Network+ Guide to Networks, Chapter 10 Review
Virtual Networks and Remote Access
Virtualization
Virtualization is the emulation of a computer, operating system
environment, or application on a physical system. It’s a broad term that
encompasses many possibilities. In the following sections, you will learn about
a type of virtualization that allows you to, for example, create a logically
defined Linux client on your Windows 7 workstation or a virtual Windows Server
2008 R2 server on your UNIX server. In fact, using a virtualization program,
you can create dozens of different VMs (virtual machines), whether virtual
workstations or virtual servers, on one computer. Together, all the VMs on a
single computer share the same CPU, hard disk, memory, and network interfaces.
Yet each VM functions independently, with its own logically defined hardware
resources, operating system, applications, and network interfaces.
A VM can be configured to use not only a different operating
system, but also a different type of CPU, storage drive, or NIC than the
physical computer it resides on. VMs exist as files on the hard disk of the
physical computer. These files contain the operating system, applications,
data, and configurations for the VMs. Meanwhile, to users, a VM appears and
acts no differently from a physical computer running the same software. For
example, suppose you are the network administrator at an ISP and you establish
separate virtual mail servers for five companies on one physical computer. When
an employee at one company checks his e-mail, he has no idea that he is
accessing the same physical computer that an employee at another company uses
to check her e-mail. In this type of virtualization, the physical computer is
known as a host while each VM is known as a guest. The software that allows you
to define VMs and manages resource allocation and sharing among them is known
as a virtual machine manager, or, more commonly, a hypervisor. Figure 10-1 on
page 447 illustrates some of the elements of virtualization.
Virtualization offers several advantages, including the
following:
Efficient use of resources—Physical clients or servers devoted to one function typically use
only a fraction of their capacity. Without virtualization, a company might purchase
six computers to run six different services—for example, mail server, DNS server,
DHCP server, file server, remote access server, and database server. Each service
might demand no more than 15% of its computer’s processing power and memory.
Using virtualization, however, a single, powerful computer can support all six
services.
Cost and energy savings—Organizations
save money by purchasing fewer physical machines. They also save electricity
because there are fewer computers drawing power and less demand for air
conditioning in the computer room. Some institutions with thousands of users,
such as Stanford University, are using virtualization as a way to conserve
energy and are promoting it as part of campuswide sustainability efforts.
Fault and threat isolation—In a virtual environment, the isolation of each guest system
means that a problem with one guest does not affect the others. For example, an
instructor might create multiple instances of an operating system and
applications on a single computer that’s shared by several classes. That allows
each student to work on his own instance of the operating system environment.
Any configuration errors or changes he makes on his guest machine will not
affect other students.
In another example,
a network administrator who wants to try a beta version of an application might
install that application on a guest machine rather than his host, in case the
untested software causes problems. Furthermore, because a VM is granted limited
access to hardware resources, security attacks on a guest may have little
effect on a host or the physical network to which it’s connected.
Simple backups, recovery, and replication—Virtualization software enables network administrators to save
snapshots, or images, of a guest machine. The images can later be used to
re-create that machine on another host or on the same host. This feature allows
for simple backups and quick recovery. It also makes it easy to create
multiple, identical copies of one VM. Some virtualization programs even allow
you to save snapshot files of VMs that can be imported into a competitor’s
virtualization program.
Not every type of client or server is a good candidate for
virtualization, however. Potential disadvantages to creating multiple guests on
a single host machine include the following:
Compromised performance—When
multiple virtual machines contend for finite physical resources, one virtual
machine could monopolize those resources and impair the performance of other
virtual machines on the same computer. In theory, careful management and
resource allocation should prevent this. In practice, however, it is unwise to
force a critical application—for example, a factory’s real-time control systems
or a hospital’s emergency medical systems—to share resources and take that risk.
Imagine a brewery that uses computers to measure and control tank levels, pressure,
flow, and temperature of liquid ingredients during processing. These functions
are vital for product quality and safety. In this example, where specialty software
demands real-time, error-free performance, it makes sense to devote all of a computer’s
resources to this set of functions, rather than share that computer with the brewery’s
human resources database server, for example. In addition to multiple guest systems
vying for limited physical resources, the hypervisor also requires some overhead.
Increased complexity—Although
virtualization reduces the number of physical machines to manage, it increases
complexity and administrative burden in other ways. For instance, a network
administrator who uses virtual servers and switches must thoroughly understand
virtualization software. In addition, managing addressing and switching for
multiple VMs is more complex than doing so for physical machines. (You will
learn more about these techniques later in this chapter.) Finally, because VMs
are so easy to set up, they may be created capriciously or as part of
experimentation, and then forgotten. As a result, extra VMs may litter a
server’s hard disk, consume resources, and unnecessarily complicate network
management. By contrast, abandoned physical servers might only take up rack
space.
Increased licensing costs—Because every instance of commercial software requires its own
license, every VM that uses such software comes with added cost. In some cases,
the added cost brings little return. For example, an instructor might want to
create four instances of Windows 7 on a single computer to supply four students
with their own operating system environment. To comply with Microsoft’s
licensing restrictions, the instructor will have to purchase four copies of
Windows 7. Depending on the instructor’s intentions, it might make more sense,
instead, to share one copy of Windows 7 and separate each student’s files and
settings by using four different logon IDs.
Single point of failure—If
a host machine fails, all its guest machines will fail, too. For example, an
organization that creates VMs for its mail server, DNS server, DHCP server,
file server, remote access server, and database server on a single physical
computer would lose all of those services if the computer went down. Wise
network administrators implement measures such as clustering and automatic
failover to prevent that from happening. You’ll learn more about these techniques
in Chapter 14.
Most of the potential disadvantages in this list can be
mitigated through thoughtful network design and virtualization control. You can
choose from several virtualization programs to create and manage VMs. VMware is
the most widely implemented virtualization software today. The company provides
several different products, some designed for managing virtual workstations on
a single host and others capable of managing hundreds of virtual servers across
a WAN. Competing virtualization products include Microsoft’s Hyper-V, KVM
(Kernel-based Virtual Machine), Oracle’s VirtualBox, and Citrix’s Xen. All
provide similar functionality, but differ in features, interfaces, and ease of
use. In this chapter, you will see sample screen shots from some of these
virtualization programs and get a sense for how they function. In the Hands-On
Projects at the end of this chapter, you will have the chance to install a
popular virtualization program and create and network VMs.
Virtual Network Components
It is possible to create a virtual network that consists solely
of virtual machines on a physical server. More practical and common, however,
are networks that combine physical and virtual elements. Earlier you were
introduced to VMs. In this section, you will learn how VMs connect to each
other and to a physical network.
Virtual Machines and Adapters
A VM’s software and hardware characteristics are assigned when it
is created in the virtualization program. As you have learned, these
characteristics can differ completely from those of the host machine. Popular
virtualization programs offer step-by-step wizards that make creating VMs easy.
One of the first steps is choosing an image of the guest’s operating system. Operating
system images are available for download online or can be obtained on a disc
from software vendors. For example, if you are running a virtualization program
on your Windows 7 workstation, you might choose to install a guest machine
based on an Ubuntu Linux image you download from Ubuntu’s Web site. After
choosing the guest operating system, you can customize characteristics of the
VM, including memory and hard disk size, processor type, and NIC type, to name
a few. Figure 10-2 on page 450 shows a screen from the VMware VM creation wizard
that allows you to specify the amount of memory allocated to a VM. To connect
to a network, a virtual machine requires a virtual adapter, or vNIC (virtual
network interface card). Just like a physical NIC, a vNIC operates at the Data
Link layer and provides the computer with network access. Each VM can have
several vNICs, no matter how many NICs the host machine has. The maximum number
of vNICs on a VM depends on the limits imposed by the virtualization program.
For example, VirtualBox allows up to eight vNICs per virtual machine. Figure
10-3 on page 451 shows a dialog box from the VMware wizard that allows you to
customize properties of a virtual workstation’s vNIC. One of many options you
can configure for each NIC is its inbound and outbound transmission speeds. For
example, you could select transmission speeds that simulate a T1 or broadband
cable connection. Upon creation, each vNIC is automatically assigned a MAC
address. Also, by default, every virtual machine’s vNIC is connected to a port
on a virtual switch, as described next.
Virtual Switches and Bridges
As soon as the first virtual machine’s vNIC is selected, the
hypervisor creates a connection between that VM and the host. Depending on the
virtualization software, this connection might be called a bridge or a switch.
(Recall that every port on a physical switch can be considered a bridge; thus,
a switch is essentially a collection of bridges.) A virtual switch is a logically
defined device that operates at the Data Link layer to pass frames between
nodes. Virtual bridges, or ports on a virtual switch, connect vNICs with a
network, whether virtual or physical. Thus, a virtual switch or bridge allows
VMs to communicate with each other and with nodes on a physical LAN or WAN.
When virtual switches or bridges are used to connect vNICs with physical NICs
for physical network access, the physical NIC can be considered an uplink. Just
like an uplink connection between two physical switches, the physical NIC
connects a group of switched nodes to another network segment. Virtual switches
or bridges reside in the RAM of the physical computers that act as their hosts,
while their configuration resides in a separate file on the host’s hard disk.
One host can support multiple virtual switches. The hypervisor controls the
virtual switches and their ports, or bridges. Figure 10-4 on page 452 illustrates
a host machine with two physical NICs that supports several virtual machines
and their vNICs. A virtual switch connects the vNICs to the network. Recall from
Chapter 6 that physical switches exchange traffic through routers. The same holds
true for virtual switches. Suppose you created two virtual switches, switch A
and switch B, on one host machine. Traffic between VMs on switch A and VMs on
switch B could not pass directly between switches A and B. Instead, the virtual
switches would have to exchange data through a router, whether virtual or
physical, as shown in Figure 10-5 on page 453. In fact, the router could simply
be another virtual machine on the host configured to forward packets.
Naturally, virtual switches on different host machines also have to communicate
through routers. Virtual switches offer many possibilities for customizing and
managing network traffic, as you will discover later in this chapter. First,
however, it’s necessary to understand the different ways in which virtual
interfaces can appear on and communicate with a network.
Network Connection Types
Earlier you learned that when creating a virtual interface on a
VM, you choose its characteristics, such as speed. In addition, you are asked
to identify what type of network connection, or networking mode, the vNIC will
use. In the VMware or VirtualBox virtualization programs, you make this choice
when you create or reconfigure a vNIC. In Hyper-V, you make the choice through
the Virtual Network Manager. The most frequently used network connection types
include bridged, NAT, and host-only, as described next.
Bridged - In bridged mode, a vNIC accesses a physical network using the
host machine’s NIC, as shown in Figure 10-6 on page 454. In other words, the
virtual interface and the physical interface are bridged. If your host machine
contains multiple physical adapters—for example, a wireless NIC and a wired
NIC—you can choose which physical adapter to use as the bridge when you
configure the virtual adapter. Although a bridged vNIC communicates through the
host’s adapter, it obtains its own IP address, default gateway, and netmask
from a DHCP server on the physical LAN. For example, suppose your DHCP server
is configured to assign addresses in the range of 192.168.1.128 through
192.168.1.253 to nodes on your LAN. The router might assign your host machine’s
physical NIC an IP address of 192.168.1.131. A guest on your host might obtain
an IP address of 192.168.1.132. A second guest on that host might obtain an
IP address of 192.168.1.133, and so on. When connected using
bridged mode, a VM appears to other nodes as just another client or server on
the network. Other nodes communicate directly with the machine without realizing
it is virtual.
In VMware and VirtualBox, you can choose the bridged connection
type when you create or configure the virtual adapter. In KVM, you create a
bridge between the VM and your physical NIC when you modify the vNIC’s
settings. In Hyper-V, you create a bridged connection type by assigning VMs to
an external network switch. Figure 10-7 on page 454 shows the Hardware dialog
box that appears while creating a virtual machine in VMware with the Bridged
networking connection type selected. VMs that must be available at a specific
address, such as mail servers or Web servers, should be assigned bridged
network connections. VMs that other nodes do not need to access directly can be
configured to use the NAT networking mode.
NAT - In the NAT networking mode, a vNIC relies on
the host machine to act as a NAT device. In other words, the VM obtains IP
addressing information from its host, rather than a server or router on the
physical network. To accomplish this, the virtualization software acts as a
DHCP server. A vNIC operating in NAT mode can still communicate with other nodes
on the network and vice versa. However, other nodes communicate with the host machine’s
IP address to reach the VM; the VM itself is invisible to other nodes. Figure
10-8 on page 455 illustrates a VM operating in NAT mode. NAT is the default
network connection type selected when you create a VM in VMware, VirtualBox, or
KVM. In Hyper-V, the NAT connection type is created by assigning VMs to an
internal network. Figure 10-9 on page 456 shows the networking modes dialog box
in VirtualBox, with the NAT option selected. Once you have selected the NAT
configuration type, you can configure the pool of IP addresses available to the
VMs on a host. For example, suppose, as shown in Figure 10-8, your host machine
has an IP address of 192.168.1.131. You might configure your host’s DHCP
service to assign IP addresses in the range of 10.1.1.128 through 10.1.1.253 to
the VMs you create on that host. Because these addresses will never be evident
beyond the host, you have flexibility in choosing their IP address range. The
NAT network connection type is appropriate for VMs that do not need to be
accessed at a known address by other network nodes. For example, virtual workstations
that are mainly used to check e-mail, share files, or surf the Web are good
candidates for NAT network connections.
Host-Only - In host-only networking mode, VMs on one
host can exchange data with each other and with their host, but they cannot
communicate with any nodes beyond the host. In other words, the vNICs never
receive or transmit data via the host machine’s physical NIC. In host-only
mode, as in NAT mode, VMs use the DHCP service in the host’s virtualization
software to obtain IP address assignments. Figure 10-10 on page 456 illustrates
how the host-only option creates an isolated virtual network. Host-only mode is
appropriate for test networks or if you simply need to install a different operating
system on your workstation to use a program that is incompatible with your host’s
operating system. For example, suppose a project requires you to create
diagrams in Microsoft Visio and your workstation runs Red Hat Linux. You could
install a Windows 7 VM solely for the purpose of installing and running Visio. Obviously,
because host-only mode prevents VMs from exchanging data with a physical network,
this choice cannot work for virtual servers that need to be accessed by clients
across a LAN. Nor can it be used for virtual workstations that need to access
LAN or WAN services, such as e-mail or Web pages. Host-only networking is less
commonly used than NAT or bridged mode networking. You can choose host-only
networking when you create or configure a VM in VMware or VirtualBox. In
Hyper-V, the host-only connection type is created by assigning VMs to a private
virtual network. In KVM, host-only is not a predefined option, but must be
assigned to a vNIC via the command-line interface. Virtualization software
gives you the flexibility of creating several different networking types on one
host machine. For example, on one host you could create a host-only, or
private, network to test multiple versions of Linux.
On the same host, you could create a group of
Windows Server 2008 R2 servers that are connected to your physical LAN using
the bridged connection type. Or, rather than specifying one of the four
networking connection types described previously, you could also create a VM
that contains a vNIC but is not connected to any nodes, whether virtual or
physical. Preventing the VM from communicating with other nodes keeps it
completely isolated. This might be desirable when testing unpredictable
software or an image of untrusted origin.
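The three connection types above, as an added example that is not from the textbook or from any virtualization vendor: a small Python model that leases addresses from the DHCP ranges used in the text and then answers whether one node can open a connection to another. The node names, the separate NAT device, and the assumption that the host and its NAT guests can reach each other are all constructed here.

```python
"""Reachability model for bridged, NAT and host-only vNICs (added example)."""
import ipaddress
from collections import deque

# Nodes that relay traffic. The host and the guests are end systems and never forward.
FORWARDERS = {"lan", "vswitch-bridged", "vswitch-nat", "vswitch-hostonly", "nat-device"}


class DhcpPool:
    """Hands out consecutive leases from first..last, like the DHCP servers in the text."""

    def __init__(self, first, last):
        self._next = ipaddress.IPv4Address(first)
        self._last = ipaddress.IPv4Address(last)

    def lease(self):
        if self._next > self._last:
            raise RuntimeError("DHCP pool exhausted")
        addr = self._next
        self._next += 1
        return addr


class VirtualHost:
    """A host whose connection types form a directed graph: a->b means a can reach b."""

    def __init__(self, physical_ip, lan_pool, vm_pool):
        self.physical_ip = ipaddress.IPv4Address(physical_ip)
        self.lan_pool = lan_pool   # DHCP server on the physical LAN (the router)
        self.vm_pool = vm_pool     # DHCP service inside the virtualization software
        self.addr = {"host": self.physical_ip}
        self.mode = {}
        self.edges = {}
        self._link("lan", "host")                 # the host's physical NIC sits on the LAN
        self._link("lan", "vswitch-bridged")      # bridged: the physical NIC is the uplink
        self._link("host", "vswitch-bridged")
        self._link("host", "vswitch-nat")         # assumption: host and NAT guests share a segment
        self._edge("vswitch-nat", "nat-device")   # one way: NAT guests may go out ...
        self._edge("nat-device", "lan")           # ... but LAN nodes cannot come in
        self._link("host", "vswitch-hostonly")    # host-only: never touches the physical NIC

    def _edge(self, a, b):
        self.edges.setdefault(a, set()).add(b)
        self.edges.setdefault(b, set())

    def _link(self, a, b):
        self._edge(a, b)
        self._edge(b, a)

    def add_vm(self, name, mode):
        if mode not in ("bridged", "nat", "host-only"):
            raise ValueError(mode)
        pool = self.lan_pool if mode == "bridged" else self.vm_pool
        self.addr[name] = pool.lease()
        self.mode[name] = mode
        self._link(name, "vswitch-" + mode.replace("-", ""))
        return self.addr[name]

    def can_initiate(self, src, dst):
        """True if src can open a connection to dst; paths only pass through FORWARDERS."""
        seen, queue = {src}, deque([src])
        while queue:
            node = queue.popleft()
            if node != src and node not in FORWARDERS:
                continue  # end systems terminate a path, they never relay
            for nxt in self.edges.get(node, ()):
                if nxt == dst:
                    return True
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def address_seen_from_lan(self, vm):
        """Address a LAN node sees for this VM, or None when the VM is invisible to the LAN."""
        if self.can_initiate("lan", vm):
            return self.addr[vm]       # bridged: just another node on the LAN
        if self.mode[vm] == "nat":
            return self.physical_ip    # NAT: only the host's address is ever visible
        return None                    # host-only: nothing leaves the host


def lan_exposure(host):
    """Guests that a node on the physical LAN can connect to directly."""
    return sorted(vm for vm in host.mode if host.can_initiate("lan", vm))


def demo():
    # Constructed scenario: the router has already leased .128-.131 (the host holds .131).
    host = VirtualHost("192.168.1.131",
                       DhcpPool("192.168.1.132", "192.168.1.253"),
                       DhcpPool("10.1.1.128", "10.1.1.253"))
    host.add_vm("mail-srv", "bridged")
    host.add_vm("web-client", "nat")
    host.add_vm("linux-test", "host-only")
    return host
```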
Virtual Appliances
Imagine you’re a busy network administrator,
and your company’s IT director has asked you to provide a complete e-mail and
collaboration solution for everyone connected to the WAN. Traditionally,
someone in your situation would research and obtain trial versions of the leading
software, install the software on test machines, and evaluate each program over
a period of weeks. You might struggle to get your hardware and operating system
to work correctly with the software. Or you might wonder whether certain
problems with the new software are related to the way you configured it.
However, virtualization offers an alternative. Instead of installing the
program on a test server, you could install a virtual appliance, or an image
that includes the appropriate operating system, software, hardware
specifications, and application configuration necessary for the package to run
properly. Virtual appliances may be virtual workstations, but more commonly
they are virtual servers. Each virtual appliance varies in its features and
complexity. Popular functions include firewall and other security measures,
network management, e-mail solutions, and remote access. Other virtual
appliances are customized instances of operating systems designed to suit the
needs of particular users. Now that you are familiar with the elements that
make up a virtual network, you are ready to learn techniques for managing them
as part of an enterprise-wide network.
Virtual Networks and VLANs
Ask a networking professional about his virtual network and
he’ll probably wonder exactly what you’re talking about. The term could be
shorthand for a VLAN defined on a physical switch or a VPN (discussed later in
this chapter), or it could simply refer to any network that connects virtual
machines. For example, in its Hyper-V offering, Microsoft refers to network
connection types as virtual networks. In this section, virtual network is used
generally to refer to ways in which virtual machines can be connected with
other virtual and physical network nodes. Virtual networks resemble physical
networks in many aspects. The same concerns regarding addressing, performance,
security, and fault tolerance apply. In some cases—for example, when it comes
to backups, troubleshooting, and software updates—virtual network management is
nearly identical to physical network management. In other cases, management differs
only slightly. For example, in the previous section, you learned that a DHCP server
is part of virtualization software. Running on a host, it dynamically assigns
IP addresses for virtual machines in NAT and host-only modes just as a DHCP
server on a physical network assigns addresses for its physical clients.
However, despite all the similarities between physical and virtual networks, an
important difference arises when managing virtual machines in VLANs. Recall
from Chapter 6 that VLANs are subnets, or broadcast domains, logically defined
on a physical switch. VLANs allow network administrators to separate network
traffic for better performance, customized address management, and security. On
a network that uses virtual machines, VLANs will typically include those VMs. You
also know that to create a VLAN you modify a physical switch’s configuration. However,
to add VMs to a VLAN defined on a physical network, you modify a virtual switch’s
configuration. In other words, VMs are not added to a preexisting VLAN on the physical
switch that manages that VLAN. The following example describes a common way of
incorporating VMs in VLANs.
Because virtualization programs vary, the steps required and the
nomenclature used will differ depending on what program you use. However, the concepts
are the same. Suppose you work at a small company whose network consists of
four VLANs defined on its primary backbone switch. The VLANs subdivide traffic
by group as follows: Management, Research, Test, and Public. On the network,
they are defined as VLAN 120, VLAN 121, VLAN 122, and VLAN 123, respectively.
To consolidate resources, your company is migrating its five physical file
servers to virtual file servers on a single host using a VMware program called
vSphere. The hypervisor portion of vSphere and the interface that allows you to
manage virtual machines and the virtual networks they belong to is called
VMware ESXi Server. As you create the five virtual servers on your new host server,
you configure each of their vNICs to operate in bridged mode. Furthermore, you
decide to assign each virtual server a static IP address. After creation, the
five virtual servers are connected to the same virtual switch. By default, each
vNIC is assigned a single port, or bridge, on the virtual switch. (If you
create multiple vNICs for your servers, each vNIC would connect to a separate
port.) Because the vNICs operate in bridged mode, the virtual servers can
access the physical network through the host’s physical interface. Likewise,
nodes on the physical network can access the virtual servers through the host’s
physical interface. Next, you install applications on your virtual servers and
customize software and NOS parameters. Finally, you are ready to add the
servers to the appropriate VLANs. In this example, suppose all five servers
belong to the Management, Research, and Test VLANs, and only one of them
belongs to the Public VLAN. In VMware, vNICs can be assigned to port groups.
Grouping ports allows you to apply certain characteristics to multiple vNICs
easily and quickly. Notably, all the vNICs in a port group can be assigned to
one VLAN with a single command. For example, the vNICs for all five file
servers will be assigned to port groups 120, 121, and 122. The vNIC for one
file server will also be assigned to port group 123. Next, you associate each
of the port groups with a VLAN. For example, you would associate port group 120
with VLAN 120, port group 121 with VLAN 121, and so on. Notice that multiple
vNICs can be assigned to a single port group. Also, a single vNIC can be assigned
to multiple port groups. (Depending on your network management strategy,
however, you might find it simpler to create multiple vNICs so that each vNIC
is associated with a different port group, or VLAN.) In other virtualization
programs, vNICs are assigned to VLANs by associating them directly with a VLAN
number or with a bridge that is, in turn, associated with a VLAN. Recall from
Chapter 6 that a single physical interface can carry the traffic of multiple
VLANs through trunking. Therefore, the host’s physical NIC must be configured
to operate in trunking mode for VLAN information to pass through. In other
words, it must be capable of carrying the traffic of multiple VLANs.
Virtualization software refers to the physical NIC, acting as an interface for
VLANs, as a trunk.
Now that you have created virtual servers connected to a virtual
switch, created port groups on the switch and assigned vNICs to those port
groups, associated those port groups with VLANs, and ensured that your host’s
physical NIC is configured to act as a trunk, all traffic tagged for VLAN 120
will be transmitted to all five file servers, for example, and all traffic tagged
for VLAN 123 will only be seen by one file server. Figure 10-11 on page 459
illustrates this example of multiple virtual servers connected to multiple VLANs.
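The port-group example above, worked through in code as an added example that is not from the textbook or from VMware: a virtual switch with port groups 120 to 123, five file servers whose vNICs belong to the first three groups and one that also belongs to the Public group, fed by frames arriving on the trunked physical NIC. The tag format is assumed to be 802.1Q (TPID 0x8100); the server names, MAC addresses and frames are constructed here, and untagged frames are simply dropped rather than mapped to a native VLAN.

```python
"""802.1Q delivery from a trunked physical NIC to port groups (added example)."""
import struct

TPID_8021Q = 0x8100


def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_id, ethertype, payload); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF  # VLAN ID is the low 12 bits; PCP and DEI occupy the top 4
    return dst, src, vid, inner_type, frame[18:]


def build_tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Build a frame as the trunk would carry it (used here to construct test input)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


class VirtualSwitch:
    """Virtual switch whose uplink is the host's physical NIC in trunking mode."""

    def __init__(self, trunk_vlans):
        self.trunk_vlans = set(trunk_vlans)  # VLANs the physical NIC is configured to trunk
        self.port_group_vlan = {}            # port group -> VLAN number
        self.members = {}                    # port group -> set of vNIC names
        self.mac = {}                        # vNIC name -> MAC address (bytes)

    def create_port_group(self, name, vlan_id):
        self.port_group_vlan[name] = vlan_id
        self.members[name] = set()

    def register_vnic(self, name, mac):
        self.mac[name] = mac

    def assign(self, vnic, port_group):
        """A vNIC may belong to several port groups, as the text describes."""
        self.members[port_group].add(vnic)

    def receivers(self, vlan_id):
        """All vNICs whose port group is associated with vlan_id."""
        return {v for pg, vid in self.port_group_vlan.items()
                if vid == vlan_id for v in self.members[pg]}

    def deliver_from_trunk(self, frame):
        """Deliver a frame arriving on the trunk; returns (vNICs reached, reason)."""
        dst, _src, vid, _ethertype, _payload = parse_frame(frame)
        if vid is None:
            return set(), "untagged frame on trunk"
        if vid not in self.trunk_vlans:
            return set(), f"VLAN {vid} not allowed on trunk"
        targets = self.receivers(vid)
        if not targets:
            return set(), f"no port group for VLAN {vid}"
        if dst[0] & 1 == 0:  # unicast destination (I/G bit clear)
            known = {v for v in targets if self.mac[v] == dst}
            if known:
                return known, "delivered"
            # Unknown unicast is flooded within the VLAN, never across VLANs.
        return targets, "delivered"


def build_example():
    """The scenario from the text: four VLANs, five file servers, one on the Public VLAN."""
    sw = VirtualSwitch(trunk_vlans=[120, 121, 122, 123])
    for pg, vlan in (("pg120", 120), ("pg121", 121), ("pg122", 122), ("pg123", 123)):
        sw.create_port_group(pg, vlan)
    for i in range(1, 6):
        name = f"fs{i}"
        sw.register_vnic(name, bytes([0x00, 0x0C, 0x29, 0x00, 0x00, i]))  # constructed MACs
        for pg in ("pg120", "pg121", "pg122"):
            sw.assign(name, pg)
    sw.assign("fs1", "pg123")  # only one file server belongs to the Public VLAN
    return sw
```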
The virtual network for a company that manages multiple virtual file servers
and multiple VLANs would likely be more complicated than the example described
in this section. For instance, as a network administrator you might ensure high
performance by using two physical NICs on the host and associating a virtual
server’s vNIC with both. You might instruct the virtualization software to
balance loads between multiple vNICs on a busy server. You might create
multiple virtual switches on the host to further separate traffic. You might
even create duplicates of your virtual servers on a second physical host to
ensure availability. For now, however, it is enough to understand the essential
concepts of using VLANs in a combined virtual and physical network.
Remote Access and Virtual Computing
In Chapter 7, you
learned about connecting nodes over long distances to form WANs. Most of the
connectivity examples in that chapter assumed that the WAN locations had
continuous, dedicated access to the network. For example, when a user in
Phoenix wants to open a document on a server in Dallas, she needs only to find
the Dallas server on her network, open a directory on the Dallas server, and
then open the file. The server is available to her at any time because the
Phoenix and Dallas offices are always connected and sharing resources over the
WAN. However, this is not the only way to share resources over a WAN. For
remote users, such as employees on the road, distance learning students,
telecommuters, military personnel overseas, or staff in small, branch offices,
intermittent access with a choice of connectivity methods is often more
appropriate. As a remote user, you can connect to a network via remote access,
a service that allows a client to connect with and log on to a LAN or WAN in a
different geographical location. After connecting, a remote client can access
files, applications, and other shared resources, such as printers, like any
other client on the LAN or WAN. To communicate via remote access, the client
and host need a transmission path plus the appropriate software to complete the
connection and exchange data. Many remote access methods exist, and they vary
according to the type of transmission technology, clients, hosts, and software
they can or must use. Popular remote access techniques, including dial-up
networking, Microsoft’s RAS (Remote Access Service) or RRAS (Routing and Remote
Access Service), and VPNs (virtual private networks), are described in the
following sections. You will also learn about common remote access protocols.
Dial-Up Networking
In Chapter 7, you
learned about the PSTN and ways in which it connects users to networks, including
dial-up. Dial-up networking refers to dialing directly into a private network’s
or ISP’s remote access server to log on to a network. Dial-up clients can use
PSTN, X.25, or ISDN transmission methods. However, the term dial-up networking usually
refers to a connection between computers using the PSTN—that is, regular
telephone lines. To accept client connections, the remote access server is
attached to a group of modems, all of which are associated with one phone
number. The client must run dial-up software (normally available with the
operating system) to initiate the connection. At the same time, the remote
access server runs specialized software to accept and interpret the incoming
signals. When it receives a request for connection, the remote access server
software presents the remote user with a prompt for his credentials—typically,
his username and password. The server compares his credentials with those in
its database, in a process known as authentication. If the credentials match, the
user is allowed to log on to the network. Thereafter, the remote user can
perform the same functions he could perform while working at a client computer
in the office. With the proper server hardware and software, a remote access
server can offer multiple users simultaneous remote access to the LAN. Though
far less popular than it was in the 1990s, some Internet subscribers still use
dial-up networking to connect to their ISP. In the Hands-On Projects at the end
of this chapter, you will have the opportunity to configure a dial-up
networking connection. Dial-up networking technology is proven reliable and its
software comes with virtually every operating system. Within the United States,
the dial-up configuration for one location differs little from the dial-up
configuration in another location. However, a dial-up connection via the PSTN
comes with significant disadvantages, with the worst being its low throughput. Currently,
manufacturers of PSTN modems advertise a connection speed of 56 Kbps. But the 56-Kbps
maximum is only a theoretical threshold that assumes a pristine connection
between the initiator and the receiver. Splitters, fax machines, or other
devices that a signal must navigate between the sender and receiver all reduce
the actual throughput.
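The following worked example (added here; it is not part of the textbook chapter) shows the credential check described above done the way PPP remote access servers do it with CHAP (Challenge Handshake Authentication Protocol, RFC 1994), which the chapter does not name: instead of comparing a password that was sent over the line, the server issues a random challenge and checks an MD5 response, so a tap on the phone line sees neither the secret nor a response that can be replayed. The user database, the sample credential, and the attacker's word list are constructed for the example. The example also shows the two caveats a practitioner cares about: a captured challenge/response pair can still be attacked offline with guessed passwords, and the server must hold the secret in recoverable form.

```python
import hashlib
import hmac
import os

# Constructed sample user database (not from the chapter). CHAP requires the
# server to hold each secret in recoverable form, so it cannot store only a
# salted hash the way an ordinary login database would.
USER_DB = {"salesrep": "Fr1day-quota!"}


def chap_response(identifier, secret, challenge):
    """Client side: Response = MD5(Identifier || secret || Challenge), RFC 1994 4.1."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_challenge(length=16):
    """Server side: a fresh unpredictable challenge, so an old response cannot be replayed."""
    return os.urandom(length)


def chap_verify(username, identifier, challenge, response):
    """Server side: recompute the expected response and compare in constant time."""
    secret = USER_DB.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_verify(username, password):
    """PAP, for contrast: the password itself crosses the link in the clear."""
    secret = USER_DB.get(username)
    return secret is not None and hmac.compare_digest(secret.encode(), password.encode())


def dictionary_attack(identifier, challenge, response, wordlist):
    """Attacker side: with a captured challenge and response, every guess can be
    tested offline at MD5 speed. Returns the recovered secret or None."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def chap_exchange(username, client_secret, identifier=1, challenge=None):
    """Run one full exchange; returns (authenticated, challenge, response)."""
    challenge = challenge or chap_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(username, identifier, challenge, response), challenge, response


if __name__ == "__main__":
    ok, chal, resp = chap_exchange("salesrep", "Fr1day-quota!")
    print("CHAP accepted:", ok)
    print("CHAP rejects wrong secret:", not chap_exchange("salesrep", "guess")[0])
    print("Replay against a new challenge rejected:",
          not chap_verify("salesrep", 1, chap_challenge(), resp))
    print("Offline guess from captured exchange:",
          dictionary_attack(1, chal, resp, ["password", "Fr1day-quota!", "letmein"]))
```

The replay check is what a random challenge buys: the same response is useless against the next logon. The dictionary attack is what it does not buy, which is why weak dial-in passwords remained a problem even after PAP was retired.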
The number of switching
facilities and modems through which your phone call travels also affects
throughput. Each time the signal passes through a switch or is converted from
analog to digital or digital to analog, it loses a little throughput. If you’re
surfing the Web, for example, by the time a Web page returns to you, the
connection may have lost from 5 to 30 Kbps, and your effective throughput might
have been reduced to 30 Kbps or less. In addition, the FCC (Federal
Communications Commission), the regulatory agency that sets standards and
policy for telecommunications transmission and equipment in the United States,
limits the use of
PSTN lines to 53
Kbps to reduce the effects of cross talk. Thus, you will never actually achieve
full 56-Kbps throughput using a dial-up connection over the PSTN. Nor can
traditional dial-up networking provide the quality required by many network applications.
The quality of a WAN connection is largely determined by how many data packets
it loses or that become corrupt during transmission, how quickly it can
transmit and receive data, and whether it drops the connection altogether.
Dial-up networking compares unfavorably with other WAN connection methods on
all counts. To compensate for its relatively poor quality, most protocols
employ error-checking techniques. For example, TCP depends on acknowledgments
of the data it receives and retransmits anything that is not acknowledged. In addition, newer PSTN links are digital
and digital lines are more reliable than the older analog lines. Such digital
lines reduce the quality problems that once plagued purely analog PSTN
connections. From a network administrator’s point of view, dial-up networking
also requires a significant amount of maintenance to make sure clients can
always connect to a pool of modems. One way to limit the maintenance burden is
for an organization to contract with an ISP to supply remote access services.
In this arrangement, clients dial into the ISP’s remote access server, and then
the ISP connects the incoming clients with the organization’s network.
The dial-up
networking software that Microsoft provided with its Windows 95, 98, NT, and
2000 client
operating systems is called RAS (Remote Access Service). RAS requires software installed
on both the client and server, a server configured to accept incoming clients,
and a client with sufficient privileges (including username and password) on
the server to access its resources. In the Windows 2000 Server, XP, Vista,
Server 2003, Server 2008, and Server 2008 R2 operating systems, RAS is part of
a more comprehensive remote access package called the RRAS (Routing and Remote
Access Service). RRAS is described in the following section.
Remote Access Servers
The preceding
section described dial-up networking, a type of remote access method defined by
its direct, PSTN-based connection method. However, users who previously
depended on dial-up connections are increasingly adopting broadband
connections, such as DSL and cable. This section and following sections
describe services that can accept remote access connections from a client, no
matter what type of Internet access it uses. As you have learned, remote access
allows a client that is not directly attached to a LAN or WAN to connect and
log on to that network. A remote client attempting to connect to a LAN or WAN
requires a server to accept its connection and grant it privileges to the
network’s resources. Many types of remote access servers exist. Some are
devices dedicated to this task, such as Cisco’s AS5800 access servers. These
devices run software that, in conjunction with their operating system, performs
authentication for clients and communicates via dial-up networking protocols.
Other types of remote access servers are computers running special software that
enables them to accept incoming client connections and grant clients access to
resources. RRAS (Routing and Remote Access Service) is Microsoft’s remote
access software, available with the Windows Server 2003, Server 2008, and
Server 2008 R2 network operating systems and the Windows XP, Vista, and 7 desktop
operating systems. RRAS enables a computer to accept multiple remote client
connections over any type of transmission path. It also enables the server to
act as a router, determining where to direct incoming packets across the network.
Further, RRAS
incorporates multiple security provisions to ensure that data cannot be
intercepted and interpreted by anyone other than the intended recipient and to
ensure that only authorized clients can connect to the remote access server. Figure
10-12 on page 462 illustrates how clients connect with a remote access server
to log on to a LAN. Remote access servers depend on several types of protocols
to communicate with clients, as described in the following section.
Remote Access Protocols
To exchange data,
remote access servers and clients require special protocols. SLIP (Serial Line
Internet Protocol) and PPP (Point-to-Point Protocol) are two protocols that enable
a workstation to connect to another computer using a serial connection (in the
case of dial-up networking, serial connection refers to a modem). Both are Data
Link layer protocols: they are needed to carry Network layer traffic over a serial
link, which by itself delivers only a stream of bits. Both SLIP and PPP encapsulate
higher-layer protocols, such as IP and the TCP segments it carries, in their
lower-layer frames. SLIP is an earlier and less sophisticated protocol than PPP.
For example, SLIP can carry only IP packets, whereas PPP can carry many different
types of Network layer packets. Because of its primitive nature, SLIP requires
significantly more setup than PPP. When using SLIP, you typically must specify the
IP addresses for both your client and your server in your dial-up networking
profile. PPP, on the other hand, can negotiate this information as it connects to
the server. PPP frames also carry a frame check sequence, so corrupted frames are
detected and discarded, and PPP can negotiate data compression; SLIP does neither.
In addition, SLIP has no authentication or encryption mechanism of its own, whereas
PPP supports link authentication (PAP and CHAP, for example) and can negotiate
encryption, which makes SLIP the less secure choice. For all these reasons, PPP is
the preferred communications protocol for remote access communications. Another
difference between SLIP and PPP is that SLIP supports only asynchronous data
transmission, whereas PPP supports both asynchronous and synchronous transmission.
As you learned earlier, in synchronous transmission, data must conform to a timing
scheme, whereas asynchronous transmission may stop and start sporadically. In fact,
asynchronous transmission was designed for communication that happens at random
intervals, such as sending the keystrokes of a person typing on a remote keyboard.
Thus, it is well suited for use on modem connections. When PPP frames are carried
inside Ethernet frames (no matter what the underlying connection type), the
combination is known as PPPoE (PPP over Ethernet). PPPoE is the common way to
connect home computers to an ISP over DSL; most cable ISPs instead assign addresses
directly with DHCP, so PPPoE is rarely needed there. When you sign up for a DSL
service that uses PPPoE, the ISP supplies the account credentials and often
connection software, or a modem, already configured to use PPPoE. Figure 10-13 on
page 464 illustrates how the protocols discussed in this section and commonly
used to establish a broadband Internet connection fit in the OSI model. (The
Application layer protocol RDP, discussed in the following section, is only
used when remotely controlling computers. Several different Application layer
protocols, including HTTP or FTP, could be substituted for RDP in Figure
10-13.)
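To make the encapsulation concrete, the following example (added here; it is not part of the chapter) builds and parses PPP frames as they travel over an asynchronous serial link (RFC 1661 and RFC 1662): the flag bytes that delimit a frame, the byte stuffing that keeps control characters out of the data stream, and the 16-bit FCS that lets the receiver detect and discard a corrupted frame, which is the error detection referred to above. It then wraps the same PPP packet in a PPPoE session header (RFC 2516) to show how much of that framing disappears when Ethernet supplies its own. The sample IP header, session ID, and MAC addresses are constructed values.

```python
import struct

PPP_FLAG, PPP_ESC, PPP_ADDR, PPP_CTRL = 0x7E, 0x7D, 0xFF, 0x03
PPP_PROTO_IPV4 = 0x0021            # PPP protocol number for an IPv4 datagram
PPP_INIT_FCS16, PPP_GOOD_FCS16 = 0xFFFF, 0xF0B8
ETHERTYPE_PPPOE_SESSION = 0x8864   # PPPoE session stage (0x8863 is discovery)


def _fcs_table(poly=0x8408):
    """Reflected CRC-16 (X.25/HDLC) lookup table, as in RFC 1662 appendix C."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


FCS_TABLE = _fcs_table()


def ppp_fcs16(data, fcs=PPP_INIT_FCS16):
    """Running FCS over data; a good frame including its FCS yields PPP_GOOD_FCS16."""
    for byte in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def ppp_encapsulate(protocol, payload, accm=frozenset(range(0x20))):
    """Wrap a Network layer packet in an HDLC-framed PPP frame with FCS.
    accm: control characters to escape; the default map escapes all of 0x00-0x1F."""
    body = bytes([PPP_ADDR, PPP_CTRL]) + struct.pack("!H", protocol) + payload
    fcs = ppp_fcs16(body) ^ 0xFFFF
    body += struct.pack("<H", fcs)             # FCS is sent least-significant byte first
    frame = bytearray([PPP_FLAG])
    for byte in body:
        if byte in (PPP_FLAG, PPP_ESC) or byte in accm:
            frame += bytes([PPP_ESC, byte ^ 0x20])  # byte stuffing
        else:
            frame.append(byte)
    frame.append(PPP_FLAG)
    return bytes(frame)


def ppp_decapsulate(frame):
    """Undo framing and stuffing, verify the FCS and return (protocol, payload).
    Raises ValueError for a malformed or corrupted frame."""
    if len(frame) < 2 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        raise ValueError("missing flag bytes")
    body, escaped = bytearray(), False
    for byte in frame[1:-1]:
        if escaped:
            body.append(byte ^ 0x20)
            escaped = False
        elif byte == PPP_ESC:
            escaped = True
        else:
            body.append(byte)
    if escaped or len(body) < 6:
        raise ValueError("truncated frame")
    if ppp_fcs16(body) != PPP_GOOD_FCS16:
        raise ValueError("bad FCS: frame corrupted in transit")
    if body[0] != PPP_ADDR or body[1] != PPP_CTRL:
        raise ValueError("bad address/control field")
    (protocol,) = struct.unpack("!H", body[2:4])
    return protocol, bytes(body[4:-2])


def fcs_detects_corruption(frame, index, mask=0x01):
    """Flip bits in one byte of a frame and report whether the receiver rejects it."""
    damaged = bytearray(frame)
    damaged[index] ^= mask
    try:
        ppp_decapsulate(bytes(damaged))
    except ValueError:
        return True
    return False


def pppoe_session_frame(dst_mac, src_mac, session_id, protocol, payload):
    """PPP inside Ethernet (RFC 2516 section 4): no flags, stuffing, address/control
    or FCS, because the Ethernet header and CRC already do that job. PPPoE adds
    version/type 0x11, code 0x00, the session ID and the PPP payload length."""
    ppp_packet = struct.pack("!H", protocol) + payload
    pppoe_hdr = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ppp_packet))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe_hdr + ppp_packet


def parse_pppoe_session_frame(frame):
    """Return (session_id, protocol, payload) or raise ValueError."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00 or length < 2 or len(frame) < 20 + length:
        raise ValueError("bad PPPoE header")
    (protocol,) = struct.unpack("!H", frame[20:22])
    return session_id, protocol, frame[22:20 + length]


if __name__ == "__main__":
    # Constructed sample: the first 20 bytes of an IPv4 header; its 0x00 bytes
    # exercise byte stuffing.
    ip_packet = bytes.fromhex("4500001400010000400600000a000001c0a80001")
    frame = ppp_encapsulate(PPP_PROTO_IPV4, ip_packet)
    print("PPP frame :", frame.hex())
    print("decoded   :", ppp_decapsulate(frame))
    print("bit flip caught by FCS:", fcs_detects_corruption(frame, 2))
    eth = pppoe_session_frame(bytes.fromhex("020000000002"), bytes.fromhex("020000000001"),
                              0x1234, PPP_PROTO_IPV4, ip_packet)
    print("PPPoE     :", parse_pppoe_session_frame(eth))
```

Note what the FCS does and does not do: it catches a line error and makes the receiver drop the frame (TCP then retransmits, as described earlier), but it is a checksum, not a signature, and anyone who can modify bytes on the path can simply recompute it. Integrity against an attacker comes from the authentication and encryption layers, not from the framing.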
Remote Virtual Computing
So far, you have
learned about dial-up networking and remote access servers, which are designed
to allow many clients to log on to a network from afar. Sometimes, however,
it’s necessary for one workstation to remotely access and control another
workstation. For example, suppose a traveling salesperson must submit weekly
sales figures to her home office every Friday afternoon. While out of town, she
discovers a problem with her spreadsheet program, which should automatically
calculate her sales figures (for example, the percentage of a monthly quota
she’s reached for any given product) after she enters the raw data. She calls
the home office, and a support technician attempts to resolve her issue on the
phone. When this doesn’t work, the technician may decide to run a remote
virtual computing program and “take over” the salesperson’s laptop (via a WAN
link) to troubleshoot the spreadsheet problem. Every keystroke and mouse click
the technician enters on his workstation is then issued to the salesperson’s
laptop.
After the problem
is resolved, the technician can disconnect from the salesperson’s laptop.
Remote virtual
computing allows a user on one computer, called the client, to control another
computer, called the host or server, across a network connection. The
connection could be a dedicated WAN link (such as a T1), an Internet
connection, or even a dial-up connection established directly between the
client’s modem and the host’s modem. Also, the host must be configured to allow
access from the client by setting username or computer name and password
credentials. A host may allow clients a variety of privileges, from merely viewing
the screen to running programs and modifying data files on the host’s hard
disk. After connecting, if the remote user has sufficient privileges, she can
send keystrokes and mouse clicks to the host and receive screen output in
return. In other words, to the remote user, it appears as if she is working on
the LAN- or WAN-connected host. Remote virtual computing software is specially
designed to require little bandwidth. A workstation that uses such software to
access a LAN is often called a thin client because very little hard disk space or
processing power is required of the workstation. Advantages to using remote
virtual computing are that it is simple to configure and can run over any type
of connection. This benefits anyone who must use dial-up connections or who must
run processor-intensive applications such as databases. In this scenario, the
data processing occurs on the host without the data having to traverse the
connection to the remote workstation. Another advantage to remote virtual
computing is that a single host can accept simultaneous connections from
multiple clients. For example, a presenter can use this feature to establish a
virtual conference in which several attendees log on to the host and watch the presenter
manipulate the host computer’s screen and keyboard. Many types of remote
virtual computing software exist, and they differ marginally in their capabilities,
security mechanisms, and supported platforms. Three popular programs, discussed
next, are Microsoft Remote Desktop, VNC (Virtual Network Computing), and
Citrix’s ICA (Independent Computing Architecture).
Remote
Desktop
Remote Desktop is the remote virtual computing software that
comes with Windows client and server operating systems. Remote Desktop relies
on RDP (Remote Desktop Protocol), an Application layer protocol that
uses TCP/IP to transmit graphics and text quickly. RDP also carries session,
licensing, and encryption information. RDP clients also exist for other
operating systems, such as Linux, so you can connect from those clients to a Windows
computer running Remote Desktop. Older versions of Windows operating systems, including
Vista, may require additional software for Remote Desktop to work properly. Because
an RDP listener presents a logon prompt to anyone who can reach its TCP port (3389 by
default), it should be reachable only through a VPN or a gateway rather than directly
from the Internet, and the server should require Network Level Authentication so that
credentials are verified before a desktop session is created.
VNC
(Virtual Network Computing)
VNC (Virtual Network Computing) is an open source system
designed to allow one workstation to remotely manipulate and receive screen updates
from another workstation. Open source is the term for software whose code is publicly
available for use and modification. As a result, anyone can change the software
to enhance it or fix problems and share their modified version with others. As
with Remote Desktop’s protocols, VNC’s protocols operate at the Application
layer.
VNC packages have been developed for multiple computer
platforms, including all modern versions of Windows, UNIX, Linux, and Mac OS X.
In addition, VNC functions across platforms. That is, you can use a VNC client
(or viewer, as it’s known in VNC terms) on a Windows 7 workstation to access a
VNC server running Ubuntu Linux. VNC is notable among remote virtual computing
systems for the breadth of this cross-platform support. Besides its open source
status, VNC boasts the ability to support multiple sessions on a single computer.
One drawback of VNC compared with Remote Desktop is that its screen refresh rate
is somewhat slower. However, software engineers have modified VNC to use compression
techniques that expedite its data transmission. In addition, security has
historically been a concern with VNC: the classic VNC authentication is a DES-based
challenge-response on a password of at most eight characters, and the session data
itself travels unencrypted. Current practice is therefore to run VNC only through an
SSH tunnel or a VPN, or to use a variant that adds TLS encryption, and never to expose
a VNC server directly to the Internet. Some popular versions of VNC include RealVNC,
TightVNC, and UltraVNC.
ICA (Independent Computing Architecture)
Another system for
remote virtual computing that supports multiple simultaneous server connections
is Citrix System’s XenApp. With the Citrix option, remote workstations rely on
proprietary software known as an ICA (Independent Computing Architecture)
client to connect with a remote access server and exchange keystrokes, mouse
clicks, and screen updates. Running XenApp, the remote access server makes
applications available to clients and manages their connections. Citrix’s ICA
client can work with virtually any operating system or application. Its ease of
use and broad compatibility make the ICA client a popular method for supplying
widespread remote access across an organization. Potential drawbacks to this
method include the relatively high cost of Citrix’s products and the complex
nature of its server software configuration.
VPNs (Virtual Private
Networks)
VPNs (virtual private networks) are wide area networks that are
logically defined over public transmission systems. To allow access to only
authorized users, traffic on a VPN is isolated from other traffic on the same
public lines. For example, a national insurance provider could establish a
private WAN that uses Internet connections but serves only its agent offices
across the country. By relying on the public transmission networks already in
place, VPNs provide a way of constructing a convenient and relatively
inexpensive WAN. In the example of a national insurance provider, the company
gains significant savings by having each office connect to the Internet
separately rather than leasing point-to-point connections between each office
and the national headquarters. The software required to establish VPNs is
usually inexpensive, and in some cases is included with other widely used
software. For example, in Windows Server 2008 R2, RRAS allows you to create a
simple VPN. It turns a Windows server into a remote access server and allows clients
to connect to it over the Internet. Alternately, clients could dial into an ISP’s remote access
server, and then connect with the VPN managed by RRAS. Third-party software
companies also provide VPN programs that work with Windows, UNIX, Linux, and
Macintosh OS X Server network operating systems. Or VPNs can be created simply
by configuring special protocols on the routers or firewalls that connect each
site in the VPN. This is the most common implementation of VPNs on UNIX-based
networks. Two important considerations when designing a VPN are
interoperability and security. To ensure a VPN can carry all types of data in a
private manner over any kind of connection, special VPN protocols encapsulate
higher-layer protocols in a process known as tunneling. You can say that these
protocols create the virtual connection, or tunnel, between two VPN endpoints. Based
on the kinds of endpoints they connect, VPNs can be classified according to two
models: site-to-site and client-to-site.
In a site-to-site VPN, tunnels connect multiple sites on a WAN, as shown in
Figure 10-14 on page 466. At each site, a VPN gateway encrypts and encapsulates
data to exchange over the tunnel with another VPN gateway. Meanwhile, clients,
servers, and other hosts communicate with the VPN gateway and do not have to
run special VPN software. They simply send and receive data to and from the VPN
gateway. In a client-to-site VPN, clients, servers, and other hosts establish
tunnels with a private network using a remote access server or VPN gateway, as
shown in Figure 10-15 on page 467. Each client on a client-to-site VPN must run
VPN software to create the tunnel for, and encrypt and encapsulate data. This
is the type of VPN typically associated with remote access. An enterprise-wide
VPN can include elements of both the client-to-site and site-to-site models. The
beauty of VPNs is that they are tailored to a customer’s distance, user, and
bandwidth needs, so, of course, every one is unique.
However, all share the characteristics of privacy achieved over
public transmission facilities using encryption and encapsulation. As you have
learned, encapsulation involves one protocol adding a header to data received from
a higher-layer protocol. The tunneling protocols discussed here operate at the Data Link
layer and encapsulate Network layer packets, no matter what Network layer
protocol is used. Two major tunneling protocols are used on
contemporary VPNs: PPTP and L2TP.
PPTP (Point-to-Point Tunneling Protocol) is a Layer 2 protocol developed by a vendor
consortium led by Microsoft and documented in RFC 2637. It expands on PPP by encapsulating
PPP frames in GRE (Generic Routing Encapsulation) packets that travel inside ordinary IP
datagrams, so any type of PPP data can traverse the Internet as an IP transmission; a
separate TCP control connection (port 1723) sets up and tears down the tunnel. PPTP
supports the encryption, authentication, and access services provided by RRAS. Users can
either dial directly into an RRAS access server that’s part of the VPN, or they can dial
into their ISP’s remote access server first, and then connect to a VPN. Either way, data
is transmitted from the client to the VPN using PPTP. Windows, UNIX, Linux, and Macintosh
clients are all capable of connecting to a VPN using PPTP. PPTP is easy to install, and
is available at no extra cost with Microsoft networking services. However, it
provides less-stringent security than other tunneling protocols: its MPPE encryption
keys are derived from the MS-CHAP handshake, and MS-CHAPv2 can be broken by brute-forcing
a single 56-bit DES key, so PPTP should not be relied on to protect confidential traffic.
Another VPN tunneling protocol is L2TP (Layer 2 Tunneling Protocol), which combines
Cisco’s L2F (Layer 2 Forwarding) with PPTP and was standardized by the IETF in RFC 2661.
It encapsulates PPP data in a similar manner to PPTP, but differs in a few key ways.
Unlike PPTP, L2TP is a standard accepted and used by multiple vendors, so it can connect
a VPN that uses a mix of equipment types—for example, a Juniper router, a Cisco router,
and a Netgear router. Also, L2TP can connect two routers, a router and a remote
access server, or a client and a remote access server. Another important
advantage to L2TP is that tunnel endpoints do not have to reside on the same
packet-switched network. In other words, an L2TP client could connect to a
router running L2TP on an ISP’s network. The ISP could then forward the L2TP
frames to another VPN router or gateway, without interpreting the frames. This
L2TP tunnel, although not direct from node to node, remains isolated from other
traffic. Note that L2TP by itself only tunnels: it provides no encryption, which is
why it is almost always deployed together with IPsec (as L2TP/IPsec). Because of its
many advantages, L2TP is more commonly used than PPTP. PPTP
and L2TP are not the only protocols that can be used to carry VPN traffic. For networks
in which security is critical, it is advisable to use protocols that can
provide both tunneling and data encryption. Such protocols are discussed in
detail in Chapter 11, which focuses on network security.
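As an added example (not part of the chapter), the following code builds a PPTP data packet the way RFC 2637 specifies it: a PPP packet inside an enhanced GRE header (IP protocol 47, GRE protocol type 0x880B) inside an outer IPv4 header addressed between the two tunnel endpoints. Parsing it back and searching the outer packet for the inner one makes the section's closing point visible: tunneling re-addresses traffic so it can cross the Internet, but by itself it hides nothing, and the encryption layer (MPPE for PPTP, IPsec for L2TP) is what provides privacy. The endpoint addresses, call ID, and inner packet are constructed sample values.

```python
import ipaddress
import struct

IPPROTO_GRE = 47          # outer IP protocol number for GRE
GRE_PROTO_PPP = 0x880B    # GRE protocol type for PPP payloads (RFC 2637)
PPP_PROTO_IPV4 = 0x0021   # PPP protocol number for an IPv4 datagram
PPTP_CONTROL_PORT = 1723  # the separate TCP control connection (not built here)


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over 16-bit words; 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0):
    """Minimal 20-byte IPv4 header (no options), TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def pptp_gre_header(call_id, seq, payload_len):
    """Enhanced GRE header: K=1 (the key field carries payload length and call ID),
    S=1 (sequence number present), A=0 (no acknowledgement number), version 1."""
    flags = 0x30   # C=0 R=0 K=1 S=1 s=0 Recur=000
    ver = 0x01     # A=0 Flags=0000 Ver=001
    return struct.pack("!BBHHHI", flags, ver, GRE_PROTO_PPP, payload_len, call_id, seq)


def pptp_encapsulate(src, dst, call_id, seq, inner_packet, ppp_protocol=PPP_PROTO_IPV4):
    """PPP packet (protocol field + data, no HDLC framing or FCS) -> GRE -> outer IPv4."""
    ppp = struct.pack("!H", ppp_protocol) + inner_packet
    gre = pptp_gre_header(call_id, seq, len(ppp)) + ppp
    return ipv4_header(src, dst, IPPROTO_GRE, len(gre)) + gre


def pptp_decapsulate(packet):
    """Return (outer_src, outer_dst, call_id, seq, ppp_protocol, inner_packet)."""
    if len(packet) < 20 or (packet[0] >> 4) != 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not GRE over IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, ver, proto, plen, call_id, seq = struct.unpack("!BBHHHI", packet[ihl:ihl + 12])
    if proto != GRE_PROTO_PPP or (flags & 0x30) != 0x30 or (ver & 0x07) != 1:
        raise ValueError("not PPTP enhanced GRE")
    offset = ihl + 12 + (4 if ver & 0x80 else 0)   # skip acknowledgement number if A=1
    ppp = packet[offset:offset + plen]
    if len(ppp) != plen or plen < 2:
        raise ValueError("truncated PPP payload")
    (ppp_protocol,) = struct.unpack("!H", ppp[:2])
    return src, dst, call_id, seq, ppp_protocol, ppp[2:]


def inner_visible_in_tunnel(tunnel_packet, inner_packet):
    """True when the tunneled packet appears byte-for-byte inside the outer packet,
    i.e. an eavesdropper on the path reads it as easily as the endpoints do."""
    return inner_packet in tunnel_packet


def demo_tunnel():
    """Constructed sample (not from the chapter): a private-address UDP datagram
    carried between two public PPTP endpoints. Returns (tunnel_packet, inner_packet)."""
    inner = ipv4_header("192.168.10.5", "10.0.0.7", 17, 8) + bytes.fromhex("c35000350008a1b2")
    tunnel = pptp_encapsulate("203.0.113.9", "198.51.100.1", call_id=7, seq=1, inner_packet=inner)
    return tunnel, inner


if __name__ == "__main__":
    tunnel, inner = demo_tunnel()
    print("outer packet:", tunnel.hex())
    print("parsed      :", pptp_decapsulate(tunnel))
    print("inner packet readable on the wire:", inner_visible_in_tunnel(tunnel, inner))
```

A capture of a live PPTP session shows the same layout; once MPPE has been negotiated, the bytes after the GRE header are carried as PPP protocol 0x00FD and are ciphertext, which is the only thing standing between the tunnel contents and anyone on the path. L2TP, not shown here, differs mainly in its outer wrapper (UDP port 1701 instead of GRE) and likewise encrypts nothing on its own, which is why it is paired with IPsec in practice.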
Cloud Computing
On network
diagrams, the Internet is frequently depicted as a cloud. This representation
arose from the packet-switched nature of data transmission over the Internet.
In packet switching, as you know, each datagram can follow one of many paths to
reach its destination. More recently, the cloud on networking diagrams has
grown to take on new meanings, thanks in large part to the marketing efforts of
network service providers. Cloud computing refers to the flexible provision of
data storage, applications, or services to multiple clients over a network. The
term includes a broad range of offerings, from hosting Web sites to delivering specialized
applications to providing virtual servers for collaboration or software
development. However, all cloud computing is distinguished by the following:
Self-service and on demand—Services,
applications, and storage in a cloud are available to users at any time, upon
the user’s request. For example, if you subscribe to Google’s Gmail or Google
Docs service, you can log on and access your mail and documents whenever you
choose.
Elastic—The
term elastic in cloud computing means that services and storage capacity can be
quickly and dynamically—sometimes even automatically—scaled up or down.
For example, if your database server on the cloud grows and
needs additional hard disk space, it can expand without you having to alert the
service provider. In fact, your server can be configured in such a way as to
require no intervention in this case. The amount of space you can add and the
flexibility with which it can be added depend on your agreement with the
service provider. Elastic also means that storage space can be reduced, and
that applications and clients can be added or removed, upon demand.
Support for multiple platforms—Clients
of all types, including smartphones, laptops, desktops, thin clients, and
tablet computers, can access services, applications, and storage in a cloud, no
matter what operating system they run or where they are located, as long as
they have a network connection.
Resource pooling and consolidation—In
the cloud, as on host computers that contain multiple virtual machines,
resources such as disk space, applications, and services are consolidated. That
means one cloud computing provider can host hundreds of Web sites for hundreds
of different customers on just a few servers. This is an example of a multitenant
model, in which multiple customers share storage locations or services without
knowing it. In another example of resource pooling, a single backup program might
ensure that the Web sites are backed up several times a day.
Metered service—Whether
the cloud provides applications, desktops, storage, or services, its use is
measured. A service provider might limit or charge by the amount of bandwidth, processing
power, storage space, or client connections available to customers.
An organization
that develops software might choose to keep its test platform on a server in
the cloud, rather than on a server in its computer room. Suppose it employs
dozens of developers on one project, and these developers, half of them working
from home, are located in six different countries. By contracting with a cloud
services organization to host its server, the software company can ensure
continuous, easy access for its developers, no matter where they are or what
type of computer they use. Developers can load any kind of software on the
server and test it from afar. If more hard disk space is needed, that can be
dynamically allocated. In addition, the cloud services provider can make sure
the development server is secure and regularly backed up. In this case, cloud
computing removes the burden of managing the server from the company’s IT
personnel. Figure 10-16 on page 469 illustrates this type of cloud computing. You
probably recognize that the characteristics of cloud computing resemble those
associated with virtualization. In fact, most cloud service providers use
virtualization software to supply multiple platforms to multiple users. For
example, industry leaders Rackspace and Amazon (in its Elastic Compute Cloud,
or EC2, service) use Xen virtualization software to create virtual environments
for their customers. In addition to virtual servers, cloud computing can
provide virtual desktops, which are desktop operating environments hosted
virtually, on a different physical computer from the one the user interacts
with. The term cloud computing also includes NaaS (Network as a Service), in
which a service provider offers its customers a complete set of networking
services. For example, the owner of a start-up specialty foods company with few
employees and zero technical expertise might choose to outsource all of the
company’s networking functions, such as mail, Web, DNS, DHCP, and remote access
services, plus LAN and WAN connectivity, to a cloud computing service provider.
Some IT professionals use a term with even broader meaning, XaaS, which stands
for Anything as a Service, or sometimes Everything as a Service. In that model,
the cloud assumes functions that go beyond networking, including, for example,
monitoring, storage, applications, and virtual desktops.
Cloud services may
be managed and delivered by a service provider over public transmission lines,
such as the Internet, on a public cloud. Most of the examples in this section
take place in public clouds. However, an organization with sufficient technical
expertise on staff might establish a private cloud on its own servers in its
own data center. This arrangement allows an organization to use existing
hardware and connectivity, potentially saving money. It might also be
preferable where network administrators want to ensure that resources are
secure. Despite public cloud service providers’ warranties of privacy and
security, these remain significant concerns for many potential customers.
Chapter Summary
·
Virtualization is the emulation of a
computer, operating system environment, or application on a physical system.
One host computer can support many VMs (virtual machines). VMs, also called
guests, share the physical computer’s CPU, hard disk, memory, and network
interfaces. Yet each functions independently, with its own logically defined
hardware resources, operating system, applications, and network interfaces.
·
VMs exist as files on the hard disk of the
physical computer. These files contain the operating system, applications,
data, and configurations for the VMs.
·
The software that allows you to define VMs
and manages resource allocation and sharing among them is known as a virtual
machine manager, or, more commonly, a hypervisor. Hypervisors are part of all
virtualization programs, of which VMware is the most popular. Other
virtualization programs include Hyper-V, KVM (Kernel-based Virtual Machine),
and VirtualBox.
·
Advantages of virtualization include efficient
use of resources; cost and energy savings, which can contribute to
sustainability; fault and threat isolation; and simple backups, recovery, and
replication.
·
Potential disadvantages of virtualization
include compromised performance, increased complexity, increased licensing
fees, and a single point of failure.
·
To connect to a network, a virtual machine
requires a virtual adapter, or vNIC (virtual NIC). Just like a physical NIC, a
vNIC operates at the Data Link layer and provides the computer with network
access. Each VM may have several vNICs, no matter how many NICs the host
machine has.
·
A virtual switch is a logically defined
device that operates at the Data Link layer. Ports on a virtual switch connect
vNICs with a network, whether virtual or physical, through the host’s physical
NIC. A virtual switch allows VMs to communicate with each other and with nodes
on a physical LAN or WAN.
·
Virtual switches reside in the RAM of the
physical computers that act as their hosts, while their configuration resides
in a separate file on the host’s hard disk. One host can support multiple
virtual switches. The hypervisor controls the virtual switches. In Hyper-V, a
virtual switch is called a virtual network.
·
When you configure a vNIC, you are asked to
identify what type of network connection or networking mode the adapter will
use. The most frequently used network connection types include bridged, NAT,
and host-only.
·
In bridged mode, a vNIC accesses a physical
network using the host machine’s NIC and obtains its own IP address, default
gateway, and netmask from a DHCP server on the physical LAN. When connected
using bridged mode, a VM appears to other nodes as just another client or
server on the network. Bridged mode is best used for VMs that must be available
at a specific address, such as mail servers or Web servers.
·
In the NAT networking mode, a VM relies on
the host machine to act as a NAT device. It obtains IP addressing information
from the DHCP service in the host’s virtualization software. A vNIC operating
in NAT mode can still communicate with other nodes on the network and vice
versa. However, other nodes communicate with the host machine’s IP address to
reach the VM; the VM itself is invisible to other nodes. NAT networking mode is
appropriate for clients that do not need to be addressed directly and at a
specific address by other nodes.
·
In host-only networking mode, VMs on one host
can exchange data with each other and with their host, but they cannot
communicate with any nodes beyond the host to create an isolated, all-virtual
network. In host-only mode, as in NAT mode, VMs use the DHCP service in the
host’s virtualization software to obtain IP address assignments. Host-only
networking mode is best used for test environments.
·
A virtual appliance is an image that includes
the appropriate operating system, software, hardware specifications, and
application configuration necessary for the package to run properly. Popular
uses for virtual appliances include firewall and other security measures,
network management, e-mail solutions, and remote access.
·
VLANs are subnets logically defined on a
physical switch that allow network administrators to separate network traffic
for better performance, customized address management, and security. On a network
that uses virtual machines, VLANs will typically include those VMs.
·
To add VMs to a VLAN defined on a physical
network, you modify a virtual switch’s configuration. In other words, VMs are
not added to a preexisting VLAN on the physical switch that manages that VLAN.
·
In VMware, vNICs are associated with port
groups, which can be assigned to VLANs. Multiple vNICs can be assigned to a
single port group. Also, a single vNIC can be assigned to multiple port groups.
In other virtualization programs, vNICs are assigned to VLANs by associating
them directly with a VLAN number or with a bridge that is, in turn, associated
with a VLAN.
·
For VLANs to include vNICs, the host
machine’s physical NIC must be configured to operate in trunking mode. In other
words, it must be capable of carrying the traffic of multiple VLANs.
Virtualization software refers to the physical NIC, acting as an interface for
VLANs, as a trunk.
·
As a remote user, you can connect to a LAN or
WAN in one of several ways: dial-up networking, connecting to a remote access
server, remote virtual computing, or through a VPN (virtual private network).
·
Dial-up networking involves a remote client
dialing into a remote access server and connecting via a PSTN, X.25, or ISDN
connection. The client must run dial-up software to initiate the connection,
and the server runs specialized remote access software to accept and interpret
the incoming signals.
·
Remote access servers accept incoming
connections from remote clients, authenticate users, allow them to log on to a
LAN or WAN, and exchange data by encapsulating higher-layer protocols, such as
TCP and IP, in specialized protocols such as PPP. The Microsoft RRAS (Routing
and Remote Access Service) is the remote access software that comes with the
Windows operating systems.
·
To exchange data, remote access servers and
clients must communicate through special Data Link layer protocols, such as PPP
(Point-to-Point Protocol) or SLIP (Serial Line Internet Protocol), that
encapsulate higher-layer protocols, such as TCP and IP. PPP is the preferred
protocol. When PPP is carried over an Ethernet network, as is common with DSL
broadband Internet connections, it is called PPP over Ethernet, or
PPPoE.
·
Remote virtual computing uses specialized
client and host software to allow a remote user to connect, over any type of network
link, to a workstation that is part of a LAN. Once the connection is made, the remote user
can control that workstation, performing functions just as if she were directly
connected to the LAN.
·
Remote Desktop is a remote virtual computing
client and server package that comes with Windows operating systems. VNC
(Virtual Network Computing) refers to an open source system that enables a
remote client (or viewer) workstation to manipulate and receive screen updates
from a host. ICA (Independent Computing Architecture) provides the basis for
Citrix Systems’ proprietary remote virtual computing software.
·
By creating a VPN (virtual private network),
you can construct a WAN from existing public transmission systems. A VPN offers
connectivity only to an organization’s users, while keeping the data secure and
isolated from other (public) traffic. To accomplish this, VPNs may be software
or hardware based. Either way, they depend on secure protocols and transmission
methods to keep data private.
·
To make sure a VPN can carry all types of
data in a private manner over any kind of connection, special VPN protocols
encapsulate higher-layer protocols via tunneling. Common tunneling protocols
include PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling
Protocol). Additional VPN protocols are discussed in Chapter 11, which focuses
on network security.
·
Cloud computing refers to the flexible
provision of data storage, applications, or services to multiple clients over a
network. Cloud computing consolidates resources and allows users from anywhere
using any kind of client to access them. Further, cloud computing is elastic
(that is, it can be quickly and easily scaled up or down). It is also metered,
meaning that usage can be measured. Finally, it is available on demand.
·
In NaaS (Network as a Service), a service
provider offers its customers a complete set of networking services. XaaS,
which stands for “Anything as a Service” or sometimes “Everything as a
Service,” includes functions that go beyond networking, including, for example,
monitoring, storage, applications, and virtual desktops.
·
Cloud services may be managed and delivered
by a service provider over public transmission lines, such as the Internet, on
a public cloud, or on an organization’s servers and internal network in a
private cloud.
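The first two summary points describe the host NIC acting as a trunk that carries several VLANs, with the virtual switch sorting frames into port groups. The following Python is an added example, not code from the textbook or from any virtualization product: it decodes the standard 802.1Q tag (TPID 0x8100, 3-bit priority, 12-bit VLAN ID) on frames arriving at a trunk and applies the kind of policy a virtual switch enforces, forwarding a frame to the port group provisioned for its VLAN and dropping anything the trunk is not configured to carry. The MAC addresses, VLAN numbers and port-group names are constructed sample values.

```python
"""Sorting frames that arrive on a trunk into per-VLAN port groups.
Added example (not the textbook's code): models the host's physical NIC as
an 802.1Q trunk and the virtual switch deciding which port group, and so
which vNICs, each frame belongs to.  MAC addresses, VLAN numbers and
port-group names are constructed sample values."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
ETH_HDR_LEN = 14     # destination(6) + source(6) + EtherType(2)
MAC_A = bytes.fromhex("001122334455")   # constructed sample addresses
MAC_B = bytes.fromhex("66778899aabb")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no VLAN membership
    pcp: int                 # 802.1p priority code point (0-7)
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode the Ethernet header and, if present, the 4-byte 802.1Q tag."""
    if len(raw) < ETH_HDR_LEN:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != TPID_8021Q:
        return Frame(dst, src, None, 0, ethertype, raw[14:])
    if len(raw) < ETH_HDR_LEN + 4:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    vid = tci & 0x0FFF
    # VID 0 is a priority-only tag: the frame carries a PCP but no VLAN.
    return Frame(dst, src, vid or None, tci >> 13, inner_type, raw[18:])


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0) -> bytes:
    """Build a frame, inserting an 802.1Q tag when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vlan_id
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


@dataclass
class TrunkPort:
    """The host NIC in trunking mode plus the virtual switch's VLAN policy."""
    allowed: Set[int]             # VLANs the trunk is permitted to carry
    native_vlan: int              # VLAN assumed for untagged frames
    port_groups: Dict[int, str]   # VLAN id -> port group the vNICs sit in
    dropped: int = 0

    def classify(self, raw: bytes) -> Optional[str]:
        """Return the port group a frame belongs to, or None if it is dropped."""
        frame = parse_frame(raw)
        vid = frame.vlan_id if frame.vlan_id is not None else self.native_vlan
        if vid not in self.allowed or vid not in self.port_groups:
            self.dropped += 1    # not provisioned on this trunk: never forwarded
            return None
        return self.port_groups[vid]


def sample_trunk() -> TrunkPort:
    """A trunk carrying three VLANs, each mapped to a port group (constructed)."""
    return TrunkPort(allowed={1, 10, 20}, native_vlan=1,
                     port_groups={1: "management", 10: "web-servers", 20: "mail-servers"})


if __name__ == "__main__":
    trunk = sample_trunk()
    for raw in (build_frame(MAC_A, MAC_B, 0x0800, b"ip", vlan_id=10, pcp=3),
                build_frame(MAC_A, MAC_B, 0x0806, b"arp"),
                build_frame(MAC_A, MAC_B, 0x0800, b"ip", vlan_id=30)):
        print(parse_frame(raw).vlan_id, "->", trunk.classify(raw))
```

Two details matter for a defender. Untagged frames on a trunk are silently assigned to the native VLAN, so that VLAN should be one you actually intend vNICs to share; and the `dropped` counter is the first thing to check when a VM in a port group cannot reach its VLAN, because it means the trunk's allowed list and the port-group mapping have drifted apart.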
Key Terms
Anything as a Service See XaaS.
authentication The process of comparing and matching a client’s credentials with the credentials in the NOS user database to enable the client to log on to the network.
client-to-site VPN A type of VPN in which clients, servers, and other hosts establish tunnels with a private network using a remote access server or VPN gateway. Each client on a client-to-site VPN must run VPN software to create the tunnel and to encrypt and encapsulate its data.
cloud computing The flexible provision of data storage, applications, or services to multiple clients over a network. Cloud computing consolidates resources and is elastic, metered, self-service, multiplatform, and available on demand.
credentials A user’s unique identifying characteristics that enable him to authenticate with a server and gain access to network resources. The most common credentials are a username and a password.
dial-up networking The process of dialing into a remote access server to connect with a network, be it private or public.
elastic A characteristic of cloud computing that means services can be quickly and dynamically—sometimes even automatically—scaled up or down.
Everything as a Service See XaaS.
guest In the context of virtualization, a virtual machine operated and managed by a virtualization program.
host In the context of virtualization, the physical computer on which virtualization software operates and manages guests.
Hyper-V Microsoft’s virtualization software package. Hyper-V operates with Windows Server 2008 and Windows Server 2008 R2.
hypervisor The element of virtualization software that manages multiple guest machines and their connections to the host (and by association, to a physical network). A hypervisor is also known as a virtual machine manager.
ICA (Independent Computing Architecture) The software from Citrix Systems, Inc., that, when installed on a client, enables the client to connect with a host computer and exchange keystrokes, mouse clicks, and screen updates. Citrix’s ICA client can work with virtually any operating system or application.
Kernel-based Virtual Machine See KVM.
KVM (Kernel-based Virtual Machine) An open source virtualization package designed for use with Linux systems.
L2TP (Layer 2 Tunneling Protocol) A protocol that encapsulates PPP data, for use on VPNs. L2TP is based on Cisco technology and is standardized by the IETF. It is distinguished by its compatibility among different manufacturers’ equipment; its ability to connect between clients, routers, and servers alike; and also by the fact that it can connect nodes belonging to different Layer 3 networks.
Layer 2 Tunneling Protocol See L2TP.
multitenant A feature of cloud computing in which multiple customers share storage locations or services without knowing it.
NaaS (Network as a Service) A type of cloud computing that offers clients a complete set of networking services—for example, mail, Web, DNS, DHCP, and remote access services, plus LAN and WAN connectivity.
Network as a Service See NaaS.
open source The term that describes software whose code is publicly available for use and modification.
Point-to-Point Protocol See PPP.
Point-to-Point Protocol over Ethernet See PPPoE.
Point-to-Point Tunneling Protocol See PPTP.
PPP (Point-to-Point Protocol) A communications protocol that enables a workstation to connect to a server using a serial connection; PPP can support multiple Network layer protocols and can use both asynchronous and synchronous communications. It performs compression and error correction and requires little configuration on the client workstation.
PPPoE (Point-to-Point Protocol over Ethernet) PPP running over an Ethernet network.
PPTP (Point-to-Point Tunneling Protocol) A Layer 2 protocol developed by Microsoft that encapsulates PPP data for transmission over VPN connections. PPTP operates with Windows RRAS access services and can accept connections from multiple different clients. It is simple, but less secure than other modern tunneling protocols.
private cloud An arrangement in which shared and flexible data storage, applications, or services are managed on and delivered via an organization’s internal network.
public cloud An arrangement in which shared and flexible data storage, applications, or services are managed centrally by service providers and delivered over public transmission lines, such as the Internet. Rackspace and Amazon (with its EC2 offering) are leading public cloud service providers.
RAS (Remote Access Service) The dial-up networking software provided with Microsoft Windows 95, 98, NT, and 2000 client operating systems. RAS requires software installed on both the client and server, a server configured to accept incoming clients, and a client with sufficient privileges (including username and password) on the server to access its resources. In more recent versions of Windows, RAS has been incorporated into the RRAS (Routing and Remote Access Service).
RDP (Remote Desktop Protocol) An Application layer protocol that uses TCP/IP to transmit graphics and text quickly over a remote client-host connection. RDP also carries session, licensing, and encryption information.
remote access A method for connecting and logging on to a LAN from a workstation that is remote, or not physically connected, to the LAN.
Remote Access Service See RAS.
Remote Desktop A feature of Windows operating systems that allows a computer to act as a remote host and be controlled from a client running another Windows operating system.
Remote Desktop Protocol See RDP.
Routing and Remote Access Service (RRAS) The software included with Windows operating systems that enables a server to act as a router, firewall, and remote access server. Using RRAS, a server can provide network access to multiple remote clients.
RRAS See Routing and Remote Access Service.
Serial Line Internet Protocol See SLIP.
site-to-site VPN A type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over a tunnel with other VPN gateways. Meanwhile, clients, servers, and other hosts on a site-to-site VPN communicate with the VPN gateway.
SLIP (Serial Line Internet Protocol) A communications protocol that enables a workstation to connect to a server using a serial connection. SLIP can support only asynchronous communications and IP traffic and requires some configuration on the client workstation. SLIP has been made obsolete by PPP.
thin client A client that relies on another host for the majority of processing and hard disk resources necessary to run applications and share files over the network.
tunnel A secured, virtual connection between two nodes on a VPN.
tunneling The process of encapsulating one type of protocol in another. Tunneling is the way in which higher-layer data is transported over VPNs by Layer 2 protocols.
virtual adapter See vNIC.
virtual appliance An image that includes the appropriate operating system, software, hardware specifications, and application configuration necessary for a prepackaged solution to run properly on a virtual machine.
virtual bridge An interface connecting a vNIC with a virtual or physical network, or a port on a virtual switch.
virtual desktop A desktop operating environment that is hosted virtually, on a different physical computer from the one the user interacts with.
virtual machine See VM.
virtual machine manager See hypervisor.
Virtual Network Computing See VNC.
virtual network interface card See vNIC.
virtual private network See VPN.
virtual server A server that exists as a virtual machine, created and managed by virtualization software on a host, or physical, computer.
virtual switch A logically defined device that is created and managed by virtualization software and that operates at the Data Link layer. Ports on a virtual switch connect virtual machines with a network, whether virtual or physical, through the host’s physical NIC.
virtual workstation A workstation that exists as a virtual machine, created and managed by virtualization software on a host, or physical, computer.
VirtualBox A virtualization software platform from Oracle.
virtualization The emulation of a computer, operating system environment, or application on a physical system.
VM (virtual machine) A computer that exists in emulation on a physical computer, or host machine. Multiple VMs may exist on one host where they share the physical computer’s CPU, hard disk, memory, and network interfaces.
VMware A vendor that supplies the most popular types of workstation and server virtualization software. Used casually, the term VMware may also refer to the virtualization software distributed by the company.
VNC (Virtual Network Computing) An open source system that enables a remote client (or viewer) workstation to manipulate and receive screen updates from a host. Examples of VNC software include RealVNC, TightVNC, and UltraVNC.
vNIC (virtual network interface card) A logically defined network interface associated with a virtual machine.
VPN (virtual private network) A logically constructed WAN that uses existing public transmission systems. VPNs can be created through the use of software or combined software and hardware solutions. This type of network allows an organization to carve out a private WAN through the Internet, serving only its offices, while keeping the data secure and isolated from other (public) traffic.
XaaS (Anything as a Service, or Everything as a Service) A type of cloud computing in which the cloud assumes functions beyond networking, including, for example, monitoring, storage, applications, and virtual desktops.
Xen An open source virtualization software platform from Citrix Systems.
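The summary point on VPN protocols and the Key Terms for tunnel, tunneling, L2TP and PPP all describe the same mechanism: one protocol carried inside another. The following Python is an added example, not code from the textbook or from any VPN product, that makes the layering concrete. It wraps a UDP datagram between two private addresses in a PPP frame, the PPP frame in an L2TPv2 data message, and that message in UDP/IP between two public tunnel endpoints, then unwraps the result layer by layer with the checks a receiving gateway would apply (IPv4 header checksum, L2TP version and message type, declared length). The addresses, tunnel and session IDs, and payload are constructed sample values; the header layouts are the standard IPv4, UDP, PPP and L2TPv2 ones.

```python
"""Tunneling as encapsulation (added example, not the textbook's code).
A UDP datagram between two private addresses is wrapped in PPP, then in an
L2TPv2 data message, then in UDP/IP between two public tunnel endpoints.
Addresses, tunnel IDs and payload are constructed sample values."""
import ipaddress
import struct

L2TP_PORT = 1701                   # UDP port registered for L2TP
L2TP_VERSION = 2
L2TP_T, L2TP_L = 0x8000, 0x4000    # T: control message;  L: Length field present
L2TP_S, L2TP_O = 0x0800, 0x0200    # S: Ns/Nr present;    O: Offset Size present
PPP_ADDR_CTRL = b"\xff\x03"        # HDLC-style address/control in front of PPP
PPP_PROTO_IPV4 = 0x0021
IPPROTO_UDP = 17

def ipv4_checksum(hdr):
    """Ones'-complement sum of 16-bit words; yields 0 for a correctly checksummed header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(raw):
    """Return (proto, src, dst, payload); rejects non-IPv4 and bad checksums."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (raw[0] & 0x0F) * 4
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", raw[2:4])[0]
    return (raw[9], str(ipaddress.IPv4Address(raw[12:16])),
            str(ipaddress.IPv4Address(raw[16:20])), raw[ihl:total_len])

def udp_encapsulate(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # checksum 0 = none

def udp_decapsulate(raw):
    sport, dport, length = struct.unpack("!HHH", raw[:6])
    return sport, dport, raw[8:length]

def ppp_encapsulate(protocol, payload):
    return PPP_ADDR_CTRL + struct.pack("!H", protocol) + payload

def ppp_decapsulate(frame):
    if frame[:2] != PPP_ADDR_CTRL:
        raise ValueError("missing PPP address/control bytes")
    return struct.unpack("!H", frame[2:4])[0], frame[4:]

def l2tp_encapsulate(tunnel_id, session_id, ppp_frame):
    """L2TPv2 data message: T=0, L=1, no sequencing, no offset pad."""
    return struct.pack("!HHHH", L2TP_L | L2TP_VERSION, 8 + len(ppp_frame),
                       tunnel_id, session_id) + ppp_frame

def l2tp_decapsulate(msg):
    """Walk the optional header fields; return (tunnel_id, session_id, ppp_frame)."""
    flags = struct.unpack("!H", msg[:2])[0]
    if flags & 0x000F != L2TP_VERSION:
        raise ValueError("not an L2TPv2 message")
    if flags & L2TP_T:
        raise ValueError("control message, not a data message")
    off, length = 2, None
    if flags & L2TP_L:
        length, off = struct.unpack("!H", msg[off:off + 2])[0], off + 2
    tunnel_id, session_id = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if flags & L2TP_S:
        off += 4                                             # skip Ns, Nr
    if flags & L2TP_O:
        off += 2 + struct.unpack("!H", msg[off:off + 2])[0]  # Offset Size + pad
    if length is not None and length != len(msg):
        raise ValueError("L2TP Length does not match message size")
    return tunnel_id, session_id, msg[off:]

def build_tunneled_packet(priv_src, priv_dst, pub_src, pub_dst, tunnel_id, session_id, payload):
    """private IP/UDP -> PPP -> L2TP -> UDP/1701 -> public IP."""
    inner = build_ipv4(priv_src, priv_dst, IPPROTO_UDP, udp_encapsulate(40000, 5060, payload))
    l2tp = l2tp_encapsulate(tunnel_id, session_id, ppp_encapsulate(PPP_PROTO_IPV4, inner))
    return build_ipv4(pub_src, pub_dst, IPPROTO_UDP, udp_encapsulate(L2TP_PORT, L2TP_PORT, l2tp))

def unwrap_tunneled_packet(raw):
    """Peel every layer; return (tunnel_id, session_id, inner_src, inner_dst, inner_udp_payload)."""
    proto, _, _, outer = parse_ipv4(raw)
    if proto != IPPROTO_UDP:
        raise ValueError("outer datagram is not UDP")
    _, dport, l2tp = udp_decapsulate(outer)
    if dport != L2TP_PORT:
        raise ValueError("outer datagram is not addressed to the L2TP port")
    tunnel_id, session_id, ppp = l2tp_decapsulate(l2tp)
    ppp_proto, inner = ppp_decapsulate(ppp)
    if ppp_proto != PPP_PROTO_IPV4:
        raise ValueError("PPP payload is not an IPv4 datagram")
    _, src, dst, inner_l4 = parse_ipv4(inner)
    return tunnel_id, session_id, src, dst, udp_decapsulate(inner_l4)[2]
```

Running the whole stack on a five-byte payload gives a 73-byte packet: 20 (inner IP) + 8 (inner UDP) + 5, plus 4 for PPP, 8 for the L2TP header, 8 for the outer UDP header and 20 for the outer IP header. The outer header carries only the public endpoint addresses, which is how the private WAN rides over public transmission systems. Note what the tunnel does not do: nothing in this block encrypts the PPP payload, so the inner addresses and data are readable by anyone who can see the packet on the public network. The privacy the summary attributes to a VPN comes from pairing the tunnel with the secure protocols Chapter 11 covers, not from encapsulation alone.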
Review Questions
1. Which of the following is an advantage to virtualizing many servers in your data center, compared to running each server on a separate physical machine?
a. Virtualization will improve the servers’ performance.
b. Virtualization will conserve resources.
c. Virtualization will make administration easier.
d. Virtualization will save software costs.
2. Which of the following applies to virtual machines, no matter what type of virtualization software they are created with?
a. They can only belong to one VLAN.
b. They cannot be addressed by clients on a physical LAN.
c. They cannot be assigned Internet-routable IP addresses.
d. They exist as files on the hard drive of their host.
3. You have created a virtual machine on your workstation so that you can test some new applications. You configured the VM’s hard disk space to be dynamically allocated. Which of the following will allocate more space for the VM when it needs it?
a. Virtual switch
b. Virtual adapter
c. Hypervisor
d. Virtual network manager
4. You are running KVM on a Fedora Linux computer and have configured a virtual server to use the bridged networking type. The IP address of your host machine’s NIC is 192.168.25.71. Assuming your physical LAN uses DHCP, which of the following addresses is most likely the one assigned to your virtual server?
a. 192.168.25.1
b. 192.168.25.83
c. 192.168.0.0
d. Not enough information to draw a conclusion
5. Which of the following is the default networking type assigned to vNICs in most virtualization programs?
a. Host-only
b. Grouped
c. NAT
d. Bridged
6. You have decided to create four virtual Web servers on a Windows 2008 R2 server using Hyper-V R2. Which of the following configuration options would you use to make sure the Web servers are accessible to users across the Internet?
a. Private virtual network
b. Host virtual network
c. External virtual network
d. Internal virtual network
7. You work second shift and share a desktop workstation with your colleagues who work on the first and third shifts. Each of you has a separate virtual machine on the workstation. When your third-shift coworker installs a new program on his VM, it causes the machine’s operating system to stop working. What happens as a consequence?
a. Your VM’s operating system stops working.
b. The host machine’s operating system stops working.
c. Your VM and the host machine work as usual, but performance of all the VMs is compromised.
d. Nothing changes for your VM.
8. Each of the VMs on your host computer is configured to use the NAT networking type. They can still pick up e-mail and surf the Web. How are they getting their IP addresses?
a. From the host machine’s virtualization software
b. From the DHCP server on the physical network
c. From the router on the physical network
d. From another VM on the host machine that’s configured to act as a DHCP server
9. Which of the following network configuration types is best used for a company’s e-mail server?
a. Host-only
b. Bridged
c. NAT
d. Grouped
10. Which of the following network configuration types prevents VMs from exchanging traffic with nodes other than the workstation they are installed on?
a. Host-only
b. Bridged
c. NAT
d. Grouped
11. You manage a data center for a large ISP that hosts virtual Web and mail servers for many customers. One of your physical servers has four NICs and hosts four mail servers. How many vNICs can you assign to each of the mail servers?
a. 1
b. 2
c. 4
d. It depends on the virtualization software.
12. Because of the functions it performs, each port on a virtual switch can also be considered a:
a. Virtual machine
b. Virtual bridge
c. Virtual router
d. Virtual firewall
13. You have created multiple virtual machines on your workstation to test different unified communications programs. You want these machines to be available to your IT colleagues for testing, but you do not want the traffic generated by their use to interfere with routine business LAN traffic. Meanwhile, on another workstation a coworker has installed additional communications programs for review. You decide to create a new VLAN devoted to software evaluation. Where do you add your coworker’s virtual machines to the new VLAN?
a. On your host workstation, where you established the new VLAN
b. On the LAN switch, which manages the VLAN
c. On your friend’s host workstation, where the virtual machines reside
d. On the LAN router, which directs traffic between VLANs
14. How must a physical NIC be configured so that it can connect its host’s VMs to multiple VLANs?
a. As a trunk
b. As a port group
c. As a channel
d. As a team
15. To complete its VPN connection, your computer is using RDP. Which of the following VPN types are you participating in?
a. Site-to-link
b. Site-to-site
c. Link-to-client
d. Client-to-site
16. In which of the following situations would you use RDP?
a. To enable someone else to control your workstation, which is running a Windows operating system
b. To establish a VPN between your home workstation and your office LAN
c. To remotely control a distant workstation that's running a UNIX or Linux operating system
d. To manage a pool of modems available for multiple users to log onto your network from a distance
17. You have decided to set up a VPN between your home and your friend's home so that you can run a private digital telephone line over your DSL connections. Each of you has purchased a small Cisco router for terminating the VPN endpoints. Which of the following protocols could you use to create a tunnel between these two routers?
a. L2TP
b. PPTP
c. PP2T
d. SLIP
18. A VPN is designed to connect 15 film animators and programmers from around the state of California. At the core of the VPN is a router connected to a high-performance server used for storing the animation files. The server and router are housed in an ISP's data center. The ISP provides two different T3 connections to the Internet backbone. What type of connection must each of the animators and programmers have to access the VPN?
a. At least a fractional T1 connection to the Internet
b. At least a T1 connection to the Internet
c. At least a T3 connection to the Internet
d. Any type of Internet connection
19. Which of the following functions makes VPN protocols unique?
a. The ability to precisely time packet delivery
b. The ability to interpret both frames and datagrams
c. The ability to create tunnels
d. The ability to detect eavesdropping
20. As a business owner, you have decided to outsource all of your company’s IT services to a cloud computing service provider. How can your clients and employees access these services?
a. From a smartphone using cellular signals
b. From a desktop workstation attached to a DSL Internet connection
c. From a server at an office overseas, using a T1
d. All of the above
Practice Test
1. Virtualization is the emulation of a computer, operating system environment, or application on a physical system.
a. True
b. False
2. Nbtstat is useful only on networks that run Windows-based operating systems and ____.
NetBIOS
3. When designing a network to share an Internet connection, most network administrators prefer using a router or switch rather than ICS, because ICS typically requires more configuration.
a. True
b. False
4. To calculate a host's network ID given its IPv4 address and subnet mask, you follow a logical process of combining bits known as ANDing.
a. True
b. False
5. ____ identifies each element of a mail message according to content type.
a. MIME
b. Multipurpose Internet Mail Extensions
6. Many remote access methods exist, and they vary according to the type of transmission technology, clients, hosts, and software they can or must use.
a. True
b. False
7. Traditional dial-up networking can provide the quality required by many network applications.
a. True
b. False
8. DNAT (Dynamic Network Address Translation) may also be called ____.
IP masquerading
9. Two important considerations when designing a VPN are _____ and security.
a. reliability
b. interoperability
c. availability
d. performance
10. VMs that must be available at a specific address, such as mail servers or Web servers, should be assigned host-only network connections.
a. True
b. False
11. If you use the ____ command without any switches, it will display a list of all the active TCP/IP connections on your machine, including the Transport layer protocol used (UDP or TCP), packets sent and received, IP address, and state of those connections.
a. ipconfig
b. nslookup
c. traceroute
d. netstat
12. A ____ is one that any user may access with little or no restrictions.
a. private network
b. CIDR notation
c. public network
d. core gateway
13. When working on a UNIX or Linux system, you can limit the maximum number of router hops the traceroute command allows by using the -m switch.
a. True
b. False
14. Many types of remote virtual computing software exist, and they differ significantly in their capabilities, security mechanisms, and supported platforms.
a. True
b. False
15. E-mail servers and clients communicate through special TCP/IP ____ layer protocols.
a. Network
b. Presentation
c. Application
d. Transport
16. In _____ networking mode, VMs on one host can exchange data with each other and with their host, but they cannot communicate with any nodes beyond the host.
a. host-only
b. bridged
c. NAT
d. network-only
17. To add VMs to a VLAN defined on a physical network, you modify a switch’s configuration.
a. True
b. False
18. A subnet created by moving the subnet boundary to the left is known as a(n) ____.
supernet
19. ____ is useful when operating a mail server, for example, whose address must remain the same for clients to reach it at any time.
a. SNAT
b. ARP
c. DNAT
d. PAT
20. MIME has replaced SMTP.
a. True
b. False
21. When multiple virtual machines contend for finite physical resources, one virtual machine could _____ those resources and impair the performance of other virtual machines on the same computer.
a. reframe
b. repair
c. monopolize
d. optimize
Chapter Test
1. ____ connect vNICs with a network, whether virtual or physical.
a. Virtual duplexers
b. Virtual bridges
c. Virtual routers
d. Virtual crossovers
2. A VM must use the same operating system, type of CPU, storage drive, and NIC as the physical computer it resides on.
a. True
b. False
3. ____ is the most widely implemented virtualization software today.
a. Citrix
b. VirtualBox
c. VMware
d. Hyper-V
4. In bridged mode, a(n) ____________________ accesses a physical network using the host machine’s NIC.
vNIC
5. The physical computer on a virtual machine is known as a ____.
a. guest
b. client
c. server
d. host
6. A ____ uses very little hard disk space or processing power from the workstation on which it is installed.
a. fat client
b. thin client
c. virtual client
d. thick client
7. ____ is the remote virtual computing software that comes with Windows client and server operating systems.
a. Remote Desktop
b. Remote Windows
c. Remote Client
d. Remote Server
8. Upon creation, each vNIC is automatically assigned a ____.
a. block address
b. switch address
c. reference address
d. MAC address
9. In ____, each datagram can follow one of many paths to reach its destination.
a. circuit switching
b. packet switching
c. line switching
d. data switching
10. ____ desktops are desktop operating environments hosted virtually, on a different physical computer from the one with which the user interacts.
a. Material
b. Virtual
c. Physical
d. Guest
11. The software required to establish VPNs is usually expensive.
a. True
b. False
12. Most cloud service providers use virtualization software to supply multiple platforms to multiple users.
a. True
b. False
13. VPNs can be classified based on the kinds of ____ they connect.
a. hardware
b. circuits
c. endpoints
d. software
14. ____ are wide area networks that are logically defined over public transmission systems.
a. Private lines
b. VPNs
c. Dial-up lines
d. Leased lines
15. In a ____ VPN, tunnels connect multiple sites on a WAN.
a. client-to-client
b. link-to-line
c. site-to-client
d. site-to-site
16. A VPN tunneling protocol operates at the ____ layer.
a. Data Link
b. Network
c. Application
d. Session
17. In the NAT networking mode, a vNIC relies on the ____ to act as a NAT device.
a. reference machine
b. guest machine
c. management machine
d. host machine
18. To connect to a network, a virtual machine requires a ____.
a. virtual adapter
b. virtual switch
c. physical switch
d. virtual MAC address
19. ____ mode is appropriate for test networks or if you simply need to install a different operating system on your workstation to use a program that is incompatible with your host’s operating system.
a. Blocked
b. NAT
c. Bridged
d. Host-only
20. ____ is an open source system designed to allow one workstation to remotely manipulate and receive screen updates from another workstation.
a. Remote Desktop
b. Citrix
c. VNC
d. Xen
21. ____________________ refers to the flexible provision of data storage, applications, or services to multiple clients over a network.
Cloud computing
22. The software that allows you to define VMs and manages resource allocation and sharing among them is known as a(n) ____________________.
virtual machine manager
23. In the case of dial-up networking, the term ____ refers to a modem.
a. virtual connection
b. POTS connection
c. serial connection
d. physical connection
24. In a(n) ____________________ VPN, clients, servers, and other hosts establish tunnels with a private network using a remote access server or VPN gateway.
client-to-site
25. A(n) ____________________ is a logically defined device that operates at the Data Link layer to pass frames between nodes.
Virtual switch