into the firewall. If it passes the examinations, the proxy opens its
own connection to the destination and re-creates the traffic. Because each packet is
destroyed and re-created, there is a potential that an application-proxy firewall can
prevent unknown attacks based upon weaknesses in the TCP/IP protocol suite that would
not be prevented by a packet filtering firewall. The drawback is that a separate
application proxy must be written for each application type being proxied. You need an
HTTP proxy for web traffic, an FTP proxy for file transfers, a Gopher proxy for Gopher
traffic, etc. Application-proxy firewalls operate on Layer 7 of the OSI model, the
Application Layer.

The Application-Gateway Firewall

Application-gateway firewalls also operate on Layer 7 of the OSI model. Application-
gateway firewalls exist for only a few network applications. A typical application-
gateway firewall is a system where you must telnet to one system in order to telnet again
to a system outside of the network.

The SOCKS Firewall

Another type of application-proxy firewall is the SOCKS firewall. Where normal
application-proxy firewalls do not require modifications to network clients, SOCKS
firewalls require specially modified ("socksified") network clients. This means you have
to modify every system on your internal network which needs to communicate with the
external network. On a Windows or OS/2 system, this can be as easy as swapping a few
DLLs.

How do I configure Wireless Security?
Wireless security is used to limit the scope of users that have access to services you
install when implementing a wireless access point or wireless router device. These
devices are used to provide convenient intranet and/or Internet access without having to
run cable through buildings or other areas of coverage where return on investment is low.
There are two methods used with wireless systems today to limit access:

• Coverage Area
• Authentication and Authorization Mechanisms

Coverage Area
You can limit coverage area with an access point by using the proper antenna for the
coverage needs. This prevents your wireless signals from radiating beyond your coverage
area. Unfortunately, with the proper antenna in place on the receiver side, this method is
easily defeated: the only limiting factor is an individual or group with enough interest
and funding to buy better equipment.

Authentication and Authorization

You can also limit access to services by having proper authentication and authorization
services in place that are required before wireless system access is permitted. This
requires configuration of authentication services on your wireless devices, which should
include encryption in the transport.

Disabling SSID Broadcast

Some devices allow you to disable "SSID Broadcast". Although this helps to limit who
might see which networks are available to attack, knowledgeable attackers do not rely on
SSID values to attack systems. The SSID still appears in the probe and association
frames of legitimate clients, so it can be determined by an attacker using a network
sniffer with wireless capabilities. Disabling SSID broadcast also makes it more
difficult for the intended users of the wireless network to configure and connect to the
wireless network. This is considered to be a "security through obscurity" technique.

Picking an Encryption Technology

There are a few common encryption technologies used in wireless infrastructures today.

WEP or Wired Equivalent Privacy

WEP is usually found in 64-bit, 128-bit, and 256-bit implementations. WEP has been
found to be weak cryptographically (its RC4 key can be recovered from a modest amount
of captured traffic regardless of key length), and should not be used for any wireless
infrastructure you would like to have secured. Choosing a good passphrase or password
does not increase the level of security offered by WEP.

WPA - Wifi Protected Access

WPA (with the TKIP cipher) keeps WEP's RC4 stream cipher but mixes a fresh key for
every packet and adds a message integrity check, which closes the WEP key-recovery
attacks. In WPA-Personal the real weakness is the passphrase: the pre-shared key is
derived from it and the SSID, and a captured four-way handshake can be used to test
passphrase guesses offline, so choosing a passphrase or password of 20 characters or
more is important to keep your wireless network secure. If you use a good passphrase
with WPA, it is believed that attacks are impractical.

WPA2 - the Second Generation of Wifi Protected Access

WPA2 uses new encryption technologies called AES or TKIP which are not based on
WEP. WPA2 is the preferred encryption technology if it is available. As of March 13,
2006, all equipment using the WiFi trademark must be certified for WPA2.

Mixing WPA and WPA2 clients

Devices that support WPA2 mixed mode allow clients using CCMP (AES) and clients using
TKIP to connect to the same network. Each client's unicast traffic is protected with that
client's own cipher, but broadcast and multicast traffic must use a group cipher that every
client can decrypt, which in mixed mode means the weaker TKIP. A single TKIP client
therefore lowers the protection of all group traffic.

Encryption Keys

Encryption requires both ends to arrive at the same key so the algorithms have a common
starting point. Wireless devices usually provide two ways to do this: pre-shared keys (PSK,
often called "personal" mode) and enterprise mode (802.1X with a RADIUS server). For
individuals and small businesses a pre-shared key is simpler. For environments with many
wireless access points and clients, enterprise is generally the better choice.

• Pre-shared keys - A pre-shared key is a password or passphrase you configure on all of
your access points and clients so they can initiate communication. The passphrase and the
SSID are stretched into the actual master key, and each client then negotiates its session
keys in a handshake with the access point. Anyone who captures that handshake can test
passphrase guesses offline, so selecting a good passphrase is imperative.
• Enterprise - Enterprise key exchange is provided by a RADIUS service. The client
authenticates to the RADIUS server through the access point (using EAP), and on success
the server hands the access point a fresh master key for that client, so every user has unique
keys and revoking one account does not require rekeying every device. This makes it easier
to manage many wireless devices and clients with less effort.
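As an added example (not part of the original article), the following Python shows how a WPA/WPA2 pre-shared key becomes the session key used in the 4-way handshake, and why a captured handshake lets an attacker test passphrases offline. The SSID, MAC addresses, nonces and EAPOL-Key frame are constructed sample values, and the "captured" MIC is computed from them with a known passphrase so the attack can be demonstrated without a real network.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def ptk_from_handshake(pmk, ap_mac, client_mac, anonce, snonce):
    """Pairwise Transient Key from the PMK plus the two MAC addresses and the two
    nonces exchanged in the handshake; the first 16 bytes are the KCK used for the MIC."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), first 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(ssid, ap_mac, client_mac, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Offline dictionary attack: everything except the passphrase is in the capture."""
    for candidate in wordlist:
        ptk = ptk_from_handshake(pmk_from_passphrase(candidate, ssid),
                                 ap_mac, client_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_zeroed), captured_mic):
            return candidate
    return None


# Constructed sample "capture" (hypothetical values, not from a real network).
SSID = "HomeNet"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_ZEROED = b"\x01\x03\x00\x5f\x02\x01\x0a\x00" + b"\x00" * 91  # MIC field already zeroed


def demo_mic(passphrase: str) -> bytes:
    """The MIC a client would send in message 2 of the handshake for this passphrase."""
    ptk = ptk_from_handshake(pmk_from_passphrase(passphrase, SSID),
                             AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_ZEROED)


def demo():
    captured = demo_mic("dragon2006")  # weak passphrase chosen by the victim
    wordlist = ["password", "letmein", "dragon2006", "correct horse battery staple"]
    return crack_psk(SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, EAPOL_ZEROED, captured, wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Each guess costs 4096 HMAC-SHA1 iterations, which is why the attack is feasible against a short dictionary word and impractical against a long random passphrase: the capture gives the attacker everything else, and only the number of candidates they must try stands between them and the key.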

Authentication and Authorization can be provided by many means including:

• MAC address filters
• Login and Password credentials validation
• Identity validation through public key encryption, soft-token, or certificates
• Identity validation through hard-token or key FOB

MAC Address Filters

MAC address filtering permits or denies clients using a look-up table of hardware addresses:
if a wireless card's MAC address is on the list it is allowed (or, for a deny list, blocked).
Unfortunately, a knowledgeable attacker can use a wireless sniffer to capture the MAC
addresses of currently connected systems (they are sent in the clear in every frame, even on
an encrypted network) and change his own MAC address to match. Changing a system's MAC
address is a trivial matter. Because of this, MAC filtering is considered "security through
obscurity".

Login and Passwords

Some systems will not pass traffic from a connected client until the user authenticates with
the wireless device. The credentials may be stored in a table locally on the wireless device, or
checked remotely using RADIUS, TACACS+, or some other remote authentication protocol.

Soft-tokens and Certificates

A soft-token is a software package installed on the client system that interacts with the
authentication and authorization software on the wireless device to validate the user.

Certificates are files installed on the client machine; the client proves possession of the
matching private key, and the wireless device (or its RADIUS server) checks that the
certificate chains to a trusted issuer before admitting the client to the network.

Hard-tokens and Fobs

Hard-tokens are small computing devices that use a challenge-response mechanism with
the wireless device to validate a user or wireless network client.

A Fob is a piece of hardware you can attach and detach from a client system that provides
credentials to the wireless device for client validation.

Conclusion
In conclusion, you should use WPA2, then WPA, and then WEP in that order, for your
wireless encryption if you have a choice. Even WEP is better than a completely open wireless
network, but only marginally. For key exchange use pre-shared keys if you don't have many
wireless devices to manage, or set up a RADIUS server for that function if you have lots of
devices to manage. You can disable SSID Broadcast and use MAC filtering, but don't rely on
them solely to secure your wireless network.

What is a RADIUS Server?

RADIUS stands for "Remote Authentication Dial In User Service". It is a networking protocol
that provides centralized authentication, authorization, and accounting (AAA) for users or
computers that connect to and use a network service. Authentication is needed whenever
someone tries to attach to a network, and the problem is most visible when a user connects a
computer to a telecommunications network: the telco wants to know who is operating the
computer; once the identity is established, it needs to know which services that user may
use; and while the session runs it must collect billing data about the time and capacity
consumed.

RADIUS solves all three problems and is implemented by most widespread open source and
commercial systems. RADIUS-based systems are frequently deployed by telcos and other
companies to identify their customers or employees with ease. Beyond identifying users,
RADIUS can determine what an authenticated user is authorized to do and record each
session in the server's "Accounting" function.

RADIUS is an open-standard, UDP-based protocol originally developed within the IETF. It
combines the authentication and authorization steps into a single exchange, which makes it
hard to perform one without the other. RADIUS also does not support the Novell
Asynchronous Services Interface (NASI) protocol, the NetBIOS Frame Protocol Control
Protocol, X.25 Packet Assembler/Disassembler connections, or the AppleTalk Remote Access
Protocol.

RADIUS servers can verify credentials through several authentication schemes, including
PAP, CHAP, and EAP. RADIUS is frequently used to support roaming between ISPs, and
many companies use it because it provides a single, central set of credentials that can be
used across public networks. Its primary users are Internet Service Providers, but it fits any
network that requires centralized authentication and accounting for its workstations.

RADIUS thus enables centralized management of credential data such as usernames and
passwords. The RADIUS server can store this data locally, but it may also keep it in an
external SQL database or an external UNIX password file. RADIUS is also a convenient way
to perform accounting without extra effort. It can significantly improve security by
centralizing password management; the flip side is that whoever takes over the RADIUS
server has everything.

SUMMARY: overall, RADIUS serves Internet service providers and companies alike as a way
to identify their customers or employees with ease, and it lets users connect their computers
to a telecommunications network without hassle.

What is Access Control?

Access control is a term from the security field. In general, it means enforcing limits and
restrictions on whoever tries to reach a protected resource. Checking who may pass through
an entrance is also a practice of access control. There are many types of access control, and
some of them are mentioned in this article; you, the reader, will find several of them around
you right now.

Access Control for Computers (Anti-Virus etc)

Nowadays, almost every computer user runs a firewall, an antivirus program, a popup
blocker, and many similar programs. All of these perform an access control function: they
guard us against intruders of one sort or another by inspecting whatever tries to enter the
computer and letting it in or keeping it out. Computers have elaborate access control
capabilities; they ask for authentication and check digital signatures.

Access Control for Buildings/Landscapes

If you leave your computer chair for a moment and walk out of the room, you will pass
through a door. Doors, like the windows beside them, are the most familiar form of access
control in basic home security.

Take a look at the door's handle. You twist it in order to open or close the door; that is
access control at its most basic. Without the handle the door would swing freely and stop no
one from entering the room. Below the handle there is a lock and a keyhole, and the lock is
what stops people from getting through the door. Nowadays there are many kinds of
keypads and electronic access control systems, and keys and locks are beginning to look
different. With the passage of time, locks have become smarter: some recognize patterns of
your physical features or your voice, and fingerprint locks read your fingerprints.

Huge Market for Access Control

Access control is a rapidly growing market and may soon take forms we cannot yet imagine.
Security access control is now a necessary component for businesses, and there are many
ways to provide it. Some companies post a security guard at the gateway; many devices,
such as turnstiles, physically permit or prevent passage. The most effective access control
systems are operated by computers.
What is IP Address Spoofing?
IP address spoofing denotes the action of generating IP packets with fake source IP
addresses in order to impersonate other systems or to protect the identity of the sender.
Spoofing can also refer to forging or using fake headers on emails or netnews to - again -
protect the identity of the sender and to mislead the receiver or the network as to the
origin and validity of sent data.

Basics of IP Address Spoofing
The Internet Protocol or IP is the fundamental protocol for sending and receiving data over
computer networks and the Internet. Each IP packet carries information relevant to its
delivery, including the source and the destination address. With IP address spoofing, the
value placed in the source field is not the actual source of the packet. By forging the source
field, the sender makes the packet look as if another computer sent it, and the target's reply
goes to that forged address rather than to the attacker. Spoofing is therefore most useful
where the attacker does not need the reply at all, or is positioned on the victim's path and
can observe it.

Effects of IP Address Spoofing

IP address spoofing is especially useful in denial of service (DoS) attacks, where large
amounts of traffic are sent to a target system and the perpetrators do not care about the
target's responses. The attack packets appear to come from many different sources, which
makes the perpetrators hard to trace and makes the traffic hard to block by address.

Attackers using IP address spoofing frequently pick random addresses from the entire IP
address space, while some restrict themselves to unallocated ranges; the latter is easier for a
well-run network to filter, since routers can drop packets from unallocated ("bogon") space
outright. Spoofed-source flooding is also less effective than using a botnet, because it can be
measured: replies to the forged packets land on unused address space that researchers
monitor, and this "backscatter" reveals the attack and its scale. Nevertheless, it remains a
viable option for attackers.

IP address spoofing is also a very useful tool in infiltrating networks and overcoming
network security measures. This happens when IP address spoofers use a trusted IP
address within the network and thus circumvent the need to provide a username or
password to log in to the system. This sort of attack generally is based on a specific set of
host controls (such as rhosts) that are configured insecurely.
IP Address Spoofing Defense
Ingress filtering (RFC 2827, BCP 38) is an effective defense: a router at the network edge
drops any incoming packet whose source address belongs to the inside network, or could not
have arrived on that interface, since such a packet must be forged. Likewise, egress filtering
drops packets leaving the network whose source address is not one of the network's own, so
a compromised host inside cannot launch spoofed attacks on other networks. Unicast
reverse-path forwarding (uRPF) checks on routers apply the same rule automatically from the
routing table.

Upper-layer protocols also help. TCP requires the peer to echo an unpredictable initial
sequence number before a connection is established, so an attacker who forges a source
address but cannot see the reply has to guess that number; with properly randomized
sequence numbers this makes blind spoofing of TCP connections impractical. It offers no
protection for connectionless protocols such as UDP or ICMP.

Turning off source routing (loose and strict) on your network routers also helps, because a
source-routed packet can steer the reply back to the attacker even though the source address
is forged. Source routing was used in the past to route around network faults, but the
routing protocols on today's Internet make it all but unnecessary.
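As an added example (not part of the original article), the following Python implements the ingress/egress decision described above for a hypothetical edge router that owns 203.0.113.0/24. The prefixes, the bogon list and the packets are constructed for this illustration; a real router applies the same rule with uRPF or an access list rather than a script.

```python
import ipaddress
import struct

# Policy for a hypothetical edge router (constructed for this example).
INSIDE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]   # addresses we own
# Source ranges that must never arrive from the Internet-facing interface.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                   "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def parse_ipv4_src_dst(packet: bytes):
    """Pull source and destination addresses out of a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst)


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_packet(packet: bytes, arrived_on: str) -> str:
    """BCP 38 decision for one packet. Returns 'forward' or a drop reason."""
    src, _dst = parse_ipv4_src_dst(packet)
    if arrived_on == "outside":
        # Ingress: nothing from the Internet may claim one of our own addresses,
        # and nothing may claim a private/reserved (bogon) source.
        if _in_any(src, INSIDE_PREFIXES):
            return "drop: spoofed internal source"
        if _in_any(src, BOGON_PREFIXES):
            return "drop: bogon source"
        return "forward"
    if arrived_on == "inside":
        # Egress: anything we send out must carry one of our own addresses.
        if not _in_any(src, INSIDE_PREFIXES):
            return "drop: spoofed outbound source"
        return "forward"
    raise ValueError("unknown interface " + arrived_on)


def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header builder (checksum left zero; enough for the filter)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def demo():
    """Constructed packets: legitimate and forged traffic in each direction."""
    cases = [
        (build_ipv4("198.51.100.7", "203.0.113.10"), "outside"),  # real external client
        (build_ipv4("203.0.113.5", "203.0.113.10"), "outside"),   # claims to be us: forged
        (build_ipv4("10.0.0.9", "203.0.113.10"), "outside"),      # private source from Internet
        (build_ipv4("203.0.113.20", "198.51.100.1"), "inside"),   # our host going out
        (build_ipv4("1.2.3.4", "198.51.100.1"), "inside"),        # our host spoofing someone else
    ]
    return [filter_packet(pkt, iface) for pkt, iface in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The egress rule is the one most often skipped, yet it is what stops your own network from being the source of a spoofed flood; the ingress rule only protects you.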

What are Passwords?

Passwords are strings of characters used to authenticate computer system users.

Computer users are normally asked to enter their username (or login name) and their
password (or pass phrase) before they are given access to a system.

If the person knows the username and the password, the computer system trusts that they
are the account owner and grants them access to their data.

Selecting a good password

Choosing a good password is critical for personal security: it forces password crackers to
spend more time and resources to reach your personal information and computer
credentials. A poor password creates a false sense of security, and may expose your personal
information and computer resources, or even allow another individual to launch attacks and
viruses using your credentials.

Password Construction
Password crackers have many tools at their disposal to cut down the amount of time it
takes to crack your password. Selecting a secure password will help to ensure that the
password cracker must take as much time as possible to guess or otherwise identify your
password. No password is ultimately secure, but if it takes the password cracker longer to
crack the password than it takes for the password to become useless, you will have
succeeded in thwarting the cracker's attack.

Insecure methods

• Passwords should not be created using personal information about yourself or your
family. A password cracker with incentive to break your personal password will try this
information first, making these the least secure passwords of all. Examples of bad
passwords of this type are: your name, birthplace, nickname, family name, names of pets,
street address, parents' names, names of siblings and the like.
• Passwords should not be formed of words out of any dictionary or book. Longer words do
not generally add much protection. Using known words in any language allows the
password cracker to take shortcuts, guessing your password in a very small fraction of the
time it would otherwise take. Examples of bad passwords of this type are: dragon, secret,
cheese, god, love, sex, life and similar words.
• Passwords should not be composed of proper nouns of places, ideas, or people. These
words are commonly found in password cracker databases. Examples are: Jehovah,
Tylenol, edutainment, Coolio, beesknees, transformers.
• Passwords should not be simple variations of words. Although these passwords do not
appear in a book or dictionary, it is a simple matter to generate a replacement word list
automatically from the substitution rules people actually use. These passwords are more
secure than the two types above, but not significantly so. Examples of passwords of this
type are drowssap, l0ve, s3cr3t, dr@gon, and similar word-like terms.
• Passwords should not be a concatenation of two words that commonly follow each other
in a sentence. These passwords are more secure than the concepts above, but still fall far
short for password security. Examples of these kinds of passwords are: whatfor,
divineright, bigpig, ilove, farfetched, catspajamas.
• Do not reuse recently used passwords. If you find it difficult to pick a new password, wait
until you have changed your password at least 5 times before reusing an old one, or 12
months if password changes are frequent.

Secure methods

• Always change your password immediately if you feel that your password has
been compromised. Always do this directly. Never follow links sent to you in
email, through an instant messenger client, or from a phone call you received. Ask
for administrative assistance if you have trouble changing your password.
• Do not write your password down where others may find it. If you must write it
down, ensure it is in a locked location that is only accessible to you. Hiding your
password in places you feel it is unlikely to be found is not helpful. Password
crackers have a criminal mind, and generally know where to look.
• It is important that you change your password on a regular schedule, at least every
six months. This assists you by throwing off any cracking efforts that might be in
progress, but have not yet been completed. It also helps you if somehow you have
compromised your password in some other way without knowing it.
• Select passwords that use a mixture of capital letters, numbers, and special
characters. Take heed however, some systems do not allow you to use some or
any special characters. Make sure you check the password criteria for the system
you are using ahead of time, if possible.
• Use substitution of numbers for letters and letters for numbers in your passwords.
Although this is not a primary method of securing your password, it will add
another layer of security on top of a good password, and will prevent the
accidental guess of your password due to circumstances.
• Where it is not possible to use many characters in your password (less than 14), it
is advisable to create a password by creating a passphrase, and selecting letters in
a specific position in each word. An example of this is "jJjshnImn2". As you
notice, it's unlikely that any cracker would guess this password; however, it is
easy to remember when you note the passphrase "John Jacob Jingleheimer
Schmidt, his name is my name too". Notice the use of number substitution and
capitalization in the password.
• The best passwords are complete phrases if the system will allow them. They are
sometimes called "passphrases" in reflection of this. For example, a good
passphrase might be "I clean my Glock in the dishwasher." You can also use
number and letter substitution on passphrases as well. Longer passphrases
generally mean better password security.
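As an added example (not part of the original article), the following Python shows why the "simple variations of words" above are barely more secure than the words themselves: a cracker does not guess them one by one but generates them mechanically from a small dictionary. The substitution rules and the five-word dictionary are constructed for this illustration, and SHA-256 stands in for whatever hash the target system uses; a real wordlist has millions of entries and far more mangling rules.

```python
import hashlib
import itertools

# Letter substitutions people use when they "disguise" a word (constructed list).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def mangle(word: str):
    """Yield the variations a cracker tries for one dictionary word: case changes,
    reversal, leet substitutions on up to three letters, and common suffixes."""
    bases = {word, word.lower(), word.capitalize(), word.upper(), word[::-1]}
    positions = [i for i, ch in enumerate(word.lower()) if ch in LEET]
    for r in range(1, min(len(positions), 3) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(word.lower())
            for alts in itertools.product(*[LEET[chars[i]] for i in combo]):
                tmp = chars[:]
                for i, a in zip(combo, alts):
                    tmp[i] = a
                bases.add("".join(tmp))
    for b in list(bases):
        yield b
        for suffix in ("1", "123", "!", "2006"):
            yield b + suffix


def crack(target_hash: str, wordlist):
    """Try every mangled candidate; returns (password, guesses) or (None, guesses).
    SHA-256 stands in for the slow hash (bcrypt/argon2) a real system should use."""
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            if hashlib.sha256(cand.encode()).hexdigest() == target_hash:
                return cand, guesses
    return None, guesses


def h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed mini-dictionary standing in for a real wordlist.
WORDLIST = ["password", "dragon", "secret", "love", "cheese"]


def demo():
    """Map each sample password to (was it recovered, guesses needed)."""
    results = {}
    for pw in ("dr@gon", "s3cr3t", "drowssap", "l0ve123",
               "I clean my Glock in the dishwasher."):
        found, guesses = crack(h(pw), WORDLIST)
        results[pw] = (found == pw, guesses)
    return results


if __name__ == "__main__":
    for pw, (recovered, guesses) in demo().items():
        print(f"{pw!r:40} recovered={recovered} after {guesses} guesses")
```

All four "disguised" words fall within a few hundred guesses from a five-word dictionary; the passphrase is never reached because no rule derives it from a dictionary word. That is the whole argument for length and for phrases over substitutions.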

Password Secrecy
Passwords are useless if they are distributed to other than to their intended users. Below
is a list of methods to keep your passwords private.

• If you have a large number of passwords to remember, or you don't feel you can
remember important ones, you can use your computer to assist you in storing them.
Encrypt your password list with a strong master password using reliable encryption
software. Many password managers are available for this purpose. For experienced users,
GNU Privacy Guard and Pretty Good Privacy are free for individual use. Ensure you know
how to use encryption properly; improper use of encryption technologies may defeat the
whole purpose of using encryption in the first place. Seek help from an encryption expert,
or purchase commercial encryption software, if understanding is not forthcoming. Do not
store your encrypted passwords, or your encryption keys, somewhere that another person
may gain access to them.
• Refrain from using the same password on multiple systems, especially systems that do
not serve the same function. Never use a password you use on Internet forums, games,
websites, or the like for any important account. It is trivial for the owners of those
systems to extract your passwords if they are willing.
• Never send a password through e-mail, instant messenger clients, chat rooms, forums or
other shared environments. These conversations are almost never entirely private. Do not
tell someone your password over a cell phone or cordless telephone, as these are insecure
mediums for conversation and may easily be monitored. If you must tell someone a
password over a telephone land line, make sure the party you are speaking with is the
only listener. You may want to verify that additional parties are not listening in by calling
the original party back on a number you know is theirs.
• Do not use shared passwords unless it is entirely unavoidable. Passwords shared
between multiple users prevent determining which user performed which actions.
• Of course, never tell your passwords to anyone. Once you tell someone else your
password, you no longer have control over who knows it. If you absolutely must share
your access to a computer system, change the password to a new one before sharing it,
and then change the password back once the other users are done with the necessary
work.

Two-Factor Authentication
Passwords alone have proven to be insecure. Passwords have been compromised without
the user's knowledge, through coercion, or because the user was conned into revealing them.
The core problem with a password by itself is that an administrator or computer system
cannot distinguish a legitimate user from an impostor who presents the same password.
Two-factor authentication was invented to address this inherent flaw.

A password is "something you know", information understood to be known by a single
individual. Two-factor authentication systems add a second factor, "something you have":
an electronic card key, electronic token, dongle, fob, or some other physical item you keep in
a secure place when not in use. Where higher levels of security are needed, "something you
are" is a common stand-in for the second factor: a fingerprint, retina pattern, the person's
weight, specific vital signs, or a combination of these is used in place of the electronic
device. The biometric factor has been found to be unreliable, not because it admits people it
should reject when used properly, but because it tends to deny legitimate users access due
to sickness, physical changes, or other impairments.

There are two common methods of authentication when users use electronic devices for
two-factor authentication: response-only and challenge-response systems.

Response-only systems require the user to present the electronic device to a reader, or to
enter a code the device displays without any user input. The user provides a username or
PIN that is not known to outsiders, and then enters the credential data the device generated
when prompted. Where no PIN is required at all, this mechanism collapses back to
single-factor authentication: the user does not need to know anything, only to possess the
item. An example is the standard electronic card key used to enter a facility or building
perimeter; the user need not provide any other factor to prove their identity.

Challenge-response systems require the user to enter a specific passphrase or PIN into the
electronic device first, before the device responds with the proper access credential data.
This variant is always two-factor authentication, since the user must provide both
"something they know" (the PIN) and use "something they have" (the electronic device).
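As an added example (not part of the original article), the following Python models both token styles. The response-only token is an RFC 4226 HOTP generator, which real hardware tokens implement; the challenge-response token mixes the PIN into its key so a stolen device without the PIN produces wrong answers. The secret is the RFC 4226 test vector secret, the PIN and the challenge bytes are constructed, and the verifier's look-ahead window and replay rule are design choices of this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ResponseOnlyToken:
    """'Something you have': shows a fresh code on each press, no PIN involved."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class ChallengeResponseToken:
    """'Something you have' plus 'something you know': the PIN is folded into the
    key, so the device alone (stolen, PIN unknown) answers incorrectly."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def answer(self, pin: str, challenge: bytes) -> str:
        key = hmac.new(self.secret, pin.encode(), hashlib.sha256).digest()
        return hmac.new(key, challenge, hashlib.sha256).hexdigest()[:16]


class Server:
    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret, self.pin, self.window = secret, pin, window
        self.counter = 0  # next HOTP counter the server will accept

    def verify_hotp(self, code: str) -> bool:
        # Look ahead a small window so a skipped press does not lock the user out,
        # and never accept a counter that was already consumed (replay).
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

    def verify_challenge(self, challenge: bytes, response: str) -> bool:
        expected = ChallengeResponseToken(self.secret).answer(self.pin, challenge)
        return hmac.compare_digest(expected, response)


SECRET = b"12345678901234567890"  # RFC 4226 test secret, standing in for an enrolled token


def demo():
    token, server = ResponseOnlyToken(SECRET), Server(SECRET, pin="4711")
    first = token.press()
    ok_first = server.verify_hotp(first)
    replayed = server.verify_hotp(first)              # same code again: must fail
    cr = ChallengeResponseToken(SECRET)
    challenge = b"\x00\x01\x02\x03\x04\x05\x06\x07"   # constructed nonce from the server
    right = server.verify_challenge(challenge, cr.answer("4711", challenge))
    stolen = server.verify_challenge(challenge, cr.answer("0000", challenge))
    return ok_first, replayed, right, stolen


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

Note that the HOTP code by itself is still only the "something you have" factor; the server must also demand the user's PIN or password before the response-only scheme counts as two-factor, exactly as the text says.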

Both response-only and challenge-response systems can be defeated if the user reveals the
secret information they keep, such as their username or PIN, and the attacker also takes
possession of the electronic device. The biometric factor was introduced to close this gap.

Biometric factors have been in use for several decades and, properly deployed, are a reliable
way to keep unauthorized users out of secure systems or environments regardless of whether
the passwords involved stay private. Systems examine fingerprints, retina patterns, weight,
body temperature, and other biological signs to decide whether the person requesting access
is who they claim to be. Movies depict these systems being defeated by cutting off body
parts, using retinal masks, or forcing legitimate users to bypass the authentication
mechanism for the attacker. These are largely Hollywood schemes that rarely work in the
real world, because where this level of security is required the entry points are usually
monitored by cameras and security personnel, and deadlock portals, remotely activated
magnetically controlled entranceways, and visual identification are the norm.

Many simple methods have been devised to defeat weakly designed biometric systems (a
lifted fingerprint against a cheap sensor, for instance), so be sure you thoroughly test the
security measures you plan to put in place before implementation.
How do I Disable the Netgear Router
Firewall?
In most cases, disabling the firewall on your Netgear router is a really bad idea. In fact, it
is such a bad idea that Netgear doesn't even make a button in their GUI that does this.

Nevertheless, we can effectively disable a Netgear router firewall just by adding a rule or two
to the firewall configuration.

Netgear Router Firewall Default Rules


Netgear devices with firewalls have two default rules:

• Outbound Services: Allow all access from the inside to the outside.
• Inbound Services: Block all access from the outside to the inside, except
responses to requests from the inside.

How to Disable the Netgear Router Firewall


To disable the Netgear Router Firewall, all we need to do is to add a new rule that allows
all access from the outside to the inside.

To do this, type the router's address (the default is either 192.168.0.1 or 192.168.1.1) in
your Web browser

Enter your username and password in the prompt that appears. The default username is
admin and the default password is password.

From the main menu, choose Security -> Rules

Add a new rule for Inbound Services with a service name of "ANY" and an action of
"ALLOW always."

Then, move your new rule up until it is the first rule in the Inbound Services section.

Finally, make certain that this rule is enabled by checking the Enable column.

Your Netgear Router firewall is now disabled and your internal network is now
completely unprotected and open to attack from the Internet.
What is RADIUS (Remote Authentication
Dial In User Service)?
RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865, is a
protocol for remote user authentication and accounting.

RADIUS enables centralized management of authentication data, such as usernames and
passwords.

When a user attempts to log in to a RADIUS client, such as a router, the router sends the
authentication request to the RADIUS server. The server's replies are authenticated with an
MD5 hash over the packet and a shared secret known to client and server, which is never
transmitted over the network. The packets are not otherwise encrypted: only the
User-Password attribute is obscured, by XORing it with an MD5 stream derived from the
shared secret and the request authenticator. Anyone who learns the shared secret can recover
passwords from captured traffic, so the secret must be long and random, and RADIUS traffic
should be confined to a protected management network or tunneled (for example over
IPsec).

The RADIUS server may store the authentication data locally, but it can also store
authentication data in an external SQL database or an external Unix /etc/passwd file.
The RADIUS server can also plug into a PAM (Pluggable Authentication Modules)
architecture to retrieve authentication data.

The role of the RADIUS server as the centralized authentication server makes it an
excellent choice for also performing accounting.

RADIUS can significantly increase security by enabling the centralization of password
management. Of course, the other side of that argument is that once you take over the
RADIUS server, you have everything.

RADIUS servers are available from many vendors. In addition, GNU RADIUS and FreeRADIUS
are non-commercial options.

RADIUS uses the MD5 algorithm for its packet authenticators and for hiding the
User-Password attribute. This is obfuscation keyed on the shared secret, not password
hashing, and MD5 is no longer considered a strong choice.

RADIUS is the de facto authentication backend for 802.1X/EAP in 802.11i (WPA2-Enterprise)
wireless networks.
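As an added example serving both this section and the earlier "What is a RADIUS Server?" section (not code from the original page or from any RADIUS implementation), the following Python reproduces the RFC 2865 User-Password hiding and the Response Authenticator, and shows what a sniffer holding the shared secret can do with a captured Access-Request. The shared secret, password and packet fields are constructed sample values.

```python
import hashlib
import os
import struct


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then XOR each block
    with MD5(secret + previous cipher block); the first 'previous block' is the
    16-byte Request Authenticator from the packet header."""
    if len(password) > 128:
        raise ValueError("RADIUS limits passwords to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """The inverse: what an eavesdropper with the shared secret does to a capture."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, stream))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_authenticator: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_authenticator + attributes + secret).digest()


def demo():
    secret = b"testing123"          # constructed shared secret (and a typical weak one)
    req_auth = os.urandom(16)       # the client picks a fresh random Request Authenticator
    hidden = hide_password(secret, req_auth, b"hunter2")
    recovered = reveal_password(secret, req_auth, hidden)
    # Access-Accept (code 2), identifier 7, no attributes, as the real server would sign it
    genuine = response_authenticator(2, 7, req_auth, b"", secret)
    forged = response_authenticator(2, 7, req_auth, b"", b"wrong-secret")
    return recovered, len(hidden), genuine != forged


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the construction: the hiding is only as strong as the shared secret (a dictionary-word secret can be brute-forced offline from one captured request and its reply), and nothing in the base protocol authenticates the Access-Request itself, which is why the Message-Authenticator attribute of RFC 2869 or transport protection is needed in addition.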


Q: How easy is it to change mac address?

A: Very easy! You can change MAC address in six easy steps.

1) Install your SpeedDemon.
2) Place the configuration disk in the floppy drive and turn your computer on.
3) Type "M" to change MAC address, press enter.
4) Type your desired Ethernet address, press enter.
5) Press "Y" to change mac address.
6) Press "E" and enter to reboot.

Q: I want to change MAC address, should I buy a SpeedDemon network card?

A: Software manufacturers can limit software so that it can be used only with an authorized
network card. This form of copy protection relies on the network card's hardware address.
This effective method of copy protection disadvantages legitimate users because network
cards often fail. Having SpeedDemon network cards available ensures that your network will
endure a hardware failure.

Furthermore, you can connect to the Internet through your Broadband Internet Service
Provider (ISP) only if your computer has a network card or cable modem with an authorized
network address. If you change mac address, your SpeedDemon network card clones your
network card that is authorized to access the Internet. Your SpeedDemon with change mac
address will allow you to connect two different computers to the Internet with only one
subscription. This method of broadband connection sharing requires only a single Internet
account and does not require the two computers to be connected.

Every other method to change MAC address is inferior. Software-based methods to change
mac address merely modify your registry or other system files. They don't really change
MAC address, they only fool your computer into thinking that you have a new Ethernet
address for a short time. With software-based solutions, your hardware address will
eventually reset back and there is no money-back guarantee. Furthermore, computer
programmers and network professionals detect this inferior method and prevent it.

Now that SpeedDemon adapters are available, a new, easy, and practical method to change
mac address is available.

Q: What is significant about SpeedDemon network card ability to change mac address?

A: SpeedDemon network cards allow you to change MAC address thousands of times. When
you change MAC address so that the SpeedDemon duplicates another computer's network
address, the computer with the SpeedDemon appears to be the same computer as the one
with the original network address. ISP's rely on a computer's Ethernet address in order to
authorize (or deny) access to the internet. If you change MAC address, using a SpeedDemon
will allow you to have two computers authorized to access the internet; one computer at
home that is authorized by your ISP and the other computer at your office with a
SpeedDemon.

Q: If I'm connecting two computers to my ISP's network, why don't I just get two accounts
from my ISP instead of change mac address?

A: Because you will pay double in subscription fees. ISP's offer major discounts if two
computers are connected to the Internet using only one subscription, one computer with a
SpeedDemon with a change mac address and an additional IP address.

Q: Why don't I just buy a hub or switch?

A: A hub or switch may suit you better than a SpeedDemon if the computers you are trying
to connect to the Internet are physically located next to one another. However, if the
computers you are trying to connect to the Internet are located across a house or in different
buildings, the SpeedDemon would be a better choice because the SpeedDemon doesn't
require the two computers to be connected in any way. If you don't want network cables
cluttering your hallways, you want a SpeedDemon.

Q: Is there another way to change MAC address?

A: YES, BUT WE DO NOT SUGGEST THAT ANYONE ATTEMPT THIS:

1. Carefully desolder the EEPROM from your network card.
2. Place the EEPROM into an EEPROM programmer and hex dump the EEPROM's data to
your computer.
3. Find the data that corresponds to your hardware address (instructions on how to find
your network address follow.)
4. Change the EEPROM data to reflect your desired network address and checksum.
Information on modifying the checksum varies among network card manufacturers; in
order to find the information, you must contact your NIC manufacturer.
5. After you change the MAC address data, write the modified data back to your EEPROM
and resolder the EEPROM onto your NIC board.

Q: How can I find my MAC address?

A: For Windows 2000 and Windows XP computers:

1) Click "start", then "run".
2) Type "command".
3) Type "ipconfig /all" and locate your Ethernet address in the
   "Physical Address" field.

A: For Windows 95, Windows 98, and Windows ME computers:

1) Click "start", then "run".
2) Type "winipcfg".
3) Locate and click your network card.
4) Locate your MAC address in the "Adapter Address" field.

What is the OSI Model?

The OSI model is a reference model which most IT professionals use to describe
networks and network applications.

The OSI model was originally intended to describe a complete set of production network
protocols, but the cost and complexity of the government processes involved in defining
the OSI network made the project unviable. In the time that the OSI designers spent
arguing over who would be responsible for what, TCP/IP conquered the world.

The Seven Layers of the OSI Model

The seven layers of the OSI model are:

Layer  Name
7      Application
6      Presentation
5      Session
4      Transport
3      Network
2      Data Link
1      Physical

The easiest way to remember the layers of the OSI model is to use the handy mnemonic
"All People Seem To Need Data Processing":

Layer  Name          Mnemonic
7      Application   All
6      Presentation  People
5      Session       Seem
4      Transport     To
3      Network       Need
2      Data Link     Data
1      Physical      Processing

The functions of the seven layers of the OSI model are:

Layer Seven of the OSI Model

The Application Layer of the OSI model is responsible for providing end-user services,
such as file transfers, electronic messaging, e-mail, virtual terminal access, and network
management. This is the layer with which the user interacts.

Layer Six of the OSI Model

The Presentation Layer of the OSI model is responsible for defining the syntax which two
network hosts use to communicate. Encryption and compression should be Presentation
Layer functions.

Layer Five of the OSI Model

The Session Layer of the OSI model is responsible for establishing process-to-process
communications between networked hosts.

Layer Four of the OSI Model

The Transport Layer of the OSI model is responsible for delivering messages between
networked hosts. The Transport Layer should be responsible for fragmentation and
reassembly.

Layer Three of the OSI Model

The Network Layer of the OSI model is responsible for establishing paths for data
transfer through the network. Routers operate at the Network Layer.

Layer Two of the OSI Model

The Data Link Layer of the OSI model is responsible for communications between
adjacent network nodes. Hubs and switches operate at the Data Link Layer.

Layer One of the OSI Model

The Physical Layer of the OSI model is responsible for bit-level transmission between
network nodes. The Physical Layer defines items such as: connector types, cable types,
voltages, and pin-outs.

The OSI Model vs. The Real World

The biggest difficulty with the OSI model is that it does not map well to the real
world!

The OSI model was created after many of today's protocols were already in production
use. These existing protocols, such as TCP/IP, were designed and built around the needs
of real users with real problems to solve. The OSI model was created by academicians
for academic purposes.

The OSI model is a very poor standard, but it's the only well-recognized standard we
have which describes networked applications.

The easiest way to deal with the OSI model is to map the real-world protocols to the
model, as well as they can be mapped.

Layer  Name          Common Protocols
7      Application   SSH, telnet, FTP
6      Presentation  HTTP, SMTP, SNMP
5      Session       RPC, Named Pipes, NETBIOS
4      Transport     TCP, UDP
3      Network       IP
2      Data Link     Ethernet
1      Physical      Cat-5

The difficulty with this approach is that there is no general agreement as to which layer of
the OSI model to map any specific protocol. You could argue forever about what OSI
model layer SSH maps to.
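To make the layering concrete, here is an added example (written for this edit, not part of the original tutorial) that builds a constructed Ethernet/IPv4/TCP frame and then peels the headers off one layer at a time, labelling each with the layer the table above assigns it (Ethernet at Layer 2, IP at Layer 3, TCP at Layer 4) and leaving the payload as "Layers 5-7", since the upper-layer mapping is the arguable part. The parser verifies the IPv4 header checksum before trusting any Layer 3 field; the MAC addresses, IP addresses and payload are made-up sample values.

```python
import struct

# Constructed sample addresses and payload for the demonstration (not captured traffic).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = bytes([192, 168, 1, 10])
DST_IP = bytes([192, 168, 1, 20])
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"  # upper-layer data carried by TCP

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones'-complement of the ones'-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def checksum_ok(frame: bytes) -> bool:
    """An intact IPv4 header (its own checksum field included) re-sums to zero."""
    ihl = (frame[14] & 0x0F) * 4
    return ipv4_checksum(frame[14:14 + ihl]) == 0

def build_frame() -> bytes:
    """Encapsulate: payload inside TCP (Layer 4), inside IPv4 (Layer 3), inside Ethernet (Layer 2)."""
    # TCP SYN-style header; the TCP checksum is left at 0 to keep the example short.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(PAYLOAD)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, SRC_IP, DST_IP))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))  # computed with the checksum field zeroed
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)  # EtherType 0x0800 = IPv4
    return eth + bytes(ip) + tcp + PAYLOAD

def parse_frame(frame: bytes) -> dict:
    """Peel the layers back off; each header says how to interpret the bytes that follow it."""
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers = {"L2 Data Link (Ethernet)": {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype}}
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    if not checksum_ok(frame):  # verify integrity before trusting any Layer 3 field
        raise ValueError("IPv4 header checksum mismatch")
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    layers["L3 Network (IP)"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])), "proto": proto}
    tcp = ip[ihl:total_len]  # total_len bounds the datagram; anything past it would be Ethernet padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    layers["L4 Transport (TCP)"] = {"sport": sport, "dport": dport, "flags": tcp[13]}
    layers["Layers 5-7 (payload)"] = tcp[(tcp[12] >> 4) * 4:]
    return layers
```

Calling parse_frame(build_frame()) returns the per-layer dictionary; flipping a single byte of the IP header (for instance the TTL) makes checksum_ok return False and the parser refuse the frame.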

A much more accurate model of real-world networking is the TCP/IP model:

TCP/IP Model
Application Layer
Transport Layer
Internet Layer
Network Interface Layer

The most significant downside with the TCP/IP model is that if you reference it, fewer
people will know what you are talking about!

For a better description of why the OSI model should go the way of the dodo, disco, and
DivX, read Kill the Beast: Why the Seven-Layer Model Must Die
